Why it Matters

The file app/etc/env.php stores very sensitive information. It includes database logins, encryption keys, and other secrets. If this file has weak permissions, any local user or process could read it. Attackers may then use those secrets to take over the database, steal customer data, or gain full control of the Magento store.

Strong file permissions limit access to only the web server user and trusted group. This reduces the chance that secrets leak through misconfigured hosting, shared servers, or malicious scripts running on the same machine. Protecting env.php is one of the most important steps to keep the store secure.

Verification Steps

Manual (Unix)

# Check permissions, owner and group
stat -c "%a %U:%G %n" /var/www/magento/app/etc/env.php

# Expected: mode 640 or stricter (owner read/write, group read-only, others nothing), owned by the web server user and group

Remediation / Fix Guidance

  1. Set correct owner and group for the web server user, e.g. www-data:www-data.
  2. Apply strict permissions:
    chmod 640 /var/www/magento/app/etc/env.php
  3. Make sure deployment scripts and CI/CD pipelines do not reset the permissions to weaker values.
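The verification and remediation steps above, combined into one script as an added example (this is not the baseline's own tooling): a function that reads mode, owner and group with stat, fails if anything is looser than 640 or the owner/group are wrong, plus a self-contained demo that creates a constructed env.php in a temporary directory, shows the 644 failure, applies chmod 640 and re-checks. The /var/www/magento path and the www-data owner are taken from the page; the demo uses the current user and group because it cannot chown to www-data.

```shell
#!/bin/sh
# Added example for this baseline item (not Magento's or the page's own code).
# Verifies that env.php is "640 or stricter" and owned by the expected
# user/group, so the check can run from a deployment or CI job.
# Assumptions: /var/www/magento path and www-data owner come from the page.

# Print "MODE OWNER GROUP" for a file. Tries GNU stat (Linux) first and falls
# back to BSD stat (macOS) so the check works on both kinds of host.
file_meta() {
  stat -c "%a %U %G" "$1" 2>/dev/null || stat -f "%OLp %Su %Sg" "$1"
}

# check_env_perms FILE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 (PASS) when owner bits are a subset of rw, group bits a subset of r,
# "other" has nothing, and owner/group match. Returns 1 (FAIL) otherwise.
check_env_perms() {
  file=$1; want_owner=$2; want_group=$3

  if [ ! -f "$file" ]; then
    echo "FAIL: $file not found"; return 1
  fi

  # Unquoted on purpose: split "MODE OWNER GROUP" into positional parameters.
  set -- $(file_meta "$file")
  mode=$1; owner=$2; group=$3

  # Keep the last three octal digits; a fourth leading digit would be setuid/setgid/sticky.
  perm=${mode#"${mode%???}"}
  u=${perm%??}; rest=${perm#?}; g=${rest%?}; o=${rest#?}

  case $u in 0|2|4|6) ;; *) echo "FAIL: $file mode $perm gives the owner execute"; return 1 ;; esac
  case $g in 0|4)     ;; *) echo "FAIL: $file mode $perm lets the group write or execute"; return 1 ;; esac
  case $o in 0)       ;; *) echo "FAIL: $file mode $perm is readable by other users"; return 1 ;; esac

  if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
    echo "FAIL: $file owned by $owner:$group, expected $want_owner:$want_group"; return 1
  fi

  echo "PASS: $file mode $perm owner $owner:$group"
  return 0
}

# Self-contained demo: a constructed env.php in a temp dir (no Magento install
# needed). Shows the 644 failure, then the page's chmod 640 fix passing.
demo() {
  dir=$(mktemp -d) || return 1
  # Constructed placeholder content, not a real Magento configuration.
  printf "<?php return ['db' => ['password' => 'constructed-placeholder']];\n" > "$dir/env.php"
  me=$(id -un); mygrp=$(id -gn)

  chmod 644 "$dir/env.php"                       # the "Fail Example" mode
  if check_env_perms "$dir/env.php" "$me" "$mygrp"; then
    echo "unexpected PASS on 644"; rm -rf "$dir"; return 1
  fi

  chmod 640 "$dir/env.php"                       # remediation step 2 from the page
  if ! check_env_perms "$dir/env.php" "$me" "$mygrp"; then
    echo "unexpected FAIL on 640"; rm -rf "$dir"; return 1
  fi

  rm -rf "$dir"
  return 0
}

# When run directly on a host that has the real file, check it; otherwise run the demo.
if [ -f /var/www/magento/app/etc/env.php ]; then
  check_env_perms /var/www/magento/app/etc/env.php www-data www-data
else
  demo
fi
```

In a CI/CD pipeline, call check_env_perms after the deploy step and fail the job on a non-zero return; that catches the case from step 3 where a deployment script resets the mode to something weaker.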

Examples

Fail Example

# Too open, unsafe: mode 644 lets every user on the host read the secrets
-rw-r--r-- 1 www-data www-data 1234 Jan 1 10:00 env.php

Pass Example

# Safe: mode 640, only the owner and group can read, others have no access
-rw-r----- 1 www-data www-data 1234 Jan 1 10:00 env.php

References