IMO suexec would be better suited to handle more sensitive operations such as unmounting.
CGI is not an interactive shell, as you discovered.
Calling a separate script with the suid bit might work too.
But I don't need an interactive shell: I need a way to run a script as user www-data, which is what CGI is for. I tested the script in an interactive shell because that's the easy way to run a script as user www-data.
What's interesting here is that CGI appears to be doing something more complex than simply forking a process. The script which is the problem has an EUID of 0, so why can't it unmount a filesystem? Have I just messed up (probably?) Or has Apache run me without CAP_SYS_ADMIN? If so, how and why? Maybe this is unlikely, but if it happens, it should be documented. If this, or something similar, doesn't happen, then I know that the problem is my fault.