Comment 9 for bug 1343657

Running with shell=True is clearly a bug, and as you mention it enables permissions traversal, which has... interesting properties.

I think we could issue an OSSA (or OSSN) about it -- the problem is, that would make us declare that we consider escalation from config files write rights to executing arbitrary code as the service as being a vulnerability. I think there are plenty of ways throughout OpenStack to convert config file writing rights to service arbitrary code execution rights -- for example through the definition of entry points and plugins. We are a long way from having proper isolation here.

So I think it's a bit of a slippery slope. We may come one day to the point where we can consider those rights as being properly isolated, but as of today I think we should fix it and pass on the advisory.