I'm planning on using an suexec like thing (CGIWrap). I don't know of any mechanisms that could be limited by the UID of the CGI process. Maybe a socket? Are there others?