<div dir="ltr">Hello, Thierry.<div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 17, 2014 at 6:04 PM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">Note that the whole concept behind rootwrap is to limit the amount of<br></div>
code that runs with elevated privileges. If you end up running a full<br>
service as root which imports as many libraries as the rest of OpenStack<br>
services, then you should seriously consider switching to running your<br>
root-heavy service as root directly, because it won't make that much of<br>
a difference.<br>
<br>
I'm not closing the door to a persistent implementation... Just saying<br>
that in order to be useful, it needs to be as minimal as possible (both<br>
in amount of code written and code imported) and as simple as possible<br>
(so that its security model can be easily proven safe).<br></blockquote><div><br></div><div style>I'm aiming at ~100 new lines of code for daemon. Of course I'll use some batteries included with Python stdlib but they should be safe already.</div>
<div style>It should be rather easy to audit them.</div></div><div><br></div>-- <br><br><div>Kind regards, Yuriy.</div>
</div></div>