The access granted to server owners for log viewing is excessive. They don't need anything other than the logs in their own home, but they get everything in /var/log, including the system level httpd access and error logs, which is potentially a security issue (it shouldn't be, but it's hard to predict what scripts will reveal in URL query strings and errors).
If it's possible to update this one soon, it'd be worth re-rolling 3.27 for.
Status:
Closed (fixed)