[openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

Eric Windisch eric at windisch.us
Fri Feb 13 06:44:02 UTC 2015

>
>     from neutron.agent.privileged.commands import ip_lib as priv_ip
>     def foo():
>         # Need to create a new veth interface pair - that usually requires root/NET_ADMIN
>         priv_ip.CreateLink('veth', 'veth0', peer='veth1')
>
> Because we now have elevated privileges directly (on the privileged daemon
> side) without having to shell out through sudo, we can do all sorts of
> nicer things like just using netlink directly to configure networking.
> This avoids the overhead of executing subcommands, the ugliness (and
> danger) of generating command lines and regex parsing output, and make us
> less reliant on specific versions of command line tools (since the kernel
> API should be very stable).
>

One of the advantages of spawning a new process is being able to use flags
to clone(2) and to set capabilities. This basically means to create
containers, by some definition. Anything you have in a "privileged daemon"
or privileged process ideally should reduce its privilege set for any
operation it performs. That might mean it clones itself and executes
Python, or it may execvp an executable, but either way, the new process
would have less-than-full-privilege.

For instance, writing a file might require root access, but does not need
the ability to load kernel modules. Changing network interfaces does not
need access to the filesystem, any more than changes to the filesystem need
access to the network. The capabilities and namespaces mechanisms resolve
these security conundrums and simplify the principle of least privilege.

Regards,
Eric Windisch
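The per-operation privilege reduction argued for above, written out as an added example (not code from this thread, from privsep, or from neutron): a privileged parent forks one child per operation, the child shrinks its Linux capability sets to just the mask that operation needs (here CAP_NET_ADMIN, as a veth creation would), sets no_new_privs so an exec cannot re-elevate, then runs the operation. Linux-only; capability numbers come from linux/capability.h. The function names (restrict_caps_to, run_with_caps, demo) and the stand-in operation (which only verifies that CAP_SYS_MODULE is gone instead of touching interfaces) are this example's own inventions. Shrinking your own capability sets needs no privilege, so the program behaves the same whether run as root or unprivileged.

```c
// Added example: fork a helper that keeps only the capabilities one operation
// needs (Linux capabilities via raw capget/capset). Not privsep/neutron code.
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_WORDS 2   /* _LINUX_CAPABILITY_U32S_3: two 32-bit words per set */

typedef struct {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[CAP_WORDS];
} capstate_t;

/* Read the calling thread's capability sets (version-3 ABI). */
static int cap_read(capstate_t *st) {
    memset(st, 0, sizeof *st);
    st->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    st->hdr.pid = 0; /* 0 = calling thread */
    return (int)syscall(SYS_capget, &st->hdr, st->data);
}

/* 1 if `cap` is in the effective set, 0 if not, -1 if capget failed. */
int has_cap(int cap) {
    capstate_t st;
    if (cap_read(&st) != 0) return -1;
    return (int)((st.data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Keep only capabilities whose bit is set in `keep` (bit i == CAP_i).
   Inheritable is cleared so nothing leaks across exec, and no_new_privs
   stops setuid / file-capability binaries from re-elevating the helper.
   (Dropping from the bounding set as well would need CAP_SETPCAP.) */
int restrict_caps_to(uint64_t keep) {
    capstate_t st;
    if (cap_read(&st) != 0) return -1;
    for (int w = 0; w < CAP_WORDS; w++) {
        uint32_t mask = (uint32_t)(keep >> (32 * w));
        st.data[w].permitted &= mask;
        st.data[w].effective &= mask;
        st.data[w].inheritable = 0;
    }
    if (syscall(SYS_capset, &st.hdr, st.data) != 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return 0;
}

/* The pattern from the mail: one child per operation. The child reduces
   itself to `keep`, runs `op`, and its exit status is returned to the parent
   (0 = success, 1 = op failed, 125 = could not drop privileges, -1 = fork/wait
   error). The parent's own capability sets are untouched. */
int run_with_caps(uint64_t keep, int (*op)(void *), void *arg) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (restrict_caps_to(keep) != 0) _exit(125);
        _exit(op(arg) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical stand-in for "create a veth pair": succeeds only if the
   helper no longer holds CAP_SYS_MODULE, which a network change never needs. */
static int check_net_op(void *arg) {
    (void)arg;
    return has_cap(CAP_SYS_MODULE) == 0 ? 0 : 1;
}

/* Run the network operation with nothing but CAP_NET_ADMIN retained. */
int demo(void) {
    return run_with_caps(1ull << CAP_NET_ADMIN, check_net_op, NULL);
}

int main(void) {
    int rc = demo();
    printf("helper exit status %d; parent effective CAP_SYS_MODULE=%d\n",
           rc, has_cap(CAP_SYS_MODULE));
    return rc;
}
```

Adding CLONE_NEWNET (via clone(2) or unshare(2)) in the child before the capability drop would give the network-namespace isolation the mail also mentions; it is left out here because entering a new namespace needs CAP_SYS_ADMIN or a user namespace, whereas the capability drop shown works from any starting privilege.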