
Why it Matters

If files or folders use 777 permissions, any user on the server can change them. This makes it easy for attackers or malicious programs to plant backdoors, steal data, or break the store. On shared servers it is even more dangerous, because other accounts on the same host could also modify your Magento files.

Following the "least privilege" rule (grant only the access that is actually needed) protects the codebase. It also makes it harder for an attacker who gets in once to persist in the system or move to other parts of it.

Verification Steps

Manual (Unix)

# Find files or folders that are world-writable
find /var/www/magento \( -type f -o -type d \) -perm -0002 -print

# Check the owner and mode of env.php (it holds the database credentials and the encryption key)
namei -om /var/www/magento/app/etc/env.php
stat -c "%a %U:%G %n" /var/www/magento/app/etc/env.php

Remediation / Fix Guidance

  1. Set the correct owner and group for the web server user, for example www-data:www-data.
  2. Use safe permissions:
    • Folders: 755
    • Files: 644
    • app/etc/env.php: 640
  3. Remove write access for group/others:
    chmod -R go-w /var/www/magento
  4. Update deployment scripts so they never set 777 by mistake.
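The verification and remediation steps above, combined into one runnable audit-and-fix script. This is an added example and not part of the baseline page: it builds a constructed Magento-like tree (app/etc/env.php, var/, pub/) in a temporary directory so it runs without a real store, the optional OWNER:GROUP argument is an assumption (chown needs root, so the demo skips it), and GNU find/stat on Linux are assumed. The audit applies the page's rules (no world-writable paths, env.php not readable by others) and the hardening applies 755/644/640 followed by go-w.

```shell
#!/bin/sh
# Added example, not from the baseline page. Builds a constructed Magento-like
# tree in a temp directory, audits it against the rules above, then hardens it.
# GNU stat/find are assumed (Linux).

# Create a sample tree with the kind of permissions the page warns about.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/var/log" "$root/pub/static"
    # Constructed placeholder content, not a real configuration.
    printf '<?php return ["db" => ["password" => "PLACEHOLDER"]];\n' > "$root/app/etc/env.php"
    printf 'sample log line\n' > "$root/var/log/system.log"
    chmod 777 "$root/var" "$root/var/log" "$root/pub/static"      # world-writable dirs
    chmod 666 "$root/var/log/system.log" "$root/app/etc/env.php"  # world-writable files
    echo "$root"
}

# audit_perms DIR: print findings; return 1 if any FAIL was found, else 0.
audit_perms() {
    audit_dir=$1
    audit_rc=0

    # Rule 1 (the page's verification step): nothing may be world-writable.
    ww=$(find "$audit_dir" \( -type f -o -type d \) -perm -0002 -print)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/FAIL world-writable: /'
        audit_rc=1
    fi

    # Group-writable paths: the page's step 3 strips these as well, but some
    # deployments keep group write for a dedicated web-server group, so they
    # are reported as WARN without failing the audit.
    find "$audit_dir" \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print \
        | sed 's/^/WARN group-writable: /'

    # Rule 2: env.php holds DB credentials and the crypt key; "others" get no bits.
    env_file=$audit_dir/app/etc/env.php
    if [ -f "$env_file" ]; then
        mode=$(stat -c %a "$env_file")
        others=${mode#"${mode%?}"}   # last octal digit = permissions for "others"
        if [ "$others" != 0 ]; then
            echo "FAIL env.php mode $mode: accessible by others (expected 640)"
            audit_rc=1
        fi
    fi
    return "$audit_rc"
}

# harden_perms DIR [OWNER:GROUP]: apply the page's remediation steps 1-3.
harden_perms() {
    h_dir=$1
    # Step 1: owner/group, only when requested (requires root; the demo skips it).
    [ -n "${2:-}" ] && chown -R "$2" "$h_dir"
    # Step 2: 755 for folders, 644 for files, 640 for env.php.
    find "$h_dir" -type d -exec chmod 755 {} \;
    find "$h_dir" -type f -exec chmod 644 {} \;
    [ -f "$h_dir/app/etc/env.php" ] && chmod 640 "$h_dir/app/etc/env.php"
    # Step 3: strip any remaining group/other write bits.
    chmod -R go-w "$h_dir"
}

# Demo: audit the constructed tree, fix it, audit again.
demo_root=$(make_sample_tree)
echo "== before hardening =="
audit_perms "$demo_root" || echo "(violations found, as expected)"
harden_perms "$demo_root"
echo "== after hardening =="
audit_perms "$demo_root" && echo "(clean)"
rm -rf "$demo_root"
```

On a real deployment, run `audit_perms /var/www/magento` from a deployment pipeline and fail the job on a non-zero exit; `harden_perms /var/www/magento www-data:www-data` as root applies the fix. The audit treats group write as a warning rather than a failure because the right answer depends on whether PHP runs as the same user that owns the files.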

Examples

Fail Example

# Too open, unsafe
chmod -R 777 var/ pub/

Pass Example

# Safe settings
find var pub -type d -exec chmod 755 {} \;
find var pub -type f -exec chmod 644 {} \;
chmod 640 app/etc/env.php

References