[Disregarded, and dropped news:comp.lang.perl.misc from
Followup-To:, as my questions below are little related to Perl.]
To clarify: my issue with Apache's mod_suexec is that (as of
2.2) I cannot use configure SuexecUserGroup within, say, a
<Directory /> block. Which means that I have to introduce a
<VirtualHost /> whenever I want to run a new Web application
under a new UID.
[...]
FWIW, wrapping a CGI::Simple code into a FCGI loop doesn't seem
like a big deal. Like (untested):

## Was:

my $o
= \*STDOUT;
my $q
= CGI::Simple->new ()
or die ();
## ...
## FIXME: and what about the encoding?
$o->print ($q->header ("-type" => "application/xhtml+xml",
@more_headers));
binmode ($o);
$xml->setEncoding ("utf-8");
$xml->toFH ($o, 0);


## Becomes:

my $sock
= FCGI::OpenSocket ($sock_fn, 7);
die ()
if ($sock < 0);
my $o
= \*STDOUT;
binmode ($o);
my $rq
= FCGI::Request (\*STDIN, $o, \*STDERR, \%ENV, $sock)
or die ();
## NB: a never-ending loop?
while ($rq->Accept () >= 0) {
my $q
= CGI::Simple->new ()
or die ();
## ...
## FIXME: and what about the encoding?
$o->print ($q->header ("-type" => "application/xhtml+xml",
@more_headers));
$xml->setEncoding ("utf-8");
$xml->toFH ($o, 0);
$rq->Finish ();
}

Obviously, any "early exit" locations should be tweaked as well,
and the state cleaned up. (Most of the state should be GC'ed by
the Perl system itself, however, should it be associated with
"my" variables.)

[...]
ACK, thanks!
I believe that the only proper way to utilize a separate UID for
a Web application is to start it separately from the HTTP server
(say, with its own script run during the system's boot up), with
the server communicating the application via a Unix socket.

Then, either the starting script, a helper, or the Web
application itself is responsible for dropping the root
privileges. (Just as in the case of the HTTP server itself.)

The use of Unix sockets allows for the Unix filesystem access
control to be utilized, thus ensuring that the HTTP server
passes the (potentially sensitive) information contained within
the HTTP request to the designated application. (It is much
harder to maintain this level of security with TCP/IP sockets.)

Unfortunately, AIUI, the mod_fcgid (as available for Apache 2.2)
insists on starting the Fast CGI code by itself, thus requiring
a set-UID wrapper to switch the UID.

OTOH, mod_proxy_fcgi, while requiring for the Fast CGI code to
be started separately, insists on using TCP/IP sockets.

Thus, as it seems, I'm having no luck with Apache either way.

Lighttpd, however, can be configured in such a way. Consider,
e. g.:

--cut: http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModFastCGI --
fastcgi.server = ( ".php" =>
(( "socket" => "/tmp/php-fastcgi.socket",
"bin-path" => "/usr/local/bin/php"
))
)
--cut: http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModFastCGI --

(though, obviously, "bin-path" is an extra here.)

Unfortunately, I'm somewhat concerned with the (possible) lack
of features in Lighttpd that I may wish to utilize, one of them
being the Kerberos authentication support, yet to appear in its
stable version.

[...]
Perhaps, though at the first glance, Lighttpd looked a bit
easier to configure. (Why, my ~/.lighttpd/lighttpd.conf, which
I used to gain some familiarity with the server, and its CGI
features, is only 27 lines long, sans the blank lines and
comments. IIRC, my ~/.nginx/nginx.conf was a few times larger.)
There seem to be a couple of drawbacks in using HTTP for server
to application communication. Namely:

* I know of no standard way to pass the authentication
credentials (either HTTP "plain" or Kerberos), or X.509
certificate down such a proxy chain;

* as long as Apache is concerned, I expect it to require the use
of TCP/IP sockets for such communication (while using Unix
ones would arguably be more secure.)

Unless these issues are in fact easy to resolve, I wouldn't
really consider HTTP as a substitute for (whatever) CGI.

[...]