Web Folder Ownership and Permissions for Apache

[Drek]

I'm wondering if anyone can give me some advice on ownership and permissions for web folders for Apache. All my web folders were owned by root root. I changed that to www-data www-data (my Apache group and user). I did this so I could change the permissions on some upload folders to 775, instead of 777, which they were before.

However, it occurs to me now that, if Apache gets hacked somehow, the hackers could, conceivably, alter the contents of all my web folders, whereas before with the owner being root root, the only folders that could have been altered were the upload folders. However, I suspect with 777 permissions, the chances of those upload folders being compromised were much higher than they are presently for the web folders.

This is not a situation where I am offering a service to clients. I have read that in that case I should have the web folders owned by the client user, so they can upload to them, etc. Am I better off to create a separate user account anyway, and assign ownership of the web folders to that user (in which case I would have to return to 777 permissions), or is what I have done a good solution?

[coopstah13]

chmod 644 the files if they are html, if they need to be executed AKA perl scripts, php scripts, chmod 655

[Drek]

My question wasn't as much about the permissions on my webfolders in general, but on certain specific folders that php uploads to that require quite loose permissions, and on what group and user should own my web folders. However that is a helpful answer and I will check my general permissions as well.

[coopstah13]

just make the folders that aren't being uploaded to write protected
if you have a folder that needs to be written to, i don't really know of a way to stop someone from overwriting the files, other than in the php script you would want to check if the file existed already, if it did, throw an error