Comment 1 for bug 1519839

Revision history for this message
Ben Nemec (bnemec) wrote :

The /bin/cat hard-coding appears to be just a convenience filter, and if you make it configurable it turns into essentially CommandFilter.

KillFilter appears to have actual logic related to killing processes though, so I could see an argument to make that configurable.

I should also note that we are encouraging people to move to oslo.privsep instead of oslo.rootwrap. There's much less chance of operator error exposing security holes with privsep.