From 6a788482cfb57bd29ca24ee4528c42084031954b Mon Sep 17 00:00:00 2001 From: merlinz01 <158784988+merlinz01@users.noreply.github.com> Date: Wed, 24 Apr 2024 13:57:29 -0400 Subject: [PATCH] note permission errors for /dev/stdin and possibility of using "-" for stdin --- salt/states/cmd.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/salt/states/cmd.py b/salt/states/cmd.py index a159606663a..e9fb2a2315f 100644 --- a/salt/states/cmd.py +++ b/salt/states/cmd.py @@ -248,10 +248,18 @@ in combination with the slots feature. Example: .. code-block:: yaml - my-command --read-password-from-stdin: + my-command --read-secret-from-stdin: cmd.run: - stdin: __slot__:salt:pillar.get(example:secret) +Some commands read from stdin when "-" is passed as an input file: + +.. code-block:: yaml + + gcc - -x c -o ./myprogram: + cmd.run: + - stdin: __slot__:salt:pillar.get(example:my_super_secret_c_code) + If your command can read from a file and is running on a Unix-ish system, pass /dev/stdin as the file and feed the data to stdin. Example: @@ -260,6 +268,10 @@ pass /dev/stdin as the file and feed the data to stdin. Example: step ca certificate server.example.com cert.pem key.pem --provisioner JWK --provisioner-password-file /dev/stdin: cmd.run: - stdin: __slot__:salt:pillar.get(server:provisioner_password) + - unless: step certificate needs-renewal cert.pem 2>&1 | grep "certificate does not need renewal" + +Note: The use of the runas option or sudo will cause permission errors when reading /dev/stdin. +If you need to run as a specific user the command will have to read from the usual internal stdin file descriptor. The use of the slots feature keeps minions who can render the state file from stealing the password. """
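Review bot: The note added at the end of the second hunk (`Note: The use of the runas option or sudo will cause permission errors when reading /dev/stdin.`) says what fails but not what to do instead, and "the usual internal stdin file descriptor" is hard to act on. A reader who needs `runas` may fall back to a temporary file or a command-line argument for the secret, which is presumably what this section is meant to steer people away from. I would name the safe alternative and point back to the "-" example from the first hunk, for instance `If you need runas or sudo, use a command option that reads the secret from standard input itself (for example "-") instead of the /dev/stdin path.` Separately, the new `unless` line matches the literal text "certificate does not need renewal"; if that wording ever changes, the check stops matching and the certificate is re-issued on every run, so a one-line comment in the example saying the match depends on the tool's message text would help.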