If Apache has been set up by someone who isn't a complete retard it will be suiding to an unprivilidged user the moment it gets a connection request. On most systems this user will be the 'nobody' or 'www-data' user.

Probably the best you could do with one of those accounts is read the source code to the CGI scripts, and if your scripts are programmed correctly then you are safe.

In short, mod_perl is secure, just like mod_ anything is. The memory leaks are another story.

____________________
Jeremy
I didn't believe in evil until I dated it.

I believe z0d was indirectly refering to the fact that FastCGI can be configured to run as different uids for different users. This is similiar to the suexec functionality of regular CGI programs. I know someone who chose FastCGI over mod_perl for this reason at a webhosting site. Multiple unrelated users have less of a chance to step on each others toes this way.

So, its not a question of compromising my mod_perl process vs. my fastcgi process... Its a matter of limiting others security holes from becoming my problem.

p.s. I'm a mod_perl guy myself... but I couldn't refute this aspect when my friend told me about his webhosting gig.

-Blake