While working through an issue with php-ldap I was running an strace on apache and noticed there were some access denied errors when a process was attempting to write to the apache error_log. Now this was interesting as apache typically opens the log files as root and does not require the log permissions to be opened up to the apache user (or whichever user the permissions are downgraded to after startup).
I changed ownership on the apache logs to be owned by the apache user and the logs began to be flooded with php debug messages. It looks like apache child processes attempt to write to the logs as apache and traffic and apache errors are logged to the logs with the root permissions that apache had upon startup.
In the future, I’ll be more careful when verifying permissions on apache logs to ensure that the user that apache runs as has write permissions.