{"id":21671,"library":"oslo-privsep","title":"oslo.privsep","description":"OpenStack library for privilege separation. Provides a framework for running sensitive operations in a separate privileged process. Current version is 3.10.1, released as part of OpenStack Dalmatian. Released on a 6-month cadence aligned with OpenStack releases.","status":"active","version":"3.10.1","language":"python","source_language":"en","source_url":"https://opendev.org/openstack/oslo.privsep","tags":["openstack","privilege-separation","security","daemon"],"install":[{"cmd":"pip install oslo-privsep","lang":"bash","label":"Install via pip"}],"dependencies":[{"reason":"Required for configuration loading","package":"oslo.config","optional":false},{"reason":"Translation support","package":"oslo.i18n","optional":false},{"reason":"Logging utilities","package":"oslo.log","optional":false},{"reason":"Async networking, used in daemon mode","package":"eventlet","optional":false},{"reason":"Co-routines used by eventlet","package":"greenlet","optional":false}],"imports":[{"note":"Package uses underscores, not dots, in the import path (PEP 8 style).","wrong":"from oslo.privsep import priv_context","symbol":"priv_context","correct":"from oslo_privsep import priv_context"},{"note":"Submodules are not automatically imported; import directly.","wrong":"import oslo_privsep.daemon","symbol":"daemon","correct":"from oslo_privsep import daemon"}],"quickstart":{"code":"import os\nfrom oslo_privsep import priv_context\nfrom oslo_privsep import capabilities\n\n# Define a privileged context\npriv_context.init(\n    priv_context.DaemonPrincipal(\n        user='root',\n        group='root',\n    ),\n    resource_limits=[\n        priv_context.ResourceLimit(\n            resource=capabilities.RLIMIT_AS,\n            soft=1024 * 1024 * 500,  # 500 MB\n            hard=1024 * 1024 * 500,\n        ),\n    ],\n)\n\n# Expose a function to run as privileged\n@priv_context.entrypoint\ndef run_as_root():\n    # This runs 
with escalated privileges\n    import subprocess\n    return subprocess.check_output(['whoami']).strip()\n\nif __name__ == '__main__':\n    print(run_as_root())","lang":"python","description":"Initialize a daemon principal with root privileges and call a function that runs as root. Everything inside the entrypoint function executes with those privileges, so keep it as small as possible."},"warnings":[{"fix":"Use from oslo_privsep import priv_context instead of from oslo.privsep.","message":"In version 3.0.0, the package name changed from oslo-privsep to oslo_privsep for imports. Python code must use underscores in the import path.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Replace capabilities imports with direct resource constants (e.g., oslo_privsep.prctl.RLIMIT_AS).","message":"The `capabilities` module is deprecated and will be removed in a future release. Use the `resource` module directly with `oslo_privsep.prctl` if needed.","severity":"deprecated","affected_versions":">=3.5.0"},{"fix":"Initialize the daemon at module load time and avoid lazy initialization in request handlers.","message":"The privileged process runs as a separate daemon; ensure the daemon is started before calling privileged functions. If using eventlet, monkey-patching must be done before daemon start.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Use `from oslo_privsep import priv_context` instead.","cause":"Using period instead of underscore in import path.","error":"ModuleNotFoundError: No module named 'oslo.privsep'"},{"fix":"Check that the `user` and `group` parameters in DaemonPrincipal are correct and that the system permits the daemon to run with those privileges; grant only the privileges the operation needs.","cause":"The daemon principal user/group does not have sufficient privileges for the requested operation.","error":"PermissionError: [Errno 13] Permission denied"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}