Client privileges

Chef Infra (archive)
1

Hi All,
I’m poking around at the different privileges for admin / non admin users / clients, mostly with a view to considering what happens if root privileges are gained by a malicious user on a machine that’s managed by chef. I know the user can do a lot of queries using the client.pem but can’t write changes, though I’m not sure of the specifics.

I’m wondering if there’s any more info around (haven’t been able to find it on the wiki) regarding exactly what the differences are between admin users and regular users, what privileges a client has etc…

Cheers,
Ant

2

I’ve recently submitted CHEF-2436, because all API clients are able to
upload/change cookbooks.

I am not a user of the Opscode Platform, but I also saw a ticket recently
(sorry, find it at the moment) asking for chef-server-api to reflect the
platform behaviour and allow re-registrations using validation.pem. While I
think it is unavoidable that an attacker could potentially publish
information that may cause other systems to configure themselves incorrectly
using this information, allowing re-registration using validation.pem allows
an attacker to usurp the identity of a an entirely separate system.

I know that it is good practice to delete validation.pem once a system has
registered itself, but this is assumes a certain deployment model where the
key can be built into a base image and is held ‘out-of-band’ somewhere and
is never accessible from a live system. I think this is a flawed assumption
because it limits possible deployment architectures where the base-build
deployment system exists at the same logical level as the operational level
(e.g. if not using virtualisation).

Dan.

From: Anthony Goddard [mailto:agoddard@mbl.edu]
Sent: 28 June 2011 18:52
To: chef@lists.opscode.com
Subject: [chef] Client privileges

Hi All,
I’m poking around at the different privileges for admin / non admin users /
clients, mostly with a view to considering what happens if root privileges
are gained by a malicious user on a machine that’s managed by chef. I know
the user can do a lot of queries using the client.pem but can’t write
changes, though I’m not sure of the specifics.

I’m wondering if there’s any more info around (haven’t been able to find it
on the wiki) regarding exactly what the differences are between admin users
and regular users, what privileges a client has etc…

Cheers,
Ant

3

Assuming you mean the FOSS server (Hosted Chef has its own ACL system, so it can be locked down to within an inch of its life), a non-admin client can read all data from the server, perform searches (read: possible CPU DoS), and write to a node with the same name as the client (read: possible storage DoS). Hope that helps.

--Noah

On Jun 28, 2011, at 10:52 AM, Anthony Goddard wrote:

Hi All,
I'm poking around at the different privileges for admin / non admin users / clients, mostly with a view to considering what happens if root privileges are gained by a malicious user on a machine that's managed by chef. I know the user can do a lot of queries using the client.pem but can't write changes, though I'm not sure of the specifics.

I'm wondering if there's any more info around (haven't been able to find it on the wiki) regarding exactly what the differences are between admin users and regular users, what privileges a client has etc..

Cheers,
Ant

4

Awesome, yep that's what I was looking for. Other than the concept of different users managing different nodes or roles, what is a use case for the hosted platform ACLs? Preventing a host from running a query for example? This was obviously a big concern pre encrypted databags, but that seems to be solved now.

A node being able to overwrite a cookbook is probably a concern, given they could throw a cookbook in place of one in a base role and then that would be it. Of course, having everything centrally managed by Chef server probably means that you're going to have good insight into user accounts and nice logging anyway, so this in some ways makes things more secure.

On Jun 28, 2011, at 14:26, Noah Kantrowitz noah@coderanger.net wrote:

Assuming you mean the FOSS server (Hosted Chef has its own ACL system, so it can be locked down to within an inch of its life), a non-admin client can read all data from the server, perform searches (read: possible CPU DoS), and write to a node with the same name as the client (read: possible storage DoS). Hope that helps.

--Noah

On Jun 28, 2011, at 10:52 AM, Anthony Goddard wrote:

Hi All,
I'm poking around at the different privileges for admin / non admin users / clients, mostly with a view to considering what happens if root privileges are gained by a malicious user on a machine that's managed by chef. I know the user can do a lot of queries using the client.pem but can't write changes, though I'm not sure of the specifics.

I'm wondering if there's any more info around (haven't been able to find it on the wiki) regarding exactly what the differences are between admin users and regular users, what privileges a client has etc..

