On 07/25/2013 05:43 PM, Thierry Carrez wrote:
> Russell Bryant wrote:
>> On 07/25/2013 04:40 PM, Mike Wilson wrote:
>>> In my opinion:
>>> 1. Stop using rootwrap completely and get strong argument checking
>>> support into sudo (regex).
>>> 2. Some sort of long lived rootwrap process, either forked by the
>>> service that wants to shell out or a general purpose rootwrapd type thing.
>>> I prefer #1 because it's surprising that sudo doesn't do this type of
>>> thing already. It _must_ be something that everyone wants. But #2 may be
>>> quicker and easier to implement, my $.02.
>> We could do #1 and keep rootwrap around as the fallback if the local
>> version of sudo doesn't support what we need.
> It's not just regexp support, rootwrap basically lets you extend the
> rules to be openstack-specific (custom filters). That feature is not
> widely used yet but is the key to fine-grained privilege escalation in
> the future. Also getting something new into sudo is (for good reasons)
> quite difficult.
> I would rather support solution 3: create a single, separate executable
> that does those 20 things that need to be done (can be a shell script
> with some logic in it), and have rootwrap call that *once*. That way you
> increase speed by 20 times without dumping the security model.
The reason there are 20 different call outs is that they aren't all in
the same place. There are phases that happen here, and different kinds of
errors needed. I'm skeptical that you could push it all into one place.
-Sean
--
Sean Dague
http://dague.net
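
Added example (not part of the original thread, and not rootwrap's or sudo's code): a sketch of the per-argument regex checking the thread refers to, where a command is run with privilege only if every argument matches an anchored pattern. The RULES table, its patterns and is_allowed() are hypothetical names constructed for illustration.

```python
import re

# Hypothetical allowlist, constructed for this example:
# executable path -> list of rules, each rule one regex per argument.
RULES = {
    "/sbin/ip": [
        # ip link set <tap device> up|down
        [r"link", r"set", r"tap[0-9a-f\-]{1,11}", r"up|down"],
    ],
    "/bin/kill": [
        # kill -<signal> <positive pid>; "-1" (all processes) cannot match
        [r"-(9|HUP|TERM)", r"[1-9][0-9]{0,6}"],
    ],
}


def is_allowed(argv):
    """Return True only if argv matches one rule exactly, argument by argument.

    argv is a list as passed to execve(), never a shell string, so there is
    no quoting or word splitting for a caller to abuse.
    """
    if not argv:
        return False
    args = argv[1:]
    for rule in RULES.get(argv[0], []):
        if len(args) != len(rule):
            continue  # extra or missing arguments never match
        # fullmatch anchors both ends, so trailing junk is rejected
        if all(re.fullmatch(pat, arg) for pat, arg in zip(rule, args)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        ["/sbin/ip", "link", "set", "tap1234abcd-ef", "up"],
        ["/sbin/ip", "link", "set", "tap0", "up", "extra"],
        ["/bin/kill", "-9", "-1"],
        ["/bin/sh", "-c", "id"],
    ]
    for argv in samples:
        print("ALLOW" if is_allowed(argv) else "DENY ", argv)
```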