On Wed, 13 May 2015 at 02:16 Thierry Carrez <thie...@openstack.org> wrote:

> Lucas Fisher wrote:
> > We spent some time at the OSSG mid-cycle meet-up this week discussing
> > root wrap, looking at the existing code, and considering some of the
> > mailing list discussions.
> >
> > Summary of our discussions:
> > https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md
> >
> > The one line summary is we like the idea of a privileged daemon with
> > higher level interfaces to the commands being run. It has a number of
> > advantages such as easier to audit, enables better input sanitization,
> > cleaner interfaces, and easier to take advantage of Linux capabilities,
> > SELinux, AppArmor, etc. The write-up has some more details.
>
> For those interested in that topic and willing to work on the next
> stage, we'll have a work session on the future of rootwrap in the Oslo
> track at the Design Summit in Vancouver:
>
> http://sched.co/3B2B
>
>
FWIW, I've continued work on my privsep proposal(*) and how it interacts
with existing rootwrap. I look forward to discussing it and alternatives
at the session.

(*) https://review.openstack.org/#/c/155631

 - Gus
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev