On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
> In my opinion:
>
> 1. Stop using rootwrap completely and get strong argument checking support
> into sudo (regex).
> 2. Some sort of long lived rootwrap process, either forked by the service
> that wants to shell out or a general purpose rootwrapd type thing.
>
> I prefer #1 because it's surprising that sudo doesn't do this type of thing
> already. It _must_ be something that everyone wants. But #2 may be quicker
> and easier to implement, my $.02.

IMHO, #1 set the discussion off in a poor direction. Who exactly is stepping up to do this work in sudo? Unless there's someone with even a prototype patch in hand, any insistence that we base our solution on this hypothetical feature is an unhelpful diversion.

And even if this work was done, it will be a long time before it's in all the distros we support, so improving rootwrap or finding an alternate solution will still be an important discussion.

Cheers,
Mark.