Secure file permissions (operating system level)

This chapter explains how to securely configure file and directory permissions at the operating system level for TYPO3 installations. It focuses on who can read and write to files on disk.

To learn how to prevent public access via the web server, see Restrict public file access in the web server.

A common risk is allowing one user to read or modify another client's files— especially in shared environments. A misconfigured server where all sites run as the same user can allow cross-site scripting, data theft, or manipulation of TYPO3 files such as config/system/settings.php.

TYPO3 can be installed either in classic (non-Composer) mode or using a Composer-based setup. Each approach requires a slightly different file permission strategy.

Composer-based installations

In Composer-based TYPO3 installations, the document root is typically a public/ directory. Core files, extensions, and the vendor/ directory reside outside the web root, improving security by design.

Recommendations:

  • Set the web server's document root to public/ only.
  • Grant the web server user write access to:

    • public/fileadmin/
    • public/typo3temp/
    • var/ (used for cache, logs, sessions, etc.)
  • The public/_assets/ directory must be readable by the web server. It is generated during deployment or Composer operations and should not be writable at runtime.
  • The config/ directory should be read-only for the web server in production environments unless certain TYPO3 features require write access:

    • To allow changing site configurations via the backend, the web server needs write access to config/sites/.
    • To allow system maintainers to update settings via the Admin Tools module, the web server needs write access to config/system/settings.php.
  • Keep vendor/, composer.json, and public/index.php read-only for the web server.

Classic-mode installations

In classic TYPO3 installations, all TYPO3 files (Core, extensions, uploads) are located inside the web server's document root. This increases the risk of file exposure or accidental manipulation, making secure filesystem permissions essential.

Recommendations:

  • On shared hosting, ensure each virtual host runs under a separate system user.
  • Revoke write access for the web server user to the TYPO3 core source directories, especially typo3/sysext/ (core system extensions) and vendor/
  • Allow write access only to:

    • fileadmin/
    • typo3temp/
    • Only grant write access to subdirectories within typo3conf/ as needed:
    • typo3conf/ext/, typo3conf/autoload/, typo3conf/PackageStates.php: Required if you want to install or update extensions using the Extension Manager.
    • typo3conf/sites/: Stores site configuration; writable if managing sites through the backend.
    • typo3conf/system/: Stores system settings; writable if modifying settings via the Admin Tools → Settings module.
    • typo3conf/l10n/: Must be writable to allow downloading or updating translation files via the Admin Tools.
  • The rest of the typo3conf/ directory should remain read-only to the web server where possible.
  • On UNIX/Linux systems, enforce appropriate user/group ownership and permissions (e.g., chmod, chown).

Check file permissions in the backend

TYPO3 provides a built-in backend tool to verify directory permissions.

You can access it via:

Admin Tools > Environment > Directory Status

This view lists key directories such as fileadmin/, config/, var/, and others, and shows whether the current web server user has the recommend level of access.

Use this tool to confirm that required directories are writable after deployment or when debugging permission-related issues.