author | Thom May <thom@may.lt> | 2017-05-25 14:12:07 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-05-25 14:12:07 -0500 |
commit | d62337c082f77f2803b689434ec55e5f7dcd1ec9 (patch) | |
tree | 3d7c10492b1686e5fa81f4e32a5fa7af4d40d7d4 | |
parent | daaeeb1a597c603e0f0c8bf8adb42e2e68ab241d (diff) | |
parent | ed418fe8d72d1a849569e6f4f41b6ea0a4b019f7 (diff) | |
Merge pull request #6177 from coderanger/no-listen
Use socketless local mode by default
-rw-r--r-- | RELEASE_NOTES.md | 19 | ||||
-rw-r--r-- | lib/chef/application/client.rb | 2 | ||||
-rw-r--r-- | lib/chef/application/knife.rb | 2 | ||||
-rw-r--r-- | lib/chef/deprecated.rb | 10 | ||||
-rw-r--r-- | lib/chef/local_mode.rb | 1 |
5 files changed, 31 insertions, 3 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 0bce39e83f..b8a134d9f3 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,23 @@
 _This file holds "in progress" release notes for the current release under development and is intended for consumption by the Chef Documentation team. Please see <https://docs.chef.io/release_notes.html> for the official Chef release notes._
 
-# Chef Client Release Notes 13.0-13.1:
+# Chef Client Release Notes
+
+# 13.2
+
+## Socketless local mode by default
+
+For security reasons we are switching Local Mode to use socketless connections
+by default. This prevents potential attacks where an unprivileged user or process
+connects to the internal Zero server for the converge and changes data.
+
+If you use Chef Provisioning with Local Mode, you may need to pass `--listen` to
+`chef-client`.
+
+# 13.1
+
+No new major features.
+
+# 13.0
 
 ## Rubygems provider sources behavior changed.
 
diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb
index c8dbd76019..3765821993 100644
--- a/lib/chef/application/client.rb
+++ b/lib/chef/application/client.rb
@@ -286,7 +286,7 @@ class Chef::Application::Client < Chef::Application
   option :listen,
     :long => "--[no-]listen",
     :description => "Whether a local mode (-z) server binds to a port",
-    :boolean => true
+    :boolean => false
 
   option :fips,
     :long => "--[no-]fips",
diff --git a/lib/chef/application/knife.rb b/lib/chef/application/knife.rb
index 521011348f..6a09427ccd 100644
--- a/lib/chef/application/knife.rb
+++ b/lib/chef/application/knife.rb
@@ -132,7 +132,7 @@ class Chef::Application::Knife < Chef::Application
   option :listen,
     :long => "--[no-]listen",
     :description => "Whether a local mode (-z) server binds to a port",
-    :boolean => true
+    :boolean => false
 
   option :version,
     :short => "-v",
diff --git a/lib/chef/deprecated.rb b/lib/chef/deprecated.rb
index 04ecfe5a6e..372609c10a 100644
--- a/lib/chef/deprecated.rb
+++ b/lib/chef/deprecated.rb
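Review bot: Flipping `:boolean => true` to `:boolean => false` on the `:listen` option looks like the wrong knob: `:long => "--[no-]listen"` declares an argument-less flag, and in mixlib-cli `:boolean` describes exactly that (the flag takes no value) rather than choosing the parsed default, so the line now contradicts the `--[no-]listen` form while, as far as I can tell, leaving the effective default to whatever `Chef::Config[:listen]` holds when the flag is absent. If the intent is that local mode is socketless unless `--listen` is passed, keep `:boolean => true` and put the default where it is read, in the `:listen` default of Chef::Config (not part of this diff) or as `:default => false` on the option. The knife.rb hunk below makes the identical change and needs the same treatment. The `Chef::Application::Client` class body continues outside the hunk.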
@@ -238,6 +238,16 @@ class Chef
       end
     end
 
+    class LocalListen < Base
+      def id
+        18
+      end
+
+      def target
+        "local_listen.html"
+      end
+    end
+
     # id 3694 was deleted
     class Generic < Base
diff --git a/lib/chef/local_mode.rb b/lib/chef/local_mode.rb
index 5ce17e6fb3..5630a54335 100644
--- a/lib/chef/local_mode.rb
+++ b/lib/chef/local_mode.rb
@@ -73,6 +73,7 @@ class Chef
         @chef_zero_server = ChefZero::Server.new(server_options)
 
         if Chef::Config[:listen]
+          Chef.deprecated(:local_listen, "Starting local-mode server in deprecated socket mode")
           @chef_zero_server.start_background
         else
           @chef_zero_server.start_socketless
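Review bot: Nothing in the new `LocalListen` class says what deprecation 18 covers; `id` and `target` alone do not tell a reader of this file where the warning is raised or why. A one-line comment above the class, e.g. `# Deprecation 18: local-mode (-z) server started in socket mode via --listen; raised from Chef::LocalMode`, would match the `# id 3694 was deleted` note that already annotates the neighbouring class. The enclosing `Chef::Deprecated` class starts and ends outside the hunk.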
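Review bot: The deprecation emitted on the added line when `Chef::Config[:listen]` is truthy says only "deprecated socket mode", so an operator reading it in a run log gets neither the reason nor the replacement. The commit's release notes name the risk (an unprivileged local user or process reaching the Zero server while it is bound to a port), and the message should carry that plus the way out, e.g. `Chef.deprecated(:local_listen, "Starting local-mode server in deprecated socket mode (--listen); the server is reachable by other local processes. Use socketless mode (the default, --no-listen) instead.")`. Note also that if `treat_deprecation_warnings_as_errors` is set, `Chef.deprecated` presumably raises here before `start_background`, so `--listen` users on that setting lose local mode outright; probably intended, but worth a sentence in the release notes. The enclosing method starts and ends outside the hunk.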