Magento project files and directories must never be made world-writable with chmod 777. Overly permissive permissions allow attackers or rogue processes to modify code and configuration. Always apply least-privilege settings, restricting write access to only the system user that runs Magento.
If files or folders use 777 permissions, anyone on the server can change them.
This makes it easy for attackers or bad programs to place backdoors, steal data, or break the store.
On shared servers, it is even more dangerous because other users could also change your Magento files.
Using the “least privilege” rule (only give the needed access) keeps the code safe. It also makes it harder for an attacker to stay inside the system or move to other parts if they get in once.
# Find files or folders that are world-writable
find /var/www/magento \( -type f -o -type d \) -perm -0002 -print
# Check important file env.php
namei -om /var/www/magento/app/etc/env.php
stat -c "%a %U:%G %n" /var/www/magento/app/etc/env.php
Owner and group: www-data:www-data. Directories: 755, files: 644, app/etc/env.php: 640.
chmod -R go-w /var/www/magento
777 by mistake.
# Too open, unsafe
chmod -R 777 var/ pub/
# Safe settings
find var pub -type d -exec chmod 755 {} \;
find var pub -type f -exec chmod 644 {} \;
chmod 640 app/etc/env.php
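
The checks above can be combined into one audit that returns a non-zero status for use in cron or CI. This is an added example, not part of the original rule or of Magento itself; the function names are hypothetical, and it assumes GNU `stat` as used in the commands above.

```shell
#!/bin/sh
# Added example: audit a Magento tree against the permission rules above.
# Function names are illustrative; they are not part of Magento.

# List regular files and directories that carry the world-write bit (o+w).
# Symlinks are skipped because their mode is always reported as 777.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Succeed only if FILE grants no permission bit beyond MAX (octal, e.g. 640).
# A tighter mode such as 600 passes; 644, 660 or a setuid bit does not.
mode_within() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat
    [ $(( 0$mode & ~0$2 & 07777 )) -eq 0 ]
}

# Print findings for ROOT; return 0 if clean, 1 if anything is too open.
audit_magento_perms() {
    root=$1
    rc=0
    found=$(world_writable "$root")
    if [ -n "$found" ]; then
        printf 'world-writable:\n%s\n' "$found"
        rc=1
    fi
    env_file="$root/app/etc/env.php"
    if [ -f "$env_file" ] && ! mode_within "$env_file" 640; then
        printf 'too permissive (want 640 or tighter): %s\n' "$env_file"
        rc=1
    fi
    return "$rc"
}

# Run the audit when a Magento root is given, e.g.: sh audit.sh /var/www/magento
if [ "$#" -gt 0 ]; then
    audit_magento_perms "$1"
fi
```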