[Openstack] extending rootwrap securely
Thierry Carrez
thierry at openstack.org
Wed May 2 10:01:21 UTC 2012
Eric Windisch wrote:
> I'd really like to see this security mechanism overhauled. Rootwrap was
> an improvement over what was there before, however, I don't believe that
> rootwrap is a viable long-term solution as currently designed. Rootwrap
> has resulted in the use of potentially insecure shell-outs for the
> purposes of privilege escalation in cases where pure Python would be safer.
The Filter mechanism could easily be extended so that rather than always
executing an external command, it could run some python code as root
instead. Any other reason why you think it's not a viable long-term
solution ?
--
Thierry Carrez (ttx)
Release Manager, OpenStack
More information about the Openstack
mailing list