Add an extra hook right after merging per-directory configuration.
This makes sure we are able to setuid() as early as possible (that
is, as soon as know what uid/gid to use for this location), so we
won't run all sorts of subrequests and other stuff as root.

An adapted version of this patch was committed in Apache trunk
as r1368121.

Index: httpd-2.4.1/server/request.c
===================================================================
--- httpd-2.4.1.orig/server/request.c
+++ httpd-2.4.1/server/request.c
@@ -69,6 +69,7 @@ APR_HOOK_STRUCT(
     APR_HOOK_LINK(auth_checker)
     APR_HOOK_LINK(insert_filter)
     APR_HOOK_LINK(create_request)
+    APR_HOOK_LINK(post_perdir_config)
 )
 
 AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
@@ -91,6 +92,21 @@ AP_IMPLEMENT_HOOK_VOID(insert_filter, (r
 AP_IMPLEMENT_HOOK_RUN_ALL(int, create_request,
                           (request_rec *r), (r), OK, DECLINED)
 
+/**
+ * This hook allows modules to affect the request immediately after the
+ * per-directory configuration for the request has been generated. This allows
+ * modules to make decisions based upon the current directory configuration
+ *
+ * This hook is private to mpm-itk, so it is not exposed in http_request.h.
+ *
+ * @param r The current request
+ * @return OK or DECLINED
+ */
+AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r))
+
+AP_IMPLEMENT_HOOK_RUN_ALL(int,post_perdir_config,
+                          (request_rec *r), (r), OK, DECLINED)
+
 static int auth_internal_per_conf = 0;
 static int auth_internal_per_conf_hooks = 0;
 static int auth_internal_per_conf_providers = 0;
@@ -191,6 +207,13 @@ AP_DECLARE(int) ap_process_request_inter
         r->log = d->log;
     }
 
+    /* First chance to handle the request after per-directory configuration is
+     * generated 
+     */
+    if ((access_status = ap_run_post_perdir_config(r))) {
+        return access_status;
+    }
+
     /* Only on the main request! */
     if (r->main == NULL) {
         if ((access_status = ap_run_header_parser(r))) {