Chroot

The directory that you chroot into must be owned by the root user.

Excerpt from man sshd_config:

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).

The default is not to chroot(2).
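The ownership rule and the token expansion from the excerpt above can be checked before a user ever connects. The following is an added example, not code from this page or from OpenSSH; the function names expand_tokens and check_chroot_path and the stat_fn parameter are illustrative assumptions.

```python
# Added example: names below are illustrative, not OpenSSH APIs.
import os
import stat
import sys


def expand_tokens(template, user, home):
    """Expand the %%, %h and %u tokens named in the man page excerpt."""
    table = {"%": "%", "h": home, "u": user}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and template[i + 1:i + 2] in table:
            out.append(table[template[i + 1]])  # known token: substitute
            i += 2
        else:
            out.append(template[i])  # ordinary character: copy through
            i += 1
    return "".join(out)


def check_chroot_path(path, stat_fn=os.stat):
    """Return (component, problem) pairs; an empty list means the path passes."""
    if not path.startswith("/"):
        raise ValueError("chroot path must be absolute")
    problems, components, current = [], ["/"], "/"
    for part in os.path.normpath(path).strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            components.append(current)  # "/", "/a", "/a/b", ...
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            break  # deeper components cannot exist either
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "not owned by root (uid %d)" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: TEMPLATE USER HOME")
    issues = check_chroot_path(expand_tokens(*sys.argv[1:4]))
    sys.exit("\n".join("%s: %s" % p for p in issues) or 0)
```

Run it with the ChrootDirectory value, a username and that user's home directory; it exits non-zero and lists every offending path component.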

Reaching outside the chroot
As with a chroot through ftpd, access is refused if you make a symlink with ln. A nullfs mount inside the chroot is used instead:

mkdir backups
mount_nullfs /var/backups/ backups