Lucas Fisher wrote:
> We spent some time at the OSSG mid-cycle meet-up this week discussing root
> wrap, looking at the existing code, and considering some of the mailing list
> discussions.
>
> Summary of our discussions:
> https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md
>
> The one line summary is we like the idea of a privileged daemon with higher
> level interfaces to the commands being run. It has a number of advantages
> such as easier to audit, enables better input sanitization, cleaner
> interfaces, and easier to take advantage of Linux capabilities, SELinux,
> AppArmor, etc. The write-up has some more details.

For those interested in that topic and willing to work on the next stage, we'll have a work session on the future of rootwrap in the Oslo track at the Design Summit in Vancouver:

http://sched.co/3B2B

--
Thierry Carrez (ttx)