[nova][tc][security-sig] Privsep is not giving us any security

Jeremy Stanley fungi at yuggoth.org
Fri Mar 29 13:19:54 UTC 2019


On 2019-03-29 11:18:10 +0000 (+0000), Matthew Booth wrote:
[...]
> I suspect out of expediency in the initial forklift from rootwrap,
> we've lost this critical principle of moving security-critical
> logic into privsep itself.
[...]

Yes, the expectation was that once the privsep framework was
available, services relying on rootwrap would rework sensitive calls
to operate within privsep and minimally limit those services'
ability to influence their execution in dangerous ways. Nova isn't
the only one still in this state (either with far-too-dangerous
privsep functions exposed or still mostly relying on really lax
rootwrap filters). This could make for an excellent cross-project
effort, perhaps even a cycle goal, so I've added the [tc] tag to the
subject. I've also tagged it for the [security-sig] as members there
may have an interest in assisting with the effort.
-- 
Jeremy Stanley
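The distinction the thread is drawing, as an added illustration (not code from the thread, from Nova, or from oslo.privsep): a privsep entrypoint that merely proxies a root call leaves every decision with the unprivileged caller, whereas one that keeps the policy on the privileged side limits what a compromised service can do. The `entrypoint` stand-in, the instance directory layout and the uid/gid values are assumptions.

```python
import os
import re

# Stand-in for oslo.privsep's ``@context.entrypoint`` (assumption: the real
# decorator forwards the call to a separate root daemon; here it only tags
# the function so the pattern can be run and tested without privileges).
def entrypoint(func):
    func.privileged = True
    return func

INSTANCE_ROOT = "/var/lib/nova/instances"   # assumed layout, not Nova's config
SERVICE_UID, SERVICE_GID = 42436, 42436     # constructed sample ids
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Anti-pattern: a privileged proxy with no policy of its own. Any code that
# can reach it from the unprivileged service effectively has root chown.
@entrypoint
def chown_any(path, uid, gid):
    os.chown(path, uid, gid)

# Hardened: the privileged side owns the decision. The caller only names an
# instance and a file inside it; owner and location are fixed here.
def instance_file_path(instance_uuid, name):
    if not UUID_RE.match(instance_uuid):
        raise ValueError("bad instance uuid")
    root = os.path.realpath(INSTANCE_ROOT)
    candidate = os.path.realpath(os.path.join(root, instance_uuid, name))
    # realpath collapses "../" and an absolute ``name`` replaces the prefix
    # in os.path.join, so both escapes show up as a path outside ``root``.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the instance directory")
    return candidate

@entrypoint
def chown_instance_file(instance_uuid, name):
    os.chown(instance_file_path(instance_uuid, name), SERVICE_UID, SERVICE_GID)

def is_accepted(instance_uuid, name):
    """Report whether the hardened entrypoint would act on this request."""
    try:
        instance_file_path(instance_uuid, name)
        return True
    except ValueError:
        return False
```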