
Chmod 640 for uploaded file after SUPEE 7405 patch

After installing the SUPEE 7405 patch, we noticed a problem uploading images from the admin. All file permissions are being set to CHMOD 640 which makes them inaccessible to all users.

Is there a solution that does not involve rewriting the /lib/Varien/File/Uploader.php file?

Jared asked Jan 22 '16 23:01


1 Answer

A new version of SUPEE-7405 has been released that resolves this issue:

http://magento.com/security/patches/supee-7405

> Updated February 23, 2016
>
> Updated versions of this release are now available. The updates add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release.

Note that even without the revised patch, you can fix the issue by using the recommended file permissions (see below).


Magento expects the webserver to own the site files:

http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after

You can resolve this problem by making the webserver the owner of the files.

chown -R web-server-user-name magento/root/path

The webserver user name is commonly www-data or apache.

If you follow the instructions in the above link, the webserver will have read access to all files, and write access to media files and var files. This should be all you need for typical site operation. If you need to use Magento Connect you'll have to temporarily give the webserver write access to all files.

> All file permissions are being set to CHMOD 640 which makes them inaccessible to all users.

Only the webserver user needs access to the files. There is no need to grant any permissions to all users.

You may want to grant access to a specific user if, for example, you need to edit or upload files via FTP. In this case, what I do is set a user who owns the file system and set the files' group to the webserver:

cd magento/root/directory
 
# Set ownership 
# 'username' should be the file system owner username
# 'webserver' should be the webserver username
chown -R username:webserver .
 
# Give the user read/write access to all files.
# Give the webserver read access to all files
find . -type f -exec chmod 640 {} \;
find . -type d -exec chmod 2750 {} \; 
 
# Give the user and the webserver read/write access to var and media
find var/ -type f -exec chmod 660 {} \;
find media/ -type f -exec chmod 660 {} \;
find var/ -type d -exec chmod 2770 {} \;
find media/ -type d -exec chmod 2770 {} \;
chmod 2770 includes
chmod 660 includes/config.php

The above commands will give your file system owner read/write access to everything and the webserver read access to everything. The webserver will also be able to write to the media and var directories.

Mathew Tinsley answered Sep 28 '22 07:09
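
To check an existing tree against the owner/webserver scheme in the answer above, here is an added example that is not part of the original answer: a POSIX shell function, `audit_perms` (a hypothetical name), that lists every path whose mode differs from 640/2750 for code and 660/2770 for var, media, includes and includes/config.php. It assumes the Magento 1 layout used in the answer and checks mode bits only, not ownership.

```shell
#!/bin/sh
# Added example (not from the original answer): report paths whose mode
# deviates from the owner:webserver scheme described in the answer.
# Assumes the Magento 1 layout used there: var/, media/, includes/.
# Ownership is not checked; only mode bits are.

audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    deviations=$(
        cd "$root" || exit 2

        # Read-only code area: files 640, directories 2750.
        # var/ and media/ are pruned; includes and includes/config.php
        # are exempted here because they get their own rule below.
        find . \( -path ./var -o -path ./media \) -prune -o \
            \( -type f ! -path ./includes/config.php ! -perm 640 -print \) -o \
            \( -type d ! -path ./includes ! -perm 2750 -print \)

        # Writable areas: files 660, directories 2770 (setgid keeps the
        # webserver group on anything created inside).
        for d in ./var ./media; do
            if [ -d "$d" ]; then
                find "$d" \( -type f ! -perm 660 -print \) -o \
                          \( -type d ! -perm 2770 -print \)
            fi
        done

        # includes/ itself and includes/config.php are writable too.
        if [ -d ./includes ]; then
            find ./includes -prune ! -perm 2770 -print
        fi
        if [ -f ./includes/config.php ]; then
            find ./includes/config.php ! -perm 660 -print
        fi
    )

    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}

# Run directly as: sh audit_perms.sh /path/to/magento
if [ "$#" -gt 0 ]; then audit_perms "$1"; fi
```

The function returns 0 when nothing deviates and 1 when it prints at least one path, so a world-readable 644 file in the code area or a 640 upload under media/ both show up in the output.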