+# This service which allows CGI programs to be provided which do not
+# run as the webserver user, but instead are owned by a particular
+# other account.
+#
+# Similar effects can be achieved with Apache's suexec; this facility
+# is for administrators who do not trust suexec and wish to defend the
+# webserver from the CGI script providers, and vice versa, as much as
+# possible. This is achieved by using userv to do the cross-account
+# call, rather than a custom setuid helper.
+#
+# This default configuration allows the webserver user to invoke
+# users' CGI programs from each user's ~/public-cgi, but to allow
+# external http clients to do this, the webserver will also need to be
+# configured.
+
if ( grep service-user-shell /etc/shells
& glob calling-user www-data
)