Web directory file permissions seem insecure by default? maybe...

I'm just going off what I know here, so maybe some of you guys can correct me if I'm wrong.

Using EHCP, all files that are uploaded through FTP have an owner of "vsftpd" and a group of "nogroup".

When thinking in terms of Owner-Group-Other, this leaves the "www-data" user in the Other group. As far as I know, it's basically ok to let the "Other" group have read access to everything in a web root folder. However, I didn't think it was ok to give the "Other" group write permissions on anything. If you are using some type of PHP or other dynamic web application, this is what you will likely have to do. In my case, I am using Drupal.

Drupal requires certain directories to have write access from the user "www-data", but since the "www-data" user is in the other group, so does "Other", which could be who knows what on a production system.

This seems like an insecure setup to me. It would seem more reasonable if the group were set to "www-data" by default. If that were so, you could have permissions like this:

Owner - vsftpd - write on select folders - always read access
Group - www-data - write on select folders - always read access
Other - 000

But again, I'm not a security expert, this is just the way I thought it should be set up. So if there are any people that know more about permissions than me, feel free to let me know where I'm wrong.

With the new version 0.30 of EHCP, the default file ownership is vsftpd:www-data, just as you suggested. It is now being tested, as you can see on the front page of ehcp.net.

Awesome, I'll download it and try it out.

Just set it up, but the issue is still there. Here is my httpdocs directory after uploading Drupal 7.8 through FTP:

root@webserver3:/var/www/vhosts/mysite.com/mysite.com/httpdocs# ls -al
total 240
drwxr-xr-x 9 vsftpd www-data 4096 2011-09-13 11:45 .
drwxr-xr-x 5 vsftpd www-data 4096 2011-09-13 11:27 ..
-rw-r--r-- 1 vsftpd nogroup 6780 2011-09-13 11:45 authorize.php
-rw-r--r-- 1 vsftpd nogroup 61959 2011-09-13 11:45 CHANGELOG.txt
-rw-r--r-- 1 vsftpd nogroup 1021 2011-09-13 11:45 COPYRIGHT.txt
-rw-r--r-- 1 vsftpd nogroup 746 2011-09-13 11:45 cron.php
-rw-r--r-- 1 vsftpd nogroup 180 2011-09-13 11:45 .gitignore
-rw-r--r-- 1 vsftpd nogroup 5547 2011-09-13 11:45 .htaccess
drwxr-xr-x 4 vsftpd nogroup 4096 2011-09-13 11:45 includes
-rw-r--r-- 1 vsftpd nogroup 550 2011-09-13 11:45 index.php
-rw-r--r-- 1 vsftpd nogroup 1489 2011-09-13 11:45 INSTALL.mysql.txt
-rw-r--r-- 1 vsftpd nogroup 1918 2011-09-13 11:45 INSTALL.pgsql.txt
-rw-r--r-- 1 vsftpd nogroup 714 2011-09-13 11:45 install.php
-rw-r--r-- 1 vsftpd nogroup 1329 2011-09-13 11:45 INSTALL.sqlite.txt
-rw-r--r-- 1 vsftpd nogroup 18254 2011-09-13 11:45 INSTALL.txt
-rw-r--r-- 1 vsftpd nogroup 15214 2011-09-13 11:45 LICENSE.txt
-rw-r--r-- 1 vsftpd nogroup 7816 2011-09-13 11:45 MAINTAINERS.txt
drwxr-xr-x 4 vsftpd nogroup 4096 2011-09-13 11:45 misc
drwxr-xr-x 42 vsftpd nogroup 4096 2011-09-13 11:45 modules
drwxr-xr-x 5 vsftpd nogroup 4096 2011-09-13 11:45 profiles
-rw-r--r-- 1 vsftpd nogroup 3582 2011-09-13 11:45 README.txt
-rw-r--r-- 1 vsftpd nogroup 1621 2011-09-13 11:45 robots.txt
drwxr-xr-x 2 vsftpd nogroup 4096 2011-09-13 11:45 scripts
drwxr-xr-x 4 vsftpd nogroup 4096 2011-09-13 11:45 sites
drwxr-xr-x 8 vsftpd nogroup 4096 2011-09-13 11:45 themes
-rw-r--r-- 1 vsftpd nogroup 18503 2011-09-13 11:45 update.php
-rw-r--r-- 1 vsftpd nogroup 9035 2011-09-13 11:45 UPGRADE.txt
-rw-r--r-- 1 vsftpd nogroup 2051 2011-09-13 11:45 web.config
-rw-r--r-- 1 vsftpd nogroup 435 2011-09-13 11:45 xmlrpc.php

The group is not set on anything...

This is using the new .30 version. Is there anything I can do to fix this easily?
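
An added example, not part of the original thread and not EHCP's own code: a shell audit of a web root against the Owner/Group/Other scheme proposed in the first post, with a repair function for the group and "Other" bits. The function names `audit_webroot` and `fix_webroot` are made up for this example, and it assumes Linux semantics for the setgid bit on directories.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from EHCP.
# Scheme checked (first post): group = web server group, Other = no bits.
# Usage, with the path and group seen in the thread:
#   audit_webroot /var/www/vhosts/mysite.com/mysite.com/httpdocs www-data

# audit_webroot ROOT GROUP
# Prints one line per problem; prints nothing when ROOT matches the scheme.
audit_webroot() {
    root=$1 grp=$2
    # Entries whose group is not GROUP (e.g. "nogroup" instead of "www-data").
    find "$root" ! -type l ! -group "$grp" -print | sed 's/^/GROUP /'
    # Entries writable by Other: the case the first post is worried about.
    find "$root" ! -type l -perm -002 -print | sed 's/^/OTHER_WRITE /'
    # Entries where Other has any bit at all (read, write or execute).
    find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/OTHER /'
}

# fix_webroot ROOT GROUP
# Applies the scheme to what is already on disk. Group write on the few
# directories the application must write to is left to the administrator.
fix_webroot() {
    root=$1 grp=$2
    chgrp -R "$grp" "$root"      # nogroup -> GROUP on every entry
    chmod -R o-rwx "$root"       # Other - 000
    # setgid on directories: files created in them later inherit the
    # directory's group instead of the creating process's group.
    find "$root" -type d -exec chmod g+s {} +
}
```

The mode bits of later uploads still depend on the FTP server's umask, which this script does not change, so re-running `audit_webroot` after an upload shows whether the "Other" bits have come back.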