I have read What permissions should my website files/folders have on a Linux webserver? and here is a linked question. Let's say:
/var/www/bobweb/ is owned by bob:bob
/var/www/eveweb/ is owned by eve:eve
and that each site has an Apache VirtualHost, linking to bobweb.com and eveweb.com.
Each website needs to be writable by Apache (there is an image uploader on both websites), so I often read:
"Just do chgrp -R www-data /var/www/bobweb/, idem for Eve, and that's all!"
This gives:
drwxrwx--- 3 bob www-data 4096 Jan 9 17:45 bobweb
drwxrwx--- 5 eve www-data 4096 Feb 26 2019 eveweb
This indeed prevents Bob from visiting Eve's files from shell/SSH and vice-versa.
But it seems that Eve could write a PHP script (run by www-data) to read (or even modify) /var/www/bobweb/wp-config.php (thus stealing Bob's DB password!).
Question: how to modify user+group ownerships and permissions to prevent Bob from reading Eve's files and vice-versa, but still allow Apache+PHP to write data on these websites?
(typical shared hosting situation)
This can't fully be done with file permissions alone - you should look to the applications you are running to create jails. For PHP you can use "open_basedir" on a per virtualhost basis.
You will also want something similar in your FTP server (you have not advised which server you are using but many/most have an appropriate directive).
Of course, if you are allowing CGIs, the entire problem space changes.
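
One way to check that every VirtualHost confines PHP with open_basedir, as the answer above suggests. This is an added example, not part of the original answer: it assumes mod_php (where `php_admin_value` is valid inside `<VirtualHost>`), and the sample configuration and the `/var/tmp/bobweb/` path are constructed.

```python
import re

# Constructed sample config (assumption: mod_php, so php_admin_value may sit
# inside <VirtualHost>). bobweb.com is confined; eveweb.com is not.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName bobweb.com
    DocumentRoot /var/www/bobweb
    php_admin_value open_basedir "/var/www/bobweb/:/var/tmp/bobweb/"
</VirtualHost>
<VirtualHost *:80>
    ServerName eveweb.com
    DocumentRoot /var/www/eveweb
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name):
    """Return the unquoted argument of a directive in a vhost block, or None."""
    m = re.search(r"^\s*" + name + r"\s+(.+?)\s*$", block, re.M | re.I)
    return m.group(1).strip('"') if m else None

def allows(entry, path):
    """True when path is the open_basedir entry directory or lies beneath it."""
    return (path.rstrip("/") + "/").startswith(entry.rstrip("/") + "/")

def audit(conf):
    """Return {ServerName: [findings]} for every VirtualHost in conf."""
    hosts = [(directive(b, "ServerName"),
              directive(b, "DocumentRoot"),
              directive(b, r"php_admin_value\s+open_basedir"))
             for b in VHOST_RE.findall(conf)]
    report = {}
    for name, root, basedir in hosts:
        findings = []
        if basedir is None:
            findings.append("no open_basedir: PHP can open any file www-data can read")
        else:
            entries = basedir.split(":")  # ':' separates entries on Linux
            if not any(allows(e, root) for e in entries):
                findings.append("open_basedir does not cover own DocumentRoot")
            for other, other_root, _ in hosts:
                if other != name and any(allows(e, other_root) for e in entries):
                    findings.append("open_basedir also allows " + other_root)
        report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns an empty finding list for bobweb.com and flags eveweb.com as unconfined.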