Apache is started by a master process which MUST run as root in most unix environments, since Unix is saddled / blessed with the design decision that outbound requests on ports <1024 MUST be made by the "root" user.
All other children in apache are then started as another user, specifically one that ISN'T usually ever root, and for good reason.
The master apache process is very restricted in function and process. All it does is create and destroy the other apache child processes, and administer things like common memory. It also logs I believe. This limits the interaction of this process enough that it can be thoroughly locked down.
The child processes can be started in one of two modes really. One mode starts all the children under the same user ID, all sharing the same resources, all with the same access. You can specify this user by changing the lines in the apache's httpd.conf file that degine the default user and group to run apache as. They look like this:
User nobody
Group nobody
Just change nobody to your name or something and they all start as you instead.
I generally create a user named httpd to run them as, then set permissions so httpd has a limited access to the universe around it and run apache as that user.
The other way to do things is called SetUID, whereby apache (remember the mast daemon runs as root and can do ANYTHING it wants) starts each process under the ownership of the directory owner is is served from. This is real handy for a machine with hundreds of users where you wanna keep people from peeking over the fence or planting petunias or whatever with each other's PHP code.
Combined with Safe mode (see the php documentation) setUID mode of apache makes for a moderately secure solution that is fast and stable.
But on production application servers, you just make one user like httpd and let him have reign over everything he needs.
