Yireo - Extensions, tutorials and blog for Magento and Joomla!


World-writable permissions in Magento

Saturday, 19 September 2009

When installing Magento, you place the setup files in the proper directory of your webserver. But in many cases it is also wise to check the ownership and permissions of all the files: 666 is evil and 777 is far too much. It is also easiest to keep all files owned by the webserver user. But what happens when Magento creates new files itself, for instance when installing new modules?

666 is evil

Good permissions on a webserver are always needed. Mode 666 in UNIX terms means a file is writable by every user on that UNIX system, which is a very dangerous thing to do. It is best to make all files writable only by the webserver user (for instance "web" or "apache") and read-only to everybody else.

Mode 666 sometimes brings extra annoyance: if you're running PHP in so-called CGI mode, your webserver could be configured to refuse dangerous situations. If the mode is set to 666 or 777, the PHP parser might simply stop parsing and your application crashes. This behaviour may apply to all files in your web environment, but especially to the "entry points" of your application.

An "entry point" is basically the file at which PHP begins parsing your application. With Magento and Joomla! this is the file called "index.php". MageBridge adds a second entry point to Magento, called "magebridge.php". From the entry point other PHP scripts are included, but PHP in CGI mode treats the entry point as the most important file, so that file in particular needs correct permissions.

Adding new modules in Magento

After installing Magento you might have fixed all file permissions to be correct and secure. But as soon as you add new extensions to Magento, files are copied from the installation package to their final destination, and the permissions at that destination are set at that moment.

By default, however, Magento will again add world-writable permissions. This is due to a little line of code in the Magento entry point "index.php":

umask(0);

Setting the umask to 0 basically means: remove none of the permission bits from the default creation mode, which is 666 for files and 777 for directories (everything enabled). So a umask of 0 results in mode 666 for files and mode 777 for directories. This of course adds security risks, but with MageBridge it also caused PHP Fatal Errors, because the new entry point "magebridge.php" also got permissions that are too open for CGI environments.

Fix index.php

The solution is simple but effective: replace the umask with a umask that actually makes sense. In many environments this means using modes like 644 for files and 755 for directories, which is accomplished through umask 022:

umask(022);
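To see what the umask(0) line does versus the umask(022) fix, here is an added example (not part of the original post or of Magento/MageBridge) that creates a file and a directory under each umask, the same way an extension install running under index.php would, and then audits the result for the world-write bit. The file name "magebridge.php" and the directory "local" are constructed sample names.

```python
import os
import stat
import tempfile

# Modes requested before the umask is applied: 0666 for files (PHP's fopen(),
# Python's open()) and 0777 for mkdir(); umask(0) keeps all of these bits.
def effective_mode(requested, umask):
    """Permission bits the kernel keeps: the umask bits are removed."""
    return requested & ~umask & 0o777

def is_world_writable(mode):
    """True when the 'other' write bit (the last 6 in 666) is set."""
    return bool(mode & stat.S_IWOTH)

def find_world_writable(root):
    """Audit helper: paths under root whose mode has the world-write bit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if is_world_writable(stat.S_IMODE(os.lstat(path).st_mode)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def install_under_umask(umask):
    """Create one file and one directory the way an extension install running
    under index.php would with the given umask, and report what came out."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            file_path = os.path.join(tmp, "magebridge.php")  # constructed sample
            with open(file_path, "w") as fh:                  # requests 0666
                fh.write("<?php\n")
            dir_path = os.path.join(tmp, "local")             # requests 0777
            os.mkdir(dir_path)
            return {
                "file": stat.S_IMODE(os.stat(file_path).st_mode),
                "dir": stat.S_IMODE(os.stat(dir_path).st_mode),
                "world_writable": find_world_writable(tmp),
            }
    finally:
        os.umask(old)

if __name__ == "__main__":
    for mask in (0o000, 0o022):  # umask(0) as shipped vs. the umask(022) fix
        r = install_under_umask(mask)
        print("umask %03o -> file %03o dir %03o world-writable: %s"
              % (mask, r["file"], r["dir"], r["world_writable"] or "none"))
```

Running find_world_writable() against a real Magento document root is a quick way to check whether an earlier extension install has already left 666/777 files behind.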

Modifying the file "index.php" might sound like a core hack, but with Magento this is actually kind of ok. Many other configurations, like multi-domain setups or tricks like special stores on special days, require "index.php" to be modified anyway.
