Jay Buffington wrote:
> I haven't closely looked at rootwrap, but it seems to me that you could use the
> rootwrap config files to generate a gigantic sudoers config file which would not
> necessarily be human readable. That would have the flexibility and
> maintainability of rootwrap with the speed and audibility sudo.

I don't think you could. Sudo's ability to filter arguments is quite limited. Rootwrap implements smart filters, like for example limiting the usage of "kill" to "dnsmasq" processes by reading and resolving PIDs. Good luck for doing that in a sudoers file, gigantic or not.

More explanation on rootwrap's rationale at:
https://fnords.wordpress.com/2011/11/23/improving-nova-privilege-escalation-model-part-1/

--
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
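
The PID-resolving check mentioned in the reply above, as an added example that is not part of the original message and is not rootwrap's own code. The class name `PidExeKillFilter`, the `resolve` parameter, the dnsmasq path and the sample process table are assumptions made for illustration.

```python
import os


def proc_exe(pid):
    """Resolve a PID to its executable path via /proc (Linux only)."""
    try:
        exe = os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None  # no such process, or no permission to inspect it
    # Linux appends " (deleted)" once the binary was replaced on disk.
    suffix = " (deleted)"
    return exe[:-len(suffix)] if exe.endswith(suffix) else exe


class PidExeKillFilter:
    """Allow `kill [-SIGNAL] PID` only if PID runs one approved executable."""

    def __init__(self, allowed_exe, allowed_signals, resolve=proc_exe):
        self.allowed_exe = allowed_exe
        # Use "" in allowed_signals to permit a bare `kill PID`.
        self.allowed_signals = frozenset(allowed_signals)
        self.resolve = resolve

    def match(self, argv):
        if not argv or argv[0] != "kill":
            return False
        args = argv[1:]
        if len(args) == 2:
            if args[0] not in self.allowed_signals:
                return False
            args = args[1:]
        elif "" not in self.allowed_signals:
            return False
        # Exactly one plain decimal PID: rejects "-1" (every process),
        # "0" style tricks are caught below because no exe resolves.
        if len(args) != 1 or not (args[0].isascii() and args[0].isdigit()):
            return False
        # The decision depends on runtime state (what the PID is running),
        # which a static argument pattern cannot express.
        return self.resolve(int(args[0])) == self.allowed_exe


# Constructed process table standing in for /proc, so this runs anywhere.
SAMPLE_PROCS = {4242: "/usr/sbin/dnsmasq", 1: "/sbin/init"}
dnsmasq_kill = PidExeKillFilter(
    "/usr/sbin/dnsmasq", {"-9", "-HUP"}, resolve=SAMPLE_PROCS.get
)

if __name__ == "__main__":
    for cmd in (["kill", "-9", "4242"], ["kill", "-9", "1"], ["kill", "-9", "-1"]):
        print(cmd, "->", "allow" if dnsmasq_kill.match(cmd) else "deny")
```

Dropping the `resolve=` argument makes the filter read the live `/proc` entries instead of the constructed table.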