Using the same user for running the service and for owning the configuration files is a danger, i.e. the service's running user shouldn't be able to change the configuration files. A simple attack would be:

* a hacker hacked into the nova-api container with the nova user
* he can change the /etc/nova/rootwrap.conf file and the /etc/nova/rootwrap.d file, with which he can get much greater authority with sudo
* he can also change the /etc/nova/nova.conf file to use another privsep_command.helper_command to get greater authority

    [privsep_entrypoint]
    helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf

So the right rule should be: do not let the service's running user have write permission to the configuration files. As for the nova.conf file, I think root:root with 644 permission is enough; for the directory, root:root with 755 is enough.

A related BP[0] and PS[1] have been created.

[0] https://blueprints.launchpad.net/kolla/+spec/config-readonly
[1] https://review.openstack.org/376465

On Sat, Sep 24, 2016 at 11:08 PM, 1392607554 <1392607554 at qq.com> wrote:
> configuration file owner and permission in container
>
> --
> Regards,
> zhubingbing
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>

--
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
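The rule proposed above (configuration files root:root and 0644, directories root:root and 0755, nothing writable by the service user) is easy to audit from inside a container. The script below is an added example and is not code from the mail, from kolla or from nova: it walks a configuration tree recursively (so a rootwrap.d directory is covered along with nova.conf and rootwrap.conf), reports every entry whose owner or mode deviates from the rule, and returns non-zero when any violation exists. It assumes GNU stat (the -c format); the nova-like file names and contents it builds for the demo are constructed stand-ins for /etc/nova, not the project's own layout.

```shell
#!/bin/sh
# Added example, not from the original mail or the kolla/nova projects:
# audit that a container's configuration tree is owned by the intended
# user and not writable by anyone else (root:root, 0644 files, 0755 dirs).
# Assumes GNU stat (-c format). File names/contents below are constructed.

# check_config_perms DIR [WANT_UID] [WANT_GID]
# Walks DIR recursively and prints one line per violation.
# Returns 0 when every entry matches, 1 otherwise.
# WANT_UID/WANT_GID default to 0 (root); the demo passes the current
# user so it can run unprivileged.
check_config_perms() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    bad=0
    list=$(mktemp)
    find "$dir" \( -type f -o -type d \) > "$list"
    while IFS= read -r path; do
        # numeric uid, gid and octal mode of the entry (GNU stat assumed)
        set -- $(stat -c '%u %g %a' "$path")
        uid=$1; gid=$2; mode=$3
        if [ -d "$path" ]; then want_mode=755; else want_mode=644; fi
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            echo "BAD owner $path: $uid:$gid, want $want_uid:$want_gid"
            bad=$((bad + 1))
        fi
        if [ "$mode" != "$want_mode" ]; then
            echo "BAD mode  $path: $mode, want $want_mode"
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$bad" -eq 0 ]
}

# make_sample_tree weak|hardened
# Builds a constructed nova-like config tree in a temp dir and prints its
# path. "weak" mimics files the service user could write (group-writable,
# 0664/0775); "hardened" applies the permissions the mail recommends.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/rootwrap.d"
    printf '[privsep_entrypoint]\nhelper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf\n' > "$root/nova.conf"
    printf '[DEFAULT]\nfilters_path=/etc/nova/rootwrap.d\n' > "$root/rootwrap.conf"
    printf '[Filters]\n' > "$root/rootwrap.d/compute.filters"
    if [ "$1" = weak ]; then fmode=664; dmode=775; else fmode=644; dmode=755; fi
    chmod "$dmode" "$root" "$root/rootwrap.d"
    chmod "$fmode" "$root/nova.conf" "$root/rootwrap.conf" "$root/rootwrap.d/compute.filters"
    echo "$root"
}

# Stand-alone demo: runs unprivileged, so it compares against the current
# user. Inside a real container you would run: check_config_perms /etc/nova
me_uid=$(id -u); me_gid=$(id -g)
for state in weak hardened; do
    tree=$(make_sample_tree "$state")
    if check_config_perms "$tree" "$me_uid" "$me_gid"; then
        echo "$state tree: OK"
    else
        echo "$state tree: violations found"
    fi
    rm -rf "$tree"
done
```

Running it prints the mode violations for the "weak" tree (every file 664 and every directory 775) and "OK" for the hardened one. In a container the default owner arguments apply, so any configuration file left owned by the service user, which is exactly what lets the rootwrap and privsep helper settings be rewritten, shows up as a "BAD owner" line.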