A project I'm currently working on requires global users to be split into different chroots (either individual or shared for multiple users) using the pam_chroot module.
Aside from the annoying fact that pam_chroot doesn't support group based rules (but does allow regex matches), I found that most of the standard CGI security tools like suphp and cgiwrap do not use PAM and thus cannot take advantage (implicitly) of PAM modules (including pam_chroot).
As a result I've patched both suphp and cgiwrap to support basic per-user chroot directory lookup from /etc/security/chroot.conf.