Before You Install Magento: Recommended File System Ownership and Privileges


In a continuing effort to improve security and ease of use, Magento is updating its recommendations for file system permissions and ownership for the following Magento editions:

  • Magento Enterprise Edition (EE) versions 1.9 and later
  • Magento Community Edition (CE) versions 1.4 and later

The guidelines discussed in this article apply to:

  • New installations of or upgrades to the previously listed Magento versions only.
    The instructions might not work with older versions. If you have already installed Magento, see After You Install Magento: Recommended File System Ownership and Privileges.
  • Supported operating systems only.
importantImportant: This topic contains suggestions based on our experience. They are not requirements because we don’t know the details of your deployment. Consult your hosting provider, a qualified security specialist, or an experienced system administrator for advice about specific security settings.


This article uses the following terminology:

Hosted system
A Magento server located on a hosting provider. A hosted system typically does not enable you to elevate to root. The web server typically runs as an ordinary user. Magento assumes you log in as this user to start and stop the web server and that you already own all the files and directories in the Magento installation directory. You can use chmod to change permissions on files and directories.
Dedicated system
A Magento server you control and operate. Unlike a hosted system, you can elevate to root and, as root, you can use the chown and chmod commands to set ownership and privileges in the Magento installation directory.

Recommended Privileges and Ownership Before You Install Magento

This section discusses Magento’s pre-installation recommended privilege and ownership settings, which are as follows:

  • The Magento installation directory and all subdirectories are owned by the web server user.
    This enables the web server to change files in these subdirectories but other users cannot access them (except a higher-level user such as root).
  • All directories have 700 permissions (drwx------).
    700 permissions give full control (that is, read/write/execute) to the owner and no permissions to anyone else.
  • All files have 600 permissions (-rw-------).
    600 permissions mean the owner can read and write but other users have no permissions.
  • If you use PHP-FPM (FastCGI Process Manager), make sure it is configured to run the same user as the Apache web server (Nginx web server).
    This allows web server to access content generated by Magento (Uploaded files, images, etc.).

Note: On a dedicated system, all commands discussed in this article must be entered as a user with root privileges.

After you extract the Magento installation package, set ownership and permissions as follows:

  1. Dedicated Magento server only. Find the web server user:
    • Apache:
      • Ubuntu: grep User /etc/apache2/apache2.conf
      • CentOS: grep User /etc/httpd/conf/httpd.conf

        Note: The preceding paths are samples only. The paths to these .conf files on your system might be different. You can use the command whereis nginx to find the location of the configuration files.

      Typically, the Apache web server user on CentOS is apache and the Apache web server user on Ubuntu is www-data.

    • nginx: Open the nginx configuration file, typically /etc/nginx/nginx.conf. The user directive specifies the user name. It might run as the Apache user if Apache is installed on the same system.
  2. Change to the Magento installation directory.
  3. Dedicated Magento server only. Enter the following command to set ownership of the Magento installation directory and all its subdirectories:
    chown -R web-server-user-name .

    For example, on Ubuntu where Apache usually runs as www-data, enter

    chown -R www-data .
  4. Enter the following commands to set directory permissions to 700 and file permissions to 600:
    find . -type d -exec chmod 700 {} \;
    find . -type f -exec chmod 600 {} \;