[openstack-dev] Python overhead for rootwrap

Russell Bryant rbryant at redhat.com
Thu Jul 25 20:59:47 UTC 2013


On 07/25/2013 04:40 PM, Mike Wilson wrote:
> In my opinion:
> 
> 1. Stop using rootwrap completely and get strong argument checking
> support into sudo (regex).
> 2. Some sort of long lived rootwrap process, either forked by the
> service that want's to shell out or a general purpose rootwrapd type thing.
> 
> I prefer #1 because it's surprising that sudo doesn't do this type of
> thing already. It _must_ be something that everyone wants. But #2 may be
> quicker and easier to implement, my $.02.

We could do #1 and keep rootwrap around as the fallback if the local
version of sudo doesn't support what we need.

-- 
Russell Bryant



More information about the OpenStack-dev mailing list