Local server install on Linux - file permissions & security?

I (think that I) just did a successful local install of the ownCloud server on a shared Linux server. In so doing I followed the instructions provided by my ISP. I used a tarball to do the installation. Before installing, I did a umask 0022 to let the files keep their default permissions (except for group/other write, of course). I successfully set up a desktop client on a Windows client, and successfully uploaded a file. After doing this, I was curious where the file would be stored, and found that it was in a folder having permissions 755 under a folder hierarchy that also had permissions 755 up several levels to a directory that had permissions 770. I know that if I put a 700 directory higher up in the hierarchy I can make the file secure, but I’m worried whether that might break things. As things stand, the file is potentially visible to anyone who can gain command-line access to the server. There is obviously something wrong here.
(FYI I first tried installing with my default umask 077, but found that I couldn’t even configure ownCloud at all, so I reinstalled using umask 0022.)
I know that the default location should be in the /var/www/owncloud/data, which should be secure, but I am on a shared server and do not have access to that location.
I might be able to set up external storage, which would (!?!presumably!?!) be more secure. I’m trying to understand whether I did something wrong, whether I can use more restrictive permissions and still get owncloud to work, whether external storage will solve this problem, and/or whether it is simply bad practice to do a local installation on a shared server.
Any advice or suggestions would be appreciated.
Thank you,
P.S. I do not necessarily think that this is a bug, but I filled out some of the tracking info below.

Steps to reproduce

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

Server configuration

Operating system:
x86_64 GNU/Linux
Web server:
PHP version:
ownCloud version: (see ownCloud admin page)
Updated from an older ownCloud or fresh install:
Where did you install ownCloud from:
tarball owncloud-10.3.2.tar
Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
paste the results into https://gist.github.com/ and puth the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.


If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration


Operating system:


Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

Could you sum up your problem in a bullet point form or in a “I did this - then this happened instead of this”

Steps to reproduce and expected and actual behaviour template are there for a reason - readability.
Expecting for a person to read a long text is very optimistic :wink: