Hello,

Not sure if this is technically a "design issue" but I have question about the cache-folder files with type .bin e.g "limesurvey/tmp/runtime/cache/0b354aa9282277cdf15f32fd9d472d54.bin"

A security plugin of Joomla-installation is complaining about the file permission of these files as they have permission of 666, and not what the plugin considers secure, which is 644.

What are these files in the first place and is the permission of 666 actually needed for them? And is there any config-option to control this?

this file is the CStatePersister. It's managed by the yii framework itself.

www.yiiframework.com/doc/api/1.1/CStatePersister

I see, thank you very much for the information! It seems the permissions could be changed by modifying file CFileCache.php but do you have any idea, if it is needed for everyone to have read/write permission to the cache files, and do these pose any threat to the site? I did a bit of research and it seems the original file of yii framework has set the permissions to default of the current environment.

File CFileCache.php of Limesurvey:
/**
* @var integer the permission to be set for new cache files.
* This value will be used by PHP chmod function.
* Defaults to 0666, meaning the file is read-writable by all users.
* @since 1.1.16
*/
public $cacheFileMode=0666;

From file FileCache.php of the yii framework ( github.com/yiisoft/yii2/blob/master/fram...aching/FileCache.php ):
/**
* @var int the permission to be set for newly created cache files.
* This value will be used by PHP chmod() function. No umask will be applied.
* If not set, the permission will be determined by the current environment.
*/
public $fileMode;

LimeSurvey use Yii1, not Yii2.

github.com/yiisoft/yii