[Openstack] Question on nova disk injection...

Eric Windisch eric at cloudscaling.com
Wed Jun 6 02:31:57 UTC 2012


Yun,

The setuid bit is unnecessary, python can be launched by the root user. It would then drop privileges. For instance, the sshd daemon does not require a setuid bit, it is simply executed by root. It uses privilege separation and does the set(e)uid for users that login through it.

Having a compiled program and a setuid bit destroys a number of the reasons why you would want to have this run as root. For one thing, if your daemon runs as root and drops to the 'nova' user, compromises within the context of running as the nova user cannot allow the daemon to be modified and re-executed. Without having any 'sudo' requirements, the nova user would be quite constrained, relative to the current situation.

--  
Eric Windisch


On Tuesday, June 5, 2012 at 21:18 PM, Yun Mao wrote:

> Python is a scripting language. To get setuid work, you usually have
> to give the setuid permission to /usr/bin/python which is a big no no.
>  
> One work around is to have a customized compiled program (e.g. from
> C), which takes a python file as input, do all kinds of sanity check,
> and switch to root user to execute Python. But in that case it's not
> that much more appealing from the rootwrap.
>  
> my 2c.
> Yun
>  
> On Tue, Jun 5, 2012 at 5:42 PM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:
> > Hi all,
> >  
> > Just some questions that I had about how nova is doing disk injection and
> > such.
> >  
> > I was noticing that the main disk/api.py does a lot of tee, cat and
> > similar commands. Is there any reason it couldn’t just use the standard
> > python open and write data and such.
> >  
> > Is it because of sudo access (which is connected to rootwrap?), just
> > wondering since it seems sort of odd that to write a file there a tee call
> > has to be done with piped input, when python already has file operators and
> > such...
> >  
> > Thx!
> >  
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to     : openstack at lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~openstack
> > More help   : https://help.launchpad.net/ListHelp
> >  
>  
>  
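The model Eric describes above (a daemon started by root that does its privileged work and then drops to an unprivileged account, the way sshd's privilege separation does) is easy to get subtly wrong: calling seteuid() instead of setuid() leaves a saved uid of 0 behind, and forgetting setgroups() leaves root's supplementary groups in place. The following is an added example written for this thread, not nova or sshd code. It forks a child, drops that child to an unprivileged account, and then verifies the drop is irreversible by checking all three uid/gid values and confirming that seteuid(0) is refused. The account name ('nova' in the thread, 'nobody' as a fallback here) and all function names are this example's own assumptions.

```python
"""Privilege separation sketch: a root-launched parent keeps the privileged
work, then hands everything else to a forked child that drops to an
unprivileged account and can never climb back.  Added example for the
discussion above; not nova or sshd code."""
import os
import pwd


def resolve_account(name):
    """Return (uid, gid) for an account name (hypothetical 'nova', or 'nobody')."""
    try:
        entry = pwd.getpwnam(name)
        return entry.pw_uid, entry.pw_gid
    except KeyError:
        return 65534, 65534          # conventional 'nobody' ids, used as a fallback


def target_account():
    """Account to drop to: 'nobody' when we are root, otherwise ourselves
    (an unprivileged test run has nothing to drop, but can still verify)."""
    if os.getuid() == 0:
        return resolve_account("nobody")
    return os.getuid(), os.getgid()


def drop_privileges(uid, gid):
    """Permanently give up root.  Order matters: supplementary groups first,
    then gid, then uid; once the uid is non-zero the earlier calls would fail."""
    os.setgroups([])                 # shed root's supplementary groups (disk, ...)
    os.setgid(gid)                   # sets real, effective AND saved gid
    os.setuid(uid)                   # sets real, effective AND saved uid (not seteuid!)
    os.umask(0o077)


def _ids():
    """Current (real, effective, saved) uid and gid triples."""
    if hasattr(os, "getresuid"):
        return os.getresuid(), os.getresgid()
    # Platforms without getres*id: best effort with real/effective only.
    u, g = os.getuid(), os.getgid()
    return (u, os.geteuid(), u), (g, os.getegid(), g)


def privileges_dropped(uid, gid):
    """True only if every uid/gid slot holds the target and root is unreachable."""
    uids, gids = _ids()
    if uids != (uid, uid, uid) or gids != (gid, gid, gid):
        return False
    try:
        os.seteuid(0)                # succeeds only if a saved uid 0 survived
    except PermissionError:
        return True
    os.seteuid(uid)                  # drop was incomplete: restore and report it
    return False


def run_unprivileged(task, uid, gid):
    """Fork; the child drops to uid/gid (when we are root), verifies the drop
    and runs task().  Returns the child's exit status: 0 = task returned True,
    1 = task returned False, 2 = privilege drop could not be verified,
    3 = unexpected error.  The root parent never runs task() itself."""
    pid = os.fork()
    if pid == 0:
        try:
            if os.getuid() == 0:
                drop_privileges(uid, gid)
            if not privileges_dropped(uid, gid):
                os._exit(2)
            os._exit(0 if task() else 1)
        except BaseException:
            os._exit(3)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    uid, gid = target_account()
    # The unprivileged child reports what it sees; the parent keeps its ids.
    rc = run_unprivileged(lambda: print("child uids/gids:", _ids()) or True, uid, gid)
    print("child exit status:", rc, "| parent uid still:", os.getuid())
```

Run as root it drops the child to 'nobody'; run as an ordinary user it simply verifies that the current process has no saved root uid to return to. The parent's ids are untouched either way, which is the property Eric is after: a compromise inside the unprivileged child cannot rewrite or re-exec the root-owned daemon.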

