@dev-101 opened this Issue on July 11th 2021

I don't know exactly when this appeared under System, probably with a recent update or so, but I wasn't regularly checking it, so I can't be sure. Latest stable Matomo, Linux shared hosting, PHP 7.3.8.

[screenshot: matomo-error-required-private-directories]

I have tried the proposed fix in the SSH console from here https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/ but it didn't fix it.

What should I do?
Thanks

@dev-101 commented on July 11th 2021

Btw, clicking on the above URL returns HTTP 200 (no redirect), but it loads my website's homepage, so it's actually not critical in terms of security (e.g. it will not reveal any critical info via PHP).

@Findus23 commented on July 11th 2021 Member

Hi,

This check was added in the last Matomo release, which is why quite a few people are noticing it right now.

It tries to request the URL and if it doesn't return a 4XX response or does a redirect, it assumes the file is public for anyone to see.

You can see more about how it works here:
https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php

How to fix it totally depends on your webserver setup. It is also more of a pointer at a potential webserver misconfiguration a lot of people have than a bug in Matomo.

If you are absolutely sure your setup is fine, you can also ignore this system check:

https://forum.matomo.org/t/how-to-ignore-system-integrity-warnings/41368/3?u=lukas
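
A runnable version of that rule, added here as an example and not code from Matomo's RequiredPrivateDirectories check: it requests each private path without following redirects and flags anything that is neither a 4xx nor a redirect. The path entries beyond tmp/cache/tracker/ and the homepage comparison (to recognise the catch-all case @dev-101 describes above, which the check itself still flags) are my assumptions.

```python
from __future__ import annotations
import urllib.error
import urllib.request

# Paths probed relative to the Matomo base URL. "tmp/cache/tracker/" is the
# directory discussed in the thread; the other entries are assumptions.
PRIVATE_PATHS = ["tmp/cache/tracker/", "tmp/", "config/"]

def classify(status: int, body: bytes, homepage_body: bytes | None = None) -> str:
    """Thread's rule: 4xx or redirect means not public; anything else is flagged.
    Added refinement: a 200 whose body equals the homepage is a catch-all
    rewrite (what @dev-101 saw) rather than the private file being served."""
    if 400 <= status < 500:
        return "blocked"
    if 300 <= status < 400:
        return "redirected"
    if homepage_body is not None and body == homepage_body:
        return "catch-all"
    return "exposed"

def is_flagged(verdict: str) -> bool:
    """Verdicts the Matomo check would report (catch-all still counts)."""
    return verdict in ("catch-all", "exposed")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following
    # the redirect, so the redirect itself becomes observable.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """Fetch one URL without following redirects; return (status, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def scan(base_url: str) -> dict[str, str]:
    """Probe every private path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/") + "/"
    _, homepage = probe(base)
    return {p: classify(*probe(base + p), homepage) for p in PRIVATE_PATHS}

if __name__ == "__main__":
    import sys  # usage: python check_private_dirs.py https://analytics.example/
    for path, verdict in scan(sys.argv[1]).items():
        print(("FLAG " if is_flagged(verdict) else "ok   ") + path + ": " + verdict)
```

A homepage with per-request tokens or nonces will not compare byte-identical, so such a catch-all falls back to "exposed" and the body should be inspected by hand.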

@dev-101 commented on July 11th 2021

Not sure if this is the right way to do it and bother users this way. I manually changed the cache folder to 0700 so it should be fine, but then again, this is confusing and a bit annoying tbh.

@Findus23 commented on July 11th 2021 Member

If your webserver and PHP are running as the same user, changing permissions doesn't change anything, because if Matomo can read it, Apache/Nginx can read it (and potentially send it to the visitor).

> Not sure if this is the right way to do it and bother users this way.

If you know a better way to notify people that their webserver is allowing access to files that should not be public, I'm open to suggestions.

@dev-101 commented on July 11th 2021

True, I forgot there's only one user (= owner) in a shared environment. Maybe updating the documentation, or even adding support to modify/generate the main or local .htaccess file (in the case of Apache) with some example rules, would be nice. Maybe even include it by default in the Matomo installation; it should cover the majority of cases out there.

Thanks!

@Findus23 commented on July 11th 2021 Member

The idea of changing how .htaccess files are created by Matomo is maybe something one could look into and has been discussed a bit in the past. I can't say much about it as I don't know Apache at all myself.

But the warning is nevertheless useful as there are a lot of people who aren't using Apache or (as I noticed since the warning was added) are using Apache with htaccess support disabled without noticing.

@dev-101 commented on July 11th 2021

Actually, there is already an advanced .htaccess file in the /tmp/ dir, but it is not working, because local .htaccess files are not read by the Apache directive config on many servers (including mine). Hence, it's not working, either.

Another reason is that it might not actually work on a subdirectory (/cache/tracker/).

Anyway, I resolved this with a Rewrite rule in main .htaccess file.

This Issue was closed on July 11th 2021