Magento Forum

Error: Please check for sufficient write file permissions
 
Coalesce Creative
Jr. Member
 
Total Posts:  16
Joined:  2009-03-03
 

Ya, let's forget about the hosting wars.

I think the main issue here is Magento requires users to open their stores to major vulnerabilities by requiring the 777 setting. I get nervous setting one folder to 777. Unless Magento defies traditional exploitation techniques it’s vulnerable to attacks out of the box.

Is it possible to manually upgrade the software and forget Magento Connect? Obviously Magento Connect is just not ready…

 
Magento Community Magento Community
Magento Community
Magento Community
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

Coalesce Creative: Magento does not require you to use 777 permissions. Your server configuration does. It all comes down to how PHP is handled by your server.

In short: If using mod_php, all Apache processes are owned by the same user ID (e.g. ‘nobody’), and in order for a PHP script to write to a file it must have write access to that file/directory. In this case, this means (1) the file/directory itself must be owned by the Apache user OR (2) world-writable permissions (xx7). This of course makes your site vulnerable as virtually any other user on the server will have read/write access to those files as well. Now, there are some ways to reduce the risk of this such as PHP open_basedir protection, but that is easy to bypass for anyone with some technical knowledge. Unless each account is completely isolated in its own chroot environment, I would say that mod_php is not suitable for shared hosting.

The answer is suEXEC, suPHP, or phpSuExec as cPanel calls it. In such setup, the PHP scripts will execute under the user ID of the account owner instead of the web server user. Hence, there is no longer a need for world-writable permissions.

The disadvantage of this is that in order to take advantage of suEXEC, PHP is required to run in CGI mode, which is considerably slower than mod_php (Apache module). The performance can be improved by implementing FastCGI, or different web server software like LiteSpeed Enterprise which has developed their own PHP LSAPI. LiteSpeed offers the security of suEXEC and at the same time being ~50% faster than Apache+mod_php. We’ve been using it for our own servers for some time, and I can highly recommend it.

That being said, Magento Connect does have a habit of resetting file permissions after use. And I agree, this is something that needs to be addressed.

 
 
Coalesce Creative
Jr. Member
 
Total Posts:  16
Joined:  2009-03-03
 

Sindre, thanks for your reply. I’m just not sure why Magento was built to handle permissions so differently than other open source packages.

 
 
tradiArt
Guru
 
Total Posts:  379
Joined:  2008-04-28
Spain
 

I’m extremely confused with this issue.

I was in a shared account and everything was going perfect, slow, without innodb, but perfect.

Now I have migrated to a VPS and I’m having this problem. My host has recommended me not to leave all dirs with 777 permissions, which seems logical.

I can’t access magento connect manager now.

SO....

what options do we have now?

Sometimes I wonder why everything in Magento is always so complicated… :-(

 
 
fancytricks
Jr. Member
 
Total Posts:  2
Joined:  2009-02-18
New Zealand
 

Ok simple:

1) Public_Html or Magento main folder = 777
2) downloader/config.ini = 666

www.undergrounddesign.com.au

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

XOXO: this is probably because your shared host was running suEXEC/suPHP, which only requires ‘644’ and ‘755’ permissions. On your VPS, PHP is running as an Apache module, which means that PHP scripts are executed under the same user as the Apache process. Therefore you will need ‘777’ permissions on files/directories that must be writable.

 
 
tradiArt
Guru
 
Total Posts:  379
Joined:  2008-04-28
Spain
 

Thank you all for your replies,

Seems strange, I’m running two installations, one at root, the live store, and other into a folder, for testing, and this is the store that can’t connect to magento connect.

After asking my host:

Server runs PHP on DSO and Apache suEXEC is enabled.
Default PHP Version (.php files) 5
PHP 5 Handler dso
PHP 4 Handler none
Apache suEXEC on

So what permissions do I need? 755 or 777?

Thank you for your help!

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

DSO means Apache module (mod_php), so you will need 777 permissions for any directory that must be writable by Magento and 666 for writable files. suEXEC has no effect on PHP scripts as long as they are handled by DSO. Be careful with these permission settings, as they are not particularly safe. You should at least reset the permissions when you are done with Magento Connect.

Hope this helps.

 
 
tradiArt
Guru
 
Total Posts:  379
Joined:  2008-04-28
Spain
 

Thank you Sindre,

Well, I can always use SSH, but magento connect is soo nice :-)

I will change permissions once finished.

Thank you for your help.

 
 
Coalesce Creative
Jr. Member
 
Total Posts:  16
Joined:  2009-03-03
 
fancytricks - 24 March 2009 10:18 PM

Ok simple:

1) Public_Html or Magento main folder = 777
2) downloader/config.ini = 666

www.undergrounddesign.com.au

Fancytricks, that definitely DOES NOT work

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

Coalesce Creative: You need to chmod _every_ folder in your Magento install, including the root folder, to 777 if you want to use Magento Connect and your server is running mod_php. In addition, any files that must be overwritten (e.g. during an upgrade) must be writable (i.e. 666 permissions). It will not suffice to change the perms on only the main folder.

Be careful with these permission settings as they are a huge security risk, especially in a shared hosting environment.

You might want to use PEAR via SSH instead of Magento Connect.

 
 
Coalesce Creative
Jr. Member
 
Total Posts:  16
Joined:  2009-03-03
 

Sindre, thank you for your reply. If we switch to suEXEC, suPHP, or phpSuExec this seems like it would make this much more manageable.

However would this greatly affect other PHP scripts we have running on our server? ie. Joomla installs, Wordpress, etc.?

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

The other scripts should not be affected. But please note, suPHP/phpSuExec has a significant performance hit compared to running PHP as an Apache module.

Another thing is that suPHP does not allow world writable files or directories (i.e. permission mode xx7 or xx6). This will generate a 500 internal server error. You should therefore change the permissions on all directories to ‘755’ and all files to ‘644’ if you install suPHP.
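
As an added example (not part of the original thread or of Magento itself), here is a POSIX shell sketch of the cleanup discussed above: list anything left world-writable after a Magento Connect session, then reset directories to 755 and files to 644. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and reset permissions on a Magento tree.

# List files and directories with the world-write bit set (xx2, xx3, xx6, xx7).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Count the entries reported by list_world_writable.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the modes suPHP accepts: 755 for directories, 644 for files.
# Under mod_php this also removes the write access Magento Connect needed.
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed tree that mimics a store left open after an upgrade.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/downloader" "$demo/var/cache" "$demo/app/etc"
    : > "$demo/downloader/config.ini"
    : > "$demo/app/etc/local.xml"
    : > "$demo/index.php"
    chmod 777 "$demo" "$demo/downloader" "$demo/var" "$demo/var/cache"
    chmod 666 "$demo/downloader/config.ini"
    chmod 755 "$demo/app" "$demo/app/etc"
    chmod 644 "$demo/app/etc/local.xml" "$demo/index.php"
    printf '%s\n' "$demo"
}

# Demo run on the constructed tree (pass a real path to the functions instead).
tree=$(make_demo_tree)
echo "World-writable before reset: $(count_world_writable "$tree")"
list_world_writable "$tree"
reset_permissions "$tree"
echo "World-writable after reset:  $(count_world_writable "$tree")"
rm -rf "$tree"
```

Running the audit function on a schedule, not only after upgrades, also catches the case mentioned earlier in the thread where Magento Connect changes permissions on its own.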

 
 
fancytricks
Jr. Member
 
Total Posts:  2
Joined:  2009-02-18
New Zealand
 
Coalesce Creative - 26 March 2009 07:55 AM

fancytricks - 24 March 2009 10:18 PM
Ok simple:

1) Public_Html or Magento main folder = 777
2) downloader/config.ini = 666

www.undergrounddesign.com.au

Fancytricks, that definitely DOES NOT work

Yes, this is assuming that you have set the rest of the permissions ok through SSH.

find ./ -type d -exec chmod 755 {} \; && find ./ -type f -exec chmod 644 {} \;

 
 
smalltom
Jr. Member
 
Total Posts:  10
Joined:  2008-03-23
 

My solution:
1) add apache to the group of owner
2) umask 002
3) chmod ug+w -R magento

It seems to work

 