
#1 2020-10-08 00:21:57

dd-b

Security issue: database access info stored in world-read file

In a test install, netinstall, when I got around to looking what it did with the database config info I entered, I found this:

Code:

dh_akhcfg@william-floyd:~/gal02.dd-b.net/piwigo/local/config$ ls -l
total 8
-rw-rw-rw- 1 dh_akhcfg pg75234 319 Oct  7 13:48 database.inc.php
-rwxr-xr-x 1 dh_akhcfg pg75234 610 Oct  7 13:36 index.php

database.inc.php, which contains the host, user, password, and database names, is world-writable!!!! (not just readable).

Even read would be a huge security hole (it gives everybody who can read world-readable files on the server full access to the database).

Changing the protection of database.inc.php to 600 does not immediately seem to have broken anything, but I haven't done more than the most minimal testing, enough to establish it can still access the database.

    Piwigo 2.10.2
    Operating system: Linux
    PHP: 7.2.30 (Show info) [2020-10-07 15:17:11]
    MySQL: 5.7.29-log [2020-10-07 15:17:11]
    Graphics Library: ImageMagick 6.9.7-4

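One way to audit and tighten the permissions described above, as an added shell example that is not part of the thread or of Piwigo itself. It assumes PHP runs as the file's owner (a per-user FPM pool or suEXEC-style setup, as the reporter's install evidently has, since 600 kept working), so 0600 does not lock the application out of its own credentials.

```shell
#!/bin/sh
# Added example (not from the thread): audit a config file such as
# Piwigo's local/config/database.inc.php for group/other access and
# tighten it to owner-only (0600), which is what the post tried.
# Assumes PHP executes as the file's owner, so 0600 still lets the
# application read its database credentials.

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print each way the file leaks beyond its owner, one finding per line.
# Returns 0 when the file is owner-only, 1 when any finding was printed.
audit_config_perms() {
    mode=$(file_mode "$1")
    other=$((mode % 10)); group=$(((mode / 10) % 10))
    bad=0
    [ $((other & 4)) -ne 0 ] && { echo "world-readable: $1"; bad=1; }
    [ $((other & 2)) -ne 0 ] && { echo "world-writable: $1"; bad=1; }
    [ $((group & 4)) -ne 0 ] && { echo "group-readable: $1"; bad=1; }
    [ $((group & 2)) -ne 0 ] && { echo "group-writable: $1"; bad=1; }
    return $bad
}

# Restrict to owner read/write and re-audit; prints nothing on success.
harden_config_perms() {
    chmod 600 "$1" && audit_config_perms "$1"
}

# Constructed demo: recreate the -rw-rw-rw- file from the post in a
# scratch directory instead of touching a real install.
demo_config_file() {
    d=$(mktemp -d)
    f="$d/database.inc.php"
    printf '<?php\n$conf["db_password"] = "example";\n' > "$f"
    chmod 666 "$f"
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(demo_config_file)
    audit_config_perms "$f" || echo "-> insecure, hardening"
    harden_config_perms "$f" && echo "-> $f is now $(file_mode "$f")"
fi
```

Run with `--demo` to see the four findings for a 666 file, then the hardened 600 result; on a shared host where PHP runs as a different user, 640 with the web server's group is the fallback rather than 600.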

#2 2020-10-11 10:02:04

dd-b

Re: Security issue: database access info stored in world-read file

I've reported this as an issue on GitHub; it's #1227.
