Comment 1 for bug 1989008

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

For a bit of OpenStack background, the migration from our old "rootwrap" privilege escalation mechanism to oslo.privsep is ongoing. One of the early stepping stones projects took in order to be able to drop use of rootwrap was to port their extremely loose (more or less root-equivalent) sudoers rules to similarly unsafe privsep policies, with the intention of eventually replacing them with more fine-grained policies. I think it's safe to say many if not most OpenStack services are still effectively relying on having unrestricted system-wide root permissions. I also don't think we'll be able to safely backport any fixes (i.e. completion of the many-years-long rootwrap to privsep migration effort) to maintained stable branches, making this a class B1 or B2 in our report taxonomy: https://security.openstack.org/vmt-process.html#report-taxonomy

It's my opinion that we should switch this to a public security hardening bug and, if relevant, mark it as a duplicate of any existing bug reports about the incomplete state of privsep adoption, but I'm eager to hear from developers in the affected projects as to their position on this. Thanks!