Package: salt-master
Version: 3002.6+dfsg1-4
Severity: Normal

While the official packages run salt-master as root, the Debian packages run salt-master under the user "salt". I have written a plug-in for Salt that provides dynamically generated pillars for encryption keys, passwords, and other useful features (shameless plug: https://github.com/jdelic/dynamicsecrets). However, dynamicsecrets needs to save data to a permanent location in the form of a sqlite database.

The default path for that is /etc/salt/dynamicsecrets.sqlite. Of the folders owned by the salt-master package, this is the logical choice since /var/cache/salt and /var/run/salt are ephemeral locations. Unfortunately on the Debian packages the "salt" user has no write access to /etc/salt.

Salt's own documentation (https://docs.saltproject.io/en/latest/ref/configuration/nonroot.html) under "Running the Salt Master/Minion as an Unprivileged User" states

"""
In order to allow Salt to successfully run as a non-root user, ownership, and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):

    /etc/salt
    /var/cache/salt
    /var/log/salt
    /var/run/salt
"""

Unfortunately there is no way to fix this from within dynamicsecrets as the "salt" user doesn't have write access to any location amenable to long-term storage.

So I would ask that the package be updated to change the owner of /etc/salt to the "salt" user.

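As an added example (not part of the bug report, the Debian packaging or Salt itself), the following POSIX shell script checks the four directories quoted from the Salt documentation above and reports which of them a given service user cannot write to. It only reports; it changes no permissions. The script name, the helper names and the default user "salt" are assumptions for illustration.

```sh
#!/bin/sh
# Added example: not part of the bug report, the Debian packaging or Salt.
# Reports whether a service user can write to each directory that Salt's
# non-root documentation lists, without touching any permissions.

# The four directories quoted from the Salt documentation.
SALT_DIRS="/etc/salt /var/cache/salt /var/log/salt /var/run/salt"

# dir_writable_by USER DIR
# Exit 0 if USER can write to DIR, 1 otherwise.
#  - a missing DIR is not writable;
#  - if we already are USER, ask the kernel directly with test -w;
#  - if we are root, switch to USER with su for the check, so mode bits,
#    group membership and ACLs are all evaluated by the kernel, not by us;
#  - otherwise we cannot answer for another user and report a failure.
dir_writable_by() {
    user="$1"
    dir="$2"
    [ -d "$dir" ] || return 1
    if [ "$(id -un)" = "$user" ]; then
        test -w "$dir"
    elif [ "$(id -u)" -eq 0 ]; then
        # Assumes DIR contains no single quote (true for the paths above).
        su -s /bin/sh -c "test -w '$dir'" "$user"
    else
        echo "cannot check $dir as $user: not root and not that user" >&2
        return 1
    fi
}

# unwritable_count USER [DIR...]
# Prints one "ok"/"NO" line per directory on stderr and echoes on stdout the
# number of directories USER cannot write to (0 means the documented
# layout holds for that user).
unwritable_count() {
    user="$1"
    shift
    failures=0
    for d in "$@"; do
        if dir_writable_by "$user" "$d"; then
            echo "ok  $d" >&2
        else
            echo "NO  $d" >&2
            failures=$((failures + 1))
        fi
    done
    echo "$failures"
}

# main [USER]  -  report on the four Salt directories for USER (default: salt).
# Always exits 0 after printing the report; use unwritable_count directly
# when a pass/fail exit status is needed in automation.
main() {
    user="${1:-salt}"
    # shellcheck disable=SC2086  # word splitting of SALT_DIRS is intended
    n=$(unwritable_count "$user" $SALT_DIRS)
    echo "$n of the documented Salt directories are not writable by $user"
    return 0
}

main "$@"
```

Run as root on the Debian host (`sh check_salt_dirs.sh salt`) to see which of the four directories the "salt" user is locked out of. If an administrator then decides to hand /etc/salt to that user, the change should be recorded with dpkg-statoverride (for example `dpkg-statoverride --update --add salt salt 0750 /etc/salt`, an example invocation) so that package upgrades do not silently revert it. Note that /etc/salt also holds the master configuration, including its authentication and ACL settings, so whatever can write there can reconfigure the master; that is why this script only reports rather than chowning anything.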