[3006.x] Update 3006 packaging to reduce permissions given to salt user for running salt-master

[barneysowood]

What does this PR do?

Updates Debian and RPM packages to improve isolation offered by running the salt-master processes under the salt user.

Implementation of running salt-master as a non-root user by default introduced in #64037, gives ownership of shared salt directories to the salt user to mitigate a number of issues with running the salt-master as a non-root user. This PR aims to reduce the scope of those permission grants to increase isolation of the salt-master processes running under the salt user - see #64193 for more detail.

What issues does this PR fix or reference?

Fixes: #64193

Previous Behavior

The salt user that the salt-master process runs as was able to:

• Write to /opt/saltstack/salt modifying the salt install, including python, shared libs and python modules used by both the salt master and other salt process (eg salt-api and salt-minion) which run as root, compromising the isolation offered by running the salt-master as a non-root user.
• Read and write configs in /etc/salt for other salt daemons (that run as root) compromising the isolation offered by running as a non-root user.
• Reading private data from /etc/salt/pki/minion and /var/cache/salt/minion again compromising isolation.

New Behavior

Debian and RPM packages will now:

• Keep ownership of /opt/saltstack/salt hierarchy as root:root to prevent modification by salt-master process
• Bytecompile python packages under /opt/saltstack/salt/lib/ on install so that performance isn't compromised and the bytecompiled modules are owned by root
• Clean up *.pyc files and __pycache__ dirs under /opt/saltstack/salt/lib on uninstall
• Under /etc/salt limit ownership to /etc/salt/pki/master and /etc/salt/master.d
• Under /var/cache/salt and /var/run/salt only give ownership on master directories
• Under /var/log/salt, ensure /var/log/salt/master exists and give ownership of that. Also update logrotate config to create that with correct ownership and perms and install that on debian packages.

This should ensure that a compromised salt-master process cannot:

• Modify the salt installation used by it or other salt-daemons
• Modify the config of other salt daemons or tools
• Read pki or other private data via the local filesystem for a salt-minion running on the same host

Merge requirements satisfied?

• Docs
• Changelog - https://docs.saltproject.io/en/master/topics/development/changelog.html
• Tests written/updated

Commits signed with GPG?

No

[dwoz]

This is going to be affected by #64174

[barneysowood]

As discussed in #64174, will wait for that to be merged then re-base this and integrate on top of those changes.
Also need to add some tests.

[barneysowood]

Note that issues in #64219 will affect this.