Message #20045
Re: Nova root wrapper understanding

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
Date: Mon, 14 Jan 2013 11:21:44 +0100
In-reply-to: <CAMcPiroGO-Q_j3=CPOuBbB=Lq-D6VbmKS1xrqfaHms5Ok+8xiA@mail.gmail.com>
Organization: OpenStack
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2

Kun Huang wrote:
> Thanks, Thierry Carrez. Your explanation is easy to understand. I have
> got why we need such a mechanism.
>
> BTW, is root-wrap a general or popular way to keep security? I have no
> experience on security, but I have heard the /root/ should be banned
> because of security. Ideally, should we ban /root/ in nodes and just use
> root wrapped /nova/ user for tasks in need?

Ideally, we should run all services as an unprivileged user ("nova"). In
reality, given the low-level tasks generally needed to bootstrap
infrastructure resources, it's difficult to achieve. So we should strive
to only escalate when really needed, and filter properly to ensure
escalation is limited. Rootwrap provides a framework for that filtering.
--
Thierry Carrez (ttx)
Release Manager, OpenStack
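
The filtering idea in the reply above, as an added example: it is not rootwrap's own code and not part of the original message. An unprivileged service asks for a command to be run as root, and the request is allowed only if it matches an allowlist entry exactly. The command names, paths and argument patterns are constructed assumptions.

```python
import re

# Constructed allowlist (hypothetical entries, not a real rootwrap filter file):
# command name -> (absolute executable path, one regex per expected argument)
ALLOWED = {
    "kpartx": ("/sbin/kpartx", [r"-[ad]", r"/dev/nbd[0-9]+"]),
    "chown": ("/bin/chown",
              [r"nova", r"/var/lib/nova/instances/[0-9a-f-]{36}"]),
}


def match_command(argv):
    """Return the argv to execute as root, or None if the request is denied."""
    if not argv:
        return None
    entry = ALLOWED.get(argv[0])
    if entry is None:
        return None  # command is not allowlisted at all
    exec_path, arg_patterns = entry
    args = argv[1:]
    if len(args) != len(arg_patterns):
        return None  # extra or missing arguments are never passed through
    for arg, pattern in zip(args, arg_patterns):
        # fullmatch: the whole argument must match, so a trailing newline
        # or appended text cannot ride along on a prefix match.
        if re.fullmatch(pattern, arg) is None:
            return None
    # Run the path stored in the allowlist, never a caller-supplied path,
    # so a look-alike binary elsewhere on the filesystem is not picked up.
    return [exec_path] + args


if __name__ == "__main__":
    for request in (["kpartx", "-a", "/dev/nbd0"],
                    ["kpartx", "-a", "/dev/sda"],
                    ["bash", "-c", "id"]):
        print(request, "->", match_command(request))
```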