Make sure configured user is properly set by Salt (bsc#1210994) (#596)

* Make sure Salt user and env is validated before daemon init

* Ensure HOME is always present in env and set according to pwuser

* Set User to salt in salt-master.service files

* Return proper exitcode if user is not valid

* Fix environment also for salt-ssh command

* Increase start_timeout to avoid test to be flaky

pkg/common/salt-master.service

@@ -8,6 +8,7 @@ LimitNOFILE=100000
 Type=notify
 NotifyAccess=all
 ExecStart=/usr/bin/salt-master
+User=salt
 
 [Install]
 WantedBy=multi-user.target

pkg/old/deb/salt-master.service

@@ -7,6 +7,7 @@ LimitNOFILE=16384
 Type=notify
 NotifyAccess=all
 ExecStart=/usr/bin/salt-master
+User=salt
 
 [Install]
 WantedBy=multi-user.target

pkg/old/suse/salt-master.service

@@ -8,6 +8,7 @@ LimitNOFILE=100000
 Type=simple
 ExecStart=/usr/bin/salt-master
 TasksMax=infinity
+User=salt
 
 [Install]
 WantedBy=multi-user.target

salt/cli/daemons.py

@@ -7,6 +7,7 @@
 import os
 import warnings
 
+import salt.defaults.exitcodes
 import salt.utils.kinds as kinds
 from salt.exceptions import SaltClientError, SaltSystemExit, get_error_message
 from salt.utils import migrations
@@ -73,6 +74,16 @@ def verify_hash_type(self):
                 self.__class__.__name__,
             )
 
+    def verify_user(self):
+        """
+        Verify Salt configured user for Salt and shutdown daemon if not valid.
+
+        :return:
+        """
+        if not check_user(self.config["user"]):
+            self.action_log_info("Cannot switch to configured user for Salt. Exiting")
+            self.shutdown(salt.defaults.exitcodes.EX_NOUSER)
+
     def action_log_info(self, action):
         """
         Say daemon starting.
@@ -178,6 +189,10 @@ def prepare(self):
         self.config["interface"] = ip_bracket(self.config["interface"])
         migrations.migrate_paths(self.config)
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         # Late import so logging works correctly
         import salt.master
 
@@ -290,6 +305,10 @@ def prepare(self):
 
         transport = self.config.get("transport").lower()
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         try:
             # Late import so logging works correctly
             import salt.minion
@@ -478,6 +497,10 @@ def prepare(self):
             self.action_log_info("An instance is already running. Exiting")
             self.shutdown(1)
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         # TODO: AIO core is separate from transport
         # Late import so logging works correctly
         import salt.minion
@@ -576,6 +599,10 @@ def prepare(self):
 
         self.action_log_info('Setting up "{}"'.format(self.config["id"]))
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         # Late import so logging works correctly
         import salt.minion
 

salt/cli/ssh.py

@@ -1,7 +1,9 @@
 import sys
 
 import salt.client.ssh
+import salt.defaults.exitcodes
 import salt.utils.parsers
+from salt.utils.verify import check_user
 
 
 class SaltSSH(salt.utils.parsers.SaltSSHOptionParser):
@@ -15,5 +17,11 @@ def run(self):
             # that won't be used anyways with -H or --hosts
         self.parse_args()
 
+        if not check_user(self.config["user"]):
+            self.exit(
+                salt.defaults.exitcodes.EX_NOUSER,
+                "Cannot switch to configured user for Salt. Exiting",
+            )
+
         ssh = salt.client.ssh.SSH(self.config)
         ssh.run()

salt/utils/verify.py

@@ -335,8 +335,8 @@ def check_user(user):
 
         # We could just reset the whole environment but let's just override
         # the variables we can get from pwuser
-        if "HOME" in os.environ:
-            os.environ["HOME"] = pwuser.pw_dir
+        # We ensure HOME is always present and set according to pwuser
+        os.environ["HOME"] = pwuser.pw_dir
 
         if "SHELL" in os.environ:
             os.environ["SHELL"] = pwuser.pw_shell

tests/pytests/integration/cli/test_salt_minion.py

@@ -41,7 +41,7 @@ def test_exit_status_unknown_user(salt_master, minion_id):
         factory = salt_master.salt_minion_daemon(
             minion_id, overrides={"user": "unknown-user"}
         )
-        factory.start(start_timeout=10, max_start_attempts=1)
+        factory.start(start_timeout=30, max_start_attempts=1)
 
     assert exc.value.process_result.returncode == salt.defaults.exitcodes.EX_NOUSER
     assert "The user is not available." in exc.value.process_result.stderr
@@ -53,7 +53,7 @@ def test_exit_status_unknown_argument(salt_master, minion_id):
     """
     with pytest.raises(FactoryNotStarted) as exc:
         factory = salt_master.salt_minion_daemon(minion_id)
-        factory.start("--unknown-argument", start_timeout=10, max_start_attempts=1)
+        factory.start("--unknown-argument", start_timeout=30, max_start_attempts=1)
 
     assert exc.value.process_result.returncode == salt.defaults.exitcodes.EX_USAGE
     assert "Usage" in exc.value.process_result.stderr