Generally, when setting up directory structure, everything other than the public directory should be owned by root -- the rest by the user and group that needs read/write access. For example, if you're using /var/www/html, then /var/www should be owned by root and /var/www/html should be owned by www-data (in your case).

Normally I shy away from using /var and stick with /home and create individual directories for each user and site.

In the above, /home should already be owned by root (by default) and /home/sammy should as well. Beyond that, /home/sammy/htdocs and down is owned by sammy -- all files and directories.

All files are chmod 644 and all directories are at max chmod 755 with some limited to 750.
You can, of course, further lock down permissions, though you have to be careful.
This is one reason why I use NGINX and PHP-FPM over Apache and mod_php. Instead of Apache and a single user (in most default configurations), NGINX runs as one user (normally nginx) and separate pool files are set up for each PHP-FPM instance, thus preventing a single user from needing to own all files and directories.

All users are basic users with only the permissions they need (which is normally SFTP access at most) and nothing more. They can't log in to shell (via SSH) -- only SFTP. The root user owns the base directories and the user:group that PHP-FPM is running as owns the rest (the public-facing directories).
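One way to apply and then audit the 644/755/750 scheme described in this answer, as an added example that is not the answer author's own code. The htdocs layout, the config/ directory chosen for 750, and the owner/group names are assumptions; OWNER/GROUP default to the current user so it runs unprivileged, and the demo tree is constructed.

```shell
#!/bin/sh
# Apply the scheme: files 644, directories 755, selected directories 750.
# Assumed: run as root in production with e.g. OWNER=sammy GROUP=www-data.
apply_policy() {
    root_dir=$1
    owner=${OWNER:-$(id -un)}
    group=${GROUP:-$(id -gn)}
    chown -R "$owner:$group" "$root_dir" || return 1
    find "$root_dir" -type f -exec chmod 644 {} +
    find "$root_dir" -type d -exec chmod 755 {} +
    # Directories listed in PRIVATE_DIRS (assumed, e.g. "config") get 750
    # so "other" users on the box cannot traverse or list them.
    for d in ${PRIVATE_DIRS:-}; do
        if [ -d "$root_dir/$d" ]; then chmod 750 "$root_dir/$d"; fi
    done
}

# Audit the tree: report every path that deviates from the policy on stderr
# and print the number of offending paths on stdout (0 means compliant).
audit_policy() {
    root_dir=$1
    find "$root_dir" -type f ! -perm 644 -exec echo "file not 644: {}" \; >&2
    find "$root_dir" -type d ! -perm 755 ! -perm 750 \
        -exec echo "dir not 755/750: {}" \; >&2
    bad_files=$(find "$root_dir" -type f ! -perm 644 | wc -l)
    bad_dirs=$(find "$root_dir" -type d ! -perm 755 ! -perm 750 | wc -l)
    echo $((bad_files + bad_dirs))
}

# Constructed demo site with two deliberately wrong (world-writable) entries.
make_demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/htdocs/config" "$site/htdocs/img"
    printf '<?php echo "hi";' > "$site/htdocs/index.php"
    printf 'db_pass=placeholder' > "$site/htdocs/config/db.ini"
    chmod 777 "$site/htdocs/index.php"
    chmod 777 "$site/htdocs/img"
    echo "$site"
}

if [ "${1:-}" = "demo" ]; then
    site=$(make_demo_site)
    echo "before: $(audit_policy "$site/htdocs") problem(s)"
    PRIVATE_DIRS=config apply_policy "$site/htdocs"
    echo "after:  $(audit_policy "$site/htdocs") problem(s)"
    rm -rf "$site"
fi
```

Run with `sh script.sh demo`; the audit function alone is useful as a periodic check that a deploy or SFTP upload has not loosened permissions.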