Just thought I'd point out that Apache can be also configured to run using a suid wrapper, so that CGIs can be run in mode 700 (rwx------) or 500 (r-x------). In this configuration, the CGIs execute as the user whose account corresponds to that directory. Thus, on a system that hosts many web accounts, a user can create a set of scripts which are executable, have the same access as that user, yet be unreadable by other users on the same system. The script can also then read and write files which the user can only access (mode 600: rw-------). I'm not sure how common this setup is (so far I've only run into two servers which have Apache set up this way; both were webhosting companies).

- Zoogie