PVDLAB.NET

What do I need to know about file permissions and "chmod"?

Unix systems are designed for multiple users, and include provision
for protecting your work from unauthorised access by other users
of the system.  The file permissions determine who is permitted
to do what with your programs, data, and directories.  The command
that sets file permissions is chmod.

Web servers typically run as user "nobody".  That means that, setting
aside serious bugs (such as those in certain versions of the FrontPage
extensions), your files are absolutely secure from damage through the
webserver.  It also means that you may have to make explicit changes to
enable the server to access them in a CGI context.

There are two ways to run CGI:
- by default they run as the webserver user (nobody)
 For most purposes this is safest, as your programs and data
 are protected by the operating system from unauthorised access
 through possible bugs in your CGI.  However, when the CGI has
 to write to a file, that file must be writable to every web
 user on the system, and is therefore completely unprotected.
- setuid, they run under your own userid.
 This means that files written by your CGI can be secure.
 On the other hand, any bugs in your CGI could now compromise
 *all* your programs and data on the server.
 As an elementary security precaution, scripts (e.g. Perl) are
 prevented from running setuid by most OSs.  The "cgiwrap"
 program offers a workaround for this.

A third way you should *never* permit CGI to be run is:
- as root or setuid root, they can run as any user.
 This is extremely dangerous, as any bugs could compromise the
 entire server, including every user's files.  Fortunately only
 the system administrator can install setuid root programs.  If
 you are *at all* concerned about security, make sure that no such
 programs (in particular FrontPage extensions) are installed,
 regardless of whether you use them yourself.

For a proper overview, see "man chmod".  Some modes that may be useful
in a typical CGI context are:
* CGI programs, 0755
* data files to be readable by CGI, 0644
* directories for data used by CGI, 0755
* data files to be writable by CGI, 0666 (data has absolutely no security)
* directories for data used by CGI with write access, 0777 (no security)
* CGI programs to run setuid, 4755
* data files for setuid CGI programs, 0600 or 0644
* directories for data used by setuid CGI programs, 0700 or 0755
* For a typical backend server process, 4750

Finally, if this answer tells you anything you didn't already know,
don't even think about trying to set up a secure server!
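
An added example, not part of the original FAQ: a POSIX shell function that walks a CGI tree and reports the modes the list above marks as unprotected (0666, 0777) or setuid (4755). The function names, the labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_cgi_perms DIR: print one "LABEL PATH" line per risky mode found.
# (Hypothetical helper written for this example.)
audit_cgi_perms() {
    dir=$1
    # 0666-style data files: any user on the system can overwrite them.
    find "$dir" -type f -perm -0002 | sed 's/^/WORLD-WRITABLE-FILE /'
    # 0777-style directories: any user can create, rename or delete entries.
    find "$dir" -type d -perm -0002 | sed 's/^/WORLD-WRITABLE-DIR /'
    # 4755-style programs: run as the file's owner, so a bug exposes that user.
    find "$dir" -type f -perm -4000 ! -user root | sed 's/^/SETUID-USER /'
    # setuid root: the case the FAQ says should never be permitted for CGI.
    find "$dir" -type f -perm -4000 -user root | sed 's/^/SETUID-ROOT /'
}

# Build a constructed sample tree that uses modes from the FAQ's list.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/cgi-bin" "$t/data" "$t/upload"
    : > "$t/cgi-bin/form.cgi";    chmod 0755 "$t/cgi-bin/form.cgi"
    : > "$t/cgi-bin/wrapped.cgi"; chmod 4755 "$t/cgi-bin/wrapped.cgi"
    : > "$t/data/config.txt";     chmod 0644 "$t/data/config.txt"
    : > "$t/data/guestbook.txt";  chmod 0666 "$t/data/guestbook.txt"
    chmod 0755 "$t" "$t/cgi-bin" "$t/data"
    chmod 0777 "$t/upload"
    echo "$t"
}

# Demo run: audit the sample tree, then remove it.
sample=$(make_sample_tree)
audit_cgi_perms "$sample"
rm -rf "$sample"
```

Point audit_cgi_perms at your own cgi-bin and data directories; every line it prints is a file or directory that falls into one of the FAQ's "no security" or setuid categories and should be there on purpose.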


Copyright 2004 © PVDLab