CHROOT Login Howto
Introduction

This HOWTO details creating accounts on a *nix operating system that are chroot'ed to their home directory. That is, once this user logs in, they will not be able to access any part of the filesystem(s) other than what lies in the account's home directory.

Warning: this document is pretty Linux-centric. I've never tried doing this on a different operating system. Please let me know of your success or failure in implementing something similar on other operating systems and I will update the HOWTO accordingly.

Requirements

- sudo
- su
- chroot
- bash (other /bin/sh's have been reported to work)

Overview

When a login is attempted, this is the course of events:

```
login -> sudo(root) -> chroot $HOME su $USER
```

Essentially what this means is that when a login is attempted, the user is authenticated in the normal way. After successful authentication, the login process passes the user to what it assumes is a shell, but in fact it will be passing the user to a series of programs that will turn the user into root, chroot them into their directory, then turn the user back into himself again.

Step-By-Step Process

1. Make a faux shell, I call it /bin/chroot-shell. Here is the shell script I use:

```bash
#!/bin/bash
# chroot-shell: installed as the account's login shell. login/sshd invoke it
# either with no arguments (interactive session) or as "shell -c 'command'"
# (non-interactive sessions such as scp). Either way: become root via sudo,
# chroot into the account's home directory, then drop back to the user with su.
if [ "$1" = "-c" ]; then
    shift                 # drop the "-c"; whatever remains is the command to run
    PARAMS="$*"
    sudo /usr/sbin/chroot /home/"$USER" /bin/su - "$USER" -c "$PARAMS"
else
    sudo /usr/sbin/chroot /home/"$USER" /bin/su - "$USER"
fi
```

If you do not have bash, you can use this sh-compatible chroot-shell:

```sh
#!/bin/sh
# sh-compatible chroot-shell: if called as "shell -c command", hand the whole
# argument list on to su; otherwise start an interactive login shell.
[ "$1" = "-c" ] && a="$*"
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER $a
```

(Thanks to Ben Okopnik for this simplified and more compatible version of chroot-shell.)

NOTE: This will not work if you need to run commands with spaces in them on login (e.g. scp).

2. Add a user. Example:

```
useradd -d /tmp -s /bin/chroot-shell peon
```

This makes an entry in the /etc/passwd file like this:

```
peon:x:1004:1004::/tmp:/bin/chroot-shell
```

You should also set the password for the new account at this time:

```
passwd peon
```

3. Create a home directory.

```
mkdir /home/peon
mkdir /home/peon/etc
mkdir /home/peon/dev
mkdir /home/peon/bin
mkdir /home/peon/lib
mkdir /home/peon/usr
mkdir /home/peon/usr/bin
mkdir /home/peon/home
chown peon:peon /home/peon/home
```

4. Create a chroot passwd and group file.

/home/peon/etc/passwd:

```
root:x:0:0::/:/bin/bash
peon:x:1004:1004::/home:/bin/bash
```

/home/peon/etc/group:

```
root:x:0:
peon:x:1004:
```

5. Install bash.

```
cp /bin/bash /home/peon/bin/
```

Unless you have a statically linked version of bash (which is doubtful), you'll have to copy the required libraries to /home/peon/lib. To find out what libraries are required, use ldd:

```
ldd /bin/bash
```

6. Install su.

```
cp /bin/su /home/peon/bin/
```

Unless you have a statically linked version of su (which is doubtful), you'll have to copy the required libraries to /home/peon/lib. To find out what libraries are required, use ldd:

```
ldd /bin/su
```

NOTE: at least with Slackware, for some reason the library /lib/libnss_compat.so.2 is not listed as a required lib for su, but it IS needed!

NOTE: If your su binary uses PAM for an authentication mechanism, you may have to build a new su binary. This is the case for RedHat. You can download sh-utils from ftp://alpha.gnu.org/pub/gnu/shellutils/ (Thanks to Pablo Pasqualino for pointing this out.)

NOTE: On RedHat 7.x systems, not only do you have to build a new su binary but you must copy /lib/libnss_files.so.2 and /lib/libnsl.so.1 (as well as /lib/libnss_compat.so.2) to the chroot /lib directory even though they don't show up in 'ldd su'. Thanks to Arnstein Ressem and others for figuring this out.

7. Install fileutils (optional).

```
(cd /bin; cp ln ls rm mv cp du /home/peon/bin/)
```

The same goes for libs: if you don't want to compile fileutils statically, just use ldd to find out which shared libs you need to copy to /home/peon/lib.

8. Install OpenSSH (optional).

```
cp /usr/bin/ssh /home/peon/usr/bin/
cp /usr/bin/scp /home/peon/usr/bin/
cp /usr/bin/env /home/peon/usr/bin/
```

The same goes for libs: if you don't want to compile OpenSSH statically, just use ldd to find out which shared libs you need to copy to /home/peon/lib.

OpenSSH also needs a couple of devices to function properly. Make them like this:

```
mknod -m 0666 /home/peon/dev/tty c 5 0
mknod -m 0644 /home/peon/dev/urandom c 1 9
```

9. Grant sudo access to the new account.

If you are familiar with vi, I suggest just typing visudo. If not, you'll have to find another way to edit /etc/sudoers. Add a line like the following:

```
peon ALL= NOPASSWD: /usr/sbin/chroot /home/peon /bin/su - peon*
```

The trailing * is what lets the rule also match the "-c command" form that chroot-shell appends when login hands it a command; the rule is otherwise pinned to this one chroot directory and this one user.
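Steps 5 through 8 repeat the same chore for every program: copy the binary into the chroot, run ldd, and copy each library it lists. The script below, added here as an example and not part of the original HOWTO, automates that chore (the names ldd_libs and install_into_chroot are my own); unlike the steps above it keeps each file's original directory layout under the chroot, so the dynamic loader finds the libraries without further configuration. It cannot catch libraries that ldd does not list, such as the libnss_* files noted under step 6; those still have to be copied by hand.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): populate a chroot with a
# binary plus every shared library ldd(1) reports for it.

# ldd_libs: read ldd output on stdin, print one library path per line.
# Handles both "libc.so.6 => /lib/libc.so.6 (0x...)" lines and the bare
# loader line "/lib/ld-linux.so.2 (0x...)". Entries with no file behind them
# (linux-vdso.so.1, "not found", "statically linked") are skipped.
ldd_libs() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# install_into_chroot CHROOT_DIR BINARY
# Copies BINARY and its libraries under CHROOT_DIR, preserving each absolute
# path (e.g. /lib/libc.so.6 -> CHROOT_DIR/lib/libc.so.6). Returns 1 if
# BINARY is not an executable file.
install_into_chroot() {
    chroot_dir=$1
    bin=$2
    if [ ! -x "$bin" ]; then
        echo "install_into_chroot: $bin is not an executable file" >&2
        return 1
    fi
    mkdir -p "$chroot_dir$(dirname "$bin")"
    cp "$bin" "$chroot_dir$bin"
    # For a static binary ldd lists no libraries and the loop runs zero times.
    ldd "$bin" 2>/dev/null | ldd_libs | while IFS= read -r lib; do
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp "$lib" "$chroot_dir$lib"
    done
}

# Usage: chroot-install.sh /home/peon /bin/bash /bin/su /bin/ls ...
if [ "$#" -ge 2 ]; then
    target=$1
    shift
    for b in "$@"; do
        install_into_chroot "$target" "$b" || exit 1
    done
fi
```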