On 2015-02-04 11:58:03 +0100 (+0100), Thierry Carrez wrote:
> The second problem is the quality of the filter definitions. Rootwrap is
> a framework to enable isolation. It's only as good as the filters each
> project defines. Most of them rely on CommandFilters that do not check
> any argument, instead of using more powerful filters (which are arguably
> more painful to maintain). Developers routinely add filter definitions
> that basically remove any isolation that might have been there, like
> allowing blank dd, tee, chown or chmod.

This part is my biggest concern at the moment, from a vulnerability
management standpoint. I'm worried that it's an attractive nuisance
resulting in a false sense of security in its current state because
we're not calling this shortcoming out explicitly in documentation
(as far as I'm aware), and so we're opening our operators/users up
to unexpected risks and opening ourselves up to the possibility of a
slew of vulnerability reports because this mechanism doesn't provide
the level of protection it would seem to imply.
Jeremy Stanley

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Reply via email to