Comment 3 for bug 1394279

Thierry Carrez (ttx) wrote :

Finally found the time to investigate this. Checking exec_dirs instead of the sudo-secured PATH would not cause security issues since exec_dirs is very much trusted too. That said, it is non-trivial to check exec_dirs as part of the match function of a filter (we need to change the match function arguments).

I consider this is a bit of a corner case (I don't think it can affect anything but killing 'python' processes run from a venv), so I would rather document the limitation than change behavior to accommodate it.

But then, I'm not sure we should encourage switching secure_path (or exec_dirs) to list the venv bin directory. It is a security hole to specify (in exec_dirs or in secure_path) a directory that is not only writeable by root. I suspect in your case /opt/openstack/venv/neutron/bin is owned by some unprivileged user, and adding that to secure_path or exec_dirs may result in privilege escalation.

Which makes me ask, why does Neutron require root rights to kill a side Python process? Will investigate more on the Neutron side and report.

I also wonder WHY neutron needs root rights to kill this process -- like I said
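The ownership concern raised in this comment can be checked mechanically. The following is an added example, not part of the original comment or of oslo.rootwrap: it reads `exec_dirs` from rootwrap.conf text and reports every listed directory, or ancestor of one, that is not owned by root or is group- or world-writable. The sample config is constructed, and the helper names are hypothetical.

```python
import configparser
import os
import stat

# Constructed sample config; the venv path is the one mentioned in the comment.
SAMPLE_CONF = """\
[DEFAULT]
filters_path=/etc/neutron/rootwrap.d
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/opt/openstack/venv/neutron/bin
"""

def parse_exec_dirs(conf_text):
    """Return the exec_dirs entries from rootwrap.conf text."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("DEFAULT", "exec_dirs", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def unsafe_reason(st_uid, st_mode, trusted_uid=0):
    """Say why a directory is writable by someone other than root, or None."""
    if st_uid != trusted_uid:
        return "owned by uid %d" % st_uid
    if st_mode & stat.S_IWGRP:
        return "group-writable"
    if st_mode & stat.S_IWOTH:
        return "world-writable"
    return None

def audit_dir(path, trusted_uid=0):
    """Check path and every ancestor; return [(dir, reason)] for unsafe ones."""
    findings = []
    current = os.path.realpath(path)
    while True:
        try:
            st = os.stat(current)
            reason = unsafe_reason(st.st_uid, st.st_mode, trusted_uid)
        except OSError as exc:
            reason = "cannot stat: %s" % exc.strerror
        if reason:
            findings.append((current, reason))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

if __name__ == "__main__":
    for d in parse_exec_dirs(SAMPLE_CONF):
        for where, why in audit_dir(d):
            print("%s: %s (%s)" % (d, where, why))
```

Ancestors are included because whoever can write to a parent directory can replace the listed directory itself.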