IMHO you need a basic understanding of Linux user, group, and security permissions in order to set things up right. I've read a lot of posts here and elsewhere where people go to insane lengths to secure J!, but have glossed over the basics.
The Apache webserver runs as a user; if you do not have root access to your server, your host has likely set this in the httpd.conf file. The easy way to find out the user of your webserver is via the command line:
ps -ef | grep httpd
That will output the apache process and to the left will be the user: it will likely be apache, nobody, root, etc. A good server setup will have it running as an isolated user such as apache whose only real access is to the httpd process and config and log files.
Once you figure out who your webserver is running as, you need to give this user access to your J! files: the webserver is the one who reads, writes, executes all scripts and files and tells the person's browser how to render the output. So at a minimum, your webserver user will need read access to everything in J!; and will require execute on most everything; and will require write on a subset of folders and files. (This is the part I am still trying to work through.)
Now, people access your website through their browser, which sends the http requests to your server, which apache acts on and sends html back to the user's browser.
If you give 777 to all files and folders, you are giving the webserver AND every user full read, write, and execute on everything. This is a Bad Thing.
Folders like /images and /cache do need 777 so that people using your website can read, write, and execute: for example, uploading and viewing a picture. If you took any of the permissions off /images, no one could either view (read), save (write), or upload (execute) anything in the directory.
Back to the case of the root J! folder and configuration.php: IMHO your webserver should only be able to read the config file, and you should manually change it to write, then back to read-only, when necessary. This file should never have execute rights.
There is a hierarchy to permissions as well. There are tons of great explanations on the web, but to summarize: folder permissions should be set properly first, then file permissions.
If you were to, for example, set your root J! folder to 640 and set all files underneath to 777, your site will be broken. The folder permissions sort of take precedence: the webserver will look at the root J! directory permissions, then any subdirectory(ies) it needs to access, then lastly at the file permissions. If any permission is set incorrectly in that path to the actual file, mayhem ensues.
Conversely, setting everything to 777 means there are no restrictions to what can be done.
And therein lies the problem: figuring out exactly what the webserver needs to read, write, and execute to properly serve your J! site is the most fundamental issue that has to be addressed and set. From there, additional security measures can be put in place (and there are tons available).
Sorry for rambling, still having my morning coffee.............
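An added example, not part of the original post: a small shell audit that lists the three conditions discussed above, namely world-writable entries, directories whose missing search bit blocks everything beneath them, and a configuration.php that is writable or executable. It assumes the webserver user is neither owner nor group of the files (so the "other" bits apply to it); the function names and the path argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Joomla tree against the permission rules in the post.
# Assumption: the webserver user falls under the "other" permission class.

# Files and directories any local user can write to (the 777 problem).
# Symlinks are skipped: their own mode is always 777 and means nothing.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Directories without the search (x) bit for "other". Everything below such
# a directory is unreachable for that user, whatever the file modes say.
blocked_dirs() {
    find "$1" -type d ! -perm -0001 -print
}

# configuration.php should be read-only and never executable:
# report it if any write or execute bit is set for anyone.
config_loose() {
    find "$1/configuration.php" \( -perm -0200 -o -perm -0020 -o -perm -0002 \
        -o -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null
}

# Print one tagged line per finding.
audit() {
    root=$1
    world_writable "$root" | sed 's/^/WORLD-WRITABLE /'
    blocked_dirs "$root"   | sed 's/^/NO-TRAVERSE    /'
    config_loose "$root"   | sed 's/^/CONFIG-LOOSE   /'
}

# Run the audit only when a path is given on the command line.
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Every WORLD-WRITABLE line should be a directory you deliberately opened up; anything else in that list is worth tightening.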