The Problem

Normally PHP applications run thru Apache's mod_php4 module which means that they are executing as the "apache" user. This is the default behavior because mod_php4 is the fastest way to run a PHP script. The drawback is that it has important security implications: the scripts run as the same user that Apache runs as. This means that all files that the PHP applications accesses must be readable (and sometimes even writable) by the apache user. Also, the .php files themselves need to be readable by apache. Since all files on your web site are owned by you in order to allow apache to access them you need to give read permissions for those files to the rest of the world. In a shared hosting environment this could be dangerous (other users on the same server may be able to access your data including the source code of your PHP programs). If you're using GPL'd third-party applications you don't have to worry about other people browsing the source code since the code is publicly available anyway. But if you're developing your own PHP applications this may become an issue.