Magento 2 permissions & ownership in 3 modes

Magento 2 file system permissions

Change default magento_umask via the command line

Magento 2 file system ownership for shared hosting

Amasty recommendations for file permissions set up

Magento 2 file permissions check

What are Magento 2 permissions for?

Magento 2 permissions are used to make Magento tooled for your specific business needs. While installing some new extensions or using the platform in the main operational regime you have to set ownership and permissions for the development and production modes. In case you are going to install Magento 2 from scratch, read the pre-installation ownership and permissions requirements to configure everything correctly.

Permissions can be set using either the command line or a file manager application provided by your shared hosting provider. 

Are you looking for the best solution? Check Amasty recommendations.

Magento 2 file system permissions

When you create a file or directory in Magento it provides them with a default set of permissions. However, the default settings can pose security risks to your private data. Thus, if a text file, for instance, has 777 permissions everyone achieve read, write and execute permissions. The 777 showing in the example is named umask or the user file-creation mode mask.

What is umask?

The characteristic is used to set Magento 2 file permissions for newly created files and folders. It is usually expressed through symbolic or octal values.

Octal values: permissions [file manager]

• 0: read/ write/ execute;
• 1: read/ write;
• 2: read/ execute;
• 3: read-only;
• 4: write/ execute;
• 5: write-only;
• 6: execute-only;
• 7: no permissions.

Symbolic values: permissions [command line]

• r: read;
• w: write;
• x: execute;
• u: user ownership (who owns the file);
• g: group ownership (members of a file group who own the file);
• o: other ownership (for all users).

Thus, if umask is set to 077 or $ umask u=rwx,g=,o= that means User* is granted with read, write and execute permissions; Group* and World* are granted with no permissions.

***

User - the owner of a Magento file/ folder;
Group - the owners of a Magento file/ folder or members of a file group;
World - other users outside the User and Group.

Umask and your security level

Magento default umask and recommendations

Magento uses a three-bit mask (002) by default ( with no magento_umask specified), which means:

• 775 for directories: User and Group - read, write, execute permissions; World can traverse the directory. The permissions are generally required by shared hosting providers;
• 664 for files: User and Group - write permission, World - read.

However, Magento suggests using 022 in the magento_umask file that means:

• 755 for directories: User has a full control and Group/World can traverse directories;
• 644 for files: User - read, write; Group/ World - read.

Change default magento_umask via the command line

To configure or change magento_umask you need to:

• Log in to your server or switch to Magento file system owner;
• Set a new value for magento_umask:

for this go to a text editor to create a new file:
<your Magento install dir>/magento_umask, and set magento_umask to a desired value, e.g.: 022;
save the changes and exit the text editor.

Magento 2 file system ownership for shared hosting

Magento file system owner or a command-line user is a user that owns the files and can write to files in the Magento file system.
To apply the one-owner set up, you should log in to your Magento as the same user that utilizes the web server.

¡It’s known to be insecure to run one file system owner and is recommended to deploy Magento on a private server if it’s possible!

The default, developer, production modes: required permissions

In this mode User should be granted with write permission for the next directories:

• vendor
• app/etc
• pub/static
• var
• var/generation
• var/di
• var/view_preprocesse

When deploying a site to the production mode the same directories should be disabled for write permission to boost your security level.

You can set the permission either via the magento command line or a file manager. As long as the file manager provided by your hosting service is unknown for us, we will consider a universal solution or the settings made via the command line: 

How to make code files and directories read-only?

• Log in to your Magento server;
• Change to Magento installation directory;
• Change to the production mode using the command: php bin/magento deploy:mode:set production;
• Enter the next command: find app/code pub/static app/etc var/generation var/di var/view_preprocessed vendor \( -type f -or -type d \) -exec chmod u-w {} \; && chmod o-rwx app/etc/env.php && chmod u+x bin/magento.

How to make files and directories writeable?

• Log in to your Magento server;
• Change to the installation directory;
• Enter the next commands: chmod -R u+w .

To see how to make the settings for private hosting follow the link.

Amasty recommendations for Magento 2 file permissions set up

We normally use the next access permissions:
chown -R admin:www-data /var/www/magento2
find /var/www/magento2 -type f -print0 | xargs -r0 chmod 640
find /var/www/magento2 -type d -print0 | xargs -r0 chmod 750
chmod -R g+w /var/www/magento2/{pub,var}.
However, in case you are to install Magento 2 from the web interface, you should add write permissions for app/etc/ and vendor/:
chmod -R g+w /var/www/magento2/{app/etc,vendor}.
Get more information here.

Magento file permissions check (Amasty advice)

Current Magento file permissions assigned to a file, a Magento media folder permissions can be checked:

• change the directory to the folder containing it and use the /s- / command;
• all the files, folders will be shown in a table where you can split them into three groups: r (read); w (write), x (execute);
• If there is a dash instead of the symbols: r, w, x, that means a definite file permission doesn’t exist.

Directories in the file system must be writable by the web server users and the Magento file system owner.

In case your permissions are not set properly, you’ll see a relevant message in the file manager already after the changes.

Besides, you can find a needed file or folder in the file manager and check the permissions:

• right-click the file, folder;
• choose the ‘Change permissions’ option.

¡File system security is extremely important for e-commerce websites. It’s strongly recommended to address an experienced system administrator before making any changes!

→ Use the Magento file system extension to control and configure permissions for Magento 2 admins easily.