Once an installation of 2.9 is complete (fresh install) we see this...
root@otenew:/etc# ls -lah amportal.conf freepbx.conf
-rw-rw-r-- 1 asterisk asterisk 5.4K Jun 8 09:51 amportal.conf
-rw-rw-r-- 1 asterisk asterisk 296 Jun 8 09:52 freepbx.conf
The needed change to freepbx_engine is this...
diff freepbx_engine_orig freepbx_engine
< chown -R $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP /etc/amportal.conf
< chown -R $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP $FREEPBX_CONF
< chmod g+w /etc/amportal.conf
< chmod g+w $FREEPBX_CONF
> chown $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP /etc/amportal.conf
> chown $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP $FREEPBX_CONF
> chmod o-r /etc/amportal.conf
> chmod o-r $FREEPBX_CONF
This will ultimately lead to those two files being on mode 640 thus preventing anyone other than asterisk (or whomever $AMPASTERISKWEBUSER is) or root from being able to read sensitive data such as most critically the freepbx database credentials or things like ARI/FOP passwords.
And yeah... also the change removes making the files recursively owned (what the hell?) and making the file group writeable, which is pointless given the group is the same as the user which has read/write access.