So to confirm, this is the appropriate setup:
drwxr-xr-x root admin /srv
drwxr-xr-x root admin /srv/www
drwxr-x--- root admin /srv/www/logs
-rw-r----- root admin /srv/www/logs/access.log
-rw-r----- lsws lsws /srv/www/logs/error.log
In other words, any access by lsws to access.log and error.log will be denied except when forwarded by the parent lshttpd, right?