Magento Forum

Secure setup for permissions and file ownership on a dedicated server
 
guidobras
Jr. Member
 
Total Posts:  4
Joined:  2013-02-18
 

Hi,
I’m setting up a dedicated CentOS server for Magento 1.7.0.2 and I would like to secure it properly.

I’ve found a lot of sparse information on the topic, the most relevant being:

users and groups for magento dir (/var/www/html/shop)
http://www.sonassi.com/knowledge-base/stop-magento-permissions-errors-permanently/

permissions
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/magento_filesystem_permissions

I came to these conclusions, which I would like to check/verify with the forum community:

Regarding users and groups:
to my understanding webserver processes run as user “apache” on CentOS, so every http connection from the outside world runs with the same privileges apache has.
Because of that I don’t want user “apache” having write permissions on magento dirs and files, so I recursively set user and group to guido:webadmins on the “shop” directory

Regarding permissions:
with the users and groups setup described above I set these permissions:
755 for dirs
644 for files
so apache can read (serve) the files.

Anyway, the official magento installation instructions (for installing via SSH: http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/installing_magento_via_shell_ssh) state that:
media, var, var/.htaccess, app/etc
must have 777 permissions

This is a big security risk IMHO.
In other posts I read that those 4 files & folders can have 750 permissions (obviously with my users/groups setup this would be 755 for dirs and 644 for files): will magento run correctly with this permissions setup?
Is my users and group setup OK?

Thank you
Guido

Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

Hello,

The problem with this setup is that Apache runs as the user nobody by default. You should create a dedicated account for Apache and make PHP and Apache run using this account. Normally, you would use a control panel like cPanel and then the server process should run as the same cPanel user. This way, no one but the file owner (cPanel user) will be able to write to the files. You can then use 644 permissions for files and 755 or 750 for directories, and still be able to use upload functionality in Magento, write to the session directory, etc.

There are a couple of ways to ensure the php process runs as a separate user; commonly a feature called suPHP is used.

I also recommend replacing Apache with LiteSpeed web server if you can afford the extra cost. It allows more granular control and easy management of suPHP.

guidobras
Jr. Member
 
Total Posts:  4
Joined:  2013-02-18
 

Hi Sindre,
thanks for your advice.

A couple of observations to further clarify the scenario.

1-I’m running a dedicated server, I should not need user isolation via suPHP because there are no other users sharing the (web)server with me.

2-from my httpd.conf:
User apache
Group apache

then an excerpt from “ps axu | grep apache”
apache 10470 0.0 0.1 631336 29364 ?  S 18:08 0:00 /usr/sbin/httpd
apache 10471 0.0 0.2 637472 48180 ?  S 18:08 0:00 /usr/sbin/httpd
apache 10472 0.0 0.1 628156 22724 ?  S 18:08 0:00 /usr/sbin/httpd

So apparently my webserver is running under user “apache”

Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 
guidobras - 19 February 2013 12:25 PM

Hi Sindre,
thanks for your advice.

A couple of observations to further clarify the scenario.

1-I’m running a dedicated server, I should not need user isolation via suPHP because there are no other users sharing the (web)server with me.

2-from my httpd.conf:
User apache
Group apache

then an excerpt from “ps axu | grep apache”
apache 10470 0.0 0.1 631336 29364 ?  S 18:08 0:00 /usr/sbin/httpd
apache 10471 0.0 0.2 637472 48180 ?  S 18:08 0:00 /usr/sbin/httpd
apache 10472 0.0 0.1 628156 22724 ?  S 18:08 0:00 /usr/sbin/httpd

So apparently my webserver is running under user “apache”

In that case, you should chown your files to apache:apache and you should be good with default permissions (644/755). The key point is that the webserver should run under the same user as the owner of the script.

Let me know if you have further questions.

guidobras
Jr. Member
 
Total Posts:  4
Joined:  2013-02-18
 

Thanks again.

My main point is to NOT have apache ( = outside web/http visitors) with write/execute privileges on magento files.

If file/dir ownership is apache:apache and permissions are 644/755, http visitors from the outside world would potentially be able to execute files and write into directories.

So I opted for this file/dir ownership:
guido:webadmins

So apache cannot write into dirs/files and execute files.
An exception are media, var, var/.htaccess, app/etc which as per magento install instructions RECURSIVELY need write privileges (do they REALLY need it?)

Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 
guidobras - 19 February 2013 10:20 PM

Thanks again.

My main point is to NOT have apache ( = outside web/http visitors) with write/execute privileges on magento files.

If file/dir ownership is apache:apache and permissions are 644/755, http visitors from the outside world would potentially be able to execute files and write into directories.

So I opted for this file/dir ownership:
guido:webadmins

So apache cannot write into dirs/files and execute files.
An exception are media, var, var/.htaccess, app/etc which as per magento install instructions RECURSIVELY need write privileges (do they REALLY need it?)

Not sure of your interpretation of “outside web/http visitors”, but no one other than the web server process itself will be able to write to those files. Given this is a dedicated server with only one user I don’t see a real issue with this. Anyway, the var/ folder needs to be writable as this is where Magento stores its sessions, cache, backups, etc. media/ must be writable in order to upload product images through the admin panel, I believe. .htaccess files do not need to be writable. app/etc does not NEED to be, but during installation it will write config to app/etc/local.xml, which is probably why they recommend it. Afterwards you can and SHOULD reset the permissions as you don’t want your config file to be writable. These are the directories that must be writable for Magento to function properly.

Another thing to consider is Magento Connect. If you want to install extensions or perform upgrades through the web interface, the web server will need write-permissions to basically all files so your file ownership/permission settings will not work in this case.

guidobras
Jr. Member
 
Total Posts:  4
Joined:  2013-02-18
 

Hi Sindre,
excellent information, thank you very much.

By “outside web/http visitors” I mean each http visit reaching the server, including normal visitors and malicious ones.

I suppose that theoretically a malicious visitor could use an HTTP PUT (by the way, does magento need it for media upload or could it be safely disabled?) to write/upload to a 777 dir a malicious, specially crafted php file that he can then force to exec with bad consequences.

Just to be even more paranoid, assuming that an intruder could break in and use a compromised daemon user, I could minimize the consequences with this setup on the magento directory:

file ownership
guido:apache

permissions:
750 for dirs (770 for var/ and media/)
640 for files

Perhaps, for a dedicated server, this could be an ideal setup for magento dir.
What do you think?

Dewdan
Member
 
Total Posts:  31
Joined:  2008-11-05
 

I am a bit confused with permissions, I run a dedicated server and always set privileges to 755 and 644.

I am upgrading now to 1.8 and reading the process I see that now Magento recommends to set directory permissions to 500 and file permissions to 400:
You can see this from: magento’s instructions

So this seems to have changed recently, no more need to set 777 for var and media?

Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

There has never been a need for 777 permissions on any folders. What is important is whether or not the server/PHP process runs under the user account of the file owner. If that is the case, you will never need anything above 755/644 permissions. If the server runs as a different, usually unprivileged user such as “nobody”, you will need 777 permissions for Magento to be able to WRITE to the file system. This is necessary for Magento Connect, file uploads, etc. to work.

Because some servers run PHP in DSO mode where each PHP request does not fork a PHP process under the current user, people have developed the misconception that Magento requires 777 permissions. It was never the case. Just unfortunate that many articles have misinterpreted this fact and present it as the only solution, while actually it is a server configuration problem.

elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
Magento
 

Magento’s most current file system permissions recommendations are here:

http://www.magentocommerce.com/knowledge-base/entry/install-privs-before
