-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permission issues with static generated files in pub directory #2412
Comments
Hello @miguelbalparda, did you create a group as recommended? http://devdocs.magento.com/guides/v2.0/install-gde/install/file-system-perms.html |
@mazhalai yes, we tried that. Please keep in mind this is not me as an individual but a hosting company. It also looks like we are not the only one facing this issue https://twitter.com/mbalparda/status/667029022099046400 |
@miguelbalparda can you provide more details on the setup and why you think it fails? Are the newly generated files not getting proper permissions? |
@miguelbalparda we changed it from 755 to 770 because we would like to close access to anybody except file owner and group. Php files can contain configuration settings, keys, etc... so it is better to keep it safe. Please follow the instruction to set correct ownership setting http://devdocs.magento.com/guides/v2.0/install-gde/prereq/apache-user.html#install-update-depend-user-group Thank you |
Just to clarify: we recommend 0770.
|
Adding a bunch of users to the apache group is less than ideal, as it may cause security concerns on shared platforms and in some cases it is even impossible to implement. We will investigate more about adding apache to the users group since it might be the solution. |
The issue we see is in shared hosting where groups and ownerships cannot easily be set up in the desired fashion. With php-fpm, PHP runs as the owner. Apache runs as another less privileges user (i.e. nobody, apache, etc...). Apache can not "out of the box" pull css, js, and images (essentially static resources) from pub/static/xxx. php-fpm can read any file the owner has read permission on, so no issues with the php files themselves not being world readable. If we add the user to the nobody group, or nobody to their group, it does work, but it alters the standard way for shared hosting, and may open up security issues. As Miguel mentioned, we added the apache group to the user's group, and that seems to work. However, this could lead to other issues if a perl/cgi based script were to be used. |
+1 for the setup @robfico described. |
so @miguelbalparda @robfico would it be the right solution for you to have only the generated files (js/css/images) world readable (given they are already being sent outside, not a security issue)? and the code (including generated) could stay as is? |
@piotrekkaminski yes, that seems to be a solid solution. So far we haven't seen a single issue with files/folders outside the pub folder. |
Yes, I think that would work well. Since those files are publicly viewable anyway on the web, they should be world readable and directories world executable permissions wise to match. This way Apache is unrestricted in its static content access, while php-fpm can be used to manage access to mroe restricted files (xml, php, etc...). Seems like a win-win, and will avoid issues with other standard hosting in the shared world. |
After installing Magento 2 with data and running the content deploy, all permissions on those files were created at 770 & 660. None of the content was viewable for me, including the css and product images. It took me awhile, but once I figured out to change permissions to 755 and 644, my css and images were loaded and visible. I am continuing to have this issue- every time I add a new product image permissions are pre-loaded to 770 and newly cached images both appear broken. I would love to see the solution talked about here. |
We started experiencing errors in the vendor dir too. [20-Nov-2015 14:22:42 America/Detroit] PHP Fatal error: require(): Failed opening required '/chroothtml/vendor/magento/module-media-storage/registration.php' in html/vendor/composer/autoload_real.php on line 59 |
We've been having this issue with our dedi server running shared hosting too, I understand the reasons for changing to Here's an excerpt from the error log:
Having to run
on Our environment:
|
The permissions are set as constants in Just sayin', if anyone wanted to maybe manually edit them on their install just to not have to reset the permissions until such time as there's a neat way around this. It does seem to fix the problem on my install. NB: I know editing core files is very bad practice, but as far as I'm aware there's no way to redefine a |
@piotrekkaminski @mazhalai any news on this issue? |
There is some documentation on this issue in the devdocs. |
Some more info about this issue via @ryebell. It seems symlinks are being used for some files inside pub folder (JS in our case) and a chmod/chown -R is not enough to change its permissions.
