in reply to Allowing Apache to Write to filesystem
Your concern appears to be about ensuring the data integrity. You want to provide only the unmodified files that your process creates. I suggest that your PDF creator store a checksum/hash of the created files in a database, and that your download CGI only offers those files whose checksum is in the database. Before beginning the download, it can check to see that the file has not been altered, and throw an error if there is not a match. Digest::SHA (128-bit or better) would be a good method.
Alternately, you could have your tool provide an automatically generated signature for each "official" file. GnuPG::Signature or the like would take you down that road.
Updated: or better yet, Roll your DSA signatures
The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. — Cyrus H. Gordon