Saturday, October 15, 2016

security - Apache 2.2 isn't obeying file level cgi permissions



I have two servers. Server 1 runs Apache 2.2 and mod_perl 2.0.4. Server 2 runs Apache 2.0 and mod_perl 1.99. They have nearly identical conf files. The perl section of the vhost looks like this:




<Location /perl>
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
</Location>




If I put a cgi script in the designated perl directory of Server 2 chmodded to 644, I can't access the file through the web browser. I get Forbidden as the error. That's the behavior I'd expect. I have to chmod it to 755 first.




However, if I put the same script in the directory for cgi scripts on Server 1 chmodded to 644, the server just executes the script. It doesn't seem to care what the file's permissions are, only what the directory is set to.



All files are owned and grouped in root and apache is running under a separate user. The directory is chmodded 755 and also belongs to root.



My question is, is there a way to make the behavior identical and is this a potential security risk on Server 1? Or is there a generally better way I should be doing this?


Answer



mod_perl isn't CGI, so neither +ExecCGI nor executable permissions actually matter for it. The reason that you see different behaviour is that in version 1.999_02 the mod_perl developers changed their mind about the executable bit:



ModPerl::Registry no longer checks for -x bit (we don't executed
scripts anyway), and thus works on acl-based filesystems. Also
replaced the -r check with a proper error handling when the file is
read in. [Damon Buckwalter ]


From http://perl.apache.org/dist/mod_perl-2.0-current/Changes
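Since ModPerl::Registry no longer looks at the -x bit, the files worth reviewing are the ones that are readable but not executable: they run on Server 1 and are Forbidden on Server 2. The shell functions below are an added example, not part of the original question or answer; they assume the setup from the question (root-owned files, Apache running as an unrelated user, so only the "other" mode bits apply), and the function names and verdict labels are made up for this example.

```shell
#!/bin/sh
# Added audit example (not from the original post). Assumption taken from the
# question: scripts are owned by root and Apache runs as an unrelated user,
# so only the "other" permission bits decide what Apache can do with a file.

# classify_registry_scripts DIR
# Prints "<verdict> <path>" for every regular file under DIR, sorted by path:
#   both       o+r and o+x: runs with or without the -x check
#   no-x-only  o+r, no o+x: runs only where ModPerl::Registry skips the -x check
#   neither    no o+r: Apache cannot read the file, so it runs on neither
classify_registry_scripts() {
    find "$1" -type f \( \
        -perm -004 -perm -001 -exec printf 'both %s\n' {} \; -o \
        -perm -004 -exec printf 'no-x-only %s\n' {} \; -o \
        -exec printf 'neither %s\n' {} \; \) | sort -k2
}

# exposed_scripts DIR
# Lists only the files whose behaviour differs between the two servers,
# i.e. the ones a 644 mode no longer keeps from being run.
exposed_scripts() {
    classify_registry_scripts "$1" | sed -n 's/^no-x-only //p'
}

# When called with a directory argument, print the full classification.
if [ -n "${1:-}" ]; then
    classify_registry_scripts "$1"
fi
```

Run it against the directory that the `/perl` location maps to; any path printed by `exposed_scripts` should either be meant to run or be moved out of that directory.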

