[chef] RE: RE: Chef-client as unprivileged Windows user

["Adam Edwards" < >]

Title: RE: [chef] Chef-client as unprivileged Windows user

Hello Dan – there aren’t any changes from chef-client 10 to chef-client 11 that should affect Windows unprivileged users. There *is* a warning however that you may see in log output indicating that you’re better off running with full privileges.

 

So if things worked for you with chef-client 10, they will probably work fine on chef-client 11; if that is indeed true for you, you can ignore the warning in the logs, which is aimed at unblocking people who hit issues that could be fixed by running with full privileges. That said, as Kevin suggests, there are a lot of things that won’t work in you don’t have full privileges – this is due to restrictions (correctly) built in to Windows, not really a limitation in Chef – chef-client won’t allow the security model of Windows to be circumvented.

 

For example, if you have a recipe that adds a new user to a Windows system, that recipe will fail unless chef-client is executed as a user with full privileges. The “fix” is to run with full privileges, or since its Windows, configure the system / user account such that it has exactly the privileges you need for your specific recipes to succeed.

 

-Adam

 

From: [mailto: On Behalf Of Kevin Keane Subscription
Sent: Thursday, October 10, 2013 1:38 AM
To:
Subject: [chef] RE: Chef-client as unprivileged Windows user

 

First of all, you mention that you are migrating from Chef 10 to Chef 11. Are you talking about migrating the server, or the client? Migrating the server really shouldn't make a difference; migrating the client might.

My best guess is that the permission problems aren't with the final file location, but rather with the Chef cache directory (or one of the other directories the Chef client uses). It is also possible that the problem arises because Chef doesn't actually create the file, but move it. Chef actually doesn't create templatized files in place. Rather, it builds the templatized files in a temporary location (I think it's actually the cache directory, but I'm not sure off the top of my head), computes the file hash, and then computes the hash of the existing file (only if a file already exists, of course). If the two hashes don't match, Chef then moves the file from the temporary location to its final place.

Generally, Chef was not really designed to run with limited permissions. I'm actually impressed that you manage to run it to set up per-user configurations; it's something I'd also love to be able to accomplish!

Kevin Keane

The NetTech

760-721-8339

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html

 

-----Original message-----
From: Daniel Oliver < "> >
Sent: Thursday 10th October 2013 1:17
To: ">
Subject: [chef] Chef-client as unprivileged Windows user

Hi list,

 

I’m sorry if this question has been asked before, but I can’t find in my archives.  I am testing our migration from Chef 10 to 11, and things have been ok the server and system side.  Unfortunately, I’ve hit a road-block when it comes to unprivileged Windows users.

 

We use Chef to perform various configuration tasks in each of our user profiles, such as dropping per-user configuration files into the correct location at login and periodically thereafter using a scheduled task.  Unfortunately, I have been unable to make Chef 11.6 deploy even the simplest template to a user’s profile; I just keep file security permission errors.  I have tried varying absolute/relative paths, Windows/Unix style directories and combinations of Windows/Unix permission options, all with no success.

 

I do see a 0-byte file appear, for which the current user is the owner having full control, and I am able to change permissions using Explorer.

 

I’ve looked through mv_windows.rb, and I understand why the permissions handling has been implemented as it has realise that this may well introduce some scenarios I need to work around.  However, what I don’t understand is why it isn’t working in this situation?  My user is able to manipulate the file permissions in Explorer with no privilege escalation, and the location I am trying to write to is not subject to redirection by the Virtual Store.  Chef is also creating a 0-byte file with the current user as the owner and explicit full control.

 

If anyone can shed some light on this problem, I would really appreciate your input.

 

Thanks,

Dan.