[wip] salt-call and salt-pip honor configured user #68685

Open: dwoz wants to merge 11 commits into saltstack:3006.x from dwoz:salt-call-user

dwoz commented Feb 5, 2026

Fixes #68684, #68777

  • Ensure salt-call drops privileges to the configured 'user' to prevent root-owned cache files.
  • Add --priv flag to salt-call for explicit user switching.
  • Update sudo executor to use --priv to maintain sudo_user context.
  • Ensure salt-pip drops privileges to the configured 'user' before package installation.
  • Add unit and integration tests for privilege dropping and file ownership.

dwoz requested a review from a team as a code owner February 5, 2026 09:00
dwoz added the test:full (Run the full test suite) label Feb 5, 2026
dwoz changed the title from "salt-call and salt-pip honor configured user" to "[wip] salt-call and salt-pip honor configured user" Feb 5, 2026
twangboy previously approved these changes Feb 10, 2026
twangboy previously approved these changes Feb 25, 2026
twangboy previously approved these changes Feb 27, 2026

if [ -f "/etc/salt/minion" ] || [ -d "/etc/salt/minion.d" ]; then
# Try to get user from main config
if [ -f "/etc/salt/minion" ]; then
MINION_USER=$(grep -E "^user:" /etc/salt/minion | cut -d ':' -f 2 | tr -d ' ')
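
Review bot: On the `MINION_USER=$(grep -E "^user:" /etc/salt/minion | cut -d ':' -f 2 | tr -d ' ')` line, the extracted value is never validated. `cut -d ':' -f 2 | tr -d ' '` keeps surrounding quotes and any trailing `# comment`, and if `user:` appears more than once the variable ends up holding several newline-separated values. Suggest reducing the output to a single match, stripping quotes and inline comments, and confirming the account exists (for example with `id -u "$MINION_USER"`) before the variable is used. The outer test also accepts `/etc/salt/minion.d`, so if a later branch reads drop-in files it needs the same handling.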

From https://docs.saltproject.io/en/latest/ref/configuration/minion.html:

The Salt Minion configuration is very simple. Typically, the only value that needs to be set is the master value so the minion knows where to locate its master.

By default, the salt-minion configuration will be in /etc/salt/minion. A notable exception is FreeBSD, where the configuration will be in /usr/local/etc/salt/minion.

dwoz added 11 commits March 5, 2026 17:11
- Improve default CWD fallback in cmd.run to handle non-directory home dirs (e.g. /dev/null)
- Ensure /opt/saltstack/salt is chowned on fresh RPM installs
- Make test_pkg_paths more robust by checking actual configured minion user
- Restore missing minion user setup in test_permissions.py
Allow root, salt or configured minion user to own paths under onedir.
This handles mixed ownership cases during downgrade/upgrade cycles
while maintaining strict checks for other system paths.