{"library":"oslo-rootwrap","title":"Oslo Rootwrap","description":"Oslo Rootwrap is an OpenStack library providing a highly configurable privilege escalation mechanism, akin to `sudo`. It enables non-root users to execute specific commands as root, governed by filters defined in configuration files, and is crucial for secure privileged operations in OpenStack services. The current version is 7.9.0, and it is actively maintained as part of the OpenStack Oslo common libraries, following OpenStack's release cadence.","language":"python","status":"active","last_verified":"Fri Apr 17","install":{"commands":["pip install oslo-rootwrap"],"cli":{"name":"oslo-rootwrap","version":"/usr/local/bin/oslo-rootwrap: No command specified"}},"imports":["from oslo_rootwrap.client import Client","from oslo_config import cfg"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import os\nfrom oslo_config import cfg\nfrom oslo_rootwrap import client\n\n# Define oslo-rootwrap specific configuration options\nrootwrap_group = cfg.OptGroup(\n    name='rootwrap',\n    title='Rootwrap Options for privilege escalation'\n)\ncfg.CONF.register_group(rootwrap_group)\n\ncfg.CONF.register_opts([\n    cfg.StrOpt('rootwrap_config',\n               default='/etc/rootwrap.conf',\n               help='Path to the rootwrap configuration file.'),\n    cfg.StrOpt('filters_path',\n               default='/etc/rootwrap.d',\n               help='Path to the directory containing rootwrap filter files.'),\n    cfg.StrOpt('daemon_pid_dir',\n               default='/var/run/oslo-rootwrap',\n               help='Directory for rootwrap daemon PID files. Used only if in daemon mode.'),\n    cfg.StrOpt('daemon_wrapper',\n               default='/usr/bin/sudo',\n               help='Path to the sudo wrapper binary that executes the rootwrap daemon.'),\n], group=rootwrap_group)\n\n# Initialize oslo_config. 
In a real application, you'd usually load from files:\n# cfg.CONF(project='my_app', default_config_files=['/etc/my_app/my_app.conf'])\n# For this quickstart, we use registered defaults.\nprint(\"Initializing oslo_config and setting up rootwrap options...\")\ncfg.CONF() # This parses any command-line arguments and loads default config values\n\n# Instantiate the rootwrap daemon client\ntry:\n    # client.Client takes the command line that starts the rootwrap daemon\n    daemon_cmd = [cfg.CONF.rootwrap.daemon_wrapper, 'oslo-rootwrap-daemon',\n                  cfg.CONF.rootwrap.rootwrap_config]\n    rootwrap_client = client.Client(daemon_cmd)\n    print(\"Rootwrap client instantiated successfully using oslo_config.\")\n\n    # Display some configured paths\n    print(f\"Configured rootwrap config file: {cfg.CONF.rootwrap.rootwrap_config}\")\n    print(f\"Configured rootwrap filters path: {cfg.CONF.rootwrap.filters_path}\")\n    print(f\"Configured daemon wrapper (sudo path): {cfg.CONF.rootwrap.daemon_wrapper}\")\n\n    print(\"\\n--- Important Note for Execution ---\")\n    print(\"The oslo-rootwrap library requires extensive system-level setup to function:\")\n    print(\"1. A 'rootwrap.conf' file (e.g., at /etc/rootwrap.conf) defining general rules.\")\n    print(\"2. Filter files (e.g., in /etc/rootwrap.d/) specifying allowed commands and parameters.\")\n    print(\"3. 'sudo' configured to execute the 'oslo-rootwrap' binary with SUID permissions.\")\n    print(\"\\nTo execute a command, you would typically use:\")\n    print(\"  returncode, stdout, stderr = rootwrap_client.execute(['command', 'arg1', 'arg2'])\")\n    print(\"Attempting to run `execute` without this setup will likely result in errors.\")\n\nexcept Exception as e:\n    print(f\"Error during rootwrap client instantiation: {e}\")\n    print(\"Ensure oslo_config options are correctly registered and paths are valid for your setup.\")\n","lang":"python","description":"This quickstart demonstrates how to initialize `oslo_config` and instantiate the rootwrap daemon client (`oslo_rootwrap.client.Client`). 
While the client can be created, actual privilege escalation via `rootwrap_client.execute()` requires a fully configured `sudo` setup, `rootwrap.conf`, and filter files on the system, which are beyond a simple runnable code snippet.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}