[openstack-dev] Python overhead for rootwrap

Sean Dague sean at dague.net
Fri Jul 26 12:07:48 UTC 2013

On 07/25/2013 05:43 PM, Thierry Carrez wrote:
> Russell Bryant wrote:
>> On 07/25/2013 04:40 PM, Mike Wilson wrote:
>>> In my opinion:
>>> 1. Stop using rootwrap completely and get strong argument checking
>>> support into sudo (regex).
>>> 2. Some sort of long lived rootwrap process, either forked by the
>>> service that want's to shell out or a general purpose rootwrapd type thing.
>>> I prefer #1 because it's surprising that sudo doesn't do this type of
>>> thing already. It _must_ be something that everyone wants. But #2 may be
>>> quicker and easier to implement, my $.02.
>> We could do #1 and keep rootwrap around as the fallback if the local
>> version of sudo doesn't support what we need.
> It's not just regexp support, rootwrap basically lets you extend the
> rules to be openstack-specific (custom filters). That feature is not
> widely used yet but is the key to fine-grained privilege escalation in
> the future. Also getting something new into sudo is (for good reasons)
> quite difficult.
> I would rather support solution 3: create a single, separate  executable
> that does those 20 things that need to be done (can be a shell script
> with some logic in it), and have rootwrap call that *once*. That way you
> increase speed by 20 times without dumping the security model.

The reason there are 20 different call outs is that they aren't all in 
the same place. There are phases that happen here, and different kind of 
errors needed. I'm skeptical that you could push it all into one place.


Sean Dague

More information about the OpenStack-dev mailing list