Comment 2 for bug 1250101

Thierry Carrez (ttx) wrote : Re: rootwrap find allows arbitrary commands

The issue does not live in Oslo. It lives in the filters that are shipped with Cinder. So that would only need to be fixed in Cinder.

That said, I'm not sure that would be security advisory material. The cinder user already has (limited) escalation to root, the rootwrap is just trying hard to limit the extent of it. Find is clearly not the only command that can be easily abused in Cinder volume.filters: this one also allows dd, chown, ln, chmod and mv... which can all be abused to fully escalate the cinder user to the root user on Cinder.

Like nova compute nodes, cinder volume nodes run, in effect, as root. Rootwrap is a tool that can be used to limit root escalation, but on those nodes there is still a lot of work to do before they can be considered truly isolated. Those efforts would fall into strengthening, rather than vulnerability fixing, since those weaknesses cannot be directly exploited (attacker needs to be able to execute code as the cinder user first).

This is very much like https://bugs.launchpad.net/nova/+bug/1081795 -- and the comment I made there also applies to this bug:

"""
So I would count this as a welcome strengthening step, but not issue an advisory about it (which could be interpreted as "we vouch that this user can't be escalated to root anymore") [...]

I'm also for making this bug public, unless one of you objects.
"""
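
Added example, not part of the comment above and not code from Cinder or oslo.rootwrap: a small audit that reads a rootwrap filter file and reports entries that let the commands named in the comment run as root under `CommandFilter`, which matches on the executable only and does not constrain arguments. The sample filter text, the `audit_filters` name and the file contents are constructed for illustration.

```python
import configparser

# Commands the comment names as allowed by Cinder's volume.filters.
NAMED_IN_COMMENT = {"find", "dd", "chown", "ln", "chmod", "mv"}

# Constructed sample in rootwrap filter-file syntax; not Cinder's actual file.
SAMPLE_FILTERS = """\
[Filters]
find: CommandFilter, find, root
dd: CommandFilter, dd, root
chown: CommandFilter, chown, root
lvs: CommandFilter, lvs, root
ionice_mv: RegExpFilter, mv, root, mv, /var/lib/example/[^/]+, /var/lib/example/[^/]+
kill_tgtd: KillFilter, root, /usr/sbin/tgtd, -9
"""


def audit_filters(text, risky=NAMED_IN_COMMENT):
    """Return (entry, executable, reason) for risky root CommandFilter entries."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep filter names case-sensitive
    parser.read_string(text)
    findings = []
    if not parser.has_section("Filters"):
        return findings
    for name, value in parser.items("Filters"):
        fields = [f.strip() for f in value.split(",")]
        if len(fields) < 3:
            continue  # malformed entry, nothing to evaluate
        filter_class, executable, run_as = fields[0], fields[1], fields[2]
        base = executable.rsplit("/", 1)[-1]
        # Only CommandFilter is flagged: other classes (RegExpFilter,
        # KillFilter, ...) restrict arguments and need a manual review.
        if filter_class == "CommandFilter" and run_as == "root" and base in risky:
            findings.append(
                (name, base, "CommandFilter places no constraint on arguments")
            )
    return findings


if __name__ == "__main__":
    for entry, exe, reason in audit_filters(SAMPLE_FILTERS):
        print(f"{entry}: {exe} as root ({reason})")
```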