@p-blomberg opened this Issue on October 6th 2016

Piwik 2.16.5 intends to be secure, but asks for permissions to overwrite parts of itself all the time. From a security standpoint, this is unacceptable.

Here are some examples:

  • In Admin -> Diagnostic -> System Check, piwik begs me to make piwik.js writable. It even says "In the future even some core features might not work as expected".
  • Upgrades from earlier versions cannot be completed if config/config.ini.php is not writable
  • The tmp dir is required to be writable, and is placed in the piwik directory served by the webserver (like everything else). We should have the option to keep this directory somewhere else, such as /tmp/piwik
  • Usage of the auto-update and marketplace features is encouraged, even though they are insecure by design. The web server user should not have access to install software.

There are some other security issues as well, that make me uncomfortable using piwik for a large site.

  • As far as I can tell, there is no mailing list for security announcements, only an RSS feed for new versions
  • Many parts of the Piwik.org website are served over http instead of https, even though the server is capable of https.
  • When downloading a new version, there is no checksum to make sure the file is complete and has not been altered.
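
The requirement in the post above (nothing under the served tree writable by the web server except a dedicated tmp dir, and that dir preferably outside the web root) can be checked mechanically. The following is an added example, not code from the issue or from Piwik. It assumes the usual deployment pattern: files owned by a deploy user, the web server running as a different user that is a member of the files' group, so "writable by the web server" means group- or world-writable. The sample install tree it builds is constructed for the demonstration; paths like `piwik.js` and `config/config.ini.php` are taken from the post, the rest is illustrative.

```python
"""Audit a Piwik install tree for files the web server user could write to.

Added example, not part of the issue or of Piwik. Assumption: files are owned
by a deploy user and the web server runs as a different user in the same
group, so any group- or world-writable path is writable by the web server.
Only the tmp dir is allowed to be writable.
"""
import os
import stat
import tempfile
from pathlib import Path

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_install(root, allowed_writable=("tmp",)):
    """Return sorted relative paths (files and directories) under `root` that
    are group- or world-writable and not inside an allowed writable dir."""
    root = Path(root)
    allowed = [Path(a) for a in allowed_writable]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            if any(rel == a or a in rel.parents for a in allowed):
                continue
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits are meaningless; audit the target itself
            if mode & WRITABLE_BY_OTHERS:
                findings.append(str(rel))
    return sorted(findings)


def tmp_dir_inside_webroot(webroot, tmp_dir):
    """True when the configured tmp dir resolves to a path under the served tree,
    which is the situation the post objects to."""
    webroot = Path(webroot).resolve()
    tmp_dir = Path(tmp_dir).resolve()
    return webroot == tmp_dir or webroot in tmp_dir.parents


def build_sample_tree():
    """Create a constructed, deliberately misconfigured install in a temp dir
    and return its path: piwik.js and config.ini.php are group-writable (as the
    System Check asks for), everything else is read-only for the group."""
    root = Path(tempfile.mkdtemp(prefix="piwik-audit-"))
    layout = {
        "index.php": 0o644,
        "piwik.js": 0o664,               # writable: the check should flag it
        "config/config.ini.php": 0o664,  # writable: the check should flag it
        "plugins/CoreHome/CoreHome.php": 0o644,
        "tmp/cache/tracker/foo.php": 0o664,  # writable but inside tmp: allowed
    }
    for rel, mode in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("// constructed sample\n")
        path.chmod(mode)
    for d in ("config", "plugins", "plugins/CoreHome"):
        (root / d).chmod(0o755)
    for d in ("tmp", "tmp/cache", "tmp/cache/tracker"):
        (root / d).chmod(0o775)
    return str(root)


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in audit_install(root):
        print("writable by web server:", finding)
    print("tmp inside web root:", tmp_dir_inside_webroot(root, root + "/tmp"))
```

Run it against a real install as `audit_install("/var/www/piwik")`; an empty result outside `tmp` is the state the post asks for, and the expected findings while an update is running are exactly `config/config.ini.php` (and whatever the updater unpacks), which should disappear again once permissions are restored.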
@iMarkus commented on October 10th 2016 Contributor

I also had to change the tmp directory in the global.php for security reasons.

We should have the option to configure this directory in the config.ini.php

@mattab commented on November 12th 2016 Member

thanks for the great feedback and summary of important security topics :+1:

In Admin -> Diagnostic -> System Check, piwik begs me to make piwik.js writable. It even says "In the future even some core features might not work as expected".

good point. Created #10855 for this.

Upgrades from earlier versions cannot be completed if config/config.ini.php is not writable

Yes, a writable config is needed by design (mostly because we store the list of activated plugins in config). Typically you make the file writable while the update is running, then make it read-only again. Are there maybe other issues with this?

The tmp dir is required to be writable, and is placed in the piwik directory served by the webserver (like everything else). We should have the option to keep this directory somewhere else, such as /tmp/piwik

created #10854

Usage of the auto-update and marketplace features is encouraged, even though they are insecure by design. The web server user should not have access to install software.

Yes, by design we encourage use of the Marketplace because of the huge value it provides. We do, however, make it easy to disable the Marketplace: simply deactivate the marketplace plugin (in Piwik 2.17.0, where the marketplace was vastly improved!).

As far as I can tell, there is no mailing list for security announcements, only an RSS feed for new versions

You can sign up here: http://madmimi.com/signups/139168/join - we need to show it on the website, covered in https://github.com/piwik/piwik/issues/7063#issuecomment-91113781

When downloading a new version, there is no checksum to make sure the file is complete and has not been altered.

For this we use a PGP signature. It's documented in http://piwik.org/blog/2014/11/verify-signatures-piwik-packages/ and we'll show this on the download page soon (#10687).

Feel free to open new issues or post further feedback here :+1:

@p-blomberg commented on November 24th 2016

Upgrades from earlier versions cannot be completed if config/config.ini.php is not writable

Yes, a writable config is needed by design (mostly because we store the list of activated plugins in config). Typically you make the file writable while the update is running, then make it read-only again. Are there maybe other issues with this?

Sorry, I can't accept this as a solution. The config file is a PHP file, so any code in it will be executed. This means that the application should not be able to write to it, because if it can write to the file, it can inject code.
Instead, give the administrator a list of the changes that are needed in the config file during the update, and let me do the changes myself.
The whole point of a config file is for the administrator to tell the application how it should behave, not for the application to configure itself however it wants. I want to keep version control of all configuration changes and be able to understand why each change was made.
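
What the comment above proposes can be built as a dry-run step of the updater: compute the edits the update would make to config/config.ini.php and hand the administrator a unified diff to review, apply and commit, rather than writing the PHP-guarded file from the web server process. The code below is an added example, not Piwik's implementation. It assumes the list syntax Piwik uses for activated plugins (`Plugins[] = "Name"` under a `[Plugins]` section); the sample config it operates on is constructed and shortened, and `plugin_changes` is a name chosen here.

```python
"""Emit the config.ini.php changes an update needs as a diff instead of
writing them.

Added example, not Piwik's code. Assumes the `Plugins[] = "Name"` list syntax
under a `[Plugins]` section. Nothing here touches the filesystem: the caller
(an administrator) decides whether and how to apply the diff.
"""
import difflib
import re

# Constructed, shortened sample of a config.ini.php; the first line is the
# PHP guard that makes the post's point: the file is executed as PHP.
SAMPLE_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "localhost"
dbname = "piwik"

[Plugins]
Plugins[] = "CoreHome"
Plugins[] = "UsersManager"

[General]
enable_auto_update = 0
"""

PLUGIN_LINE = re.compile(r'^Plugins\[\]\s*=\s*"([^"]*)"$')


def plugin_changes(config_text, activate=(), deactivate=()):
    """Return (new_text, unified_diff) for activating/deactivating plugins.

    Plugins to activate that are missing are appended at the end of the
    [Plugins] section (before its trailing blank lines); lines for plugins to
    deactivate are dropped. A missing [Plugins] section is created at the end
    of the file when there is something to activate. The diff is empty when
    the config already matches."""
    old = config_text.splitlines(keepends=True)
    new = []
    present = []
    in_plugins = False
    found = False

    def close_section():
        missing = [p for p in activate if p not in present]
        trailing = []
        while new and new[-1].strip() == "":
            trailing.insert(0, new.pop())
        new.extend(f'Plugins[] = "{p}"\n' for p in missing)
        new.extend(trailing)

    for line in old:
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_plugins:
                close_section()
            in_plugins = stripped == "[Plugins]"
            found = found or in_plugins
            new.append(line)
            continue
        if in_plugins:
            m = PLUGIN_LINE.match(stripped)
            if m:
                present.append(m.group(1))
                if m.group(1) in deactivate:
                    continue  # drop the line for a plugin being deactivated
        new.append(line)
    if in_plugins:
        close_section()
    elif not found and activate:
        if new and not new[-1].endswith("\n"):
            new.append("\n")
        new.append("\n[Plugins]\n")
        close_section()

    new_text = "".join(new)
    diff = "".join(difflib.unified_diff(
        old, new, "config/config.ini.php", "config/config.ini.php (proposed)"))
    return new_text, diff


if __name__ == "__main__":
    _, diff = plugin_changes(SAMPLE_CONFIG, activate=("MyPlugin",),
                             deactivate=("UsersManager",))
    print(diff or "config already up to date")
```

The update routine would call this with the plugin set the new version needs and stop there; `patch -p0 < proposed.diff` (or a manual edit) under the administrator's account, followed by a commit, gives the audit trail the comment asks for, and the file itself never needs to be writable by the web server.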

@mattab commented on December 6th 2016 Member

Instead, give the administrator a list of the changes that are needed in the config file during the update, and let me do the changes myself.

That's a nice idea! It could technically be done in the future. Feel free to create a separate issue (as the scope would be smaller than this current issue) :+1:

@sowmyar13 commented on November 29th 2018

Hello,

I am also looking at a similar kind of requirement where I don't want to give write permission to the config.ini.php file. I want system administrators to update the file rather than the browser updating the configuration file. Please let me know any solution to achieve this. Currently it's a blocker.

This Issue was closed on November 12th 2016