Security Diagnostics: save_path woes

I’m trying to lock down Piwik, but I can’t get rid of “save_path is disabled, or is set to a common world-writable directory”.

In php.ini I have the following configured:

session.save_path = “/usr/share/nginx/sessions”

This is a folder readable by the www-data user, it is not inside the web folder (not accessible from the web). What is the recommended setting for getting a passing grade on the save_path test really?

what is the CHMOD of this directory? Check it is not world-readable.

root@kfumpiwik:~# ls -lah /usr/share/nginx/ | grep sessions
drwxrwx— 2 www-data www-data 4.0K Aug 13 17:31 sessions

Octal is 770, in other words:


User:  read | write | execute
Group: read | write | execute
World: -    | -     | -