openstack team mailing list archive

Nova root wrapper understanding

 

Hi, all:

In this wiki, http://wiki.openstack.org/Nova/Rootwrap, the part of
"security model" results in "This chain ensures that the nova user itself
is not in control of the configuration or modules used by the nova-rootwrap
executable". I understand that chain but I'm confused by this conclusion.


That chain means that a nova-rootwrap executable runs safely under
root-control. In other words, the program nova-rootwrap runs is protected
by root, and it cannot be influenced by other users. But that conclusion
implies that the insecurity model is that the *nova* user is controlled by
someone. This is what I'm confused by.
