Best practices securing HTTP/HTTPS (continued)...


Permissions on ServerRoot Directories

Apache is started by the root user, and it switches to the user defined in the Apache configuration file to serve web pages. You must take care that ServerRoot Directories are protected from modification by non-root users.

Not only must the files themselves be writable only by root, the directories, and parents of all directories must also be protected. 

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises.