I am trying to set permissions on my server properly. Currently I have a number of directories and files chmod'd at 0777 -- but I am not comfortable with it being this way.

So at the advice of a serverfault specialist, I had my hosting provider install ACL on my shared virtual server.

When I FTP to the server as my FTP user account "abc", I can do everything I need to do (and rightfully so) because all my dirs and files are owned by "abc", the group is "abc", and the 1st octet is set to 7 (rwx). That much I get.

But here's where it gets dark gray for me. PHP is set to user "nobody".

• so when someone browses on of my web pages that either ends in .php or has some embedded PHP, I assume the last octet controls the access. Because all my dirs and files are owned by "abc" and assigned to group "abc", if the last octet was a 4 (r--) then the server would let the browser read the file. If it were a 6 (rw-) then the server would let the browser also write to the file or directory, correct?
• what if the web document does not end in .php or does not have any PHP embedded? What is the user then?
• how can I use ACL to not set the permission to 6 (rw-) or even 7 (rwx)? [not sure what execute does or means]

Just looking for some sort of policy settings to best lock down my dirs and files while allowing my PHP scripts to do uploads and write to files (so my users don't call me to tell me "permission denied".

Ok, thanks to anyone out there willing to lend me a hand. It is greatly appreciated.