Chmod


(Rienus) #1

Hi

I just updated a Piwik installation to the latest version. I was only able to update after I set CHMOD 777 on all folders.

Now my question:
Is there an overview of rights for all important folders, which can be used as a guide, making sure Piwik will not get hacked?

Thanks for a great statistic program!

Cheers
Rienus


(derSpinner) #2

I join issue.


(SxM) #3

But is chmod 777 really necessary? In the readme manual there isn’t any note to set the permission to 777.


(Matthieu Aubry) #4

chmod 777 is mandatory on piwik/tmp folder

if you want to use the one click auto update, you would also need chmod 777 on piwik/*


(neofutur) #5

Same here, the one-click upgrade is great, but after the upgrade, the process should say something like
“the webserver now has write access on all the website, it’s more secure to revert the permissions”.
“After the upgrade the webserver needs write access only on the tmp folder of your piwik installation”


(Matthieu Aubry) #6

[quote=neofutur @ Aug 31 2010, 07:04 PM]Same here, the one-click upgrade is great, but after the upgrade, the process should say something like
“the webserver now has write access on all the website, it’s more secure to revert the permissions”.
“After the upgrade the webserver needs write access only on the tmp folder of your piwik installation”[/quote]

Good point, I created a ticket with your suggestion in http://dev.piwik.org/trac/ticket/1833


(WeRockYourWeb.com) #7

I noticed that the support ticket addressing this issue has been closed, but the [url=http://piwik.org/update/]update page[/url] still recommends you CHMOD recursively all files and folders to 777, which creates a glaring security hole, does it not?


(Matthieu Aubry) #8

Thanks I’ve updated the doc - is it ok now? Update Piwik - Analytics Platform - Matomo


(WeRockYourWeb.com) #9

Yes, thanks. However, we opted to use the manual method because, given that the CHMOD is recursive, it would have taken forever for us to figure out the permissions of all the files and folders and subsequently revert them to their original permissions.


#10

Well wait a minute. I just installed the latest Piwik on my server as of 2/2/14 and in order to install, I had to chmod 0777 the entire tmp folder just to be able to complete the install. Even after the installation, piwik/tmp requires 777! Why can’t Piwik utilize the permissions of the user and group that the webserver is running under for this!?! This is a major security issue!! Are there any plans to address this?


(Matthieu Aubry) #11

It does not require 777. Simply the web server user has to have write access.
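
Added example, not part of the thread and not Piwik's own code: a shell sketch that lists what a recursive `chmod 777` left world-writable and then resets the tree so that only `tmp` is writable by the web server's group. The function names, the 755/644 baseline modes and the optional group argument (for example `www-data`) are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example: audit and tighten a Piwik tree after a one-click update.
# Assumptions (not from the thread): baseline modes are 755 for directories
# and 644 for files, and the web server reaches tmp/ through group ownership.

# Print every file or directory under $1 that any local user can write to.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Reset the tree under $1 to the baseline, then make only tmp/ writable
# by owner and group. $2 (optional) is the web server's group name.
harden_piwik_tree() {
    hp_root="$1"
    hp_group="${2:-}"
    [ -d "$hp_root/tmp" ] || { echo "no tmp/ under $hp_root" >&2; return 1; }

    # Baseline: nothing is group- or world-writable.
    find "$hp_root" -type d -exec chmod 755 {} +
    find "$hp_root" -type f -exec chmod 644 {} +

    # Hand tmp/ to the web server's group (needs root or group membership).
    if [ -n "$hp_group" ]; then
        chgrp -R "$hp_group" "$hp_root/tmp"
    fi

    # tmp/ only: owner and group may write, everyone else gets nothing.
    find "$hp_root/tmp" -type d -exec chmod 770 {} +
    find "$hp_root/tmp" -type f -exec chmod 660 {} +
}

# Typical use (path and group are placeholders):
#   audit_world_writable /var/www/piwik
#   harden_piwik_tree /var/www/piwik www-data
#   audit_world_writable /var/www/piwik    # should now print nothing
```

If the web server runs as the owner of the files rather than through a group, the same audit applies and `tmp` can be tightened further to 700/600.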