The DocumentRoot should be owned by who will update it; don't make that root unless you want only root to do the updating. The apache user is nologin'd on CentOS by default, so it's also not the account you should be using to update the contents of the DocumentRoot. I typically leave the directory owned to apache, but grouped to a secondary group I set up for users who will have permission to modify the contents of the web root (chown apache:webusers /path/to/docroot), and chmod 770 /path/to/docroot.
Root ownership will prevent apache from being able to make any changes to its DocRoot.
If you have just one site, you can get a lot of security by enabling selinux if its disabled. If you need access to network resources, its possible with selinux to say just mysql access, or just memcache access.
The DocumentRoot should be owned by who will update it; don't make that root unless you want only root to do the updating. The apache user is nologin'd on CentOS by default, so it's also not the account you should be using to update the contents of the DocumentRoot. I typically leave the directory owned to apache, but grouped to a secondary group I set up for users who will have permission to modify the contents of the web root (
chown apache:webusers /path/to/docroot), andchmod 770 /path/to/docroot.Root ownership will prevent apache from being able to make any changes to its DocRoot.
If you have just one site, you can get a lot of security by enabling selinux if its disabled. If you need access to network resources, its possible with selinux to say just mysql access, or just memcache access.