When I try to enable the terminal and SSH for a website, I notice that each domain owner has read access to the root directories.
Is there a way to restrict read access of all files outside the virtual domain directory?
OS Ubuntu 22.04.03.
Thank you.
You can use jailkit, but to use jailkit you must be aware that all resources that the user needs must be placed in the jail, you also may have to alter the users environment to get the best experience. That said for what reason does a domain owner ssh access ? As most things that a domain owner may need are in the virtualmin/usermin panels. I don’t give Domain owners ssh access, I point them to the relevant function in Vmin/Umin.
Is there a default set of commands & environment that Vmin will set up auto setup so PHP will work out of the box (sendmail for example) or does the user still have to manually enter these ?
We setup by default the following sections:
perl, basicshell, extendedshell, ssh, scp, sftp, editors, netutils, logbasics
hmm php will not work out of the box as I see the following
jail@server:~/public_html$ sendmail
bash: sendmail: command not found
jail@server:~/public_html$ clear
TERM environment variable not set.
jail@server:~/public_html$
You could use a new Virtualmin Pro feature to easily copy php and dir commands to user’s jail. Dependencies will be copied automatically.
That is what I am using. You said php worked out of the box. It does not appear to do that
It does on EL systems. Debian and derivatives don’t have php section defined, so it has to be added manually.
So therefore you need to adjust your statement to read ‘this works on el but not on debian systems’ rather than ‘a pro user can do this’ as it from your statement it does not work using debian
Virtualmin Pro can still copy php binary and all dependencies using Extra commands and directories for Jailkit to copy option.
So i have to guess what dependences are required for php ?
So i have to guess what dependences are required for php ?
Nope, this is what Jailkit init program is doing.
If we’re shipping improvements to jail support, making it easier to get a PHP environment is probably one of the obvious ease-of-use improvements. I’m surprised the RPM has a configuration that the Debian package doesn’t have, though. I guess it’s a version issue (i.e. added to Jailkit recently)?
Edit: What I mean by that last bit is that if a newer version of the package will have it, we should just encourage people to use new versions of their OS, rather than working around it by shipping our own.
But, also, I don’t know how we make it clear that folks need to understand Jailkit in order to use it safely!
I think the more we add UI enhancements that make it seem like an easy thing to do, the more likely someone will make mistakes that make their jails breakable (which is actually extremely dangerous on Debian/Ubuntu where the Jailkit binaries do not use capabilities and are running as full root, at least, last time I checked…the RPM uses capabilities, so it’s much safer).
The distinction lies in the packaging differences between EL and Debian distributions. Specifically, in the EL distribution, jk_init includes a defined [php] section, whereas this section is absent in the Debian distribution. 
However, this difference should not affect our users, thanks to a new feature in Virtualmin Pro that automates the process. Users simply need to add php to the Extra commands and directories for Jailkit to copy field, and the system will handle the rest seamlessly.
I was always assuming the RPM was packaging the upstream files unmodified, but I guess not. I see there is no php section here: [jailkit] Contents of /jailkit/ini/jk_init.ini
I wonder now what is adding [php] section in RPM package? 
Most probably Red Hat or EPEL?
