Open Stack

Jay Buffington wrote:
> I haven't closely looked at rootwrap, but it seems to me that you could
> use the
> rootwrap config files to generate a gigantic sudoers config file which
> would not
> necessarily be human readable.  That would have the flexibility and 
> maintainability of rootwrap with the speed and audibility sudo.

I don't think you could. Sudo's ability to filter arguments is quite
limited. Rootwrap implements smart filters, like for example limiting
the usage of "kill" to "dnsmasq" processes by reading and resolving
PIDs. Good luck for doing that in a sudoers file, gigantic or not.

More explanation on rootwrap's rationale at:
https://fnords.wordpress.com/2011/11/23/improving-nova-privilege-escalation-model-part-1/

-- 
Thierry Carrez (ttx)