I understand from reading the Apache book by the Lauries that a CGI program runs with the authority of the “Apache” user name, which should be much less than that of root.
The book indicates that a server subprocess renounces its root privilege before it begins to attend to HTTP requests.
This certainly solves many security problems.
I presume that this authority includes reading the entire web space of the server machine.
I presume that normal (non-suEXEC) CGI programs run with this reduced authority but have the authority to invoke suEXEC just as does the Apache program itself running under Apache authority.
If one server client has both “normal” and suEXEC CGI scripts then it would seem that the normal CGI program could invoke suEXEC and that suEXEC would be unable to determine that the invocation was inauthentic.
Of course suEXEC and Apache could institute secret handshakes, but these could scarcely work with open source or even open binaries.
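The ambiguity described above, as an added example that is not part of the original note and is not Apache's suEXEC source. It assumes a wrapper that identifies its invoker by real uid; `caller_is_authorized`, `verdict_from_child` and `check_is_ambiguous` are hypothetical names, and a forked child stands in for a normal CGI program started by the server.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical wrapper-side check (assumption: caller identity = real uid).
   The kernel reports only the uid, not which program is asking. */
static int caller_is_authorized(uid_t server_uid) {
    return getuid() == server_uid;
}

/* Run the same check inside a forked child, which stands in for a normal
   CGI program spawned by the server. Returns 1/0, or -1 on error. */
static int verdict_from_child(uid_t server_uid) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(caller_is_authorized(server_uid) ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Returns 1 when the check gives the same "authorized" verdict to the
   server process and to the CGI child it started. */
static int check_is_ambiguous(void) {
    uid_t server_uid = getuid();   /* this process plays the server */
    int as_server = caller_is_authorized(server_uid);
    int as_cgi = verdict_from_child(server_uid);
    return as_server == 1 && as_cgi == 1;
}

int main(void) {
    printf("server and CGI child indistinguishable by uid: %s\n",
           check_is_ambiguous() ? "yes" : "no");
    return 0;
}
```

Telling the two callers apart requires a difference the kernel enforces, such as a separate uid or group for normal CGI programs that lacks execute permission on the wrapper.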