secure_access_group option for higher user security

Version 1.333

Feature
Finished

This is enabled by default for new installs.

Option that can be added to the directadmin.conf if you wish to enable this feature:

    secure_access_group=access

where access is the group name to be used. The internal default is null. If you wish to disable this feature, you must delete it completely from the directadmin.conf.

After enabling this, it applies to any newly created user. To set it for existing users, run:

    echo "action=rewrite&value=secure_access_group" >> /usr/local/directadmin/data/task.queue

This feature creates a group called access (assuming you use this value). This newly created group will contain the users apache, nobody and mail. These 3 UID values will be granted permission into the user's home directory by means of this access group set on /home/username for Users, and /home/username/domains for Admins and Resellers. The respective path will be set to chmod 710, thus preventing any other user on the system from looking into that path.

Note: If you're running clamd, you must also manually add the clamav user to this group:

    usermod -a -G access clamav

Note that a restart of all services will be required if you change this group for existing users. I have not determined why this is, but it appears to be some strange permission caching on the system where it doesn't recognize the new group instantly. After restarting the services, the new group value is recognized. The above echo command will do this automatically, but it is just something to keep in mind if you get strange permission problems after making this change.

Note that using this with apache_public_html=1 would be redundant, so set:

    apache_public_html=0

in your directadmin.conf.

-------------------------

Note that Admin and Reseller /home/user paths must be chmod to 711. The reason is that backups require full execute access for all Users. This also implies that any other backup directory for the Admin Backup/Transfer must also be chmod to 711, and chown to admin (or whichever Admin is running the backup).
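To confirm the rewrite task produced the layout described above, the following audit script can be run as root. It is an added example, not part of DirectAdmin; the function names are hypothetical, and it assumes GNU stat (Linux) and the group name access.

```shell
#!/bin/sh
# Added example: audit the secure_access_group layout. Not DirectAdmin code.
# Assumes GNU coreutils stat; all function names are hypothetical.

# Print each required user that is NOT listed as a member of GROUP in a
# group(5)-format file (name:passwd:gid:member,member,...).
missing_members() {
    group_file=$1; group=$2; shift 2
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$group_file")
    for user in "$@"; do
        case ",$members," in
            *",$user,"*) ;;
            *) echo "$user" ;;
        esac
    done
}

# Return 0 if DIR has exactly the expected group and octal mode;
# otherwise print a finding and return 1.
audit_path() {
    dir=$1; want_group=$2; want_mode=$3
    actual=$(stat -c '%a %G' "$dir") || return 1
    mode=${actual%% *}; grp=${actual#* }
    if [ "$mode" = "$want_mode" ] && [ "$grp" = "$want_group" ]; then
        return 0
    fi
    echo "$dir: mode=$mode group=$grp (expected $want_mode $want_group)"
    return 1
}

# Audit every directory under ROOT as a regular User home (710 + group).
# Admin/Reseller homes are 711 and will be reported here; for those, check
# /home/name/domains with audit_path instead.
audit_homes() {
    root=$1; group=$2; bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        audit_path "${d%/}" "$group" 710 || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Run against the live system only when asked: ./audit.sh --run [group]
if [ "${1:-}" = "--run" ]; then
    missing_members /etc/group "${2:-access}" apache nobody mail
    audit_homes /home "${2:-access}"
fi
```

Any user name printed by missing_members, or any path printed by audit_homes, indicates a directory or service account that does not match the layout this feature is meant to enforce.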
