This repository has been archived by the owner on Mar 19, 2022. It is now read-only.

Upload cookbooks to secure location #1

Closed
matschaffer opened this issue Aug 30, 2011 · 6 comments

@matschaffer
Owner

In order to keep my cookbooks more secure
As a developer
I want my cookbooks to be uploaded to a non-world-readable location


Right now, since we upload using rsync, potentially as a non-privileged user, we put all cookbooks in /tmp/chef-solo. Ideally we should be writing these to /var/chef or something more secure, but we'll need to figure out how to get rsync doing that. See https://github.com/matschaffer/knife-solo/blob/master/lib/chef/knife/cook.rb#L67 for rsync stuff.

@matschaffer
Owner Author

Starting to think that rsync might not be ideal. Rather, we could probably examine the cookbook dependency tree and SHAs and upload using that, which would be more in line with what Chef server does. Bonus points if we can leverage chef client code to do this.

@thbar
Contributor

thbar commented Feb 11, 2012

Extra note on this: for Windows support we'll have to ensure the folder can be changed (i.e. c:/tmp instead of /tmp, or even something else). Just so you know!

rubiojr pushed a commit to rubiojr/knife-solo that referenced this issue Apr 24, 2012
Use system! fail-fast calls for rsync
@ghost ghost assigned matschaffer Aug 9, 2012
@matschaffer
Owner Author

Making some progress on this in https://github.com/matschaffer/knife-solo/tree/issue/sudo-rsync-1

Still need to do a full test and set up error messages for people to update their solo.rb accordingly.

@matschaffer
Owner Author

Boo... so turns out that trick makes some assumptions about the sudo environment. Instead I've opted to move the root path config to a knife[:solo_path] config and chmod 700 the dir to avoid it being seen by anything other than the user controlling the ssh connection.

@matschaffer
Owner Author

Should be fixed with #145

tmatilai added a commit to tmatilai/knife-solo that referenced this issue Apr 4, 2013
Set the provisioning_path dir mode so that it is not world-readable.
Fixes matschaffer#1.
tmatilai added a commit that referenced this issue Apr 6, 2013
…-199

- Generate solo.rb from knife.rb settings. Fixes #86, #125, #128, #177, #197.
- Read protect the uploaded directory. Fixes #1.
- Convert chef-solo-search as a submodule and upgrade it to v0.4.0. Should fix #216.
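
The fix discussed in this thread (a configurable upload path whose directory is set to mode 700), sketched as an added example; it is not knife-solo's code, and `prepare_private_dir`, `exposed?` and `UnsafeUploadDir` are hypothetical names. It also covers a case the thread does not spell out: a path under a shared directory such as /tmp that already exists as a symlink or belongs to another user.

```ruby
require 'tmpdir'

# Hypothetical names throughout; this is not knife-solo's implementation.
class UnsafeUploadDir < StandardError; end

# Make `path` a directory only the current user can enter, read or write.
def prepare_private_dir(path)
  begin
    Dir.mkdir(path, 0o700)        # fails with EEXIST if anything is already there
  rescue Errno::EEXIST
    st = File.lstat(path)         # lstat: do not follow a pre-planted symlink
    raise UnsafeUploadDir, "#{path} is not a real directory" unless st.directory?
    unless st.uid == Process.euid
      raise UnsafeUploadDir, "#{path} belongs to uid #{st.uid}"
    end
  end
  File.chmod(0o700, path)         # tighten a leftover 0755 dir, or fix umask effects
  path
end

# True when group or other hold any permission bit on `path`.
def exposed?(path)
  (File.lstat(path).mode & 0o077) != 0
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |base|          # constructed sandbox standing in for /tmp
    old = File.join(base, 'chef-solo')
    Dir.mkdir(old)
    File.chmod(0o755, old)        # constructed: a world-readable leftover directory
    puts "before: exposed=#{exposed?(old)}"
    prepare_private_dir(old)
    puts "after:  exposed=#{exposed?(old)}"

    link = File.join(base, 'link')
    File.symlink(old, link)       # constructed: the path was pre-created as a symlink
    begin
      prepare_private_dir(link)
    rescue UnsafeUploadDir => e
      puts "refused: #{e.message}"
    end
  end
end
```

Running the same checks before every upload, not only on first creation, also catches a directory whose mode was loosened between runs.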