3.15. Restricting Services to Specific Filesystem Directories

Problem

You want to create a chroot cage to restrict a service to a particular directory (and its subdirectories) in your filesystem.

Solution

Create a chroot cage by running the GNU chroot program instead of the service. Pass the service executable as an argument. In other words, change this:

/etc/xinetd.conf or /etc/xinetd.d/myservice:
service myservice
{
        ...
        server       = /usr/sbin/myservice -a -b
        ...
}

into this:

service myservice
{
        ...
        user = root
        server = /usr/sbin/chroot
        server_args = /var/cage /usr/sbin/myservice -a -b
        ...
}

Discussion

chroot takes two arguments: a directory and a program. It forces the program to behave as if the given directory were the root of the filesystem, “/”. This effectively prevents the program from accessing any files not under the chroot cage directory, since those files have no names in the chroot’ed view of the filesystem. Even if the program runs with root privileges, it cannot get around this restriction. The system call invoked by chroot (which also is named chroot) is one-way: once it is invoked, there is no system call to undo it in the context of the calling process or its children.

A chroot cage is most effective if the program relinquishes its root privileges after it starts—many daemons can be configured to do this. A root program confined to a chroot cage can still wreak havoc by creating and using new device special files, or maliciously using system calls that are not related to ...
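The same confinement done from inside a service, as an added example that is not from the book or from xinetd: a small C wrapper that enters the cage and then drops root the way the discussion recommends. The program name `confine`, the cage path `/var/cage` and the target uid/gid are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Confine the calling process to `cage`, then drop to uid/gid. Returns 0
 * on success or a negative errno value on failure. Order matters: chdir
 * before chroot so the process starts inside the new root, and setgroups/
 * setgid before setuid, since a non-root process cannot change its groups. */
int confine(const char *cage, uid_t uid, gid_t gid)
{
    /* Refuse to leave the service running as root: a root process
     * inside the cage can still create device files and escape. */
    if (uid == 0 || gid == 0)
        return -EINVAL;
    if (chdir(cage) != 0)        /* fails with ENOENT if the cage is missing */
        return -errno;
    if (chroot(".") != 0)        /* needs root (CAP_SYS_CHROOT on Linux) */
        return -errno;
    if (chdir("/") != 0)
        return -errno;
    if (setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0)
        return -EPERM;
    return 0;
}
/* usage (assumed): ./confine /var/cage UID GID /usr/sbin/myservice -a -b */
int main(int argc, char **argv)
{
    if (argc < 5)
        return 2;
    int rc = confine(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != 0) {
        fprintf(stderr, "confine: %s\n", strerror(-rc));
        return 1;
    }
    execv(argv[4], argv + 4);  /* only reached inside the cage, unprivileged */
    perror("execv");
    return 1;
}
```

Because the xinetd entry in the Solution runs chroot as `user = root`, the service itself must still drop privileges; this wrapper does that before the exec, so the service never runs as root inside the cage.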
