- From: Daniel Oliver <
>
- To: "
" <
>
- Subject: [chef] RE: RE: Re: Client privileges
- Date: Wed, 29 Jun 2011 08:31:37 +0100
- Accept-language: en-US
- Acceptlanguage: en-US
My apologies -- mailbox wasn't sorted in the right order.
-----Original Message-----
From: Daniel Oliver
Sent: 29 June 2011 08:30
To:
Subject: [chef] RE: Re: Client privileges
This is not true -- all API clients can currently upload/change/delete
cookbooks on the FOSS server. See my other mail and CHEF-2436
-----Original Message-----
From: Noah Kantrowitz
[mailto:
Sent: 28 June 2011 19:26
To:
Subject: [chef] Re: Client privileges
Assuming you mean the FOSS server (Hosted Chef has its own ACL system, so it
can be locked down to within an inch of its life), a non-admin client can
read all data from the server, perform searches (read: possible CPU DoS),
and write to a node with the same name as the client (read: possible storage
DoS). Hope that helps.
--Noah
On Jun 28, 2011, at 10:52 AM, Anthony Goddard wrote:
>
Hi All,
>
I'm poking around at the different privileges for admin / non admin users
/ clients, mostly with a view to considering what happens if root privileges
are gained by a malicious user on a machine that's managed by chef. I know
the user can do a lot of queries using the client.pem but can't write
changes, though I'm not sure of the specifics.
>
>
I'm wondering if there's any more info around (haven't been able to find
it on the wiki) regarding exactly what the differences are between admin
users and regular users, what privileges a client has etc..
>
>
>
Cheers,
>
Ant
>
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
Archive powered by MHonArc 2.6.16.