chef - [chef] Re: Re: Re: Re: Re: Running package install with sudo

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Re: Re: Re: Running package install with sudo

From: Daniel DeLeo < >
To:
Subject: [chef] Re: Re: Re: Re: Re: Running package install with sudo
Date: Wed, 8 Dec 2010 09:18:35 -0800

For the sake of argument, what's to stop a bad guy from installing a
setuid shell (or whatever) via yum/rpm if he gains access to your
package system?

Adding a privilege separation/non-root mode to Chef is something I
think about from time to time, but every design I come up with has a
trivial workaround for the attacker.

Dan DeLeo

On Wed, Dec 8, 2010 at 2:12 AM, Christian Requena
< >
wrote:
> I don't think the approach with the groups will work. You need sudo to run
> rpm/yum, because of the rpm db.
>
> --CR
>
> On 12/08/2010 09:57 AM, Dreamcat4 wrote:
>>
>> Another thing you can try is to make /usr group writable to the
>> "admin" group. And add your user on the admin group. Then installing
>> packages without sudo. The initial chowning of directories will
>> require sudo however.
>>
>> On Wed, Dec 8, 2010 at 7:26 AM, Noah
>> Kantrowitz< >
>>  wrote:
>>
>>>
>>> On Dec 7, 2010, at 3:08 PM, Christian Requena wrote:
>>>
>>>
>>>>
>>>> Hi,
>>>>
>>>> you can define your commands freely.
>>>>
>>>> Example for tomcat.
>>>>
>>>> Define what do you want to do (i.e. in an attribute file):
>>>>
>>>>
>>>>>
>>>>> # start the service
>>>>> default[:tomcat][:start]= (platform == 'windows') ?
>>>>> 'C:\Applications\tomcat\bin\catalina.sh start' : \
>>>>>                                                    "sudo service tomcat
>>>>> start"
>>>>> # stop the service
>>>>> default[:tomcat][:stop]= (platform == 'windows') ?
>>>>> 'C:\Applications\tomcat\bin\catalina.sh stop' : \
>>>>>                                                   "sudo service tomcat
>>>>> stop"
>>>>> #
>>>>> # get service status. TODO: windows!?
>>>>> default[:tomcat][:status]="sudo service tomcat status"
>>>>>
>>>>
>>>> Overwrite the start,stop,... commands in your recipe:
>>>>
>>>>
>>>>>
>>>>> ...
>>>>> service "tomcat" do
>>>>>  action :nothing
>>>>>  supports :start =>  true, :stop =>  true, :restart =>  true, :status
>>>>> =>
>>>>> false
>>>>>  start_command node[:tomcat][:start]
>>>>>  stop_command node[:tomcat][:stop]
>>>>>  status_command node[:tomcat][:status]
>>>>>  restart_command "#{node[:tomcat][:stop]}&&  #{node[:tomcat][:start]}"
>>>>> end
>>>>> ...
>>>>>
>>>
>>> This is specific to the service resource, but you could certainly build
>>> your
>>> own provider (which would be 99% identical to the existing RPM provider)
>>> which uses sudo in the command.
>>>
>>> --Noah
>>>
>>>
>>>
>
>

[chef] Running package install with sudo, Tristan Sloughter, 12/07/2010
- [chef] Re: Running package install with sudo, Christian Requena, 12/07/2010
  - [chef] Re: Re: Running package install with sudo, Noah Kantrowitz, 12/07/2010
    - [chef] Re: Re: Re: Running package install with sudo, Dreamcat4, 12/08/2010
      - [chef] Re: Re: Re: Re: Running package install with sudo, Christian Requena, 12/08/2010
        
        [chef] Re: Re: Re: Re: Re: Running package install with sudo, Daniel DeLeo, 12/08/2010
        
        [chef] Re: Re: Re: Re: Re: Re: Running package install with sudo, Tristan Sloughter, 12/08/2010
        
        [chef] Re: Re: Re: Re: Re: Re: Running package install with sudo, Avishai Ish-Shalom, 12/08/2010