
Why it Matters

Important code folders like app/, vendor/, and lib/ must be read-only for the web server user. If these folders are writable by that user, an attacker who finds a small bug elsewhere (for example, an arbitrary file write) could drop new PHP files, change dependencies, or inject malware directly into the application code.

Protecting these directories ensures that the code base cannot be silently changed at runtime. It also reduces supply-chain-style risks where attackers try to add backdoors into third-party libraries. Read-only permissions keep your production code consistent with what you reviewed and deployed.

Verification Steps

Manual (Unix)

# Check if critical code folders are writable by web server
ls -ld /var/www/magento/app /var/www/magento/vendor /var/www/magento/lib

# Should not have write access for web server user or group
stat -c "%a %U:%G %n" /var/www/magento/vendor

Remediation / Fix Guidance

  1. Set ownership to a deploy/build user, not the web server process.
  2. Apply read-only permissions for the web server:
    chmod -R 755 /var/www/magento/app /var/www/magento/vendor /var/www/magento/lib
  3. Only allow write access during deployment, then switch back to read-only.
  4. Review CI/CD jobs to avoid leaving code folders writable after deployment.
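The following script is an added example for the verification and remediation steps above; it is not part of the baseline page itself. It turns the manual ls/stat check into a repeatable audit: for each directory it reads mode and ownership with GNU stat and reports whether the named web-server account (www-data in the usage comment, an assumption for a typical Debian/Ubuntu install) could write to it through the owner, group or "other" bits. The hardening helper uses chmod with symbolic modes (u=rwX,go=rX) rather than the page's numeric 755: directories end up 755 as on the page, but plain files become 644 instead of being marked executable. Changing ownership to the deploy user (step 1) needs root and is left to the deployment job.

```shell
#!/bin/sh
# Added example for the "code folders read-only" baseline item (not the page's own code).
# Assumptions: POSIX sh, GNU coreutils (stat -c, chmod with X); the web-server
# account name and group (e.g. www-data) are supplied by the caller.

# code_dir_writable_by DIR WEB_USER WEB_GROUP
# Exit 0 if the web account could write to DIR judging by mode and ownership,
# 1 if it could not, 2 if DIR cannot be inspected at all.
code_dir_writable_by() {
  dir=$1; web_user=$2; web_group=$3
  info=$(stat -c '%a %U %G' "$dir" 2>/dev/null) || return 2
  set -- $info
  mode=$1; owner=$2; group=$3
  # Keep only the last three octal digits so setuid/setgid/sticky prefixes are ignored.
  mode=$(printf '%s' "$mode" | tail -c 3)
  u=$(printf '%s' "$mode" | cut -c1)
  g=$(printf '%s' "$mode" | cut -c2)
  o=$(printf '%s' "$mode" | cut -c3)
  # The write permission is bit value 2 in each octal digit.
  if [ "$owner" = "$web_user" ] && [ $((u & 2)) -ne 0 ]; then return 0; fi
  if [ "$group" = "$web_group" ] && [ $((g & 2)) -ne 0 ]; then return 0; fi
  if [ $((o & 2)) -ne 0 ]; then return 0; fi
  return 1
}

# audit_code_dirs WEB_USER WEB_GROUP DIR...
# Prints one PASS/FAIL line per directory; the exit status is the number of
# directories that failed, so 0 means the baseline check passed.
audit_code_dirs() {
  web_user=$1; web_group=$2; shift 2
  failed=0
  for d in "$@"; do
    rc=0
    code_dir_writable_by "$d" "$web_user" "$web_group" || rc=$?
    case $rc in
      0) echo "FAIL: $d is writable by $web_user/$web_group"; failed=$((failed + 1)) ;;
      1) echo "PASS: $d is read-only for $web_user/$web_group" ;;
      *) echo "FAIL: cannot inspect $d"; failed=$((failed + 1)) ;;
    esac
  done
  return $failed
}

# make_code_dirs_readonly DIR...
# Remediation step 2: directories become 755 and files 644. The owning (deploy)
# user keeps write access; the web server, if it is not the owner, gets read-only.
# Ownership itself (chown to the deploy user) is a separate privileged step.
make_code_dirs_readonly() {
  for d in "$@"; do
    chmod -R u=rwX,go=rX "$d" || return 1
  done
}

# Stand-alone usage, e.g. as the last job of a deployment:
#   sh check_code_dirs.sh www-data www-data /var/www/magento/app /var/www/magento/vendor /var/www/magento/lib
if [ "$#" -ge 3 ]; then
  audit_code_dirs "$@"
fi
```

Run the audit after every deployment (step 4) and let a non-zero exit status fail the job; a directory that cannot be inspected is reported as a failure rather than silently passed.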

Examples

Fail Example

# Vendor folder writable by web user
drwxrwxrwx  www-data  vendor/

Pass Example

# Vendor folder read-only, owned by deploy user
drwxr-xr-x  deploy  vendor/

References