Current situation
Warning for this section: this is only recommended if your only usage is web hosting; Apache is not meant to have access to users' home folders (the other suggestion at the end of the answer may be more suitable).
- Web/Apache group (`www-data` group) must contain all users using the service
- Apache and the users need to have access to their respective `www` while limiting access between each other
- Each directory under `/home` should have `www-data:user` rights: `chown www-data:me /home/me`
OR
- Web/Apache group (`www-data` group) must contain all users using the service
- Apache and the users need to have access to their respective `www` while limiting access between each other
- Home user's folder should have the rights `chown me:me /home/me`
- Make `/home` belong to Apache: `chown www-data:root /home`
Like that, Apache would have access to the necessary `www` directory and users won't have access to other users' folders.
The key here is that the group permission is shared between users, while Apache itself is a user that is not exposed to other users. For instance, `chown www-data:me /home/me` keeps `me` isolated from other users while granting access to Apache and `me` (whereas `chown me:www-data /home/me` would let everyone in the `www-data` group access `me`'s folder).
The `www` directory needs to be present in a location that belongs to Apache (the `www-data` user). In your current config, setting `/home/me` to `www-data:me` or `/home` to `www-data:root` is a workaround because you are locating `www` inside the user directory.
This is why the default `www` location is under `/var` and not under the home directory: to let Apache and the user have read/write access to `www` without giving Apache unnecessary access (in this case, access to the whole user's folder).
If your home folder is only meant for `www` (web usage), you are fine with the current suggestion/config. Now, if you are using the system for additional purposes beyond web hosting, then `www` should not reside in the `/home` folder but in another location like `/var`; in that case you would need to remove the `ChrootDirectory` usage and instead go for a classic config where file access is managed only by file access permissions. Here is some reading about restricting a classic user...
If you want security, separation, web hosting plus other Linux/server usage for each user, you would need to implement a different solution involving virtualisation and/or sandboxing.
Note that there are many other possibilities to achieve what you are asking, but this one is the fastest regarding your config; read the section Final suggestion below for a more suitable implementation.
The config
The implementation depends on the targeted security level and the targeted usage. Thus one config could be great for one situation and at the same time bad for another.
Your current config is not far from a classic one where, instead of `ChrootDirectory`, classic file permissions, groups, and user access levels would be used to manage the separation between each SSH user. I guess that you are just missing user access levels in your config to achieve that. Here are some details on how to implement that: here, here and here (that said, using `ChrootDirectory` in addition to that is a good security practice).
Alternative (hardened security)
First, `PermitRootLogin yes` should never be used; instead add the `me` user to the sudoers. Root will then be accessible through the `me` user with `sudo su` or `su`.
If you are targeting hardened security, kernel user space features can be used, which will completely separate each user, but this is a whole other config. This can be achieved with the native Linux tools and/or firejail to separate files, network, etc.
Also in the same scope of hardened security, authentication with a private/public key pair should be used instead of `PasswordAuthentication yes`.
SSHFS may also be an alternative to separate the hosted files.
Also, here are some interesting links on the topic:
Final suggestion
Finally, regarding your config I would just suggest:
- Disabling `PermitRootLogin`
- Reviewing users' and `/home` rights.
- In the case of web hosting being the only usage:
  - Apply the suggested permissions, not to the `/home` directory but using a structure like `/var/apache/user1`, `/var/apache/user2`, etc., then use `ChrootDirectory /var/apache/`
- In the case of a multi-purpose system:
  - Many possibilities can be used here; one of them is applying the suggested permissions, not to the `/home` directory but using a structure like `/var/apache/user1`, `/var/apache/user2`, etc. without using `ChrootDirectory`, then managing permissions with file access rights.