restrict domain user to browser to other domain

i try to simulate WSO as hack shell, while using the default virtualmin configuration, WSO can show and list or read all file outside the domain user directory. The hacker even badly can browse to os root folder and read some file inside it.

here what i try to prevent it.

  1. i try to use jailkit, but seems like the hacker using the wso or other rootkit still can browser upper directory (seems like the jailkit is useless if not please tell me what configuration that i miss)
  2. i try to use linux ACL ubuntu default by type this command :
    setfacl -m userdomain:x /
    setfacl -m user:x /home/

right know the second choice is more preferable to prevent the traversal directory browsing. can someone tell me is there any drawback or what worse things can happen when i use the second option ?

honestly setfacl is not good idea as hacker still can open upper file by type the file location, but at least he cannot browse it on wso shell

Thank you