Please review this FAQ for the specifics of how permissions should be set:
One thing this FAQ does not cover is selinux, which may be enabled by default in RHEL7/CENTOS7. If selinux is enabled, you will also need to set the selinux context for each writable directory to allow the webserver to write. https://wiki.centos.org/HowTos/SELinux