Comment: That's very tricky with newer SuExec and not trans (Score 1)
It's very, very tricky (impossible?) to set that up right with the newer suckurity checks in recent versions of SuExec, especially now that SELinux has removed *_disable_trans. Previously you could do it with httpd_suexec_disable_trans. Now mostly people resort to running Apache as a permissive context - effectively castrating the mandatory access controls in order to run something that castrates the discretionary access controls (standard permissions).
Also, before the new checks were added, SuExec could be used in a smart way, though few people did. Suppose you have a user named "joe". You could create a script user named "joes_scripts". In that way, Joe's scripts would run as their own user. The new checks won't allow the joes_scripts user to run within the home directory of "joe", so there goes the proper use of suexec.
On a dedicated server, you CAN create a user that safely isolates scripts, so scripts run as a separate user from everything else. That user is called "httpd" or "nobody", and that's the default you get by NOT using suexec.