<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 14, 2015 at 2:48 AM, Angus Lees <span dir="ltr"><<a href="mailto:gus@inodes.org" target="_blank">gus@inodes.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><span class="">On Wed, 13 May 2015 at 02:16 Thierry Carrez <<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Lucas Fisher wrote:<br>
> We spent some time at the OSSG mid-cycle meet-up this week discussing root wrap, looking at the existing code, and considering some of the mailing list discussions.<br>
><br>
> Summary of our discussions: <a href="https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md" target="_blank">https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md</a><br>
><br>
> The one line summary is we like the idea of a privileged daemon with higher level interfaces to the commands being run. It has a number of advantages such as easier to audit, enables better input sanitization, cleaner interfaces, and easier to take advantage of Linux capabilities, SELinux, AppArmour, etc. The write-up has some more details.<br>
<br>
For those interested in that topic and willing to work on the next<br>
stage, we'll have a work session on the future of rootwrap in the Oslo<br>
track at the Design Summit in Vancouver:<br>
<br>
<a href="http://sched.co/3B2B" target="_blank">http://sched.co/3B2B</a><br><br></blockquote><div><br></div></span><div>Fwiw, I've continued work on my privsep proposal(*) and how it interacts with existing rootwrap. I look forward to discussing it and alternatives at the session.</div><div><br></div><div>(*) <a href="https://review.openstack.org/#/c/155631" target="_blank">https://review.openstack.org/#/c/155631</a></div><div><br></div><div> - Gus</div></div></div>
<br></blockquote><div><br><div class="gmail_extra">As part of the OSSG work, I started prototyping changes in Nova where the goal is to<br><br>1) Get all the code that's calling rootwrap into one place so that it's easy to find, and get tests for this code.<br>2)
Next (or even in step 1 if it's easy enough), tighten the interfaces,
so that rather than providing a function to do "chmod %s %s" it would
only allow whatever chmod nova actually has to do, maybe passing
in a server ID rather than a bare file name.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">With this, we should be able to tighten up the rootwrap filters in the same way, or switch to privsep or whatever we decide to do in the future. So maybe it looks like rearranging deckchairs on the titanic, but in this case the deckchairs are blocking the emergency exits.<br></div><br></div><div>I didn't get too far in it to even see how viable the approach is since I was working on other things.<br></div><div><br></div><div>I'll put this session on my calendar.<br></div><div><br></div><div>- Brant<br></div><br></div></div></div>