Need a secure way to vhosting

Hi,

first, may excuse my 'lame' english.

Introduction:
-------------
We're running a just-for-fun hosting service on a dedicated server
apache 1.x, ssl, php enabled. no suexec at this moment but think it is
enabled as we're recompiling apache to enable it soon

users are in different groups, let call them reelusers and virtusers
they're homedirs are just like this:

/export/home/$group/$user

a closer look on the 'virtusers' group, which is used for the (v)hosting.

they have real entries in /etc/passwd and they're all members of the
virtusers group

they got the following sub directories in their path:
cgi-bin - no comment
www - they're htdocs
ftp - they're anon ftp
logs - httpd/ftp logging
private - area where they can place they're .htpasswd and others sensible
datas

dns and ftp allow them to ftp to www.us.tld and www.theirdomain.tld with
their logins
and their DefaultRoot is set to ~, with <Limits> on these sub directories,
actually they cant' write to ~, and cant' create others directories than
www, cgi-bin, ...

apache is run by vwww/vwww
proftpd is run by nobody/nogroup (perhaps we need to switch to vwww/vvww
too)

each virtusers sub directories are mounted (--bind) to another place on the
system
let's call it 'vhosting' to make it simple:
so /export/home/virtusers/$user/www is now /vhosting/www/$user

the same for all others sub directories, accordingly with the services we
offer or not
to a particular user, letting us to mount or umount one of these dirs.
in order to prevent users to see a full path to the system.

apache vhosts documentroot are pointing to /vhosting/www/$user
cgi bin are aliased to /vhosting/cgi-bin/$user
logs to ...
these <VirtualHost> are actually in the same user/group couple than apache,
then we will add User/Group to each vhosts with suexec enabled.


And now the problem...
------------------------
we're aware about privacy/security problems and hardly need to
prevent users to get informations from outside their directories,
of course, we will enable suexec, limit php with the base_dir value
but a simple test on two users with a couple of .htacces and .htpasswd
reveal a major problem. user A can reach user B private/ directory, and www/
as well.

we have tried to use the sticky bit but we're lost into the
rights/permissions nightmare.
here's the (latest) perms:
drwxrwxr-x 3 root root 72 May 25 07:33 export/
drwxrwxr-x 6 root root 144 May 25 07:35 home/
drwxr-s--x 5 root vwww 128 May 30 07:41 virtusers/

at this point we place a sticky bit on /export/home/virtusers/

drwxr-x--- 7 usera virtusers 168 Jun 2 19:16 usera/
drwxr-x--- 7 userb virtusers 168 Jun 2 12:29 userb/
drwxr-x--- 4 userc virtusers 96 Jun 1 23:45 userc/

so users, in theory, inherit the vwww group and can't look inside
others directory, virtusers are not in the group vwww.

sub directories perms:
drwxr-xr-x 2 usera virtusers 48 Jun 2 12:50 cgi-bin/
drwxr-xr-x 2 usera virtusers 48 Jun 1 23:14 ftp/
drwxr-xr-x 2 usera virtusers 48 Jun 1 22:55 logs/
drwxr-xr-x 2 usera virtusers 80 Jun 2 19:21 private/
drwxr-xr-x 14 usera virtusers 584 Jun 2 21:47 www/


perms on /vhosting or nightmare part II
---------------------------------------
/vhosting
drwxr-xr-x 7 root root 168 Jun 1 23:14 vhosting/

/vhosting/*
drwxr-s--- 4 vwww vwww 104 Jun 1 23:45 private/
drwxr-s--- 5 vwww vwww 128 May 30 10:53 www/

/vhosting/www
drwxr-xr-x 2 usera virtusers 112 Jun 2 19:17 usera/
drwxr-xr-x 14 userb virtusers 584 Jun 2 21:47 userb/
....

The question:
what's the best/prefered/secure way to set up perms on these directories
to prevent users to do something bad with the system and other users datas?
limiting their rights but allowing them to run any cgi/php software
securely?
the idea behind is to properly host them anyway :)

Thanks in advance for any help.

--
Marcus