Well, we have an in-house server manager (like Webmin, only more specific), consisting of a bunch of C CGI programs and CGI Perl scripts, some of which require root privileges (adding system users, managing passwords, dealing with mail queues, etc.) to be executed.
Currently Apache works as a reverse proxy and passes requests to another web server (Xitami) that listens on localhost, running as root.
So my question is: instead of running a web server as root (even if it's on 127.0.0.1), is it any different from doing a setuid root on the specific CGI directories/programs/scripts that absolutely require root privileges to execute? Or are both equally insecure? What could be the best possible solution/practice in this scenario?
It is better to setuid root only those CGIs that need such access, instead of running the whole web server as root.
Even better would be to use SELinux or RBAC (or a similar mechanism; you didn't specify what platform you're using) so that privileged operations do not actually need root.
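To show what "setuid root only the CGIs that need it" looks like in practice, here is an added example of a small setuid-root helper for the "add a system user" case. It is not code from the original question or answer, and it assumes a Linux/glibc box where the web server runs as www-data, useradd lives at /usr/sbin/useradd, and the helper is installed with `chown root:www-data helper; chmod 4750 helper` so only the web server user can execute it. The pattern is: strict allowlist validation of the one attacker-supplied value, a single privileged step run with a fixed command line and a clean environment, then an irrevocable drop back to the web server's identity before any output is rendered.

```c
/* Added example: setuid-root CGI helper that adds a system user.
 * Assumed install: root:www-data, mode 4750, run by the web server as
 * www-data with the requested username as argv[1]. Not from the page. */
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for usernames: [a-z_][a-z0-9_-]{0,31}. Anything else (upper
 * case, '/', ';', leading '-', empty, too long) is rejected outright.
 * Returns 1 if acceptable, 0 otherwise. */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    if (!(islower((unsigned char)s[0]) || s[0] == '_')) return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* The one step that needs root: fork and exec useradd with a fixed argv
 * and a fixed environment (the CGI environment is attacker-influenced).
 * Returns the child's exit status, or -1 if it could not be run. */
int run_useradd(const char *user)
{
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    char *const argv[] = { "useradd", "-m", "--", (char *)user, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/sbin/useradd", argv, envp);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Drop to uid/gid for good: supplementary groups first (only root may
 * call setgroups), then gid, then uid, then verify the drop actually
 * happened and that root cannot be regained. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* After a real drop, setuid(0) must fail; if it succeeds we are not
     * actually unprivileged and must not continue. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "";
    if (!valid_username(user)) {
        /* Reject before touching anything privileged. */
        printf("Content-Type: text/plain\r\n\r\nbad username\n");
        return 1;
    }
    int status = run_useradd(user);
    /* Nothing below needs root: drop to the real uid/gid, i.e. the web
     * server's identity when installed 4750 root:www-data. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 2;
    }
    printf("Content-Type: text/plain\r\n\r\nuseradd exit status %d\n", status);
    return status == 0 ? 0 : 1;
}
```

Two caveats worth keeping in mind with this approach. First, Linux ignores the setuid bit on interpreted (#!) scripts, so the Perl CGIs cannot simply be chmod 4750; each privileged operation needs a small compiled wrapper like the one above, which is also why the privileged surface should be kept to a handful of tiny, fixed-purpose binaries rather than the whole CGI directory. Second, a setuid helper is only as safe as its input handling, which is why the username check is an allowlist and the child gets a fixed argv and environment rather than anything derived from the request.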