Prevent default domain deletion or change

minadreapta (New member, joined Sep 14, 2019, 1 message)

Hello,

We are migrating from cPanel and stumbled upon this "inconvenience": by default a user can delete or change his main/default domain name in the DA Domain management interface.
We are also using WHMCS, and the main domains in WHMCS should match the main domain in the DA panel.

How can we achieve this, or is this achievable:
1. the users can't delete or change the main/default domain name, but the reseller or admin should be able to do this
and
2. where allowed by the hosting plan, the users should be able to add/delete/modify only additional domains (but not the main one).

I tried different settings in directadmin.conf for the "users_can_add_remove_domains" parameter but none was what I wanted.


Thanks.
 
Stumbled across this today too.

This is a slightly old thread... but no replies... so I'm guessing this was never resolved?

There may be an option that disabled this. But trying to find the correct option to flag is really a tough exercise with DirectAdmin's scattered documentation.
 
Correct me if I'm wrong here.


Only refers to changing the name of a domain name. It doesn't prevent deletion of the domain name.


Doesn't do anything specifically to prevent the deletion of JUST the "main" or "default" domain name. You can set it to block deletion of domain names, but then users can't delete any extra domain names they may have previously created.

Basically I'm looking for an option that forces a user to always have at least 1 domain name. IDEALLY, that 1 domain name would be the one that the reseller or admin assigned to them - end-users shouldn't be able to delete that domain name. This is because we (and I suspect most everyone else) tie hosting accounts to the domain name that the reseller or admin assigned to the account. If that domain name is allowed to be deleted without the intervention of the reseller or admin then this can throw the reseller or admin's billing system out of whack. Addon or extra domain names are of little consequence in terms of billing system recognition, so those can be added and deleted at will by the end-user. But when the admin or reseller assigned domain name is deleted without explicit intervention by the admin or reseller, then that can create a lot of havoc.

What good is a web hosting account with no domain names assigned to it?
 
For billing purposes use LOGIN instead of domain name. Users/resellers can't modify their logins.
 
We were able to sneak in the ability to not rename any domain for the upcoming 1.61.0 release:

Allows directadmin.conf setting, or per-User user.conf override if needed.
GUI/package option probable to be included in the future.

However, your request for only blocking the removal of the default domain would need to be custom scripted.. and it's actually 2 steps, since Users can also change their default domain too.

So you'd want to create 2 custom hooks to check if it's the default domain and block:
Code:
/usr/local/directadmin/scripts/custom/domain_destroy_pre/default_domain.sh
/usr/local/directadmin/scripts/custom/public_html_link_set_pre/default_domain.sh

The domain_destroy_pre/default_domain.sh could be:
Code:
#!/bin/sh
if [ "$defaultdomain" = "yes" ]; then
    echo "Cannot delete the default domain";
    exit 1;
fi
exit 0;
and the public_html_link_set_pre/default_domain.sh would be:
Code:
#!/bin/sh
if [ "$main_domain" = "$domain" ]; then
    echo "Cannot change the default domain";
    exit 1;
fi
exit 0;
Chmod both new directories and scripts to 755 (700 would be enough) and that should do it.

But if you only want to block the rename of the default domain, then the new id=2775 guide won't cut it.
For blocking the rename only on the default domain, you'd create:
Code:
/usr/local/directadmin/scripts/custom/domain_change_pre/default_domain.sh
with the same code as public_html_link_set_pre/default_domain.sh, and of course change the word "delete" with "rename".

John
 
The /usr/local/directadmin/scripts/custom/domain_destroy_pre/default_domain.sh looks like it would accomplish what I need and this will work just fine.

I suppose to stray this a bit off-topic, but to my point about documentation... is there a list of all of the /usr/local/directadmin/scripts/custom available hooks? And then what environment variables are passed to each hook would also be beneficial. Is that information anywhere in any central location?
 
The one issue with the code in - /usr/local/directadmin/scripts/custom/domain_destroy_pre/default_domain.sh -

Code:
#!/bin/sh
if [ "$defaultdomain" = "yes" ]; then
    echo "Cannot delete the default domain";
    exit 1;
fi
exit 0;

is that it will create an issue if the account (i.e. the username) is deleted by the admin or reseller (I presume). The domain won't get fully deleted with this code present.

My solution to this was to modify the code slightly:

Code:
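#!/bin/sh

# creator unset or empty: apply the default-domain check.
if [ -z "${creator}" ]
then
        if [ "$defaultdomain" = "yes" ]
        then
                echo "Cannot delete the default domain";
                exit 1;
        fi
        exit 0;
fi

# creator set: skip the check and allow the deletion.
exit 0;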

It would seem that the ${creator} environment variable is not present when the domain_destroy_pre hook is called from within a user's control panel. But it is present when deleted from the admin panel (or at least using the API). So you check for the existence of the ${creator} variable and if it's not found, then you check to make sure the domain name is not the default domain before exiting.
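
A dry-run harness for the domain_destroy_pre hooks posted above (the basic check and the ${creator}-aware variant), added here as an example; it is not part of any poster's reply or of DirectAdmin's own tooling. It runs the hook under `env -i` with constructed values for the `defaultdomain`, `domain` and `creator` variables named in the thread; `make_hook`, `run_hook`, `expect` and `run_cases` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: dry-run a domain_destroy_pre hook before installing it.
# Variable names come from the thread; all values below are constructed.

# Write the logic of the creator-aware hook to a temp file and print its path.
make_hook() {
    hook=$(mktemp) || return 1
    cat > "$hook" <<'EOF'
#!/bin/sh
if [ -z "${creator}" ]; then
    if [ "$defaultdomain" = "yes" ]; then
        echo "Cannot delete the default domain"
        exit 1
    fi
fi
exit 0
EOF
    chmod 700 "$hook"
    printf '%s\n' "$hook"
}

# run_hook HOOK [VAR=value ...]: run the hook with only these variables set
# (env -i drops the caller's environment) and return the hook's exit status.
run_hook() {
    hook_path=$1; shift
    env -i PATH="$PATH" "$@" /bin/sh "$hook_path" >/dev/null 2>&1
}

# expect WANT LABEL HOOK [VAR=value ...]: report whether the exit status matches.
expect() {
    want=$1; label=$2; shift 2
    got=0; run_hook "$@" || got=$?
    [ "$got" -eq "$want" ] && { echo "ok   $label"; return 0; }
    echo "FAIL $label (exit $got, wanted $want)"; return 1
}

run_cases() {
    h=$(make_hook) || return 1
    fails=0
    expect 1 "user deletes default domain" "$h" domain=example.test defaultdomain=yes || fails=$((fails + 1))
    expect 0 "user deletes addon domain" "$h" domain=addon.test defaultdomain=no || fails=$((fails + 1))
    expect 0 "admin/reseller deletes the account" "$h" domain=example.test defaultdomain=yes creator=reseller1 || fails=$((fails + 1))
    expect 1 "creator present but empty" "$h" domain=example.test defaultdomain=yes creator= || fails=$((fails + 1))
    expect 0 "defaultdomain missing: hook fails open" "$h" domain=example.test || fails=$((fails + 1))
    rm -f "$h"
    return "$fails"
}

run_cases
```

The last case shows that the hook allows the deletion whenever `defaultdomain` is absent from the environment, so confirm on a test account that your DirectAdmin version passes it before relying on the hook.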
 
Hello, thanks for all the information; this gave me a direction to get it done. To save it for the future and for others, I'm showing below how I did it. I used AI to explain it in detail:


We manage a DirectAdmin environment and have specific requirements for user permissions regarding domain management:
  1. Renaming: Users must NOT be able to rename ANY domain (Main or Addon).
  2. Deleting: Users CAN delete Addon domains, but must NOT be able to delete the Main Domain.

Here is the configuration we implemented to achieve this hybrid control.

1. Disable Renaming Globally (directadmin.conf)

Since we want to block renaming for all domains, we rely on the native DirectAdmin configuration. In /usr/local/directadmin/conf/directadmin.conf:

Code:
users_can_rename_domains=0
This removes the rename functionality for the user entirely. https://docs.directadmin.com/changelog/version-1.61.0.html#block-domain-rename

2. Allow Domain Deletion Globally (directadmin.conf)

To allow users to manage their Addon Domains, we must ensure the global setting allows adding/removing domains. In /usr/local/directadmin/conf/directadmin.conf:
Code:
users_can_add_remove_domains=0
(Note: 0 is the default value which means "Allowed". If set to 1, users cannot delete any domain). https://docs.directadmin.com/change...ins-user-conf-to-block-domain-adding-deleting

3. Protect Main Domain from Deletion (Custom Hook)

Since the global setting allows deletion, we use a custom script to intercept the delete command and block it only if the target is the Main Domain.

Create/Edit: /usr/local/directadmin/scripts/custom/domain_destroy_pre.sh
Bash:
#!/bin/bash

# 1. WHO IS PERFORMING THE ACTION?
# If caller_username is empty, we assume it is the user themselves ($username).
# If it has a value (e.g. admin), we use that.
if [ -z "$caller_username" ]; then
    QUEM_ESTA_FAZENDO="$username"
else
    QUEM_ESTA_FAZENDO="$caller_username"
fi

# 2. PROTECTION FOR ADMIN/RESELLER
# If whoever is performing the action IS DIFFERENT from the account owner,
# it means an Admin or Reseller is managing the customer.
# In that case we allow everything (exit 0), including deleting the whole account.
if [ "$QUEM_ESTA_FAZENDO" != "$username" ]; then
    exit 0
fi

# -----------------------------------------------------------------------
# FROM HERE DOWN, WE KNOW IT IS THE USER THEMSELVES TRYING TO DELETE SOMETHING
# -----------------------------------------------------------------------

USER_CONF="/usr/local/directadmin/data/users/${username}/user.conf"

# Check that the configuration file exists
if [ -f "$USER_CONF" ]; then

    # Get the main domain and strip any whitespace (xargs)
    MAIN_DOMAIN=$(grep "^domain=" "$USER_CONF" | cut -d= -f2 | xargs)

    # Get the domain being deleted and strip whitespace
    DOMAIN_ALVO=$(echo "$domain" | xargs)

    # Compare the two
    if [ "$DOMAIN_ALVO" = "$MAIN_DOMAIN" ]; then
        echo "ERRO DE SEGURANCA: Voce nao pode deletar o dominio principal da conta."
        echo "Para cancelar sua conta ou alterar o dominio principal, contate o suporte."
        exit 1
    fi
fi

exit 0

4. Set Permissions

Don't forget to set the correct permissions for the script:
Bash:
chown diradmin:diradmin /usr/local/directadmin/scripts/custom/domain_destroy_pre.sh
chown diradmin:diradmin /usr/local/directadmin/scripts/custom/domain_change_pre.sh
chmod 700 /usr/local/directadmin/scripts/custom/domain_destroy_pre.sh
chmod 700 /usr/local/directadmin/scripts/custom/domain_change_pre.sh

Summary of Result

  • Renaming: Totally disabled for users (via directadmin.conf).
  • Deleting Addon Domains: Allowed.
  • Deleting Main Domain: Blocked (via domain_destroy_pre.sh).
  • Admin/Reseller Actions: Fully allowed (script bypasses if caller != username).
 
Thank you.
However it would be nice if Directadmin would make things a bit more structural or similar.

Now we got several settings which use the "user_can" this or that in singular.
Like for example:
user_can_select_skin
user_can_set_email_limit
user_dnssec_control=0

Only the renaming/adding/deleting domain uses the "users_can" where users are in plural. This makes things a bit confusing or rather more eligible to make a mistake.

@fln wouldn't it be a good idea to make this consequent? So it would be either plural or singular for all commands?
 
At this point I'm doubting if DA code changes get reviewed…
 