Why is chmod 777 given to solve perm issues per README?


#1

This is not a solution, but a hack and opens up people to possible security risks. Why would this even be given and not properly solved in the code? As of right now with these settings I can easily store malicious executable code in the tmp dir. Which is a great foothold to exploit the box then. This also means any process on my box running Piwik can write to this dir.

What is the thinking behind such a suggestion by the Piwik devs? Can you please explain how this solves the problem properly and does not further open a box to a greater risk of being exploited. Fingerprinters like blindelephant can be used to find such installs. I have actually updated my local copies of its DB to start looking for that.

This type of recommendation reminds me of stuff OpenCart spews or even OpenX.


(Matthieu Aubry) #2

Sounds like a “documentation” bug. Can you send the link to it and what you suggest we fix it with instead?

Also see related ticket: System check update message regarding config file permissions · Issue #4046 · matomo-org/matomo · GitHub


#3

I have not spent enough time in your actual code base to properly suggest a resolution. But this can and will be used to exploit installs of Piwik.


(Matthieu Aubry) #4

These are instructions for setting up unit tests for developers, so one should never run these instructions on a production server.


#5

OK, well, it's what comes up with Google searches when I hit the error stated there. I get
RuntimeException: Unable to create the cache directory ( piwik/tmp/templates_c/66/77)
on almost every graph


(Matthieu Aubry) #6

Try giving write permissions to the piwik/tmp/ folder.
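
One way to give piwik/tmp/ write permission without chmod 777, as an added example that is not part of the original posts or of Piwik's documentation: it lists world-writable entries under a directory and then restricts the tree to owner and group. The account name `www-data`, the 750/640 modes and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example. WEB_USER default and all paths are assumptions, not values from the thread.

# Print every entry under $1 that is world-writable (the o+w bit that chmod 777 sets).
# Symlinks are skipped because their mode bits always read as 777.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Count world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Restrict $1 to owner and group: directories 750, files 640.
# When run as root, also hand ownership to the web server account ($2),
# so only that account (not every local process) can write cache files.
restrict_tmp() {
    dir=$1
    web_user=${2:-www-data}   # assumed account name; differs per distribution
    if [ "$(id -u)" -eq 0 ] && id "$web_user" >/dev/null 2>&1; then
        chown -R "$web_user" "$dir"
    fi
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# Constructed stand-in for piwik/tmp after a recursive chmod 777.
# Prints the path of the sample tmp directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp/templates_c/66/77"
    echo 'cached template' > "$root/tmp/templates_c/66/77/sample.php"
    chmod -R 777 "$root/tmp"
    echo "$root/tmp"
}
```

Run `list_world_writable` against the real tmp directory first to see what a 777 left behind, then `restrict_tmp <dir> <web-server-user>` as root.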