I was poking for info on how ppl set their permissions, i have see a fair share of setups even on big shared hostings on many distributions.
The ones i liked are:
Webserver credentials: $webserveruser:www-data
user credentials : $username:$privateusergroup (same as username)
php pool credentials: same as user credentials.
Now for files:
Usually you have a root folder for the user (sort like homedir) and a root folder por serving web pages.
Now, each "home dir" is owned by its own user, example /var/www/user2 is owned by user2:user2
Every subfolder too, exactly like a homedir, this is where many ppl get confused, how do you let the webserver read the files? (remember, php is using user credentials so it will always have full permissions on the working dir of the user, example, user2/html), Well..
Assign $webserveruser to each $privateusergroup, everytime you add an user, do:
usermod -aG $privateusergroup $webserveruser
not the other way around, its confusing because the privategroup has the same name as the user.
Now, you can set home dir to: chmod 710 /var/www/user2
and user2/html should have a default mask and permissions, example 75x, the root dir is already locked to others so it doesn't matter. The webserver should be able to traverse a serve files, the user should not have problems using ftp with default mask and permissions, and php should be able to edit and read user files. Other users wont be able to read the files.
The other solution is using ACLs, but in the end its the exact same thing as my solution above, as setfacl will set a mask on the group permissions when setting a particular user or group access, it means the 'extra' permissions ser using acl will be controlled using the group permissions 'mask', And the extra headche to manage ACLs on a server is not worth it in my exprience.
setguid and group traditionals groups like www-data are a problem when the owner of the root dir is the user as it can change or delete permissions.
If many users have to access proyect1 for example, ACLs can be used but i like to ser the owner of the proyect to a particular user or root, set a group for collaboration like $project1group, chmod g+s bit on that dir, set 770, and asign the $webserveruser and the users of the proyect to $project1group.