openstack team mailing list archive

Thread
Date

Re: extending rootwrap securely

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
Date: Thu, 03 May 2012 13:45:20 +0200
In-reply-to: <CABocrW4NFqCf5NhrAEcV04F-StWqWhRz_RrTgFQ9N8ebS-Lifg@mail.gmail.com>
Organization: OpenStack
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120410 Thunderbird/11.0.1

Yuriy Taraday wrote:
> We can do "#includedir /etc/nova/sudoers.d" from sudoers as well.
> I think, a solution with a separate conf/dir for rootwrap is a step
> back to sudo.

Except that sudo/sudoers does not allow argument filtering or more
complex filters, which is the main reason nova-rootwrap was proposed as
an alternate root escalation filtering mechanism.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack

References

extending rootwrap securely
From: Andrew Bogott, 2012-04-29
Re: extending rootwrap securely
From: Thierry Carrez, 2012-05-02
Re: extending rootwrap securely
From: Yuriy Taraday, 2012-05-03