Affects Version/s: 0.10.4
Fix Version/s: None
I first filed CHEF-2747, but in the end it might be very related.
There must be a missing test before doing the checksum of a file. I don't think the file is being tested as a symlink.
(Haven't looked at the source yet, though.)
Anyway, here is the test. I first considered reporting this in private; in the end I'm not sure it's such a huge security issue.
on the node, before chef-client run:
after chef-client run:
BLA is unchanged; TEST's mode, owner and group are changed. Oh oh, looks like a symlink traversal issue!
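
The kind of check the report says is missing, as an added example (not Chef's code and not from the reporter): a hypothetical helper, `set_mode_nofollow`, inspects the path with `lstat` and changes the mode through a descriptor opened with `O_NOFOLLOW`, so a symlink at the managed path is refused and its target is left alone. The file names and the `demo` scenario are constructed.

```ruby
require "tmpdir"

# Hypothetical helper (not Chef's API): apply a mode to a managed path
# without ever following a symlink found at that path.
def set_mode_nofollow(path, mode)
  # lstat describes the link itself, so a symlink is caught before any change.
  st = File.lstat(path)
  return [:refused, "#{path} is a symlink to #{File.readlink(path)}"] if st.symlink?
  return [:refused, "#{path} is not a regular file"] unless st.file?

  # O_NOFOLLOW covers the window between the lstat and the open: if the path
  # is swapped for a symlink in between, open fails (ELOOP on Linux, EMLINK
  # on FreeBSD) instead of following it.
  File.open(path, File::RDONLY | File::NOFOLLOW) do |f|
    fst = f.stat
    # Confirm the descriptor refers to the inode that was inspected.
    unless fst.dev == st.dev && fst.ino == st.ino
      return [:refused, "#{path} changed during the check"]
    end
    f.chmod(mode) # fchmod on the descriptor, not chmod on the path
  end
  [:changed, format("%o", mode)]
rescue Errno::ELOOP, Errno::EMLINK
  [:refused, "#{path} became a symlink"]
end

# Constructed scenario: `link` is the managed path and points at `target`;
# `plain` is an ordinary managed file.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, "target")
    link   = File.join(dir, "link")
    plain  = File.join(dir, "plain")
    [target, plain].each { |p| File.write(p, "data"); File.chmod(0600, p) }
    File.symlink(target, link)

    {
      link:        set_mode_nofollow(link, 0644).first,
      target_mode: File.stat(target).mode & 0777,
      plain:       set_mode_nofollow(plain, 0644).first,
      plain_mode:  File.stat(plain).mode & 0777,
    }
  end
end
```

The same descriptor can be used for an ownership change (`f.chown`), which keeps mode, owner and group updates on the inode that was inspected.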