undefined | Better HN

0 pointstomxor7y ago0 comments

I thought it was reasonably secure (consider this would only include minimal binaries required for rsync without an interactive shell), but I am relatively ignorant in this area, would you care to elaborate?

LXC/D was on my radar but all of this is a little more complexity than I was anticipating dealing with myself (the security side of locking down the rsync account at least). I may even settle for "restricted rsync". This is why I value rsync.net, they do this for me - and for a much lower cost I might add (I am not a security expert).

0 comments

napsterbr7y ago

Indeed. For clarification, FreeBSD jails are considered safe, since they add capabilities checks on top of the chroot. Chroot itself, on the other hand, is relatively easy to break out.

Not sure if you have ever used, but you might enjoy FreeBSD :) using jails is not at all that difficult. To be honest I find it easier to use jails than docker. Never used LXC so I don't know how it compares with regards to ease of use.

tomxorOP7y ago

Thanks. I've used FreeBSD before, but have far more experience using Linux in production, I may have to give it another go some time for specific purposes like this.

j / k navigate · click thread line to collapse

0 pointstomxor7y ago0 comments

0 comments

napsterbr7y ago

Indeed. For clarification, FreeBSD jails are considered safe, since they add capabilities checks on top of the chroot. Chroot itself, on the other hand, is relatively easy to break out.

tomxorOP7y ago

Thanks. I've used FreeBSD before, but have far more experience using Linux in production, I may have to give it another go some time for specific purposes like this.

j / k navigate · click thread line to collapse