Magento 2 correct permissions

The most frequent question asked by Magento users is about correct file permissions. The right permissions differ depending on whether you run your store in one-user or multi-user mode.

Single user mode

One-user mode is the simplest case: a single user belongs to the group that owns the Magento file system and also runs the web server. For this setup the following rules apply:

  • All directories should have 770 permissions. This gives read, write and execute permission to the owner and the owner's group, and no permissions to anyone else.
  • All files should have 660 permissions. This lets the owner and the group read and write, while other users have no permissions.
  • The temporary and media directories (var, pub/media and pub/static under the store root) should be publicly accessible (777 permissions).

To set them, follow these steps:

  1. Log in via SSH/CLI with admin permissions and navigate to the root of your store.
  2. Set permissions on the files: find . -type f -exec chmod 644 {} \;
  3. Set permissions on the directories: find . -type d -exec chmod 755 {} \;
  4. Set permissions on the special directories:
     find ./var -type d -exec chmod 777 {} \;
     find ./pub/media -type d -exec chmod 777 {} \;
     find ./pub/static -type d -exec chmod 777 {} \;

In some cases (FastCGI setups, for example) you cannot use 770 or 660 permissions. Use 755 and 644 respectively instead.

In any case, never set 777 (public) permissions on the app/etc directory. It contains your database credentials, and public access to it is an open door for compromising your store. Grant access there only to those you really trust.

Two-user mode

This scheme works for any number of users; they just need to be split into the following groups:

  • The web server group, which runs the Magento Admin (including Setup Wizard) and storefront;
  • A command-line group, which can remotely log in to the server and perform maintenance tasks. This group should also be able to run Magento cron jobs and command-line utilities.

In this case the permission setup is the same as in one-user mode, with two exceptions: the vendor and app/etc directories and their contents must be readable and writable by the second group. This is done with the following commands:

find ./vendor -type d -exec chmod 775 {} \; && find ./app/etc -type d -exec chmod 775 {} \;
find ./vendor/* -type f -exec chmod 664 {} \;

You also need to let the second group execute commands and work with your store configuration:

chmod o-rwx app/etc/env.php && chmod u+x bin/magento

This will set correct permissions for both groups.
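As an added example (not from the original page or the Magento project), the following shell functions apply the scheme from the steps above to a store root and then audit it for the states the page warns against: a world-writable app/etc, an env.php readable by others, and a bin/magento the command-line group cannot run. The directory tree built by make_magento_fixture is a constructed stand-in for a store root, not a real Magento install.

```shell
# Added example: apply the scheme from the steps above to a store root and
# audit it for the states the page warns against. The tree built by
# make_magento_fixture is a constructed stand-in, not a real Magento install.

# One-user scheme from the page: 644 files, 755 dirs, 777 on the writable
# dirs, then close env.php to "others" and make bin/magento executable.
apply_magento_perms() {
    root=$1
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
    for d in var pub/media pub/static; do
        [ -d "$root/$d" ] && find "$root/$d" -type d -exec chmod 777 {} \;
    done
    chmod o-rwx "$root/app/etc/env.php"
    chmod u+x "$root/bin/magento"
}

# Audit a store root: prints each finding, returns 0 when clean, 1 otherwise.
audit_magento_perms() {
    root=$1
    bad=0
    # env.php holds the database credentials: the "others" triplet must be ---
    if [ "$(ls -ld "$root/app/etc/env.php" | cut -c8-10)" != "---" ]; then
        echo "env.php is accessible to others"; bad=1
    fi
    # Outside var, pub/media and pub/static nothing may be world-writable;
    # this is what catches a 777 app/etc.
    offenders=$(find "$root" \( -path "$root/var" -o -path "$root/pub/media" \
        -o -path "$root/pub/static" \) -prune -o -perm -002 -print)
    if [ -n "$offenders" ]; then
        echo "world-writable outside the writable dirs:"; echo "$offenders"; bad=1
    fi
    # The command-line group must be able to run bin/magento
    [ -x "$root/bin/magento" ] || { echo "bin/magento is not executable"; bad=1; }
    return $bad
}

# Constructed fixture with the paths the page names, deliberately starting
# insecure (777 app/etc, 666 env.php) so the audit has something to report.
make_magento_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/bin" "$root/vendor/lib" "$root/var/cache" \
             "$root/pub/media" "$root/pub/static"
    printf '<?php return [];\n' > "$root/app/etc/env.php"
    printf '#!/bin/sh\n' > "$root/bin/magento"
    touch "$root/vendor/lib/a.php" "$root/var/cache/x"
    chmod 777 "$root/app/etc"; chmod 666 "$root/app/etc/env.php"
    echo "$root"
}
```

Run audit_magento_perms against a real store root after applying the scheme; a non-zero exit with findings printed means one of the page's rules is violated.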
