Web home directories world writable?

I was looking at the launch script

ls /etc/init.d/ispconfig_server


###################################
#
# ISPConfig Server-Startscript
#
###################################

TMPDIR=/tmp
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin

case "$1" in
start)
echo "Starting ISPConfig system..."
/etc/init.d/mysqld start &> /dev/null
/etc/init.d/mysql start &> /dev/null
sleep 3
/root/ispconfig/httpd/bin/apachectl startssl
/root/ispconfig/sv/ispconfig_wconf &> /dev/null &
/root/ispconfig/php/php -q /root/ispconfig/scripts/shell/firewall.php
if ps ax | grep -iw '/home/admispconfig/ispconfig/tools/clamav/bin/freshclam' |

So the ispconfig server is contained in /root/ispconfig directory?

Then I looked at ps of apache processes:

homeland:/etc/init.d# ps axwu | grep apache
root 2217 0.0 0.5 102352 12184 ? Ss 11:02 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2280 0.1 1.4 119820 29308 ? S 11:02 0:02 /usr/sbin/apache2 -k start -DSSL
www-data 2281 0.0 1.3 116828 27264 ? S 11:02 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 2283 0.0 1.3 118168 28612 ? S 11:02 0:01 /usr/sbin/apache2 -k start -DSSL
www-data 2337 0.0 1.3 117848 28456 ? S 11:02 0:01 /usr/sbin/apache2 -k start -DSSL
www-data 6963 0.0 1.3 117600 27940 ? S 11:06 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 7132 0.0 1.3 117764 28176 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 7134 0.0 1.3 117616 28012 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 7135 0.0 1.3 117712 28192 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 7137 0.0 1.3 116592 26936 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
www-data 8388 0.0 0.5 102352 12216 ? S 11:24 0:00 /usr/sbin/apache2 -k start -DSSL
root 8436 0.0 0.0 2620 504 pts/0 R+ 11:26 0:00 grep apache
homeland:/etc/init.d# ps axwu | grep httpd
root 2067 0.0 0.2 27524 5948 ? Ss 11:01 0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
admispc 2072 0.0 0.6 34220 13836 ? S 11:01 0:01 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root 2218 0.0 0.0 2680 436 ? S 11:02 0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d
admispc 2492 0.0 0.6 34180 14000 ? S 11:02 0:01 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root 8440 0.0 0.0 2620 504 pts/0 R+ 11:26 0:00 grep httpd

Well, the apache serving user pages has www-data.www-data owner/group.

But since all the user web space are under their userid:

ls -lah /var/www/

drwxr-xr-x 15 web11_giorgio web11 4.0K Jul 25 11:03 web11

That means that each sub directory under web11 root hdtocs should be readable, writable and executable by all (-a in chmod). The same for files in there: to be overwritable by a php generated web process they should be worldwide writable.

I noticed that to make ispconfig be able to modify files in user web homes, its userid is added to each user group.

Aren't these settings a bit insecure? Ore there's something I don't catch?