SSH with chroot and only working "sftp", "rsync" (both)?

4 votes
1 answer
4138 views
I have two users and one shared folder in my Ubuntu server:

1. User `writer`, which has write access to `/var/shared`. It's an application regularly making file changes in this folder from remote, with an SSH key.
2. User `reader` is used by multiple clients with an SSH key, a key they can get without my permission; that's why I need to restrict the commands available in this shell.

### Question:

I need to restrict the commands accessible to the `reader` user so it can use only the sftp and rsync protocols (no standard commands like `mkdir`, `ls`, `top`, ...). Only the directory `/var/shared` must be readable, and it must be the root path, e.g., no need to `cd` into it; it's already `/` in sftp or rsync.

**How do I write a shell script so I can apply it with `usermod -s` for user `reader` that will give such behavior?** I cannot find any samples.

How do I make `writer` also remain "jailed" to `/var/share`, so the paths are the same?

### Notes:

1. I have tried sshd_config's `Match`, `ForceCommand internal-sftp` and `ChrootDirectory` directives already. This requires the `ChrootDirectory` to be owned by root and non-writable (755 or less), and does not support rsync.
2. I have tried rssh, but it simply doesn't work for directories outside the home directory of the logged-in user. So I couldn't chroot users to the same directory with different permissions.
3. I tried to use `command=".." ssh-rsa....` in the `authorized_keys` file, but didn't get how I can enable the behavior I need; I only checked the `rrsync` script from rsync's docs. This method has no chroot feature, which I need.

### Can I have a sample at least for such shells? Is this achievable with scripts?

Bash and C++ (if needed) are welcome.

Output of `ldd /bin/bash`:

```
linux-vdso.so.1 => (0x00007fff7e9d1000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f79dfd8b000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f79dfb87000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f79df7bd000)
/lib64/ld-linux-x86-64.so.2 (0x000055bd0767c000)
```
Asked by George (41 rep)
Jun 21, 2016, 10:55 PM
Last activity: Jun 28, 2025, 03:05 PM
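
Note 3 of the question mentions the `command="..."` option in `authorized_keys`. The following is an added example (not part of the original post, and not rsync's `rrsync` script) of a forced-command filter for the `reader` key that allows only read-only sftp and rsync pulls from `/var/shared`. The install path `/usr/local/bin/reader-gate`, the sftp-server path and the function name `classify` are assumptions; the script filters commands only and does not chroot.

```shell
#!/bin/sh
# Forced-command filter for the "reader" key (added example). authorized_keys entry:
#   command="/usr/local/bin/reader-gate",no-pty,no-port-forwarding ssh-rsa AAAA...
SHARE=/var/shared                          # shared folder from the question
SFTP_SERVER=/usr/lib/openssh/sftp-server   # assumed location of sftp-server

# classify CMD: prints sftp, rsync-read or deny. CMD is never handed to a shell.
classify() {
    set -f; set -- $1; set +f              # split on whitespace, no globbing
    [ $# -gt 0 ] || { echo deny; return; }
    for w in "$@"; do
        case $w in *[!A-Za-z0-9._/,=+:@%-]*) echo deny; return ;; esac
    done
    # sftp requests show up as the Subsystem command configured in sshd_config.
    if [ $# -eq 1 ] && { [ "$1" = "$SFTP_SERVER" ] || [ "$1" = internal-sftp ]; }; then
        echo sftp; return
    fi
    # A pull arrives as: rsync --server --sender <options> . <path>...
    if [ $# -ge 5 ] && [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ]; then
        shift 3
        state=0                            # 0 options, 1 saw ".", 2 saw an allowed path
        for w in "$@"; do
            if [ "$state" = 0 ]; then
                case $w in .) state=1 ;; -*) ;; *) echo deny; return ;; esac
                continue
            fi
            case $w in
                */../*|*/..) echo deny; return ;;      # no climbing out of the share
                "$SHARE"|"$SHARE"/*) state=2 ;;
                *) echo deny; return ;;
            esac
        done
        [ "$state" = 2 ] && { echo rsync-read; return; }
    fi
    echo deny
}

# With a forced command, sshd puts the client's request in SSH_ORIGINAL_COMMAND;
# a plain login leaves it unset, so the script ends and no shell starts.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    case $(classify "$SSH_ORIGINAL_COMMAND") in
        sftp)       exec "$SFTP_SERVER" -R -d "$SHARE" ;;   # -R read-only, -d start dir
        rsync-read) set -f; exec $SSH_ORIGINAL_COMMAND ;;   # word-split only, no shell
        *)          echo "reader-gate: command not permitted" >&2; exit 1 ;;
    esac
fi
```

Uploads (`rsync --server` without `--sender`) fall through to `deny`, and write protection for `reader` still rests on the filesystem permissions of `/var/shared`.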