I think it is a unix account security issue.
A private group should be created for each user, the root directory of each user should be owned by the user and the private group, permission should be 0750 or 0770. Then only this user can read his own directory.
The user that the web server is running as should be a member of the private groups of those users, so the web server can read all files.
Then a set-uid CGI script will not be able to peek at files of another user. :-)
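A shell version of this layout, added here as an example and not the poster's code: setup_user_root applies the steps above (needs root), and the remaining functions audit an existing tree without root. The web server account name (www-data) and a single base directory for user roots are assumptions.

```bash
#!/bin/sh
# Added example, not the poster's code: the per-user private group layout
# from the reply, plus checks a defender can run against an existing tree.
# Assumptions: the web server runs as WEB_USER (www-data here) and each
# user's root directory lives under one base directory (e.g. /home).
WEB_USER="${WEB_USER:-www-data}"

# setup_user_root USER DIR: private group named after USER, DIR owned by
# USER:USER with mode 0750 (no "other" bits, so another user's set-uid
# CGI gets nothing), and the web server account added to the group so it
# can still read. This part needs root; the audit functions below do not.
setup_user_root() {
    user="$1"; dir="$2"
    getent group "$user" >/dev/null || groupadd "$user"
    chown "$user:$user" "$dir"
    chmod 0750 "$dir"
    usermod -aG "$user" "$WEB_USER"
}

# mode_field DIR START END: slice of the ls -ld mode string, e.g. 5-7 is
# the group triplet and 8-10 the "other" triplet of "drwxr-x---".
mode_field() {
    ls -ld "$1" | cut -c"$2"-"$3"
}

# root_is_private DIR: true only when no "other" bit is set, i.e. the mode
# has the 0750/0770 shape the reply asks for.
root_is_private() {
    [ "$(mode_field "$1" 8 10)" = "---" ]
}

# web_can_read DIR USER: true when WEB_USER is a member of USER's private
# group and that group can enter and list DIR (r-x or rwx).
web_can_read() {
    id -nG "$WEB_USER" 2>/dev/null | tr ' ' '\n' | grep -qx "$2" || return 1
    g=$(mode_field "$1" 5 7)
    [ "$g" = "r-x" ] || [ "$g" = "rwx" ]
}

# audit_roots BASE: print every user root under BASE that any local
# account (and so any other user's CGI script) can still traverse or read.
audit_roots() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        root_is_private "$d" || echo "world-accessible: $d ($(mode_field "$d" 1 10))"
    done
}
```

Run audit_roots against the base directory after the change; any line it prints is a user root that still lets every other local account in.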