Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

On Fri Feb 13 2015 at 10:35:49 PM Miguel Ángel Ajo majop...@redhat.com wrote: We have an ongoing effort in neutron to move to rootwrap-daemon. https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bp/rootwrap-daemon-mode,n,z Thanks for replying. I

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

On Fri Feb 13 2015 at 5:45:36 PM Eric Windisch e...@windisch.us wrote: ᐧ from neutron.agent.privileged.commands import ip_lib as priv_ip def foo(): # Need to create a new veth interface pair - that usually requires root/NET_ADMIN priv_ip.CreateLink('veth', 'veth0',

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

We have an ongoing effort in neutron to move to rootwrap-daemon. https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bp/rootwrap-daemon-mode,n,z To speed up multiple system calls, and be able to spawn daemons inside namespaces. I have to read a bit what

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

Angus Lees wrote: So inspired by the Rootwrap on root-intensive nodes thread, I went and wrote a proof-of-concept privsep daemon for neutron: https://review.openstack.org/#/c/155631 Nice work! Trying to check where the security model is actually weaker than the one provided by rootwrap here...

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

So inspired by the Rootwrap on root-intensive nodes thread, I went and wrote a proof-of-concept privsep daemon for neutron: https://review.openstack.org/#/c/155631 There's nothing neutron-specific in the core mechanism and it could easily be moved out into a common (oslo) library and reused across

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

On 13 Feb 2015 17:42, Angus Lees g...@inodes.org wrote: So inspired by the Rootwrap on root-intensive nodes thread, I went and wrote a proof-of-concept privsep daemon for neutron: https://review.openstack.org/#/c/155631 There's nothing neutron-specific in the core mechanism and it could easily

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

ᐧ from neutron.agent.privileged.commands import ip_lib as priv_ip def foo(): # Need to create a new veth interface pair - that usually requires root/NET_ADMIN priv_ip.CreateLink('veth', 'veth0', peer='veth1') Because we now have elevated privileges directly (on the

Re: [openstack-dev] [neutron][security][rootwrap] Proposal to replace rootwrap/sudo with privsep helper process (for neutron, but others too)

On Fri Feb 13 2015 at 4:05:33 PM Robert Collins robe...@robertcollins.net wrote: On 13 Feb 2015 17:42, Angus Lees g...@inodes.org wrote: So inspired by the Rootwrap on root-intensive nodes thread, I went and wrote a proof-of-concept privsep daemon for neutron: