From Fedora Project Wiki

Revision as of 16:35, 3 October 2016 by Tibbs

File Permissions

Permissions on files must be set properly. Inside of /usr, files should be owned by root:root unless a more specific user or group is needed for security. They must be universally readable (and executable if appropriate). Outside of /usr, non-config and non-state files should be owned by root:root and be universally readable (and executable if appropriate) unless circumstances require otherwise.

Default file mode is 0644 or 0755. Directories should be mode 0755. Most well-behaved build scripts and rpm will use these defaults. If a directory needs to be group writable, it should also have the setgid bit set so that files written there are owned by that group. These directories should have mode 2775.

Deviations from the default ownership or mode must be justified and documented in the specfile.
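
An added example, not part of the original guideline or of any Fedora tooling: a Python check that walks an installed tree (such as a package buildroot) and lists every entry that deviates from the defaults above, so that each one can be justified in the specfile. The function names, the constructed sample tree and the `check_owner` switch are assumptions made for illustration.

```python
import os
import stat
import tempfile

FILE_MODES = {0o644, 0o755}  # default file modes from the guideline
DIR_MODES = {0o755, 0o2775}  # default directories, or group-writable with setgid


def audit_tree(root, check_owner=True):
    """Return sorted (relative path, reason) pairs for entries that deviate."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if check_owner and (st.st_uid, st.st_gid) != (0, 0):
                findings.append((rel, "not owned by root:root"))
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWGRP and not mode & stat.S_ISGID:
                    findings.append((rel, "group-writable directory without setgid"))
                elif mode not in DIR_MODES:
                    findings.append((rel, "non-default directory mode %04o" % mode))
            elif not mode & stat.S_IROTH:
                findings.append((rel, "not universally readable"))
            elif mode not in FILE_MODES:
                findings.append((rel, "non-default file mode %04o" % mode))
    return sorted(findings)


def make_sample(base):
    """Build a small constructed tree holding compliant and deviating entries."""
    dirs = {"bin": 0o755, "share": 0o755, "shared-ok": 0o2775, "shared-bad": 0o775}
    files = {"bin/tool": 0o755, "share/doc.txt": 0o644,
             "share/secret.key": 0o600, "share/loose.cfg": 0o666}
    for name in dirs:
        os.mkdir(os.path.join(base, name))
    for name, mode in list(files.items()) + list(dirs.items()):
        path = os.path.join(base, name)
        if name in files:
            open(path, "w").close()
        os.chmod(path, mode)  # chmod ignores the umask, so modes are exact


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for rel, reason in audit_tree(tmp, check_owner=False):
            print("%-20s %s" % (rel, reason))
```

Pass `check_owner=False` when auditing a tree built as an unprivileged user, where nothing is owned by root:root yet.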

In the past (before rpm 4.4), it was necessary to have a %defattr section at the beginning of each %files section, but this is now the default and no longer needs to be included explicitly.