File systems access permissions
This section discusses how to set up the owner or owners of the Commerce file system for a development and production system. Before you continue, review the concepts discussed in Overview of file system ownership and permissions.
This topic focuses on Commerce development and production systems. If you are installing Commerce, see Set pre-installation ownership and permissions.
The sections that follow discuss requirements for one or two file system owners. That means:
-
One user—Typically necessary on shared hosting providers, which allow you to access only one user on the server This user can log in, transfer files using FTP, and this user also runs the web server.
-
Two users—We recommend two users if you run your own Commerce server: one to transfer files and run command-line utilities, and a separate user for the web server software. When possible, this is preferable because it is more secure.
Instead, you have separate users:
-
The web server user, which runs the Admin and storefront.
-
A command-line user, which is a local user account you can use to log in to the server. This user runs Commerce cron jobs and command-line utilities.
-
Production file system ownership for shared hosting (one user)
To use the one-owner setup, you must log in to your Commerce server as the same user that runs the web server. This is typical for shared hosting.
Because having one file system owner is less secure, we recommend you deploy Commerce in production on a private server instead of on shared hosting, if possible.
Set up one owner for default or developer mode
In default or developer mode, the following directories must be writable by the user:
vendor
app/etc
pub/static
var
- Any other static resources
generated/code
generated/metadata
var/view_preprocessed
You can set these permissions using either the command line or a file manager application provided by your shared hosting provider.
Set up one owner for production mode
When you are ready to deploy your site to production, you should remove write access from files in the following directories for improved security:
vendor
app/code
app/etc
pub/static
- Any other static resources
generated/code
generated/metadata
var/view_preprocessed
To update components, install new components, or to upgrade the Commerce software, all of the preceding directories must be read-write.
Make code files and directories read-only
To remove write permissions to files and directories from the web server user’s group:
-
Log in to your Commerce server.
-
Change to your Commerce installation directory.
-
Change to production mode.
code language-bash bin/magento deploy:mode:set production
-
Remove write permissions to the following directories.
code language-bash find app/code var/view_preprocessed vendor pub/static app/etc generated/code generated/metadata \( -type f -or -type d \) -exec chmod u-w {} + && chmod o-rwx app/etc/env.php
-
Make the command-line tool executable.
code language-bash chmod u+x bin/magento
Make code files and directories writable
To make files and directories writable so you can update components and upgrade the Commerce software:
-
Log in to your Commerce server.
-
Change to your Commerce installation directory.
-
Enter the following commands:
code language-bash chmod -R u+w .
Optionally set magento_umask
See Optionally set a umask in the Installation guide.
Production file system ownership for private hosting (two users)
If you use your own server (including a hosting provider’s private server setup), there are two users:
-
The web server user, which runs the Admin and storefront.
Linux systems typically do not provide a shell for this user; you cannot log in to the Commerce server as, or switch to, the web server user.
-
The command-line user, which you log in to your Commerce server as or switch to.
Commerce uses this user to run CLI commands and cron.
note info INFO The command-line user is also referred to as the file system owner.
Because these users require access to the same files, we recommend you create a shared group to which they both belong. The following procedures assume you have already done this.
See one of the following sections:
- Two file system owners in developer or default mode
- Two file system owners in production mode
Set up two owners for default or developer mode
Files in the following directories must be writable by both users in developer and default mode:
var
generated
pub/static
pub/media
app/etc
Set the bit on directories so permissions always inherit from the parent directory.
setgid
applies only to directories, not to files.In addition, the directories should be writable by the web server group. Because content might exist in these directories, add the permissions recursively.
Set permissions and setgid
To set setgid
and permissions for developer mode:
-
Log in to your Commerce server as, or switch to, the file system owner.
-
Enter the following commands in the order shown:
code language-bash cd <magento_root>
code language-bash find var generated pub/static pub/media app/etc -type f -exec chmod g+w {} +
code language-bash find var generated pub/static pub/media app/etc -type d -exec chmod g+ws {} +
Two file system owners in production mode
When you are ready to deploy your site to production, you should remove write access from files in the following directories for improved security:
vendor
app/code
app/etc
lib
pub/static
- Any other static resources
generated/code
generated/metadata
var/view_preprocessed
Make code files and directories read-only
To remove writable permissions to files and directories from the web server user’s group:
-
Log in to your Commerce server.
-
Change to your Commerce installation directory.
-
As the file system owner, enter the following command to change to production mode:
code language-bash bin/magento deploy:mode:set production
-
Enter the following command as a user with
root
privileges:code language-bash find app/code lib pub/static app/etc generated/code generated/metadata var/view_preprocessed \( -type d -or -type f \) -exec chmod g-w {} + && chmod o-rwx app/etc/env.php
Make code files and directories writable
To make files and directories writable so you can update components and upgrade the Commerce software:
-
Log in to your Commerce server.
-
Change to your Commerce installation directory.
-
Enter the following command:
code language-bash find app/code lib var generated vendor pub/static pub/media app/etc \( -type d -or -type f \) -exec chmod g+w {} + && chmod o+rwx app/etc/env.php