should apache upload dir have 777 permissions or b

Posted 2019-07-18 17:47

Question:

I'm running Apache and my PHP site uploads images to the server. Should the Apache upload dir have 777 permissions or belong to the www-data user? How would this affect backing things up?

Answer 1:

I think read + write permission is enough: read for backup, write for upload. It seems that no one ever needs to execute anything.

And you should only grant permissions to those who really need them. For example, grant write permission to www-data. And if you use another-user to do backups, only grant read permission to another-user.

You'd better avoid using 777.
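The scheme described in this answer, as an added shell example that is not part of the original post: an audit that flags what 777 leaves open, and a tightening step. The function names are hypothetical, `www-data` is assumed to be the web server account, and the backup account is assumed to belong to the directory's group.

```shell
#!/bin/sh
# audit_upload_dir DIR [OWNER]
# Prints one finding per line; exit status 0 means nothing was flagged.
audit_upload_dir() {
    dir=$1
    owner=${2:-www-data}   # assumption: Debian/Ubuntu web server account
    findings=0

    # "Other" write bit on the directory: any local account can add or
    # replace files in it. This is what 777 grants.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "WORLD-WRITABLE dir: $dir"
        findings=$((findings + 1))
    fi

    # The directory should belong to the account that writes the uploads.
    if [ -n "$(find "$dir" -prune ! -user "$owner")" ]; then
        echo "UNEXPECTED owner (want $owner): $dir"
        findings=$((findings + 1))
    fi

    # Uploaded images never need an execute bit or world write access.
    bad=$(find "$dir" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \))
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/EXECUTABLE file: /'
        findings=$((findings + 1))
    fi
    bad=$(find "$dir" -type f -perm -0002)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/WORLD-WRITABLE file: /'
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# harden_upload_dir DIR
# Owner: read/write. Group (the backup account): read only. Others: nothing.
# Directories keep the x (search) bit, which is needed to create and open
# files inside them; regular files get no execute bit at all.
harden_upload_dir() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}
```

Files created later by PHP take their mode from the process umask, so the audit is worth re-running after new uploads arrive.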



Answer 2:

That depends on what you need from it. You should always use the most restrictive permissions that will let you do what you need.

Read the man page for chmod(1) to learn what the various permission bits mean. And maybe provide some more detail about your situation, so someone can provide a specific answer for you.



Answer 3:

First and foremost, the Apache server needs to run as a non-privileged user. Second, the upload directory should only need 600 as the permission (rw), iirc. This will allow the user that is running Apache to write to that directory. The practical attack against a web server is to trick it into writing to a directory and having it execute the code that is placed there.