IMO suexec would be better suited to handle more sensitive operations
such as unmounting.
CGI is not an interactive shell, as you discovered.
Calling a separate script with the suid bit might work too.
But I don't need an interactive shell: I need a way to run a script as
user www-data, which is what CGI is for. I tested the script in an
interactive shell because that's the easy way to run a script as user
www-data.
What's interesting here is that CGI appears to be doing something more
complex than simply forking a process. The script which is the problem
has an EUID of 0, so why can't it unmount a filesystem? Have I just
messed up (probably)? Or has Apache run me /without/ CAP_SYS_ADMIN? If
so, how and why? Maybe this is unlikely, but if it happens, it should be
documented. If this, or something similar, doesn't happen, then I know
that the problem is my fault.
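One way to settle the "EUID 0 but no CAP_SYS_ADMIN?" question is to have the
CGI script read its own /proc/self/status and look at the CapEff/CapBnd
masks rather than just the Uid line, since umount(2) is gated on the
effective capability set, not on the EUID. The script below is an added
example, not code from either poster; the two status documents in it are
constructed samples (a plain root process, and an EUID-0 process whose
bounding set had CAP_SYS_ADMIN removed before exec), and the capability bit
numbers are the standard ones from linux/capability.h.

```python
import re

# Capability bit numbers from linux/capability.h (a subset; CAP_SYS_ADMIN,
# bit 21, is what mount(2)/umount(2) check for).
CAP_BITS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_SYS_ADMIN": 21,
}

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: a plain root process on a typical kernel.
ROOT_STATUS = (
    "Name:\tumount-test\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

# Constructed sample: still EUID 0, but bit 21 (CAP_SYS_ADMIN) is missing
# from the bounding set, so it never makes it into the effective set.
DROPPED_STATUS = (
    "Name:\tumount-test\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t33\t33\t33\t33\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffdfffff\n"
    "CapEff:\t000001ffffdfffff\n"
    "CapBnd:\t000001ffffdfffff\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_status(status_text):
    """Parse the Uid: and Cap*: lines of a /proc/<pid>/status document.

    Returns a dict with 'uid' = (real, effective, saved, fs) and one
    integer bitmask per Cap* field present in the text.
    """
    info = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Uid":
            info["uid"] = tuple(int(v) for v in value.split())
        elif key in CAP_FIELDS:
            info[key] = int(value, 16)
    return info


def has_cap(mask, cap_name):
    """True if the bit for cap_name is set in the given capability mask."""
    return bool(mask >> CAP_BITS[cap_name] & 1)


def diagnose(status_text):
    """Report EUID and whether CAP_SYS_ADMIN is effective / in the bounding set.

    A process can have EUID 0 and still fail umount(2) when CapEff lacks
    bit 21; checking CapBnd tells you whether it could ever regain it.
    """
    info = parse_status(status_text)
    return {
        "euid": info["uid"][1],
        "sys_admin_effective": has_cap(info.get("CapEff", 0), "CAP_SYS_ADMIN"),
        "sys_admin_bounding": has_cap(info.get("CapBnd", 0), "CAP_SYS_ADMIN"),
    }


def self_diagnosis():
    """Run the same check on the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return diagnose(f.read())


if __name__ == "__main__":
    print("root sample:   ", diagnose(ROOT_STATUS))
    print("dropped sample:", diagnose(DROPPED_STATUS))
    try:
        print("this process:  ", self_diagnosis())
    except OSError as exc:
        print("no /proc/self/status here:", exc)
```

Dropping this into the CGI script (or any script Apache launches) and
logging the result shows directly whether the web server, a wrapper such as
suexec, or a systemd/container bounding-set restriction removed the
capability before your code ran, which separates "Apache dropped it" from
"my script is wrong" without needing an interactive shell.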