Forwarding Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=70982 --- begin quote --- Apache will call suexec in "user" mode (specifying a user to su to), when any URL starts with ~. It does not check if UserDir has been disabled before doing this. ViewCvs (and cvsweb) use the token "~checkout~" at the front of a URL to indicate that the file should be downloaded from CVS. If a server is setup such as "cvs.example.com", with a rewrite rule pointing at the CGI script, suexec will be run, and try to switch to user "checkout", which is incorrect. This bug should probably be forwarded upstream. I think a test to see if userdir is disabled, and if so, pass any parameters verbatim, would solve the problem. --- end quote --- Note that this specific problem is no longer relevant; viewcvs now uses *checkout* instead of ~checkout~, but there may be other situations when this is inappropriate.
(Fixed in 2.0)