CGI's must be executable by everyone

AFAIK, this is configuration dependent. Commonly, Apache is often set up to run as the user 'nobody' (group 'nogroup'), and the scripts are owned by some user, i.e. 'webmaster', or possibly by root. In this case, the scripts must be world-executable, because the server is not running as the same user or group as the owner.

However, this is not always the case. My personal webserver, for example, runs as the user 'httpd', and is a member of the groups 'httpd' and 'web'. My PHP pages (the same rules apply as for CGI scripts) are owned by user 'rlk' (me), and have group 'web'. Since the server is a member of group web, the pages need only be group-executable. One advantage of doing it this way is that some of the pages need things such as database passwords hard-coded into them, and if they were world readable (a script must be readable to be executable), then any user on my system could read the script, learn my mysql password, and trash my database.

--
Ryan Koppenhaver, Aspiring Perl Hacker
"I ask for so little. Just fear me, love me, do as I say and I will be your slave."