OpenStack's privilege mechanism has evolved over time from a simple sudoers file to rootwrap. The rootwrap security policy revolves around whitelisting particular command lines through the configuration of various "filters". Configuring these correctly is hard: the filters have limited expressiveness, the command line tools they wrap were typically never designed to be a privilege boundary, and the "context" of the original operation (which tenant, which resource, why) has already been lost by the time the command line is inspected. Generating command lines and parsing textual output from tools is also slow and susceptible to inconsistencies across tool versions, since that output was typically not designed as a programmatic API.

This spec proposes a new privilege mechanism based around Python function calls rather than command lines.

OpenStack library for privilege separation

This library helps applications perform actions which require more or fewer privileges than they were started with, in a manner that is safe, easy to code and easy to use. As with rootwrap-daemon, privsep runs two processes, one with and one without privileges. The privileged process is kept as minimal as possible and is written on the assumption that it may be under attack by the unprivileged process: it only ever executes explicitly registered functions, validates the arguments it receives, and does not trust anything that arrives over the channel. To limit the impact of a potential exploit of the privileged process, this spec proposes that it support the use of Linux capabilities, so that it can drop the broad root (uid=0) superpowers and keep only the limited subset it actually needs.