
We have a situation in which we need to prevent users from accessing Chef cookbooks in the node cache directory. What is the best way to handle this?

  • Can we delete the cookbook from the cache path at the end of cookbook execution?
  • Is it possible to encrypt/decrypt the cookbook while executing chef-client?

I am looking for expert suggestions on how to handle this scenario.

Saravanan G
  • Have you considered moving your secrets outside of your cookbooks? Or changing the permissions on the cache directory? Also, check out the comments on this old ticket: https://tickets.opscode.com/browse/CHEF-4512 – Martin Nov 12 '15 at 12:09
  • Thanks @Martin. In the case of non-admin users, we can restrict permissions. But chef-client runs using admin rights, so whoever is the admin user on the VM can access the cookbook cache path. So there is a chance of the cookbook being redistributed without our permission. That's the purpose of this post. Btw, the ticket you posted doesn't fit our scenario. – Saravanan G Nov 12 '15 at 12:25
  • Do you have such well-written cookbooks that they need securing? I assume a report handler could do it, wiping out the cache at the cost of re-downloading all cookbooks on each run. – Tensibai Nov 12 '15 at 13:02
  • @SaravananG -- to be clear, anyone with admin permissions can use the chef client key from /etc/chef and fetch the cookbooks directly from the server. Deleting the cookbooks won't increase security against anyone who is already root or another admin user. – Martin Nov 12 '15 at 13:46
  • Thanks Tensibai and Martin. I'll try to implement cleaning up cookbook cache at the end of execution. – Saravanan G Nov 12 '15 at 13:53
  • I would repeat and endorse @Martin's advice to not keep secrets in your cookbook. The best way to keep a secret safe is not to store it. Chef provides alternatives to store sensitive data, from encrypted data bags to the more capable chef-vault solution. (Vault is part of ChefDK.) – Mark O'Connor Nov 12 '15 at 16:33
  • Surely I'll take the suggestions. – Saravanan G Nov 12 '15 at 17:18

1 Answer


No, there is no handling for this at this time. That said, all files in the cache should be restricted to only be readable by root; if this is not the case, please report it as a bug to the Chef project itself. Given that a root user can always access the client key and thus can get the cookbook data directly from the server, controlling access to the cache doesn't help anything.

coderanger
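To make the two suggestions concrete (Tensibai's report handler that wipes the cache at the end of the run, and the answer's point that cache entries should be readable by root only), here is an added example of such a handler. It is not code from the question, the comments, the answer, or the Chef project. It assumes the cookbook cache lives at `Chef::Config[:file_cache_path]/cookbooks` (normally `/var/chef/cache/cookbooks`); the class name, the `wipe:` option and the stand-in base class used when the `chef` gem is not installed are my own, so the logic can be exercised on a constructed temporary tree outside a real chef-client run.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not code from the question, comments, answer or Chef project.
# Use the real Chef::Handler base class when chef is installed; otherwise a
# stand-in with the same run_status reader lets the logic run stand-alone.
begin
  require 'chef/handler'
  HandlerBase = Chef::Handler
rescue LoadError
  HandlerBase = Class.new { attr_reader :run_status }
end

# Mode bits that let the group or "others" read a file or list a directory.
GROUP_OTHER_READ = 0o044

# Paths under cache_dir whose mode lets anyone other than the owner read them.
# The answer states the cache should be readable only by root; any hit here is
# worth a bug report against Chef or a look at the node's umask.
def overly_readable_entries(cache_dir)
  return [] unless File.directory?(cache_dir)
  Dir.glob(File.join(cache_dir, '**', '*'), File::FNM_DOTMATCH)
     .reject { |p| %w[. ..].include?(File.basename(p)) }
     .select { |p| (File.stat(p).mode & GROUP_OTHER_READ) != 0 }
     .sort
end

# Remove every synced cookbook from cache_dir but keep the directory itself so
# the next run can re-sync into it. Returns the cookbook names removed.
def wipe_cookbook_cache(cache_dir)
  return [] unless File.directory?(cache_dir)
  names = Dir.children(cache_dir).sort
  names.each { |name| FileUtils.rm_rf(File.join(cache_dir, name)) }
  names
end

class CookbookCacheHandler < HandlerBase
  attr_reader :findings, :removed

  # cache_dir is normally File.join(Chef::Config[:file_cache_path], 'cookbooks').
  # wipe: is a name chosen for this example.
  def initialize(cache_dir, wipe: false)
    @cache_dir = cache_dir
    @wipe = wipe
    @findings = []
    @removed = []
  end

  # chef-client calls #report once the run has finished (run_status is set by
  # the base class). Audit permissions first, then optionally clear the cache.
  def report
    @findings = overly_readable_entries(@cache_dir)
    @findings.each { |p| warn "cookbook cache entry readable by non-owner: #{p}" }
    @removed = wipe_cookbook_cache(@cache_dir) if @wipe
  end
end

# Stand-alone demonstration on a constructed cache tree (not a real node):
# one cookbook whose recipe file was left world-readable.
def demo
  Dir.mktmpdir('cookbook-cache') do |root|
    cache = File.join(root, 'cookbooks')
    recipe_dir = File.join(cache, 'app', 'recipes')
    recipe = File.join(recipe_dir, 'default.rb')
    FileUtils.mkdir_p(recipe_dir)
    File.write(recipe, "package 'nginx'\n")
    File.chmod(0o700, cache, File.join(cache, 'app'), recipe_dir)
    File.chmod(0o644, recipe) # the leak the audit should flag

    handler = CookbookCacheHandler.new(cache, wipe: true)
    handler.report
    { findings: handler.findings.map { |p| p.sub("#{root}/", '') },
      removed: handler.removed,
      cache_empty: Dir.children(cache).empty? }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

To register it on a node, save the file somewhere root-only such as `/etc/chef/handlers/cookbook_cache_handler.rb` and add to `client.rb`: `require '/etc/chef/handlers/cookbook_cache_handler.rb'` followed by `report_handlers << CookbookCacheHandler.new(File.join(file_cache_path, 'cookbooks'), wipe: true)`. Two caveats from the thread still apply: with `wipe: true` every run re-downloads all cookbooks, and neither the audit nor the wipe stops an administrator who can read the client key in `/etc/chef` and fetch the cookbooks from the server directly.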