Thanks a ton. I'm still not 100% sure whether I do it the right way, but
it occurs to me as if I just discovered two bugs in Apache2 suExec that
make crazy workarounds necessary.
What do you think?
Sorry for the lag in answering. I reviewed a bit the code and found out that this is a pretty common use case (looking for AP_USERDIR_SUFFIX and suexec in Google revealed a ton of material). suexec is compiled separately from httpd, since as you can see from the source it gets a main() by itself. This means that whatever you set in the httpd's config will not affect AP_USERDIR_SUFFIX, that is a parameter compiled with suexec (you can tune it using httpd's configure though at build time, but once you create the suexec binary it is done). As far as I can see there are suexec variant's shipped with some distributions that allow a suexec config file, but I don't have a lot of experience with systems like these.
In this list there should be people running into the same issue that you encountered, let's see if another ping triggers some answers :)