Cheers,
Ant

5

Just about anything, restricting access to data bags or to cookbooks could have security implications, or having users that aren't full admins and can only see/edit a subset of the nodes. The issue with cookbook uploads not being locked down was supposed to be fixed already, I'll go investigate that now actually :slight_smile:

--Noah

On Jun 28, 2011, at 2:36 PM, Anthony Goddard wrote:

Awesome, yep that's what I was looking for. Other than the concept of different users managing different nodes or roles, what is a use case for the hosted platform ACLs? Preventing a host from running a query for example? This was obviously a big concern pre encrypted databags, but that seems to be solved now.

A node being able to overwrite a cookbook is probably a concern, given they could throw a cookbook in place of one in a base role and then that would be it. Of course, having everything centrally managed by Chef server probably means that you're going to have good insight into user accounts and nice logging anyway, so this in some ways makes things more secure.

On Jun 28, 2011, at 14:26, Noah Kantrowitz noah@coderanger.net wrote:

Assuming you mean the FOSS server (Hosted Chef has its own ACL system, so it can be locked down to within an inch of its life), a non-admin client can read all data from the server, perform searches (read: possible CPU DoS), and write to a node with the same name as the client (read: possible storage DoS). Hope that helps.

--Noah

On Jun 28, 2011, at 10:52 AM, Anthony Goddard wrote:

Hi All,
I'm poking around at the different privileges for admin / non admin users / clients, mostly with a view to considering what happens if root privileges are gained by a malicious user on a machine that's managed by chef. I know the user can do a lot of queries using the client.pem but can't write changes, though I'm not sure of the specifics.

I'm wondering if there's any more info around (haven't been able to find it on the wiki) regarding exactly what the differences are between admin users and regular users, what privileges a client has etc..

Cheers,
Ant

6

This is not true -- all API clients can currently upload/change/delete
cookbooks on the FOSS server. See my other mail and CHEF-2436

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: 28 June 2011 19:26
To: chef@lists.opscode.com
Subject: [chef] Re: Client privileges

Assuming you mean the FOSS server (Hosted Chef has its own ACL system, so it
can be locked down to within an inch of its life), a non-admin client can
read all data from the server, perform searches (read: possible CPU DoS),
and write to a node with the same name as the client (read: possible storage
DoS). Hope that helps.

--Noah

On Jun 28, 2011, at 10:52 AM, Anthony Goddard wrote:

Hi All,
I'm poking around at the different privileges for admin / non admin users
/ clients, mostly with a view to considering what happens if root privileges
are gained by a malicious user on a machine that's managed by chef. I know
the user can do a lot of queries using the client.pem but can't write
changes, though I'm not sure of the specifics.

I'm wondering if there's any more info around (haven't been able to find
it on the wiki) regarding exactly what the differences are between admin
users and regular users, what privileges a client has etc..

Cheers,
Ant

7

My apologies -- mailbox wasn't sorted in the right order.

-----Original Message-----
From: Daniel Oliver
Sent: 29 June 2011 08:30
To: chef@lists.opscode.com
Subject: [chef] RE: Re: Client privileges

This is not true -- all API clients can currently upload/change/delete
cookbooks on the FOSS server. See my other mail and CHEF-2436

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: 28 June 2011 19:26
To: chef@lists.opscode.com
Subject: [chef] Re: Client privileges

Assuming you mean the FOSS server (Hosted Chef has its own ACL system, so it
can be locked down to within an inch of its life), a non-admin client can
read all data from the server, perform searches (read: possible CPU DoS),
and write to a node with the same name as the client (read: possible storage
DoS). Hope that helps.

--Noah

On Jun 28, 2011, at 10:52 AM, Anthony Goddard wrote:

Hi All,
I'm poking around at the different privileges for admin / non admin users
/ clients, mostly with a view to considering what happens if root privileges
are gained by a malicious user on a machine that's managed by chef. I know
the user can do a lot of queries using the client.pem but can't write
changes, though I'm not sure of the specifics.

I'm wondering if there's any more info around (haven't been able to find
it on the wiki) regarding exactly what the differences are between admin
users and regular users, what privileges a client has etc..

Cheers,
Ant