Comment 2 for bug 2021966

I think this is well-understood and has been discussed in the past. The compute.filters file should not be writable by the nova user (along with the rest of /etc/nova) but that is, AFAIK, only a packaging thing and not something we control since we don't really provide OS packages nor support/expect people installing from pip.

But the loose-ness of the rootwrap filters in general have been discussed and is part of the impetus for moving to privsep. The fact that you can ssh to the node to run these things does not make this materially different from 1700501, IMHO.

I would acknowledge this as a known security hardening opportunity (i.e. a dupe of 1700501) and not something worthy of being a private security bug.