From 5ea4add5c8e2bed50b9825edfff7565e5f6124f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
 <psuarezhernandez@suse.com>
Date: Tue, 22 Aug 2023 12:57:44 +0100
Subject: [PATCH] Make sure configured user is properly set by Salt
 (bsc#1210994) (#596)

* Make sure Salt user and env is validated before daemon init

* Ensure HOME is always present in env and set according to pwuser

* Set User to salt in salt-master.service files

* Return proper exitcode if user is not valid

* Fix environment also for salt-ssh command

* Increase start_timeout to avoid test to be flaky
---
 pkg/common/salt-master.service                |  1 +
 pkg/old/deb/salt-master.service               |  1 +
 pkg/old/suse/salt-master.service              |  1 +
 salt/cli/daemons.py                           | 27 +++++++++++++++++++
 salt/cli/ssh.py                               |  8 ++++++
 salt/utils/verify.py                          |  4 +--
 .../integration/cli/test_salt_minion.py       |  4 +--
 7 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/pkg/common/salt-master.service b/pkg/common/salt-master.service
index 377c87afeb..257ecc283f 100644
--- a/pkg/common/salt-master.service
+++ b/pkg/common/salt-master.service
@@ -8,6 +8,7 @@ LimitNOFILE=100000
 Type=notify
 NotifyAccess=all
 ExecStart=/usr/bin/salt-master
+User=salt
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pkg/old/deb/salt-master.service b/pkg/old/deb/salt-master.service
index b5d0cdd22c..f9dca296b4 100644
--- a/pkg/old/deb/salt-master.service
+++ b/pkg/old/deb/salt-master.service
@@ -7,6 +7,7 @@ LimitNOFILE=16384
 Type=notify
 NotifyAccess=all
 ExecStart=/usr/bin/salt-master
+User=salt
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pkg/old/suse/salt-master.service b/pkg/old/suse/salt-master.service
index 9e002d16ca..caabca511c 100644
--- a/pkg/old/suse/salt-master.service
+++ b/pkg/old/suse/salt-master.service
@@ -8,6 +8,7 @@ LimitNOFILE=100000
 Type=simple
 ExecStart=/usr/bin/salt-master
 TasksMax=infinity
+User=salt
 
 [Install]
 WantedBy=multi-user.target
diff --git a/salt/cli/daemons.py b/salt/cli/daemons.py
index ecc05c919e..c9ee9ced91 100644
--- a/salt/cli/daemons.py
+++ b/salt/cli/daemons.py
@@ -7,6 +7,7 @@ import logging
 import os
 import warnings
 
+import salt.defaults.exitcodes
 import salt.utils.kinds as kinds
 from salt.exceptions import SaltClientError, SaltSystemExit, get_error_message
 from salt.utils import migrations
@@ -73,6 +74,16 @@ class DaemonsMixin:  # pylint: disable=no-init
                 self.__class__.__name__,
             )
 
+    def verify_user(self):
+        """
+        Verify Salt configured user for Salt and shutdown daemon if not valid.
+
+        :return:
+        """
+        if not check_user(self.config["user"]):
+            self.action_log_info("Cannot switch to configured user for Salt. Exiting")
+            self.shutdown(salt.defaults.exitcodes.EX_NOUSER)
+
     def action_log_info(self, action):
         """
         Say daemon starting.
@@ -178,6 +189,10 @@ class Master(
         self.config["interface"] = ip_bracket(self.config["interface"])
         migrations.migrate_paths(self.config)
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         # Late import so logging works correctly
         import salt.master
 
@@ -290,6 +305,10 @@ class Minion(
 
         transport = self.config.get("transport").lower()
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         try:
             # Late import so logging works correctly
             import salt.minion
@@ -478,6 +497,10 @@ class ProxyMinion(
             self.action_log_info("An instance is already running. Exiting")
             self.shutdown(1)
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         # TODO: AIO core is separate from transport
         # Late import so logging works correctly
         import salt.minion
@@ -576,6 +599,10 @@ class Syndic(
 
         self.action_log_info('Setting up "{}"'.format(self.config["id"]))
 
+        # Ensure configured user is valid and environment is properly set
+        # before initializating rest of the stack.
+        self.verify_user()
+
         # Late import so logging works correctly
         import salt.minion
 
diff --git a/salt/cli/ssh.py b/salt/cli/ssh.py
index 6048cb5f58..672f32b8c0 100644
--- a/salt/cli/ssh.py
+++ b/salt/cli/ssh.py
@@ -1,7 +1,9 @@
 import sys
 
 import salt.client.ssh
+import salt.defaults.exitcodes
 import salt.utils.parsers
+from salt.utils.verify import check_user
 
 
 class SaltSSH(salt.utils.parsers.SaltSSHOptionParser):
@@ -15,5 +17,11 @@ class SaltSSH(salt.utils.parsers.SaltSSHOptionParser):
             # that won't be used anyways with -H or --hosts
         self.parse_args()
 
+        if not check_user(self.config["user"]):
+            self.exit(
+                salt.defaults.exitcodes.EX_NOUSER,
+                "Cannot switch to configured user for Salt. Exiting",
+            )
+
         ssh = salt.client.ssh.SSH(self.config)
         ssh.run()
diff --git a/salt/utils/verify.py b/salt/utils/verify.py
index 879128f231..7899fbe538 100644
--- a/salt/utils/verify.py
+++ b/salt/utils/verify.py
@@ -335,8 +335,8 @@ def check_user(user):
 
         # We could just reset the whole environment but let's just override
         # the variables we can get from pwuser
-        if "HOME" in os.environ:
-            os.environ["HOME"] = pwuser.pw_dir
+        # We ensure HOME is always present and set according to pwuser
+        os.environ["HOME"] = pwuser.pw_dir
 
         if "SHELL" in os.environ:
             os.environ["SHELL"] = pwuser.pw_shell
diff --git a/tests/pytests/integration/cli/test_salt_minion.py b/tests/pytests/integration/cli/test_salt_minion.py
index c0d6013474..bde2dd51d7 100644
--- a/tests/pytests/integration/cli/test_salt_minion.py
+++ b/tests/pytests/integration/cli/test_salt_minion.py
@@ -41,7 +41,7 @@ def test_exit_status_unknown_user(salt_master, minion_id):
         factory = salt_master.salt_minion_daemon(
             minion_id, overrides={"user": "unknown-user"}
         )
-        factory.start(start_timeout=10, max_start_attempts=1)
+        factory.start(start_timeout=30, max_start_attempts=1)
 
     assert exc.value.process_result.returncode == salt.defaults.exitcodes.EX_NOUSER
     assert "The user is not available." in exc.value.process_result.stderr
@@ -53,7 +53,7 @@ def test_exit_status_unknown_argument(salt_master, minion_id):
     """
     with pytest.raises(FactoryNotStarted) as exc:
         factory = salt_master.salt_minion_daemon(minion_id)
-        factory.start("--unknown-argument", start_timeout=10, max_start_attempts=1)
+        factory.start("--unknown-argument", start_timeout=30, max_start_attempts=1)
 
     assert exc.value.process_result.returncode == salt.defaults.exitcodes.EX_USAGE
     assert "Usage" in exc.value.process_result.stderr
-- 
2.41.0