Update docs

doc/topics/hardening.rst

@@ -150,3 +150,13 @@ Run the following on the Salt minion:
 
 .. _salt-users: https://groups.google.com/forum/#!forum/salt-users
 .. _salt-announce: https://groups.google.com/forum/#!forum/salt-announce
+
+
+Hardening of syndic setups
+==========================
+
+Syndics must be run as the same user as their syndic master process. The master
+of master's will include publisher ACL information in jobs send to downstream
+masters via syndics. This means that any minions connected directly to a master
+of masters will also receive ACL information in jobs being published. For the
+most secure setup, only connect syndics directly to master of masters.

doc/topics/topology/syndic.rst

@@ -21,14 +21,6 @@ node and the local ``salt-master`` daemon.  This gives the Master node control
 over the Minion nodes attached to the ``salt-master`` daemon running on the
 Syndic node.
 
-.. warning::
-
-    Salt does not officially support Syndic and :ref:`external auth or
-    publisher_acl<acl-eauth>`. It's possible that it might work under certain
-    circumstances, but comprehensive support is lacking. See `issue #62618 on
-    GitHub <https://github.com/saltstack/salt/issues/62618>`_ for more
-    information. Currently Syndic is only expected to work when running Salt as
-    root, though work is scheduled to fix this in Salt 3006 (Sulfur).
 
 Configuring the Syndic
 ======================
@@ -71,6 +63,10 @@ The :conf_master:`order_masters` option configures the Master node to send
 extra information with its publications that is needed by Syndic nodes
 connected directly to it.
 
+.. warning::
+   The syndic process must be run as the same user as the syndic master.
+
+
 .. note::
 
     Each Syndic must provide its own ``file_roots`` directory. Files will not