Thanks for pointing it out. The System check screen is quite new and this is one of the first bugs on it in months.

What is your exact setup (command chmod you run on config folder?)

What do you recommend we suggest instead? move from "critical" level to "Notice" be enough for fix?

In 80dd44b: Fixes #4046 Not checking for config/config.ini.php in the system check since it's not required (and we display warning on other screens that need config writable)
Also fixing install process regression and removing config.ini.sample.php

I was just going to check that you should remove this check since you don't need config/ directory writeable most of the time, and I see you have already done that.

Thanks!

Anyway as a side note - never ever recommend chmod 777 since this gives the access to all users on the system, which is really bad on shared hosts.

I would ever say that if you want to have a secure setup then you should secure all directories (write protect) with files which might get executed by PHP. (But I don't think that logic belongs to Piwik.)

E.g. if the "quick setup/update" can update the site then the black hat also can if there's a security hole in Piwik (or PHP itself).

I just read the below message in the updater, and I thought this ticket would be the right place to post it because I cannot see from the commit in comment#2 that it has actually been fixed.

chmod -R 0755 /var/www/piwik

Files are not supposed to be marked executable under no circumstances. If the intention is to make all directories executable, you have to do this:

chmod -R +X /var/www/piwik

Sorry, I'm not a Piwik dev - but I wanted you to know this so your app doesn't spread bad security practices.

Thanks for a great alternative to GA,
Ben

Removing owner from tickets. from now on, I suggest we assign tickets to ourselves for cases when we we plan to actively work on them in the coming days/weeks. let's discuss if needed during our team call.

see #13628