On operating systems that support this operation, cvsnt provides the Chroot parameter (in the /etc/cvsnt/PServer file). After CVSNT has loaded it will perform the chroot just prior to dropping privileges and before any filesystem operations.
The chroot jail must contain a /tmp directory for use by the server but does not need any binary or library directories. In the minimal (most secure) configuration it is impossible to run scripts of any kind. Adding binaries/libraries to allow script execution should be done with care. Never add setuid binaries to a chroot jail as it may allow an attacker an avenue to break out of it.