Magento Connect Manager Requires Write Permissions to All Folders
This is what I get when I try to install a Magento Extension:
Error: Please check for sufficient write file permissions
Your Magento folder does not have sufficient write permissions, which this web based downloader requires.
If you wish to proceed downloading Magento packages online, please set all Magento folders to have writable permission for the web server user (example: apache) and press the “Refresh” button to try again.
So, in order for Magento to be able to install extensions, all files and folders need to be writable by the web server user. This seems to be a very risky solution for an application that has access to a payment gateway.
Surely there can be a more surgical approach to permissions - for example, I imagine most extensions work with just the following folders made writable:
I am sure that a security audit on a Magento system will fail with this policy. Hopefully, with the new Magento Connect Manager (v2.0), extensions will not compromise the security of the application.