Nova-core reviewers,

When you review code that introduces new utils.execute run_as_root commands, please apply extra care to avoid removing the thin layer of root/nova privilege separation we managed to introduce in Nova, or breaking people running with nova-rootwrap.
* Any new run_as_root command should include a new nova.rootwrap filter to match (generic or specific)
* Commands opening up too many possibilities should add a specific filter
* Make sure that command actually needs to run as root and can't be replaced by a more specific or restrictive command

Examples:

Bad: https://github.com/openstack/nova/commit/1463839f
"cp" and "rm" added without any matching rootwrap filter

DoublePlusGood: https://github.com/openstack/nova/commit/65e23313
"cat" being added with specific filters to only allow it to touch specific files

NB: There were about 5 commands added to master without filters -- I will file bugs and add code so that nova-rootwrap works with those.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
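The three review rules above can be made concrete with a toy model of the decision nova-rootwrap makes: a command runs as root only if some filter in the list matches it. The block below is an added example written for this note, not nova's own rootwrap code or the code from either linked commit. The class names are modelled on the shape of nova's filter classes, and the filter list, file paths (/etc/iptables/rules.v4, /var/lib/nova/instances) and sample commands are assumptions chosen to mirror the "Bad" case (rm and cp with no filter) and the "DoublePlusGood" case (cat restricted to one file).

```python
"""Added example: a toy model of how nova-rootwrap decides whether a
run_as_root command may execute.  Illustrative code written for this note,
not nova's rootwrap implementation; class names are modelled on nova's
filter classes, and the commands, paths and filter list are assumptions."""
import os
from typing import List, Optional


class CommandFilter:
    """Generic filter: any invocation of this executable, whatever the args.
    Fine for a narrow tool, far too broad for cp/rm/cat/dd and friends."""

    def __init__(self, exec_path: str, run_as: str = "root") -> None:
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, argv: List[str]) -> bool:
        return bool(argv) and os.path.basename(argv[0]) == os.path.basename(self.exec_path)


class ReadFileFilter(CommandFilter):
    """Specific filter: 'cat' of exactly one named file and nothing else."""

    def __init__(self, path: str) -> None:
        super().__init__("/bin/cat")
        self.path = path

    def match(self, argv: List[str]) -> bool:
        return super().match(argv) and argv[1:] == [self.path]


class PathPrefixFilter(CommandFilter):
    """Specific filter: every argument must be a path strictly under one
    directory.  Options are refused too, so 'rm -rf /' cannot slip through."""

    def __init__(self, exec_path: str, directory: str) -> None:
        super().__init__(exec_path)
        self.directory = os.path.normpath(directory)

    def match(self, argv: List[str]) -> bool:
        if not super().match(argv) or len(argv) < 2:
            return False
        for arg in argv[1:]:
            # Lexical normalisation folds '..' away; a production filter should
            # additionally resolve symlinks (os.path.realpath) before comparing.
            if not os.path.normpath(arg).startswith(self.directory + os.sep):
                return False
        return True


# Hypothetical filter list in the spirit of a nova.rootwrap module.
FILTERS = [
    CommandFilter("/sbin/ip"),                               # generic: acceptable for a narrow tool
    ReadFileFilter("/etc/iptables/rules.v4"),                # cat limited to a single file
    PathPrefixFilter("/bin/rm", "/var/lib/nova/instances"),  # rm limited to instance data
    # Deliberately no entry for "cp": a run_as_root cp added without one is the "Bad" case.
]


def find_filter(filters: List[CommandFilter], argv: List[str]) -> Optional[CommandFilter]:
    """First filter that accepts argv, or None (rootwrap refuses on None)."""
    for f in filters:
        if f.match(argv):
            return f
    return None


def is_allowed(argv: List[str], filters: List[CommandFilter] = FILTERS) -> bool:
    """What nova-rootwrap would decide: no matching filter means no execution."""
    return find_filter(filters, argv) is not None


if __name__ == "__main__":
    # Constructed sample commands, not taken from the mail or the commits.
    for cmd in (["ip", "link", "show"],
                ["cat", "/etc/iptables/rules.v4"],
                ["cat", "/etc/shadow"],
                ["rm", "/var/lib/nova/instances/instance-1/disk"],
                ["rm", "-rf", "/"],
                ["rm", "/var/lib/nova/instances/../../../../etc/passwd"],
                ["cp", "/etc/passwd", "/tmp/x"]):
        print(" ".join(cmd), "->", "allowed" if is_allowed(cmd) else "DENIED")
```

The point of the model is the review question in the mail: a generic CommandFilter on ip changes little, but a generic filter on rm or cat would let the nova user run `rm -rf /` or `cat /etc/shadow` as root, so those commands need a filter that names the file or directory they are meant to touch, and a command with no filter at all does not run under nova-rootwrap.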