From 8497c407186e6735c710163e19e2e267cb7d6180 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Sat, 29 Apr 2023 16:57:43 +0100 Subject: [PATCH 01/23] Update packages for python modules owned by root Updates Debian and RPM packages so that /opt/saltstack/salt and the python packages don't have to be owned by salt user. It shouldn't be necessary for salt user, used to run salt-master to be able to write/modify files in that directory hierarchy. Add postinst scripts to call the python compileall module to create byte-compiled python modules. This should preserve performance whilst not requiring write access for salt user. Also cleans up .pyc files and __pycache__ dirs on removal. --- pkg/debian/salt-common.postinst | 4 ++++ pkg/debian/salt-common.prerm | 5 +++++ pkg/debian/salt-master.postinst | 2 +- pkg/rpm/salt.spec | 7 ++++++- 4 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 pkg/debian/salt-common.postinst create mode 100644 pkg/debian/salt-common.prerm diff --git a/pkg/debian/salt-common.postinst b/pkg/debian/salt-common.postinst new file mode 100644 index 000000000000..c5a8d969b450 --- /dev/null +++ b/pkg/debian/salt-common.postinst @@ -0,0 +1,4 @@ +#!/bin/sh +set -e + +/opt/saltstack/salt/bin/python3 -m compileall -qq /opt/saltstack/salt/lib diff --git a/pkg/debian/salt-common.prerm b/pkg/debian/salt-common.prerm new file mode 100644 index 000000000000..236c2bd3d12d --- /dev/null +++ b/pkg/debian/salt-common.prerm @@ -0,0 +1,5 @@ +#!/bin/sh +set -e + +dpkg -L salt-common | perl -ne 's,/([^/]*)\.py$,/__pycache__/\1.*, or next; unlink $_ or die $! foreach glob($_)' +find /opt/saltstack/salt -type d -name __pycache__ -empty -print0 | xargs --null --no-run-if-empty rmdir diff --git a/pkg/debian/salt-master.postinst b/pkg/debian/salt-master.postinst index 1c78ee734788..45a759c8bac8 100644 --- a/pkg/debian/salt-master.postinst +++ b/pkg/debian/salt-master.postinst 
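Review bot: In salt-common.postinst the `python3 -m compileall` call is fatal under `set -e` whenever a single file under /opt/saltstack/salt/lib fails to byte-compile (compileall exits 1 in that case), which would leave salt-common unconfigured; if one bad module is not meant to block installation, append `|| :` as the spec's openssl hmac line already does. The script also runs on every postinst invocation rather than only on `configure`, unlike salt-master.postinst, so wrapping the call in `case "$1" in configure) … esac` keeps the two consistent. A one-line comment such as `# byte-compile as root at install time: the salt user must not need write access to the code tree` would record why the caches are produced here instead of by the interpreter at first import. The prerm hunk follows the usual dh_python cleanup idiom and looks fine.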
@@ -1,6 +1,6 @@ case "$1" in configure) - chown -R salt:salt /etc/salt /var/log/salt /opt/saltstack/salt/ /var/cache/salt/ /var/run/salt + chown -R salt:salt /etc/salt /var/log/salt /var/cache/salt/ /var/run/salt if command -v systemctl; then systemctl enable salt-master; fi ;; esac diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index f3cae2816050..d157fd540a19 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -428,6 +428,7 @@ chown -R %{_SALT_USER}:%{_SALT_GROUP} %{_SALT_HOME} chmod u=rwx,g=rwx,o=rx %{_SALT_HOME} ln -s -f /opt/saltstack/salt/spm %{_bindir}/spm ln -s -f /opt/saltstack/salt/salt-pip %{_bindir}/salt-pip +/opt/saltstack/salt/bin/python3 -m compileall -qq /opt/saltstack/salt/lib %post cloud @@ -452,7 +453,7 @@ if [ $1 -lt 2 ]; then /bin/openssl sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP /opt/saltstack/salt/lib/libcrypto.so.1.1 | cut -d ' ' -f 1 > /opt/saltstack/salt/lib/.libcrypto.so.1.1.hmac || : fi fi -chown -R salt:salt /etc/salt /var/log/salt /opt/saltstack/salt/ /var/cache/salt/ /var/run/salt/ +chown -R salt:salt /etc/salt /var/log/salt /var/cache/salt/ /var/run/salt/ %post syndic %systemd_post salt-syndic.service @@ -480,6 +481,10 @@ ln -s -f /opt/saltstack/salt/salt-ssh %{_bindir}/salt-ssh %systemd_post salt-api.service ln -s -f /opt/saltstack/salt/salt-api %{_bindir}/salt-api +%preun +find /opt/saltstack/salt -type f -name \*\.pyc -print0 | xargs --null --no-run-if-empty rm +find /opt/saltstack/salt -type d -name __pycache__ -empty -print0 | xargs --null --no-run-if-empty rmdir + %postun master %systemd_postun_with_restart salt-master.service if [ $1 -eq 0 ]; then From 14a9496ed33b166c60bffc8d1c9432c196ec8bef Mon Sep 17 00:00:00 2001 
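Review bot: salt-master.postinst has no shebang or `set -e` visible (the hunk starts at file line 1 with `case "$1" in`), so a failed `chown -R` — for instance when one of the listed directories does not exist yet — is only reported on stderr, and because the trailing `if … systemctl …; fi` is the last command in the branch the script's exit status is that of the systemctl step, not of the chown; unless the build prepends a header, start the file with `#!/bin/sh` and `set -e` as the new salt-common.postinst does. salt-api.postinst in patch 07 and salt-master.preinst in patch 15 have the same shape. In the spec's @@ -428 hunk the new compileall line follows the still-present `chown -R %{_SALT_USER}:%{_SALT_GROUP} %{_SALT_HOME}` context line, so in this commit the RPM code tree remains salt-owned despite what the message says; that chown is only dropped in patch 02.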
From: Barney Sowood Date: Sat, 29 Apr 2023 20:07:40 +0100 Subject: [PATCH 02/23] Reduce perms for salt user on other salt dirs Reduces the permissions granted to the salt user used to run the salt-master: * Under /etc/salt limit ownership to /etc/salt/pki/master and /etc/salt/master.d * Until #64219 is resolved also include /etc/salt/minion.d * Under /var/cache/salt and /var/run/salt only give ownership on master directories * Under /var/log/salt, ensure /var/log/salt/master exists and give ownership of that. Also update logrotate config to create that with correct ownership and perms and install that on debian packages. --- pkg/common/salt-common.logrotate | 1 + pkg/debian/salt-common.install | 1 + pkg/debian/salt-common.preinst | 6 ------ pkg/debian/salt-master.dirs | 1 + pkg/debian/salt-master.postinst | 6 +++++- pkg/rpm/salt.spec | 17 ++++++++++------- 6 files changed, 18 insertions(+), 14 deletions(-) diff --git a/pkg/common/salt-common.logrotate b/pkg/common/salt-common.logrotate index a0306ff37024..8d0839344c45 100644 --- a/pkg/common/salt-common.logrotate +++ b/pkg/common/salt-common.logrotate @@ -4,6 +4,7 @@ rotate 7 compress notifempty + create 0640 salt salt } /var/log/salt/minion { diff --git a/pkg/debian/salt-common.install b/pkg/debian/salt-common.install index 7e88a78ee3ad..0671a987c207 100644 --- a/pkg/debian/salt-common.install +++ b/pkg/debian/salt-common.install @@ -1,5 +1,6 @@ conf/roster /etc/salt conf/cloud /etc/salt +pkg/common/salt-common.logrotate /etc/logrotate.d/salt pkg/common/fish-completions/salt-cp.fish /usr/share/fish/vendor_completions.d pkg/common/fish-completions/salt-call.fish /usr/share/fish/vendor_completions.d pkg/common/fish-completions/salt-syndic.fish /usr/share/fish/vendor_completions.d diff --git a/pkg/debian/salt-common.preinst b/pkg/debian/salt-common.preinst index 4c2b576cc98c..0e4ce9c59f7f 100644 --- a/pkg/debian/salt-common.preinst +++ b/pkg/debian/salt-common.preinst 
@@ -31,11 +31,5 @@ case "$1" in -s $SALT_SHELL \ -g $SALT_GROUP \ $SALT_USER - # 5. adjust file and directory permissions - if ! dpkg-statoverride --list $SALT_HOME >/dev/null - then - chown -R $SALT_USER:$SALT_GROUP $SALT_HOME - chmod u=rwx,g=rwx,o=rx $SALT_HOME - fi ;; esac diff --git a/pkg/debian/salt-master.dirs b/pkg/debian/salt-master.dirs index cffed208e63a..542db04259fb 100644 --- a/pkg/debian/salt-master.dirs +++ b/pkg/debian/salt-master.dirs @@ -13,3 +13,4 @@ /var/cache/salt/master/roots /var/cache/salt/master/syndics /var/cache/salt/master/tokens +/var/run/salt/master diff --git a/pkg/debian/salt-master.postinst b/pkg/debian/salt-master.postinst index 45a759c8bac8..45312283a051 100644 --- a/pkg/debian/salt-master.postinst +++ b/pkg/debian/salt-master.postinst @@ -1,6 +1,10 @@ case "$1" in configure) - chown -R salt:salt /etc/salt /var/log/salt /var/cache/salt/ /var/run/salt + if [ ! -e "/var/log/salt/master" ]; then + touch /var/log/salt/master + chmod 640 /var/log/salt/master + fi + chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /etc/salt/minion.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master if command -v systemctl; then systemctl enable salt-master; fi ;; esac diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index d157fd540a19..b557447b239a 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -406,8 +406,6 @@ usermod -c "%{_SALT_NAME}" \ -d %{_SALT_HOME} \ -g %{_SALT_GROUP} \ %{_SALT_USER} -# 5. adjust file and directory permissions -chown -R %{_SALT_USER}:%{_SALT_GROUP} %{_SALT_HOME} # assumes systemd for RHEL 7 & 8 & 9 %preun master 
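Review bot: In salt-master.postinst the log file is created by `touch` and narrowed by `chmod 640` afterwards, so for a moment it exists root-owned with the umask default (commonly 0644); creating it under a restrictive umask, `( umask 027; touch /var/log/salt/master )`, closes that window before the chown runs. The same touch-then-chmod sequence appears in the spec's `%post cloud` and `%post master` on the next line, in the `%posttrans` blocks of patches 06 and 07, in salt-api.postinst, and for /var/log/salt/key in patch 10. The `chown -R` line also takes in `/etc/salt/minion.d`, which the commit message calls a stop-gap; a comment on that line, `# /etc/salt/minion.d is temporary until #64219`, keeps the reason next to the code.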
@@ -424,16 +422,17 @@ chown -R %{_SALT_USER}:%{_SALT_GROUP} %{_SALT_HOME} %post -chown -R %{_SALT_USER}:%{_SALT_GROUP} %{_SALT_HOME} -chmod u=rwx,g=rwx,o=rx %{_SALT_HOME} ln -s -f /opt/saltstack/salt/spm %{_bindir}/spm ln -s -f /opt/saltstack/salt/salt-pip %{_bindir}/salt-pip /opt/saltstack/salt/bin/python3 -m compileall -qq /opt/saltstack/salt/lib %post cloud -chown -R salt:salt /etc/salt/cloud.deploy.d -chown -R salt:salt /opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy +if [ ! -e "/var/log/salt/cloud" ]; then + touch /var/log/salt/cloud + chmod 640 /var/log/salt/cloud +fi +chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy ln -s -f /opt/saltstack/salt/salt-cloud %{_bindir}/salt-cloud @@ -453,7 +452,11 @@ if [ $1 -lt 2 ]; then /bin/openssl sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP /opt/saltstack/salt/lib/libcrypto.so.1.1 | cut -d ' ' -f 1 > /opt/saltstack/salt/lib/.libcrypto.so.1.1.hmac || : fi fi -chown -R salt:salt /etc/salt /var/log/salt /var/cache/salt/ /var/run/salt/ +if [ ! -e "/var/log/salt/master" ]; then + touch /var/log/salt/master + chmod 640 /var/log/salt/master +fi +chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master %post syndic %systemd_post salt-syndic.service From a3ac1f58ff9e3ece1a75cb16f418d0b43d61cd35 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Mon, 15 May 2023 12:37:36 +0100 Subject: [PATCH 03/23] Update files to verify in pkg tests Updates lists of files to check in package tests when starting master. We now set the following as owned by salt:salt in master postinst * /etc/salt/pki/master * /etc/salt/master.d * /var/log/salt/master * /var/cache/salt/master * /var/run/salt/master --- pkg/tests/conftest.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
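Review bot: `%post cloud` hard-codes `/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy`; when the bundled interpreter moves to another minor version the `chown -R` targets a path that no longer exists, rpm reports the scriptlet failure without aborting the install, and the deploy directory silently stays root-owned. Resolving the version from the bundled interpreter (as patch 15 later does with `PY_VER=$(/opt/saltstack/salt/bin/python3 -c …)`) or using `%{_SALT_HOME}/lib/python3.*/site-packages/salt/cloud/deploy` avoids that; the test fixture in patch 08 pins the same literal. After this commit that directory is presumably the only salt-writable location left inside the code tree, so a comment on the chown line, `# salt-cloud deploy dir: the one salt-writable path under %{_SALT_HOME}`, would stop a later cleanup from removing or widening the exception.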
diff --git a/pkg/tests/conftest.py b/pkg/tests/conftest.py index b7d908f32d58..ff33a7d3da0d 100644 --- a/pkg/tests/conftest.py +++ b/pkg/tests/conftest.py @@ -352,11 +352,13 @@ def salt_master(salt_factories, install_salt, state_tree, pillar_tree): config_overrides["api_pidfile"] = salt.config.DEFAULT_API_OPTS.get( "api_pidfile" ) - # verify files where set with correct owner/group + # verify files were set with correct owner/group verify_files = [ - pathlib.Path("/var", "log", "salt"), - pathlib.Path("/etc", "salt", "master"), + pathlib.Path("/var", "log", "salt", "master"), + pathlib.Path("/etc", "salt", "pki", "master"), + pathlib.Path("/etc", "salt", "master.d"), pathlib.Path("/var", "cache", "salt", "master"), + pathlib.Path("/var", "run", "salt", "master"), ] for _file in verify_files: assert _file.owner() == "salt" From ff772325fc15d1df3aa34f2bfcfbf6680b13589e Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Sat, 20 May 2023 09:25:38 +0100 Subject: [PATCH 04/23] Create /var/run/salt/master Creates /var/run/salt/master directory - if we don't create that specifically the postinst script will fail --- pkg/rpm/salt.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index b557447b239a..bb5feca24c81 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -194,6 +194,7 @@ cp -R $RPM_BUILD_DIR/build/salt %{buildroot}/opt/saltstack/ # Add some directories install -d -m 0755 %{buildroot}%{_var}/log/salt install -d -m 0755 %{buildroot}%{_var}/run/salt +install -d -m 0755 %{buildroot}%{_var}/run/salt/master install -d -m 0755 %{buildroot}%{_var}/cache/salt install -Dd -m 0750 %{buildroot}%{_var}/cache/salt/master install -Dd -m 0750 %{buildroot}%{_var}/cache/salt/minion 
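Review bot: `install -d … %{_var}/run/salt/master` packages a directory under /var/run, and the matching `%dir %attr(0750, salt, salt)` entry in the next hunk gives it salt:salt ownership; on systemd hosts /run is a tmpfs, so the directory and its ownership exist only until the first reboot, and `rpm -V` will then report it missing. Unless the salt-master unit already recreates its sock_dir (a `RuntimeDirectory=` setting or a tmpfiles.d entry — not visible here), add one rather than relying on the packaged directory; the Debian `salt-master.dirs` entry from patch 02 has the same property. The conftest hunk only updates the verified path list.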
@@ -328,6 +329,7 @@ rm -rf %{buildroot} %dir %attr(0750, salt, salt) %{_sysconfdir}/salt/pki/master/minions_denied/ %dir %attr(0750, salt, salt) %{_sysconfdir}/salt/pki/master/minions_pre/ %dir %attr(0750, salt, salt) %{_sysconfdir}/salt/pki/master/minions_rejected/ +%dir %attr(0750, salt, salt) %{_var}/run/salt/master/ %dir %attr(0750, salt, salt) %{_var}/cache/salt/master/ %dir %attr(0750, salt, salt) %{_var}/cache/salt/master/jobs/ %dir %attr(0750, salt, salt) %{_var}/cache/salt/master/proc/ From 33e283aa5a81ae27f7f32b82734bac4d9e7e3633 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Thu, 25 May 2023 00:37:01 +0100 Subject: [PATCH 05/23] Correct docstrings for salt user test_salt_user Corrects docstrings for salt user tests - they were all the same. --- pkg/tests/integration/test_salt_user.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py index 8b6b0dcd42c8..b606842e05bc 100644 --- a/pkg/tests/integration/test_salt_user.py +++ b/pkg/tests/integration/test_salt_user.py @@ -27,7 +27,7 @@ def test_salt_user_master(salt_master, install_salt): def test_salt_user_home(install_salt): """ - Test the correct user is running the Salt Master + Test the salt user's home is /opt/saltstack/salt """ proc = subprocess.run( ["getent", "passwd", "salt"], check=False, capture_output=True @@ -43,7 +43,7 @@ def test_salt_user_home(install_salt): def test_salt_user_group(install_salt): """ - Test the salt user is the salt group + Test the salt user is in the salt group """ proc = subprocess.run(["id", "salt"], check=False, capture_output=True) assert proc.returncode == 0 @@ -77,7 +77,7 @@ def test_salt_user_shell(install_salt): def test_salt_cloud_dirs(install_salt): """ - Test the correct user is running the Salt Master + Test salt-cloud directories are owned by salt:salt """ paths = [ "/opt/saltstack/salt/lib/python{}.{}/site-packages/salt/cloud/deploy".format( 
From 2b0e04f0f50ae03d09c33d0c21b064a5f7ceba6d Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Fri, 26 May 2023 21:59:20 +0100 Subject: [PATCH 06/23] Move log creation and chown to posttrans Moves log creation for /var/log/salt/master and /var/log/salt/cloud and setting ownership to salt:salt to the %posttrans scriptlets. Whilst using %post works fine for fresh installs, upgrading means that the previous package %postun removes those files. Using %posttrans ensures the logs are created at the end of the full install/upgrade transaction. --- pkg/rpm/salt.spec | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index bb5feca24c81..c7b750563579 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -430,11 +430,6 @@ ln -s -f /opt/saltstack/salt/salt-pip %{_bindir}/salt-pip %post cloud -if [ ! -e "/var/log/salt/cloud" ]; then - touch /var/log/salt/cloud - chmod 640 /var/log/salt/cloud -fi -chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy ln -s -f /opt/saltstack/salt/salt-cloud %{_bindir}/salt-cloud @@ -454,11 +449,6 @@ if [ $1 -lt 2 ]; then /bin/openssl sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP /opt/saltstack/salt/lib/libcrypto.so.1.1 | cut -d ' ' -f 1 > /opt/saltstack/salt/lib/.libcrypto.so.1.1.hmac || : fi fi -if [ ! -e "/var/log/salt/master" ]; then - touch /var/log/salt/master - chmod 640 /var/log/salt/master -fi -chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master %post syndic %systemd_post salt-syndic.service 
@@ -486,9 +476,29 @@ ln -s -f /opt/saltstack/salt/salt-ssh %{_bindir}/salt-ssh %systemd_post salt-api.service ln -s -f /opt/saltstack/salt/salt-api %{_bindir}/salt-api + +%posttrans cloud +if [ ! -e "/var/log/salt/cloud" ]; then + touch /var/log/salt/cloud + chmod 640 /var/log/salt/cloud +fi +chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy + + +%posttrans master +if [ ! -e "/var/log/salt/master" ]; then + touch /var/log/salt/master + chmod 640 /var/log/salt/master +fi +chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master + + %preun -find /opt/saltstack/salt -type f -name \*\.pyc -print0 | xargs --null --no-run-if-empty rm -find /opt/saltstack/salt -type d -name __pycache__ -empty -print0 | xargs --null --no-run-if-empty rmdir +if [ $1 -eq 0 ]; then + # Uninstall + find /opt/saltstack/salt -type f -name \*\.pyc -print0 | xargs --null --no-run-if-empty rm + find /opt/saltstack/salt -type d -name __pycache__ -empty -print0 | xargs --null --no-run-if-empty rmdir +fi %postun master %systemd_postun_with_restart salt-master.service From 8f1ee1ab2b42b4e7529eb390afeb1f2b538c68d7 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Sat, 27 May 2023 12:06:02 +0100 Subject: [PATCH 07/23] Create empty log for salt-api Creates empty log for salt-api owned by salt user in same way we do for the master and salt-cloud --- pkg/common/salt-common.logrotate | 1 + pkg/debian/salt-api.postinst | 9 +++++++++ pkg/rpm/salt.spec | 8 ++++++++ 3 files changed, 18 insertions(+) create mode 100644 pkg/debian/salt-api.postinst diff --git a/pkg/common/salt-common.logrotate b/pkg/common/salt-common.logrotate index 8d0839344c45..1248599390a2 100644 --- a/pkg/common/salt-common.logrotate +++ b/pkg/common/salt-common.logrotate 
@@ -29,6 +29,7 @@ rotate 7 compress notifempty + create 0640 salt salt } /var/log/salt/syndic { diff --git a/pkg/debian/salt-api.postinst b/pkg/debian/salt-api.postinst new file mode 100644 index 000000000000..4b284d5d7c82 --- /dev/null +++ b/pkg/debian/salt-api.postinst @@ -0,0 +1,9 @@ +case "$1" in + configure) + if [ ! -e "/var/log/salt/api" ]; then + touch /var/log/salt/api + chmod 640 /var/log/salt/api + fi + chown salt:salt /var/log/salt/api + ;; +esac diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index c7b750563579..f92f86523e6a 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -493,6 +493,14 @@ fi chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master +%posttrans api +if [ ! -e "/var/log/salt/api" ]; then + touch /var/log/salt/api + chmod 640 /var/log/salt/api +fi +chown %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api + + %preun if [ $1 -eq 0 ]; then # Uninstall From 3d88f61649e215504326b604f8f3235427cdd4f7 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Sat, 27 May 2023 12:12:05 +0100 Subject: [PATCH 08/23] Add tests for package directory and file ownership Adds test that checks that files and directories created by the packages that should be owned by salt:salt are owned by that user and that the other files/directories created are owned by root:root. --- pkg/tests/integration/test_salt_user.py | 80 +++++++++++++++++++++++-- 1 file changed, 76 insertions(+), 4 deletions(-) diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py index b606842e05bc..c200805810ea 100644 --- a/pkg/tests/integration/test_salt_user.py +++ b/pkg/tests/integration/test_salt_user.py @@ -1,3 +1,4 @@ +import os import pathlib import subprocess import sys 
@@ -13,6 +14,41 @@ ] +@pytest.fixture +def pkg_paths(): + """ + Paths created by package installs + """ + paths = [ + "/etc/salt", + "/var/cache/salt", + "/var/log/salt", + "/var/run/salt", + "/opt/saltstack/salt", + ] + return paths + + +@pytest.fixture +def pkg_paths_salt_user(): + """ + Paths created by package installs and owned by salt user + """ + paths = [ + "/etc/salt/cloud.deploy.d", + "/var/log/salt/cloud", + "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy", + "/etc/salt/pki/master", + "/etc/salt/master.d", + "/etc/salt/minion.d", + "/var/log/salt/master", + "/var/log/salt/api", + "/var/cache/salt/master", + "/var/run/salt/master", + ] + return paths + + def test_salt_user_master(salt_master, install_salt): """ Test the correct user is running the Salt Master @@ -77,12 +113,12 @@ def test_salt_user_shell(install_salt): def test_salt_cloud_dirs(install_salt): """ - Test salt-cloud directories are owned by salt:salt + Test the correct user is running the Salt Master """ + if platform.is_windows() or platform.is_darwin(): + pytest.skip("Package does not have user set. Not testing user") paths = [ - "/opt/saltstack/salt/lib/python{}.{}/site-packages/salt/cloud/deploy".format( - *sys.version_info - ), + "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy", "/etc/salt/cloud.deploy.d", ] for name in paths: 
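Review bot: The test_salt_cloud_dirs hunk replaces the docstring `Test salt-cloud directories are owned by salt:salt` with `Test the correct user is running the Salt Master`, which is the copy-paste docstring that patch 05 had just corrected; keep the removed text. `platform.is_windows()` is used but `platform` is not among the imports this commit adds (only `os`), so presumably it is already imported at the top of the file — worth confirming. The fixture and the rewritten paths list pin `python3.10` where the removed code derived the version from `sys.version_info`; if that is deliberate because the tests run under a different interpreter than the bundled one, a comment such as `# version of the bundled interpreter, not the one running the tests` explains it, and `sys` may now be unused in this file.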
@@ -90,3 +126,39 @@ def test_salt_cloud_dirs(install_salt): assert path.exists() assert path.owner() == "salt" assert path.group() == "salt" + + +def test_pkg_paths(install_salt, pkg_paths, pkg_paths_salt_user): + """ + Test package paths ownership + """ + salt_user_subdirs = [] + for _path in pkg_paths: + pkg_path = pathlib.Path(_path) + assert pkg_path.exists() + for dirpath, sub_dirs, files in os.walk(pkg_path): + path = pathlib.Path(dirpath) + # Directories owned by salt:salt or their subdirs/files + if str(path) in pkg_paths_salt_user or str(path) in salt_user_subdirs: + assert path.owner() == "salt" + assert path.group() == "salt" + salt_user_subdirs.extend( + [str(path.joinpath(sub_dir)) for sub_dir in sub_dirs] + ) + for file in files: + file_path = path.joinpath(file) + assert file_path.owner() == "salt" + assert file_path.group() == "salt" + # Directories owned by root:root + else: + assert path.owner() == "root" + assert path.group() == "root" + for file in files: + file_path = path.joinpath(file) + # Individual files owned by salt:salt + if str(file_path) in pkg_paths_salt_user: + assert file_path.owner() == "salt" + assert file_path.group() == "salt" + else: + assert file_path.owner() == "root" + assert file_path.group() == "root" From d2fcd3d6380410fb79dd95e10434a88d9f4bdfb3 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Sat, 27 May 2023 15:04:55 +0100 Subject: [PATCH 09/23] Remove group test for files Removes group test for ownership on files by the salt user. Files that are created by the salt-master process can be owned by salt:root, rather than salt:salt and that's valid --- pkg/tests/integration/test_salt_user.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py index c200805810ea..f29a7342be43 100644 --- a/pkg/tests/integration/test_salt_user.py +++ b/pkg/tests/integration/test_salt_user.py 
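Review bot: test_pkg_paths checks owner and group only, which does not by itself establish the property the series is after — that the salt user cannot modify the root-owned tree; a root:root file with an other-writable mode bit would pass. In the `else` branch add `assert not path.stat().st_mode & 0o002, path` for the directory and `assert not file_path.stat().st_mode & 0o002, file_path` for the files not listed in pkg_paths_salt_user. Style: `salt_user_subdirs` is searched with `in` for every directory walked, so a `set` with `.update(...)` fits better than a list with `.extend(...)`, and `path / file` reads better than `path.joinpath(file)`.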
@@ -145,20 +145,19 @@ def test_pkg_paths(install_salt, pkg_paths, pkg_paths_salt_user): salt_user_subdirs.extend( [str(path.joinpath(sub_dir)) for sub_dir in sub_dirs] ) + # Individual files owned by salt user for file in files: file_path = path.joinpath(file) assert file_path.owner() == "salt" - assert file_path.group() == "salt" # Directories owned by root:root else: assert path.owner() == "root" assert path.group() == "root" for file in files: file_path = path.joinpath(file) - # Individual files owned by salt:salt + # Individual files owned by salt user if str(file_path) in pkg_paths_salt_user: assert file_path.owner() == "salt" - assert file_path.group() == "salt" else: assert file_path.owner() == "root" assert file_path.group() == "root" From 0c0b3decb21d49b7dc89d1bbcb4369405ae5f47c Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Sat, 24 Jun 2023 00:14:29 +0100 Subject: [PATCH 10/23] Handle creation of /var/log/salt/key --- pkg/common/salt-common.logrotate | 1 + pkg/debian/salt-master.postinst | 6 +++++- pkg/rpm/salt.spec | 6 +++++- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkg/common/salt-common.logrotate b/pkg/common/salt-common.logrotate index 1248599390a2..1bc063ebfdb9 100644 --- a/pkg/common/salt-common.logrotate +++ b/pkg/common/salt-common.logrotate @@ -21,6 +21,7 @@ rotate 7 compress notifempty + create 0640 salt salt } /var/log/salt/api { diff --git a/pkg/debian/salt-master.postinst b/pkg/debian/salt-master.postinst index 45312283a051..bc4c825a872f 100644 --- a/pkg/debian/salt-master.postinst +++ b/pkg/debian/salt-master.postinst 
@@ -4,7 +4,11 @@ case "$1" in touch /var/log/salt/master chmod 640 /var/log/salt/master fi - chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /etc/salt/minion.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master + if [ ! -e "/var/log/salt/key" ]; then + touch /var/log/salt/key + chmod 640 /var/log/salt/key + fi + chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /etc/salt/minion.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master if command -v systemctl; then systemctl enable salt-master; fi ;; esac diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index f92f86523e6a..18cba6a48e48 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -490,7 +490,11 @@ if [ ! -e "/var/log/salt/master" ]; then touch /var/log/salt/master chmod 640 /var/log/salt/master fi -chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/cache/salt/master /var/run/salt/master +if [ ! -e "/var/log/salt/key" ]; then + touch /var/log/salt/key + chmod 640 /var/log/salt/key +fi +chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master %posttrans api From 51ccd206ca1d72368749e1adc7533433a60bcdb6 Mon Sep 17 00:00:00 2001 
From: Barney Sowood Date: Sat, 24 Jun 2023 00:17:18 +0100 Subject: [PATCH 11/23] Handle pytest-salt-factories permission changes Handles permission changes caused by test suite running as root and the creation of /var/cache/salt/master/.root_key. Running the test suite as root means that /etc/salt/pki/master subdirs get their ownership changed to root - clean that up in conftest.py. No longer need to fix /var/log/salt as we handle the files in there individually. Adds exclusion for /var/cache/salt/master/.root_key as that gets created by salt* cli tools running as root. --- pkg/tests/conftest.py | 11 +++++++++-- pkg/tests/integration/test_salt_user.py | 23 ++++++++++++++++++++--- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/pkg/tests/conftest.py b/pkg/tests/conftest.py index ff33a7d3da0d..d19148b1cf23 100644 --- a/pkg/tests/conftest.py +++ b/pkg/tests/conftest.py @@ -412,10 +412,17 @@ def salt_master(salt_factories, install_salt, state_tree, pillar_tree): factory.after_terminate(pytest.helpers.remove_stale_master_key, factory) if test_user: # Salt factories calls salt.utils.verify.verify_env - # which sets root perms on /var/log/salt since we are running + # which sets root perms on /etc/salt/pki/master since we are running # the test suite as root, but we want to run Salt master as salt # We ensure those permissions where set by the package earlier - shutil.chown(pathlib.Path("/var", "log", "salt"), "salt", "salt") + subprocess.run( + [ + "chown", + "-R", + "salt:salt", + str(pathlib.Path("/etc", "salt", "pki", "master")), + ] + ) # The engines_dirs is created in .nox path. We need to set correct perms # for the user running the Salt Master subprocess.run(["chown", "-R", "salt:salt", str(CODE_DIR.parent / ".nox")]) diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py index f29a7342be43..a18dff7cfe8d 100644 --- a/pkg/tests/integration/test_salt_user.py +++ b/pkg/tests/integration/test_salt_user.py 
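Review bot: The new `subprocess.run(["chown", "-R", "salt:salt", …])` has no `check=True`, so a failing chown (missing directory, not running as root) is ignored and the fixture carries on, leaving the failure to surface later as an unrelated ownership assertion; pass `check=True` (the `.nox` chown on the following context line has the same omission). The updated comment is accurate, but it could also say why a subprocess replaced `shutil.chown` — that `shutil.chown` acts on a single path and is not recursive. The enclosing `salt_master` fixture starts outside the hunk.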
@@ -43,12 +43,24 @@ def pkg_paths_salt_user(): "/etc/salt/minion.d", "/var/log/salt/master", "/var/log/salt/api", + "/var/log/salt/key", "/var/cache/salt/master", "/var/run/salt/master", ] return paths +@pytest.fixture +def pkg_paths_salt_user_exclusions(): + """ + Exclusions from paths created by package installs and owned by salt user + """ + paths = [ + "/var/cache/salt/master/.root_key" # written by salt, salt-run and salt-key as root + ] + return paths + + def test_salt_user_master(salt_master, install_salt): """ Test the correct user is running the Salt Master @@ -128,7 +140,9 @@ def test_salt_cloud_dirs(install_salt): assert path.group() == "salt" -def test_pkg_paths(install_salt, pkg_paths, pkg_paths_salt_user): +def test_pkg_paths( + install_salt, pkg_paths, pkg_paths_salt_user, pkg_paths_salt_user_exclusions +): """ Test package paths ownership """ @@ -139,7 +153,9 @@ def test_pkg_paths(install_salt, pkg_paths, pkg_paths_salt_user): for dirpath, sub_dirs, files in os.walk(pkg_path): path = pathlib.Path(dirpath) # Directories owned by salt:salt or their subdirs/files - if str(path) in pkg_paths_salt_user or str(path) in salt_user_subdirs: + if ( + str(path) in pkg_paths_salt_user or str(path) in salt_user_subdirs + ) and str(path) not in pkg_paths_salt_user_exclusions: assert path.owner() == "salt" assert path.group() == "salt" salt_user_subdirs.extend( @@ -148,7 +164,8 @@ def test_pkg_paths(install_salt, pkg_paths, pkg_paths_salt_user): # Individual files owned by salt user for file in files: file_path = path.joinpath(file) - assert file_path.owner() == "salt" + if str(file_path) not in pkg_paths_salt_user_exclusions: + assert file_path.owner() == "salt" # Directories owned by root:root else: assert path.owner() == "root" From a9c142a9c3dcb1b39ff36a7e579555c43cafd613 Mon Sep 17 00:00:00 2001 
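Review bot: Adding `/var/cache/salt/master/.root_key` to `pkg_paths_salt_user_exclusions` means no assertion at all is made about that file, although the comment says the salt, salt-run and salt-key tools write it as root; if that is the case, assert the expected state instead of skipping it, e.g. `assert file_path.owner() == "root"` in an `else` of the new `if`, so a regression that leaves it owned by another user is still caught. The exclusion check is also applied in the directory branch (`str(path) not in pkg_paths_salt_user_exclusions`), where a file path can never match, so that half of the condition can go. Style: the single-element list lacks the trailing comma black would emit after the string.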
From: Barney Sowood Date: Sat, 24 Jun 2023 10:11:01 +0100 Subject: [PATCH 12/23] Ensure salt-api service is enabled Ensure salt-api service is enabled now we've added a postinst script --- pkg/debian/salt-api.postinst | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/debian/salt-api.postinst b/pkg/debian/salt-api.postinst index 4b284d5d7c82..9345d72bf2aa 100644 --- a/pkg/debian/salt-api.postinst +++ b/pkg/debian/salt-api.postinst @@ -5,5 +5,6 @@ case "$1" in chmod 640 /var/log/salt/api fi chown salt:salt /var/log/salt/api + if command -v systemctl; then systemctl enable salt-api; fi ;; esac From 2c30824abaac09242a9d79bcac8dd9e2f06908b9 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Mon, 7 Aug 2023 12:23:57 +0100 Subject: [PATCH 13/23] Removing check on /etc/salt/minion.d Removes check on /etc/salt/minion.d - it's causing issues in CI that I can't reproduce locally and we'll deal with it in #64235 anyway. --- pkg/tests/integration/test_salt_user.py | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py index a18dff7cfe8d..ac3d5df7d729 100644 --- a/pkg/tests/integration/test_salt_user.py +++ b/pkg/tests/integration/test_salt_user.py @@ -40,7 +40,6 @@ def pkg_paths_salt_user(): "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy", "/etc/salt/pki/master", "/etc/salt/master.d", - "/etc/salt/minion.d", "/var/log/salt/master", "/var/log/salt/api", "/var/log/salt/key", From d362fdc7c329d6224ee2abb30c7ee8665e890d7a Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Mon, 7 Aug 2023 19:48:12 +0100 Subject: [PATCH 14/23] Remove some perms checks in conftest.py Remove checks for perms on /var/log/salt/master and /var/run/salt/master in the salt_master fixture as they may not exist during an upgrade test and it's not critical to test them in the fixture. --- pkg/tests/conftest.py | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/pkg/tests/conftest.py b/pkg/tests/conftest.py index d19148b1cf23..257f4615fb32 100644 --- a/pkg/tests/conftest.py +++ b/pkg/tests/conftest.py @@ -354,11 +354,9 @@ def salt_master(salt_factories, install_salt, state_tree, pillar_tree): ) # verify files were set with correct owner/group verify_files = [ - pathlib.Path("/var", "log", "salt", "master"), pathlib.Path("/etc", "salt", "pki", "master"), pathlib.Path("/etc", "salt", "master.d"), pathlib.Path("/var", "cache", "salt", "master"), - pathlib.Path("/var", "run", "salt", "master"), ] for _file in verify_files: assert _file.owner() == "salt" From 3630b287f88de958c039f4b6eb109e844be77e92 Mon Sep 17 00:00:00 2001 From: Barney Sowood Date: Tue, 8 Aug 2023 16:56:12 +0100 Subject: [PATCH 15/23] Add support for fixing old pkg perms Adds support for fixing old package (3006.0/3006.1) perms that used the salt user too widely. Without doing this, tests don't pass for upgrades. --- pkg/debian/salt-master.preinst | 14 ++++++++++++++ pkg/rpm/salt.spec | 8 ++++++++ 2 files changed, 22 insertions(+) create mode 100644 pkg/debian/salt-master.preinst diff --git a/pkg/debian/salt-master.preinst b/pkg/debian/salt-master.preinst new file mode 100644 index 000000000000..f1e1e7edc71b --- /dev/null +++ b/pkg/debian/salt-master.preinst 
@@ -0,0 +1,14 @@
+case "$1" in
+ install|upgrade)
+ [ -z "$SALT_HOME" ] && SALT_HOME=/opt/saltstack/salt
+ [ -z "$SALT_USER" ] && SALT_USER=salt
+ [ -z "$SALT_NAME" ] && SALT_NAME="Salt"
+ [ -z "$SALT_GROUP" ] && SALT_GROUP=salt
+ PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+
+ # Reset permissions to fix previous installs
+ find ${SALT_HOME} /etc/salt /var/log/salt /var/cache/salt /var/run/salt \
+ \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
+ \( -user ${SALT_USER} -o -group ${SALT_GROUP} \) -exec chown root:root \{\} \;
+ ;;
+esac
diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec
index 18cba6a48e48..5d63d4907743 100644
--- a/pkg/rpm/salt.spec
+++ b/pkg/rpm/salt.spec
@@ -409,6 +409,14 @@ usermod -c "%{_SALT_NAME}" \
 -g %{_SALT_GROUP} \
 %{_SALT_USER}
+%pre master
+# Reset permissions to fix previous installs
+PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
+ \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
+ \( -user salt -o -group salt \) -exec chown root:root \{\} \;
+
+
 # assumes systemd for RHEL 7 & 8 & 9
 %preun master
 # RHEL 9 is giving warning msg if syndic is not installed, supress it
From b5494f7f481b8d55a2c95aa9019719554f641b50 Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Wed, 9 Aug 2023 15:55:13 +0100
Subject: [PATCH 16/23] Fix call to sys.stdout.flush()
---
 pkg/debian/salt-master.preinst | 2 +-
 pkg/rpm/salt.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/debian/salt-master.preinst b/pkg/debian/salt-master.preinst
index f1e1e7edc71b..3a00b757eeb7 100644
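Review bot: The `find … -exec chown root:root \{\} \;` in the `install|upgrade)` branch is the last command the preinst executes, so its exit status becomes the script's; on a fresh `install` nothing visible guarantees salt-common is unpacked first, so `${SALT_HOME}/bin/python3` or some of the listed roots (for instance /var/run/salt) may not exist yet, `find` then exits non-zero and dpkg aborts the installation. Appending `|| :` to the `find`, or passing only the roots that satisfy `[ -d "$p" ]`, keeps the ownership reset best-effort. Separately, `chown` without `-h` follows a symlink named as its operand, so a salt-owned link under one of these trees would re-own whatever it points at, possibly outside them; `find` evaluates `-user`/`-group` on the link itself, so `-exec chown -h root:root \{\} +` confines the reset to the matched entries and batches the calls. Both points apply equally to the `%pre master` scriptlet added to pkg/rpm/salt.spec in the next hunk, where the `find` is likewise the scriptlet's last command.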
--- a/pkg/debian/salt-master.preinst
+++ b/pkg/debian/salt-master.preinst
@@ -4,7 +4,7 @@ case "$1" in
 [ -z "$SALT_USER" ] && SALT_USER=salt
 [ -z "$SALT_NAME" ] && SALT_NAME="Salt"
 [ -z "$SALT_GROUP" ] && SALT_GROUP=salt
- PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+ PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
 # Reset permissions to fix previous installs
 find ${SALT_HOME} /etc/salt /var/log/salt /var/cache/salt /var/run/salt \
diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec
index 5d63d4907743..9de455ea30b2 100644
--- a/pkg/rpm/salt.spec
+++ b/pkg/rpm/salt.spec
@@ -411,7 +411,7 @@ usermod -c "%{_SALT_NAME}" \
 %pre master
 # Reset permissions to fix previous installs
-PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
 find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
 \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
 \( -user salt -o -group salt \) -exec chown root:root \{\} \;
From d48afd9e4faef45dcd2a4ab6be73eb0ce1f9020f Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Wed, 9 Aug 2023 15:58:30 +0100
Subject: [PATCH 17/23] Calculaate python version
---
 pkg/rpm/salt.spec | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec
index 9de455ea30b2..1d48c30a7bff 100644
--- a/pkg/rpm/salt.spec
+++ b/pkg/rpm/salt.spec
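Review bot: The inline Python on the `+ PY_VER=` line still does by hand what `print` does: `PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; print('{}.{}'.format(*sys.version_info))")` is equivalent, since `$(…)` strips the trailing newline, and it avoids the `write`/`flush` pair this commit had to repair. More importantly, if the interpreter is missing or fails, `PY_VER` is empty and the exclusion pattern in the `find` below degrades to `/opt/saltstack/salt/lib/python/site-packages/salt/cloud/deploy*`, which matches nothing, so the cloud deploy tree is reset to root:root along with everything else; guarding the `find` with `[ -n "$PY_VER" ]` would make that case skip the reset (or fail loudly) rather than silently widen it. The same applies to the `%pre master` hunk in pkg/rpm/salt.spec below; in the preinst hunk the `find` command continues past the hunk's last line.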
@@ -486,11 +486,12 @@ ln -s -f /opt/saltstack/salt/salt-api %{_bindir}/salt-api
 %posttrans cloud
+PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
 if [ ! -e "/var/log/salt/cloud" ]; then
 touch /var/log/salt/cloud
 chmod 640 /var/log/salt/cloud
 fi
-chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy
+chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
 %posttrans master
From 1dcf643e8f5e210da15649c68b22def20ea593d0 Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Wed, 9 Aug 2023 15:59:20 +0100
Subject: [PATCH 18/23] Return paths without setting var
---
 pkg/tests/integration/test_salt_user.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py
index ac3d5df7d729..f1af7b05258e 100644
--- a/pkg/tests/integration/test_salt_user.py
+++ b/pkg/tests/integration/test_salt_user.py
@@ -34,7 +34,7 @@ def pkg_paths_salt_user():
 """
 Paths created by package installs and owned by salt user
 """
- paths = [
+ return [
 "/etc/salt/cloud.deploy.d",
 "/var/log/salt/cloud",
 "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy",
@@ -46,7 +46,6 @@ def pkg_paths_salt_user():
 "/var/cache/salt/master",
 "/var/run/salt/master",
 ]
- return paths
 @pytest.fixture
From ed82030def542acf2d979b1a928377a58730ac86 Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Wed, 9 Aug 2023 16:13:42 +0100
Subject: [PATCH 19/23] Revert to not hardcoding python version in cloud deploy path
---
 pkg/tests/integration/test_salt_user.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py
index f1af7b05258e..22f6684f4d0b 100644
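Review bot: The `PY_VER=` line added to `%posttrans cloud` duplicates the one-liner already in `%pre master`, and since `/opt/saltstack/salt/bin/python3` appears to be the interpreter this spec itself packages, its major.minor version is known at build time; a single `%global` macro defined alongside the other `_SALT_*` macros and expanded in both scriptlets would remove the copy and the runtime dependency on the interpreter being callable. As written, an empty `PY_VER` turns the `chown -R` target into `/opt/saltstack/salt/lib/python/site-packages/salt/cloud/deploy`, which does not exist, so the deploy tree keeps whatever ownership `%pre master` left it with and `chown` fails on the scriptlet's last command.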
--- a/pkg/tests/integration/test_salt_user.py
+++ b/pkg/tests/integration/test_salt_user.py
@@ -37,7 +37,9 @@ def pkg_paths_salt_user():
 return [
 "/etc/salt/cloud.deploy.d",
 "/var/log/salt/cloud",
- "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy",
+ "/opt/saltstack/salt/lib/python{}.{}/site-packages/salt/cloud/deploy".format(
+ *sys.version_info
+ ),
 "/etc/salt/pki/master",
 "/etc/salt/master.d",
 "/var/log/salt/master",
From 1e659ea64287d8a386775fe8e009c50d464ad826 Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Mon, 14 Aug 2023 16:41:43 +0100
Subject: [PATCH 20/23] Remove seperate salt-cloud path tests
Removes seperate salt-cloud path tests as they are now covered by test_pkg_paths
---
 pkg/tests/integration/test_salt_user.py | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/pkg/tests/integration/test_salt_user.py b/pkg/tests/integration/test_salt_user.py
index 22f6684f4d0b..5e1ee05e70d6 100644
--- a/pkg/tests/integration/test_salt_user.py
+++ b/pkg/tests/integration/test_salt_user.py
@@ -123,23 +123,6 @@ def test_salt_user_shell(install_salt):
 assert shell_exists is True
-def test_salt_cloud_dirs(install_salt):
- """
- Test the correct user is running the Salt Master
- """
- if platform.is_windows() or platform.is_darwin():
- pytest.skip("Package does not have user set. Not testing user")
- paths = [
- "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cloud/deploy",
- "/etc/salt/cloud.deploy.d",
- ]
- for name in paths:
- path = pathlib.Path(name)
- assert path.exists()
- assert path.owner() == "salt"
- assert path.group() == "salt"
-
-
 def test_pkg_paths(
 install_salt, pkg_paths, pkg_paths_salt_user, pkg_paths_salt_user_exclusions
 ):
From afdced09a7514faea94c6fa310abe3f9ddfb7754 Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Wed, 16 Aug 2023 00:51:29 +0100
Subject: [PATCH 21/23] Add changelog
---
 changelog/64193.fixed.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 changelog/64193.fixed.md
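Review bot: `sys.version_info` on the added lines describes the interpreter running pytest, not the bundled `/opt/saltstack/salt/bin/python3` whose `lib/python<X.Y>` directory the path names; the two only coincide when the suite runs under the packaged interpreter, so on any other runner the fixture asserts ownership of a path that does not exist. Deriving the component from the installed tree instead, for example with a glob for `/opt/saltstack/salt/lib/python3.*` via `pathlib` (assuming it is imported in this module, which the hunk does not show), removes that coupling. The `pkg_paths_salt_user` fixture this list belongs to starts outside the hunk.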
diff --git a/changelog/64193.fixed.md b/changelog/64193.fixed.md
new file mode 100644
index 000000000000..d7b6ebaff81d
--- /dev/null
+++ b/changelog/64193.fixed.md
@@ -0,0 +1,6 @@
+Fixes permissions created by the Debian and RPM packages for the salt user.
+
+The salt user created by the Debian and RPM packages to run the salt-master process, was previously given ownership of various directories in a way which compromised the benefits of running the salt-master process as a non-root user.
+
+This fix sets the salt user to only have write access to those files and
+directories required for the salt-master process to run.
From 607a4de52a10285dd52c4b4fbec9d8a8cc200371 Mon Sep 17 00:00:00 2001
From: Barney Sowood
Date: Wed, 16 Aug 2023 15:12:53 +0100
Subject: [PATCH 22/23] Don't change ownership of /etc/salt/minion.d
No longer changes ownership of /etc/salt/minion.d to salt user for the salt-master. Requires #64219 to be resolved.
---
 pkg/debian/salt-master.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/debian/salt-master.postinst b/pkg/debian/salt-master.postinst
index bc4c825a872f..4f7686d8ed9c 100644
--- a/pkg/debian/salt-master.postinst
+++ b/pkg/debian/salt-master.postinst
@@ -8,7 +8,7 @@ case "$1" in
 touch /var/log/salt/key
 chmod 640 /var/log/salt/key
 fi
- chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /etc/salt/minion.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+ chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
 if command -v systemctl; then systemctl enable salt-master; fi
 ;;
 esac
From cdd4fece5352d54e08fd0d777d99032fdaaf43ef Mon Sep 17 00:00:00 2001
From: MKLeb
Date: Wed, 16 Aug 2023 16:18:27 -0400
Subject: [PATCH 23/23] Fix `test_pip_non_root`
---
 pkg/tests/integration/test_pip.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
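Review bot: The rewritten `chown -R salt:salt …` line in salt-master.postinst still gives the service account ownership of `/etc/salt/master.d`, that is, write access to its own configuration drop-ins, which runs against this series' stated goal of limiting the salt user to what salt-master must write. Unless the master persists state under master.d at runtime, `chown -R root:salt /etc/salt/master.d` followed by `chmod -R u=rwX,g=rX,o= /etc/salt/master.d` is the tighter default, while `/etc/salt/pki/master` and the log, cache and run paths legitimately stay salt-writable. The `if command -v systemctl; then` line below it shares the stdout-noise and re-enable-on-upgrade behaviour noted on the salt-api.postinst hunk earlier in the series.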
diff --git a/pkg/tests/integration/test_pip.py b/pkg/tests/integration/test_pip.py
index 7037763064ec..eb4b5c4896e3 100644
--- a/pkg/tests/integration/test_pip.py
+++ b/pkg/tests/integration/test_pip.py
@@ -29,7 +29,19 @@ def wipe_pydeps(shell, install_salt, extras_pypath):
 shell.run(
 *(install_salt.binary_paths["pip"] + ["uninstall", "-y", dep]),
 )
- shutil.rmtree(extras_pypath, ignore_errors=True)
+ # Let's remove everything under the extras directory, uninstalling doesn't get dependencies
+ dirs = []
+ files = []
+ for filename in extras_pypath.glob("**/**"):
+ if filename != extras_pypath and filename.exists():
+ if filename.is_dir():
+ dirs.append(filename)
+ else:
+ files.append(filename)
+ for fp in files:
+ fp.unlink()
+ for dirname in dirs:
+ shutil.rmtree(dirname, ignore_errors=True)
 def test_pip_install(salt_call_cli):
@@ -88,6 +100,8 @@ def test_pip_install_extras(shell, install_salt, extras_pypath_bin):
 def demote(user_uid, user_gid):
 def result():
+ # os.setgid does not remove group membership, so we remove them here so they are REALLY non-root
+ os.setgroups([])
 os.setgid(user_gid)
 os.setuid(user_uid)
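Review bot: On the Python versions this suite appears to target (paths elsewhere in the series name `python3.10`), `extras_pypath.glob("**/**")` yields only directories, since a trailing `**` matches files too only from Python 3.13, so `files` stays empty, the `else: files.append(filename)` branch is dead, and any plain file sitting directly under `extras_pypath` is never removed, while every nested directory is still handed to `shutil.rmtree` after an ancestor has already deleted it. Iterating the top level once and deleting each child by type covers both cases in fewer lines; an `is_dir()` guard on `extras_pypath` keeps today's no-op when the directory is absent, which is what `glob` gives now. `wipe_pydeps` begins before this hunk.
```python
    # Let's remove everything under the extras directory, uninstalling doesn't get dependencies
    if extras_pypath.is_dir():
        for child in extras_pypath.iterdir():
            if child.is_dir():
                shutil.rmtree(child, ignore_errors=True)
            else:
                child.unlink(missing_ok=True)
```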