Required Private Directories error in System / Diagnostics #17751

Closed
dev-101 opened this issue Jul 11, 2021 · 7 comments
Labels
answered For when a question was asked and we referred to forum or answered it.


dev-101 commented Jul 11, 2021

I don't know exactly when this appeared under System, probably with a recent update or so, but I wasn't regularly checking it, so I can't be sure. Latest stable Matomo, Linux shared hosting, PHP 7.3.8.

matomo-error-required-private-directories

I have tried the proposed fix in the SSH console here https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/ but it didn't fix it.

What should I do?
Thanks

@dev-101 dev-101 added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label Jul 11, 2021

dev-101 commented Jul 11, 2021

Btw, clicking on the above URL will return HTTP 200 (no redirect), but it will load my website's homepage, so it's actually not critical in terms of security (e.g. it will not reveal any critical info via PHP).

Findus23 (Member) commented

Hi,

This check was added in the last Matomo release, which is why quite a few people are noticing it right now.

It tries to request the URL and if it doesn't return a 4XX response or does a redirect, it assumes the file is public for anyone to see.

You can see more about how it works here:
https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php

How to fix it totally depends on your webserver setup. It is also more of a pointer at a potential webserver misconfiguration a lot of people have than a bug in Matomo.

If you are absolutely sure your setup is fine, you can also ignore this system check:

https://forum.matomo.org/t/how-to-ignore-system-integrity-warnings/41368/3?u=lukas

@Findus23 Findus23 added answered For when a question was asked and we referred to forum or answered it. and removed Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. labels Jul 11, 2021
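
Added example, not part of the thread and not Matomo's own code: a Python version of the rule described in the comment above (a 4xx or a redirect counts as private, anything else as public), run against two constructed local servers. One answers every URL with a home page, as the reporter describes, and one refuses the paths with 403; the paths, class names and function names are assumptions for illustration.

```python
import http.client
import http.server
import threading

PRIVATE_PATHS = ["/tmp/", "/cache/tracker/"]  # sample paths named in the thread

def classify(status):
    """Rule as described in the thread: a 4xx or a redirect means not served."""
    return "private" if 300 <= status < 500 else "public"

def probe(host, port, paths=PRIVATE_PATHS):
    """GET each path (http.client never follows redirects) and classify it."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        results[path] = (resp.status, classify(resp.status))
    return results

class CatchAll(http.server.BaseHTTPRequestHandler):
    """Constructed server: every URL returns 200 and a home page."""
    deny = ()
    def do_GET(self):
        status = 403 if self.path.startswith(self.deny) else 200
        body = b"denied" if status == 403 else b"<html>home page</html>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

class DenyPrivate(CatchAll):
    """Constructed server: the private paths are refused with 403."""
    deny = tuple(PRIVATE_PATHS)

def run_demo(handler):
    """Start the constructed server on a free local port and probe it."""
    with http.server.HTTPServer(("127.0.0.1", 0), handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_demo(CatchAll), run_demo(DenyPrivate))
```

The catch-all server is flagged even though its body is only a home page, because the rule looks at the status code and not at what was returned.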

dev-101 commented Jul 11, 2021

Not sure if this is the right way to do it and bother users this way. I manually changed the cache folder to 0700 so it should be fine, but then again, this is confusing and a bit annoying tbh.

Findus23 (Member) commented

If your webserver and PHP are running as the same user, changing permissions doesn't change anything, because if Matomo can read it, Apache/Nginx can read it (and potentially send it to the visitor).

> Not sure if this is the right way to do it and bother users this way.

If you know a better way to notify people that their webserver is allowing access to files that should not be public, I'm open for suggestions.


dev-101 commented Jul 11, 2021

True, I forgot there's only one user (= owner) in a shared environment. Maybe updating the documentation, or even adding support to modify/generate the main or local .htaccess file (in case of Apache) with some example rules, would be nice. Maybe even include it by default in the Matomo installation; it should cover the majority of cases out there.

Thanks!

Findus23 (Member) commented

The idea of changing how .htaccess files are created by Matomo is maybe something one could look into and has been discussed a bit in the past. I can't say much about it as I don't know Apache at all myself.

But the warning is nevertheless useful as there are a lot of people who aren't using Apache or (as I noticed since the warning was added) are using Apache with htaccess support disabled without noticing.


dev-101 commented Jul 11, 2021

Actually, there is already an advanced .htaccess file in the /tmp/ dir, but it is not working, because local .htaccess files are not read by the Apache directive config on many servers (including mine). Hence, it's not working, either.

Another reason: it might not actually work on a subdirectory (/cache/tracker/).

Anyway, I resolved this with a Rewrite rule in the main .htaccess file.
