Giving other users write access to apache logs can result in root exploit - How does this work?

Check out the security tips page.

http://httpd.apache.org/docs/2.2/misc/security_tips.html

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.

Since apache opens and reads the log file as root, there is a danger here for abuse. Not sure why you would want a non-root (apache) user to have write access to the files. You can safely grant read access but would suggest that write access only be given to old files that have rotated. Apache is not opening these files when you use logrotate to manage log rotation.

If apache is running as root... and a non-root user writes a script for apache to execute... then by-virtue of how processes work... the script runs as root. As a security measure, most distributions do not run apache as root... but as a dedicated user like "www-data" or "apache" or "httpd".