I'm running a PHP CMS on Apache, which includes functionality to upload files.
I'd like to configure permissions appropriately so that the Apache/PHP user can't chmod those files.
As I understand (please correct me if I'm wrong), if the PHP site is compromised, then it'll have permission to not only write files to the upload folder, but also to chmod +x them.
Is there any way to lock down my server to prevent chmod +x by a PHP script gone rogue?
Edit: There's no need at all for normal users to chmod. Would this be a good solution?
chmod 700 /bin/chmod