Thomas Goirand wrote:
> On 07/26/2013 05:43 AM, Thierry Carrez wrote:
>> I would rather support solution 3: create a single, separate executable
>> that does those 20 things that need to be done (can be a shell script
>> with some logic in it), and have rootwrap call that *once*. That way you
>> increase speed by 20 times without dumping the security model.
>
> Hi Thierry,
>
> Does rootwrap have to be written in Python? How much work would it be to
> rewrite it in C? It doesn't seem that big to me (less than 700 lines of
> python right now). Or is it too complicated, and then too dangerous, to
> be in such no-safety-net type of language?
The trick is that we would then have to write the filters themselves as C code. Apart from the risky side of getting Python coders to write C code manipulating strings as root, the original plan was to have lots of specialized filters for extremely fine-grained control of privilege escalation. We are just starting to see those appear (EnvFilter, PathFilter, KillFilter) and I certainly don't want to kill the momentum... Our community speaks Python: forcing those to be written in C would probably limit, rather than increase, the number of those specialized filters.

It's always been a trade-off: rootwrap favored security and ease of development over performance, as I didn't think we would ever make enough calls for it to be a problem (compared to, say, booting an image in KVM). Apparently I was wrong, at least for nova-network :)

--
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
