This way, only users in the group users could cross de first dir, then only THE web user and THE user with group group1 could cross the second dir, then everybody could cross the third level, but in fact, everybody only means web and group1 (user1).
So, you only need one group per user and you don't need the webserver user to be in all groups.
Slashdot Mirror
I'm not sure if this is only a matter of group ownership of the files.
If this is the question, the solution could be having a few directory levels with different groups:
/home/users/user1/website
/home/users/use r2/website
drwxr-x--- root:users
drwxr-x--- web:group1
drwxr-xr-x user1:other
This way, only users in the group users could cross de first dir, then only THE web user and THE user with group group1 could cross the second dir, then everybody could cross the third level, but in fact, everybody only means web and group1 (user1).
So, you only need one group per user and you don't need the webserver user to be in all groups.
Is this ok?
Miquel