Chef Infra needs a way to provide secure credentials in the client.rb #10985
Labels
Aspect: Security
Can an unwanted third party affect the stability or look at privileged information?
Triage: Feature Request
Indicates an issue requesting new functionality.
Describe the Enhancement:
When specifying the rubygems_url, http_proxy, or https_proxy values in Chef Infra client's client.rb file, it seems that the only way to provide authentication credentials (e.g., to a private rubygems repo), is to embed the username and password in the URL, like https://myuser:mypass@private.rubygems.repo. This is not ideal, as the file could be read by anyone without changing the mode to 640 or stricter. For example, the chef-client::config recipe sets the permissions on the client.rb wide open: https://github.com/chef-cookbooks/chef-client/blob/master/recipes/config.rb#L83
Describe the Need:
Storing credentials in the client.rb file is not secure.
Current Alternative
The best we can do today is setting the file mode to 640 or stricter, but it would be optimal to have a better way to provide the credentials to the Chef client.
Can We Help You Implement This?:
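A way to check existing nodes for the exposure described in this issue, as an added example that is not part of the original issue or of Chef's code: it flags rubygems_url, http_proxy and https_proxy values that embed credentials, and a file mode looser than 640. The function names and the sample file are constructed for illustration, and it assumes each setting is written as a quoted string literal on one line.

```ruby
require "uri"
require "tempfile"

# Settings the issue names as taking a URL that may embed credentials.
URL_SETTINGS = %w[rubygems_url http_proxy https_proxy].freeze

# Audit one client.rb. Findings never include the URL itself, so the
# report does not leak the secret it is flagging.
def audit_client_rb(path)
  findings = []
  File.foreach(path).with_index(1) do |line, lineno|
    m = line.match(/^\s*(#{URL_SETTINGS.join("|")})\b(.*)$/)
    next unless m # comments and other settings do not match
    # Every quoted string on the line, so array values are covered too.
    m[2].scan(/["']([^"']+)["']/).flatten.each do |value|
      userinfo = begin
        URI.parse(value).userinfo
      rescue URI::InvalidURIError
        value[%r{://([^/@\s]+)@}, 1] # unescaped characters in the password
      end
      next unless userinfo
      findings << { line: lineno, setting: m[1], issue: :credentials_in_url }
    end
  end
  mode = File.stat(path).mode & 0o777
  # "640 or stricter" means no permission bit outside rw-r-----.
  findings << { issue: :mode_too_open, mode: format("%04o", mode) } if (mode & ~0o640 & 0o777) != 0
  findings
end

# Constructed sample file (not from a real node), audited at a given mode.
SAMPLE = <<~CONF
  chef_server_url "https://chef.example.invalid/organizations/demo"
  rubygems_url "https://myuser:mypass@private.rubygems.repo"
  # http_proxy "http://old:secret@proxy.example.invalid:3128"
  https_proxy "http://proxy.example.invalid:3128"
CONF

def audit_sample(mode)
  Tempfile.create("client.rb") do |f|
    f.write(SAMPLE)
    f.flush
    File.chmod(mode, f.path)
    audit_client_rb(f.path)
  end
end

p audit_sample(0o644) if $PROGRAM_NAME == __FILE__
```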