Hello, Thierry. On Mon, Mar 17, 2014 at 6:04 PM, Thierry Carrez <thie...@openstack.org>wrote:
> Note that the whole concept behind rootwrap is to limit the amount of > code that runs with elevated privileges. If you end up running a full > service as root which imports as many libraries as the rest of OpenStack > services, then you should seriously consider switching to running your > root-heavy service as root directly, because it won't make that much of > a difference. > > I'm not closing the door to a persistent implementation... Just saying > that in order to be useful, it needs to be as minimal as possible (both > in amount of code written and code imported) and as simple as possible > (so that its security model can be easily proven safe). > I'm aiming at ~100 new lines of code for daemon. Of course I'll use some batteries included with Python stdlib but they should be safe already. It should be rather easy to audit them. -- Kind regards, Yuriy.
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
