File security warning message shown in dashboard

[brendanmckeown]

I'm not quite sure why I'm getting this security notification when I login to the admin dashboard (it would be nice if it was a little more specific):
"Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider."

My file ownership and permission settings are as follows:

• All files and directories are owned by ubuntu and have the group of www-data
• All directory permissions are set to 770 and files set to 660, except for...
• In pub/static, directories are set to 775 and files set to 664 -- this change was needed in order to get assets to load on the front-end.

It seems to me that all of the sensitive files (e.g. those in app/etc) are configured correctly.

Why am I still seeing this warning message?

[piotrekkaminski]

@brendanmckeown what are the permissions to /app/etc? are you using Nginx or Apache?

[brendanmckeown]

@piotrekkaminski
Using Apache (2.4.18), app/etc has the same perms as the others, directories are 770 and files are 660.

[stenidor]

I have exactly the same problem ! Have you found a solution ?

[AeroBob93]

I have the same problem, with files are 664 and directories 755. the root folder (public_html) has 755 as well.

[brendanmckeown]

This message eventually went away on it's own, without me changing any file permissions. I'm now running 2.0.2.

[straltest]

I have same problem in windows.To solve what I did is disallow /app/etc/config.php access.You have to create .htaccess and add following code into it.

Order deny,allow
Deny from all
RewriteRule ^(.*)config.php$ - [F,L]

[SmarDeFiProjects]

To fix message "Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider".

1. shh- Run the following command from your root account.

chown -R accountuser:accountusergroup /path-to-root-folderl/

2. ssh - Run the following command from the domain account user(not your web server account such as apache etc).

find . -type d -exec chmod 770 {} ; & find . -type f -exec chmod 660 {} ; && chmod u+x bin/magento
chmod -R g+w /path-to-root-folderl/{pub,var}
chmod -R g+w /path-to-root-folderl/{app/etc,vendor}
chmod -R g+s pub/static pub/media .
find var/generation -type d -exec chmod g+s {} ;
find var/session -type d -exec chmod g+s {} ;

3. ssh - Run the following command from your root account.

chown -R domain_account_user:webservergroup /path-to-root-folderl/var
chown -R domain_account_user:webservergroup /path-to-root-folder/app/etc
chown -R domain_account_user:webservergroup /path-to-root-folderl/pub
chown -R webserverUSER:webservergroup /path-to-root-folder/var/session

This will fix this error and many other error. Note: disable SUPHP when using magento 2, you will save yourself a lot of headache.
Currently I'm running mod_mpm_event with ea-apache24-mod_cgid and PHP 7 and ea-php70-php-fpm.

I had my magento 2 running with just mod_mpm_event with ea-apache24-mod_cgid and PHP 7 before I added PHP-FPM.

If you are running cpanel/ apache and you don't want to use easyapache to move to mod_mpm_event + ea-apache24-mod_cgid you can use shell from ssh .
Run the command bellow from ssh .
yum shell
remove ea-apache24-mod_mpm_worker
remove ea-apache24-mod_cgi
install ea-apache24-mod_mpm_event
install ea-apache24-mod_cgid
run
quit

[ideadx]

Here is the permission sets I ran on Nginx and still getting dashboard warning error, please help:

#Update permissions:

sudo find var vendor pub/static pub/media app/etc var -type f -exec chmod u+w {} ;
sudo find var vendor pub/static pub/media app/etc var -type d -exec chmod u+w {} ;
sudo chmod u+x bin/magento

sudo find . -type d -exec chmod 770 {} ; && sudo find . -type f -exec chmod 660 {} ; && sudo chmod u+x bin/magento; sudo chmod -R g+w /var/www//{pub,var}

#update the permission to write:
sudo chown -R :www-data .

#Generate the content
sudo php bin/magento setup:static-content:deploy

[leo-leung]

vendor/magento/module-admin-notification/Model/System/Message/Security.php

This file always use server curl post to check a file http://domain.com/app/etc/config.php can be access or not, if receive 200OK, then the notification bar will be shown.