A 0750 permission for the dot-file is fine, ***as long as the `apache-user' does not own the directory***
@AlexK> Would you mind detailing the reasoning behind this?
Hi blang, and sorry for the long wait - have only just realised that the thread had new postings.
The intent of my comment was purely to point out that if Apache owns the directory, then PHP can post a file into it. For that reason, and as lammert pointed out, public-facing directories all want to be `0750::some-user::apache-group' at max, where `some-user' is an unprivileged user account which has few rights.
There are certainly occasions where the apache-user needs to be able to post a file on the server. Those directories need to be *above* the public directories, and the PHP scripts need to sniff for the ever-so-common `/../../' directory traversal attempts. By the same reasoning, public PHP scripts should avoid include()s and/or require()s which contain server paths that will reveal the server sub-directory structure, as you cannot guarantee that one of millions of accesses will deliver up the script text rather than a correct webpage. Placing a common above-the-public directory within the PHP Path will assist that.
Of course, if a malicious agency is able to get root on the server, the above is academic.