Indeed. A chroot would only apply to a user if they were logged into
the system. Let's say I wanted to prevent users executing the command
"bad_command". Well, if "bad_command" was not available to a user in
their chroot, they wouldn't be able to execute it. However, a user
might write a Perl script that contained the following line:
system("bad_command");
If they got Apache to execute the script, the "bad_command" would be
run. This is the reason why I'm trying to approach this problem from a
permissions standpoint.