- From: Mitsutoshi Aoe
- To:
- Subject: [chef] Re: Re: Re: Re: Different data_bags in production and test-kitchen
- Date: Fri, 21 Feb 2014 10:30:47 +0900
Good point. I'll add some checks.
Thanks,
Mitsutoshi Aoe
2014-02-21 10:20 GMT+09:00 Lamont Granquist:

> On 2/20/14 4:47 PM, Mitsutoshi Aoe wrote:
>
>> sudo "vagrant" do
>>   user "vagrant"
>>   nopasswd true
>>   # Etc.getpwnam raises ArgumentError for an unknown user rather than
>>   # returning nil, so rescue to false instead of aborting the run when
>>   # no 'vagrant' account exists on the host
>>   only_if { Etc.getpwnam('vagrant') rescue false }
>> end
>>
>> I was rather opposed to writing vagrant-aware recipes. Probably I was
>> just too paranoid in this case.
>
> It does have a bit of "code smell" but it's pretty much the thing that you
> want. You could try for better precision and look in ohai information to
> find out if you were running virtualized under vagrant, but that detection
> code may not be as reliable (false negatives).
>
> I just noticed a security edge case which is that if someone can create an
> arbitrary new user on your production servers and log in as it, then they
> could name that 'vagrant' and their new account would also gain root-access
> (a false positive). That assumes a lot of capabilities on the part of the
> attacker, though, but you might want to mitigate that with a
> chef_environment != "production" check or something along those lines...
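One way to write the checks the reply above talks about, as an added example in plain Ruby that is not code from the thread, from the sudo cookbook, or from Chef itself. The helper names `local_user_exists?`, `grant_vagrant_sudo?`, the `FakeNode` stand-in for a Chef node and the `DEMO_PASSWD` table are all assumptions made for this example; the only real calls are `Etc.getpwnam` and the Chef DSL shown in the comment. The guard combines the environment gate (so a 'vagrant' account created by an attacker on a production host does not get NOPASSWD root) with an existence check that does not abort the run when the account is absent.

```ruby
require 'etc'

# Added example, not from the mailing-list thread. Helper names are assumptions.

# True when a local account named +name+ exists. Etc.getpwnam raises
# ArgumentError for an unknown user rather than returning nil, so a bare
# only_if { Etc.getpwnam('vagrant') } aborts the Chef run on a host with no
# 'vagrant' account instead of skipping the resource. +lookup+ is injectable
# so the guard can be exercised without touching the real passwd database.
def local_user_exists?(name, lookup: ->(n) { Etc.getpwnam(n) })
  !lookup.call(name).nil?
rescue ArgumentError
  false
end

# Guard for the passwordless-sudo resource. +node+ is anything that responds
# to #chef_environment (a real Chef node, or FakeNode below). Both conditions
# must hold: the node is outside production AND a 'vagrant' account exists.
# The environment gate closes the false positive described in the thread:
# creating a user named 'vagrant' on a production box no longer yields root.
def grant_vagrant_sudo?(node, lookup: ->(n) { Etc.getpwnam(n) })
  return false if node.chef_environment.to_s == 'production'

  local_user_exists?('vagrant', lookup: lookup)
end

# Stand-in for a Chef node object, used only for the demo and tests.
FakeNode = Struct.new(:chef_environment)

# Constructed passwd table for the demo; the real default lookup goes to Etc.
DEMO_PASSWD = %w[root vagrant].freeze
DEMO_LOOKUP = lambda do |n|
  DEMO_PASSWD.include?(n) ? n : raise(ArgumentError, "can't find user for #{n}")
end

# How the guard would be used in the recipe (Chef DSL, shown only as a
# comment because this file is plain Ruby; the helpers would normally live
# in a cookbook library file):
#
#   sudo "vagrant" do
#     user "vagrant"
#     nopasswd true
#     only_if { grant_vagrant_sudo?(node) }
#   end

if __FILE__ == $PROGRAM_NAME
  no_users = ->(n) { raise ArgumentError, "can't find user for #{n}" }
  [['_default', DEMO_LOOKUP], ['production', DEMO_LOOKUP],
   ['_default', no_users]].each do |env, lookup|
    present = local_user_exists?('vagrant', lookup: lookup)
    grant = grant_vagrant_sudo?(FakeNode.new(env), lookup: lookup)
    puts "env=#{env} vagrant_present=#{present} grant=#{grant}"
  end
end
```

The three demo rows cover the cases from the thread: a non-production node with a vagrant account (grant), a production node where someone has created a 'vagrant' account (deny, the false positive), and a node with no such account (deny without raising).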