[openstack-dev] Python overhead for rootwrap

Mark McLoughlin markmc at redhat.com
Fri Aug 2 09:58:11 UTC 2013


On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
> In my opinion:
> 
> 1. Stop using rootwrap completely and get strong argument checking support
> into sudo (regex).
> 2. Some sort of long lived rootwrap process, either forked by the service
> that wants to shell out or a general purpose rootwrapd type thing.
> 
> I prefer #1 because it's surprising that sudo doesn't do this type of thing
> already. It _must_ be something that everyone wants. But #2 may be quicker
> and easier to implement, my $.02.

IMHO, #1 set the discussion off in a poor direction.

Who exactly is stepping up to do this work in sudo? Unless there's
someone with even a prototype patch in hand, any insistence that we base
our solution on this hypothetical feature is an unhelpful diversion.

And even if this work was done, it will be a long time before it's in
all the distros we support, so improving rootwrap or finding an
alternate solution will still be an important discussion.

Cheers,
Mark.



