We’ve already explored a case related to exceptions during the Magento 2 installation. Below, you will see how to fix a similar problem that occurs after you successfully install the software. The exceptions display when you try to access your storefront or admin, and the generated/code directory cannot be written to. More tips are available in this article: Magento 2 Cookbook.
Since Magento 2 recommends different ownership and permissions settings for different users to run the application, you may encounter the exceptions mentioned above and, as a result, the inability to write to the generated/code directory in Magento 2.
Although it is recommended to have one user on shared hosting and two users on private hosting, the system has some exceptions to this. Let’s briefly describe the Magento 2 requirements for ownership and permissions.
The core purpose behind this block of settings is security. You want to make your online business as safe as possible, even in a development environment. Thus, preventing unauthorized access and potentially harmful actions is the number one reason to use different ownership and permissions configurations.
File system owner in Magento 2
The Magento 2 file system owner is a user able to write to files in the Magento 2 file system. This term is sometimes a synonym of the command-line user and may refer to any of the following:
A single user of shared hosting who can log in to the Magento server to run it and transfer files via FTP. If there is a single user, you can set a umask to restrict access further.
Several users from a shared group. This situation is typical for private hosting or your own server. Although it is not possible to log in to the server and switch to the webserver user to manage everything, you have separate users:
One for the webserver to run the Magento 2 backend and frontend;
And another one to run cron jobs and command-line utilities (a command-line user). You can use this local account to log in to the server.
Note that write permissions to the Magento file system may be necessary for both the webserver and command-line users. Write access is required for the developer mode. You provide them with permissions via a shared group to which they belong. Also, note that private hosting has its unique requirements. To let the shared group write to the Magento 2 file system, use the default 002 umask.
To make your e-commerce business more secure, Magento 2 offers a umask, a tool that lets you restrict access at different levels of your website. Also called a file system creation mask, it is a set of bits. The purpose of each bit is to control and restrict the corresponding permission set for newly created files.
The default three-bit mask for Magento 2 is 002. You subtract it from the UNIX defaults:
666 – for files;
777 – for directories.
As a result, you get 664 for files, which makes them writable for both the user and the group and only readable for everyone else. 775 for directories makes them fully controllable for both the user and the group, just like in the case of files, while everyone else can traverse the directory. You can find more information about magento_umask here: Optionally set a umask.
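The following is an added example, not code from the original article or from Magento: it applies the 002 mask to the 666 and 777 defaults and audits a generated/code tree for entries that break the shared-group setup described above. The function names and the sample tree are constructed for illustration; the mask is applied by clearing bits, which for 002 gives the same 664 and 775 as the subtraction.

```python
import os
import stat
import tempfile

MAGENTO_UMASK = 0o002  # default mask named in the article


def effective_mode(requested, mask=MAGENTO_UMASK):
    """Mode a new entry receives: bits set in the mask are cleared."""
    return requested & ~mask & 0o777


def audit_tree(root, mask=MAGENTO_UMASK):
    """List (relative path, octal mode, problem) for entries that break the
    shared-group setup: bits the mask should clear, or no group write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode says nothing about access
            mode = stat.S_IMODE(info.st_mode)
            rel = os.path.relpath(path, root)
            if mode & mask:
                findings.append((rel, oct(mode), "has bits the umask clears"))
            elif not mode & stat.S_IWGRP:
                findings.append((rel, oct(mode), "group cannot write"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a generated/code tree with two deliberate faults."""
    root = os.path.join(base, "generated", "code")
    os.makedirs(os.path.join(root, "Vendor"))
    layout = {".": 0o775, "Vendor": 0o777,
              "Good.php": 0o664, os.path.join("Vendor", "Stale.php"): 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)  # set explicitly, independent of our own umask
    return root


if __name__ == "__main__":
    print(oct(effective_mode(0o666)), oct(effective_mode(0o777)))
    with tempfile.TemporaryDirectory() as base:
        for finding in audit_tree(build_sample_tree(base)):
            print(finding)
```

Point audit_tree at a real generated/code path to list entries that are world-writable or that the shared group cannot write to.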