Magento 1.9 Security – Recommended File System Ownership and Privileges

magento-1.9Security

I need help for recommended privileges on my dedicated server.

My dedicated server is installed with Debian and on the official documentation of Magento it's recommended to follow the following instructions :

Dedicated Magento server only. As a user with root privileges :

chown -R web-server-user-name .

Enter the following commands to set permissions:

find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php

On stackexchange posts, the main users use the following privileges:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
find var/ -type d -exec chmod 777 {} \;

What is the most secure configuration?

How to secure the app folder and the local.xml?

How to secure the downloadable folder files?

And what are the privileges for run cron?

Best Answer

A rule of thumb is: Be as restrictive as possible while allowing as much as necessary.

This suggestion is the most restrictive:

chown -R web-server-user-name .

find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php

web server user is owner
files can be read only by the owner, written only by root
directories can be read and opened only by the owner, written only by root
except var, media and includes - these directories can also be written by the owner

But this setup only works if

the Magento cronjob is run by the web server user as well (this is not a problem, use crontab -u web-server-user -e as root to set up the crontab
you can deploy the files with root permissions and then set ownership and permissions. This means, you have to set up SSH access for the root user which opens a different possible attack vector.

For that last reason, I'd consider the following setup more secure:

Full write access to owner, restrictive access to web server user

chown -R ssh-user-name:web-server-user-name .

find . -type f -exec chmod 640 {} \;
find . -type d -exec chmod 750 {} \; 
find var/ -type f -exec chmod 660 {} \; 
find media/ -type f -exec chmod 660 {} \;
find var/ -type d -exec chmod 770 {} \; 
find media/ -type d -exec chmod 770 {} \;
chmod 770 includes
chmod 660 includes/config.php

Now the web-server-user-name group has the same permissions as before, but additionally the ssh-user-name user has write access. other users still have zero permissions, and it is not necessary to deploy the files as root user.

How to secure the app folder and the local.xml?

These are already secured against access from the web via .htaccess. On a file system level, they get the same protection as any other file (see above).

How to secure the downloadable folder files?

Delete it. Seriously. Or read: Recommended method to protect /downloader?

And what are the privileges for run cron?

Run the cron as web server user (see above)

Related Solutions

Magento Security – Recommended Method to Protect /downloader

Just put a .htaccess (or if nginx/whatever a config) into the downloader directory with Disallow from all in it to forbid any request on the directory.

If you wanted to allow a few IP addresses in (like your own), try something like this in your .htaccess

order deny,allow
deny from all
allow from 1.2.3.4 5.6.7.8

Where 1.2.3.4 and 5.6.7.8 are IP addresses you want to let through.

My prefered way: Just delete downloader

Magento – What permissions schema should I use when deploying Magento securely

I'm working on a solution that feels right, but this is by no means authoritative. I'd love to get feedback or questions. Here it is:

The setup involves two users:

The deploy user in the deploy group: the user who writes to the server during deployments via rsync/SSH.
The apache user in the apache group: the user that Apache runs Magento as.

The general philosophy is to have the entire Magento directory chowned as deploy:apache and have the folders that require operational write access be group-writable. Step-by-step that should get you there:

As root, create the virtual host's HTTP root, say, /var/www/html and chown it as deploy:apache, setting the setgid sticky bit:
```
mkdir /var/www/html
chown deploy:apache /var/www/html
chmod g+s /var/www/html
```
Deploy the Magento code via rsync/SSH using the deploy user. All files and folders should now be owned deploy:apache.

As the deploy user, set /var and /media to group-writable.

chmod g+w /var/www/html/var
chmod g+w /var/www/html/media

Remove umask(0) in the Magento code to use the OS's default 022 or set explicitly to umask(022).
New temp files and folders should be owned by apache:apache and be 755 or 644.
Your setup is good and shouldn't require additional actions during future deploys.

This approach is consistent with the Magento wiki article that recommends the group permissions and fleshes it out a bit. It also seems to be rather close to what this gist by svenvarkel I found does. I see its advantages over the approach to setting the files as owned by the Apache user in that that approach requires you to use the Apache user to deploy and depending on implementation, it either requires constant toggling of write permissions for deployments or leaves the core writable by the Apache user.

I'd love to receive comments or critiques on my proposed approach.