Chmod

rienus · March 30, 2010, 8:43am

Hi

I just updated a Piwik installation to the latest version. I was only able to update, after I set CHMOD 777 on all folders.

Now my question:
Is there an overview of rights for all important folders, which can be used as a guide, making sure Piwik will not get hacked?

Thanks for a great statistic program!

Cheers
Rienus

derspinner · April 2, 2010, 7:41am

I join issue.

sxm · April 2, 2010, 8:45pm

But chmod 777 is really necessary ? In the readme manual there isn’t any note to set the permission on 777 style_emoticons/<#EMO_DIR#>/blink.gif

matthieu · April 6, 2010, 12:30pm

chmod 777 is mandatory on piwik/tmp folder

if you want to use the one click auto update, you would also need chmod 777 on piwik/*

neofutur · August 31, 2010, 7:04pm

Same here, the one clik upgrade is great, but after the upgrade, the process should say something like
"the webserver now have write access on all the website, its more secure to revert the permissions".
“After the upgrade the webserver need write access only on the tmp folder of your piwik installation”

matthieu · November 23, 2010, 10:18am

[quote=neofutur @ Aug 31 2010, 07:04 PM]Same here, the one clik upgrade is great, but after the upgrade, the process should say something like
"the webserver now have write access on all the website, its more secure to revert the permissions".
“After the upgrade the webserver need write access only on the tmp folder of your piwik installation”[/quote]

Good point, I created a ticket with your suggestion in http://dev.piwik.org/trac/ticket/1833

cwd · June 2, 2012, 6:04pm

I noticed that the support ticket[/url] addressing this issue has been closed, but the [url=http://piwik.org/update/]update page still recommends you CHMOD recursively all files and folders to 777, which creates a glaring security hole, does it not?

matthieu · June 2, 2012, 10:29pm

Thanks I’ve updated the doc - is it ok now? Update Piwik - Analytics Platform - Matomo

cwd · June 5, 2012, 6:50pm

Yes, thanks. However, we opted to use the manual method because, given that the CHMOD is recursive, it would have taken forever for us to figure out the permissions of all the files and folders and subsequently revert them to their original permissions.

sonexus · February 3, 2014, 12:51am

Well wait a minute. I just installed the latest Piwik on my server as of 2/2/14 and in order to install, I had to chmod 0777 the entire tmp folder just to be able to complete the install. Even after the installation, piwik/tmp requires 777! Why can’t Piwik utilize the permissions of the user and group that the webserver is running under for this!?! This is a major security issue!! Are there any plans to address this?

matthieu · February 3, 2014, 3:56am

It does not require 777. Simply the web server user has to have write access.