Lighttpd

Hi, this is my first post here.

My server is running Debian Lenny with PHP5 running on FastCGI and I also have Mysql running to. Lighttpd uses www-data as the owner and group as set in lighttpd.conf. I am still in the process of setting it up and making it production ready. I am also quite new to linux, but other than using sftp to upload my web files, I have done everything on the server so far with ssh terminal. I think it is easier if I put my questions into numbered sections.

1)My main issue or concern is in regards to the ownership and permissions of my web root directory (and its sub dirs and files) which is the default /var/www directory. Who should ultimately be the owner and group of this directory and what should the permissions for said owner, group be? Mine is currently owner = root, group = www-data (I believe that lighttpd makes a 'www-data' user on Debian and not a 'lighty' user as I have seen documented on nearly all lighttpd tutorials).

2)Another thing that confuses me is one of the 'other' user or anonymous user in the permissions system which is the last digit in the chmod value 755 for example. I believed rightly or wrongly that if I go to my site lets call it www.example.com that I would be served the pages within /var/www as the other/anonymous user. Currently my /var/www folder is set to 755 where 7 is root user and the middle 5 is www-data group as indicated in query 1) above. If I set the permissions to 750 or 050 I can access and use the site as the group user; www-data which means that I and indeed anyone going to the site is not accessing it as an anonymous user. Is this correct?

3)I am running a custom made cms which is located at http*s*://cms.example.com. The document root for this sub domain has been set in my lighttpd.conf file as /var/cms/. Should the owner, group and permissions on the cms.example.com's document root be the same as my public document root - /var/www?

4) Finally, my website images are served from http://images.example.com/. The document root for this directory is /var/images. Anyone who has access to my cms be it authors or administrators can upload .jpg images to /var/images for use within their work they publish. However when they upload an image my script tries to upload the file to a specific directory for the year and month the file was uploaded on. If the directory is not found the script will create the directory with mkdir. So for example if they upload an image the script will try to place the image in /var/images/2009/september/some_image.jpg. If the year and or month directories do not exist the script will create them and move the uploaded file to the current year and months directory. My public site visitors will then access http://images.example.com/2009/september/some_image.jpg to view the image.

My questions for this point are:

1. Who should the the owner, group for /var/images be and what should the permissions be baring in mind my cms users have write permissions to make directories and upload/write images to /var/images on the server?
2. With the above point in mind should /var/cms actually have a different group to that of /var/www if I am giving users of /var/cms write access. In other words keep /var/cms and /var/www groups different as anonymous users (who appear to using the group www-data) have group access on /var/www. Can you see what I am trying to say here?

Sorry for the babble, but any insight into this would be very helpful as am quite confused by this ownership, groups & permissions issue:).