Errr right, which was stated in the first post (menucafe_sandwich.jpg line).

This doesn't make any sense to me in terms of a viable working environment for a user.

When a file is uploaded, is it set to apache:apache after you set the +s bit?

No, it gets uploaded as apache:apache.

Well, this is a more involved solution, but you can fix this at the Apache level as well. See the docs on suexec. Note that screwing this up can have Very Bad consequences.

I'm not seeing any official docs on how to tie that with PHP.

Hopefully this works: http://alain.knaff.lu/howto/PhpSuexec/

suexec with PHP is a nightmare. There is a suphp module, but DO NOT USE IT. it is horrifically written, buggy, and has had a number of security alerts over the past few years. The best bet for suexec with PHP is to use fastcgi and to configure apache to start the php fastcgi instances with the suexec wrapper. Keep in mind that any method for suexec besides suphp will disable support for putting PHP directives in your apache or .htaccess config files. Well written PHP code won't depend on any of those, but it some setups do depend on having those features working.

I kind of skimmed over most of the thread, so maybe this has already been invalidated, but generally what you want is to make an uploads directory, owned by your real user, with the group set to apache, and set it to be group writeable. You can then replace any file in the directory (you must delete it first – deleting files requires write permissions in its directory, not on the file itself) and both the user and apache can add new files to the directory.

Well, this is where we were at last. Zeno, is it acceptable to have to delete files before replacing them?

bob edits files locally then uploads, fairly sure that'll work.

It should, if the folder is owned by user bob and group web-server. The sticky bits on the front should make any file (or folder) created under it gain those user/group ID's.

It has no effect on files that already exist, you'd have to change those by hand (as root).

If your apache is somehow doing something funky itself, like writing the files AS root and then chown'ing them to apache, that's a configuration issue with apache. It shouldn't be doing that (the only apache process that should run as root is the parent – all the child processes that handle requests should run as apache – and thus shouldn't even be able to chown).

It's probably something on the php end, not Apache (at least not the Apache core – I consider mod_php to be separate for the purposes of this discussion). My bet is that Apache knows nothing of what is going on other than passing the cgi request to PHP (mod_php in this case, probably). But you are right that if a file is created as bob:apache, user apache shouldn't be able to chown it to apache. As I said earlier I am not sure what is going on because doing something very similar worked for me perfectly.