Because Apache needs to be able to read files in that directory to serve them.
This isn’t “cross contamination”. The Apache user never executes code that users choose (unless you’ve installed mod_php or use CGI without suexec).
The only way to do otherwise would be to basically run a whole new web server for every user. There’s mpm-itk that automates this, but that isn’t available in the standard repos on any OS we support. http://mpm-itk.sesse.net/
mpm-itk also has some big caveats that make it a bit scary. It runs as root, for example, while Apache as we configure it drops privileges after binding to ports 80 and 443. It also has a notable performance and resource usage penalty.
If you’ve seen or configured web servers that didn’t have Apache with secondary group membership in all domain owner groups, it was almost certainly because security was worse and permissions were looser on the public_html dirs and the paths leading up to them.
So, what you’re seeing with that secondary group membership is a tool to allow tighter permissions on homes, rather than a loosening of permissions.
If you must remove it, and if you’re only using traditional Linux permissions and ownership, you’ll have to loosen permissions on the path to public_html in all of your homes, and the umask will need to be loosened so files created by the user or any apps are readable by Apache.
There are other ways to balance the compromise, and there are new ways to restrict file access in Linux, like POSIX ACLs or contexts in SELinux, but those are probably too hard to use for most casual web hosting administrators. Our File Manager has tools for working with ACLs and attributes, but I’d recommend you get real familiar with them before trying to implement server-wide security that way. And, nobody (statistically speaking) understands SELinux, so nobody will ever use that, so I wouldn’t even bother trying to go down that path.
So, the short answer to your question, “How do I overcome that error?” Probably something like this:
chmod 755 /home/domain
chmod 755 /home/domain/public_html
# directories need the execute (search) bit to be traversable, so set them separately from files
find /home/domain/public_html -type d -exec chmod 755 {} +
find /home/domain/public_html -type f -exec chmod 644 {} +
But, notice that what you currently have, by default on a Virtualmin system, is 750 and 640, respectively, which is notably more locked down. (Go look at other systems to see what they’re doing. If they’re not doing what we’re doing, they’re probably doing something worse. And, if they’re not, please tell us about it. We implemented this 20 years ago. Things change, and we’re open to new things, but not somewhat experimental things like mpm-itk.)
More on the topic from the Apache wiki (and note we do a slight improvement over their suggestion, which is enabled by Linux having a very high limit on the number of secondary groups and basically no penalty for having a gazillion secondary groups…some OSes we supported in the past didn’t allow that, and compromises were required): PrivilegeSeparation - HTTPD - Apache Software Foundation
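The reasoning in the post above comes down to the standard Unix discretionary access check: a process needs search (x) permission on every directory in the path and read (r) permission on the file, and the triplet that applies is picked by owner, then by any primary or supplementary group, then by "other". The following script is an added illustration, not Virtualmin or Apache code, that models that check and the umask, and compares the 0750/0640 layout with Apache in the domain's group against the loosened 0755/0644 layout without it. The user and group names (apache, domain, otherdomain) and the paths are placeholders, not taken from any real system.

```python
"""Added example: model the Unix permission check that decides whether a
web-server process can read a file under a customer's home directory.
This is an illustration written for this page, not Virtualmin or Apache
code.  User/group names and paths are assumed placeholders."""

R, W, X = 4, 2, 1  # permission bits within one owner/group/other triplet


def class_bits(mode, owner, group, user, groups):
    """Pick the owner, group or other triplet of `mode` that applies to
    `user`, whose primary and supplementary groups are in `groups`."""
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:          # any supplementary group counts
        return (mode >> 3) & 7
    return mode & 7


def can_read(tree, path, user, groups):
    """Return (ok, path_that_decided_it).

    `tree` maps absolute paths to (owner, group, mode).  Every ancestor
    directory must grant search (x); the file itself must grant read (r).
    The first component that denies access is reported."""
    parts = path.strip("/").split("/")
    ancestors = ["/" + "/".join(parts[:i]) for i in range(len(parts))]
    for d in ancestors:
        owner, group, mode = tree[d]
        if class_bits(mode, owner, group, user, groups) & X != X:
            return False, d
    owner, group, mode = tree[path]
    if class_bits(mode, owner, group, user, groups) & R != R:
        return False, path
    return True, path


def new_file_mode(umask, base=0o666):
    """Mode of a freshly created regular file: creat() applies 0666 & ~umask."""
    return base & ~umask


def layout(home_mode, html_mode, file_mode):
    """Build a minimal /home/domain tree with the given modes (assumed layout)."""
    return {
        "/": ("root", "root", 0o755),
        "/home": ("root", "root", 0o755),
        "/home/domain": ("domain", "domain", home_mode),
        "/home/domain/public_html": ("domain", "domain", html_mode),
        "/home/domain/public_html/index.html": ("domain", "domain", file_mode),
    }


TIGHT = layout(0o750, 0o750, 0o640)   # the default described in the post
LOOSE = layout(0o755, 0o755, 0o644)   # what the chmod "fix" produces
INDEX = "/home/domain/public_html/index.html"

# Who is asking: Apache with the domain's group as a supplementary group,
# Apache without it, and a different customer's account on the same box.
APACHE_IN_GROUP = ("apache", {"apache", "domain"})
APACHE_ALONE = ("apache", {"apache"})
OTHER_CUSTOMER = ("otherdomain", {"otherdomain"})


def compare():
    """Tabulate who can read INDEX under each layout."""
    rows = []
    for name, tree in (("0750/0640", TIGHT), ("0755/0644", LOOSE)):
        for who, (user, groups) in (("apache+group", APACHE_IN_GROUP),
                                    ("apache alone", APACHE_ALONE),
                                    ("other customer", OTHER_CUSTOMER)):
            ok, where = can_read(tree, INDEX, user, groups)
            rows.append((name, who, ok, where))
    return rows


if __name__ == "__main__":
    for name, who, ok, where in compare():
        print(f"{name:10} {who:15} {'read' if ok else 'DENIED':7} at {where}")
    for um in (0o022, 0o027, 0o077):
        print(f"umask {um:04o} -> new files are {new_file_mode(um):04o}")
```

The table shows the trade-off the post describes: with 0750/0640 only Apache-with-group gets through and the other customer is stopped at /home/domain, while 0755/0644 lets Apache in without the group membership but also lets every other account on the machine read the file. The umask lines show the second half of the problem: a 077 umask produces 0600 files that even a group member cannot read, so the default umask has to match the layout.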