- From: Lamont Granquist
- Subject: [chef] Re: Re: Re: Different data_bags in production and test-kitchen
- Date: Thu, 20 Feb 2014 17:20:49 -0800
On 2/20/14 4:47 PM, Mitsutoshi Aoe wrote:
require 'etc'

sudo "vagrant" do
  user "vagrant"
  nopasswd true
  # Etc.getpwnam raises ArgumentError when the account is absent; rescue it so
  # the guard evaluates to false and skips the resource instead of failing the run.
  only_if { Etc.getpwnam('vagrant') rescue false }
end
I was rather opposed to writing vagrant-aware recipes. Probably I was
just too paranoid in this case.
It does have a bit of "code smell" but it's pretty much the thing that
you want. You could try for better precision and look in ohai
information to find out if you were running virtualized under vagrant,
but that detection code may not be as reliable (false negatives).
I just noticed a security edge case which is that if someone can create
an arbitrary new user on your production servers and log in as it, then
they could name that 'vagrant' and their new account would also gain
root access (a false positive). That assumes a lot of capabilities on
the part of the attacker, though, but you might want to mitigate that
with a chef_environment != "production" check or something along those
lines...
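A guard that folds the mitigation above into the recipe, added here as an example and not code from either poster. It assumes `node` responds to `chef_environment` like a Chef node object, and takes an injectable `lookup` standing in for Etc.getpwnam so the logic can be exercised without real accounts; the `sudo` resource itself is shown only as a comment.

```ruby
require 'etc'

# Added example, not from the thread. Guard logic for the `sudo 'vagrant'`
# resource: require the account to exist AND the node to be in a
# non-production environment, so a 'vagrant' user created on a production
# box does not pick up passwordless root.

# Etc.getpwnam raises ArgumentError when the account is missing, so a bare
# `only_if { Etc.getpwnam('vagrant') }` would fail the chef run rather than
# skip the resource. `lookup` defaults to the real call; tests inject a fake.
def local_user_exists?(name, lookup: Etc.method(:getpwnam))
  !lookup.call(name).nil?
rescue ArgumentError
  false
end

# Environments in which granting the vagrant user NOPASSWD sudo is acceptable.
# An allowlist fails closed for unexpected names (e.g. 'staging'), which is
# stricter than the `chef_environment != "production"` check suggested above.
VAGRANT_SUDO_ENVIRONMENTS = %w[_default vagrant development test].freeze

# `node` is assumed to respond to #chef_environment like a Chef node object.
def grant_vagrant_sudo?(node, lookup: Etc.method(:getpwnam))
  env = node.chef_environment.to_s
  return false if env == 'production'
  return false unless VAGRANT_SUDO_ENVIRONMENTS.include?(env)
  local_user_exists?('vagrant', lookup: lookup)
end

# Inside the recipe (Chef DSL, kept as a comment so this file runs as plain Ruby):
#   sudo 'vagrant' do
#     user 'vagrant'
#     nopasswd true
#     only_if { grant_vagrant_sudo?(node) }
#   end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for a production node: denied before any user lookup.
  FakeNode = Struct.new(:chef_environment)
  puts grant_vagrant_sudo?(FakeNode.new('production'))
end
```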