rootsh (http://sourceforge.net/projects/rootsh/) is popular for tracking purposes.
I believe you can use it for the login shell, not just sudo.
Give each user a personal group (see Red Hat default useradd mechanism) and create an upload dir owned by a separate user.
Add Apache & FTP to the upload group, also all users. Use the SGID bit to control default ownerships.
Do not add users to root group or give them sudo unless you need them to do admin work.
You should also look at SELinux (try CentOS/RHEL).
You probably won't need ACLs unless you have some users with very individual requirements. (Hmm, maybe on the upload dir).
Set perms on each user's home dir to drwx------.
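
An added example, not part of the original post: a small audit of the layout described above (home dirs at drwx------, an SGID upload dir whose new files pick up the upload group). The function names, the caller-supplied paths and the choice of drwxrws--- for the upload dir are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the permission layout described in the post.
# Assumptions (not from the post): paths are supplied by the caller, and
# "others" get no access to the upload dir (Apache/FTP reach it via the group).

# The first 10 characters of `ls -ld` are type and mode, e.g. drwxrws---.
# Cutting at 10 drops the trailing '.' or '+' that SELinux or ACLs add.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Home dirs must be exactly drwx------.
home_ok() {
    [ "$(mode_of "$1")" = "drwx------" ]
}

# Upload dir: group rwx with SGID (shown as 's'), nothing for others.
upload_ok() {
    case "$(mode_of "$1")" in
        drwxrws---) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every dir under $1 whose mode is not drwx------.
# Exit status is 0 only when none are found.
audit_homes() {
    bad=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if ! home_ok "$d"; then
            echo "$d $(mode_of "$d")"
            bad=1
        fi
    done
    return "$bad"
}

# A file created inside an SGID dir should carry the dir's group.
# Compares the group column (field 4 of ls -ld) of the dir and a probe file.
inherits_group() {
    dir=$1; probe="$dir/.sgid_probe.$$"
    : > "$probe" || return 2
    dg=$(ls -ld -- "$dir" | awk '{print $4}')
    fg=$(ls -ld -- "$probe" | awk '{print $4}')
    rm -f -- "$probe"
    [ "$dg" = "$fg" ]
}
```

Typical use would be `audit_homes /home` followed by `upload_ok` and `inherits_group` on the upload dir; run `inherits_group` as a user who can write there.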