I tried to get rid of all warnings from the SecurityInfo module. But I kept getting two red alerts concerning a privileged user/group running the php files.
Using the current debian package the php runs using www-data:www-data account which uses user_id=33 (same for the group_id). The uid.php and gid.php scripts of the module define a minimum value of 100 to be safe, which is too strict. Anything above zero should even be OK, as it might not be root anymore.
I changed the defines to 10 and - as expected - the red warning disappeared. (PHP is executing as what is probably a non-privileged user) & (PHP is executing as what is probably a non-privileged group)
Could anyone just change these two constants to either a lower value or, depending on the OS, to a meaningful value?
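An added example (not code from the Piwik SecurityInfo module or from this thread) of what an OS-aware version of the uid.php/gid.php check could look like: it reads the distribution's UID_MIN/GID_MIN from /etc/login.defs instead of hard-coding 100, and distinguishes root from a shared daemon account such as www-data (uid 33) and from a regular account. The fallback value of 1000, the function names and the verdict wording are assumptions; the script needs the PHP posix extension.

```php
<?php
// Added example, not code from the Piwik SecurityInfo module (uid.php / gid.php).
// Reports the account PHP runs as and classifies it against the OS's own
// floor for regular accounts instead of a fixed threshold of 100.

// Read UID_MIN or GID_MIN from /etc/login.defs (Linux). $default (1000 here)
// is an assumed fallback for systems without that file.
function minRegularId(string $key, string $loginDefs = '/etc/login.defs', int $default = 1000): int
{
    if (!is_readable($loginDefs)) {
        return $default;
    }
    $contents = file_get_contents($loginDefs);
    if ($contents !== false
        && preg_match('/^\s*' . preg_quote($key, '/') . '\s+(\d+)/m', $contents, $m)) {
        return (int) $m[1];
    }
    return $default;
}

// 0 is root; anything below the distribution's regular-account floor is a
// system/daemon account (Debian's www-data is 33); everything else is regular.
function classifyId(int $id, int $min): string
{
    if ($id === 0) {
        return 'root';
    }
    return $id < $min ? 'system' : 'regular';
}

// Human-readable verdict in the spirit of the module's red/green messages.
function verdict(string $class): string
{
    switch ($class) {
        case 'root':
            return 'RED: PHP is executing as root';
        case 'system':
            return 'NOTE: PHP is executing as a shared daemon account; fine on a '
                 . 'single-tenant host, a concern where other users\' scripts run under the same id';
        default:
            return 'OK: PHP is executing as what is probably a non-privileged account';
    }
}

function checkProcessIdentity(): array
{
    $uid   = posix_geteuid();
    $gid   = posix_getegid();
    $user  = posix_getpwuid($uid) ?: ['name' => '?'];
    $group = posix_getgrgid($gid) ?: ['name' => '?'];
    return [
        'user'  => ['id' => $uid, 'name' => $user['name'],
                    'class' => classifyId($uid, minRegularId('UID_MIN'))],
        'group' => ['id' => $gid, 'name' => $group['name'],
                    'class' => classifyId($gid, minRegularId('GID_MIN'))],
    ];
}

foreach (checkProcessIdentity() as $kind => $info) {
    printf("%-5s %s (%d): %s\n", $kind, $info['name'], $info['id'], verdict($info['class']));
}
```

Run it from the command line or drop it under the web root and request it once to see what the web server's PHP actually runs as; on the Debian setup described in the post it reports www-data (33) as a system account rather than a red alert.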
SecurityInfo provides “best practices” recommendations. Piwik doesn’t actually know if you share your web server with other users.
With a privileged user, the implication is that the web server executes all php code under one user ID.
So, my code running at http://example.com/~vipsoft/exploit.php could access the files in another user’s public_html directory on the same server, or session files in the shared session folder, etc.
Hi everybody,
I am new to Piwik but I seem to have the same problem as kkretsch:
In my security listing I have two red errors regarding user_id and group_id. I tried to change both to a new user (test) with a user_id of 1001 but had no success. I have to give the piwik folder 777 in order for it to work.
What can I do to set up Piwik in a secure manner? We are running several instances of piwik.
Thank you for your advice. I know that this is no real security issue in our case but my boss is afraid the customers could see this and get concerned…
Anyway I played around with user permissions until everything was ok. My solution is giving apache2 a new owner and giving this owner all rights to the piwik folder. Simple as that but hard to find out if you are new to all this.
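As an added example (not from this thread or from Piwik itself), a small audit script that lists world-writable entries under an install directory. A tree that was given 777 as a workaround shows up here entry by entry; a tree owned by the web server account with ordinary modes, the approach the post ends up with, produces an empty list. The function names and the default of scanning the script's own directory are assumptions; owner-name lookup uses the posix extension when it is available.

```php
<?php
// Added example, not code from Piwik or the SecurityInfo module.
// Lists every file or directory under $root whose mode has the other-write bit
// set, i.e. what "chmod -R 777" leaves behind.

function ownerName(string $path): string
{
    $uid = fileowner($path);
    if ($uid === false) {
        return '?';
    }
    if (function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($uid);
        if ($pw) {
            return $pw['name'];
        }
    }
    return (string) $uid;
}

// Returns sorted lines "path (mode, owner name)" for each world-writable entry.
function worldWritableEntries(string $root): array
{
    $hits = [];
    $paths = [$root];                       // the iterator does not yield $root itself
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $paths[] = $path;
    }
    foreach ($paths as $path) {
        $mode = fileperms($path);
        if ($mode !== false && ($mode & 0002)) {   // other-write bit
            $hits[] = sprintf('%s (%o, owner %s)', $path, $mode & 0777, ownerName($path));
        }
    }
    sort($hits);
    return $hits;
}

$root = $argv[1] ?? __DIR__;                 // assumed usage: php audit.php /path/to/piwik
$hits = worldWritableEntries($root);
if ($hits === []) {
    echo "No world-writable entries under $root\n";
} else {
    printf("%d world-writable entries under %s:\n", count($hits), $root);
    foreach ($hits as $line) {
        echo "  $line\n";
    }
}
```

The directories the application itself must write to should be owned by, or group-writable for, the web server account rather than opened to everyone; after fixing ownership and modes, rerun the script and expect the empty result.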