
Magento Chmod – Secure Permissions for Magento 1.x




There is no point in setting something up if it is not secure. Millions of bots scan Magento stores for known vulnerabilities. Set up your Magento store securely and you will have no outages caused by attackers, and a secure store is also a profitable one.

This guide is for an existing, properly set up Magento server

This guide is for people who know how to set up servers properly. That implies:

  • You are running on a VPS or dedicated server
  • You are using Nginx to host your Magento installation
  • You have configured PHP-FPM to run as the owner of the Magento files, e.g. site1
  • You have configured the nginx user to be a member of the website user's group

OR

  • You have ordered one of our server setup products.

Secure file permissions on new servers

Ownership (chown)

Everything should be owned by the website user, i.e. chown -R site1:site1 on the document root.

In the standard setup, files are uploaded via SFTP by that user.
PHP runs under that same user, so the website owner can always access the website files, and thus the PHP engine can access them too. That holds as long as the site user does not revoke his own permissions, whether on purpose or by mistake.

The only issue that can arise is an incorrect chmod which prevents the web server user (nginx, a member of the site user's group) from reading the files.
Follow the chmod rules below and the website will have no permission issues while staying very secure.

Rule of thumb for the owner chmod digit (the first octal number)

For directories

  • Set the owner digit to 7 for directories which require write access by PHP
  • Set the owner digit to 5 for directories which require read-only access by PHP

For files

  • Set the owner digit to 6 for files which require write access by PHP
  • Set the owner digit to 4 for files which require read-only access by PHP

Rule of thumb for the group chmod digit (the middle octal number)

For directories

  • Set the group digit to 5 (i.e. 750) on directories that hold static assets (images, CSS, JavaScript, etc.)
  • Set the group digit to 0 (i.e. 700) on directories that don't require direct access by the web server (directories containing PHP files only)

For files

  • Set the group digit to 6 (i.e. 660) on files that require write access by the web server itself (not PHP); this is almost never needed
  • Set the group digit to 4 (i.e. 640) on static asset files
  • Set the group digit to 0 (i.e. 600) on PHP files

Rule of thumb for the "other" chmod digit (the last octal number)

Set it to 0, always! Nothing outside the site user and the web server group has any business reading the tree.

Example

We have a directory with static files only: /var/www/example.com/httpdocs/News

  1. We want the website user (PHP) to be able to read and write to that directory, because we want to manage it via a PHP file manager.
    So the owner digit is 7 for the directory.
  2. We want the web server user to be able to read the files there directly, without going through the PHP engine (just serve the jpg files).
    So the group digit is 5 for the directory.

We get chmod 750 for the directory (remember, the last digit is always 0).

Applying the same rules to the files within that directory gives the correct chmod for them: 640.

Apply the chmod and be happy and secure.

Secure Magento after going live

For a Magento 1.x website with the standard directory structure, the following may be applied after the website goes to production.
Note! This is a "lockdown" chmod: the website user won't be able to write to the Magento core, for security.
For more information, read the manual.

The only major addition to the manual here is giving read access to the group (the web server) on the media directory, since the web server runs under a different user than PHP.

The following will cause some "downtime", because the permissions are applied strictest-first and then relaxed with each command.
nginx may also have to be restarted if open_file_cache is enabled, because it may cache the "inaccessible" status of files that visitors request while the commands are running:

find . -type f -exec chmod 400 {} \; # this makes every file (PHP files with odd extensions included) readable by the PHP-FPM user only
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 750 {} \;
find media/ -type f -exec chmod 640 {} \;
chmod 700 includes
chmod 600 includes/config.php
# Cron script should always be executable (by the owner only; a bare +x would also grant "other" execute, which breaks the always-0 rule)
chmod u+x cron.sh
chmod g+r favicon.ico
chmod g+rX errors errors/default
chmod -R g+rX errors/default/{css,images}
find js ! -name '*.php' -exec chmod g+rX {} \;
find skin ! -name '*.php' -exec chmod g+rX {} \;
chmod 0640 sitemap.xml
# finally make sure that directory itself is accessible to nginx (group):
chmod g+rX .

If nginx logs "rewrite or internal redirection cycle while processing "/index.php"", it cannot stat index.php at all because the document root is not accessible to its group; that is what the final chmod g+rX . above fixes.

This is also an extreme lockdown, because only a handful of directories and files are whitelisted as accessible to NGINX.

To make this a no-downtime lockdown, you would invert the commands so that they mostly remove permissions instead of setting exact ones (TODO).
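The script below is an added example of that inverted, subtractive approach; it is not the author's code and not taken from the article. It implements the rules of thumb from the "Secure file permissions on new servers" section and ends in the same state as the lockdown commands above, but every step only removes bits that nginx never needs, so the store keeps serving throughout, and an audit function lists anything that still breaks the rules. It assumes the setup described at the top of the page (files owned by the site user, PHP-FPM running as that user, nginx in that user's group) and GNU find/stat. The whitelist of what nginx may read is the article's, plus robots.txt, which is an addition here. The tree built by make_sample_tree is constructed test data, not a real store, and the chattr step is left out because it needs root.

```shell
#!/bin/sh
# Added example, not code from the original article. Subtractive lockdown of a
# Magento 1.x document root: each step only removes bits nginx never needs, so
# the store keeps serving while it runs. Assumes files owned by the site user,
# PHP-FPM running as that user, nginx in that user's group, and GNU find/stat.

# Octal mode of a path (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Body is a subshell so the caller's working directory is untouched.
lockdown_magento() (
    cd "$1" || exit 1
    # 1. "other" is always 0.
    chmod -R o-rwx .
    # 2. Code is for PHP-FPM only and read-only: no group bits, no owner
    #    write/exec. var/ is skipped because Magento keeps writing there.
    find . -type f ! -path './var/*' \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.sh' -o -name '.htaccess*' \) \
        -exec chmod u-wx,g-rwx {} +
    # 3. Everything else: nginx needs group read at most, never write or exec.
    find . -type f -exec chmod g-wx {} +
    find . -type d -exec chmod g-w {} +
    # 4. Whitelist: whatever nginx does not serve loses group access entirely
    #    (the article's list, plus robots.txt as an addition here).
    for entry in * .[!.]*; do
        [ -e "$entry" ] || continue
        case $entry in
            media|errors|js|skin|favicon.ico|sitemap.xml|robots.txt) ;;
            *) chmod -R g-rwx "$entry" ;;
        esac
    done
    # Inside errors/ only the default theme's css and images are static assets.
    if [ -d errors ]; then
        find errors -mindepth 1 ! -path 'errors/default' \
            ! -path 'errors/default/css*' ! -path 'errors/default/images*' \
            -exec chmod g-rwx {} +
    fi
    # 5. The owner (PHP) keeps write only where Magento writes at runtime.
    find . -type d ! -path './var' ! -path './var/*' ! -path './media' \
        ! -path './media/*' ! -path './includes' -exec chmod u-w {} +
    find . -type f ! -path './var/*' ! -path './media/*' \
        ! -path './includes/config.php' ! -path './sitemap.xml' -exec chmod u-w {} +
    # 6. Owner bits step 2 removed that the site needs; adding owner bits never
    #    changes what nginx can read, so this causes no downtime either.
    if [ -f includes/config.php ]; then chmod u+w includes/config.php; fi
    if [ -f cron.sh ]; then chmod u+x cron.sh; fi
)

# Lists every entry that still breaks the article's rules on stderr and fails
# if there is at least one; run it before and after the lockdown.
audit_magento() {
    [ -d "$1" ] || return 1
    report=$(cd "$1" && {
        find . -perm /o=rwx -printf 'world-accessible: %p\n'
        find . -type f \( -name '*.php' -o -name '*.phtml' \) \
            ! -path './includes/config.php' \
            \( -perm /g=rwx -o -perm /u=w \) -printf 'php-exposed: %p\n'
        find media js skin -type f ! -name '*.php' ! -name '.htaccess*' \
            ! -perm -g=r -printf 'not-servable: %p\n' 2>/dev/null
    })
    if [ -n "$report" ]; then
        printf '%s\n' "$report" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree (not a real store), left world-readable on purpose.
make_sample_tree() {
    r=$1
    mkdir -p "$r/app/etc" "$r/includes" "$r/var/cache" "$r/media/catalog/product" \
             "$r/js/mage" "$r/skin/frontend" "$r/errors/default/css" "$r/lib"
    for f in index.php cron.sh cron.php .htaccess favicon.ico sitemap.xml \
             app/etc/local.xml includes/config.php var/cache/mage---abc \
             media/catalog/product/a.jpg js/mage/cookies.js js/index.php \
             skin/frontend/styles.css errors/default/css/styles.css \
             errors/report.php errors/default/page.phtml lib/Zend.php; do
        : > "$r/$f"
    done
    find "$r" -type d -exec chmod 755 {} +
    find "$r" -type f -exec chmod 644 {} +
    chmod 755 "$r/cron.sh"
}
```

Run it as the site user, e.g. lockdown_magento /var/www/example.com/httpdocs followed by audit_magento on the same path, and only then apply the chattr step from the next section as root. Because the owner loses write access in step 5, the audit will flag a PHP file as "php-exposed" if anything later restores write on it, which is exactly the symptom of a compromised or misconfigured deploy.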

Lock down Chmod of PHP files (most important)

This needs to be run by a sudo user, since chattr requires root (it works on ext2/3/4 and XFS). Remember to clear the flag again with chattr -i before upgrading Magento or installing extensions, otherwise those files cannot be replaced, not even by root:

sudo find . -type f -name "*.php" -exec chattr +i {} \; # finalize by preventing PHP changing our chmod back

These commands:

  • allow PHP to write only to the var directory and to the includes/config.php file
  • prevent PHP from changing core files: if a malicious file is executed, it won't be able to modify the core
  • allow the web server to read static files

Naturally, if there is an additional directory with images, CSS, etc., treat it like media (see the example above).

Identify the directories containing static files (the -name tests have to be combined with -o, otherwise find requires one file to match every pattern and returns nothing):

find . -type f \( -name '*.jpg' -o -name '*.png' -o -name '*.gif' -o -name '*.css' -o -name '*.js' \) -printf '%h\n' | sort -u

On sites with multiple SSH users per site

Run the commands above first.
Then, before accessing Magento via the browser for the first time, set the setgid bit on the writable directories, so that files created there by any SSH user inherit the directory's group and stay accessible to the rest of the site's group:

find var/ -type d -exec chmod g+s {} \;
find media/ -type d -exec chmod g+s {} \;
chmod g+s includes
# setgid only has this group-inheritance effect on directories; on a regular file such as includes/config.php it does nothing useful, so it is not needed there
