Should not try to give people advice at two in the morning. I said
I've set each user's web-facing directories and files to owned by user, but group is the apache user. The directories that serve the domain root are owned by the apache user. Directory permissions are read/write/search (rwx) for owner, read/search (r-x) for group, no permissions (---) for others.
And I failed to mention the permissions on the files. Putting the files in the apache user group allows you to remove the read (static html) and execute (cgi) permissions for "others" if you want, which shores things up a bit. I don't remember if Apple gives you an apache group, but that's easy enough to add with netinfo if they don't.
And I said
I personally am a bit of a bigot about file extensions. I don't use them except for perl because I don't have to, and because I prefer to have all my cgi in one place.
But I should have said I don't use extensions with perl, only with php, because that's the way php is built. (But I don't use php at home, which is kind of ironic. :-/)
My reason for confining executables to a specific set of directories is somewhat related to my reason for not using HFS on web-facing partitions. It allows me a greater level of confidence that I know which files the server is going to expose to the web and how. Less to keep track of. Less chance of mistakenly treating a non-cgi file as an executable, and less chance of spilling source code through some slip in the configuration.
(And how's that for trying to keep this on-topic?)