Chroot doubles disk space

OS type and version Debian 10
Webmin version 1.981
Virtualmin version 6.17-3
Related packages ?


The directory “/home/five” is a copy of “/home/chroot/163102573011192/home/five”.
I do not find an explain on the forum or on Google.
Is there an expert here who can guide me?

Excellente journée,

I’m sure it’s some virtual copy, like a symbolic link or something like that, but not a duplicate copy. Don’t worry.
If you like to learn more, research “chroot” and how it creates a “contained space” for the user.

Virtualmin uses jailkit to setup and manage jails. If you’re using the chroot jail feature, it’s worth checking out the docs: Jailkit - chroot jail utilities

Also, I always like to point out that if you don’t know what you’re doing, jailed users are probably not more secure than unjailed ones.

In fact, the opposite can be true, though most of the security concerns with jails are resolved by use of capabilities (a Linux kernel feature that allows escalated privileges in a limited way). But, it is still almost certainly possible to give a user tools they need to elevate privileges, if you aren’t careful about how you setup the jail. The default jail configuration is believed to be secure, but once you start modifying what is in the jail…well, who knows?

You should, at the least, read and understand the Security Considerations section of this page: Jailkit - chroot jail utilities

Thank’s for your response :+1:

Yes, I thought it was a symbolic link, but no. I also tried renaming the “home/five” directory to “home/five-back”, then I created a symbolic link to “/home/chroot/163102573011192/home/five”, good try but it crashes all.

But yes, for disk space, I confirm the data is indeed doubled.
656M ./site1
231M ./site2
169M ./site3
352M ./site4
28K ./site5
272M ./site6
166M ./site7
4.0G ./chroot
133M ./site8
24K ./debian
27M ./site9
12M ./site10
49M ./phpmyadmin
525M ./site11
188M ./site12
30M ./site13
6.7G .

Thank’s for the link to “Jailkit”.

Yes, that’s right, I don’t know exactly what I’m doing, I confirm :+1:.

The security strategy is to set up all the services with VirtualMin without touching the configuration without understanding. I am cautious. Then, we carry out tests to validate that the users are well separated. You should know that it is for websites that we manage and we want to protect these websites from each other but no one other than us has access to the sites.

This is dangerously chaotic energy to be applying to a security sensitive part of your system.

In the case of PHP (not SSH, nor SFTP), the PHP CGI handler (FPM, etc) takes care of running the PHP code in the user’s name, so they cannot access other users’ files if permissions are set up properly (this is the default case).

1 Like

Jails merely hide some details about the filesystem, they don’t really add much in the way of security (and can introduce security holes of their own, if you don’t understand how chroot works and put something dangerous into the chroot, though again, a capabilities-enabled jailkit package mitigates some of that risk). chroot jails give an illusion of more security, but it’s not a security feature.

Given OP is randomly moving files around and trying to consolidate jails to save disk space, I think they’re on a path to introducing security problems due to lack of understanding of how jails work.

@Jeff31 you may also want to read this, which is the ticket where I documented the Jailkit feature for Jamie to implement in Virtualmin: Changes needed for Jailkit chroot jail support [#45859] | Virtualmin

The “double disk space” you’re seeing is not (it is a bind mount), and you’re obviously going to break the jail by linking or copying things around.

@Jeff31, I used the jailkit too, in current state it’s more of a perception and you end up with false security - introducing potentially new issues already mentioned. I also had issues when restoring a jailed domain, didn’t always work as expected. Make sure php-fpm is used, best practice with domain owners/ what they have access to etc. but do disable the jailkit.

Jails should work, and backups/restores should also work when using jails (though there are potential compatibility issues when restoring jails across different distro/versions). We’ll fix bugs (but not OS/version compatibility issues) that are reported in those areas, and I don’t know of any outstanding issues.

I’m not telling anybody not to use jails because they’re buggy, I’m saying don’t assume you’re safer or more secure because you’re using them, and if you are using them you should spend an afternoon reading and understanding them and the security implications of using them.

Thanks @vending_makina and @Whoops . Yes, I also use php-FPM :+1:
But Chroot hallows me give ssh access just for one website at one developer of the team.

I realize that I have a complicated configuration. Before, i use virtualisation, it was more simply but the network layer was complicated. It’s like cars, we add a turbo, we add a lot of technology and after when you have a problem, it’s difficult and expensive for repairs. It’s efficiency that wants it.

@Joe, thanks for your explain. I inderstand, it’s not duplicate :+1: Is it correct to say that the “df -h” command and “du -h --max-depth=1” command returns the wrong information?

Absolutely. Make things simple. The more stuff you add and the more features you apply - somebody will need to maintain this. If you are an expert, probably ok but if you are managing this at a ‘normal’ level, important to reduce risk of complications. I probably spend 10 hours on something that somebody else could fix in 10 minutes - therefore my approach would be tactical in terms of managing a server.

Same goes for fail2ban, you click here and there, enabling whatever - how many people do actually know what happens/impact it has. Or locking yourself out grin by accident. As Joe suggested, if you read/study the jail documentation and other improvements, might help to identify some challenges that you may experience.

1 Like

No it doesn’t. It just hides some details of the filesystem from them. You can safely grant ssh access to users without chroot, as long as your filesystem permissions are correct. (They generally would be in a default Virtualmin configuration.)


@Joe @Whoops
Thanks you all, yes i understand. I have to do this for the next server :+1:

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.