As designed Default visibility on internal-data and code-cache is public

[Kirby]

Affected version

2.2.5

\XF:FsMounts::loadDefaultMounts

$internalData = new EventableFilesystem($internalDataAdapter, [
    'visibility' => AdapterInterface::VISIBILITY_PUBLIC
]);

[...]

$codeCache = new EventableFilesystem($codeCacheAdapter, [
    'visibility' => AdapterInterface::VISIBILITY_PUBLIC
]);

This causes all files in internal-data / code-cache to have a visibility of public.

With the standard local filesystem adapter, this would cause files to be 0644/0666.

As far as I can see, those files are not public and there normally shouldn't be a need for any other user except the user running PHP to read or write those files.
Though there might be situations where another user (like the webserver) would need read access, so maybe this should be be made configurable.

 

[Mike]

This is generally intentional and is really most significantly about trying to avoid issues in different permission configurations that may exist (based on the various combination of web server, PHP, and FTP users that may be used). The change you propose is likely to cause pain/difficulty for a portion of these setups for example (for not a lot of benefit IMO).

If there are particular setups you want to use, you should be override the adapters used via config.php and apply the desired permission configuration.