On 2015-02-04 11:58:03 +0100 (+0100), Thierry Carrez wrote:
[...]
> The second problem is the quality of the filter definitions. Rootwrap is
> a framework to enable isolation. It's only as good as the filters each
> project defines. Most of them rely on CommandFilters that do not check
> any argument, instead of using more powerful filters (which are arguably
> more painful to maintain). Developers routinely add filter definitions
> that basically remove any isolation that might have been there, like
> allowing blank dd, tee, chown or chmod.
[...]
This part is my biggest concern at the moment, from a vulnerability management standpoint. I'm worried that it's an attractive nuisance resulting in a false sense of security in its current state because we're not calling this shortcoming out explicitly in documentation (as far as I'm aware), and so we're opening our operators/users up to unexpected risks and opening ourselves up to the possibility of a slew of vulnerability reports because this mechanism doesn't provide the level of protection it would seem to imply.

-- 
Jeremy Stanley
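The difference the thread is about, as an added example that is not part of the mailing-list discussion or of oslo.rootwrap itself: a small model of how a blank CommandFilter and an argument-checking RegExpFilter treat the same command line. The filter definitions are constructed, and the matching logic is a simplified approximation of oslo.rootwrap's (assumption: CommandFilter compares only the executable name, RegExpFilter requires one full-match pattern per argument).

```python
import configparser
import re

# Constructed [Filters] section in oslo.rootwrap's ini syntax; hypothetical,
# not any project's real filter file.
FILTERS_INI = """
[Filters]
# weak: CommandFilter only checks the executable name, never its arguments
chown_blank: CommandFilter, chown, root
# tighter: RegExpFilter anchors every argument against its own pattern
chown_scoped: RegExpFilter, chown, root, chown, nova:nova, /var/lib/nova/instances/[a-zA-Z0-9_-]+
"""


def load_filters(text):
    """Parse [Filters] lines into (name, kind, exec_path, run_as, arg_patterns)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    filters = []
    for name, spec in cp.items("Filters"):
        kind, exec_path, run_as, *patterns = [p.strip() for p in spec.split(",")]
        filters.append((name, kind, exec_path, run_as, patterns))
    return filters


def matches(flt, userargs):
    """Simplified model of filter matching (assumption, not the library's code)."""
    _name, kind, exec_path, _run_as, patterns = flt
    if kind == "CommandFilter":
        # argv[1:] is never inspected, so any arguments pass once the name matches
        return bool(userargs) and userargs[0] == exec_path
    if kind == "RegExpFilter":
        # argument count must match and each argument must fully match its pattern
        if len(patterns) != len(userargs):
            return False
        return all(re.fullmatch(p, a) is not None for p, a in zip(patterns, userargs))
    raise ValueError("unknown filter kind: %s" % kind)


def allowed_by(filters, userargs):
    """Names of the filters that would let this command line run as root."""
    return [f[0] for f in filters if matches(f, userargs)]


if __name__ == "__main__":
    flts = load_filters(FILTERS_INI)
    print(allowed_by(flts, ["chown", "nova:nova", "/var/lib/nova/instances/abc-123"]))
    print(allowed_by(flts, ["chown", "nova:nova", "/tmp/elsewhere"]))
```

The second call shows the point of the thread: the scoped filter rejects a path outside the instances directory, while the blank CommandFilter accepts it because it looks at nothing past the executable name.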