Contents
- Overview of ownership and permissions
- Create a user and give the user a strong password
- Options for shared groups
- Switch to the Magento file system owner
Totally lost? Need a helping hand? Try our installation quick reference (tutorial) or installation roadmap (reference).
Overview of ownership and permissions
Even in a development environment, you want your Magento installation to be secure. To help prevent unauthorized people or processes from doing potentially harmful things to your system, we recommend the following guidelines for file system ownership and security:
- The web server user should not own the files and directories on the Magento file system; however, the web server user must have write access to some directories.
The web server user runs the web-based Setup Wizard installer and everything you do in the Magento Admin, so it must be able to write media files and similar content. It must not own the files, though: anything owned by the web server user can be rewritten by any process running as that user, so a compromised web-facing component could modify the entire Magento code base.
- Another user should own the Magento files and directories; this user must not be root. This user runs the Magento cron job and command-line utilities, and has full control over all Magento files and directories. Because this user is never exposed through the web server (it exists only on the server and is used from a local shell), it is much harder for a malicious web-facing process to exploit it.
Although you can install and use the Magento software as the web server user, for the preceding reasons we don't recommend it and don't discuss it in this guide.
Create a user and give the user a strong password
This section discusses how to create the Magento file system owner.
If you don't have root privileges on your Magento server, you can use another local user account. Make sure the user has a strong password and continue with Put the Magento file system owner in the web server group.
To create a user on CentOS or Ubuntu, enter the following command as a user with root privileges:
adduser <username>
To give the user a password, enter the following command as a user with root privileges:
passwd <username>
Follow the prompts on your screen to create a password for the user.
For example, to create a user named magento_user and give the user a password, enter:
sudo adduser magento_user
sudo passwd magento_user
Because the point of creating this user is to provide added security, make sure you create a strong password. On Ubuntu, adduser prompts for a password itself; on CentOS, adduser is an alias for useradd and creates the account with no password, so the passwd step is required before the account can log in.
Options for shared groups
Both the web server and the Magento file system owner need access to the Magento file system: the web server must be able to write files and directories (including files created using the Magento Admin or other web-based utilities), while the Magento file system owner keeps ownership of everything. To give both users that access, you must share their groups in one of the following ways:
- Put the Magento file system owner in the web server's group
This method is simpler but otherwise equivalent to the other method.
- Put each user in the other's group
Whichever method you choose, first find the web server group (next section), then follow the section for that method.
Find the web server group
To find the web server user's group:
- CentOS:
egrep -i '^user|^group' /etc/httpd/conf/httpd.conf
Typically, the user and group name are both apache.
- Ubuntu:
ps aux | grep apache
to find the apache user (the first column of the output), then
groups <apache user>
to find the group. Typically, the user name and the group name are both www-data. (On Ubuntu, the User and Group directives in /etc/apache2/apache2.conf refer to variables set in /etc/apache2/envvars rather than literal names, which is why the running process is inspected instead of the configuration file.)
Continue with either of the following sections.
Put the Magento file system owner in the web server's group
To put the Magento file system owner in the web server's primary group (assuming the typical Apache group name for CentOS and Ubuntu), enter the following command as a user with root privileges:
- CentOS:
usermod -g apache <username>
- Ubuntu:
usermod -g www-data <username>
usermod -g replaces the user's primary group, so files the user creates from now on belong to the web server group; files the user created before the change keep their old group.
For example, to add the user magento_user to the apache primary group on CentOS:
usermod -g apache magento_user
To confirm your Magento user is a member of the web server group, enter the following command:
groups <user name>
A sample result follows:
magento_user : apache
The new primary group applies to new login sessions, so log out and log back in (or start a new su session) as the Magento file system owner before using it. To complete the task, restart the web server:
- Ubuntu:
service apache2 restart
- CentOS:
service httpd restart
Put each user in the other's group
An alternative to setting up group membership is to put the web server user in the Magento file system owner's group and vice versa. To put each user in the other's group, as a user with root privileges, enter the following command for each of the two users:
usermod -a -G <groupname> <username>
The -a option appends the group to the user's supplementary groups; without it, -G replaces the user's existing supplementary group list, which can silently drop the web server user from groups it needs.
For example,
usermod -a -G apache magento_user
usermod -a -G magento_user apache
To confirm the users’ group membership, enter the following command for each user:
groups <username>
Example:
groups apache
apache : apache magento_user
groups magento_user
magento_user : magento_user apache
To complete the task, restart the web server so that its worker processes pick up the new group membership:
- Ubuntu:
service apache2 restart
- CentOS:
service httpd restart
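The following script ties the steps above together: detecting the web server group, rejecting an unsafe choice of file system owner (root, or the web server user itself), creating the user, and putting it in the web server's primary group as in the first method. It is an added example and not part of the Magento documentation or the Magento project; the magento_user name, the sample httpd.conf fragment it parses, and the useradd/usermod flags it chooses are assumptions for illustration. Only the --apply path changes the system and must be run as root; everything else is read-only.

```shell
#!/bin/sh
# Added example, not from the Magento docs: pick the web server group, sanity-check
# the chosen file system owner, and (only with --apply, as root) create the user
# and put it in that group. The magento_user name and the constructed
# httpd.conf fragment used by demo() are assumptions for illustration.

# Read the Group directive from an Apache config file (CentOS keeps a literal
# group name in /etc/httpd/conf/httpd.conf). Ubuntu's apache2.conf uses
# ${APACHE_RUN_GROUP} from /etc/apache2/envvars, so a variable reference or a
# missing directive falls back to the second argument.
detect_web_group() {
    conf="$1"; default="$2"
    grp=$(grep -i '^[[:space:]]*group[[:space:]]' "$conf" 2>/dev/null | awk '{print $2; exit}')
    case "$grp" in
        ''|'${'*) printf '%s\n' "$default" ;;
        *)        printf '%s\n' "$grp" ;;
    esac
}

# Default web server group by distribution ID (the ID field of /etc/os-release).
pick_group_for_os() {
    case "$1" in
        ubuntu|debian)      echo www-data ;;
        centos|rhel|fedora) echo apache ;;
        *) echo "unknown distribution: $1" >&2; return 1 ;;
    esac
}

# The owner must never be root and never the web server user itself; either
# choice defeats the separation the page describes.
check_owner_name() {
    owner="$1"; webuser="$2"
    [ "$owner" != root ]       || { echo "owner must not be root" >&2; return 1; }
    [ "$owner" != "$webuser" ] || { echo "owner must not be the web server user" >&2; return 1; }
    return 0
}

# True when the user's group list (primary plus supplementary) contains the
# group; this is the same list that `groups <username>` prints.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Make the change. useradd -m works on CentOS and Ubuntu alike (Ubuntu's
# adduser wrapper is fine too); passwd prompts for a strong password; usermod -g
# makes the web server group the owner's primary group, as in the first method.
apply_ownership() {
    owner="$1"; webgroup="$2"; webuser="$3"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_owner_name "$owner" "$webuser" || return 1
    id "$owner" >/dev/null 2>&1 || useradd -m -s /bin/bash "$owner"
    passwd "$owner"
    usermod -g "$webgroup" "$owner"
    user_in_group "$owner" "$webgroup"   # new group applies to new login sessions
}

# Read-only demo on a constructed httpd.conf fragment (no root needed).
demo() {
    sample=$(mktemp)
    printf 'User apache\nGroup apache\n' > "$sample"
    echo "detected group: $(detect_web_group "$sample" www-data)"   # apache
    rm -f "$sample"
}

case "${1:-}" in
    --apply) apply_ownership "${2:-magento_user}" "${3:-apache}" "${4:-apache}" ;;
    *) demo ;;
esac
```

Run it without arguments to see the group detection on the constructed sample; run `sudo sh owner.sh --apply magento_user apache apache` on CentOS or `sudo sh owner.sh --apply magento_user www-data www-data` on Ubuntu to perform the actual change, then confirm with `groups magento_user` exactly as the page describes.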
Switch to the Magento file system owner
After you've performed the other tasks in this topic, enter one of the following commands to switch to that user:
- Ubuntu:
su <username>
- CentOS:
su - <username>
For example,
su magento_user
The - option starts a login shell with the user's own environment (home directory, PATH, umask) instead of inheriting root's; it works on either distribution and is the safer choice when you are about to run Magento command-line utilities as that user.