Tim:
What *actually* will write to your files? Is it an Apache process, or your script. Or, probably even better, having them owned an actual user that logs in, even if through your scripting system (e.g. when I edit files using VIM, they're owned be me, not the VIM program).
Alex:
It's joomla PHP scripts running through apache, and remote sftp users running as the user logging in. Changing the files to be owned by apache allows the joomla scripts to write (just to show joomla is still running under apache), but then it prevents any other user from being able to modify any of the same files.
Of course I know I could add apache to the same group as the sftp user and chmod the files to group-writable, but the joomla recommendations are to have all the files 644 and directories 755. It complains (and some parts of it won't run) when permissions are other than 644 on files.
Perhaps the question is more about *who* should own the files, rather than the permissions.
e.g. https://www.google.com/search?q=what+user+should+own+joomla+files
https://joomla.stackexchange.com/questions/132/recommended-practices-regardi...
https://forum.joomla.org/viewtopic.php?t=121470
https://forum.joomla.org/viewtopic.php?t=891689
https://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup#File_per...
I don't use Joomla, nor do I know what you're going to do with it, so I'm only approaching this on what I know about webserving directly with Apache.
Looking at some of the results, I don't see useful answers to who should own them. I do see comments about the default PHP handlers, etc., not being the best choice, and you could have to change web hosting providers to do the job properly. (I've still got to change mine, I deliberately picked one using Apache, then they got bought out and changed to LightSpeed, which is only partially compatible, and fails some of my needs, at some rather basic Apache features.)
I saw one hint that you might have to loosen permissions to set things up, then restrict them once the installation had finished. It all sounds badly cobbled together, to me.
It appears that today the php-fpm or mod_fcgid modules does something similar by first sending the files through a proxy or external script to actually do the writing.
That's not too surprising. They could filter traffic, and only allow what should be allowed, and keep the writable files in a different area. If you make any file writeable by Apache, and that file can somehow be addressed through Apache, you're going to get hacked.