diff --git a/changelog/65264.fixed.md b/changelog/65264.fixed.md index f12bad4e2db..42bb45ac968 100644 --- a/changelog/65264.fixed.md +++ b/changelog/65264.fixed.md @@ -1 +1 @@ -Ensure on rpm systems, that user and group for existing Salt, is maintained on upgrade +Ensure on rpm and deb systems, that user and group for existing Salt, is maintained on upgrade diff --git a/pkg/debian/salt-api.postinst b/pkg/debian/salt-api.postinst index 9345d72bf2a..0624c297c85 100644 --- a/pkg/debian/salt-api.postinst +++ b/pkg/debian/salt-api.postinst @@ -1,10 +1,15 @@ +. /usr/share/debconf/confmodule + case "$1" in configure) - if [ ! -e "/var/log/salt/api" ]; then - touch /var/log/salt/api - chmod 640 /var/log/salt/api + db_get salt-master/user + if [ "$RET" != "root" ]; then + if [ ! -e "/var/log/salt/api" ]; then + touch /var/log/salt/api + chmod 640 /var/log/salt/api + fi + chown $RET:$RET /var/log/salt/api fi - chown salt:salt /var/log/salt/api if command -v systemctl; then systemctl enable salt-api; fi ;; esac diff --git a/pkg/debian/salt-cloud.postinst b/pkg/debian/salt-cloud.postinst index a92551161da..8eb74eae0ed 100644 --- a/pkg/debian/salt-cloud.postinst +++ b/pkg/debian/salt-cloud.postinst @@ -1,6 +1,12 @@ +. /usr/share/debconf/confmodule + case "$1" in configure) - PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;") - chown -R salt:salt /etc/salt/cloud.deploy.d /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy + db_get salt-master/user + if [ "$RET" != "root" ]; then + PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;") + # TBD DGM what is this salt:salt doing here, should this be $RET:$RET + chown -R salt:salt /etc/salt/cloud.deploy.d /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy + fi ;; esac 
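Review bot: In salt-api.postinst the exit status of `db_get salt-master/user` is never checked, and `$RET` then reaches `chown $RET:$RET` unquoted and unvalidated. The `salt-master/user` template is shipped by the salt-master package, so if the question is not registered when this script runs, `$RET` will not hold a user name (as far as I know it carries debconf's error text instead). I would fall back explicitly with `db_get salt-master/user || RET=salt`, confirm the account exists with `id -u "$RET" >/dev/null 2>&1`, and quote the operand as `chown "$RET:$RET" /var/log/salt/api`. Note that `$RET:$RET` also assumes a group with the same name as the user. The same pattern appears in the salt-cloud.postinst and salt-master.postinst hunks.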
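Review bot: The `chown -R salt:salt` in salt-cloud.postinst still hard-codes the account even though the hunk now reads `salt-master/user`, and the `TBD DGM` comment above it leaves that question open in shipped code. With a non-default user configured, the deploy directories end up owned by `salt` while salt-master.postinst gives the master's files to `$RET`, or the chown fails if no `salt` account exists. Either use `chown -R "$RET:$RET" ...` to match the other postinst scripts, or replace the TBD with a comment stating why these paths stay with `salt`. `${PY_VER}` is also expanded unquoted and unchecked, so a failed python3 call produces a path that does not exist.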
diff --git a/pkg/debian/salt-master.config b/pkg/debian/salt-master.config new file mode 100644 index 00000000000..d18163d0237 --- /dev/null +++ b/pkg/debian/salt-master.config @@ -0,0 +1,7 @@ +#!/bin/sh -e + +# Source debconf library. +. /usr/share/debconf/confmodule + +db_input medium salt-master/user || true +db_go || true diff --git a/pkg/debian/salt-master.postinst b/pkg/debian/salt-master.postinst index 4f7686d8ed9..e068d334e39 100644 --- a/pkg/debian/salt-master.postinst +++ b/pkg/debian/salt-master.postinst @@ -1,14 +1,19 @@ +. /usr/share/debconf/confmodule + case "$1" in configure) - if [ ! -e "/var/log/salt/master" ]; then - touch /var/log/salt/master - chmod 640 /var/log/salt/master + db_get salt-master/user + if [ "$RET" != "root" ]; then + if [ ! -e "/var/log/salt/master" ]; then + touch /var/log/salt/master + chmod 640 /var/log/salt/master + fi + if [ ! -e "/var/log/salt/key" ]; then + touch /var/log/salt/key + chmod 640 /var/log/salt/key + fi + chown -R $RET:$RET /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master fi - if [ ! -e "/var/log/salt/key" ]; then - touch /var/log/salt/key - chmod 640 /var/log/salt/key - fi - chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master if command -v systemctl; then systemctl enable salt-master; fi ;; esac diff --git a/pkg/debian/salt-master.preinst b/pkg/debian/salt-master.preinst index f205423079c..fcf3fde21c4 100644 --- a/pkg/debian/salt-master.preinst +++ b/pkg/debian/salt-master.preinst 
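Review bot: `#!/bin/sh -e` in salt-master.config puts the errexit option in the shebang, where it is lost whenever the script is run as `sh salt-master.config`, for example while debugging. Use `#!/bin/sh` followed by `set -e` on its own line. Both debconf calls end in `|| true`, so a one-line comment such as `# db_input returns non-zero when the question is skipped; that is not an error` would explain why the failures are ignored.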
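Review bot: With the new `if [ "$RET" != "root" ]` wrapper in salt-master.postinst, the `touch`/`chmod 640` of `/var/log/salt/master` and `/var/log/salt/key` no longer runs when the master is configured to run as root; before this change it ran unconditionally. In that case the files are presumably created later by whatever first writes to them, with a mode that depends on that process's umask rather than the packaged 640. Keep the two `if [ ! -e ... ]` blocks outside the user check and put only the chown inside it, written as `chown -R "$RET:$RET" ...`. salt-api.postinst has the same change for `/var/log/salt/api`.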
@@ -7,10 +7,14 @@ case "$1" in PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();") # Reset permissions to fix previous installs + # TBD DGM Need to check this code for root:root, doesn't seem correct, needs to be whatever the user is find ${SALT_HOME} /etc/salt /var/log/salt /var/cache/salt /var/run/salt \ \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \ \( -user ${SALT_USER} -o -group ${SALT_GROUP} \) -exec chown root:root \{\} \; + ;; + esac + # remove incorrectly installed ufw salt-master directory - issue 57712 test -d /etc/ufw/applications.d/salt-master && rm -rf /etc/ufw/applications.d/salt-master || /bin/true diff --git a/pkg/debian/salt-master.templates b/pkg/debian/salt-master.templates new file mode 100644 index 00000000000..70a1141e33b --- /dev/null +++ b/pkg/debian/salt-master.templates @@ -0,0 +1,5 @@ +Template: salt-master/user +Type: string +Default: salt +Description: User for salt-master + User to run the salt-master process as diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index c7340e6a5a7..f64884c9d58 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec @@ -15,10 +15,12 @@ %global __requires_exclude_from ^.*$ %define _source_payload w2.gzdio %define _binary_payload w2.gzdio -%define _SALT_GROUP salt -%define _SALT_USER salt -%define _SALT_NAME Salt -%define _SALT_HOME /opt/saltstack/salt +%global _SALT_GROUP salt +%global _SALT_USER salt +%global _SALT_NAME Salt +%global _SALT_HOME /opt/saltstack/salt +%global _CUR_USER %{_SALT_USER} +%global _CUR_GROUP %{_SALT_GROUP} # Disable debugsource template %define _debugsource_template %{nil} 
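Review bot: The added `;;` and `esac` in salt-master.preinst close the `case "$1"` block before the ufw cleanup, so `rm -rf /etc/ufw/applications.d/salt-master` now apparently runs for every preinst action rather than only inside the branch above it. The `case` opens outside this hunk and what follows the `test -d` line is not visible, so it is worth confirming with `sh -n` that no second `;;`/`esac` remains below. The new `TBD DGM` comment also records that the `chown root:root` reset is believed to be wrong. Resolve it before release, since this preinst resets ownership to root while the postinst hands a fixed path list to the configured user.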
@@ -426,22 +428,37 @@ usermod -c "%{_SALT_NAME}" \ %pre master if [ $1 -gt 1 ] ; then - # Reset permissions to match previous installs - PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();") - _CUR_USER=$(command -v salt-master | xargs ls -l | cut -d ' ' -f 3) - _CUR_GROUP=$(command -v salt-master | xargs ls -l | cut -d ' ' -f 4) - find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \ - \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \ - \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \; + # Reset permissions to match previous installs - performing upgrade +# PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();") +# _CUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3) +# _CUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4) +# # TBD DGM this find command will overwrite any ownership if a minion - user is preinstalled first +# find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \ +# \! 
\( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o \ +# -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \ +# \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \; + _LCUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3) + _LCUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4) + %global _CUR_USER %{_LCUR_USER} + %global _CUR_GROUP %{_LCUR_GROUP} fi %pre minion if [ $1 -gt 1 ] ; then - # Reset permissions to match previous installs - _CUR_USER=$(command -v salt-minion | xargs ls -l | cut -d ' ' -f 3) - _CUR_GROUP=$(command -v salt-minion | xargs ls -l | cut -d ' ' -f 4) - find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \ - \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \; + # Reset permissions to match previous installs - performing upgrade +# _CUR_USER=$(ls -dl /run/salt/minion | cut -d ' ' -f 3) +# _CUR_GROUP=$(ls -dl /run/salt/minion | cut -d ' ' -f 4) +# if [ ! -e "/var/log/salt/master" ]; then +# find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \ +# \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \; +# else +# # master exists, it takes precedence +# find /etc/salt/minion /var/log/salt/minion /var/cache/salt/minion /var/run/salt/minion \ +# \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \; + _LCUR_USER=$(ls -dl /run/salt/minion | cut -d ' ' -f 3) + _LCUR_GROUP=$(ls -dl /run/salt/minion | cut -d ' ' -f 4) + %global _CUR_USER %{_LCUR_USER} + %global _CUR_GROUP %{_LCUR_GROUP} fi 
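Review bot: `%global _CUR_USER %{_LCUR_USER}` inside `%pre master` and `%pre minion` cannot carry the value computed by the shell line above it: rpm expands macros when the spec is parsed at build time, the surrounding `if [ $1 -gt 1 ]` does not gate a macro definition, and `_LCUR_USER` is a shell variable, not a macro. The likely result is that `%{_CUR_USER}` in the later `chown -R %{_CUR_USER}:%{_CUR_GROUP}` scriptlet lines expands to the literal text `%{_LCUR_USER}` (the last definition, from `%pre minion`, wins), so those calls receive an invalid owner on upgrade. Shell variables do not survive from `%pre` to a later scriptlet either, so the owner has to be read in the scriptlet that uses it, for example `_CUR_USER=$(stat -c '%U' /run/salt/master)` followed by `chown -R "${_CUR_USER}:${_CUR_GROUP}" ...`; `stat` also avoids parsing `ls -dl` with `cut`. The large commented-out blocks should be removed rather than shipped.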
@@ -571,7 +588,14 @@ if [ ! -e "/var/log/salt/cloud" ]; then touch /var/log/salt/cloud chmod 640 /var/log/salt/cloud fi -chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy +if [ $1 -gt 1 ] ; then + # Reset permissions to match previous installs - performing upgrade +# _CUR_USER=$(ls -dl /var/log/salt/cloud | cut -d ' ' -f 3) +# _CUR_GROUP=$(ls -dl /var/log/salt/cloud | cut -d ' ' -f 4) + chown -R %{_CUR_USER}:%{_CUR_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy +else + chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy +fi %posttrans master @@ -583,7 +607,14 @@ if [ ! -e "/var/log/salt/key" ]; then touch /var/log/salt/key chmod 640 /var/log/salt/key fi -chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master +if [ $1 -gt 1 ] ; then + # Reset permissions to match previous installs - performing upgrade +# _CUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3) +# _CUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4) + chown -R %{_CUR_USER}:%{_CUR_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master +else + chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master +fi %posttrans api 
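Review bot: `if [ $1 -gt 1 ]` is the usual install-versus-upgrade test for `%pre` and `%post`, but these scriptlets appear to be `%posttrans` ones, where as far as I know rpm passes 1 on an upgrade as well because the old package has already been removed. If so, the `else` branch always runs and the files are handed back to `%{_SALT_USER}:%{_SALT_GROUP}`, which is the behaviour the changelog entry says is being fixed. Confirm the value of `$1` during an upgrade in a test build before relying on it. The same test is in the following hunk for the master paths and in the `/var/log/salt/api` hunk. The scriptlet header for this first hunk is outside the visible lines.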
@@ -591,7 +622,14 @@ if [ ! -e "/var/log/salt/api" ]; then touch /var/log/salt/api chmod 640 /var/log/salt/api fi -chown %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api +if [ $1 -gt 1 ] ; then + # Reset permissions to match previous installs - performing upgrade +# _CUR_USER=$(ls -dl /var/log/salt/api | cut -d ' ' -f 3) +# _CUR_GROUP=$(ls -dl /var/log/salt/api | cut -d ' ' -f 4) + chown -R %{_CUR_USER}:%{_CUR_GROUP} /var/log/salt/api +else + chown -R %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api +fi %preun @@ -748,6 +786,7 @@ fi # Fixed +- Fix issue with ownership on upgrade of master and minion files - Fix an issue with mac_shadow that was causing a command execution error when retrieving values that were not yet set. For example, retrieving last login before the user had logged in. [#34658](https://github.com/saltstack/salt/issues/34658)
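Review bot: Both branches of the `/var/log/salt/api` hunk now call `chown -R`, where the replaced line used plain `chown`. The target is a single log file that the lines above create with `touch`, so `-R` adds nothing and would recurse if the path were ever a directory. Keep the non-recursive form in both branches, e.g. `chown %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api` in the `else` branch. The three commented-out `_CUR_USER`/`_CUR_GROUP` lines can be dropped.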