Jail users in a directory

Solution 1:

The #1 problem that people encounter with chrooted SFTP is that OpenSSH, by default, requires that root owns the whole path to a given user's chroot directory. In other words, if you want to chroot someone into /home/someone, / must be owned by root and have permissions no wider than 0755, /home must be owned by root and have permissions no wider than 0755, and perhaps most surprisingly, /home/someone must be owned by root and have permissions no wider than 0755. In your case, you want to chroot people into /var (I'm not even going to ask), so you avoid this permissions problem, but in other cases where it's unavoidable, you may want to look into mount --bind.

As to the actual chrooting, you've got two options for how to go about it: either by group or by user. In either case, you'll edit the sshd_config file. For group-wide, it'll look like:

Match group sftponly
ForceCommand internal-sftp
ChrootDirectory /var
AllowTcpForwarding no

For per-user configuration, it'll simply be:

Match user sftpdude
ForceCommand internal-sftp
ChrootDirectory /var
AllowTcpForwarding no

Note that internal-sftp wasn't supported until OpenSSH version 5 or so, so you may have to compile a custom copy of OpenSSH if you don't have access to a v5 package.