chef user resource for macOS is not compatible with macOS 10.14 security protections #7763
The user resource as currently designed for macOS performs operations which are blocked in 10.14 by default.
This affects all versions, but the examples I'll give here are for 14.3.37
macOS 10.14 (Mojave) build 18A391
Create a user resource:
Run chef once. No errors will occur. Run it again, and chef will terminate with an error.
Root cause for this lies in several behaviors the chef resource performs which are now denied by default on macOS 10.14.
Direct file access to the dslocal plists is now denied by the new privacy protections in 10.14. All user information access must be done via OS APIs or tools that make use of these native APIs. This means that
So in the example above, creation works on the first run because it goes through
But on the second run, it sees that the user exists (
There are deeper problems with the resource as well.
If you want to set a password, the password operation is also done via direct plist access. All password operations are disallowed under 10.14 as a result.
When you remove a user resource, it attempts to clean up the home directory with
If the account that was created with chef was ever logged into and Apple Mail was used, it will make a ~/Library/Mail directory in the user's home folder which also falls under Mojave's new privacy security protections and recursive removal of the directory is denied.
We have some monkey patching which corrects much of this, but for issues like remove_user ... I'm not sure what the best path forward here is.
For an overview of the Mojave privacy protections, this is a good writeup: https://carlashley.com/2018/09/28/tcc-round-up/
There's management functionality for this on macOS, but it requires not just MDM management of the Mac but also DEP/UAMDM-enabled MDM before a configuration profile like the one in the blog post can be deployed to the machine to make chef runs work again.
Additionally, to get these protections, part of chef for macOS will need to be code-signed. Is chef interested in doing this? Will organizations be expected to do this?
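The pattern the issue describes, as an added example that is neither Chef's user resource nor code from the reporter: query and mutate the local Directory Service node through `dscl` (the `dscl . -read`, `-create` and `-passwd` subcommands are standard macOS tooling) instead of reading or writing the plists under `/var/db/dslocal`. The sample `dscl` output, the module name `MacUserViaDscl`, the injectable `runner` and the assumption that the old existence check was a plain file read of the plist are all constructions for this example; the command arrays are passed to `Open3` without a shell so the account name cannot be interpreted by one.

```ruby
# Added example (not Chef's code): prefer dscl over direct dslocal plist access.
require 'open3'

module MacUserViaDscl
  # The old approach touched this path directly; on macOS 10.14 that read is
  # denied by the TCC privacy protections unless the caller is whitelisted.
  DSLOCAL_USERS = '/var/db/dslocal/nodes/Default/users'.freeze

  # dscl record names become a Directory Service path, so reject anything that
  # is not a plain account name before building a command with it.
  NAME_RE = /\A[a-z_][a-z0-9_.-]*\z/i.freeze

  def self.plist_path(name)
    File.join(DSLOCAL_USERS, "#{check_name(name)}.plist")
  end

  def self.check_name(name)
    raise ArgumentError, "invalid account name: #{name.inspect}" unless NAME_RE.match?(name)
    name
  end

  # Command lines as arrays: no shell, no quoting problems.
  def self.read_cmd(name)
    ['dscl', '.', '-read', "/Users/#{check_name(name)}"]
  end

  def self.create_cmds(name, uid:, gid:, home:, shell:)
    path = "/Users/#{check_name(name)}"
    [
      ['dscl', '.', '-create', path],
      ['dscl', '.', '-create', path, 'UniqueID', uid.to_s],
      ['dscl', '.', '-create', path, 'PrimaryGroupID', gid.to_s],
      ['dscl', '.', '-create', path, 'NFSHomeDirectory', home],
      ['dscl', '.', '-create', path, 'UserShell', shell]
    ]
  end

  # Password changes go through dscl as well, not the plist. Passing the
  # password as an argument exposes it in `ps`; run this as root on a host you
  # control, or use the interactive form of -passwd instead.
  def self.passwd_cmd(name, password)
    ['dscl', '.', '-passwd', "/Users/#{check_name(name)}", password]
  end

  # Parse `dscl . -read` output ("Key: value", with continuation lines for
  # multi-line values indented by a space) into a Hash.
  def self.parse_read(output)
    attrs = {}
    key = nil
    output.each_line do |raw|
      line = raw.chomp
      if (m = line.match(/\A(\S+):\s?(.*)\z/))
        key = m[1]
        attrs[key] = m[2]
      elsif key && line.start_with?(' ')
        attrs[key] = [attrs[key], line.strip].reject(&:empty?).join("\n")
      end
    end
    attrs
  end

  # Real runner: returns [stdout, success?]. dscl exits non-zero and reports
  # eDSRecordNotFound on stderr when the record does not exist.
  DEFAULT_RUNNER = lambda do |argv|
    out, status = Open3.capture2(*argv)
    [out, status.success?]
  end

  def self.read_user(name, runner: DEFAULT_RUNNER)
    out, ok = runner.call(read_cmd(name))
    return nil unless ok
    attrs = parse_read(out)
    attrs.empty? ? nil : attrs
  end

  def self.user_exists?(name, runner: DEFAULT_RUNNER)
    !read_user(name, runner: runner).nil?
  end
end

if $PROGRAM_NAME == __FILE__
  # On a real 10.14 host this runs dscl; elsewhere it just shows the commands.
  puts MacUserViaDscl.read_cmd('alice').join(' ')
  puts MacUserViaDscl.create_cmds('alice', uid: 501, gid: 20,
                                  home: '/Users/alice', shell: '/bin/zsh').map { |c| c.join(' ') }
end
```

`user_exists?` is the idempotence check that matters for a second chef run: it asks the Directory Service rather than stat-ing a file the process is no longer allowed to read. Home directory cleanup has no equivalent workaround here; removing `~/Library/Mail` still needs the TCC profile the issue describes.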