in reply to Mysql-CGI Security Question

Each OS-level user that needs access to the DB gets a DB user of his own, and usually also a separate database, and gets granted all the permissions he needs.

His DB credentials are then stored in a file, and read access to that file is limited to a certain user or group.

Then one uses the suexec mechanism of Apache (or comparable for other webservers) to make it execute the CGI script in the context of said user or group.
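
A check that could be run on the credentials file described above before a CGI script trusts it, as an added example that is not part of the original post. It assumes GNU `stat` and a simple `key=value` file layout; the function names `cred_file_ok` and `cred_get` are hypothetical.

```shell
#!/bin/sh
# Added example: validate a per-user DB credentials file.
# Assumptions: GNU stat is available; the file holds key=value lines.

# cred_file_ok FILE [EXPECTED_UID]
# Succeeds only if FILE is a regular file (not a symlink), is owned by the
# expected uid (default: the uid we run as, i.e. the suexec user), grants
# nothing to "other", and is not group-writable. Group read is allowed,
# matching "read access limited to a certain user or group".
cred_file_ok() {
    f=$1
    want_uid=${2:-$(id -u)}
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not a regular file: $f" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%u' "$f")
    if [ "$owner" != "$want_uid" ]; then
        echo "owner uid $owner, expected $want_uid: $f" >&2
        return 1
    fi
    # 007 = any permission for "other"; 020 = group write.
    if [ $(( 0$mode & 007 )) -ne 0 ] || [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "mode $mode too permissive: $f" >&2
        return 1
    fi
    return 0
}

# cred_get FILE KEY
# Prints the value stored for KEY, but only if FILE passed the check above.
cred_get() {
    cred_file_ok "$1" || return 1
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Typical use inside a CGI wrapper running under suexec:
#   DB_USER=$(cred_get "$HOME/.db.cred" user) || exit 1
```
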