I would like to allow a set of students to access a shared web-server. Students work in groups, and each group's home directory contains a `www` folder that should be accessible to the shared instance of apache2. For example, if Bob and John are part of group MyPetShop, you would have user `john` in the `john students mypetshop` groups. I do not want to grant `www-data` membership to students, to avoid them messing up other people's pages directly*.

And their home directory would be at `/home/students/mypetshop`, with `/home/students/mypetshop/www` being read/write for user `www-data`. I can achieve this either using

- a sticky group of `www-data` for these folders (so that their permissions would be `drwxrwsrwx john www-data`). This has the problem of john using the wrong permissions for his files, so that bob or www-data cannot access them; or www-data creating files that john and bob can only touch once they fiddle around with permissions for a while.
- standard group ownership (`mypetshop`), and an ACL that would allow `www-data` access to these folders (via `setfacl -m d:g:www-data:rwx www`).

Would ACLs work here as intended? Are default ACLs automatically inherited in subfolders, or is there some much easier way to set this up that I am missing?

(*) yes, this is not fool-proof, as they could write www-data-executed phps to do that for them...
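
The inheritance behaviour asked about above can be checked in a scratch directory. This is an added example, not part of the original post: it assumes `www-data` is gid 33 (the Debian/Ubuntu default) and that `setfacl`/`getfacl` are installed, and `has_entry` and `acl_inherit_demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Everything runs in a scratch directory from mktemp.
# Assumption: www-data is gid 33 (Debian/Ubuntu default); a numeric gid is
# used so the group does not have to exist on the machine running this.
WWW_GID="${WWW_GID:-33}"

# has_entry PATH ENTRY: succeeds if getfacl lists an ACL line starting with ENTRY
has_entry() {
    getfacl -cn "$1" 2>/dev/null | grep -q "^$2"
}

# Returns 0 if the behaviour matches the comments below, 1 if it does not,
# 2 if setfacl/getfacl are missing or the filesystem lacks ACL support.
acl_inherit_demo() {
    command -v setfacl >/dev/null 2>&1 || return 2
    command -v getfacl >/dev/null 2>&1 || return 2
    top=$(mktemp -d) || return 2
    www="$top/www"
    mkdir "$www" && chmod 770 "$www"
    # The command from the question: a default (d:) entry only.
    if ! setfacl -m "d:g:${WWW_GID}:rwx" "$www" 2>/dev/null; then
        rm -rf "$top"; return 2
    fi
    rc=0
    # A default entry is only a template for new children. It grants nothing
    # on www itself, so the web server's group has no access entry yet.
    has_entry "$www" "group:${WWW_GID}:" && rc=1
    # Add the access entry so the group can enter and write to www itself.
    setfacl -m "g:${WWW_GID}:rwx" "$www" || rc=1
    has_entry "$www" "group:${WWW_GID}:rwx" || rc=1

    mkdir "$www/img"          # new subdirectory
    : > "$www/index.html"     # new file; the shell creates it with mode 0666
    # Subdirectory: gets the entry as its access ACL and as its own default
    # ACL, so inheritance continues further down the tree.
    has_entry "$www/img" "group:${WWW_GID}:rwx" || rc=1
    has_entry "$www/img" "default:group:${WWW_GID}:rwx" || rc=1
    # File: gets the entry, but the mask is capped by the creation mode,
    # so the effective rights are rw-, not rwx.
    has_entry "$www/index.html" "group:${WWW_GID}:rwx" || rc=1
    has_entry "$www/index.html" "mask::rw-" || rc=1
    rm -rf "$top"
    return "$rc"
}

acl_inherit_demo || echo "acl_inherit_demo exit status: $?"
```

Default entries apply only to files and directories created after they are set; anything already in `www` keeps its existing ACL until it is changed explicitly.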