Users that connect to the server using SFTP over SSH so they can download or edit their webfiles can actually browse outside of their home directory. If they connect by FTP they are restricted to their home directory.
I seem to remember this SSH behaviour was a limitation of Virtualmin. There is a specific option in ProFTPd to restrict users to their home directory.
I currently do not have clients on this server and I would just block SFTP over SSH by just not exposing the port.
The Question
Is it still a limitation of Virtualmin that users connecting with SFTP over SSH can browse all server files, or do I need to do something like enabling Jails?
That is what jailkit is for; I would guess this is a limitation of SSH and not Virtualmin. I would not give clients SSH access, nor in fact FTP access. I direct them to File Manager, which allows the client to upload, download and edit files, which is what you would do with an FTP client such as FileZilla, and jails them to their home directory.
When the team look at CageFS (or whatever the open source version is) I think they should make a pre-setup environment for webhosting. This possibly could be an optional thing.
For me each account should be completely isolated from each other and the server, however it is done.
That’s exactly what you get if you limit the client to Virtualmin, i.e. no shell login and no FTP. That saves you messing around with a load of services/scripts that a: may not have a Webmin module, b: are impossible to create a Webmin module for.
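For anyone who does leave SFTP over SSH exposed, the following is an added example (not from any poster in this thread, and not Virtualmin or jailkit code) that checks whether a given user's SFTP session is confined by OpenSSH's own `ChrootDirectory` and `ForceCommand internal-sftp` settings. The sample configurations, the `sftponly` group and the jail path are constructed, and the matcher is simplified to `Match User`, `Match Group` and `Match all` without wildcards.

```python
SAMPLE_OPEN = """\
# constructed sample: SFTP enabled, nothing confines the session
Subsystem sftp /usr/lib/openssh/sftp-server
"""

SAMPLE_JAILED = """\
# constructed sample: group name and jail path are assumptions
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/jail/%u
    ForceCommand internal-sftp
"""

def _matches(criteria, user, groups):
    # Every 'Keyword pattern-list' pair on the Match line must apply.
    for kind, patterns in zip(criteria[0::2], criteria[1::2]):
        wanted = set(patterns.split(","))
        if kind.lower() == "user":
            ok = user in wanted
        elif kind.lower() == "group":
            ok = bool(wanted & set(groups))
        else:
            ok = False  # unsupported criterion: assume the block does not apply
        if not ok:
            return False
    return True

def effective(config, user, groups):
    """Settings that apply to this user, keyed by lower-cased keyword."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            active = value.lower() == "all" or _matches(value.split(), user, groups)
            target = match_opts
        elif active:
            target.setdefault(key, value)  # first obtained value wins
    return {**global_opts, **match_opts}  # Match settings override global ones

def sftp_confined(config, user, groups):
    """Confined means: chroot is set and the session is forced into internal-sftp."""
    opts = effective(config, user, groups)
    forced = opts.get("forcecommand", "").split()[:1] == ["internal-sftp"]
    return forced and opts.get("chrootdirectory", "none").lower() != "none"
```

On a real server, sshd requires the chroot directory and every path component above it to be owned by root and not writable by group or others, so a user-owned home directory cannot itself be the jail root.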