Hi Mandy,
> I need to know if its a good idea to run webserver as
> user 'apache', have all files in webroot owned by user
> apache and perms 644?
It's not exactly a good idea, but if you are in a situation
where the advantage outweighs the problems, then go ahead.
> Would this still mean that if server runs as apache
> and it has read/write access, someone could take
> advantage of loop holes on the site and overwrite
> some files on our site?
Simply speaking yes.
You may also want to look into the mod_suexec.
regs,
Christian Folini