Wasn't the use of symlink highly discouraged in Magento 1? |
Same issue as #2449 -- pub directory is getting perm denied errors. I'm running Debian Jessie. I'm trying a fresh install on a variation of my docker image which is a really clean operating system snapshot. I did manage to get this working by:
Note that I didn't run the suggested I did setup a new This does seem to be an issue, as the recommended install settings don't seem to be working on a clean os image. |
hmm @markoshust that file for me is located at lib/internal/Magento/Framework/Filesystem/DriverInterface.php |
@pantaoran I'm installing with composer create new project. This may be why. This may be related issue that could possible by merged in #2525 Please see my setup script here https://github.com/mageinferno/docker-magento2-setup/blob/master/m2setup.sh#L42 These lines were required to get things working on Ubuntu Jessie. Update: I did need to setgid on |
It's not an official Magento patch, I just took that commit you pointed out and adapted it for Magento 2.0.2 downloaded from Magento.com. Assuming that commit makes it into a final release version, then I guess it would become official at that point. |
@wbyrnetx kind of bad practice, people would blindly install this and wonder why their shop crashes when this commit gets released.. Can you please remove your comment? |
It was meant to just help people who know what they're doing and would know to revert it when they either upgrade or apply the Magento patch that has it. But sure, it's removed. |
Any update on this? Having to flush cache and run scripts every single time an update is made in development is becoming a bit of a pain. |
This fix is taking far too long! |
+1 |
I'm glad I found this thread —being new to the platform I just assumed I was the only one struggling with this. Hassling with these ongoing musical chair permissions has single handedly been the biggest headache with my development in M2. I have never experienced so many errors that can all be attributed back to insufficient permissions. Someone above recommend setting up a cron job to regularly reset these.... 😐. Absolute madness. It feels like an uphill battle constantly working against the platform every time it aggressively changes permissions behind your back without much transparency or rationale. A fix for this should be prioritized. |
I totally believe that Magento is the best shopping cart out there for the well experienced user and I totally agree with everyone on here that is dissatisfied with the permissions issues on Magento 2.0.#. |
fyi, i just wrote a blog post on this entire topic. pretty much for now, if you stay away from the |
I installed Magento with composer and the DriverInterface.php is located at /vendor/magento/framework/Filesystem, then change perms to 755 for both dir and file.
|
@markoshust what user you use for command line actions (like running bin/magento)? this has the potential to break stuff. |
@piotrekkaminski during container start, i execute this script, which moves |
Thanks @markoshust |
@piotrekkaminski good catch! all of the default log output to STDOUT for nginx is handled from the base image, i forgot about the cronjob output. will do. |
Fixed!!!!!!!! man this was a tough one, i'm running CentOS 7 with Cpanel/WHM the fix was to use EasyApache 4 to disable SUphp... that's it... done and fixed :) |
Starting with Magento 2.0.6, Magento provides a more flexible way for you to set file ownership and permissions. Instead of setting permissions explicitly, you only need to make sure files and directories are writable for installation. We provide different suggestions for doing this, depending on whether you access your Magento server with one user account (typical of shared hosting) or two user accounts (typical of private hosting or having your own server). After installation, to further restrict access to files and directories, you can optionally create a file named magento_umask in your Magento root directory. By default, the umask is 002, which means that directories have 775 permissions and files have 664 permissions. For more details, see Magento file system ownership and permissions. http://devdocs.magento.com/guides/v2.0/release-notes/ReleaseNotes2.0.6CE.html |
@miguelbalparda can you please close this issue once you've downloaded 2.0.6 and performed your testing to verify that the new code supports your use case? Thanks |
All - we have addressed this issue as a part of 2.0.6. If you have some comments, please feel free to reopen this issue or open a new one. |
@elenleonova I have 2.0.6, but still facing the same issue. |
@agarwalswapnil are your webserver PHP user and your CLI php user the same or different? And have you set the permissions recommended in http://devdocs.magento.com/guides/v2.0/config-guide/prod/prod_file-sys-perms.html ? |
For share hosting it difficult to change user.Then what will be good idea. For a case, i have change file permission from Magento\Framework\Exception\FileSystemException\DriverInterface i have change Are u thought that is identical process for share hosting ?please put yours views |
@devamitbera With the 2.1 release candidate, and with 2.0.6+, if you need permissions for generated assets of 664 and 775, you can use "magento_umask" as described here. |
@romeof1980 Thanks for the detailed information. Its so strange when i keep minify options to yes, the website does not show up at all. -> Email templates -> It does not load order templates for editing them? . |
hi there @nmallepally , Please, be careful to tackle 1 issue at a time (in the right thread) and not to go off-topic: indeed the admin->marketing issue is probably off-topic, (try to google around after you've solved the issue with the static files if the problem persists) |
hi @romeof1980 Thanks for coming back. |
hi @nmallepally , if you're certain owner and permissions are set correctly: did you try to redeploy static content? if I remember correctly you mentioned you're working with multilanguage (hence at least with 2 store view): verify that the static content has been deployed correctly for both and if in doubt delete the folders that contain the static content and redeploy it. I don't see any bug here but just incorrect procedure when deploying the static content |
I used apache as webserver and this cron setting fixed my issue:
|
We have been experiencing issues with permissions using the latest version of Magento 2.
It seems that it all comes from 'vendor/magento/framework/Filesystem/DriverInterface.php' which explicitly sets the umask for folders to something that isn't going to work on a lot of setups, including our own.
Is there any reason for not setting the default for directories to 0755 instead of 0770?
Our issues were mostly 403 errors inside the pub folder for assets and templates and we suspect a lot of hosting companies might face this issue too.
The text was updated successfully, but these errors were encountered: