What is the minimum ACL required for (public_html) to keep my web site secure and working fine?
And what is the default ACL for the new virtual server?
As long as you’re running an Apache that has been rebuilt with suexec docroot set to /home, you’ve configured Virtualmin to add the Apache user to the domain owners group, and Dovecot 1.0, you can set all homes to 750 (including public_html within the home).
If you’re not running Dovecot 1.0, you’ll need to go 755 for the home directory and public_html can be 750.
If you aren’t adding the Apache user to the virtual server group, public_html will have to be 755.
If you haven’t rebuilt Apache to use suexec docroot /home, scripts won’t be able to run as the user, and permissions will have to be 755 (or worse).
Virtualmin Professional does all of these, by default, and in the next few days, there will be an automated installer for GPL that will do all of them on Debian 4.0 and CentOS 5 (no others will be supported by the GPL installer, at least for a while).