Now that our web server uses the proper user, maybe we should consider implementing a turnin web front-end that whould work along with the command line version.

Later we could completely avoid setuid writing a python script accessing the web front-end from the command-line (this should be a new project however).

We could also consider unifying the rendezvous system (which used to support file uploads and now should be safe to use) with turnin.

Ironically I was thinking of this yesterday..
It seems impossible unless each class hosts it's own copy. I was thinking of each student hosting his own front-end but a class-hosted turnin implemented and integrated to RV can be better.
So far I only designed a front end to upload files without all the enable(1) hussle. https://github.com/DaKnOb/CSD-FileUpload
I think all files will have to be stored in public_html since the rest of the directory is not mounted on the web server.

My major concern is that storing them in public_html we rely on the .htaccess file which I do not trust. It can be easily altered, removed by accident, or even disabled by the server admins without notice.

Files uploaded with PHP are owned by the user that runs the script so a chmod 0700 with PHP and maybe an optional .htaccess too will do the trick :-)

I think 0700 is not enough since someone could craft the path to the file and access it through the web server. Since the web server is running as the owner it would give access to the attacker. Am I wrong? Did not find time yet to play around with it.

I don't think this is possible. In both systems (web server & workstations) the file is owned by the user that created it. Of course, there is always the chance students will drop privilege escalation 0days on us..
Any other ideas?

Yes, you are right. Direct access should respect the file permissions, it has nothing to do with the php server.