in reply to Best practice with polymorphic constructors
How secure is /Inetpub/Secure/foo.dat from other users on the server? The thing I like about Apache suExec is that I can set 'chmod 600 /Inetpub/Secure/foo.dat' to protect the contents while retaining cgi access. I've been setting up private ~/lib directories that way.
Can readers of the config be tricked into remembering too much? The polymorphism you set up is a specialization to certain arguments of the stock DBI::connect method. Perhaps if your modules are sufficiently unreadable to the world, you can let each module take care of its own $dbuser and $dbpass using the same bareblocked closure you quote, but without the need for a synched config file. A module then knows its own secrets, and no other secrets are exposed to it.
Security is pretty often at odds with maintainability, and I think your question is an example of that. Apache suExec requires extra care. I wouldn't develop for it without taint on.
After Compline,
Zaxo
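One way to lay out the arrangement described in the post above, as an added example that is not part of the original post or thread: a module that keeps its own credentials in a bare-block closure and refuses to connect unless its file is owner-only. The package name, sub names, DSN and credential values are hypothetical, and the permission check assumes a Unix-like host where the script runs as the file's owner (as under suExec).

```perl
use strict;
use warnings;

package My::OrdersDB;   # hypothetical module name

{
    # Lexicals declared in this bare block are reachable only from the
    # subs compiled inside it; no other package can name them.
    my $dsn    = 'dbi:mysql:database=orders';   # constructed sample values
    my $dbuser = 'orders_app';
    my $dbpass = 'not-a-real-password';

    # True only if $file (a path or open filehandle) is owned by the
    # effective uid and has no group/other permission bits set.
    sub file_is_private {
        my ($file) = @_;
        my @st = stat($file) or return 0;
        return 0 if $st[2] & 0077;
        return $st[4] == $> ? 1 : 0;
    }

    # Specialised DBI->connect: callers may pass attributes, never credentials.
    sub new_dbh {
        my ($class, %attr) = @_;
        die __FILE__ . " is accessible to group or other\n"
            unless file_is_private(__FILE__);
        require DBI;   # loaded lazily so the permission demo runs without DBI
        return DBI->connect($dsn, $dbuser, $dbpass, { RaiseError => 1, %attr });
    }
}

package main;
use File::Temp ();

# Constructed stand-in for a module file under a private ~/lib directory.
my $fh = File::Temp->new;
for my $mode (0644, 0600) {
    chmod $mode, $fh or die "chmod: $!";
    printf "%04o private? %s\n", $mode,
        My::OrdersDB::file_is_private($fh) ? 'yes' : 'no';
}
```

The closure limits which code can name the credentials; it is the file mode that keeps other accounts on the server from reading them out of the source.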