I have a web application needs write access to certain folders on a LAMP server.
Since suPHP / suEXEC escalate operations to an account you specify, it seems like your server is no more secure because a hacker could still compromise your site (you just get to pick the user).
Is this any more secure than granting www-data write access on those specific files / folders?
Keep in mind,
suexecdoes not eliminate all security problems, and deals only with a very small subset of issues. You mention that a hacker could still compromise your site, but as a different user--which is true. But consider this--on a shared hosting environment, where all the Apache instances are running aswww-data, an exploited Apache process now has access to everythingwww-datahas, which likely spans multiple users.So if you had a user that could ONLY view its own files, had a jailed shell (if the hacker was able to exploit and login as the user), disabled login, etc., then exploiting that user, specifically, would have only a limited effect. The purpose here is not to prevent hackers from getting in, but to limit their damage once they are. Since CGI can be exploited, it still falls on your shoulders to make sure that your scripts are still secured.