On 08/02/2013 07:52 AM, Thierry Carrez wrote:
> Daniel P. Berrange wrote:
>> On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote:
>>> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
>>>> In my opinion:
>>>>
>>>> 1. Stop using rootwrap completely and get strong argument checking support
>>>> into sudo (regex).
>>>> 2. Some sort of long lived rootwrap process, either forked by the service
>>>> that wants to shell out or a general purpose rootwrapd type thing.
>>>>
>>>> I prefer #1 because it's surprising that sudo doesn't do this type of thing
>>>> already. It _must_ be something that everyone wants. But #2 may be quicker
>>>> and easier to implement, my $.02.
>>>
>>> IMHO, #1 set the discussion off in a poor direction.
>>>
>>> Who exactly is stepping up to do this work in sudo? Unless there's
>>> someone with even a prototype patch in hand, any insistence that we base
>>> our solution on this hypothetical feature is an unhelpful diversion.
>>>
>>> And even if this work was done, it will be a long time before it's in
>>> all the distros we support, so improving rootwrap or finding an
>>> alternate solution will still be an important discussion.
>>
>> Personally I'm of the opinion that from an architectural POV, use of
>> either rootwrap or sudo is a bad solution, so arguing about which is
>> better is really missing the bigger picture. In Linux, there has been
>> a move away from use of sudo or similar approaches, towards the idea
>> of having privilege separated services. So if you wanted to do stuff
>> related to storage, you'd have some small daemon running privileged,
>> which exposed APIs over DBus, which the non-privileged thing would
>> call to make storage changes. Operations exposed by the service would
>> have access control configured via something like PolicyKit, and/or
>> SELinux/AppArmor.
>>
>> Of course this is a lot more work than just hacking up some scripts
>> using sudo or rootwrap. That's the price you pay for properly
>> engineering formal APIs to do jobs instead of punting to random
>> shell scripts.
>
> And for the record, I would be supportive of any proper effort to
> implement privileged calls using a (hopefully minimal) privileged
> daemon, especially for nodes that make heavy usage of privileged calls.
> I just don't feel that going back to sudo (or claiming you can just
> introduce all rootwrap features in sudo) is the proper way to fix the
> problem.

Cool, this seems like a good approach to me, as well. Of course, we're
back to "is anyone up for the task?"

--
Russell Bryant

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
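The privilege-separated service that Daniel Berrange sketches in the thread above (a small privileged daemon exposing a formal API, with access control decided per operation rather than by filtering shell commands), as an added Python illustration that is not code from any participant, from OpenStack rootwrap, or from any real daemon. The policy table stands in for PolicyKit, the uids and the storage operations are assumed for illustration, and the operations only report what the privileged side would do.

```python
import re
import socket
import struct

# Stand-in for a PolicyKit-style policy: which caller uids may invoke which
# operation (uid values are assumed for illustration).
POLICY = {
    "storage.attach_volume": {1001},
    "storage.list_volumes": {1001, 1002},
}

# Arguments are checked as typed values; no shell string is ever assembled.
VOLUME_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
DEVICE = re.compile(r"^/dev/[a-z]+[0-9]*$")

def _attach_volume(volume_id, device):
    """Stub: report what the privileged side would do, without touching the host."""
    if not (isinstance(volume_id, str) and VOLUME_ID.match(volume_id)
            and isinstance(device, str) and DEVICE.match(device)):
        raise ValueError("bad argument")
    return {"attached": volume_id, "device": device}

def _list_volumes():
    return {"volumes": []}

# Each exposed operation has a fixed signature; callers pick an op, not a command.
OPERATIONS = {
    "storage.attach_volume": (_attach_volume, ("volume_id", "device")),
    "storage.list_volumes": (_list_volumes, ()),
}

def handle_request(peer_uid, request):
    """Authorise and dispatch one request; peer_uid comes from the transport."""
    op = request.get("op")
    if op not in OPERATIONS:
        return {"error": "unknown operation"}
    if peer_uid not in POLICY.get(op, ()):
        return {"error": "not authorised"}
    fn, params = OPERATIONS[op]
    args = request.get("args", {})
    if not isinstance(args, dict) or set(args) != set(params):
        return {"error": "wrong arguments"}
    try:
        return {"result": fn(**args)}
    except ValueError as exc:
        return {"error": str(exc)}

def peer_uid_of(conn):
    """Ask the kernel who is on the other end of a Unix socket (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", creds)[1]  # struct ucred: pid, uid, gid
```

A real daemon would read each request from a Unix socket (or DBus), take the caller identity from peer_uid_of rather than from the message, and pass both to handle_request.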