Keeping a web directory inside one’s home directory tree has always been a bad idea, in my opinion. It leads to numerous permissions and security issues. I would like to have normal home directories be /home/user as usual, but keep web directories elsewhere, e.g., /web/user. There are at least three advantages to this. First, a user can keep his home directory permissions at 700, which offers the best privacy, but still have his web directory permissions open enough to be useful. Second, if you are using suexec, it could be compiled to stay within /web and never get into /home. Third, one could have SELinux enabled in enforcing mode, with the web server forced to remain within the /web/ directory tree, with no access possible into /home (or elsewhere) even if an intruder could get root access within the web server.
(Instead of /web you could use /var/www, which is the CentOS default.)
I’ve been looking at the Apache virtualhost templates supported by Virtualmin GPL (in the section Server Templates => Edit Server Template => Apache website), and I have not seen any obvious way of making the above happen. I’m really more interested in Virtualmin Pro, but am testing with Virtualmin GPL.
The problem is that, while the Apache virtualhost itself can be configured to have its DocumentRoot equal to /web/${USER}, the remaining settings on the screen seem to require that everything be somewhere inside the user’s home directory.
Before I invest any time in experimenting with this to see if it can actually be made to work, let me ask:
Has anybody considered this, or been successful in implementing this? Either in Virtualmin GPL or in Virtualmin Pro?
There was someone who did it many years ago, with websites in /var/www. I’m not sure how much has changed that might impact that. Dividing up will be tricky, as you note. Virtualmin does expect everything in one place. But, it’s also extraordinarily configurable. I’d be surprised if it prevents you from doing it (but I also expect it to be a lot of work).
I’m kinda swamped at the moment, so can’t really poke around to see what the implications would be…but, might take a look in a couple of weeks. I wonder, however, if maybe SELinux might not have better solutions. You can achieve a lot of the same ends regardless of where the files are stored. I have at least one of our systems running with SELinux enabled, with a moderately strict policy. I haven’t had enough time with it to know what the impact is on usability or secondary admin accounts and the like, however, so haven’t made those policy files public yet.
I appreciate the response, thanks. I will see if Virtualmin can be configured to put things outside home. But offhand, looking at the available settings, I suspect it won’t work.
The issue with using SELinux to implement the same type of access separation as putting web directories outside home directories is the overhead of creating and maintaining the SELinux policy. Each time we created a new website, we would have to add an explicit line into our SELinux policy permitting Apache into /home/user/, and each time we deleted a website we would have to undo that policy. Each time you added or removed a user, the entire policy file would need to be compiled and reloaded into the kernel, which would 10-15 seconds, maybe longer if you had many users.
I looked a little further, to see if there were hooks that could be used to cause an external program to be run each time a user is added or removed. That program could adjust SELinux policy, perhaps. I see that you do allow an external program to be invoked when a user is added to Virtualmin GPL,. But I don’t see any provision to run such a program when a user is removed. Furthermore, the external program is not, so far as I can tell, given any parameters that identify the user who was just created.
The above is what I concluded after looking at Virtualmin GPL’s System Settings => Virtualmin Config => Actions upon user and server creation screen. I do not know if Virtualmin Pro has any additional options that would allow an external program to be given parameters (such as HOME, DOM, USER) that would tell if what it needed to know about the user or website being added or removed.
I could modify the Virtualmin GPL code itself, but quite likely won’t be able to do it in Virtualmin Pro.
Yes, all scripts called by Virtualmin after user or domain creation/modification/deletion have the details of object being changed passed in as environment variables. If you run the env command in your script they should be self-explanatory.
Since I posted saying that I could not find enough hooks to run external programs, I have indeed discovered that you can. I found a number of places on the Internet where people described using such programs and all the arguments that they can use from the environment.
I looked further at the possibility of keeping web directories outside home directories, and that doesn’t seem doable. There are some hard-coded assumptions in virtualmin that web files are inside home.