Bug#499191: Possible security issues
I have a patch prepared. Attached is what I got so far, and seems to be
working fine. (It's the modified .dpatch file, not a patch to a dpatch).
So now a third line in /etc/apache2/suexec/www-data is supported, being
a cgi_docroot. Scripts inside this cgi_docroot, and owned by root are
allowed to be executed by the target user.
I believe this addition will be very useful. On the other hand I
understand you want to stick to suexec as close as possible. You have to
realize though that many people patch suexec themselves because their
distro doesn't deliver something more usable. It's probably more secure
to have one widely used patched version inside the distro than having
many different locally patched versions.