
openstack team mailing list archive

Re: Question on nova disk injection...

 

Yun,

The setuid bit is unnecessary; Python can be launched by the root user. It would then drop privileges. For instance, the sshd daemon does not require a setuid bit, it is simply executed by root. It uses privilege separation and does the set(e)uid for users that log in through it.

Having a compiled program and a setuid bit destroys a number of the reasons why you would want to have this run as root. For one thing, if your daemon runs as root and drops to the 'nova' user, compromises within the context of running as the nova user cannot allow the daemon to be modified and re-executed. Without having any 'sudo' requirements, the nova user would be quite constrained, relative to the current situation.

--  
Eric Windisch

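The root-launch-then-drop pattern Eric describes, as an added example that is not code from nova or from anyone on this thread: the process does its one root-only step (writing the injected file with plain `open()`, no tee or sudo) and then permanently gives up root with the setres* family, the way a privilege-separated daemon does. The 'nova' account name, the `authorized_keys` file name and the fallback ids 65534/65534 are assumptions for illustration.

```python
import os
import pwd
import tempfile

# Constructed example of the privilege-drop pattern: started as root, do the
# privileged work first, then switch permanently to an unprivileged account.
# Not nova code; the 'nova' account and file names below are assumptions.


def inject_file_as_root(directory, name, data):
    """Privileged step: write the injected file with Python's own file I/O.

    The mode is set at create time (0600) so there is no window where the
    file is world-readable. Returns the path written."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def drop_privileges(uid, gid):
    """Permanently give up root. Returns the (real uid, real gid) now in effect.

    Order matters: supplementary groups and the gid go first, because once the
    uid is no longer 0 the process may not change its groups any more. The
    setres* calls set real, effective AND saved ids together, so no saved
    root id is left behind to swap back to."""
    if os.geteuid() != 0:
        # Already unprivileged (e.g. the example was started as a normal
        # user): nothing to drop, just report what is in effect.
        return os.getresuid()[0], os.getresgid()[0]
    os.setgroups([gid])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    return os.getresuid()[0], os.getresgid()[0]


def root_is_unreachable():
    """Check that the drop was permanent: the kernel must now refuse setuid(0).

    Still being root counts as failure, and so does a setuid(0) that succeeds,
    which would mean a saved root id was left behind."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def account_ids(name):
    """Look up (uid, gid) for a service account such as 'nova' (assumed)."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    # Constructed sample payload; a real injection would carry the user's key.
    path = inject_file_as_root(workdir, "authorized_keys",
                               b"ssh-ed25519 AAAA... example-key\n")
    try:
        uid, gid = account_ids("nova")   # assumed service account
    except KeyError:
        uid, gid = 65534, 65534          # fall back to the usual 'nobody' ids
    print("now running as", drop_privileges(uid, gid))
    print("root unreachable:", root_is_unreachable())
    # Once dropped, the 0600 root-owned file is no longer writable by us.
    try:
        open(path, "ab").close()
        print("still writable (example was not started as root)")
    except PermissionError:
        print("injected file is now read-only for this process")
```

Run it as root to see the full effect; run as an ordinary user it simply reports that there was nothing to drop. The point of `root_is_unreachable()` is the check a daemon should make right after dropping: if `setuid(0)` still works, the drop used `seteuid`-style calls that leave a saved root id, and a compromise in the unprivileged context can climb straight back.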

On Tuesday, June 5, 2012 at 21:18 PM, Yun Mao wrote:

> Python is a scripting language. To get setuid work, you usually have
> to give the setuid permission to /usr/bin/python which is a big no no.
>  
> One workaround is to have a customized compiled program (e.g. from
> C), which takes a python file as input, does all kinds of sanity checks,
> and switches to root user to execute Python. But in that case it's not
> that much more appealing than the rootwrap.
>  
> my 2c.
> Yun
>  
> On Tue, Jun 5, 2012 at 5:42 PM, Joshua Harlow <harlowja@xxxxxxxxxxxxx> wrote:
> > Hi all,
> >  
> > Just some questions that I had about how nova is doing disk injection and
> > such.
> >  
> > I was noticing that the main disk/api.py does a lot of tee, cat and
> > similar commands. Is there any reason it couldn't just use the standard
> > Python open and write data and such?
> >  
> > Is it because of sudo access (which is connected to rootwrap?), just
> > wondering since it seems sort of odd that to write a file there a tee call
> > has to be done with piped input, when python already has file operators and
> > such...
> >  
> > Thx!
> >  
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~openstack
> > More help   : https://help.launchpad.net/ListHelp
> >  
