I’m really a noob when it comes to configuration, so I will ask it anyway.
I want to know which user is my apache running. I’m worried about security because I’m always letting files on httpdocs having 777 permission. As an example, I could only install JOOMLA after letting all subdirectories with 777 permissions. I know that’s not possible for a production environment, but I can help, since I dunno what to do in such situations.
So I ask, what would be the proper permissions for webapps running on my apache? Who runs them (which user)?
Files and directories should never be 777, whether or not they are webserver files.
Generally webserver files should be owned by an account that is not wwwrun and a group that is not www. The exceptions are files and directories that have to be writable by the webserver, e.g. upload and cache directories. Your web app documentation should tell you which ones they are.
The initial default is for the files in /srv/www to be owned by root:root. But if you are working on the files, it’s ok for you to own them. Then you don’t have to make them world writable or become root to edit them, both less than safe practices.
Oh and a couple more things. After you have taken ownership of the relevant webserver content files and directories, you should make sure that files are publicly readable (r--), and directories publicly readable and searchable (r-x). Generally this means mode 644 for files and 755 for directories.
Make sure your umask doesn’t filter out the public r and x bits while you are working on the webserver content files, or you will create files and directories missing those bits and have to chmod them before they will be accessible. This means the last digit of your umask should be 2 (only w filtered out).
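
A read-only audit of the checks listed in the answer above, as an added example that is not part of the original thread. The account name wwwrun and the path /srv/www come from the answer; the function names and issue labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit a web content tree against the advice in the answer.
# WEB_USER is an assumption taken from the thread (wwwrun); override as needed.
WEB_USER=${WEB_USER:-wwwrun}

# audit_docroot DIR: print one "<ISSUE> <path>" line per finding.
audit_docroot() {
    root=$1
    # Anything writable by "other" (777, 666, 757, ...). Symlinks are skipped
    # because their own mode bits are not what access checks use.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    # Regular files missing the public read bit (the answer wants 644).
    find "$root" -type f ! -perm -0004 -print | sed 's/^/NOT_PUBLIC_READABLE /'
    # Directories missing public read+search bits (the answer wants 755).
    find "$root" -type d ! -perm -0005 -print | sed 's/^/DIR_NOT_SEARCHABLE /'
    # Content owned by the web server account: expected only for upload and
    # cache directories. find errors on unknown user names, so check first.
    if id -u "$WEB_USER" >/dev/null 2>&1; then
        find "$root" -user "$WEB_USER" -print | sed 's/^/WEBSERVER_OWNED /'
    fi
    return 0
}

# umask_keeps_public_rx MASK: succeed when the last digit of MASK is 2,
# i.e. only w is filtered for "other", as the answer recommends.
umask_keeps_public_rx() {
    case $1 in
        *2) return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage: sh audit.sh /srv/www
if [ "$#" -gt 0 ]; then
    umask_keeps_public_rx "$(umask)" || echo "UMASK $(umask) (last digit should be 2)"
    audit_docroot "$1"
fi
```

Any WEBSERVER_OWNED path that your web app's documentation does not name as an upload or cache directory is worth re-owning; the script itself changes nothing.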