I've been doing web development for about 6 months now for fun and so I never really had a reason to be secure. Now I want to change that but I'm having a hard time understanding apache file permissions. I created the server and usually just ran var/www with 777 permissions because I needed to get by and didn't have information worth stealing. I researched user permissions and now I have run into a problem after configuring some things. I added the apache user "nobody" to a group I created called webserver, I also have an ftp user in this group. I set var/www permissions so that "me" and the group webserver have full permissions on for the folder and enclosed files and other users have no rights (can't read). When I attempt to view my sample website on 'localhost' I get a permission denied message from apache, but apache has full ownership of the file so why can't it process the file, send the appropriate response the the computer which requested it, and complete the transaction? Does Apache process http requests as a different user? I'm confused.
Usually on Ubuntu, apache run with the user www-data.
You can also pimp it by editing APACHE_RUN_USER and APACHE_RUN_GROUP in the envvars file.