File systems access permissions

This section discusses how to set up the owner or owners of the Magento file system for a development and production system. Before you continue, review the concepts discussed in Overview of file system ownership and permissions.

This topic focuses on Magento development and production systems. If you are installing Magento, see Set pre-installation ownership and permissions.

The sections that follow discuss requirements for one or two Magento file system owners. That means:

  • One user: Typically necessary on shared hosting providers, which allow you to access only one user on the server. This user can log in, transfer files using FTP, and also runs the web server.

  • Two users: We recommend two users if you run your own Magento server: one to transfer files and run command-line utilities, and a separate user for the web server software. When possible, this is preferable because it’s more secure.

    With two users, the roles are separated:

    • The web server user, which runs the Magento Admin (including Setup Wizard) and storefront.

    • A command-line user, which is a local user account you can use to log in to the server. This user runs Magento cron jobs and command-line utilities.

Production file system ownership for shared hosting (one user)

To use the one-owner setup, you must log in to your Magento server as the same user that runs the web server. This is typical for shared hosting.

Because having one file system owner is less secure, we recommend you deploy Magento in production on a private server instead of on shared hosting, if possible.

Set up one owner for default or developer mode

In default or developer mode, the following directories must be writable by the user:

  • vendor
  • app/etc
  • pub/static
  • var
  • Any other static resources
  • generated/code
  • generated/metadata
  • var/view_preprocessed

You can set these permissions using either the command line or a file manager application provided by your shared hosting provider.

Set up one owner for production mode

When you are ready to deploy your site to production, you should remove write access from files in the following directories for improved security:

  • vendor
  • app/code
  • app/etc
  • pub/static
  • Any other static resources
  • generated/code
  • generated/metadata
  • var/view_preprocessed

To update or install components, or to upgrade the Magento software, all of the preceding directories must be read-write.

Make code files and directories read-only

To remove write permissions to files and directories from the web server user’s group:

  1. Log in to your Magento server.

  2. Change to your Magento installation directory.

  3. Change to production mode.

    bin/magento deploy:mode:set production

  4. Remove write permissions to the following directories.

    find app/code var/view_preprocessed vendor pub/static app/etc generated/code generated/metadata \( -type f -or -type d \) -exec chmod u-w {} + && chmod o-rwx app/etc/env.php && chmod u+x bin/magento

Make code files and directories writable

To make files and directories writable so you can update components and upgrade the Magento software:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. Enter the following commands:

    chmod -R u+w .

Optionally set magento_umask

The web server group must have write permissions to certain directories in the Magento file system; however, you might want tighter security, especially in production. We provide the flexibility for you to further restrict those permissions using a umask.

Our solution is to enable you to optionally create a file named magento_umask in your Magento root directory that restricts permissions for the web server group and everyone else.

We recommend changing the umask on a one-user or shared hosting system only. If you have a private Magento server, the group must have write access to the Magento file system; the umask removes write access from the group.

The default umask (with no magento_umask specified) is 002, which means:

  • 775 for directories, which means full control by the user, full control by the group, and enables everyone to traverse the directory. These permissions are typically required by shared hosting providers.

  • 664 for files, which means writable by the user, writable by the group, and read-only for everyone else.

A common suggestion is to use a value of 022 in the magento_umask file, which means:

  • 755 for directories: full control for the user, and everyone else can traverse directories.
  • 644 for files: read-write permissions for the user, and read-only for everyone else.

To set magento_umask:

  1. In a command line terminal, log in to your Magento server as a Magento file system owner.
  2. Navigate to the Magento install directory:

    cd <Magento install directory>

  3. Use the following command to create a file named magento_umask and write the umask value to it.

    echo <desired umask number> > magento_umask

    You should now have a file named magento_umask in the <Magento install dir> with the only content being the umask number.

  4. Log out and log back in as the Magento file system owner to apply the changes.

Production file system ownership for private hosting (two users)

If you use your own server (including a hosting provider’s private server setup), there are two users:

  • The web server user, which runs the Magento Admin (including the Setup Wizard) and storefront.

    Linux systems typically do not provide a shell for this user; you cannot log in to the Magento server as, or switch to, the web server user.

  • The command-line user, which you log in to your Magento server as or switch to.

    Magento uses this user to run Magento CLI commands and cron.

    The command-line user is also referred to as the Magento file system owner.

Because these users require access to the same files, we recommend you create a shared group to which they both belong. The following procedures assume you have already done this.

See one of the following sections, depending on your deployment mode:

Set up two owners for default or developer mode

Files in the following directories must be writable by both users in developer and default mode:

  • var
  • generated
  • pub/static
  • pub/media
  • app/etc

Set the setgid bit on directories so permissions always inherit from the parent directory.

setgid applies to directories only, not to files.

In addition, the directories should be writable by the web server group. Because content might already exist in these directories, add the permissions recursively.

Set permissions and setgid

To set setgid and permissions for developer mode:

  1. Log in to your Magento server as, or switch to, the Magento file system owner.
  2. Enter the following commands in the order shown:

    cd <magento_root>

    find var generated pub/static pub/media app/etc -type f -exec chmod g+w {} + && \
    find var generated pub/static pub/media app/etc -type d -exec chmod g+ws {} +

Two Magento file system owners in production mode

When you are ready to deploy your site to production, you should remove write access from files in the following directories for improved security:

  • vendor
  • app/code
  • app/etc
  • lib
  • pub/static
  • Any other static resources
  • generated/code
  • generated/metadata
  • var/view_preprocessed

Make code files and directories read-only

To remove write permissions to files and directories from the web server user’s group:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. As the Magento file system owner, enter the following command to change to production mode:

    bin/magento deploy:mode:set production

  4. Enter the following command as a user with root privileges:

    find app/code lib pub/static app/etc generated/code generated/metadata var/view_preprocessed \( -type d -or -type f \) -exec chmod g-w {} + && chmod o-rwx app/etc/env.php
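
As an added example (not from the Magento documentation), the following POSIX shell audit checks a Magento root against the two-owner rules from the developer-mode procedure (group write plus setgid on the shared directories) and the production procedure just above (no group write on the code directories, no "other" bits on app/etc/env.php). The function names, the directory lists and the constructed sample tree are this example's own; it assumes GNU or BSD find for the octal -perm tests.

```shell
# Added example (not from the Magento documentation): audit a Magento root against the
# two-owner rules above. "developer": files in the shared dirs are group-writable and their
# directories carry g+ws (setgid) so new files inherit the group. "production": the code dirs
# have no group-write bit, app/etc/env.php has no "other" bits, bin/magento is executable.
# Assumes GNU or BSD find (octal -perm tests); the sample tree below is constructed.
MAGENTO_SHARED_DIRS="var generated pub/static pub/media app/etc"
MAGENTO_RO_DIRS="app/code lib pub/static app/etc generated/code generated/metadata var/view_preprocessed"

# count_matching <path> <find tests...>: entries under <path> matching the tests (0 if absent)
count_matching() { [ -e "$1" ] || { echo 0; return; }; p="$1"; shift; find "$p" "$@" | wc -l | tr -d ' '; }

# audit_magento_perms <magento_root> production|developer
# Prints one line per violated rule; returns the number of violated rules (0 = clean).
audit_magento_perms() {
    root="$1"; mode="$2"; bad=0
    if [ "$mode" = production ]; then
        for d in $MAGENTO_RO_DIRS; do
            n=$(count_matching "$root/$d" \( -type f -o -type d \) -perm -020)
            [ "$n" -eq 0 ] || { echo "$d: $n group-writable entries"; bad=$((bad + 1)); }
        done
        n=$(count_matching "$root/app/etc/env.php" \( -perm -004 -o -perm -002 -o -perm -001 \))
        [ "$n" -eq 0 ] || { echo "app/etc/env.php: accessible by others"; bad=$((bad + 1)); }
        [ -x "$root/bin/magento" ] || { echo "bin/magento: not executable"; bad=$((bad + 1)); }
    else
        for d in $MAGENTO_SHARED_DIRS; do
            n=$(count_matching "$root/$d" -type f ! -perm -020)
            [ "$n" -eq 0 ] || { echo "$d: $n files not group-writable"; bad=$((bad + 1)); }
            n=$(count_matching "$root/$d" -type d ! -perm -2020)
            [ "$n" -eq 0 ] || { echo "$d: $n directories missing g+ws"; bad=$((bad + 1)); }
        done
    fi
    return "$bad"
}

# make_demo_tree: constructed Magento-like tree in a temp dir, hardened with the page's
# two-owner production command; prints its path
make_demo_tree() {
    t=$(mktemp -d)
    for f in app/code/Vendor/Module.php app/etc/env.php lib/x.php pub/static/a.css \
             pub/media/logo.png generated/code/a.php generated/metadata/m.php \
             var/view_preprocessed/b.css bin/magento; do
        mkdir -p "$t/${f%/*}" && : > "$t/$f"
    done
    chmod u+x "$t/bin/magento"
    (cd "$t" && find app/code lib pub/static app/etc generated/code generated/metadata \
        var/view_preprocessed \( -type d -or -type f \) -exec chmod g-w {} + && chmod o-rwx app/etc/env.php)
    echo "$t"
}

demo=$(make_demo_tree)
if audit_magento_perms "$demo" production; then echo "production audit: clean"; fi
rm -rf "$demo"
```

Run the audit against a real install as the Magento file system owner after each deployment; any output line is a directory the web server group can still modify, or a secrets file others can read.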

Make code files and directories writable

To make files and directories writable so you can update components and upgrade the Magento software:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. Enter the following command:

    find app/code lib var generated vendor pub/static pub/media app/etc \( -type d -or -type f \) -exec chmod g+w {} + && chmod o+rwx app/etc/env.php