Chef Blogs

Security Update: Hosted Chef

Marc Paradise | Posted on | community

Later today, we will be rolling out an update to Hosted Chef that
may impact your future use of data bag items in cookbooks. This change
will remove the Chef Client’s default permissions to ‘create’, ‘update’
and ‘delete’ data bags in newly-created organizations.

This means that if you create an organization today and proceed to add a recipe that
modifies data bag content, any converge that includes that recipe will fail with a 403.

## Why Change This?

Until now, Hosted Chef has defaulted to allowing Chef Client runs
on a node to create, update and delete data bag contents. This
presents a security risk, in that a bad actor with access to any managed
node in your organization can potentially modify data bag contents with
malicious intent.

While we understand the need for client runs to update data bags in some cases,
we hope to increase awareness of the potential risk by requiring customers to explicitly enable this ability for their new organization(s).

We are not modifying existing organizations in order to prevent any impact to customers who are following this usage pattern.

## What Do I Need To Do?

* If you do not use recipes that modify data bags, you do not need to take action. However, we recommend that you remove these permissions from your existing data bag default permissions and existing data bags.
* If you currently use recipes that modify data bags, you can continue to do so in your existing organization(s) without taking any action.
* If you will use recipes that modify data bags in organizations you create on or after Nov 10, 2014, you will need to modify default data bag ACLs of any new organizations you create that will use those recipes.
* In order to make any change to ACLs (as detailed below) administrative permissions are required.

## Disable Chef Client C/U/D on new data bags

### Using knife edit

Follow these steps to disable Create/Update/Delete of data bags from chef client in
your existing organizations.


knife edit /acls/containers/data.json

Under the sections `create`, `update`, and `delete`, remove `clients`
from the `groups` list, then save the file and close the editor.

Here is an example of an edited ACL document with only Read permissions enabled for clients,
disabling Create, Update, and Delete. Note that this may differ for your organization
if you have previously customized ACLs:


{

"create": {

"actors": [ "pivotal" ],

"groups": [ "admins", "users" ]

},

"read": {

"actors": [ "pivotal" ],

"groups": [ "admins", "clients", "users" ]

},

"update": {

"actors": [ "pivotal" ],

"groups": [ "admins", "users" ]

},

"delete": {

"actors": [ "pivotal" ],

"groups": [ "admins", "users" ]

},

"grant": {

"actors": [ "pivotal" ],

"groups": [ "admins" ]

}

}

### Using knife-acl plugin

You can install the knife-acl plugin via `gem install knife-acl`, then
modify ACLs as follows:


knife acl remove containers data update group clients
knife acl remove containers data delete group clients
knife acl remove containers data create group clients

## Enable Chef Client C/U/D on new data bags

Follow these steps to enable Create/Update/Delete of data bags from chef client in
any organizations created on or after Nov 10, 2014.

### Using knife edit


knife edit /acls/containers/data.json

Under the section `update`, add `clients` to the `groups` list, then
save the file and close the editor.

If you have cookbooks that are creating or deleting data bags or data
you will also need to add `clients` to the `groups` list of both
`update` and `delete`.

Here is an example of an edited ACL document with Create, Update, and Delete
permissions enabled for clients. Note that this may differ for your organization
if you have previously customized ACLs:


{

"create": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
},

"read": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
},

"update": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
},

"delete": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
},

"grant": {
"actors": [ "pivotal" ],
"groups": [ "admins" ]
}
}

### Using knife-acl plugin


knife acl add containers data update group clients

If you have cookbooks that are creating or deleting data bags or data
bag items, you will also need to add ‘create’ and ‘delete’ permissions
respectively:


knife acl add containers data create group clients
knife acl add containers data delete group clients

### Using manage.opscode.com

At this time, manage.opscode.com only supports removing the ‘create’
and ‘read’ privileges. Because of this, the necessary controls to
enable/disable update and delete are not available.

## Enabling/disabling C/U/D access on existing data bags

The changes above will modify the default permissions applied to any new data bags.

If you wish to modify all existing data bags, the following bash snippet gives an example using the knife acl permission:

for bag in $(knife data bag list); do
echo "Updating permissons on $bag."

knife acl remove data $bag update group clients

knife acl remove data $bag delete group clients

knife acl remove data $bag create group clients

done

You can find the full gist here.

## Other Options

Note that Chef Server’s RBAC controls allow you more fine-grained
control than globally enabling/disabling these activities. For example
you could create a group `privileged-clients`, set that group up
with necessary CRUD access to the data container, and add those clients
who require this access to it.

In this way, you could support a default behavior of disallowing updates from clients,
while still permitting some clients access to do so. You can further extend this
to only permit updates to specific data bags.

## Chef Server Impacts

* This change will be made the default behavior beginning in Chef Server 12 RC6
* This behavior is the existing default in OSC 11.
* This behavior will not be changed at this time in Enterprise Chef 11.
* This behavior will not be changed in Private Chef 1.4