The trick is that you can't decide at utils.execute() level what generic argument is or is not safe. In some cases passing "../.." is perfectly accepted use !
I see your point though... and as a strengthening low-level measure the rootwrap filter that allows to run mkdir/tee as root should also do a deeper inspection on arguments to check that it only affects nova stuff.
The trick is that you can't decide at utils.execute() level what generic argument is or is not safe. In some cases passing "../.." is perfectly accepted use !
I see your point though... and as a strengthening low-level measure the rootwrap filter that allows to run mkdir/tee as root should also do a deeper inspection on arguments to check that it only affects nova stuff.