Re: [suse-security] apache log files are user-readable

644, which is not really on. Access logs shouldn't be available to all users, at least not by default.
Why not? Users can create WEB-pages, so these files are often useful to debug problems. If you want to create access statistics (for example with webalizer), you need to read httpd.access too. I don't see any security hole... (please let me know if you really find one)
It's not directly a security problem, more a privacy one (but privacy is security-related). As such, users shouldn't have access to other users' or the system's access logs. At least not by default. Ask your ISP or web hoster whether you can have a copy of the access logs of all customers plus everyone else's and see how far you're going to get. If you have a good web hoster, they will provide you with *your own* logs only. Likewise for email - do you give transfer logs (date, time, sender, receiver, perhaps subject) to all users on your system? Certainly not.

Volker
participants (1)
-
Volker Kuhlmann