From 1370c047469347f27e0033261c8deca49d98da08 Mon Sep 17 00:00:00 2001 From: Philip Garrett Date: Sat, 4 Jun 2016 19:38:40 -0400 Subject: [PATCH] Updated readme with security paragraph --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 965048d8..1cd86eed 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,22 @@ consul_service 'consul' do config_file config.path end ``` + +### Security +The default recipe makes the Consul configuration writable by the consul service user to avoid breaking existing implementations. You can make this more secure by setting the `node['consul']['config']` attribute to `root`, or set the `owner` property of `consul_config` explicitly: + +```ruby +# attributes file +default['consul']['config']['owner'] = 'root' +``` +or +```ruby +# recipe file +consul_config '/etc/consul/consul.json' do + owner 'root' +end +``` + ### Watches/Definitions In order to provide an idempotent implementation of Consul watches and definitions. We write these out as
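Review bot: In the added Security paragraph, the prose names the attribute as `node['consul']['config']`, but the attributes-file example right after it sets `default['consul']['config']['owner'] = 'root'`. The sentence should read `node['consul']['config']['owner']` so that the text and the example agree. As written, a reader following the prose alone would assign `root` to the whole config hash. Since the paragraph states that the default leaves the configuration writable by the consul service user, it would also help to say whether changing the owner to `root` requires any group or mode adjustment for the service to keep reading the file. Lastly, put a blank line on each side of the bare `or` between the two fenced blocks so Markdown renderers treat it as its own paragraph.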