Securely Setting Unix File Permissions for Magento

Are you getting this error during the installation of Magento?

Fatal error: Call to a member function children() on a non-object …

The most common reason for this error message is that the Magento Installation script is trying to access other scripts which are in a directory that is unreadable by your web server. You probably broke the file and directory permissions for these installation scripts.

You might have better luck uncompressing the tar.gz archived version of Magento, which you can download from Magentocommerce.com. Tar archives generally preserve the permissions set by the person who archived them, which might be easier since the good folks at Magento probably have a better idea about how permissions need to be set for their software.

If you are using a Magento-friendly hosting company like Host Monster, you should be able to simply upload the compressed tar.gz file and uncompress it on the server side with the permissions already set properly.

It’s still a good idea for you to know how to set permissions for web applications on a web server, especially if you run your own VPS or dedicated web server or people are paying you to install/set up Magento for them.

Here’s how to set the file and directory permissions for Magento manually

Check that all directories inside your Magento directory are readable and executable by your web server’s user. Normally the web server runs as either the user apache or nobody. As a side note, it’s more secure to run your web server as its own username instead of “nobody”.

For those of you running the lazy (less secure) installation of your web server… The lazy (less secure) way to change permissions is:
chmod -R 777 /your/magento

Don’t set permissions using the lazy method, because anyone with access to your web server (shell, FTP, or even just web access through a script) can overwrite your Magento files and heavily compromise your e-commerce site. It is very important to run an e-commerce web server securely because a compromised web server can send thousands of credit card numbers to thieves before the security breach is noticed. If you are unsure about security, it is recommended that you use a scalable e-commerce service such as Shopify or that you purchase a Magento installation from someone who is seasoned in e-commerce. I can set up the Magento software platform (which supports the hosting of multiple web stores) in about an hour or two depending on your hosting situation. However, if you prefer to and are comfortable setting up e-commerce sites yourself, read on.

Try to limit permissions to only your ftp/shell username and the web server. The way most people handle this is to change the owner of files to their ftp/shell username and set the group to the web server’s group.

For example (assuming your web server runs under the user name “apache”):
chown -R yourname:apache /your/magento

Make files (not directories) readable by your web server:
find /your/magento -type f -exec chmod 640 {} \;

Next, make the Magento directories readable and executable by your web server:
find /your/magento -type d -exec chmod 750 {} \;

Now set the permissions for directories that need to be writable and executable:

chmod 770 /your/magento/app/etc
chmod 770 /your/magento/var
chmod 770 /your/magento/var/cache
chmod 770 /your/magento/media
chmod 770 /your/magento/media/downloadable
chmod 770 /your/magento/media/import
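
To check the result, the script below audits a tree against the scheme above: owner and group as set by chown, no access for "other", and group write only on the listed directories. It is an added example, not part of the original post; the function name audit_magento_perms and its three arguments are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Magento tree against
# the scheme above. Usage: audit_magento_perms ROOT OWNER GROUP
# Directories the article lists as needing mode 770, relative to ROOT.
WRITABLE_DIRS="app/etc var var/cache media media/downloadable media/import"

# Prints one "reason path" line per deviation; returns 1 if any were found.
audit_magento_perms() {
    root=${1%/} owner=$2 group=$3
    # Build "-path A -o -path B ..." for the listed writable directories.
    set --
    for d in $WRITABLE_DIRS; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -path "$root/$d"
    done
    findings=$(
        # Not owned by the shell/FTP user and the web server's group.
        find "$root" \( ! -user "$owner" -o ! -group "$group" \) \
            -exec printf 'wrong-owner %s\n' {} \;
        # Any bit set for "other"; this is what chmod -R 777 leaves behind.
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'other-access %s\n' {} \;
        # Group-writable, but not one of the listed writable directories.
        find "$root" ! -type l -perm -020 ! \( -type d \( "$@" \) \) \
            -exec printf 'group-writable %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as audit_magento_perms /your/magento yourname apache; no output and exit status 0 mean the tree matches the scheme.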

8 comments on “Securely Setting Unix File Permissions for Magento”
  1. buecilcompmi says:

    Until when?

  2. Aubrey Zorn says:

    Anyway, once again a great post and worth a bookmark, and from me, thank you.

  3. Stewart Reckley says:

    I found a great Unix tips article on the IBM website. It’s a little old but I’m sure your readers will find it useful. Here’s the link http://www.ibm.com/developerworks/aix/library/au-badunixhabits.html

  4. meeeearcus says:

    You should note that var/cache should also be chmod’d to be writable.

  5. Asher Bond says:

    Thanks, meeeearcus. I added var/cache to the list.

  6. John says:

    Super, thanks, that saved me a fair bit of time. How many decades have you spent ninja-ing Magento? You so are an online specialist at it!

    Thanks again, John.

  7. Ben says:

    I’ve been here a few times, bookmarked a while back. Thanks.