Not another chroot Question? chroot explained?

I have been researching what chroot does and if it is useful for me. I have found loads of information spread around the forum and other sites so I have put together what I know with some questions.

Could someone check my information is correct and answer the questions. This is one of those issues that keeps getting asked about so I hope I have put everything together properly.

Need confirmation of these

  1. chroot = Change root
  2. Aesthetic only
  3. Chroot only works on
    • port 22 for both SFTP and SSH
    • and the Terminal in the users Webmin
  4. ProFTPd controls SFTP on port 2222 and therefore is unaffected by the Virtualmin implementation of chroot.
  5. You configure restrictions in ProFTPd.
  6. You control what functions and services are added into the Jail by using the jail manager
  7. It restricts what commands can be run in SSH for the user. You can add what is allowed in.
  8. Any functions/services to be used in the jailed session need to be added.
  9. It is not a security feature, but only ‘security via obscurity’
  10. Jails are not very useful, it’s just a thing people in the hosting world like. Hides a load of mess from their clients.
  11. Chroot does more than jails.
  12. The Proper name for this, in the way we are using this feature = chroot jails.
  13. If you are not giving your clients SSH access, chroot is pointless.
  14. chroot needs root to run and is why it can be dangerous.


  • Why aesthetic only if you can restrict what functions a user has access to with SSH?
  • Where do you configure the SFTP (port 2222) restrictions in ProFTPd?
    • Is this done by hand
    • Webmin → servers → ProFTPD Server
    • ProFTPd jail features?
    • FTP is already restricted to the home page.
  • Does this stop people FTP’ing to the root and seeing files?
  • Does this stop people using SSH getting to the root of the server?

I have looked through the forum and elsewhere so can post all of my links if needed :smile:

Thanks in advance

It sounds good to invoke EVERY possible security solution known to admin kind, but, really not necessary. Your base OS has decades of best practices and knowledge built in. This software leverages that and then adds more.