[nova] Privsep is not giving us any security

Ben Nemec openstack at nemebean.com
Wed Apr 3 15:23:21 UTC 2019

On 4/3/19 8:15 AM, Eric Fried wrote:
>> 1- introduce privsep
>> 2- change rootwrap calls into generic privsep functions
>> 3- start refactoring calling code so that generic privsep functions can
>> be replaced by narrow, context-aware functions
>> You can tackle (2) and (3) at the same time.
> In Nova at least, (2) (without (3)) already has patches proposed all the
> way up [A], so I'm going to go out on a limb and say we're going to wait
> to tackle (3) until after that series [B], at least for existing code.
>> It would be good to describe the antipattern and how to write "good"
>> privsep functions though, if only to be able to point developers and
>> reviewers to that. Suggestions on where we could do that?
> Agree with this for sure. I understand the rootwrap->privsep thing well
> enough to review the existing series, but will need help understanding
> how (3) will need to look.
> Long-term, the document should obviously live somewhere
> non-project-specific, and I don't know where that would be.
> Short(er)-term, since we have momentum on the issue in Nova, as well as
> a clear picture of all the places it needs to be applied (thanks to
> (2)/[A]), how about we include it in a Nova spec, since we're going to
> need one anyway?

Wouldn't we put privsep best practices in the privsep docs? Currently 
the usage docs[0] just link to Michael's blog posts about implementing 
privsep, but that seems like the logical place to keep the guidelines 
for writing good privileged functions.

0: https://docs.openstack.org/oslo.privsep/latest/user/index.html

> -efried
> [A]
> https://review.openstack.org/#/q/topic:my-own-personal-alternative-universe+(status:open+OR+status:merged)
> [B] Note that that series has been in flight for quite a while. The
> patch that actually removes rootwrap
> (https://review.openstack.org/#/c/554438/) was first proposed right
> about a year ago. I'm hoping this email thread gets the series some more
> review attention.
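To make the difference between step (2) and step (3) concrete, here is an added illustration (not code from nova, oslo.privsep, or anyone in this thread). `PrivContext` is a constructed stand-in that only records calls in-process; the real oslo.privsep context would forward them to a root helper daemon. The point is what crosses the boundary: a whole command line versus typed, validated parameters.

```python
"""Generic vs narrow privileged functions, mirroring steps (2) and (3)."""
import re
import subprocess


class PrivContext:
    """Stand-in for a privsep context (constructed for this example)."""

    def __init__(self, capabilities):
        self.capabilities = capabilities  # what the helper would be limited to
        self.calls = []                   # audit trail of boundary crossings

    def entrypoint(self, func):
        def wrapper(*args, **kwargs):
            self.calls.append((func.__name__, args, kwargs))
            return func(*args, **kwargs)
        wrapper.__name__ = func.__name__
        return wrapper


# Step (2) antipattern: a rootwrap call turned into a generic privsep function.
# Any caller, and any bug on the unprivileged side, can run any command as
# root, so the privilege boundary checks nothing.
anything_pctxt = PrivContext(capabilities=["CAP_SYS_ADMIN"])


@anything_pctxt.entrypoint
def execute(*cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Step (3): a narrow, context-aware function. The privileged side owns the
# command line, the caller supplies only validated parameters, and the
# context carries only the capability this one operation needs.
net_admin_pctxt = PrivContext(capabilities=["CAP_NET_ADMIN"])
_IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def build_set_mtu_cmd(ifname, mtu):
    """Validate inputs and build the exact argv; refuse anything else."""
    if not isinstance(ifname, str) or not _IFNAME_RE.fullmatch(ifname):
        raise ValueError("bad interface name: %r" % (ifname,))
    if not isinstance(mtu, int) or not 68 <= mtu <= 65535:
        raise ValueError("bad mtu: %r" % (mtu,))
    return ["ip", "link", "set", "dev", ifname, "mtu", str(mtu)]


@net_admin_pctxt.entrypoint
def set_interface_mtu(ifname, mtu):
    # Only a fixed ip(8) invocation with checked arguments can run here.
    return subprocess.run(build_set_mtu_cmd(ifname, mtu), check=True)
```

Reviewing a step (3) conversion then comes down to two questions: does the privileged function build its own command line from validated arguments, and does its context declare only the capabilities that command needs?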