Ben Nemec wrote:
[...]
>> It would be good to describe the antipattern and how to write "good" privsep functions though, if only to be able to point developers and reviewers to that. Suggestions on where we could do that?
>
> Agree with this for sure. I understand the rootwrap->privsep thing well enough to review the existing series, but will need help understanding how (3) will need to look.
>
>> Long-term, the document should obviously live somewhere non-project-specific, and I don't know where that would be. Short(er)-term, since we have momentum on the issue in Nova, as well as a clear picture of all the places it needs to be applied (thanks to (2)/[A]), how about we include it in a Nova spec, since we're going to need one anyway?
>
> Wouldn't we put privsep best practices in the privsep docs? Currently the usage docs[0] just link to Michael's blog posts about implementing privsep, but that seems like the logical place to keep the guidelines for writing good privileged functions.
Makes sense. I'll try to describe the antipattern, unless someone beats me to it.

-- 
Thierry Carrez (ttx)
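For readers who have not followed the earlier part of the thread, the following is an added illustration of the difference the thread is about: a privsep entrypoint that merely re-implements rootwrap (caller hands over the whole command or path, privileged side runs it) next to a privileged function that takes only the data the operation needs and validates it on the privileged side. This is example code written for this page, not Nova's or oslo.privsep's own; the `entrypoint` decorator is a local stand-in for oslo.privsep's `PrivContext.entrypoint` so the file runs without the library and without root, and the function names (`execute`, `writefile`, `set_sysfs_net_attr`, `make_fake_sysfs`) and the `sysfs_root` parameter are hypothetical.

```python
"""The privsep antipattern next to a narrow privileged function.

Added illustration, not code from Nova or oslo.privsep.  ``entrypoint`` is a
local stand-in for oslo.privsep's ``PrivContext.entrypoint`` decorator so the
file runs without the library and without root; the function names are
hypothetical.
"""
import os
import re
import subprocess
import tempfile


def entrypoint(func):
    """Stand-in for the privsep decorator.  In a real deployment everything
    marked this way runs inside the root-privileged daemon, so the function's
    *signature* is what an attacker who controls the unprivileged process
    gets to call as root."""
    func.privileged = True
    return func


# --- Antipattern: privsep used as a thin rootwrap --------------------------
# The caller hands over the whole argv or path.  Any validation lives on the
# unprivileged side, which is exactly the side an attacker controls, so the
# privilege boundary adds nothing: this is a root shell with extra steps.

@entrypoint
def execute(cmd):
    """Run any command (as root, when deployed under privsep)."""
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True).stdout


@entrypoint
def writefile(path, content):
    """Write any file (as root): /etc/shadow, authorized_keys, sudoers..."""
    with open(path, "w") as f:
        f.write(content)


# --- Narrow privileged function -------------------------------------------
# The caller supplies only the data the operation needs; the privileged side
# validates it and decides the exact path itself.

# Linux interface names: up to IFNAMSIZ-1 chars, never "." / ".." / a '/'.
_IFNAME = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")
_ALLOWED_ATTRS = {"mtu", "tx_queue_len"}


@entrypoint
def set_sysfs_net_attr(ifname, attr, value, sysfs_root="/sys/class/net"):
    """Write one allowlisted attribute of one network interface.

    Returns the path written.  ``sysfs_root`` is parameterised only so the
    example can be exercised against a constructed sysfs tree without root.
    """
    if not _IFNAME.match(ifname) or ifname in (".", ".."):
        raise ValueError("invalid interface name: %r" % (ifname,))
    if attr not in _ALLOWED_ATTRS:
        raise ValueError("attribute not permitted: %r" % (attr,))
    if not re.fullmatch(r"[0-9]{1,6}", str(value)):
        raise ValueError("value must be a small integer: %r" % (value,))
    target = os.path.join(sysfs_root, ifname, attr)
    # Defence in depth: even if the checks above are loosened later, refuse
    # anything that would land outside the sysfs tree.
    if os.path.commonpath([sysfs_root, os.path.normpath(target)]) != \
            os.path.normpath(sysfs_root):
        raise ValueError("refusing path outside %s: %s" % (sysfs_root, target))
    with open(target, "w") as f:
        f.write(str(value))
    return target


def make_fake_sysfs(ifnames):
    """Constructed fixture: a temp dir shaped like /sys/class/net."""
    root = tempfile.mkdtemp(prefix="fake_sysfs_")
    for name in ifnames:
        os.makedirs(os.path.join(root, name))
    return root


if __name__ == "__main__":
    root = make_fake_sysfs(["eth0"])
    print(set_sysfs_net_attr("eth0", "mtu", 1400, sysfs_root=root))
    for bad in [("../eth0", "mtu", 1400), ("eth0", "uevent", 1),
                ("eth0", "mtu", "1400; reboot")]:
        try:
            set_sysfs_net_attr(*bad, sysfs_root=root)
        except ValueError as e:
            print("rejected:", e)
```

The point to take from the shapes: `execute` and `writefile` are exactly what a rootwrap filter would have let through, only now without even the filter, whereas `set_sysfs_net_attr` can be audited in isolation, because the set of root-level effects reachable through it is fixed by the function body rather than by whoever calls it.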