I have a VPS running Debian and would like to create user accounts on it.
I want it so that when the user logs in with sftp, everything in var appears to be their home directory and they cannot cd out of it.
For example, when user3 logs in, they have access to everything in var (read, write, execute) but cannot view (cd) user1 or user2's personal stuff.
How would I go about doing this?
I think I have to do this in chroot, but I have no idea how this would work.
Thanks
The #1 problem that people encounter with chrooted SFTP is that OpenSSH, by default, requires that root owns the whole path to a given user's chroot directory. In other words, if you want to chroot someone into /home/someone, / must be owned by root and have permissions no wider than 0755, /home must be owned by root and have permissions no wider than 0755, and perhaps most surprisingly, /home/someone must be owned by root and have permissions no wider than 0755. In your case, you want to chroot people into /var (I'm not even going to ask), so you avoid this permissions problem, but in other cases where it's unavoidable, you may want to look into mount --bind.
As to the actual chrooting, you've got two options for how to go about it: either by group or by user. In either case, you'll edit the sshd_config file. For group-wide, it'll look like:
For per-user configuration, it'll simply be:
Note that internal-sftp wasn't supported until OpenSSH version 5 or so, so you may have to compile a custom copy of OpenSSH if you don't have access to a v5 package.
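As an added illustration of the answer above (my own script, not the answerer's), this prints the kind of Match block the answer refers to and checks the ownership/permission rule sshd enforces on each component of the ChrootDirectory path. It assumes GNU stat as shipped with Debian; the group name sftponly is made up.

```shell
# Added example, not from the answer: print the sshd_config Match block for
# chrooted SFTP and check the rule sshd enforces on every component of the
# ChrootDirectory path. Assumes GNU stat (Debian); "sftponly" is a made-up group.

# Print the sshd_config fragment. KIND is "Group" or "User".
sftp_match_block() {
    kind=$1; name=$2; dir=$3
    printf 'Match %s %s\n' "$kind" "$name"
    printf '    ChrootDirectory %s\n' "$dir"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# One directory: must exist, be owned by OWNER, and be neither group- nor
# world-writable (sshd's "root-owned, no wider than 0755" condition).
_check_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "MISSING   $dir"; return 1; }
    set -- $(stat -c '%U %a' "$dir")
    got_owner=$1; mode=$2
    tail=${mode#"${mode%??}"}        # last two octal digits: group, other
    g=${tail%?}; o=${tail#?}
    if [ "$got_owner" != "$owner" ]; then
        echo "BAD OWNER $dir (owner $got_owner, want $owner)"; return 1
    fi
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "WRITABLE  $dir (mode $mode)"; return 1
    fi
    echo "ok        $dir"
}

# Check ROOT, then each component of REL beneath it; nonzero if any fails.
# On a real host: check_chroot_path / var   (inspects / and /var, owner root)
check_chroot_path() {
    root=$1; rel=$2; owner=${3:-root}; status=0
    _check_dir "$root" "$owner" || status=1
    cur=$root; oldifs=$IFS; IFS=/
    for part in $rel; do
        IFS=$oldifs
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
        _check_dir "$cur" "$owner" || status=1
    done
    IFS=$oldifs
    return $status
}

sftp_match_block Group sftponly /var     # show the fragment for the question's case
```

Run `check_chroot_path / var` as root on the server to confirm the chroot path before restarting sshd; a "WRITABLE" or "BAD OWNER" line is exactly what makes sshd refuse the login.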
If you chmod 700 each user directory only the directory owner will be able to access the contents of that directory, i.e. chmod 700 /home/duke/aa/servers/user2 will prevent any user other than user2 (and root) from accessing it. Of course user2 needs to be the owner of /home/duke/aa/servers/user2 to access his own files.
Depending on the FTP server you use this should be relatively easy. Both proftpd and vsftpd, which are available as packages in Debian, support chroot as an option. The ProFTPd docs are here.
For SSH/SFTP look at http://www.debian-administration.org/articles/590