Comment 1 for bug 681774

Do you mean euca_rootwrap as implemented like this: http://www.sfr-fresh.com/linux/misc/eucalyptus-2.0.2-src-online.tar.gz:a/eucalyptus-2.0.2/util/euca_rootwrap.c?

Unless I'm missing something, this will execute any command with full root privileges, which completely defeats the point of privilege separation. Using sudo is pretty horrible, but at least it can enforce that only a few named commands may be run. Using euca_rootwrap would be hardly any more secure than just running the nova daemons as root.