Magento Guide, Part 2 – Using Magento Connect

There have been more than a few updates to Magento in the last 2 months or so, and unless you’ve just installed it or haven’t worked on it, an update is going to be a bit of an annoyance. You certainly don’t want to reinstall Magento and copy or, even worse, add all your products and skin changes all over again.
The best way by far to update Magento is to use the Magento Downloader facility. To do that, all you need is a paper, pencil, a die… no, wait. You need Magento installed and an Internet connection. An FTP client and/or a helpful Web Host will come in handy as well.
In The Beginning…
To begin with, you need to set the folder permissions so that the Downloader can work. The Downloader requires all of the folders in your Magento install, every single one, to be writeable. If you have an FTP client like FileZilla and a lot of patience, you can ask it to set the permissions of your folders to 777 and recurse it through all folders and subdirectories. Don’t change permissions for the files – this isn’t needed. If you have SSH access or a nice webhost, ask them to run this line in your Magento install folder:
find ./ -type d -exec chmod 777 {} \;
This command will find all the directories and set the permission to 777. And it’s a lot quicker than using an FTP client… if you are forced to use an FTP client, I’d go put the kettle on. And maybe go to the shop and buy some biscuits – it’s going to take a while.
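An added example, not part of the original post: the Downloader needs the open permissions but, as the author notes in the comments, Magento itself does not, so these shell functions record each directory's mode before the `chmod 777` step and put it back once the upgrade is done. The function names and the manifest file are assumptions made for illustration, and the snapshot relies on `stat -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: function names and the manifest format are illustrative.
# Assumes `stat -c` (GNU coreutils/BusyBox) and no newlines in directory names.

# Record "<octal mode> <path>" for every directory under ROOT.
snapshot_dir_modes() {   # usage: snapshot_dir_modes ROOT MANIFEST
    find "$1" -type d -exec stat -c '%a %n' {} + > "$2"
}

# The article's step: make every directory (not file) world-writable.
open_dirs() {            # usage: open_dirs ROOT
    find "$1" -type d -exec chmod 777 {} +
}

# Reapply the recorded mode to each directory that still exists.
restore_dir_modes() {    # usage: restore_dir_modes MANIFEST
    while IFS= read -r line; do
        mode=${line%% *}     # text before the first space
        path=${line#* }      # everything after it, spaces preserved
        if [ -d "$path" ]; then
            chmod "$mode" "$path"
        fi
    done < "$1"
}

# Count directories that any local account can still write to, for
# example directories that were not in the manifest.
count_world_writable() { # usage: count_world_writable ROOT
    find "$1" -type d -perm -0002 | wc -l | tr -d ' '
}
```

Keep the manifest outside the web root, and treat a non-zero result from `count_world_writable` after the restore as a list to review by hand.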
Let there be Downloads
Once you’ve done that, point your browser to www.yourdomainname.extension/downloader. Here you’ll be presented with a login screen. Any user with full admin rights can log in to this area.
Once you’ve logged in, assuming you’ve never been in the Downloader before, you’ll be confronted with a screen that looks a bit like this:
[Screenshot: the Downloader on first login]
You can’t use the full functionality of the Downloader yet. Enter the following line of code into the second box (Paste extension key to install) – it will tell the Downloader to find and install all the latest updates for Magento:
magento-core/Mage_All_Latest
Push the button and wait for the console to tell you it’s finished installing (the downloader opens up a black console screen in your web page, with green text) and you’ll see this page:
[Screenshot: the Downloader after the install has finished]
Now the hard part is over. When you refresh this page, you’ll see a list of all the Magento components, your version number and the current version available. Modules requiring an update are highlighted in Gold. You can also use this downloader to incorporate modules available on Magento Connect into your Magento store.
It’s also recommended that you take Varien’s advice and select the option to clear all the sessions – this will ensure that you won’t encounter any cached content from older versions.
Well, that’s it – no more cumbersome upgrades or installs!

User Comments
Hube
On August 30, 2008 at 5:49 pm
>>> “Magento install, every single one, to be writeable. If you have an FTP client like FileZilla and a lot of patience, you can ask it to set the permissions of your folders to 777”
This is a huge security vulnerability!!! Changing all folders to 777 opens the entire site up to hacking!!!
Perhaps you have never been on the receiving end of this, but I have. A host that I have worked with required that I set a folder’s permissions to 777 in order to allow scripts residing on the server to write to the folder. This was due to the fact that my scripts on the server ran with the permissions of the visitor rather than the permission of the file owner. This opened a window for hackers and I nearly lost the entire site.
Knowing this, how can I make all the folders that Magento uses public writable (777) and ensure the security of the site?
admin
On September 3, 2008 at 11:34 am
I would suggest that the problem lies with the scripts and the hosts rather than the permissions.
Yes, if your files and folders are set to 777 then anyone can do anything. Except, of course:
They need access to your files and folders!
If a website is hacked, it is because the hacker found a way in. This is NOT because of the permissions. The permissions dictate what LEGITIMATE users of various kinds can do; without access they make no difference.
So the problem lies with how the hackers got to your site (or get to your site, however you want to put it). I’d suggest vulnerabilities in the scripts you mention are at fault here; an exploit in those scripts that allows a hacker a multitude of ways into your site code. Perhaps.
They may have found another way in. Just because the permissions were changed and the site was hacked doesn’t mean the two were related – it may have been coincidental. Well known software, old versions that don’t have updates to fix security issues, poor choice of passwords – all are avenues for potential hacking.
Magento is a new product, it is constantly updated, and we have high levels of security on our servers. There has not been a single successful hack on our servers; we host many, many Magento sites, who all use the downloader and haven’t had issues. There are many more Magento users around the world who, sadly, are not using us for their hosting, but who, happily, have not reported that their sites have been hacked.
So, no. This is NOT ‘a huge security vulnerability!!!’ Running scripts that allow hackers to cost you almost an entire site is a vulnerability. Setting full permissions for Magento on a secure server is not a vulnerability.
And there’s always the final option – you could change the permissions back? Whereas the downloader needs these permissions, Magento itself does not…
iman
On December 16, 2008 at 1:13 pm
Thanks for the tutorial. Finally I found a site that made sense. Keep it up.
The use of pictures really helps!
Thanks!
~iman
Swapnil
On December 25, 2008 at 12:29 pm
I have followed the instructions to change the permissions of the files and the permissions have been successfully changed.
But, when I load the downloader and provide username and password it gives the following error.
404 Error
Page Not Found
I shall be thankful for any help.
Webshopnews
On January 4, 2009 at 3:03 pm
Thank you for your Magento connect tutorial. I’ve only one suggestion, but it’s not a criticism: A Video-Tutorial for that would be a blast….
Nadia
On January 9, 2009 at 10:04 pm
I have been trying to install Magento via FTP and SSH and neither seems to work. I get the following error in the Magento installation wizard:
Path “/usr/www/users/jibjab/store/app/etc” must be writable
Path “/usr/www/users/jibjab/store/var” must be writable
Path “/usr/www/users/jibjab/store/media” must be writable
The hacking info was helpful because I did change all the file permissions to 777, but I will change them back. I may have missed a step, but do you leave all of the downloaded Magento files on the desktop or do I put them in a certain place? Any advice would be very helpful. Thanks
Qbert
On January 20, 2009 at 9:26 am
In fact the folders simply have to be writable by the server, usually ‘www-data’ or similar, so you could do this instead in theory (I have yet to try this but I will very shortly)
find ./ -type d -exec chgrp www-data {} \;
Adam
On January 21, 2009 at 11:34 pm
ok, apology time, I’ve just noticed you were only recommending changing directories not files to 777 (RTFA!), so it’s not as bad as I made out above. Still preferable to set the correct permissions though if possible, or at the very least set them back after you’ve upgraded…
http://www.magentocommerce.com/wiki/groups/227/resetting_file_permissions
Gary
On May 1, 2009 at 3:20 pm
Thanks for the how-to!
Thanks,
Gary
OwlBoy
On July 28, 2009 at 9:28 am
Thanks for this! It made things clear as can be for me I think. Been wondering how Magento connect was able to do its stuff, I had my permissions wrong heh.