Fix: Files shouldn't be owned or writeable by httpd unless necessary.

roles/blog/tasks/blog.yml

 - name: Create directory for blog HTML
-  file: state=directory path=/var/www/{{ domain }} group=www-data owner=www-data
+  file: state=directory path=/var/www/{{ domain }} group=www-data owner={{ main_user_name }}
 
 - name: Rename existing Apache blog virtualhost
   command: mv /etc/apache2/sites-available/{{ domain }} /etc/apache2/sites-available/{{ domain }}.conf removes=/etc/apache2/sites-available/{{ domain }}

roles/git/tasks/cgit.yml

 - name: Copy cgitrc
   template: src=etc_cgitrc.j2 dest=/etc/cgitrc
             group=www-data
-            owner=www-data
+            owner=root
 
 - name: Rename existing Apache cgit virtualhost
   command: mv /etc/apache2/sites-available/cgit /etc/apache2/sites-available/cgit.conf removes=/etc/apache2/sites-available/cgit

roles/mailserver/tasks/autoconfig.yml

 #
 
 - name: Create directory for mail autoconfiguration virtualhost
-  file: state=directory path=/var/www/autoconfig group=www-data owner=www-data
+  file: state=directory path=/var/www/autoconfig group=www-data owner=root
 
 - name: Create directory holding the autoconfig XML file
-  file: state=directory path=/var/www/autoconfig/mail group=www-data owner=www-data
+  file: state=directory path=/var/www/autoconfig/mail group=www-data owner=root
 
 - name: Create the autoconfig XML file
-  template: src=var_www_autoconfig_mail_config-v1.1.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml group=www-data owner=www-data
+  template: src=var_www_autoconfig_mail_config-v1.1.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml group=www-data owner=root
 
 - name: Configure the mail autoconfiguration virtualhost
   template: src=etc_apache2_sites-available_autoconfig.j2 dest=/etc/apache2/sites-available/autoconfig.conf group=root owner=root

roles/news/tasks/selfoss.yml

        dest=/var/www/selfoss
        accept_hostkey=yes
 
-- name: Set selfoss permissions
-  action: file owner=www-data group=www-data path=/var/www/selfoss recurse=yes state=directory
+- name: Set selfoss ownership
+  action: file owner=root group=www-data path=/var/www/selfoss recurse=yes state=directory
+
+# only data/cache, data/favicons, data/logs, data/thumbnails, data/sqlite public/ should be writeable by httpd
+- name: Set selfoss permission
+  action: file path=/var/www/selfoss/{{ item }} permission=775
+  with_items:
+    - data/cache
+    - data/favicons
+    - data/logs
+    - data/thumbnails
+    - data/sqlite
+    - public
 
 - name: Install selfoss dependencies
   apt: pkg={{ item }} state=present
   postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_database }} state=present owner={{ selfoss_db_username }}
 
 - name: Install selfoss config.ini
-  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=www-data
+  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root
 
 - name: Enable Apache rewrite module
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load

roles/readlater/tasks/wallabag.yml

            chdir=/var/www/wallabag
            creates=/var/www/wallabag/vendor/autoload.php
 
-- name: Set wallabag permissions
-  file: owner=www-data
+- name: Set wallabag ownership
+  file: owner=root
         group=www-data
         path=/var/www/wallabag
         recurse=yes
         state=directory
 
+# the httpd only needs write access to the wallabag assets, cache and db directories
+- name: Set wallabag assets, cache and db permissions
+  file: path=/var/www/wallabag/{{ item }}
+        mode=0775
+        state=directory
+  with_items:
+    - assets
+    - cache
+    - db
+
 - name: Create the configuration file
   template: src=var_www_wallabag_inc_poche_config.inc.php.j2
             dest=/var/www/wallabag/inc/poche/config.inc.php
-            owner=www-data
+            owner=root
             group=www-data
 
 - name: Rename existing Apache wallabag virtualhost