Daniel P. Berrange wrote:
> On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote:
>> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
>>> In my opinion:
>>>
>>> 1. Stop using rootwrap completely and get strong argument checking support
>>> into sudo (regex).
>>> 2. Some sort of long lived rootwrap process, either forked by the service
>>> that wants to shell out or a general purpose rootwrapd type thing.
>>>
>>> I prefer #1 because it's surprising that sudo doesn't do this type of thing
>>> already. It _must_ be something that everyone wants. But #2 may be quicker
>>> and easier to implement, my $.02.
>>
>> IMHO, #1 set the discussion off in a poor direction.
>>
>> Who exactly is stepping up to do this work in sudo? Unless there's
>> someone with even a prototype patch in hand, any insistence that we base
>> our solution on this hypothetical feature is an unhelpful diversion.
>>
>> And even if this work was done, it will be a long time before it's in
>> all the distros we support, so improving rootwrap or finding an
>> alternate solution will still be an important discussion.
>
> Personally I'm of the opinion that from an architectural POV, use of
> either rootwrap or sudo is a bad solution, so arguing about which is
> better is really missing the bigger picture. In Linux, there has been
> a move away from use of sudo or similar approaches, towards the idea
> of having privilege-separated services. So if you wanted to do stuff
> related to storage, you'd have some small daemon running privileged,
> which exposed APIs over DBus, which the non-privileged thing would
> call to make storage changes. Operations exposed by the service would
> have access control configured via something like PolicyKit, and/or
> SELinux/AppArmor.
>
> Of course this is a lot more work than just hacking up some scripts
> using sudo or rootwrap. That's the price you pay for properly
> engineering formal APIs to do jobs instead of punting to random
> shell scripts.
And for the record, I would be supportive of any proper effort to implement privileged calls using a (hopefully minimal) privileged daemon, especially for nodes that make heavy usage of privileged calls. I just don't feel that going back to sudo (or claiming you can just introduce all rootwrap features in sudo) is the proper way to fix the problem.

-- 
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
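The privilege-separated daemon design Daniel describes above, sketched as an added example that is not code from this thread or from OpenStack: the privileged side exposes two narrow operations, validates each parameter on its own, and consults a per-caller policy table that stands in for PolicyKit. The service names, operation names and path patterns are assumptions for illustration, and the DBus or Unix-socket transport that would carry the request is omitted.

```python
import re
import subprocess
from typing import Callable, Dict, List

# Constructed stand-in for a PolicyKit-style rule set (hypothetical callers and operations).
POLICY: Dict[str, set] = {
    "nova-compute": {"mount_volume", "bring_up_interface"},
    "cinder-volume": {"mount_volume"},
}

# One narrow validator per parameter, not one regex over a whole shell command line.
DEVICE_RE = re.compile(r"/dev/[a-z][a-z0-9]*")
MOUNTPOINT_RE = re.compile(r"/var/lib/nova/mnt/[A-Za-z0-9_-]+")  # assumed mount root
IFACE_RE = re.compile(r"[a-z][a-z0-9-]{0,14}")

class RequestError(ValueError):
    """Request rejected before anything privileged runs."""

def _field(args: dict, name: str, pattern) -> str:
    value = args.get(name)
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise RequestError("invalid or missing parameter: %s" % name)
    return value

def build_mount_volume(args: dict) -> List[str]:
    dev = _field(args, "device", DEVICE_RE)
    mountpoint = _field(args, "mountpoint", MOUNTPOINT_RE)
    # Mount options are fixed by the daemon; the caller cannot supply them.
    return ["mount", "-o", "nosuid,nodev", dev, mountpoint]

def build_bring_up_interface(args: dict) -> List[str]:
    iface = _field(args, "iface", IFACE_RE)
    return ["ip", "link", "set", iface, "up"]

OPERATIONS: Dict[str, Callable[[dict], List[str]]] = {
    "mount_volume": build_mount_volume,
    "bring_up_interface": build_bring_up_interface,
}

def plan(caller: str, request: dict) -> List[str]:
    """Policy check, then per-parameter validation; returns the argv to run."""
    op = request.get("op")
    if op not in OPERATIONS:
        raise RequestError("unknown operation: %r" % (op,))
    if op not in POLICY.get(caller, set()):
        raise RequestError("%s may not call %s" % (caller, op))
    return OPERATIONS[op](request.get("args", {}))

def dispatch(caller: str, request: dict) -> int:
    """Run the planned argv directly (no shell), as the privileged daemon would."""
    return subprocess.run(plan(caller, request), shell=False).returncode
```

Because the API is a fixed set of operations with typed parameters, the unprivileged caller never hands the daemon a command line, which is the difference from filtering sudo or rootwrap invocations after the fact.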
