Just to expand a bit on my paranoia - giving write access seems to be not-best-practice, eg. here:
For example, on many systems the Apache process runs as a user called "www-data". This user should be able to read all of the files in your web root directory either by group permissions or by "other" permissions. It should not have write permissions to any of the files in your web root directory. If you have web applications that require to write data to certain files (like config files or log files) then only set write permissions on that file or directory.
Be careful how you select the owner and group membership. Some setups set the ownership and group ownership to root:root and allow read access for "other". This might seem like a good idea but can disclose sensitive information if you run a system with multiple users. Imagine the case where you have a config.inc.php file containing a username and password. This file, when called through a browser, will be processed by your webserver. None of the sensitive information will (should) be "viewable" through a browser. A local user on the other hand can view the content of the file, without having the file processed by PHP, because it's accessible by everyone. An alternative setup with root:www-data and no access to "other" might be a more suitable setup for the latter case.
from:
cert.belnet.be/content/web-server-security-best-practices#2.
