files – Setting folder permissions on Cloudways

I recently changed to Cloudways where I have a server on Digital Ocean running Debian. I am about to roll out a Drupal installation into production, but can't get the file and folder permissions to pass the automated security review (module) test.

My permissions look like this:

drwxr-xr-x  11 ggmpyecgmg www-data     4096 Jän  7 21:58 .
drwxr-xr-x+  9 root       ggmpyecgmg   4096 Jän 10 15:11 ..
-rw-r--r--   1 ggmpyecgmg www-data      312 Jän  7 02:54 autoload.php
-rw-r--r--   1 ggmpyecgmg www-data     3156 Jän  7 02:54 composer.json
-rw-r--r--   1 ggmpyecgmg www-data   165592 Jän  7 02:54 composer.lock
drwxr-xr-x  12 ggmpyecgmg www-data     4096 Jän  7 02:54 core
-rw-r--r--   1 ggmpyecgmg www-data     1025 Jän  7 02:54 .csslintrc
-rw-r--r--   1 ggmpyecgmg www-data      357 Jän  7 02:54 .editorconfig
-rw-r--r--   1 ggmpyecgmg www-data      151 Jän  7 02:54 .eslintignore
-rw-r--r--   1 ggmpyecgmg www-data       41 Jän  7 02:54 .eslintrc.json
-rw-r--r--   1 ggmpyecgmg www-data     1507 Jän  7 02:54 example.gitignore
drwxr-xr-x  12 ggmpyecgmg www-data     4096 Jän 10 16:19 files
-rw-r--r--   1 ggmpyecgmg www-data     3858 Jän  7 02:54 .gitattributes
-rw-r--r--   1 ggmpyecgmg www-data     7572 Jän  7 19:13 .htaccess
-rw-r--r--   1 ggmpyecgmg www-data     2314 Jän  7 02:54 .ht.router.php
-rw-r--r--   1 ggmpyecgmg www-data      549 Jän  7 02:54 index.php
drwxr-xr-x   5 ggmpyecgmg www-data     4096 Dez 23 07:38 libraries
drwxr-xr-x  49 ggmpyecgmg www-data     4096 Jän 10 16:18 modules
drwxr-xr-x   2 ggmpyecgmg www-data     4096 Dez  2 18:21 profiles
-rw-r--r--   1 ggmpyecgmg www-data     1586 Jän  7 19:13 robots.txt
drwxr-xr-x   3 ggmpyecgmg www-data     4096 Dez 30 20:41 sites
drwxr-xr-x   3 ggmpyecgmg www-data     4096 Dez 30 20:36 themes
drwxr-xr-x   6 ggmpyecgmg www-data     4096 Jän 10 16:18 tmp
-rw-r--r--   1 ggmpyecgmg www-data      804 Jän  7 02:54 update.php
drwxr-xr-x  19 ggmpyecgmg www-data     4096 Jän  7 02:54 vendor
-rw-r--r--   1 ggmpyecgmg www-data     4566 Jän  7 02:54 web.config

In my understanding, www-data should not have any write permissions by now. But still, the security review module prompts: “The following files and directories appear to be writeable by your web server.” And then followed by a huge list of files in /modules, /core, /vendor and so on…

I changed ownership “chown -R ggmpyecgmg:www-data /drupal_root_folder”
Then I took away writing permission of www-data by “chmod -R g-w” for the root folder.

But still, everything seems to be writeable for apache.

Does anybody have experience with setting up file permissions on Cloudways / Digital Ocean? Can anybody point me to anything I might have overlooked?

I am a little desperate already. Thank you very much in advance!
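
An added example, not part of the original post: a shell check that lists what a given account can write to under a directory, using the same class rules the kernel applies to mode bits. It shows why `chmod -R g-w` changes the result only for a process in the group class; a process running under the owning account still gets the owner bits. The function names are hypothetical, and which account the PHP/Apache workers run under on this server is not stated in the post and has to be checked separately.

```shell
#!/bin/sh
# Added example (not from the original post). Lists what an account can write
# to according to the classic mode bits. The kernel checks ONE class only:
# owner bits if the uid matches, else group bits if a gid matches, else other.
# ACLs (a "+" after the mode string in ls -l) are not evaluated here.

# writable_by_ids UID "GID GID ..." ROOT
writable_by_ids() {
    uid=$1; gids=$2; root=$3
    gexpr=""
    for g in $gids; do
        gexpr="${gexpr:+$gexpr -o }-gid $g"
    done
    # $gexpr is left unquoted on purpose so it expands into separate find arguments.
    find "$root" ! -type l \( \
        \( -uid "$uid" -perm -u=w \) -o \
        \( ! -uid "$uid" \( $gexpr \) -perm -g=w \) -o \
        \( ! -uid "$uid" ! \( $gexpr \) -perm -o=w \) \
    \) -print
}

# writable_by USER ROOT: same check, looking up USER's uid and all its groups.
writable_by() {
    uid=$(id -u "$1") || return 2
    writable_by_ids "$uid" "$(id -G "$1")" "$2"
}

# Usage, with the names from the post:
#   writable_by www-data   /drupal_root_folder
#   writable_by ggmpyecgmg /drupal_root_folder
```

Run it once for each account and compare the output with the security review list; the account whose output matches is the one the web server's PHP code is effectively running as.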