On most systems, Apache is installed to run as user nobody and group nobody. Or user httpd and group httpd. Or something along those lines. This prohibits us from leaving files for our website with 700 permissions, correct? (Apache must be able to read those files) However, this means that all users on the system can also read those files. What can be done to mitigate this risk? For example, php scripts often have mysql usernames and passwords in them. How can I allow apache access without destroying security? Are ACLs the only effective option?

You could change the group of the files to the group of the httpd user (i.e. nobody or httpd); and then give 750 (or 640) permissions. Hopefully, no regular users will be in that group.

Alternately (but less good), you can create a group that all users are in (e.g. "users") and change the group of the files to that group and then give 705 (or 604) permissions.

Also, for security, when Apache doesn't need to list a directory (e.g. to create an index when there is no index.html), you should not give it read permission to that directory. Execute permission is sufficient for it to access the files underneath without allowing it to list the directory.

I think your description of read/execute on directories is backwards, but I may be wrong. I'll double check later.

Additionally, I think 705 would still give all users permission to read, through the "other" value. Again, I could be wrong, but it would be logical.

chgrp returns "Permission denied" when chgrpping to nobody, so I'm not sure that avenue is possible.

This isn't critical, but just a matter of curiousity that one would think would've been more explored before now with the ubiquity of the apache server.

"chgrp" only allows you to change to a group of which you are a member (and I wouldn't think you are in nobody), so you probably have to do it as root.

As an alternative, you can create another group (e.g. "www") and put "nobody" and you in it and use that. The advantage of this is that you can allow other people to access the files by putting them in this group.

Yes, but if all web users are in that group, wouldn't that defeat the purpose of chgrouping them? Then all webusers could read it again.

By web users I just meant the people who need to adminstrate your PHP scripts and stuff (which is probably just you). Other users don't need access to it.

Yes, but my original question was regarding a shared server?