Security concerns with shared hosting

#1

Hello,

We are a small group of people and decided to use ownCloud for our files. Since I'm responsible for the IT-related stuff and we are very low on budget, I tried to set up an ownCloud installation on the shared hosting on which our website is running. Everything seems to work fine, but the integrated security check mechanism shows some warnings, so I'm questioning the security of this installation. Since I know very little about security in this area, I'm asking for some thoughts and opinions about it.

The warnings are as follows:

  • Transactional file locking should be configured to use memory-based locking, not the default slow database-based locking.
  • SQLite is used as database. For larger installations we recommend to switch to a different database backend. ...
  • We recommend to enable system cron as any other cron method has possible performance and reliability implications.
  • Some files have not passed the integrity check.
    • INVALID_HASH
      • .htaccess
      • core/doc/admin/_static/img/note_pencil.svg
      • core/doc/admin/_static/img/warning.svg
      • core/fonts/LICENSE.txt
      • core/vendor/clipboard/dist/clipboard.js
      • core/vendor/jsTimezoneDetect/jstz.js
      • core/vendor/showdown/dist/showdown.js
      • core/vendor/showdown/dist/showdown.min.js
    • FILE_MISSING
      • .user.ini
  • This server has no working Internet connection. ...
  • /dev/urandom is not readable by PHP which is highly discouraged for security reasons.
  • You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our security tips.

I only see problems with three points (the file integrity check, HTTPS and the urandom notice). So my question is, how can those points be exploited? And what exactly would be the security risk (e.g. data loss, piracy, ...)?

I don't know if this is related to the .htaccess point, but right now it is possible to access some subfolders of the installation (e.g. core, apps, config, settings). The .htaccess is basically the same; I only removed the lines (AddDefaultCharset utf-8 | Options -Indexes) from the .htaccess files.

Thanks for your help!

Luc
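As an added illustration (not code from the original post and not ownCloud's own checker), the block below is a simplified version of what an integrity check of the kind behind the "INVALID_HASH" / "FILE_MISSING" warnings does: it hashes every shipped file with SHA-512, compares the digest against a manifest, and sorts the results into the same categories the post shows (plus EXTRA_FILE for files on disk that are not in the manifest). ownCloud's real check additionally verifies a signature over the manifest against a certificate chain; that part is left out here. The manifest, the ignore list for the config/ and data/ directories, and the file contents are constructed assumptions. The scenario reproduces the post's two findings: a hand-edited .htaccess comes back as INVALID_HASH and a deleted .user.ini as FILE_MISSING.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Result categories; the post shows the first two, EXTRA_FILE is assumed here
# for anything on disk that the manifest does not list.
INVALID_HASH = "INVALID_HASH"
FILE_MISSING = "FILE_MISSING"
EXTRA_FILE = "EXTRA_FILE"


def sha512_file(path: Path) -> str:
    """SHA-512 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, files) -> dict:
    """Hypothetical stand-in for the hash map an installer ships: relative path -> digest."""
    root = Path(root)
    return {rel: sha512_file(root / rel) for rel in files}


def check_integrity(root, expected: dict, ignore=()) -> dict:
    """Compare the tree under root against the manifest and bucket the findings."""
    root = Path(root)
    report = {INVALID_HASH: [], FILE_MISSING: [], EXTRA_FILE: []}
    for rel, digest in sorted(expected.items()):
        p = root / rel
        if not p.is_file():
            report[FILE_MISSING].append(rel)
        elif not hmac.compare_digest(sha512_file(p), digest):
            report[INVALID_HASH].append(rel)
    # Files present on disk but absent from the manifest; admin-owned paths are skipped.
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected and not any(rel.startswith(i) for i in ignore):
                report[EXTRA_FILE].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario mirroring the post: .htaccess edited, .user.ini deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        shipped = {  # constructed file contents, not ownCloud's real files
            ".htaccess": "AddDefaultCharset utf-8\nOptions -Indexes\n",
            ".user.ini": "upload_max_filesize=513M\n",
            "core/fonts/LICENSE.txt": "constructed license text\n",
            "config/config.php": "<?php $CONFIG = array();\n",
        }
        for rel, text in shipped.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        manifest = build_manifest(root, [".htaccess", ".user.ini", "core/fonts/LICENSE.txt"])
        # Admin edits after install: the two directives are removed, .user.ini is lost.
        (root / ".htaccess").write_text("")
        (root / ".user.ini").unlink()
        return check_integrity(root, manifest, ignore=("config/", "data/"))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

What the check does and does not tell you: a mismatch on a file you edited yourself (here .htaccess) is expected and harmless; the check cannot distinguish your edit from someone else's. A mismatch on a file you never touched, such as the vendored JavaScript in the post's list, deserves a diff against a fresh copy of the same ownCloud release before dismissing it.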


#2

Hey, from what I can see most of the messages should have a link to the ownCloud documentation explaining their purpose. In the past I've stumbled upon a nice overview in the docs as well:

https://doc.owncloud.org/server/latest/admin_manual/configuration/server/security_setup_warnings.html

This e.g. links to a page where it is explained why it is recommended to use HTTPS:

https://doc.owncloud.org/server/latest/admin_manual/configuration/server/harden_server.html#use-https-label

and why you should allow your PHP to access /dev/urandom:

https://doc.owncloud.org/server/latest/admin_manual/configuration/server/harden_server.html#dev-urandom-label

Something similar seems to be also available for the integrity message:

https://doc.owncloud.org/server/latest/admin_manual/issues/code_signing.html

The other messages are probably also something which shouldn't be neglected.