Apache's documentation (links following) says you shouldn't give anyone write-access to the directories where you put your log files:
http://httpd.apache.org/docs/misc/security_tips.html
http://httpd.apache.org/docs/logs.html
http://httpd.apache.org/docs/mod/core.html#errorlog
One of the warnings is this: "Anyone who can write to the directory where Apache is writing a log file can almost certainly gain access to the uid that the server is started as, which is normally root." Which sounds pretty scary.
My httpd.conf tells Apache to run as user nobody, which can't write logs if /var/log/apache is owned by root. That forces me to change the owner of /var/log/apache to nobody, but if the warnings above are true then that somewhat defeats the purpose of using the nobody user. Am I doing something wrong here?
Thanks,
GR
(Yes, I run Apache chrooted.)
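
A check for the condition the quoted warning describes, as an added example that is not part of the original post: it reports a log directory that is not owned by the expected uid or that group or others can write to, and flags symlinks and loosely writable files inside it. The helper names, the default of uid 0 (root, the uid the warning names) and the use of `stat -c` (GNU coreutils or BusyBox) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
# Usage: audit_log_dir DIR [EXPECTED_UID]   EXPECTED_UID defaults to 0 (root).
# Assumes a stat that accepts -c (GNU coreutils or BusyBox).

# True when an octal mode string such as 755 has a group or other write bit.
loosely_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

audit_log_dir() {
    dir=$1
    want_uid=${2:-0}
    findings=0

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a real directory"
        return 2
    fi

    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $owner, expected $want_uid"
        findings=$((findings + 1))
    fi
    if loosely_writable "$mode"; then
        echo "FAIL $dir: mode $mode lets group or others write"
        findings=$((findings + 1))
    fi

    # Log files themselves should be plain files that only the owner can write.
    for entry in "$dir"/*; do
        if [ -L "$entry" ]; then
            echo "FAIL $entry: symlink inside the log directory"
            findings=$((findings + 1))
        elif [ -f "$entry" ] && loosely_writable "$(stat -c '%a' "$entry")"; then
            echo "FAIL $entry: writable by group or others"
            findings=$((findings + 1))
        fi
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK $dir"
        return 0
    fi
    return 1
}

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then audit_log_dir "$@"; fi
```

Called as `audit_log_dir /var/log/apache`, it returns 0 only when the directory passes every check; pass a second argument to test against a uid other than root.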