System check update message regarding config file permissions #4046
Comments
Thanks for pointing it out. The System check screen is quite new and this is one of the first bugs on it in months. What is your exact setup (which chmod command did you run on the config folder)? What do you recommend we suggest instead? Would moving from "critical" level to "Notice" be enough for a fix?
I was just going to check that you should remove this check since you don't need config/ directory writeable most of the time, and I see you have already done that. Thanks!
Anyway as a side note - never ever recommend chmod 777 since this gives access to all users on the system, which is really bad on shared hosts. I would even say that if you want to have a secure setup then you should secure all directories (write protect) with files which might get executed by PHP. (But I don't think that logic belongs to Piwik.) E.g. if the "quick setup/update" can update the site then the black hat also can if there's a security hole in Piwik (or PHP itself).
I just read the below message in the updater, and I thought this ticket would be the right place to post it because I cannot see from the commit in comment#2 that it has actually been fixed.
Files are not supposed to be marked executable under any circumstances. If the intention is to make all directories executable, you have to do this:
Sorry, I'm not a Piwik dev - but I wanted you to know this so your app doesn't spread bad security practices. Thanks for a great alternative to GA,
Removing owner from tickets. From now on, I suggest we assign tickets to ourselves for cases when we plan to actively work on them in the coming days/weeks. Let's discuss if needed during our team call.
…ystem check since it's not required (and we display warning on other screens that need config writable) Also fixing install process regression and removing config.ini.sample.php
See #13628
This is related to #1590, the System Check page still recommends:
and it marks the issue as "critical":
Such advice is just the first step to getting hacked.
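An added example, not part of the issue or of Piwik's code: a shell audit for the two problems raised in this thread, paths that every user on the host can write to and regular files that carry an execute bit. The function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Piwik code): audit a web application tree for the
# permission problems discussed in this thread.

# Print every file or directory writable by all users on the host,
# which is what "chmod 777" leaves behind. Symlinks are skipped because
# their mode bits are not meaningful.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Print regular files with any execute bit set. Directories need the bit
# for traversal; files interpreted by PHP do not.
executable_files() {
    find "$1" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Report findings for the tree rooted at $1.
# Returns 0 when nothing is reported, 1 otherwise.
audit_tree() {
    ww=$(world_writable "$1")
    ex=$(executable_files "$1")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
    fi
    if [ -n "$ex" ]; then
        printf 'executable regular file:\n%s\n' "$ex"
    fi
    [ -z "$ww" ] && [ -z "$ex" ]
}
```

Source the file and call `audit_tree` with the installation directory; a non-zero status means at least one path needs its mode tightened.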