[nova] Privsep is not giving us any security

Eric Fried openstack at fried.cc
Wed Apr 3 13:15:05 UTC 2019

> 1- introduce privsep
> 2- change rootwrap calls into generic privsep functions
> 3- start refactoring calling code so that generic privsep functions can
> be replaced by narrow, context-aware functions
> You can tackle (2) and (3) at the same time.

In Nova at least, (2) (without (3)) already has patches proposed all the
way up [A], so I'm going to go out on a limb and say we're going to wait
to tackle (3) until after that series [B], at least for existing code.

> It would be good to describe the antipattern and how to write "good"
> privsep functions though, if only to be able to point developers and
> reviewers to that. Suggestions on where we could do that?
Agree with this for sure. I understand the rootwrap->privsep thing well
enough to review the existing series, but will need help understanding
how (3) will need to look.

Long-term, the document should obviously live somewhere
non-project-specific, and I don't know where that would be.
Short(er)-term, since we have momentum on the issue in Nova, as well as
a clear picture of all the places it needs to be applied (thanks to
(2)/[A]), how about we include it in a Nova spec, since we're going to
need one anyway?


[B] Note that that series has been in flight for quite a while. The
patch that actually removes rootwrap
(https://review.openstack.org/#/c/554438/) was first proposed right
about a year ago. I'm hoping this email thread gets the series some more
review attention.

More information about the openstack-discuss mailing list