Finally found the time to investigate this. Checking exec_dirs instead of the sudo-secured PATH would not cause security issues since exec_dirs is very much trusted too. That said, it is non-trivial to check exec_dirs as part of the match function of a filter (we need to change the match function arguments).
I consider this a bit of a corner case (I don't think it can affect anything but killing 'python' processes run from a venv), so I would rather document the limitation than change behavior to accommodate it.
But then, I'm not sure we should encourage switching secure_path (or exec_dirs) to list the venv bin directory. It is a security hole to specify (in exec_dirs or in secure_path) a directory that is not only writeable by root. I suspect in your case /opt/openstack/venv/neutron/bin is owned by some unprivileged user, and adding that to secure_path or exec_dirs may result in privilege escalation.
Which makes me ask, why does Neutron require root rights to kill a side Python process? Will investigate more on the Neutron side and report.
I also wonder WHY neutron needs root rights to kill this process -- like I said
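One way to check the condition raised above before a directory goes into exec_dirs or secure_path, as an added example that is not part of the original comment or of the project's code. The function names are hypothetical; it assumes a comma- or colon-separated list, also walks parent directories, and treats group-writable as a finding.

```python
import os
import stat


def audit_exec_dir(path, trusted_uid=0, stop_at="/"):
    """Return (directory, reason) findings for path and its ancestors.

    An empty list means only trusted_uid can write anywhere on the chain,
    so nobody else can plant or replace an executable there.
    """
    findings = []
    current = os.path.realpath(path)  # resolve symlinks before checking
    stop_at = os.path.realpath(stop_at)
    while True:
        try:
            st = os.stat(current)
        except OSError as exc:
            findings.append((current, "cannot stat: %s" % exc.strerror))
            break
        if not stat.S_ISDIR(st.st_mode):
            findings.append((current, "not a directory"))
        if st.st_uid != trusted_uid:
            findings.append((current, "owned by uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((current, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent  # a writable parent allows swapping the child
    return findings


def audit_exec_dirs(value, trusted_uid=0, stop_at="/"):
    """Audit every entry of an exec_dirs or secure_path style list."""
    report = {}
    for entry in value.replace(":", ",").split(","):
        entry = entry.strip()
        if entry:
            report[entry] = audit_exec_dir(entry, trusted_uid, stop_at)
    return report


if __name__ == "__main__":
    # Constructed list; the last entry is the venv path from the comment.
    sample = "/sbin,/usr/sbin,/bin,/usr/bin,/opt/openstack/venv/neutron/bin"
    for directory, problems in audit_exec_dirs(sample).items():
        print(directory, "OK" if not problems else problems)
```
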