Magento Forum

Error: Please check for sufficient write file permissions
 
Spek
Sr. Member
 
Total Posts:  77
Joined:  2007-11-28
 
NathanJ - 20 April 2008 06:43 AM

> Sad - after all this, I changed all my permissions, got MagentoConnect Downloader to work, downloaded the Modern theme…
>
> and am now getting a blank page when I load the front end.
>
> *sigh*
>
> Is there a tutorial anywhere on how to correctly activate a theme?

It should work if you fill in “modern” for templates/skin/layout in the backend under design > themes.

Did you refresh or disable the cache?

 
Magento Community Magento Community
Magento Community
Magento Community
 
NathanJ
Member
 
Total Posts:  44
Joined:  2008-04-07
 

Any pointers? Thanks…

 
 
danob
Jr. Member
 
Total Posts:  1
Joined:  2008-04-09
 

So which files do I have to set the write permissions for? Am I missing something here? Or do I have to go through every file in Magento and set the permissions for each one? That seems a bit far-fetched....

 
 
-=marien=-
Jr. Member
 
Total Posts:  24
Joined:  2008-04-19
 

I have the same issues, I don’t want to chmod everything to 777 to make this work. What other ways are there to get Connect to work?

/edit, I pretty much chmodded every folder to 777 and kept all the files to 644.

Maybe I’ll turn this back to the usual settings when I’m done with Magento Connect? What do you guys think?

 
 
-=marien=-
Jr. Member
 
Total Posts:  24
Joined:  2008-04-19
 

I chmodded every folder to 777 but Magento Connect still says Error: Please check for sufficient write file permissions.

I also can’t go directly to Magento Connect from my admin, it gives me a 404 error. So I type in downloader/index.php to get there.

Any idea how to resolve this? Or what to do? I have the latest version of Magento.

 
 
Crucial
Enthusiast
 
Total Posts:  770
Joined:  2007-11-07
Phoenix, AZ
 

find . -type d -exec chmod 777 {} \;

Nothing more, nothing less.

 
 
Thejosh13
Sr. Member
 
Total Posts:  252
Joined:  2008-06-23
 

I used FTP to change all the permissions recursively. My Magento files are all just loaded to the base directory; there is a Plesk folder in that directory that cannot be changed. I still get the permission error for Magento Connect. Would Plesk have something to do with it?

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

This is a very important topic and I hope my voice here gets through to the guys at Varien.

I think Magento and the Connect/PEAR feature run beautifully on suPHP/suExec, when every process is run as a user rather than apache.

The beauty of suPHP/suExec is that you never have to worry about CHMODs/permissions again. With most hosting companies that have suPHP/suExec, the users never even have to touch CHMOD, everything will just work out of the box hands free. And it also keeps your script virtually bulletproof secure because no one else in the system will have access to your files.

I hope more hosting companies catch onto suExec/suPHP because there is no reason for anyone to have users’ files be set to 777. This is a very bad idea, almost the same as exposing your files to virtually anyone in the server with SSH access.

If Varien wants to make a secure open source application, they should just allow PEAR/Magento Connect to be only accessible for hosting companies with suPHP/suExec. I see very bad things happening for other users who are not on a suExec environment, it could certainly be a rampant hack in the future.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

I did find a wiki page mentioning Magento’s file permissions at http://www.magentocommerce.com/wiki/magento_filesystem_permissions
I think there needs to be some kind of a “Warning” to users who run on a mod_php environment as it is not a safe thing to do.

We are on suPHP/suExec and we take security very seriously here for our clients. It was one of the first things we took measures on when we started off providing hosting for Magento. We hope others follow their steps before any kind of problem arises for them.

To anyone who is still chmodding their ways to their Magento, ask your host if they support suPHP/suExec or not. And if they don’t, I seriously consider you to have them implement the feature or find different hosting.

As for Crucial, I think you got a lot of things wrong here and I’d have to agree with Ron Siegel in that it is now hard for me to put any trust into what you say. You bashed shared hosting companies for security but in reality it’s the other way around. It looks like your “split-shared” is the one with the security flaws.

SuPHP solves most web security flaws, as each web process works like a container for each user in the system, which is the way it should have been all along.

Most companies nowadays are in fact on suPHP/suExec such as hostgator/hostmonster/godaddy etc. etc., ours included, and there is a pretty good reason why almost no one has adopted the split-shared practice because realistically, it is really not that beneficial for the hoster nor the customer when you get even more security and performance out of a good shared hosting setup.

And I think it’d be nice if you can just rephrase your statements about shared hosting and actually respect those companies who know how to secure their servers, because quite frankly speaking, I’m pretty sure you have offended many other companies out there by that statement, let alone an incorrect statement at that as well. You’d expect all shared hosting to go out of business if it were true, and you might want to second guess why no one has adopted the practice of split-shared hosting.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
SimpleHelix.com - 31 July 2008 12:47 AM

> I think there needs to be some kind of a “Warning” to users who run on a mod_php environment as it is not a safe thing to do.

This is incorrect information - mod_php can be and is a very safe hosting environment configuration.  Modern versions of PHP include many additional security features that help to flatten the security landscape of the web server.

> ask your host if they support suPHP/suExec or not. And if they don’t, I seriously consider you to have them implement the feature or find different hosting.

There are many factors to consider in choosing a host.  I would consider things such as client isolation/density, external/internal security measures, support, performance and the company’s character above all else.

> As for Crucial, I think you got a lot of things wrong here and I’d have to agree with Ron Siegel in that it is now hard for me to put any trust into what you say. You bashed shared hosting companies for security but in reality it’s the other way around. It looks like your “split-shared” is the one with the security flaws.

It’s actually the PCI-DSS Compliance standards that say you can’t do ecommerce in shared hosting, not ‘Crucial’.  If you don’t store credit card information then you’re really just pushing off to Paypal or some other service and that’s a different story.

Simple Helix, do you host your company website in shared hosting?  How many clients share access to your server?

> SuPHP solves almost all of php security flaws, as each web process works like a container for each user in the system, which is the way it should have been all along.

Anytime you see statements that some module solves ALL of security you should really look hard at the source.  The only thing that SuPHP/Exec guarantees is an additional module code base for exploits to be found in.

> Most companies nowadays are in fact on suPHP/suExec such as hostgator/hostmonster/godaddy etc. etc., ours included, and there is a pretty good reason why almost no one has adopted the split-shared practice because realistically, it is really not that beneficial for the hoster nor the customer when you get even more security and performance out of a good shared hosting setup.

This has nothing to do with Crucial’s Split-Shared hosting environments.  We have over 60 Split-Shared hosting environments.  Many of these run on a variety of hosting configurations, including SuPHP/Exec. 

Do you know what Split-Shared hosting is?  If not, why comment?  Split-Shared is about Client Isolation and guaranteed performance and service levels.  It has nothing to do with anything you are talking about.  To be blunt, you sound ignorant.

Split-Shared hosting environments are limited to 25 clients per environment and each environment is guaranteed a certain quality of service through Parallels Virtualization technology.  As a Parallels Gold Partner, Crucial leverages this technology to produce isolated, dynamically scalable hosting solutions.

How many clients do you have to put on your dual 3.0GB, 16GB RAM server?  You see, we have a few of these servers, so I know the cost - so, let’s do some math.

Let’s say the server costs a cool $1K a month - that’s fully cost factored including licences, etc.

You have an average shared hosting cost of $15.00/mo ($10pkg and $20pkg == $15avg)

$1000/$15 == 67 clients

But, you like to make a profit too - so, you have to get $2000 for that server at a minimum - this is if you don’t pay things like insurance, taxes, etc...that’s up to you.

$2000/$15 == 134 clients

So, even with a small marginal profit you need about 150 clients per hosting environment, right?

So, you have a server where 150 clients must all compete for resources.  That’s 150 clients that you must protect from each other.  We all know it only takes a single problem client to cause issues for an entire hosting environment regardless whether that is security or resource abuse.

Contrast this to Crucial where Parallels Virtualization technology isolates clients to smaller, more manageable groups of 25 clients per environment.  Yes, there is still resource and security sharing, but Crucial clients have a far smaller pool of clients that they must share with.

Parallels Virtualization also allows us to dynamically scale our hosting environments - Does a container need more disk space, not a problem.  Need to triple the RAM / CPU for a few days to get through a DIGG, no worries.  Ask yourself how you would deal with such a situation.

> And I think it’d be nice if you can just rephrase your statements about shared hosting and actually respect those companies who know how to secure their servers, because quite frankly speaking, I’m pretty sure you have offended many other companies out there by that statement, let alone an incorrect statement at that as well.

Quite frankly, I don’t care.  I didn’t make the rules - VISA and Mastercard did - and if you are going to accept those cards you need to accept their rules.  It’s called PCI Compliance and I suggest you spend some time with Google before continuing to spout off about things of which you are so ignorant.

> You’d expect all shared hosting to go out of business if it were true, and you might want to second guess why no one has adopted the practice of split-shared hosting.

You’re right, I do expect many in shared hosting to go out of business.  However, Split-Shared hosting has nothing to do with that.  The fact is that Split-Shared hosting continues to be adopted by those who can support it.  I believe it’s been called other names as well ‘Grid Service’ and [DV].

PCI Compliance

https://www.mcafeesecure.com/RatingVerify?ref=www.crucialwebhost.com

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Crucial,

I’m not trying to be rude here or anything, but there are clearly some misguided statements you keep throwing around.

First of all, you shouldn’t compare yours to grid service. Grid service (gs) is cloud computing sharing multiple servers being combined to one virtual server. Whereas split-shared is just, well just that, a split shared hosting, in simple terms, a shared hosting inside a vps. So that’s quite a bit of difference there and you are leading me to believe that you may want to re-read up on Cloud Computing.

When it comes to performance, zero-overselling shared hosting will outperform the so-called split-shared. The only thing split-shared brings to the table is just isolation, but split-shared is not the only way to provide cpu/memory isolation per user.

As for PCI compliance, a lot of our clients already either accept VISA/MC as well as have the McAfee/ScanAlert seal. It’s nothing new in this business and this goes to show you are spreading even more uninformed statements.

And why do you expect shared hosting to go out of business? I think ever since the lessons of ipowerweb/dreamhost, you’ll now see that not all companies are just stock LAMP setup. Some actually have proprietary technology that enables far more versatility and flexibility than split-shared. This includes real-time load-balancing, cpu/memory throttle, etc..... Is split-shared load-balanced??

And lastly, nice try on the budget diagram but it just goes to show that we are just running 2 different types of business in 2 totally different ways. We don’t lease our servers, we have them all custom built piece by piece for sheer performance while helping us cut cost considerably. That is why going with server providers like SoftLayer is at its disadvantage, there is just no profit at the type of pricing you have to pay to lease a high performance server and it’s why you have to raise the price high to have any kind of profit.

-----------
Anyway before this topic goes any further OT, how can you explain that having an entire directory set to 777 can still be considered secure?
That is a really bad practice to have. With the advent of suPHP, it is now commonly advised to users that ‘chmod’ is now considered a dirty word. There is absolutely no reason for any web file to be set to 777.

SuPHP solves these problems for you and web applications will work like a web application, so what is it that you have against a suPHP environment? Personally, I wouldn’t risk any of our clients having their Magento setup on 777.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
SimpleHelix.com - 31 July 2008 07:49 AM

> First of all, you shouldn’t compare yours to grid service.

‘Misquoted the gs, my apologies - I was referring to the more high end products.’
http://weblog.mediatemple.net/weblog/2008/02/12/parallels-mt-is-one-of-the-largest-deployments-in-the-world/

> As for PCI compliance, a lot of our clients already either accept VISA/MC as well as have the McAfee/ScanAlert seal. It’s nothing new in this business and this goes to show you are spreading even more uninformed statements.

Are you a PCI Compliant Service provider?

QAS-D
A.1.1 - Does each entity have access to only its own cardholder data environment?
A.1.2 - Are each entity’s access and privileges restricted to its own cardholder data environment?
A.1.3 - Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with DSS Requirement 10?

You will learn more about your responsibilities of hosting clients who accept VISA and Mastercard soon.

Your statements and lack of knowledge about PCI Compliance show that you could be a ‘dangerous’ host who offers a false sense of security for your clients.  If you are not PCI Compliant, neither are your clients.

> And why do you expect shared hosting to go out of business?

I believe that PCI Compliance has the ability to destroy hosting companies at will through fines and disruption of payment systems.

> Did you know that not all companies are just stock LAMP setup? Some actually have proprietary technology that enables far more versatility and flexibility than split-shared. This includes real-time load-balancing for whenever digg strikes, etc..... Is split-shared load-balanced??

Yes, I am aware of these technologies.  My guess is that you don’t run anything like this and are simply trying to change the subject.

> And lastly, nice try on the budget diagram but it just goes to show that we are just running 2 different types of business in 2 totally different ways. We don’t lease our servers, we have them all custom built piece by piece for sheer performance while helping us cut cost considerably.

And how long do you have to keep that server to make up for long term costs and profit?  We’ll just turn ours in the next time a faster server comes out and perform live migrations of our containers to the newer servers.

Two different models for certain - one ensures that you will be the proud owner of outdated hardware in 6 months.  The second ensures that you always have the fastest available servers in the most robust, PCI Compliant Datacenter.

Do you run your own DC?  Is it PCI Compliant?

> That is why going with server providers like SoftLayer is at its disadvantage, there is just no profit at the type of pricing you have to pay to lease a high performance server and it’s why you have to raise the price high to have any kind of profit.

You can be certain that Crucial will always have the latest hardware available - Very few would argue a server is not a depreciating asset and likely one of the fastest depreciations you can buy.  We would prefer to lease these servers as opposed to having to maintain the machine long enough to make a profit back on an outdated server.  Just different business models - not saying mine or yours is right, just different.

I’d prefer for you to just go back to your regular self promotion posts and leave our company out of your posts.  Your history precedes you and anyone capable of doing a search will quickly understand your ‘business model’. 

This will be our last response to this issue - take it somewhere else if you want to bash Crucial.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Wow, so let’s see here, now you are referring to it as bashing, I apologize if it may have seemed that way.
All I was trying to get out of it was that you or any other companies out there who have clients chmodding their entire folder to 777 need to toughen up their security with suPHP. If you took that the wrong way then I apologize. But no need to post any more misinformation.

It seems this time, you are now comparing split-shared to (dv). Perhaps your Magento Containers is more like it, but comparing your split-shared and (dv) is still apples to oranges. (I’m not bashing, just straight out facts)

And as for the PCI bit, you keep saying Shared Hosting is not PCI compliant, then I ask you how hundreds of other hosting companies are PCI compliant. It really is not any different than your split-shared. Statements like those are kind of like shooting your own foot there, as we’ve been PCI compliant ever since we started back 3 years ago.

You make it sound like split-shared is the holy grail for web hosting but I assure you there are alternatives out there. Perhaps it is you who needs to do some more research in this area. And it’s a bit brash making harsh judgements of shared hosting considering you have no idea what you are talking about. I’d love for you to find out how guys like 1and1/godaddy/hostgator/bluehost are all still in business, you’d guess it’s nothing short of a miracle.

As for the hardware, you might want to do the math. At the rate you replace one server, we can afford to purchase 3 more.

And I am not trying to change the subject, it seems you are the one who has been dodging all the points I sent across. I wouldn’t mind diving in further as there are lots of things I’d like to discuss but I know this is not the place. I know we’ve had little quarrels here and there in the past but right now all I’m trying to do is just trying to help out one another, just trying to create a more robust and secured Magento environment. And if you ever want to take this to PM then feel free to do so, I have no hard feelings with anybody.

But most of all, I’m just amazed at the type of responses I’m getting, I just didn’t expect such reactions when all I suggested was to use suPHP over mod_php, which is highly recommended for anyone running an online website.

 
 
Coalesce Creative
Jr. Member
 
Total Posts:  16
Joined:  2009-03-03
 

Ya, let’s forget about the hosting wars.

I think the main issue here is Magento requires users to open their stores to major vulnerabilities by requiring the 777 setting. I get nervous setting one folder to 777. Unless Magento defies traditional exploitation techniques it’s vulnerable to attacks out of the box.

Is it possible to manually upgrade the software and forget Magento Connect? Obviously Magento Connect is just not ready…

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

Coalesce Creative: Magento does not require you to use 777 permissions. Your server configuration does. It all comes down to how PHP is handled by your server.

In short: If using mod_php, all Apache processes are owned by the same user ID (e.g. ‘nobody’), and in order for a PHP script to write to a file it must have write access to that file/directory. In this case, this means (1) the file/directory itself must be owned by the Apache user OR (2) world-writable permissions (xx7). This of course makes your site vulnerable as virtually any other user on the server will have read/write access to those files as well. Now, there are some ways to reduce the risk of this such as PHP open_basedir protection, but that is easy to bypass for anyone with some technical knowledge. Unless each account is completely isolated in its own chroot environment, I would say that mod_php is not suitable for shared hosting.

The answer is suEXEC, suPHP, or phpSuExec as cPanel calls it. In such a setup, the PHP scripts will execute under the user ID of the account owner instead of the web server user. Hence, there is no longer a need for world-writable permissions.

The disadvantage of this is that in order to take advantage of suEXEC, PHP is required to run in CGI mode, which is considerably slower than mod_php (Apache module). The performance can be improved by implementing FastCGI, or different web server software like LiteSpeed Enterprise which has developed their own PHP LSAPI. LiteSpeed offers the security of suEXEC and at the same time being ~50% faster than Apache+mod_php. We’ve been using it for our own servers for some time, and I can highly recommend it.

That being said, Magento Connect does have a habit of resetting file permission after use. And I agree, this is something that needs to be addressed.
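
An audit for the state this thread describes, as an added example that is not part of any post here and is not Magento's own tooling: it lists the world-writable entries left behind by a recursive `chmod 777` on directories and removes only the other-write bit, which is sufficient when PHP runs as the account owner (suPHP/suEXEC). The function names and the `example_dir` path are hypothetical; `downloader/index.php` is the path mentioned earlier in the thread, and the sample tree is constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: find and remove world-writable bits in a web root.
# Assumption: PHP executes as the file owner (suPHP/suEXEC), so the
# "other" class never needs write access.

# Print every directory or regular file under $1 with the other-write bit set.
# Symlinks are skipped because their mode bits are not meaningful.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the other-write bit from the entries found above.
# Owner and group bits (and any execute bits) are left untouched.
drop_world_write() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree in the state described in the thread:
# every directory 777, every file 644. Prints the tree's root path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/downloader" "$root/example_dir"   # example_dir is hypothetical
    : > "$root/downloader/index.php"
    : > "$root/example_dir/example.txt"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 777 {} \;
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree only.
demo_root=$(make_sample_tree)
echo "world-writable before: $(count_world_writable "$demo_root")"
list_world_writable "$demo_root"
drop_world_write "$demo_root"
echo "world-writable after:  $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

Running `list_world_writable` again after Magento Connect has been used shows whether it has reset any permissions, as the post above reports.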

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
Back to top