For 1,2,3: the general categories seem to be:
a) libvirt (can't these operations be done with euca in the libvirt group?)
b) vlan, bridge, ip configurations: CAP_NET_ADMIN + CAP_NET_RAW should be sufficient for these commands.
c) LVM: CAP_SYS_ADMIN should be sufficient.
d) dd: why does this need root privs?
Is the AOE manager used?
e) process management: should use some kind of sanity-wrapper with CAP_KILL (is this really needed? kill -9 is pretty harsh)
f) module loading: should be done via packaging not via call-outs to modprobe (also note CAP_SYS_MODULE)
Having the wrapper select caps based on the path of the command seems like a starting point. Getting rid of needless wrapper calls would be nice too: "which", "cat", "dd"...
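As an added illustration of the "wrapper selects caps based on the path of the command" idea in the comment above (this is example code, not Eucalyptus code nor anything from this bug thread): a small Python policy module that canonicalises the requested path, refuses anything outside a set of trusted directories, maps the command to the capability set from the categories listed above, and applies an argument sanity check for `kill`. The binaries in `CAP_POLICY`, the `TRUSTED_DIRS` set, and the `kill` argument rules are assumptions made for the example.

```python
"""Capability selection for a privilege wrapper, keyed on the command path.

Example code, not from Eucalyptus.  The command -> capability table follows
the categories in the comment (network tools -> CAP_NET_ADMIN + CAP_NET_RAW,
LVM -> CAP_SYS_ADMIN, process management -> CAP_KILL); the exact binaries,
TRUSTED_DIRS and the kill argument rules are assumptions.
"""
import os
import posixpath

# Directories from which the wrapper will run anything at all (assumption).
# A path outside these, e.g. /tmp/ip, is refused before any policy lookup,
# so a caller cannot obtain CAP_NET_ADMIN for a binary they control.
TRUSTED_DIRS = frozenset({"/sbin", "/usr/sbin", "/bin", "/usr/bin"})

# Command basename -> capabilities the wrapper keeps for it (assumed list).
# Anything absent from this table is never run with extra privilege.
CAP_POLICY = {
    "vconfig":  frozenset({"CAP_NET_ADMIN", "CAP_NET_RAW"}),
    "brctl":    frozenset({"CAP_NET_ADMIN", "CAP_NET_RAW"}),
    "ip":       frozenset({"CAP_NET_ADMIN", "CAP_NET_RAW"}),
    "lvcreate": frozenset({"CAP_SYS_ADMIN"}),
    "lvremove": frozenset({"CAP_SYS_ADMIN"}),
    "kill":     frozenset({"CAP_KILL"}),
}

# Helpers the comment names as needing no wrapper call at all.
UNPRIVILEGED = frozenset({"which", "cat", "dd"})


class WrapperDenied(Exception):
    """Raised for any request the wrapper must not execute."""


def canonical_path(path, resolve_symlinks=True):
    """Normalise the caller-supplied path before it is used as a policy key."""
    if not posixpath.isabs(path):
        raise WrapperDenied("relative path refused: %r" % path)
    canon = posixpath.normpath(path)          # collapses /../ and duplicate slashes
    if resolve_symlinks:
        canon = os.path.realpath(canon)       # follow symlinks on the live filesystem
    if posixpath.dirname(canon) not in TRUSTED_DIRS:
        raise WrapperDenied("untrusted directory: %r" % canon)
    return canon


def caps_for_command(canon, bounding_set):
    """Capability set to keep for the canonical path `canon`.

    `bounding_set` is what the wrapper itself may hand out; the result is
    always a subset of it, so a policy entry can never exceed it."""
    name = posixpath.basename(canon)
    if name in UNPRIVILEGED:
        raise WrapperDenied("%s needs no privilege; call it directly" % name)
    wanted = CAP_POLICY.get(name)
    if wanted is None:
        raise WrapperDenied("no policy for %s" % name)
    missing = wanted - bounding_set
    if missing:
        raise WrapperDenied("wrapper cannot grant " + ", ".join(sorted(missing)))
    return wanted


def check_args(name, argv):
    """Argument sanity check; only 'kill' has rules here (assumption):
    an optional leading signal, then one or more numeric PIDs above 1
    (this also refuses 'kill -9 -1', which would signal every process)."""
    if name != "kill":
        return
    rest = list(argv[1:])
    if rest and rest[0].startswith("-"):
        sig = rest[0][1:]
        if not (sig.isdigit() or sig.upper() in {"TERM", "KILL", "HUP", "INT"}):
            raise WrapperDenied("unknown signal %r" % rest[0])
        rest = rest[1:]
    if not rest or not all(a.isdigit() and int(a) > 1 for a in rest):
        raise WrapperDenied("kill needs one or more PIDs greater than 1")


def decide(path, argv, bounding_set, resolve_symlinks=True):
    """Wrapper entry point: (True, caps) if the call may proceed, else (False, reason)."""
    try:
        canon = canonical_path(path, resolve_symlinks)
        caps = caps_for_command(canon, bounding_set)
        check_args(posixpath.basename(canon), argv)
    except WrapperDenied as exc:
        return False, str(exc)
    return True, caps


if __name__ == "__main__":
    bounding = {"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_KILL"}
    for req in [("/sbin/ip", ["ip", "link", "show"]),
                ("/tmp/ip", ["ip", "link", "show"]),
                ("/bin/cat", ["cat", "/etc/hosts"]),
                ("/bin/kill", ["kill", "-9", "-1"])]:
        print(req[0], "->", decide(req[0], req[1], bounding))
```

The selection is done on the canonical path rather than on `argv[0]` as received, which is the part that makes path-keyed capability selection meaningful; `resolve_symlinks=False` is offered only so the policy logic can be exercised without depending on the layout of the machine running it.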