Apache & CGI Bin Security...


DaRacerz
05-30-2001, 08:45 AM
Currently running a server off of RedHat 6.2 and am worried about users making insecure programs. Is there any way to make a cgi program work only within a certain directory or only up levels? What I mean is, if the bin is located in /var/httpd/cgi/, is there any way to lock scripts to be able to view or do anything in any directories below that? If so, how would I lock it to do that? Thx.

Craig McPherson
05-30-2001, 10:19 AM
Not really, no. But if you don't want users adding CGI scripts at all, just remove write access from your CGI-BIN directory. If for some reason, you have to allow users to add CGI scripts... well, hmm. I'm sure you have Apache running as a non-privileged user like "nobody" or "wwwdata" or something like that, rather than as root. Therefore, the scripts won't be able to do anything that that user doesn't have rights to do. Make sure that that user account doesn't have access to any files you don't want it to. That'd keep you fairly safe right there -- but allowing anybody to add CGI scripts, you're never going to be entirely safe.

freebsd
05-30-2001, 11:13 AM
Consider suEXEC if you are worrying about members browsing and reading each other's files including your default web directory. At the very least, they can't even have READ access to other files or SEARCH access for dirs. Though they would have some READ access above your default web docroot.
It's fine to enable suEXEC if you don't have too many users (over 10k).
If you choose to enable suEXEC, you also need to disable PHP (as a module) for maximum security. Since PHP as a module runs as the same user Apache runs as, therefore, such a script has read access to other users' non-cgi scripts or files including *.php. You still can enable PHP for your docroot and premium or trusted users, partially.

[ 30 May 2001: Message edited by: freebsd ]
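A small audit script for the permission advice in Craig's and freebsd's replies, added here as an example and not taken from the thread: it flags anything in a cgi-bin that the web-server account could modify. The path /var/httpd/cgi and the user "nobody" are placeholders from the discussion; substitute the real directory and the User from httpd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a CGI directory against the
# advice given above. Neither the directory nor its scripts should be writable
# by the account Apache runs as, otherwise code already running as that user
# can plant or alter CGI scripts. Assumptions: "/var/httpd/cgi" and the user
# "nobody" are placeholders; pass the real cgi-bin path and the User from
# httpd.conf.

# cgi_bin_findings DIR APACHE_USER
# Prints one line per finding; prints nothing when the directory is clean.
# Always exits 0 so it can be used inside pipelines and substitutions.
cgi_bin_findings() {
    dir=$1
    web_user=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 0
    fi
    # World-writable entries (the directory itself and its direct children):
    # any local account, the web user included, can modify them.
    find "$dir" -maxdepth 1 -perm -002 2>/dev/null | while IFS= read -r p; do
        echo "WORLD-WRITABLE: $p"
    done
    # Entries owned by the web user: a script running as that user can
    # rewrite them whatever the mode bits say.
    find "$dir" -maxdepth 1 -user "$web_user" 2>/dev/null | while IFS= read -r p; do
        echo "OWNED-BY-WEB-USER: $p"
    done
    # Executable scripts that are also group-writable: a finding when the
    # web user belongs to that group, so worth reviewing.
    find "$dir" -maxdepth 1 -type f -perm -020 -perm -100 2>/dev/null |
        while IFS= read -r p; do echo "GROUP-WRITABLE-SCRIPT: $p"; done
    return 0
}

# cgi_bin_is_clean DIR APACHE_USER: exit 0 when there are no findings.
cgi_bin_is_clean() {
    [ -z "$(cgi_bin_findings "$1" "$2")" ]
}

# Demonstration on a constructed directory, not a real server.
demo=$(mktemp -d)
printf '#!/bin/sh\necho ok\n' > "$demo/good.cgi"
chmod 755 "$demo/good.cgi"
printf '#!/bin/sh\necho ok\n' > "$demo/bad.cgi"
chmod 757 "$demo/bad.cgi"             # world-writable: must be flagged
cgi_bin_findings "$demo" nobody
rm -rf "$demo"
```

Run it as root or as the directory owner; a clean cgi-bin prints nothing and `cgi_bin_is_clean` succeeds, which makes it usable from a cron job or a login script.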