Opterius uses Jailkit to chroot SSH users into isolated environments. This prevents a hosting account from traversing the filesystem and accessing other accounts' files or system configuration.
Master Jail
The Opterius installer pre-creates a master jail at /var/jail/. This directory contains the shared libraries, binaries, and device nodes that all jailed users need. The master jail is set up once at install time and does not need to be modified per account.
The master jail structure:
/var/jail/
├── bin/ ← copies of shell binaries (ls, cp, mv, mkdir, rm, cat, vi, etc.)
├── lib/ ← shared libraries required by those binaries
├── lib64/
├── usr/
├── dev/ ← minimal device nodes (null, zero, tty)
└── etc/ ← minimal passwd/group entries
Available commands inside the jail include basic Unix tools: ls, cp, mv, mkdir, rm, cat, vi, grep, find, tar, gzip, plus php CLI.
Per-Account Jail Setup
When a user enables SSH access from Hosting Mode → Files → SSH → Enable Shell, the agent calls:
jk_jailuser -m -j /var/jail /home/username
This creates a bind-mount or hard-link structure that maps the account's home directory into the jail at:
/var/jail/home/username/
The account's shell is set to a Jailkit-aware shell (typically jk_chrootsh) in /etc/passwd. When the user connects via SSH, the OS sees the jk_chrootsh shell, which calls chroot(/var/jail) before handing off to the user's real shell.
What the User Sees
From inside the jail, the user's perspective is:
/ ← this is actually /var/jail/ on the real filesystem
└── home/
└── username/ ← their actual /home/username/ (bind-mounted in)
├── domain.com/
│ └── public_html/
└── staging.domain.com/
└── public_html/
Attempts to cd /home/other-user or cat /etc/passwd (the real one) return No such file or directory — the jail's /etc/passwd contains only minimal entries.
Security Boundaries
- The jailed user cannot see or access other accounts' home directories.
- System configuration files (
/etc/nginx,/etc/mysql,/opt/opterius, etc.) are not mounted into the jail and are inaccessible. - The user's PHP-FPM pool runs outside the jail (as a system service), so web requests are not affected by the jail.
- The jail does not restrict network access — the user can still
curlorwgetfrom within the jail.
[!NOTE] Jailkit chroot is not a container. A root exploit on the server can escape it. It provides strong isolation for normal hosting account activity, not kernel-level security. For that, use OS-level containers or VMs.
Disabling SSH for an Account
When SSH is disabled from the panel, the agent resets the account's shell to /sbin/nologin in /etc/passwd. The jail directory is left in place and reused if SSH is re-enabled.
Troubleshooting
If a user's SSH connection drops immediately after login, check:
# Verify the jail structure is intact
ls /var/jail/home/username/
# Check the user's shell entry
grep username /etc/passwd
# Check Jailkit logs
journalctl -u ssh | grep username
The most common cause is a missing library in the jail after a system library update. Rebuild the jail with:
jk_update -j /var/jail