see also #1590

Anthon wrote:

If the directory/file owner and web server user have the same UID, use 0600 for files and 0700 for directories.

If not, but the owner and web server user are in the same group, use 0660 for files, and 0770 for directories.

Otherwise, use 0666 for files, and 0777 for directories. (If you're on a shared hosting account and have to be this permissive, then I'd probably switch hosting providers.)

Also there is a problem in that, it seems that by default /tmp/ directory is not protected. For example demo.piwik.org/tmp/templates_c/ demo.piwik.org/tmp/templates_c/%25%250D%5E0DB%5E0DBECC49%25%25index.tpl.php are directory disclosure.

I guess the easiest way would be to create a blank index.html in each directory?

Also, extract from email:

we recommend to execute, if the current permissions are not
proper (ie. user writable):
$directoryList .= "<code>chmod 0777 $realpath</code><br
/>";
I'm not sure why we give this command rather than the one we give above in
line 305:
. "<code>chown -R www-data:www-data
".Piwik_Common::getPathToPiwikRoot()."</code><br />"
. "<code>chmod -R 0755
".Piwik_Common::getPathToPiwikRoot()."</code><br />";

(only writable by webserver to write cache files and configs

If we change the message to the chown, would you say the issue is gone?
Yes. Definitely the second option with chown and chmod 0755 is so much better.
I would even consider adding the code, which checks for 777 perms and
raise a warning if found. Totaly up to you.

See also other report where the installation was loopig for lack of write permissions on the config/ folder. Are they checked properly?

See http://symfony.com/doc/current/book/installation.html for acl tips on environments that support it

We now give the command to chmod 755

So, I think this ticket is not necessary anymore, since the commands given do not give extra permissions that could be dangerous... Closing as won't fix.

Milestone 1.8.x Piwik 1.8.x deleted

See follow up #5034