I don't know exactly when this appeared under System, probably with a recent update or so, but I wasn't regularly checking it, so I can't be sure. Latest stable Matomo, Linux shared hosting, PHP 7.3.8.
I have tried the proposed fix in the SSH console from https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/ but it didn't fix it.
What should I do?
Btw, clicking on the above URL will return HTTP 200 (no redirect), but it will load my website's homepage, so it's actually not critical in terms of security (e.g. it will not reveal any critical info via PHP).
This check was added in the last Matomo release, which is why quite a few people are noticing it right now.
It tries to request the URL and if it doesn't return a 4XX response or does a redirect, it assumes the file is public for anyone to see.
You can see more about how it works here:
How to fix it totally depends on your webserver setup. It is also more of a pointer at a potential webserver misconfiguration a lot of people have than a bug in Matomo.
If you are absolutely sure your setup is fine, you can also ignore this system check:
Not sure if this is the right way to do it and bother users this way. I manually changed the cache folder to 0700 so it should be fine, but then again, this is confusing and a bit annoying tbh.
If your webserver and PHP are running as the same user, changing permissions doesn't change anything, because if Matomo can read it, Apache/Nginx can read it (and potentially send it to the visitor).
Not sure if this is the right way to do it and bother users this way.
If you know a better way to notify people that their webserver is allowing access to files that should not be public, I'm open for suggestions.
True, I forgot there's only one user (= owner) in a shared environment. Maybe updating the documentation, or even adding support to modify/generate the main or local .htaccess file (in the case of Apache) with some example rules would be nice. Maybe even include it by default in the Matomo installation; it should cover the majority of cases out there.
The idea of changing how .htaccess files are created by Matomo is maybe something one could look into and has been discussed a bit in the past. I can't say much about it as I don't know Apache at all myself.
But the warning is nevertheless useful as there are a lot of people who aren't using Apache or (as I noticed since the warning was added) are using Apache with htaccess support disabled without noticing.
Actually, there is already an advanced .htaccess file in the /tmp/ dir, but it is not working, because local .htaccess files are not read by the Apache directive config on many servers (including mine). Hence, it's not working, either.
Another reason it might not actually work on a subdirectory (/cache/tracker/).
Anyway, I resolved this with a Rewrite rule in the main .htaccess file.
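The decision rule described in the thread (a 4XX response or a redirect passes, anything else is flagged) can be reproduced with a small probe. This is an added example, not Matomo's code and not from any poster; `classify`, `probe`, `DemoHandler`, the verdict strings and the demo paths are hypothetical, and the reading of the rule is an assumption taken from the explanation above.

```python
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def classify(status):
    """Rule as read from the thread (an assumption): 4XX or a redirect passes."""
    return "ok" if 300 <= status < 500 else "flagged"

def probe(url, timeout=5):
    """GET url without following redirects; return (status, verdict)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    with closing(cls(parts.hostname, parts.port, timeout=timeout)) as conn:
        conn.request("GET", parts.path or "/")
        status = conn.getresponse().status
    return status, classify(status)

class DemoHandler(BaseHTTPRequestHandler):
    # Constructed server behaviours for the demo: path -> (status, Location)
    ROUTES = {
        "/denied/tmp/": (403, None),    # an access rule is in effect
        "/moved/tmp/": (302, "/"),      # server redirects away
        "/homepage/tmp/": (200, None),  # server answers with the site homepage
    }
    def do_GET(self):
        status, location = self.ROUTES.get(self.path, (404, None))
        body = b"<html>homepage</html>" if status == 200 else b""
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # local, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return {path: probe(base + path) for path in DemoHandler.ROUTES}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The third route mirrors the situation in the first post: a 200 that serves the homepage is still flagged, because the rule looks only at the status code and not at the body.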