On Wed, Feb 04, 2015 at 06:38:16PM +0200, Duncan Thomas wrote: > If I'm reading that correctly, it does not help with the filtering issues > at all, since it needs exactly the same kind of filter. Daniel explained > the concept far better than I.
Yep, the only thing rootwrap daemon mode does is to remove the overhead of spawning the rootwrap command. It does nothing to improve actual security - it is still a chocolate teapot from that POV. > On 4 February 2015 at 18:33, Jeremy Stanley <[email protected]> wrote: > > > On 2015-02-04 13:40:29 +0200 (+0200), Duncan Thomas wrote: > > > 4) Write a small daemon that runs as root, accepting commands over > > > a unix domain socket or similar. Easier to audit, less code > > > running as root. > > > > > > http://git.openstack.org/cgit/openstack/oslo.rootwrap/tree/oslo_rootwrap/daemon.py > > Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
