What does pledge() do here? Apache usually drops to nobody, daemon, or www (eg as a user without privilege on the host at all) after opening a socket. Does OpenBSD's httpd run as root so it can invoke a low-privilege EUID request process? Because running as nobody doesn't include becoming a different user, unless calling a setuid binary, which is kindof possible, if awkward, with Apache (eg. because you'll want that only after auth, hence with a setuid program matching the authenticated client).