in reply to
Just thought I'd point out that Apache can be also configured
to run using a suid wrapper, so that CGIs can be run in
mode 700 (rwx------) or 500 (r-x------). In this
configuration, the CGIs execute as the user whose account
corresponds to that directory. Thus, on a system that
hosts many web accounts, a user can create a set of scripts
which are executable, have the same access as that
user, yet be unreadable by other users on the same system.
The script can also then read and write files which the
user can only access (mode 600: rw-------).
I'm not sure how common this setup is (so far I've only
run into two servers which have Apache set up this way;
both were webhosting companies).