Make the file_cache_path directory configurable #36

Closed
wants to merge 1 commit into
base: master
from

nougad commented May 30, 2014

When the cookbook is running as root, chef sets the chef directory (top
directory of cache folder) to 700. When the homebrew cookbook is
executed the homebrew_go script is downloaded to chef cache. The file
can't be executed by the non root owner because the chef top level
directory is not readable by the user:

$ sudo ls -ld chef chef/cache chef/cache/homebrew_go
drwx------ 5 root root 170 May 28 11:53 chef
drwxr-xr-x 5 root root 170 May 28 11:53 chef/cache
-rwxr-xr-x 1 root root 7231 May 28 11:53 chef/cache/homebrew_go

In general it might be a better idea to download the homebrew_go script
to /tmp and only download it if homebrew is not installed. But as a
first fix this patch makes the file_cache_path configurable via an
attribute.

jtimberman (Member) commented Jun 21, 2014

Couple things.

First, what version of Chef and how was it installed? I'm not seeing this issue.

Second, why not use a config file with file_cache_path set?

nougad commented Jun 21, 2014

I'm using chefdk with chef 11.14.0.alpha.1 running chef-solo with sudo.

$WORKDIR/solo.rb:

file_cache_path  "${WORKDIR}/cache"
file_backup_path "${WORKDIR}/backup"
cookbook_path    ["${WORKDIR}/cookbooks"]
log_level        :debug
verbose_logging  true
ssl_verify_mode :verify_peer

sudo chef-solo -j "$HOME/conf.json" -c "$WORKDIR/solo.rb" --no-fork -r "$WORKDIR/cookbooks.tar.gz"

This will set the permissions of $WORKDIR to 700 for user root. So it is not possible to execute the file #{Chef::Config[:file_cache_path]}/homebrew_go as non root user.

jtimberman (Member) commented Jun 22, 2014

I couldn't reproduce this, the permissions on the cache directory and homebrew_go were such I could read the file as a non-root user.

jtimbermans-Mac:work jtimberman$ ls -ld cache
drwxr-xr-x  6 root        staff   204 Jun 22 10:57 cache
jtimbermans-Mac:work jtimberman$ ls -l cache/
-rwxr-xr-x  1 root  staff  7310 Jun 22 10:57 homebrew_go

The resource for the script sets mode 0755:

# homebrew_go is the path of the downloaded script under Chef::Config[:file_cache_path]
remote_file homebrew_go do
  source 'https://raw.github.com/Homebrew/homebrew/go/install'
  mode 00755
end

The method inside Chef that creates the Chef::Config[:file_cache_path] just does a Dir.mkdir. Permissions for this directory should be set according to the umask of the execution environment.

I don't think we should add another attribute to the cookbook. If you're executing as root, and can't resolve this issue, perhaps another recipe that does this:

file Chef::Config[:file_cache_path] do
  owner "useryouwant"
  mode 00755
end

@jtimberman jtimberman closed this Jun 22, 2014
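The disagreement above comes down to one Unix rule: to execute a file, every directory on the way to it needs the x bit for the calling user, and the mode on the file itself never compensates. The following Ruby script is an added example, not code from the homebrew cookbook or from Chef. It reproduces the listing from the report (top directory created by a bare `Dir.mkdir` under a restrictive umask, so it comes out 0700; `cache` and `homebrew_go` at 0755), locates the component that blocks a hypothetical non-root user, then applies the fix the thread converges on, an explicit mode on the directory. The temporary paths, the umask value of 077, the stub script contents and the "other user" uid/gid are constructed for the demo.

```ruby
# Added example, not code from the homebrew cookbook or from Chef itself.
# Reproduces the thread's scenario: a directory created by a bare Dir.mkdir
# under a restrictive umask ends up 0700, so a 0755 script beneath it is
# unreachable by any other user; an explicit mode on the directory fixes it.
# Paths, the 077 umask, the stub script and the "other" uid/gid are constructed.
require 'tmpdir'

# True if a user with +uid+/+gid+ may traverse +dir+, judged from the mode
# bits alone. File.executable? is deliberately not used: root bypasses
# discretionary access checks, which would hide the problem under sudo.
def traversable?(dir, uid, gid)
  st = File.stat(dir)
  if st.uid == uid
    (st.mode & 0o100) != 0   # owner x
  elsif st.gid == gid
    (st.mode & 0o010) != 0   # group x
  else
    (st.mode & 0o001) != 0   # other x
  end
end

# First directory between +root+ (exclusive) and +file+ that the given user
# cannot traverse, checked outermost first; nil if the whole chain is open.
def first_blocking_dir(file, root:, uid:, gid:)
  root = File.expand_path(root)
  chain = []
  dir = File.dirname(File.expand_path(file))
  while dir != root
    chain.unshift(dir)
    parent = File.dirname(dir)
    break if parent == dir  # reached the filesystem root without meeting +root+
    dir = parent
  end
  chain.find { |d| !traversable?(d, uid, gid) }
end

# Mirror the listing in the report: the top-level dir comes from a plain
# Dir.mkdir (mode 0777 & ~umask), while the cache dir and the downloaded
# script get explicit modes, as the remote_file's `mode 00755` does.
def build_cache_like_chef(workdir, umask:)
  old = File.umask(umask)
  chef  = File.join(workdir, 'chef')
  cache = File.join(chef, 'cache')
  Dir.mkdir(chef)                      # inherits the umask: 0700 under 077
  Dir.mkdir(cache)
  File.chmod(0o755, cache)             # drwxr-xr-x as in the listing
  script = File.join(cache, 'homebrew_go')
  File.write(script, "#!/bin/sh\necho 'constructed stand-in for the install script'\n")
  File.chmod(0o755, script)            # -rwxr-xr-x as in the listing
  script
ensure
  File.umask(old) if old
end

def octal_mode(path)
  format('%o', File.stat(path).mode & 0o7777)
end

# Run the scenario and report which component blocks a non-owner before and
# after giving the top-level directory an explicit, umask-independent mode.
def demo
  Dir.mktmpdir('chefperm') do |workdir|
    script = build_cache_like_chef(workdir, umask: 0o077)
    own = File.stat(script)
    other_uid = own.uid + 1   # hypothetical unprivileged user: not the owner
    other_gid = own.gid + 1   # and not in the owning group
    chef_dir = File.join(workdir, 'chef')
    before = first_blocking_dir(script, root: workdir, uid: other_uid, gid: other_gid)
    mode_before = octal_mode(chef_dir)
    File.chmod(0o755, chef_dir)   # what an explicit mode on the directory resource achieves
    after = first_blocking_dir(script, root: workdir, uid: other_uid, gid: other_gid)
    {
      owner_blocked: first_blocking_dir(script, root: workdir, uid: own.uid, gid: own.gid),
      blocking_before: before && File.basename(before),
      mode_before: mode_before,
      blocking_after: after,
      mode_after: octal_mode(chef_dir)
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The owner (root in the report) is never blocked, which is why the maintainer could not reproduce it and why `ls -l` on the script alone is misleading; the reporter's `sudo ls -ld` on each ancestor is the right check, and `sudo sh -c umask` shows the umask the chef-solo run actually inherited. The fix keeps the directory owned by root and only opens traversal (0755) rather than chowning the cache to the unprivileged user: that user can then read and run the script, but cannot replace content in the cache that root later reads. In a recipe the same effect comes from Chef's `directory` resource on `Chef::Config[:file_cache_path]` with a `mode` of 0755, ordered before the `remote_file`.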
