[chef] RE: Chef-client as unprivileged Windows user


  • From: Kevin Keane Subscription < >
  • To: < >
  • Subject: [chef] RE: Chef-client as unprivileged Windows user
  • Date: Thu, 10 Oct 2013 01:38:11 -0700

First of all, you mention that you are migrating from Chef 10 to Chef 11. Are you talking about migrating the server, or the client? Migrating the server really shouldn't make a difference; migrating the client might.

My best guess is that the permission problems aren't with the final file location, but rather with the Chef cache directory (or one of the other directories the Chef client uses). It is also possible that the problem arises because Chef doesn't actually create the file, but moves it. Chef actually doesn't create templatized files in place. Rather, it builds the templatized files in a temporary location (I think it's actually the cache directory, but I'm not sure off the top of my head), computes the file hash, and then computes the hash of the existing file (only if a file already exists, of course). If the two hashes don't match, Chef then moves the file from the temporary location to its final place.

Generally, Chef was not really designed to run with limited permissions. I'm actually impressed that you manage to run it to set up per-user configurations; it's something I'd also love to be able to accomplish!

Kevin Keane

The NetTech

760-721-8339

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html


-----Original message-----
From: Daniel Oliver < >
Sent: Thursday 10th October 2013 1:17
To:
Subject: [chef] Chef-client as unprivileged Windows user

Hi list,

I’m sorry if this question has been asked before, but I can’t find it in my archives. I am testing our migration from Chef 10 to 11, and things have been ok on the server and system side. Unfortunately, I’ve hit a road-block when it comes to unprivileged Windows users.

We use Chef to perform various configuration tasks in each of our user profiles, such as dropping per-user configuration files into the correct location at login and periodically thereafter using a scheduled task. Unfortunately, I have been unable to make Chef 11.6 deploy even the simplest template to a user’s profile; I just keep getting file security permission errors. I have tried varying absolute/relative paths, Windows/Unix style directories and combinations of Windows/Unix permission options, all with no success.

I do see a 0-byte file appear, for which the current user is the owner having full control, and I am able to change permissions using Explorer.

I’ve looked through mv_windows.rb, and I understand why the permissions handling has been implemented as it has, and realise that this may well introduce some scenarios I need to work around. However, what I don’t understand is why it isn’t working in this situation? My user is able to manipulate the file permissions in Explorer with no privilege escalation, and the location I am trying to write to is not subject to redirection by the Virtual Store. Chef is also creating a 0-byte file with the current user as the owner and explicit full control.

If anyone can shed some light on this problem, I would really appreciate your input.

Thanks,

Dan.
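
The stage, hash-compare and move sequence that Kevin Keane's reply describes, as an added Ruby sketch that is not part of the original thread and is not Chef's own code; `deploy_staged` and `StageError` are hypothetical names. It reports which step failed, so a permission error in the staging directory can be told apart from one at the destination.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Hypothetical error type: records which step of the deployment failed.
class StageError < StandardError
  attr_reader :stage

  def initialize(stage, cause)
    @stage = stage
    super("#{stage} failed: #{cause.class}: #{cause.message}")
  end
end

def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# Write the rendered content into staging_dir, compare its hash with the
# existing destination (if any), and move it into place only on a difference.
# Returns :created, :updated or :unchanged.
def deploy_staged(content, dest, staging_dir)
  staged = File.join(staging_dir, ".stage-#{File.basename(dest)}-#{Process.pid}")
  begin
    File.binwrite(staged, content)
  rescue SystemCallError => e
    # The account cannot write to the staging (cache) directory.
    raise StageError.new(:staging_write, e)
  end

  existed = File.exist?(dest)
  if existed && sha256_of(dest) == sha256_of(staged)
    File.delete(staged)
    return :unchanged
  end

  begin
    FileUtils.mv(staged, dest)
  rescue SystemCallError => e
    # Staging worked; the move into the final location is what failed.
    FileUtils.rm_f(staged)
    raise StageError.new(:move_to_destination, e)
  end
  existed ? :updated : :created
end
```
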



