[Openstack] extending rootwrap securely

Andrew Bogott abogott at wikimedia.org
Sun Apr 29 23:41:08 UTC 2012


     As part of the plugin framework, I'm thinking about facilities for 
adding commands to the nova-rootwrap list without directly editing the 
code in nova-rootwrap.  This is, naturally, super dangerous; I'm worried 
that I'm going to open a security hole big enough to pass a herd of 
elephants.

     It doesn't help that I mostly know about devstack, and don't know a 
whole lot about the variety of ways that Nova is installed on actual 
production systems.  So, my questions:

a)  Is the nova code on a production system generally owned by root and 
read-only?  (If the answer to this one is ever 'no' then we're done, 
because we're already 100% insecure.)

b)  Does nova usually run as root user?  (Again, thinking 'no' because 
otherwise we wouldn't need a rootwrap tool in the first place.)

c)  Who generally has rights to modify nova.conf and/or add command-line 
args to the nova launch?  (I want the answer to this to be 'just root' 
but I fear the answer is 'both root and the nova user.')

The crux: If additional commands can be added to rootwrap via nova.conf 
or the commandline, does that open security holes that aren't already 
open?  Such a facility will give root to anyone who can modify the 
nova.conf or the nova commandline.  So, if the nova user can modify the 
commandline, the question is:  did the nova user /already/ have root access?
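The pre-condition behind questions (a) and (c) is checkable: can the nova user modify the files whose contents end up running as root? The audit below is an added example, not code from the post or from Nova; the paths in `__main__` and the existence of a local `nova` account are assumptions. It also covers the caveat that a root-owned, read-only file in a directory the nova user can write to is still replaceable.

```python
import os
import pwd
import stat
from collections import namedtuple

# Constructed stand-in for the parts of os.stat_result the check needs.
FileFacts = namedtuple("FileFacts", "uid gid mode")


def user_can_write(facts, uid, gids):
    """True if a user with this uid and group set can write the object."""
    if uid == 0:
        return True
    if facts.uid == uid:
        return bool(facts.mode & stat.S_IWUSR)
    if facts.gid in gids:
        return bool(facts.mode & stat.S_IWGRP)
    return bool(facts.mode & stat.S_IWOTH)


def writable_by_nova(file_facts, dir_facts, nova_uid, nova_gids):
    """Findings for one trusted path (nova.conf, rootwrap code, ...).
    Ownership by nova, a writable file, or a writable non-sticky parent
    directory all let the nova user change what runs as root."""
    findings = []
    if file_facts.uid == nova_uid:
        findings.append("owned by nova user")
    if user_can_write(file_facts, nova_uid, nova_gids):
        findings.append("file writable by nova user")
    dir_writable = user_can_write(dir_facts, nova_uid, nova_gids)
    if dir_writable and not (dir_facts.mode & stat.S_ISVTX):
        findings.append("parent directory writable by nova user (file can be replaced)")
    return findings


def audit(paths, nova_uid, nova_gids):
    """Stat each path and its parent directory and report findings."""
    report = {}
    for path in paths:
        st = os.stat(path)  # follows symlinks, as the loader would
        pst = os.stat(os.path.dirname(os.path.abspath(path)))
        facts = FileFacts(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
        pfacts = FileFacts(pst.st_uid, pst.st_gid, stat.S_IMODE(pst.st_mode))
        report[path] = writable_by_nova(facts, pfacts, nova_uid, nova_gids)
    return report


if __name__ == "__main__":
    nova = pwd.getpwnam("nova")  # assumed local account name
    gids = {g.gr_gid for g in __import__("grp").getgrall() if "nova" in g.gr_mem} | {nova.pw_gid}
    print(audit(["/etc/nova/nova.conf"], nova.pw_uid, gids))  # assumed path
```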
