[openstack-dev] Python overhead for rootwrap

Mark McLoughlin markmc at redhat.com
Fri Aug 2 09:58:11 UTC 2013

On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
> In my opinion:
> 1. Stop using rootwrap completely and get strong argument checking support
> into sudo (regex).
> 2. Some sort of long-lived rootwrap process, either forked by the service
> that wants to shell out or a general purpose rootwrapd type thing.
> I prefer #1 because it's surprising that sudo doesn't do this type of thing
> already. It _must_ be something that everyone wants. But #2 may be quicker
> and easier to implement, my $.02.

IMHO, #1 set the discussion off in a poor direction.

Who exactly is stepping up to do this work in sudo? Unless there's
someone with even a prototype patch in hand, any insistence that we base
our solution on this hypothetical feature is an unhelpful diversion.

And even if this work was done, it will be a long time before it's in
all the distros we support, so improving rootwrap or finding an
alternate solution will still be an important discussion.


