[openstack-dev] [nova][cinder][neutron][security] Rootwrap on root-intensive nodes

Daniel P. Berrange berrange at redhat.com
Wed Feb 4 16:49:51 UTC 2015


On Wed, Feb 04, 2015 at 06:38:16PM +0200, Duncan Thomas wrote:
> If I'm reading that correctly, it does not help with the filtering issues
> at all, since it needs exactly the same kind of filter. Daniel explained
> the concept far better than I.

Yep, the only thing rootwrap daemon mode does is to remove the overhead
of spawning the rootwrap command. It does nothing to improve actual
security - it is still a chocolate teapot from that POV.

> On 4 February 2015 at 18:33, Jeremy Stanley <fungi at yuggoth.org> wrote:
> 
> > On 2015-02-04 13:40:29 +0200 (+0200), Duncan Thomas wrote:
> > > 4) Write a small daemon that runs as root, accepting commands over
> > > a unix domain socket or similar. Easier to audit, less code
> > > running as root.
> >
> >
> > http://git.openstack.org/cgit/openstack/oslo.rootwrap/tree/oslo_rootwrap/daemon.py
> >

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
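An added illustration of the filtering point made above (not code from this thread or from oslo.rootwrap): a simplified model of rootwrap-style command filters. Whether a command reaches the privileged side through a freshly spawned rootwrap process or through the long-running daemon, the only decision taken is the filter match, so a filter that checks the binary alone grants far more than one that also constrains the arguments. The filter classes, paths and regexes below are assumptions made for this example.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed, simplified model of rootwrap-style filters. Whether the
# caller spawns a rootwrap process per command or talks to a daemon over
# a unix socket, the privileged side answers one question: does argv
# match an entry in the filter list? The transport changes the overhead,
# not this decision.


@dataclass
class CommandFilter:
    """Allows the executable with ANY arguments: only argv[0] is checked."""
    exec_path: str

    def match(self, argv: list[str]) -> bool:
        return bool(argv) and argv[0] == self.exec_path


@dataclass
class RegExpFilter:
    """Allows the executable only when each argument fully matches its regex."""
    exec_path: str
    arg_patterns: list[str] = field(default_factory=list)

    def match(self, argv: list[str]) -> bool:
        if not argv or argv[0] != self.exec_path:
            return False
        if len(argv) - 1 != len(self.arg_patterns):
            return False
        return all(re.fullmatch(p, a) is not None
                   for p, a in zip(self.arg_patterns, argv[1:]))


def is_allowed(filters, cmdline: str) -> bool:
    """Return True if any filter in the list permits the command line."""
    argv = shlex.split(cmdline)
    return any(f.match(argv) for f in filters)


# A filter that names only the binary: any target path and mode pass.
LOOSE_FILTERS = [CommandFilter("/bin/chmod")]

# The same binary, but mode restricted to three octal digits (no setuid
# bit) and the target confined to an assumed instance directory.
STRICT_FILTERS = [RegExpFilter("/bin/chmod",
                               [r"[0-7]{3}",
                                r"/var/lib/nova/instances/[A-Za-z0-9_./-]+"])]
```

Running the two filter lists against the same command lines shows that the loose filter accepts a mode change on any file while the strict one accepts only the intended operation; tightening the filter, not changing how rootwrap is invoked, is what narrows what root will do.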


