WordPress Linux file permissions and group

Posted 2019-08-09 14:05

Question:

I have a Linux server (Debian 7) with lots of users who need WordPress. When I create the users, what group should they be in? Today I assign them to www-data. Then they download WordPress by SFTP and run the installation.

Which file permissions and user/group should their files have, especially wp-config.php?

Now, users can peek in each other's wp-config.php from the terminal and read the password. Not very good.

Since the users aren't root, they can't change file permissions/owner of wp-config.php, which would solve my problem.

Answer 1:

You can use this script by Mike Conigliaro for setting permissions correctly on all WordPress files.

WP_OWNER=changeme # <-- wordpress owner
WP_GROUP=changeme # <-- wordpress group
WP_ROOT=/home/changeme # <-- wordpress root directory
WS_GROUP=changeme # <-- webserver group

# reset to safe defaults
find "${WP_ROOT}" -exec chown "${WP_OWNER}:${WP_GROUP}" {} \;
find "${WP_ROOT}" -type d -exec chmod 755 {} \;
find "${WP_ROOT}" -type f -exec chmod 644 {} \;

# allow wordpress to manage wp-config.php (but prevent world access)
chgrp "${WS_GROUP}" "${WP_ROOT}/wp-config.php"
chmod 660 "${WP_ROOT}/wp-config.php"

# allow wordpress to manage .htaccess
touch "${WP_ROOT}/.htaccess"
chgrp "${WS_GROUP}" "${WP_ROOT}/.htaccess"
chmod 664 "${WP_ROOT}/.htaccess"

# allow wordpress to manage wp-content
find "${WP_ROOT}/wp-content" -exec chgrp "${WS_GROUP}" {} \;
find "${WP_ROOT}/wp-content" -type d -exec chmod 775 {} \;
find "${WP_ROOT}/wp-content" -type f -exec chmod 664 {} \;


Answer 2:

This is how I solved it: Create users in a group "users". Create a script in /etc/cron.hourly that fixes permissions on all wp-config.php files like this:

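# locate must run as a command substitution; without it the loop
# iterates over the literal words "locate" and "wp-config.php"
for f in $(locate wp-config.php)
do
    # group www-data gets read access, everyone else gets none
    chgrp www-data "$f"
    chmod 640 "$f"
done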

Works like a charm.
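
The hourly job from Answer 2, sketched as an added example that is not part of either answer: it walks a directory tree with find instead of locate, so paths containing spaces and files newer than the locate database are covered, and it reports any wp-config.php still outside the target state. The function names, the www-data default and the /home argument are assumptions.

```shell
#!/bin/sh
# Added example, not from either answer. WEB_GROUP and the /home layout are
# assumptions; adjust them to the server.
WEB_GROUP=${WEB_GROUP:-www-data}

# List every wp-config.php under $1 that is not in the target state:
# mode exactly 640 and group $2 (owner rw, web server group r, others nothing).
audit_wp_configs() {
    find "$1" -type f -name wp-config.php \
        \( ! -perm 640 -o ! -group "$2" \) -print
}

# Bring every wp-config.php under $1 to that state. find hands the paths
# straight to chgrp/chmod, so names with spaces are safe.
fix_wp_configs() {
    find "$1" -type f -name wp-config.php \
        -exec chgrp "$2" {} + -exec chmod 640 {} +
}

# Cron entry point: fix, then print anything still wrong to stderr (for
# example a file where chgrp was refused). Returns non-zero if any remain.
enforce_wp_configs() {
    fix_wp_configs "$1" "$2"
    remaining=$(audit_wp_configs "$1" "$2")
    [ -z "$remaining" ] || { printf '%s\n' "$remaining" >&2; return 1; }
}

# Typical call from a root-owned script in /etc/cron.hourly:
#   enforce_wp_configs /home "$WEB_GROUP"
```

This only keeps other accounts out if they are not members of the web server group themselves, which is why Answer 2 puts the users in "users" rather than www-data.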