Best practice for web server user/group permissions

What's the best practice in a secure manner to setup the user/group and permissions? Here's what we currently have; web server runs as www/www. Fastcgi Php runs as www/www. User's shell/ftp account is 开发者_运维技巧username/username.

We want the user to be able to have full access to all files, including those created by the web server 'www' from the shell or ftp. Similarly, we want the scripts run by fastcgi/php to be able to create files in user created directories and modify user created files.

Best practice for multiple users with different domains / files would be running suexec for fastcgi, so they run their own files as their own user, and their scripts don't have the privileges the webserver has.

If you're paranoid you start chrooting.