In short, yes this can be a security threat. You mentioned you have not chrooted users. A chroot jail is most likely what you are looking for, however. I can suggest a few places to look as I have set this up before in the past using these same pages (I kept them bookmarked).
This creates a script to auto setup a chroot jail. It's very easy to understand and follow:
http://www.fuschlberger.net/programs...p-chroot-jail/
This helps explain how to setup a chrooted environment for rssh:
http://www.cyberciti.biz/tips/howto-...ail-setup.html
This user, Falko Timme is brilliant with detailing his walkthroughs. For some reason anytime I look for how to do something, I always seem to find his guides:
http://www.howtoforge.com/chrooted-s...l-debian-lenny
Rich