File permissions in PHP Apache mode

[philmck]

When installed on a server that runs PHP in "Apache" mode (rather than "CGI" mode), temporary files created by Piwik (e.g. in /tmp/sessions) are created with default permissions of 600, which means they can't be subsequently written or modified by Piwik. They need permisions of at least 606 on this sort of server - i.e., publicly writeable.

This is such an obvious problem I can't believe it hasn't been reported, yet I haven't been able to find it (humble apologies therefore if it's a duplicate). Piwik is so close to being an excellent utility, and so close to v1.0 now it seems a pity to let this go.

The workaround implemented by my hosting company is to set up a cron job to periodically CHMOD all files in /tmp to be writeable, but this is a but of a kludge.

[vipsoft]

I already have plans to add a system check at installation.

In the meantime... your change might be considered a security vulnerability, ie locally exploitable session file hijacking.

Try chmod -R apache /your/piwik/folder

[vipsoft]

Sorry... I meant chown (not chmod).

[philmck]

Sadly, I can't chown files, I'm on shared hosting. My provider claims the alternatives are even less secure and wouldn't allow it anyway - there are arguments both ways, I know.

Glad to hear there are plans to address this, anyway. I defected to Google analytics for a while because of this, but it's just not the same.

[vipsoft]

If you were on a dedicated host, you could set apache's umask instead of using the hackish cron job. But on shared hosting, making your files world-writeable is a bad idea.

Your provider evidently hasn't heard of using phpsuexec for php-cgi (php runs under your user ID), or using php-fpm (which allows workers to be started with a different uid/gid or php.ini).

[gerritvanaaken]

I’d like to confirm this issue. I need to make FTP backups of my whole project folder, and my FTP client stops working when it encounters those files that are only readable by the owner.

[vipsoft]

gerritvanaaken: please use the forum for further followup (instead of commenting on a closed ticket). You can safely ignore files in the tmp folder when ftp-ing.