shoudl the folders under web belong to? or doesnt it matter as long as the webserver can read/write to that dir. Some of the sites i have read say to make most folders under webroot (htdocs - or where ever) belong to www:www and to make the folders chmod 400 or any dir it will need to write to at 700. Or doesnt it matter? at the moment they are under carpo:group and are 555 and 777 otherwise web server gives me 403 - which i suppose is right as it doesnt have rights to read the files. Main thing is which is more the more secure user to run it under ? edit: also i know under apache when using php-cgi you need to add cgi.fix_pathinfo=1 to php.ini - but is this required if using lighttpd ?