[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Tue Jul 30 09:06:26 UTC 2013


Jay Buffington wrote:
> I haven't closely looked at rootwrap, but it seems to me that you could
> use the rootwrap config files to generate a gigantic sudoers config file
> which would not necessarily be human readable.  That would have the
> flexibility and maintainability of rootwrap with the speed and
> auditability of sudo.

I don't think you could. Sudo's ability to filter arguments is quite
limited. Rootwrap implements smart filters, like for example limiting
the usage of "kill" to "dnsmasq" processes by reading and resolving
PIDs. Good luck doing that in a sudoers file, gigantic or not.

More explanation on rootwrap's rationale at:
https://fnords.wordpress.com/2011/11/23/improving-nova-privilege-escalation-model-part-1/

-- 
Thierry Carrez (ttx)
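
Added example, not part of the original message and not rootwrap's own code: a minimal sketch of the kind of PID-resolving "kill" filter the reply describes, which a static sudoers argument pattern cannot express. The names `kill_allowed` and `make_fake_proc`, the `proc_root` parameter and the sample PIDs are assumptions made for illustration.

```python
import os
import re
import tempfile

def kill_allowed(argv, allowed_exe, allowed_signals, proc_root="/proc"):
    """True only for `kill [-SIG] PID` where PID is running allowed_exe."""
    if len(argv) not in (2, 3) or argv[0] != "kill":
        return False
    # With no signal argument kill sends TERM; model that as "" in the allow-list.
    signal = argv[1] if len(argv) == 3 else ""
    if signal not in allowed_signals:
        return False
    pid = argv[-1]
    # Plain positive integer only: rejects "-1" (every process), "0", and paths.
    if not re.fullmatch(r"[1-9][0-9]*", pid):
        return False
    try:
        # Resolve the PID to the binary it is actually executing.
        exe = os.readlink(os.path.join(proc_root, pid, "exe"))
    except OSError:
        return False  # no such process, or not readable
    # Linux appends " (deleted)" when the binary was replaced on disk (upgrade).
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
    return exe == allowed_exe

def make_fake_proc(pid_to_exe):
    """Build a constructed /proc look-alike so the check runs without root."""
    root = tempfile.mkdtemp()
    for pid, exe in pid_to_exe.items():
        os.mkdir(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))
    return root

if __name__ == "__main__":
    # Constructed sample processes, not real PIDs.
    proc = make_fake_proc({"4242": "/usr/sbin/dnsmasq", "1": "/sbin/init"})
    for cmd in (["kill", "-9", "4242"], ["kill", "-9", "1"], ["kill", "-9", "-1"]):
        ok = kill_allowed(cmd, "/usr/sbin/dnsmasq", {"-9", "-HUP"}, proc)
        print(" ".join(cmd), "->", "allow" if ok else "deny")
```

The check and the eventual kill are separate steps, so a PID can exit and be reused in between; the filter narrows what can be signalled but does not remove that window.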
