the application runs with the privileges of the web server. If that is root, you have a problem.

No, you have two problems - the first of which is solved by firing your system administrator.

Red Hat locked apache down by changing to some "nobody/nogroup"

No, apache has done that from (very nearly if not) the start. Various distributions will change the username and/or group, but the net effect is that apache needs to be launched as root to bind to a privileged port (< 1024) and then drops privileges to as unprivileged a user as possible.

s**lil*;  $*=join'',sort split q**;  s;.*;grr; &&s+(.(.)).+$2$1+; $; =
qq-$_-;s,.*,ahc,;$,.=chop for split q,,,reverse;print for($,,$;,$*,$/)
[download]