Cookbook version
1.1.0 (This is the version requirement of supermarket-omnibus-cookbook)
Chef-client version
13.8.5
Platform Details
AWS, CentOS 7
Scenario:
Need to be able to set ownership/permissions on configuration files.
For example, supermarket-omnibus-cookbook uses chef-ingredient to create /etc/supermarket/supermarket.json. This file lands with mode 0644, when it should be 0600.
Steps to Reproduce:
Use a wrapper cookbook to run supermarket-omnibus-cookbook (which depends on chef-ingredient), setting (for example) your Postgres server to something custom
Examine the ownership and permissions of /etc/supermarket/supermarket.json
Expected Result:
The file ownership/permissions should be settable when depending on chef-ingredient to write a configuration file.
Actual Result:
In the case of supermarket, the file lands with the ownership/permissions with which it was packed into the RPM. The file is mode 0644 and the owner is root:root, instead of 0600 and supermarket:supermarket as it should be.
This is an issue with chef-ingredient because there are no properties/parameters exposed that allow setting ownership/permissions.
This issue creates a security risk because supermarket.json contains credential information, and the file is world-readable.
Moved from chef-cookbooks/supermarket-omnibus-cookbook#61 as per @robbkidd
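An added audit check for the condition this issue describes (example code written for this page, not part of chef-ingredient or supermarket-omnibus-cookbook): it reports when a credential-bearing file is more permissive than 0600 or has an unexpected owner or group. The function names and the temp file standing in for /etc/supermarket/supermarket.json are assumptions.

```ruby
require 'etc'
require 'tempfile'

# Map a numeric uid/gid to a name; fall back to the number if unresolved.
def owner_name(uid)
  Etc.getpwuid(uid)&.name || uid.to_s
rescue ArgumentError
  uid.to_s
end

def group_name(gid)
  Etc.getgrgid(gid)&.name || gid.to_s
rescue ArgumentError
  gid.to_s
end

# Audit a credential-bearing file. Returns an array of findings (empty = OK).
# max_mode is the most permissive acceptable mode; owner/group are optional.
def audit_config(path, max_mode: 0o600, owner: nil, group: nil)
  st = File.stat(path)
  mode = st.mode & 0o7777
  findings = []
  unless (mode & ~max_mode).zero?
    findings << format('mode %04o grants more than %04o', mode, max_mode)
  end
  findings << 'world-readable' unless (mode & 0o004).zero?
  actual_owner = owner_name(st.uid)
  actual_group = group_name(st.gid)
  findings << "owner is #{actual_owner}, expected #{owner}" if owner && actual_owner != owner
  findings << "group is #{actual_group}, expected #{group}" if group && actual_group != group
  findings
end

# Constructed demo: a temp file stands in for /etc/supermarket/supermarket.json.
def demo
  Tempfile.create('supermarket.json') do |f|
    File.chmod(0o644, f.path)   # state reported in the issue
    before = audit_config(f.path)
    File.chmod(0o600, f.path)   # state the issue expects
    after = audit_config(f.path)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts "0644: #{before.inspect}"
  puts "0600: #{after.inspect}"
end
```

On a real host the call would be `audit_config('/etc/supermarket/supermarket.json', owner: 'supermarket', group: 'supermarket')`, run after each chef-client converge.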