Add an extra hook right after merging per-directory configuration.
This makes sure we are able to setuid() as early as possible (that
is, as soon as know what uid/gid to use for this location), so we
won't run all sorts of subrequests and other stuff as root.

Index: httpd-2.4.1/server/request.c
===================================================================
--- httpd-2.4.1.orig/server/request.c
+++ httpd-2.4.1/server/request.c
@@ -69,6 +69,7 @@ APR_HOOK_STRUCT(
     APR_HOOK_LINK(auth_checker)
     APR_HOOK_LINK(insert_filter)
     APR_HOOK_LINK(create_request)
+    APR_HOOK_LINK(post_perdir_config)
 )
 
 AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
@@ -91,6 +92,21 @@ AP_IMPLEMENT_HOOK_VOID(insert_filter, (r
 AP_IMPLEMENT_HOOK_RUN_ALL(int, create_request,
                           (request_rec *r), (r), OK, DECLINED)
 
+/**
+ * This hook allows modules to affect the request immediately after the
+ * per-directory configuration for the request has been generated. This allows
+ * modules to make decisions based upon the current directory configuration
+ *
+ * This hook is private to mpm-itk, so it is not exposed in http_request.h.
+ *
+ * @param r The current request
+ * @return OK or DECLINED
+ */
+AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r))
+
+AP_IMPLEMENT_HOOK_RUN_ALL(int,post_perdir_config,
+                          (request_rec *r), (r), OK, DECLINED)
+
 static int auth_internal_per_conf = 0;
 static int auth_internal_per_conf_hooks = 0;
 static int auth_internal_per_conf_providers = 0;
@@ -191,6 +207,13 @@ AP_DECLARE(int) ap_process_request_inter
         r->log = d->log;
     }
 
+    /* First chance to handle the request after per-directory configuration is
+     * generated 
+     */
+    if ((access_status = ap_run_post_perdir_config(r))) {
+        return access_status;
+    }
+
     /* Only on the main request! */
     if (r->main == NULL) {
         if ((access_status = ap_run_header_parser(r))) {