One of those things I can't quite get my head around... What's basically the difference between "Read" and "Execute" permissions? If a certain php file is not readable, but executable by apache (chmod 641), why does it give a 403? Or is the Execute permission only applicable to directories/folders? One day I think I "get" it, next day I'm lost...
Basically "read" allows you to read a file. This should be enough for most webserver purposes, even php scripts normally don't have to be executable (cgi scripts on the other hand should be executable). Setting something executable but not readable doesn't make much sense because to execute the script the server first has to read it. On directories the executable flag enables you to enter that directory.
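As an added illustration (this script is not from the thread; the scratch tree, file names and modes are made up for the demonstration), here is a small shell script that builds a few files and directories with different bits and reports what each bit actually permits. It assumes GNU coreutils (stat -c) and has to be run as an unprivileged user: root bypasses the mode bits entirely, so every check would print "yes" there.

```shell
#!/bin/sh
# Added example, not from the thread: what the r and x bits gate on a file
# versus a directory. Assumes GNU coreutils (stat -c). Run it as a normal
# user; root bypasses the mode bits, so every check would print "yes" there.

WORK="$(mktemp -d)"             # scratch tree (path is arbitrary)
trap 'rm -rf "$WORK"' EXIT

mode_of()   { stat -c '%a' "$1"; }
can_read()  { [ -r "$1" ]; }               # read a file's content, or list a dir's names
can_exec()  { [ -x "$1" ]; }               # execute bit on a file, search bit on a dir
can_enter() { ( cd "$1" ) 2>/dev/null; }   # entering a dir needs x only, not r

setup_fixture() {
    umask 022
    mkdir -p "$WORK/htdocs/private" "$WORK/htdocs/traverse"
    printf '<?php echo "hi";\n' > "$WORK/htdocs/index.php"
    printf '<?php echo "hi";\n' > "$WORK/htdocs/noread.php"
    printf 'secret\n'           > "$WORK/htdocs/private/note.txt"
    printf 'known name\n'       > "$WORK/htdocs/traverse/a.txt"
    chmod 644 "$WORK/htdocs/index.php"   # rw-r--r--: what a PHP file served by Apache needs
    chmod 100 "$WORK/htdocs/noread.php"  # --x------: x without r; the content cannot be read at all
    chmod 600 "$WORK/htdocs/private"     # rw-------: names can be listed, but nobody can enter it
    chmod 100 "$WORK/htdocs/traverse"    # --x------: cannot be listed, but a known path inside is reachable
}

# Print mode, readable?, executable/searchable?, enterable? for each fixture path.
report() {
    for p in "$WORK/htdocs/index.php" "$WORK/htdocs/noread.php" \
             "$WORK/htdocs/private"   "$WORK/htdocs/traverse"; do
        printf '%-4s %-12s read=%-3s exec=%-3s enter=%s\n' \
            "$(mode_of "$p")" "${p#"$WORK/htdocs/"}" \
            "$(can_read "$p"  && echo yes || echo no)" \
            "$(can_exec "$p"  && echo yes || echo no)" \
            "$(can_enter "$p" && echo yes || echo no)"
    done
}

setup_fixture
report
```

The two directory cases are the ones worth remembering: with r but no x (private) you can see the names inside but cannot enter or open anything, and with x but no r (traverse) you cannot list the directory, yet a file whose exact name you know is still readable through it. A PHP file that Apache serves needs r; the x bit on it buys nothing, which is why 641 still gives a 403 to a request served as "other".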
OK thanks, in that context, it makes more sense. For a new site I need a folder to be writable by the script. The script is executed as "apache". The owner is "webmaster" and the group is "webdev". Webmaster belongs to "webdev" but "apache" doesn't. So I need to make it 777, or at least 666. Would it be better if I added user "apache" to group "webdev" so I can reduce it to 664 and then set all files so they can only be deleted by the owner? Am I right in thinking that will prevent someone who puts a script in the writable folder from destroying other files?
The best way would probably be to put the apache user into the same group as the admin user (in this case webmaster). Otherwise you would need to set the folder to 777 because a folder that can't be opened is pretty useless - but setting something to 777 generally is a bad idea. So, to make it short: I would place apache into the webdev-group and then set permissions for the folder to 775 and the generated files to 664.
If Apache is in the webdev group and the files are 664 then any script executed as the Apache user will be able to delete them - it has write access to them after all. Besides which, if they're created by Apache then apache will be the owner anyway. If you're going to create sub-directories using your script you'll want to set your directory to mode 2775 (gid sticky bit) so that sub-directories are created with the group webdev rather than apache.
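The group-shared layout described in the last two answers, as an added worked example (not from the thread): the script below creates a writable directory with mode 2775, simulates the web-server process writing a file and a sub-directory into it, and then shows that both inherit the directory's group and that the sub-directory also inherits the setgid bit. It goes one step further than the thread on the deletion question: whether an entry can be removed is decided by the write bit on its directory, not by the file's own mode, and it is the sticky bit (3775 = setgid + sticky + rwxrwxr-x) that restricts removal to the entry's owner, the directory's owner or root. It assumes GNU coreutils (stat -c). In the thread the group would be webdev; here SHARED_GROUP defaults to the caller's own numeric primary group so the script runs unprivileged anywhere (chgrp to a group you are not a member of needs root). The directory and file names are invented.

```shell
#!/bin/sh
# Added example, not from the thread: a directory the web-server user can
# write into, shared through a group, with the setgid bit so that anything
# created inside inherits the directory's group instead of the creator's
# primary group. Assumes GNU coreutils (stat -c). SHARED_GROUP would be
# "webdev" in the thread; it defaults to the caller's numeric primary group
# so the script runs unprivileged (chgrp to a foreign group needs root).

SHARED_GROUP="${SHARED_GROUP:-$(id -g)}"
WORK="$(mktemp -d)"             # scratch location (path is arbitrary)
UPLOADS="$WORK/uploads"
trap 'rm -rf "$WORK"' EXIT

mode_of()  { stat -c '%a' "$1"; }
group_of() { stat -c '%g' "$1"; }   # numeric gid, so it compares with id -g

# Step 1: the shared directory. 2775 = setgid + rwxrwxr-x.
# Owner and group members can create and delete entries; others only list/enter.
setup_shared_dir() {
    mkdir -p "$UPLOADS"
    chgrp "$SHARED_GROUP" "$UPLOADS"
    chmod 2775 "$UPLOADS"
}

# Step 2: what the process running as "apache" would do. umask 002 makes new
# files 664 and new directories 775, so the group keeps write access; the
# setgid bit on the parent supplies the group and is copied onto new subdirs.
simulate_script_writes() {
    ( umask 002
      mkdir "$UPLOADS/thumbs"
      printf 'generated\n' > "$UPLOADS/thumbs/out.txt"
      printf 'top\n'       > "$UPLOADS/report.txt" )
}

# Step 3: the hardening asked about in the thread. Deleting an entry needs
# write on the directory, which every group member now has; the sticky bit
# limits unlink to the entry's owner, the directory's owner, or root.
# 3775 = setgid + sticky + rwxrwxr-x.
add_sticky_bit() { chmod 3775 "$UPLOADS"; }

setup_shared_dir
simulate_script_writes
add_sticky_bit

for p in "$UPLOADS" "$UPLOADS/thumbs" "$UPLOADS/thumbs/out.txt" "$UPLOADS/report.txt"; do
    printf '%-5s gid=%-6s %s\n' "$(mode_of "$p")" "$(group_of "$p")" "${p#"$WORK/"}"
done
```

Note that the sticky bit is not inherited by the sub-directory (it stays 2775), so if your script creates sub-directories that also need the owner-only deletion rule, set it on them explicitly. None of this stops a script running as apache from editing or overwriting files that are group-writable; it only controls who may create or remove directory entries.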