It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with.

Security of /var/www is left as-is.

Security of the directories and subdirectories under /var/www has the following perm/user/group:
drwxrws--- martijn www

Security of files in those directories (recursive) is:
-rw-rw---- martijn www

martijn is the owner. www is the group.
www-data is a member of www.

I need my websites to be writable by themselves. Please don't dive into this; this is just the way I need it. For this requirement, the security seems quite alright to me. Good enough at least.

However, I stumble upon an issue. When a website updates itself, it will create some new files and whatnot. But if the www-data user creates a new file, this becomes the security:
-rw-r--r-- www-data www

This I don't want. I want any new files and directory to *inherit* from their parent. The security mask should be inherited, the owner should be inherited, and the group is already inherited.

How do I achieve this? How do I make the security mask and file owners inheritable?
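Added example, not part of the question above: a scratch-directory reproduction of the "new file comes out -rw-r--r--" problem and of the two mechanisms that control it on Linux. The setgid bit on the directory (the `s` in `drwxrws---`) is already what makes new entries inherit the group; the permission bits of a new file come from the creator's umask unless a default ACL on the directory overrides it; the owner of a new file is always the creating user (www-data here), and no Linux filesystem inherits ownership from the parent, so that part either needs the site to run as the same user or a periodic `chown`. The script assumes GNU coreutils (`stat -c`) and, for the ACL part, the `acl` package (`setfacl`/`getfacl`) on a filesystem with POSIX ACL support; it runs as an unprivileged user, so the directory's group is the caller's own group rather than `www`, and `www-data` is stood in for by the caller running with umask 022.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat and,
# optionally, setfacl/getfacl on an ACL-capable filesystem.

# Build a directory shaped like one of the /var/www subdirectories:
# drwxrws--- (2770). The setgid bit makes new entries inherit the
# directory's group; the default ACL makes them group-writable no matter
# what umask the creating process (the web server) runs with.
setup_site() {
    site=$(mktemp -d) || return 1
    chmod 2770 "$site"
    if command -v setfacl >/dev/null 2>&1; then
        # default ACL: owner rwx, owning group rwx, others nothing.
        # Silently skipped where the filesystem refuses ACLs.
        setfacl -d -m u::rwx,g::rwx,o::--- "$site" 2>/dev/null || true
    fi
    printf '%s\n' "$site"
}

# Simulate the website updating itself: create a file and a directory
# with umask 022, the value a web server typically inherits from init.
site_writes() {
    ( umask 022 && : > "$1/new.txt" && mkdir "$1/cache" )
}

# Helpers for inspecting the result (GNU stat).
gid_of()  { stat -c %g "$1"; }
uid_of()  { stat -c %u "$1"; }
mode_of() { stat -c %a "$1"; }

# Did the default ACL actually land on the directory?
has_default_acl() {
    command -v getfacl >/dev/null 2>&1 &&
        getfacl -p "$1" 2>/dev/null | grep -q '^default:group::rwx'
}

cleanup_site() { rm -rf "$1"; }

# Stand-alone run: show what the site's new entries look like.
demo() {
    d=$(setup_site)
    site_writes "$d"
    echo "directory: mode=$(mode_of "$d") gid=$(gid_of "$d")"
    for p in "$d/new.txt" "$d/cache"; do
        echo "$(basename "$p"): mode=$(mode_of "$p") uid=$(uid_of "$p") gid=$(gid_of "$p")"
    done
    # uid is always the creator's: ownership is not inherited on Linux.
    echo "creator uid: $(id -u)"
    if has_default_acl "$d"; then
        echo "default ACL active: new.txt is 660 regardless of the creator's umask"
    else
        echo "no default ACL: new.txt is 644 from umask 022; set the web server's umask to 002 instead"
    fi
    cleanup_site "$d"
}
demo
```

With the default ACL in place the group is inherited (setgid) and new files are group-writable (ACL), which covers the "security mask" half of the question without touching the server's umask; without ACL support, setting `umask 002` in the web server's environment gives the same `-rw-rw-r--`/`-rw-rw----` result for that one process. The owner, however, will still be www-data, as the `uid` line in the output shows.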