How to set the proper permissions for files within a Magento 1 installation.
Environmental considerations
Before installing Magento, first consider the environment in which you are hosting your site. On Linux, PHP runs in one of two main environments: PHP scripts executed through mod_php or an equivalent, and PHP scripts executed through an intermediate construct.
Read How to Improve the Security of Your Magento Store.
Mod_php or equivalent PHP scripts
PHP scripts that use mod_php or equivalent are executed as the webserver user. When your script is running, it can read and sometimes write with the same privilege level as the web server. This allows cross-account snooping in shared-hosting setups and is dangerous in shared environments, particularly in eCommerce.
PHP scripts running using an intermediate construct
Other PHP scripts use an intermediate construct such as suPHP, PHP suEXEC, PHP-FPM, and so on. In this case, your scripts run under your own login rather than as the web server user, which offers a more secure overall configuration on a shared server, and our team prefers this setup.
This method is also preferred because Linux provides an extra level of security when the permissions are configured correctly. All of our shared Magento SIP plans provide this preferred environment, giving isolated user-based permissions, and therefore more strict file permissions.
Magento file permissions
You must have SSH access to execute any of the changes shown below. If you do not have SSH access, contact the Nexcess Support Team for assistance.
Linux permissions
The first of these changes to Linux permissions gives you read and write access to all files in your Magento base directory; all others have read access only. The following command establishes a baseline in which the web server itself can read all files. It needs read access to serve static content such as images, CSS, and JavaScript files:
find </path/to/magento> -type f -exec chmod 644 {} \;
The second of these changes to Linux permissions makes all directories in your Magento base directory listable, file-editable, and navigable for you, while only navigable for all others:
find </path/to/magento> -type d -exec chmod 711 {} \;
The third change locks permissions for all PHP scripts so only you can read them. This is ideal because only you need to know the contents of scripts.
find </path/to/magento> -type f -name "*.php" -exec chmod 600 {} \;
Finally, we recommend restricting all access to your local Magento configuration files to yourself with the below command. Only the PHP scripts need to read these files and PHP is running under your login; therefore, you can disable access to all others. This will prevent other users from accessing sensitive information:
chmod 600 </path/to/magento/app/etc/*.xml>
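To confirm that the four commands above left the tree in the intended state, the following read-only check lists every path whose mode differs from the baseline (711 for directories, 600 for PHP scripts and app/etc/*.xml, 644 for all other files). It is an added example, not part of the original article; the function names and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit of a Magento 1 tree against this article's
# baseline. It changes nothing; it prints "want <mode>: <path>" per deviation.
# Function names and output format are choices made for this example.

# flag <mode> <find args...>: print every path the find expression matches.
flag() {
    want=$1; shift
    find "$@" -exec sh -c \
        'w=$1; shift; for p; do printf "want %s: %s\n" "$w" "$p"; done' \
        sh "$want" {} +
}

# Usage: audit_magento_perms /path/to/magento
# Returns 0 if the tree matches the baseline, 1 if not, 2 on a bad argument.
audit_magento_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }
    etc="$root/app/etc"
    out=$(
        # Directories: navigable by others, listable only by the owner.
        flag 711 "$root" -type d ! -perm 711
        # PHP scripts: owner-only.
        flag 600 "$root" -type f -name '*.php' ! -perm 600
        # Config files directly in app/etc (what the shell glob
        # app/etc/*.xml expands to, so subdirectories are excluded).
        flag 600 "$root" -type f -path "$etc/*.xml" ! -path "$etc/*/*" \
            ! -perm 600
        # Every other file: world-readable so the web server can serve it.
        flag 644 "$root" -type f ! -name '*.php' \
            ! \( -path "$etc/*.xml" ! -path "$etc/*/*" \) ! -perm 644
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

A non-zero exit status with a list of paths after an upgrade or extension install usually means new files were written with the default umask and the four commands need to be run again.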
Web-based software requirements
You may encounter web-based software that claims all file permissions must be set to 777, which grants full read, write, and execute permissions on all files to everyone. This may be necessary for some directories, but is rarely the case for files.
Permissions of 666, or read and write permissions for all, are adequate in these cases if more strict permissions cannot be set. In addition, the 777 permission sets the execute bit on files, though most web servers do not require it.