Magento – 403 error while installing Magento – is the install guide correct


I am following the installation directions on the Magento site at http://www.magentocommerce.com/knowledge-base/entry/install-privs-before and right after changing the file permissions to 600 for files and 700 for directories, I am faced with a 403 Forbidden error (with no surprise as I'm restricting access to the general public) when I go to the install page and the root Magento directory (it's in a subfolder).

I have followed the directions just as they are listed and even chowned the install directory for the apache user which I had to look up (it's a shared hosting environment so it was just my username.)

find . -type d -exec chmod 700 {} \;
find . -type f -exec chmod 600 {} \;

While I'm pretty sure this could be easily fixed by changing the permissions to 755 for directories and 644 for files, I am very curious as to why the installation guide would tell me to change them to 600 for files and 700 for directories, when that simply doesn't work.

I'd like to keep this process as secure as possible as it is for a client and stick with what Magento recommends. But why would they recommend something that doesn't work?

Is there something I am missing? Is there a more secure way to install Magento?

Best Answer

TL;DR version of why Magento gives those instructions: you want things to be writable during installation (700 directories and 600 files), then afterwards assign ownership to the web server running user and restrictive permissions (500 directories, 400 files) that allow read only, except for the media/ and var/ directories.

This will work on a server that has been set up specifically with security in mind. Web servers can have a lot of variation in their setup especially shared hosts.

Your system sounds like it needs group and/or global read permissions for the web server to read your login user owned files. Check to see who owns the var/cache/ sub folders and the files they contain, you probably will find it's different.

From the question, you didn't get to the next step. They then have the After Installation settings which are even more restrictive.

Running recommendation is:

500 for directories
400 for files

For media/ and var/:
700 for directories
600 for files

The key to understanding all this is the need to know the server user.

On a dedicated server, in the instructions they tell you how to find the server user by checking the apache2.conf or httpd.conf file for the User config line.

Typically, this will be something like nobody or www-data.

And so with this bit of information, on a dedicated server you then assign all directories and files to be owned by the server user:

chown -R {web-server-user-name-here} .

On a hosted system, if you're using Apache MPM-ITK or LiteSpeed, the web server will run with your login name as the server user.

Once the ownership is set properly then you change all the directories and files as follows:

find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php

Now comes the massive headache part. Any time you upload files you no longer have write permissions except where you have allowed them (var/, media/) so every time you want to do maintenance outside these folders, you must change everything back by:

find . -type d -exec chmod 700 {} \;
find . -type f -exec chmod 600 {} \;

And on the dedicated server, also probably change ownership to the login user name so you will have permission to write stuff.

Also, if you used Magento Connect (on dedicated server, leave ownership as the web server user), anything it installs will be given 777 permissions.

Because you have to remember to undo and redo the process every time you change something, or are running on a system where the web server needs group/global read permissions, the following permissions have probably become the de facto standard among less technically skilled website owners:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod o+w var app/etc
chmod 550 mage
chmod -R o+w media
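The lockdown / maintenance / audit cycle the answer describes, as an added example that is not part of the original post or of Magento's own instructions. The functions below implement the "after installation" scheme (500/400 everywhere, 700/600 under var/ and media/ and for includes/config.php), the switch back to 700/600 for maintenance, and a check for world-writable paths such as the 777 entries the answer says Magento Connect leaves behind. The directory tree is constructed here as sample data; the script assumes GNU or BSD find and stat and does not change ownership (run chown -R to the web server user first, as the answer says).

```shell
#!/bin/sh
# Added example: Magento permission helpers. Not from the Magento docs.
set -eu

# Print the octal permission bits of a path (GNU stat first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "After installation" lockdown: read-only for the owner (500 dirs, 400
# files); var/ and media/ stay writable (700 / 600); includes/ gets 700
# and includes/config.php 600. Directory modes are set in pre-order, so
# find can still descend (owner keeps r+x) while it chmods.
lockdown() {
    root=$1
    find "$root" -type f -exec chmod 400 {} \;
    find "$root" -type d -exec chmod 500 {} \;
    for d in var media; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 700 {} \;
            find "$root/$d" -type f -exec chmod 600 {} \;
        fi
    done
    if [ -d "$root/includes" ]; then
        chmod 700 "$root/includes"
        if [ -f "$root/includes/config.php" ]; then
            chmod 600 "$root/includes/config.php"
        fi
    fi
}

# Maintenance mode: back to owner-writable (700 dirs / 600 files) so files
# outside var/ and media/ can be uploaded or edited. Run lockdown afterwards.
unlock() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# Audit: print every world-writable file or directory, one per line
# (e.g. 777 entries left by Magento Connect, or "chmod o+w var app/etc").
# Empty output means nothing under the root is world-writable.
world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Constructed sample tree shaped like a Magento root, with one file
# deliberately left 777 to simulate a Connect-installed extension file.
make_sample_tree() {
    root=$1
    mkdir -p "$root/app/etc" "$root/includes" "$root/var/cache" "$root/media/catalog"
    : > "$root/index.php"
    : > "$root/app/etc/local.xml"
    : > "$root/includes/config.php"
    : > "$root/var/cache/mage--0"
    : > "$root/media/catalog/image.jpg"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    chmod 777 "$root/var/cache/mage--0"
}

# Stand-alone demo on a throwaway tree when run without arguments.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "World-writable before lockdown:"; world_writable "$demo"
    lockdown "$demo"
    echo "World-writable after lockdown:";  world_writable "$demo"
    printf '%s %s\n' "$(mode_of "$demo/index.php")" "$demo/index.php"
    printf '%s %s\n' "$(mode_of "$demo/var/cache/mage--0")" "$demo/var/cache/mage--0"
    unlock "$demo"
    rm -rf "$demo"
fi
```

Source the file and call `lockdown /path/to/magento` after a Connect install or a maintenance window, then `world_writable /path/to/magento` to confirm nothing was left at 777. On a shared host where the web server runs as a different user than your login, the 400/500 scheme will reproduce the 403 from the question; in that case the answer's group/global read advice (644/755) applies, and the audit function is still worth running because it also flags the `o+w` directories in the "de facto standard" block above.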