Is it standard practice to give the web user apache full read/write/execute privileges to the files and folders within the webroot?
Assuming apache is the web server user in a Linux environment, is it secure to make apache the owner of all files/folders within the root of the web server and give the owner full read/write/execute privileges?
For example, if the root of my web server is /var/www/html/admin I would enter the following commands:

chown -Rf apache:apache admin
chmod -Rf 755 admin

Is this standard practice and relatively safe from a security standpoint?
************************
Tyson Mock, Technology Director, Wa-Nee Community Schools
The following URL provided the information I needed:
http://httpd.apache....urity_tips.html

In summary, the answer is no. Root should be the owner of the files/folders within your webroot. Then, Apache is configured as the user in the httpd.conf file.
************************
Tyson Mock, Technology Director, Wa-Nee Community Schools

Comment by mxyzplk: Feb 19 2010 07:12 AM
Correct - best security practices would be that, for pretty much any software, you:

1. Don't run it as root. Run it as a nonprivileged user and either just use a high port or use some kind of "briefly setuid to get a low port and then switch to nonprivileged" scheme (like Apache has built in) if you really want a low port. Keep in mind that usually if you're using a front end proxy, load balancer, etc. you can map ports at that level and don't even need a low port on the worker machines.
2. Never be able to write to your own program's files. And ideally not its config either, though many products do this as an ill-conceived "feature."
3. Separate out your writable bits from the rest. Apache is great in how it's designed to allow this; you can easily move the logs and the temp files elsewhere. In the perfect security world, Apache itself would be running on a read only disk and logs/temp would be somewhere else (also good to avoid disk space filling issues).

Good software provides all of this... Sadly there's little good software out there. I just got done hacking up a Tomcat install to move all its logs and temp files and there was a lot more editing of scripts etc. than there should be... Lazy lazy.