What user should apache and PHP be running as? What permissions should /var/www files have?

  1. not root
  2. not root
  3. SuEXEC
  4. Depends. 644 for files and 755 for folders are a safeish default.

Don't change ownership of anything to www-data unless you want php to be able to edit the contents of that file/folder

Irrespective of anything else you do: folders need read and execute permissions for the user to find files; files need read permissions for the user to read them. If you get any permission errors when changing things, you've managed to remove these fundamentally required permissions.

If you are not writing any files via your php application, you can leave files owned by you:you. In this circumstance the world permission (xx4/5) is the one which applies.

If you leave the files as owned by you:you with file permissions of 644 (files), what that would mean is that only you can edit the website files - www-data is not you - so it cannot edit the files.

If you want to restrict access to apache + you and block out all other access, chown -R you:www-data *. With file permissions of 640 and folder permissions of 750 you can edit, www-data can read - because then apache reads the group permission (x4/5x).

Restrict to a minimum the paths you allow apache/php to write to. If there's a tmp dir the application needs to write to, allow it to write to that folder only, and for any writable locations, if at all possible, make sure it's outside the document root or take steps to ensure this writable path is not web-accessible.

Note that "you" should not be root. Allowing direct ssh access as root is an indicator of other security lapses (such as not disallowing password login), but that's a whole bunch of questions unto itself.


So if I understand things correctly, if apache is running as www-data and I want apache to be able to read a directory, the x bit needs to be set for the world (other) group (o+x), and that also needs to be set on all parent directories all the way up the chain (www, var). And if I want apache to be able to read from a file, then the o+r bit needs to be set.

This is not true, you don't have to set rwx for 'other'. You should change the owner and/or group of the particular folder/file you are trying to protect. E.g.:

chown -R cwd:www-data /var/www/cwd.com
chmod 750 /var/www/cwd.com

Now only members of the group www-data can read /var/www/cwd.com. And only you (cwd) can write to it. If you want to allow your applications (through Apache) to write/modify files in that directory too, you chmod it to 770.

I think this covers all your issues, I see no reason to change the user apache is running under.
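To make the two answers concrete, here is an added example (not from the thread or any of its posters) that models how Unix picks exactly one of the owner/group/other triples and why every parent directory also needs the search (x) bit. The uids, gids and the /var/www/cwd.com layout below are constructed for illustration and assume the chown/chmod scheme from the second answer.

```python
# Constructed sample identities (assumed, not from the thread): root, site owner "cwd",
# apache's www-data, and an unrelated local user.
ROOT, CWD, WWW_DATA, OTHER_USER = 0, 1000, 33, 1001

def perm_shift(file_uid, file_gid, proc_uid, proc_groups):
    """Unix tests exactly one triple: owner if the uid matches, else group if the file's gid
    is among the process's groups, else other. A group member never falls through to other."""
    if proc_uid == file_uid:
        return 6   # owner triple
    if file_gid in proc_groups:
        return 3   # group triple
    return 0       # other triple

def can_access(mode, file_uid, file_gid, proc_uid, proc_groups, want):
    """want is a string of 'r', 'w', 'x'; every requested bit must be set in the chosen triple."""
    shift = perm_shift(file_uid, file_gid, proc_uid, proc_groups)
    bits = {"r": 4, "w": 2, "x": 1}
    return all((mode >> shift) & bits[b] for b in want)

def path_access(tree, path, proc_uid, proc_groups, want="r"):
    """tree maps absolute path -> (mode, uid, gid). Each ancestor directory must grant 'x'
    (search) to the process before the target's own bits are even consulted."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts)):
        mode, uid, gid = tree["/" + "/".join(parts[:depth])]
        if not can_access(mode, uid, gid, proc_uid, proc_groups, "x"):
            return False
    mode, uid, gid = tree[path]
    return can_access(mode, uid, gid, proc_uid, proc_groups, want)

# Constructed layout after: chown -R cwd:www-data /var/www/cwd.com; 750 on the dir, 640 on files.
SITE = {
    "/":                          (0o755, ROOT, ROOT),
    "/var":                       (0o755, ROOT, ROOT),
    "/var/www":                   (0o755, ROOT, ROOT),
    "/var/www/cwd.com":           (0o750, CWD, WWW_DATA),
    "/var/www/cwd.com/index.php": (0o640, CWD, WWW_DATA),
}
PAGE = "/var/www/cwd.com/index.php"

def apache_can_read():   return path_access(SITE, PAGE, WWW_DATA, {WWW_DATA}, "r")
def apache_can_write():  return path_access(SITE, PAGE, WWW_DATA, {WWW_DATA}, "w")
def owner_can_write():   return path_access(SITE, PAGE, CWD, {CWD}, "w")
def stranger_can_read(): return path_access(SITE, PAGE, OTHER_USER, {OTHER_USER}, "r")

def apache_blocked_by_parent():
    # Same file, but /var/www loses its world x bit: the group grant on cwd.com no longer helps.
    broken = dict(SITE)
    broken["/var/www"] = (0o750, ROOT, ROOT)
    return path_access(broken, PAGE, WWW_DATA, {WWW_DATA}, "r")
```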