<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Since the problem comes from the dynamic language PHP, you can create several pools using different user/group pairs.<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">
You could use 644 (or 640) permissions with user = PHP user on a specific directory and group = Web server group with read-only permissions.<br><br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">
Raw idea of the big picture, There must be some details to check (such as verify PHP isolation/jail/chroot inside pools).<br><br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">My (quick) 2 cents,</div>
<div class="gmail_extra"><font size="1"><span style="color:rgb(102,102,102)"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153);display:inline"></div>---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font>
</div></div>