Comment 1 for bug 948520

Thierry Carrez (ttx) wrote :

Completely agree. We still need to add custom CommandFilters for a lot of commands, in particular those chown/chmod/dd running on compute/network nodes, if we want to efficiently prevent nova->root privilege escalation.

nova-rootwrap just provides the framework that allows us to do that (previously we used plain "sudo", which didn't allow any filtering at all), and provides node separation (so the user-facing nova-api can't run any command as root at all). So it's an incremental improvement compared to previous versions, but it's not perfect yet.

That was on my TODO for Essex but I just didn't get to it. Will do in Folsom though, if nobody beats me to it.
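
An added example, not part of the original comment and not nova's own code: a simplified stand-in for a filter that matches on the executable name only, next to a hypothetical argument-checking `ChownPathFilter` of the kind the comment calls for. The class names, the allowed directory and the allowed owner are assumptions made for illustration.

```python
import os


class CommandFilter:
    """Simplified stand-in: accepts any arguments once the executable name matches."""

    def __init__(self, exec_path, run_as):
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, userargs):
        return bool(userargs) and os.path.basename(self.exec_path) == userargs[0]


class ChownPathFilter(CommandFilter):
    """Hypothetical custom filter: only `chown <owner> <path>` with an
    allow-listed owner and a path confined below allowed_root."""

    def __init__(self, exec_path, run_as, allowed_root, allowed_owners):
        super().__init__(exec_path, run_as)
        self.allowed_root = os.path.normpath(allowed_root)
        self.allowed_owners = frozenset(allowed_owners)

    def match(self, userargs):
        # Exactly three tokens: rejects options such as -R and multiple targets.
        if not super().match(userargs) or len(userargs) != 3:
            return False
        _, owner, path = userargs
        if owner not in self.allowed_owners or not os.path.isabs(path):
            return False
        # normpath collapses ".." components. It does not resolve symlinks,
        # so the allowed directory itself must not be writable by untrusted users.
        normalized = os.path.normpath(path)
        return normalized.startswith(self.allowed_root + os.sep)


if __name__ == "__main__":
    # Constructed sample requests; the paths are assumed for illustration.
    loose = CommandFilter("/bin/chown", "root")
    strict = ChownPathFilter("/bin/chown", "root",
                             "/var/lib/nova/instances", {"nova"})
    for args in (["chown", "nova", "/var/lib/nova/instances/i-1/disk"],
                 ["chown", "nova", "/etc/passwd"],
                 ["chown", "nova", "/var/lib/nova/instances/../../../etc/passwd"]):
        print(args, "loose:", loose.match(args), "strict:", strict.match(args))
```

The name-only filter accepts all three requests, which is the nova->root gap the comment describes; the argument-checking filter accepts only the first.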