This will vary depending on whether you are on a shared server, or a dedicated machine, and whether you have one or multiple people interacting with OJS on the file level. I tried to explain some of those considerations here:
Equally important to the numeric permissions is the file ownership. For example, ownership of apache:www with permissions of 750 means that the apache user can read, write and execute; anyone with the www group can read or execute; and the file is protected against access by anyone else. Note that “execute” means two entirely different things for directories than for files!
In general, you want your permissions set such that your webserver can read and write (recursively) to config.inc.php’s …
Generally, the ownership of cache, public, and other web-writable directories should be your web user and the web-user’s primary group, for example apache:www-data. Permissions should probably be 750.
The ownership of the other non-web-writable directories should be your user, with either the web user’s group, or with public execute permissions. For example:
root:www-data with 750
or
root:root with 755.
Web-writable files would be the same, but without the execute permission:
apache:www-…