There's a PHP bug where open_basedir errors are incorrectly flagged, for what is actually something else entirely: https://bugs.php.net/bug.php?id=52065. This caused me to start looking at this issue early, as it's even more important to make correct permissions easier to understand and maintain if PHP is going to misreport things.

I've done most of what is required in a new class I've committed called CMSPermissionsScanner. This class can run standalone of Composr, which is important because if permissions are broken Composr might not be runnable.

It checks regular permissions in an almost absolutist way, it can check extended attributes, and it can check selinux.

I want to go beyond the original scope of this issue and make this class the consistent back-bone of all Composr permission checks/fixup:
- fixperms.sh and fixperms.bat become front-ends to the class, running the commands it outputs
- these scripts will now take an optional parameter that specifies the username of the web user (currently they assume they need to set things as world-writable)
- for fixperms.sh that will default to apache or nobody or http or httpd, whatever exists
- for fixperms.bat that will default to IUSR
- security is important, they can't just front-end to code that could also be run over a web URL - any code must be initiated either using "php -r", or do an "is_cli" check
- upgrader permission checks / fixup (for those with no shell access but may have a broken site)
- Health Check permission check (the ideal place for checking everything)
- If some kind of permission check exists for Commandr, remove it

Any unit tests that check that our permissions checking is in sync everywhere can be simplified, as now the only place listing permissions will be inst_special.php and the documentation.

Improvements to the class:
- Add ability to spit out Windows permission fixing commands (icacls not chmod); test it works as expected on Windows