[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Fri Aug 2 11:52:57 UTC 2013


Daniel P. Berrange wrote:
> On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote:
>> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
>>> In my opinion:
>>>
>>> 1. Stop using rootwrap completely and get strong argument checking support
>>> into sudo (regex).
>>> 2. Some sort of long lived rootwrap process, either forked by the service
>>> that wants to shell out or a general purpose rootwrapd type thing.
>>>
>>> I prefer #1 because it's surprising that sudo doesn't do this type of thing
>>> already. It _must_ be something that everyone wants. But #2 may be quicker
>>> and easier to implement, my $.02.
>>
>> IMHO, #1 set the discussion off in a poor direction.
>>
>> Who exactly is stepping up to do this work in sudo? Unless there's
>> someone with an even prototype patch in hand, any insistence that we base
>> our solution on this hypothetical feature is an unhelpful diversion.
>>
>> And even if this work was done, it will be a long time before it's in
>> all the distros we support, so improving rootwrap or finding an
>> alternate solution will still be an important discussion.
> 
> Personally I'm of the opinion that from an architectural POV, use of
> either rootwrap or sudo is a bad solution, so arguing about which is
> better is really missing the bigger picture. In Linux, there has been
> a move away from use of sudo or similar approaches, towards the idea
> of having privileged separated services. So if you wanted to do stuff
> related to storage, you'd have some small daemon running privileged,
> which exposed APIs over DBus, which the non-privileged thing would
> call to make storage changes. Operations exposed by the service would
> have access control configured via something like PolicyKit, and/or
> SELinux/AppArmor.
> 
> Of course this is a lot more work than just hacking up some scripts
> using sudo or rootwrap. That's the price you pay for properly
> engineering formal APIs to do jobs instead of punting to random
> shell scripts.

And for the record, I would be supportive of any proper effort to
implement privileged calls using a (hopefully minimal) privileged
daemon, especially for nodes that make heavy usage of privileged calls.
I just don't feel that going back to sudo (or claiming you can just
introduce all rootwrap features in sudo) is the proper way to fix the
problem.

-- 
Thierry Carrez (ttx)
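The privilege-separated service Daniel describes, sketched as an added example (it is not OpenStack or rootwrap code and is not from this thread): the unprivileged side sends a structured request naming an operation and typed arguments, and the privileged side checks both against an explicit operation table before doing anything, so there is no shell string to sanitise. It assumes a socketpair in place of DBus, a thread in place of a root daemon, and a made-up `attach_volume` operation as the only entry in the table.

```python
"""Privilege-separated helper with a formal API (illustrative example).
The transport is a socketpair, not DBus, and the 'privileged' side runs
in a thread, not as a root daemon; access control such as PolicyKit
is stood in for by the operation table below."""
import json
import re
import socket
import threading

# Constructed example: block device names the service will accept.
_DEV = re.compile(r"^/dev/[a-z0-9]+$")

# Operation table: name -> (per-argument validators, handler). The handler
# only records what it would have done; a real daemon would act here.
OPS = {
    "attach_volume": (
        {"device": lambda v: isinstance(v, str) and _DEV.match(v) is not None,
         "read_only": lambda v: isinstance(v, bool)},
        lambda a: f"attached {a['device']} ro={a['read_only']}",
    ),
}

def handle_request(raw: bytes) -> dict:
    """Privileged side: refuse unknown operations and malformed or
    unexpected arguments before any privileged action runs."""
    try:
        req = json.loads(raw)
        op, args = req["op"], req["args"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed request"}
    if op not in OPS or not isinstance(args, dict):
        return {"ok": False, "error": "operation not permitted"}
    validators, handler = OPS[op]
    if set(args) != set(validators) or not all(validators[k](args[k]) for k in args):
        return {"ok": False, "error": "invalid arguments"}
    return {"ok": True, "result": handler(args)}

def _serve_one(server: socket.socket) -> None:
    """Answer exactly one request on the privileged end of the pair."""
    server.sendall(json.dumps(handle_request(server.recv(65536))).encode())

def call(op: str, **args) -> dict:
    """Unprivileged side: send one structured request and return the reply."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_serve_one, args=(server,))
    worker.start()
    client.sendall(json.dumps({"op": op, "args": args}).encode())
    reply = json.loads(client.recv(65536))
    worker.join()
    client.close()
    server.close()
    return reply
```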