I’ve found that the /media and subs need to be writable. Spooky yes but all the same, there’s some tricks you can do to safeguard yourself against attack with .htaccess or with apache (if you use either).
I’ve been farting around trying to figure out what directories require 777 for sure, there’s only a few dependent on it truthfully BUT the simplest way is to make /media and all subs 777 then limit function to the directories with .htaccess or something to the equivalent. I prefer apache and htaccess personally.
.htaccess (in media directory, will limit function in sub directorys)
Options Includes FollowSymLinks
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
I’ve been farting around with the directory structure and found that it is far easier to deal with locking down outside access inside the write access directories and I’m sure there’s a better way to do this but this is a means to keep out unwanted guests.
Hope this helps.