Best permissions/ownership for apache document root

Create a new group

groupadd webadmin

Add your users to the group

usermod -a -G webadmin user1
usermod -a -G webadmin user2

Change ownership of the sites directory

chown root:webadmin /var/www/html/

Change permissions of the sites directory

chmod -R 2775 /var/www/html/

Now anybody can read the files (including the apache user) but only root and webadmin can modify their contents.
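As an added example (not part of either answer), here is an audit script for the model the commands above set up: everything owned by root:webadmin, group-writable, setgid on directories, nothing world-writable. The function name, the argument order and the output format are my own choices; it uses only POSIX find, sed and awk.

```shell
#!/bin/sh
# Added example, not part of the original answers: audit an Apache document
# root for the model the first answer sets up (owner root, group webadmin,
# group-writable, setgid directories, nothing world-writable).
#
# Usage:  audit_docroot /var/www/html root webadmin
# Findings go to stderr, one per line; the number of findings is printed on
# stdout so the result can be used from scripts and cron jobs (0 = clean).

audit_docroot() {
    root=$1; want_user=$2; want_group=$3

    findings=$( {
        # World-writable entries: any local account could change served
        # content. Symlinks are skipped because lstat reports them as 0777.
        find "$root" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
        # Wrong owner or group: a file not owned by root:webadmin may be
        # writable by an account outside the intended group (e.g. the Apache user).
        find "$root" ! -type l \( ! -user "$want_user" -o ! -group "$want_group" \) -print \
            | sed 's/^/wrong-owner: /'
        # Directories without the setgid bit: files created there inherit the
        # creator's primary group instead of webadmin, so the model decays over time.
        find "$root" -type d ! -perm -2000 -print | sed 's/^/no-setgid-dir: /'
    } )

    [ -n "$findings" ] && printf '%s\n' "$findings" >&2
    # Count the findings (0 on empty input); this is the function's stdout result.
    printf '%s' "$findings" | awk 'END { print NR }'
}

# Run with a path to audit it; sourced or run without arguments it only
# defines the function, so it can be included from other scripts.
if [ $# -ge 1 ]; then
    audit_docroot "$1" "${2:-root}" "${3:-webadmin}"
fi
```

Two things the script will remind you of in practice: `chmod -R 2775` also puts the setgid bit on regular files (meaningless for static content, but some scanners flag it; `find /var/www/html -type d -exec chmod 2775 {} +` plus `chmod 664` for files is the tidier form), and group members need a umask of 002 for files they create to stay group-writable.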


I prefer to mount the partition with -o acl. This allows you to use the setfacl command to set fine-grained permissions on files and folders, instead of only specifying user-group-other permissions.

So add acl to your partition's line in /etc/fstab, or remount with mount -o remount,acl /mnt/xy, and then give ownership of your web directory to nobody:nobody. Chmod to 770, and use setfacl to give write permissions only on the folders that need it, e.g. give www-data (or the user your webserver runs as) write permissions for the upload folder, and give write permissions to your own user for the whole directory.

mkdir -p dir/upload
chown -R nobody:nobody dir
chmod 770 dir                                          # others get nothing; the ACLs below add the exceptions
setfacl -m u:www-data:r-x,d:u:www-data:r-x dir         # webserver: read-only, inherited by new entries
setfacl -m u:www-data:rwx,d:u:www-data:rwx dir/upload  # webserver: write access only here
setfacl -m u:youruser:rwx,d:u:youruser:rwx dir         # your own user: full access to the tree

Now nobody can read your files, apart from your webserver and your own user. You can write to every file in the folder, and the webserver can only write into the upload folder.