File permissions are very HTTP server specific, but general guide is:
EPESI directory tree (all files and dirs) has to be readable by HTTP server user.
/data directory tree has to be writable by HTTP server user.
But to simplify maintenance it's recommended to set EPESI directory tree both - readable and writable by HTTP server user.
Examples below are not universal solutions for every situation and server. You have to know limitations of your server and decide what permissions are acceptable when privacy matters.
/var/www/epesi - EPESI installation directory
apache-user - HTTP server user
apache-group - HTTP server group
johny - your user
HTTP server access only
Basic permissions - readable and writable by only HTTP server user or group. Johny will not be able to read files.
johny@localhost:/> su root password: *** root@localhost:/> chown -R apache-user:apache-group /var/www/epesi root@localhost:/> chmod -R a=,ug+rwX /var/www/epesi
Note: Some apache extensions doesn't allow to run scripts that are writable by group. In such case set writable by user only
root@localhost:/> chmod -R a=,ug+rX,u+w /var/www/epesi
Johny is a developer and wants to have access to files. Also we don't care about read permission and allow everyone to read files (Everyone can read your attachments!)
johny@localhost:/> su root password: *** root@localhost:/> chown -R johny:apache-group /var/www/epesi root@localhost:/> chmod -R a=,a+rX,ug+w /var/www/epesi