Adding or removing a virtual server resets the groups of all users

Under System settings > server templates > Default > Administration user I have a secondary group filled out in "Add domain owners to secondary group". I have a specific user that I don't want to be in that group, so I removed the user from it manually, however every time I add or remove a virtual server the user gets re-added to this secondary group.

Status: 
Active

Comments

That's expected - Virtualmin re-builds the group membership list each time a domain is added or removed.

Couldn't this be seen as a security risk?

Is there anything I can do to prevent the user from being added to the secondary group?

You could create another template in Virtualmin which doesn't add users to that secondary group, and switch the one domain you want to exclude to that template.

Thank you for the info. Perhaps what's lacking is a more explicit message in the documentation that any manual changes to the domain administrator's user will be overridden when any changes are made to any domains, so in order to add or remove a user from a specific group it must be done in this section and never ever via any other method (including command line or Webmin itself).

Currently it just says:

"When this field is set to the name of an existing group, all server owner Unix users will be added to it as secondary members. This can be useful for configuring other programs like Samba or ProFTPd to further restrict or allow server owners.

Be sure to select a group that already exists and has no current members, as its member list will be over-written with the list of Virtualmin domain owners."

However I still wish there were another way to handle this as this really could be a security issue. A system admin could revoke a certain permission from a user by changing their group and this will be reverted without them necessarily being aware of it. Virtualmin and Webmin as a whole do an excellent job of allowing the system admin to make manual changes to the system without it making everything go bonkers, however this is one exception to the rule. Maybe an option would be to keep a history of the groups a user belongs to and if they have been modified from what Virtualmin expects, leave that user alone - or at least prompt the end user what to do.

Also, I followed your suggestion and created another template that does not include this secondary group and moved a virtual server into this newly created group and the secondary group was not removed from the user. I had to manually remove it from that group.

The group not being updated when saving a domain to change the template is clearly a bug - I'll fix that.

OK, another update:

I have two servers that were once members of a server template that would add them to a secondary group. I then created another template exactly the same as that one that did not have this secondary group and moved these two servers to it. Not only did they not get removed from the secondary group when altering the virtual servers to use the new template, when I add or delete virtual servers in the future, these two users are re-added back to this secondary group even though they are in a completely different server template now.