Avec des Acls
I think you may find POSIX ACL (access control lists) to be helpful. They allow a finer-grained permission model compared to the user:group:other model. I have found them to be easier to keep straight in my head since I can be more explicit and can also set the "default" behavior for a branch of the file system.
For example, you can specify each user's permissions explicitly:
setfacl -Rm d:u:userA:rwX,u:userA:rwX /var/www setfacl -Rm d:u:userB:rwX,u:userB:rwX /var/www
Or you can do it based on some shared group:
setfacl -Rm d:g:groupA:rwX,u:groupA:rwX /var/www
And perhaps you want to keep your Apache user as read-only
setfacl -Rm d:u:www-data:rX,u:www-data:rX /var/www