salt-master should not run as root anymore #5249

Closed
karlp opened this issue May 24, 2013 · 9 comments
Labels
Feature new functionality including changes to functionality and code refactors, etc.

Comments

@karlp

karlp commented May 24, 2013

We're up to 0.15.1, and the PPA at least still ships a config that runs salt-master as root.
The docs at https://salt.readthedocs.org/en/latest/topics/nonroot.html say it's been available since 0.91.

Tagging @kb1jwq because he wanted to be involved

@aboe76
Contributor

aboe76 commented May 24, 2013

This is also possible with archlinux package:
I could modify the package to create a system user salt
and add a conf file in /etc/salt/master.d/salt-user.conf with the content:

user: salt

The only addition to the salt PKGBUILD would be 1 file and one line in the PKGBUILD:
salt.install (this script will take care of creating and deleting the salt system user)
and setting the directory permissions.

I have a PKGBUILD ready with these changes.
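As an added check (example code, not Salt's and not any package's own), here is a small audit of the setup described above: it resolves the effective `user:` the way a master.d drop-in overrides the shipped config, then confirms that user exists and owns the directories salt-master writes to. The `MASTER_DIRS` paths, the `build_fixture` tree and the flat `key: value` parsing are assumptions made for this example.

```python
import os
import pwd
import tempfile
from pathlib import Path

# Directories salt-master must write to (usual /etc/salt layout; constructed here).
MASTER_DIRS = ("etc/salt/pki/master", "var/cache/salt/master", "var/log/salt")

def current_user():
    return pwd.getpwuid(os.getuid()).pw_name

def load_flat_config(conf_dir):
    """Read <conf_dir>/master, then master.d/*.conf sorted; later keys win.
    Assumption: only top-level 'key: value' lines are parsed (enough for
    'user:'); Salt itself loads full YAML."""
    conf_dir, opts = Path(conf_dir), {}
    for path in [conf_dir / "master", *sorted(conf_dir.glob("master.d/*.conf"))]:
        for line in (path.read_text().splitlines() if path.is_file() else ()):
            key, sep, value = line.split("#", 1)[0].strip().partition(":")
            if sep and key.strip():
                opts[key.strip()] = value.strip()
    return opts

def audit(conf_dir, dirs):
    """Return (effective 'user', findings) for a master config tree."""
    findings, uid = [], None
    user = load_flat_config(conf_dir).get("user", "root")  # Salt's default
    if user == "root":
        findings.append("salt-master will run as root; set 'user:' in master.d/")
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        findings.append(f"user {user!r} does not exist; the package must create it")
    for d in dirs:  # the packaging step: these must be chowned to that user
        st_uid = os.stat(d).st_uid
        if uid is None or st_uid != uid:
            findings.append(f"{d} owned by uid {st_uid}, not {user}")
    return user, findings

def build_fixture(user):
    """Construct a throwaway tree: shipped 'user: root' plus a drop-in override."""
    root = Path(tempfile.mkdtemp())
    conf = root / "etc" / "salt"
    (conf / "master.d").mkdir(parents=True)
    (conf / "master").write_text("interface: 0.0.0.0\nuser: root  # shipped default\n")
    (conf / "master.d" / "salt-user.conf").write_text(f"user: {user}\n")
    dirs = [root / d for d in MASTER_DIRS]
    for d in dirs:
        d.mkdir(parents=True)
    return str(conf), [str(d) for d in dirs]
```

Running `audit("/etc/salt", [...])` against a real host with the same directory list reports whether the drop-in took effect and which directories still belong to root.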

@aboe76
Contributor

aboe76 commented May 24, 2013

The only issue so far running salt under a system user other than root is a message about dmidecode permissions,
and you need to be aware that all files in /srv/salt (salt root) can be read by the system user.

I have investigated the dmidecode message in salt master log, and I think it is not a problem
as long as the salt-minion daemon runs under root privileges.

@thatch45
Contributor

The dmidecode error is not a real issue and can probably be changed to an info log message. I agree that running the master as non-root is a good idea, but since @kb1jwq is involved I will need to deny all requests.....

In seriousness though, I think that the package is where this change should be, since the package should also be responsible for setting up the user and any initial permissions

@thatch45
Contributor

I have reached out to the packagers and let them know about this, but I don't think it is a salt-specific bug. I think that we should change the dmidecode message to be a less severe warning here, though.

@QuinnyPig
Contributor

Not to mention that dmidecode warnings are rampant on MacOS, given that dmidecode doesn't exist on that platform. Downgrading this would be swell.

@karlp
Author

karlp commented May 29, 2013

So, where exactly is this tracked now? Are there xxxx bugs filed in all the packages? Have you got links to those?

@basepi
Contributor

basepi commented May 29, 2013

Actually, I'm not sure that there's an open issue for it, I think Tom just notified the packagers directly. If you'd like to keep track of it, please create a new issue, and make it obvious that it's related to Ubuntu packaging, something like "Ubuntu package should not run Salt as root". That way it doesn't get forgotten. Thanks!

@aboe76
Contributor

aboe76 commented May 31, 2013

With the Suse packages salt-master is running under its own system user 'salt'.

@aboe76
Contributor

aboe76 commented Jun 2, 2013

@thatch45 and @KB1JWQ can you guys take a look into this:

I found another issue with running salt-master as its own user instead of root.
The external_auth pam module can't verify the user without running as root.

Dug a little deeper and found on the jenkins/hudson mailing list an explanation of the same issue:
http://jenkins-ci.361315.n4.nabble.com/Using-UNIX-PAM-authentication-from-a-non-root-user-td378559.html

Apparently pam authentication can only be done as root, or by opening up a whole lot of security issues.

But testing further with other authentication methods:
external_auth with ldap does not have this issue... so it is only related to the pam check of passwd.
The salt-api daemon running as root and using salt-ui can check authentication (because of root permissions for salt-api).

So running salt-master as a privileged user, not as root, can be done, but you lose pam external authentication on the cli.
I think this information needs to be added to the documentation of external_auth.

F30 added a commit to F30/salt that referenced this issue Feb 19, 2017
"Although 'dmidecode' was found in path, the current user cannot execute it" is a frequent annoyance when running Salt as non-root user. [1] [2] [3] [4]

This is more of an ugly hack, but fixing the underlying problem would probably require major refactoring of the whole function.

[1] saltstack#2494 (comment)
[2] https://groups.google.com/d/topic/salt-users/aM11D1mIV4c/discussion
[3] saltstack#5249 (comment)
[4] saltstack#39184