-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security concerns - bumping access from client to admin #263
Comments
Yes, that's a threat, although you can reasonably mitigate it by changing the ACLs on your data bags and data bag items to make clients read only |
Didn't know ACLs exist until now, would it be possible to integrate that process into chef vault refresh? |
Maybe using https://github.com/chef/knife-acl |
yes, conceivably. It's unlikely I have time to do that work though, but if you'd like to submit a PR I'd help you get it merged. |
A simpler possibility would be to document the need to think about acl when using chef-vault. Maybe in THEORY.md |
Hello,
Wouldn't a client / workstation be able to make itself an administrator by modifying to contents of the _keys databag item, and moving itself from the clients array to the admins array, keeping the rest intact?
into
The text was updated successfully, but these errors were encountered: