Scenario:
Credential-containing config file is world-readable (644). This is a security risk because it gives access to the credentials of various services to any valid system user.
Steps to Reproduce:
1. Use a wrapper cookbook to run supermarket-omnibus-cookbook, setting (for example) your Postgres server to something custom.
2. Examine the ownership and permissions of /etc/supermarket/supermarket.json.
Expected Result:
supermarket.json, containing credentials to AWS, Postgres, etc., should not be world readable. The permissions should be 600. The file should probably be owned by supermarket.
Actual Result:
supermarket.json is mode 644 (-rw-r--r--).
This file in particular is also owned by root, whereas the other files in the directory are owned by supermarket.
Sidenote: this problem may be better fixed with a change to chef_ingredient allowing ownership/mode to be set on the config property, or even further upstream in the supermarket RPM itself. I'm not familiar with the patterns (i.e. chef_ingredient) used in this omnibus cookbook, but I thought this would be the best place to start.
Yes, chef-ingredient is the first place we should consider addressing the permissions on that file.
The supermarket-omnibus-cookbook's supermarket_server resource uses the chef_ingredient resource which uses the ingredient_config resource to manage a product's config file.
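The two halves of this report, the audit (is supermarket.json world-readable and owned by root?) and the expected result (mode 600, owned by supermarket), as an added Ruby example; it is not code from supermarket-omnibus-cookbook, chef-ingredient or the supermarket RPM, and the file path, owner name and JSON content are constructed sample values. The write helper creates the file with 0600 from the start rather than writing it with the default umask and chmod-ing afterwards, since that ordering leaves a window in which the credentials are readable.

```ruby
# Added example: audit a credential-bearing config file and write it without a
# world-readable window. Not from the cookbook or chef-ingredient; sample values only.
require 'etc'
require 'tmpdir'

EXPECTED_MODE = 0600

# Resolve a uid to a user name; fall back to the numeric uid if there is no passwd entry.
def owner_name(uid)
  Etc.getpwuid(uid).name
rescue ArgumentError
  uid.to_s
end

# Return a list of findings (empty when the file is acceptable).
# expected_owner is a user name such as "supermarket"; nil skips the ownership check.
def audit_config(path, expected_owner: nil)
  st = File.stat(path)
  mode = st.mode & 0777
  findings = []
  findings << format('mode is %04o, expected %04o', mode, EXPECTED_MODE) if mode != EXPECTED_MODE
  findings << 'file is world-readable' if (mode & 0004) != 0
  findings << 'file is group-readable' if (mode & 0040) != 0
  if expected_owner
    owner = owner_name(st.uid)
    findings << "owned by #{owner}, expected #{expected_owner}" if owner != expected_owner
  end
  findings
end

# Create the file with 0600 at open time so no other local user can read it
# between creation and a later chmod. The explicit chmod covers a pre-existing
# file, whose mode open(2) leaves untouched. Returns the resulting mode bits.
def write_private_config(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, EXPECTED_MODE) do |f|
    f.write(content)
  end
  File.chmod(EXPECTED_MODE, path)
  File.stat(path).mode & 0777
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'supermarket.json')              # constructed sample path
    sample = '{"postgresql": {"password": "example"}}'     # constructed sample content
    File.write(path, sample)
    File.chmod(0644, path)                                 # reproduce the reported state
    puts audit_config(path, expected_owner: 'supermarket')
    write_private_config(path, sample)
    puts audit_config(path).inspect
  end
end
```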
Cookbook version: 3.0.0
Chef-client version: 13.8.5
Platform Details: AWS, CentOS 7