<Files .htaccess>
order allow,deny
deny from all
</Files>
I tried setting .htaccess to 666 then typed www.mydomain.com/.htaccess in the browser and got 'permission denied'. I even tried removing the deny from all directive and I still couldn't read .htaccess with a browser. Does this mean that .htaccess would be safe with permissions set to 666 and the deny from all directive?
The first is probably prohibited in the server configuration. It's pretty common for people to put something in Apache configuration files to prohibit serving any file that starts with ".ht". In fact, I think that's the default in a lot of setups. That may be why you can't pull the page even when you don't specifically deny it in your .htaccess. I think you're alright here.
The other kind of security needs a little work. I recommend a permission setting of 644 on your .htaccess. The first digit is for permissions of the owner of the file. 6 is 4+2. The 4 is for reading, and the 2 is for writing (and the 1 that's not there is for executing). The second digit is for people in the group that owns the file. You may as well give this 4 for read access. The third digit is for all others. You need to give this a 4 so that the user that runs the webserver process (probably 'nobody') can read the file in order to determine what special stuff you're doing in it.
That's a pretty quick summary, but you can search Google for more on Unix file permissions and use of chmod.
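The permission digits explained above can be checked mechanically. The following is an added example, not part of the original posts: a POSIX shell sketch that decodes each .htaccess mode under a directory and flags files writable by group or others. The function names are hypothetical, and the "not-world-readable" verdict assumes, as the post does, that the web server reads the file as an "other" user.

```shell
#!/bin/sh
# Added example: audit .htaccess permission modes (644 vs 666).

# classify_mode MODE -> verdict for an octal mode such as 644 or 666.
# Bit values follow the post: 4 = read, 2 = write, 1 = execute.
classify_mode() (
    mode=$1
    case $mode in
        ''|*[!0-7]*) echo invalid; exit 0 ;;
    esac
    perm=$(( 0$mode ))                  # leading 0 = parse as octal
    group=$(( (perm >> 3) & 7 ))        # second digit
    other=$(( perm & 7 ))               # third digit
    if [ $(( other & 2 )) -ne 0 ]; then
        echo world-writable             # any local user can edit the file
    elif [ $(( group & 2 )) -ne 0 ]; then
        echo group-writable
    elif [ $(( other & 4 )) -eq 0 ]; then
        echo not-world-readable         # assumed: server runs as "other"
    else
        echo ok
    fi
)

# audit_htaccess DIR -> one line per file: "<verdict> <mode> <path>"
# Assumes paths contain no newlines. Tries GNU stat, then BSD stat.
audit_htaccess() (
    find "$1" -type f -name .htaccess | sort | while IFS= read -r file; do
        mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
        echo "$(classify_mode "$mode") $mode $file"
    done
)

# Run against a directory when one is given on the command line.
[ "$#" -eq 0 ] || audit_htaccess "$1"
```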
There was a nice article [heise.de] about this in the German computer magazine c't. So if you took German in high school, now is a good time to refresh your knowledge.
Coming back to my problem, I need to write a PHP script which adds a 'deny from IP-address' line to .htaccess when called. The idea is to prevent people from downloading my entire site.
How to do all this when PHP is installed as 'others' on my provider's server?
There seem to be only two options:
1. set the permissions of .htaccess to 666 (and then according to the article somebody could modify my .htaccess)
2. let the PHP script connect in FTP mode with user-id and password (and store user-id and password in the script). In this case somebody who gets the script's code also gets my user-id and password.
What is the lesser evil? Having somebody mess up my .htaccess or having somebody get my user-id or password?