The github page for chef-zero says “It does NO input validation, authentication or authorization”. Do I understand this correctly: When I use chef-client in local mode, it runs the chef-zero server and communicates with it through a TCP socket on localhost. Chef-client loads the configuration into the chef-zero server which will then be available to anyone on the local host through this open port from chef-zero as long as chef-client is running. If there is no kind of security check on this connection, local programs run by anybody could get access to configuration data this way.
Solo and local mode don’t actually bind the zero server to a visible socket, it just lives internally for exactly this reason. If you ever see a debug trace with a weird looking “chefzero://” URL that’s why, the special scheme is used to redirect requests to the internal zero instance.
Original Quoted context has been removed as per policy
But I see a listening socket on localhost:8889 open while the chef-client --local-mode is running.
You can give the --no-listen flag to disable that. We’d intended to make that the default in 13 but it looks like we forgot about it.
Ah, thanks. That is better. That should definitely be the default. And the documentation could be improved, too.