chroot still only provides a false sense of security (I talked about this in a few other threads way back when this was a popular question, and we pretty much ruled out doing it in VIrtualmin because of the historic negative security implications, but even now, there is no security benefit to using chroot in this way).
scponly is no longer necessary, as ProFTPd supports FTP over SSH connections (though not general purpose ssh shell connections, but there’s no safe way to restrict a full shell user from seeing the rest of the file system). Using the DefaultRoot option, you can restrict any type of connection or any type of user to their home directory.
So to specifically answer your questions:
- scponly is no longer needed or recommended (it’s not dangerous, as far as I know, but it’s not useful). You just need to use ProFTPd for all connections from users (except those you trust to have shell ssh access), and add “DefaultRoot ~” to the configuration.
- No, and we still discourage people from using a chroot environment for untrusted users. chroot has security implications that are difficult to reason about. It may be that recent versions of openssh make chroot safer, as it may be able to drop privileges in a safe way today (it probably can, if I’m reading the docs right); historically, even a single mistake in your chroot filesystem could lead to a root privilege escalation vulnerability (which is game over for security). I haven’t done the research to understand how this risk has been mitigated in recent years, as I don’t want to go down that path for security in Virtualmin. There are much better options today, including SELinux.
Also, note that Virtualmin has tighter permissions on home and safer defaults for web apps than other control panels (at least, it did last time I looked at how cPanel and Plesk were doing things). A chroot would provide little actual security benefit and would potentially open up security concerns of its own. On my personal systems, I don’t mind granting untrusted (but not anonymous) users shell access. I’m not worried about them seeing files on my system, because UNIX systems were designed from the ground up to be multi-user systems.
chroot also does not prevent someone with any level of knowledge from seeing files on the filesystem (as they do when logging in without a chroot). There are many ways to see those files in any hosting system, including web applications, procmail recipes, cron jobs (though this can be forced to take on the environment of the chroot at the expense of a more complex chroot), etc. chrooting the shell or FTP provides a false sense of security.
I would like to spend more time with SELinux. It does provide means to do what many people use chroot for, without the problems of chroot. I made Virtualmin work comfortably with SELinux a while back when we built our new boxes on CentOS 7 (it actually wasn’t that hard; took a couple of hours), but haven’t done the work to package up the new rules that are needed yet. But, the standard strict SELinux rule set also does not prevent users from seeing files outside of their home. The stuff that people want chroot for just aren’t security issues, generally speaking…they seem like security issues, but they’re really not.
So, to sum up:
We don’t do chroot because it does not improve security to do chroot. But, you can get the effect of a chroot for FTP and FTP over SSH connections using the DefaultRoot option in ProFTPd. This option is easy, and it is safe.
Oh, also, the new File Manager (Filemin) has this ability as well, and defaults to restricting user to their home (not for security, but for usability).