Restrict access with a umask

To tighten security, particularly in a production environment on a shared hosting system, you can use umask to restrict access. A umask—also referred to as a file system creation mask—is a set of bits that controls how the file permissions are set for newly created files.

WARNING
File system security is complex and important. We strongly recommend that you consult an experienced system administrator or network administrator before you decide the level of permissions to set. We provide a mechanism for you to use, but creating a permissions strategy is your responsibility.

Adobe Commerce uses a three-bit, default mask: 002. Subtract the default mask from the UNIX defaults of 666 for files and 777 for directories.

For example:

  • 775 for directories—Full control by the user, full control by the group, and enables everyone to traverse the directory. These permissions are typically required by shared hosting providers.

  • 664 for files—Writable by the user, writable by the group, and read-only for everyone else.

For more information about creating a magento_umask file, see Set a umask.

Permissions, ownership, and application modes

We recommend different permissions and ownership when you use the different Adobe Commerce application modes:

  • Default
  • Developer
  • Production

See About modes in the Configuration guide.

We further discuss permissions recommendations in File systems access permissions in the Configuration guide.

TIP
Before you install Adobe Commerce, review Configure file ownership and permissions.