Web directory file permissions seem insecure by default? maybe...
I'm just going off what I know here, so maybe some of you guys can correct me if I'm wrong.
Using EHCP, all files that are uploaded through ftp have an owner of "vsftpd" and a group of "nogroup".
When thinking in terms of Owner-Group-Other, this leaves the "www-data" user in the Other group. As far as I know, it's basically ok to let the "Other" group have read access to everything in a web root folder. However, I didn't think it was ok to give the "Other" group write permissions on anything. If you are using some type of PHP or other dynamic web application, this is what you will likely have to do. In my case, I am using Drupal.
Drupal requires certain directories to have write access from the user "www-data", but since the "www-data" user is in the other group, so does "Other", which could be who knows what on a production system.
This seems like an insecure setup to me. It would seem more reasonable if the group were set to "www-data" by default. If that were so, you could have permissions like this:
Owner - vsftpd - write on select folders - always read access
Group - www-data - write on select folders - always read access
Other - 000
But again, I'm not a security expert, this is just the way I thought it should be set up. So if there are any people that know more about permissions than me, feel free to let me know where I'm wrong at.
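
The owner/group/other layout proposed in the post above, as a shell audit-and-fix sketch (an added example, not part of the original post and not EHCP's own tooling). The function names and the `WEB_GROUP` variable are assumptions; group ownership is only changed when `WEB_GROUP` is set, for example to `www-data`.

```shell
#!/bin/sh
# Added example: audit a web root for "Other" permissions and apply the
# Owner/Group/Other layout from the post. Names here are hypothetical.

# Print every non-symlink path under ROOT that "Other" can write to.
audit_other_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print every non-symlink path under ROOT on which "Other" holds any bit.
audit_other_any() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# apply_scheme ROOT [WRITABLE_DIR...]
#   everything under ROOT:  owner r-x / group r-x / other --- (files r--/r--/---)
#   each WRITABLE_DIR tree: owner rwx / group rwx / other --- (files rw-/rw-/---)
apply_scheme() {
    root=$1
    shift
    # Assumption: WEB_GROUP names the web server's group; skipped when unset.
    if [ -n "${WEB_GROUP:-}" ]; then
        chgrp -R "$WEB_GROUP" "$root" || return 1
    fi
    # Read-only baseline with no access for Other.
    find "$root" -type d -exec chmod 0550 {} +
    find "$root" -type f -exec chmod 0440 {} +
    # Re-open only the folders the application must write to.
    for d in "$@"; do
        find "$d" -type d -exec chmod 0770 {} +
        find "$d" -type f -exec chmod 0660 {} +
    done
}

# Stand-alone use: pass a web root to list what Other can currently write.
if [ "$#" -ge 1 ]; then
    audit_other_writable "$1"
fi
```

Run the audit first to see what would change; `apply_scheme` takes the web root followed by the folders the application needs to write to.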