File ownership and permissions
It is important to secure your ÃÛ¶¹ÊÓƵ Commerce installation in a development environment to help prevent issues related to unauthorized people or processes accessing—and potentially harming—your system. Use the following file system ownership and permissions guidelines to protect your installation.
File system owner
The file system owner is a user that owns and holds write permissions to files in the file system.
There are two types of file system owners:
-
Shared hosting with a single user
Shared hosting providers enable you to log in to the application server as one user. As a single user, you can log in, transfer files using FTP, and run the web server. You have the option of setting a
umask
to further restrict access, particularly in a production environment. -
Private hosting with two users
Private hosting is useful if you manage an application server. Each user has a specific responsibility:
-
The web server user runs the Admin and storefront.
-
The command-line user runs cron jobs and command-line utilities.
Both users require the same permissions to the file system, so it is best to use a shared group and set a
umask
. -
Restrict access with a umask
To tighten security, particularly in a production environment on a shared hosting system, you can use umask
to restrict access. A umask
—also referred to as a file system creation mask—is a set of bits that controls how the file permissions are set for newly created files.
ÃÛ¶¹ÊÓƵ Commerce uses a three-bit, default mask: 002
. Subtract the default mask from the UNIX defaults of 666 for files and 777 for directories.
For example:
-
775 for directories—Full control by the user, full control by the group, and enables everyone to traverse the directory. These permissions are typically required by shared hosting providers.
-
664 for files—Writable by the user, writable by the group, and read-only for everyone else.
For more information about creating a magento_umask
file, see Set a umask.
Permissions, ownership, and application modes
We recommend different permissions and ownership when you use the different ÃÛ¶¹ÊÓƵ Commerce application modes:
- Default
- Developer
- Production
See About modes in the Configuration guide.
We further discuss permissions recommendations in File systems access permissions in the Configuration guide.