From 77b505ab990b9512e52e9bc15dd46a0c7238b5b3a95447a8a0dc4a3d2c36e65d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?= Date: Mon, 27 Nov 2017 17:18:19 +0000 Subject: [PATCH] Accepting request 546088 from home:mdinca:branches:systemsmanagement:saltstack - Run salt master as dedicated salt user - Run salt-api as user salt (bsc#1064520) - Added: * run-salt-master-as-dedicated-salt-user.patch * run-salt-api-as-user-salt-bsc-1064520.patch OBS-URL: https://build.opensuse.org/request/show/546088 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=101 --- _service | 21 --------- run-salt-api-as-user-salt-bsc-1064520.patch | 24 ++++++++++ run-salt-master-as-dedicated-salt-user.patch | 46 ++++++++++++++++++++ salt.changes | 11 +++++ salt.spec | 22 ++++++---- 5 files changed, 94 insertions(+), 30 deletions(-) delete mode 100644 _service create mode 100644 run-salt-api-as-user-salt-bsc-1064520.patch create mode 100644 run-salt-master-as-dedicated-salt-user.patch diff --git a/_service b/_service deleted file mode 100644 index 0a766ae..0000000 --- a/_service +++ /dev/null @@ -1,21 +0,0 @@ - - - git - https://github.com/opensuse/salt.git - .git - package - openSUSE-2017.7.2-python3-only - - - *package*.tar - - */obs/* - */scripts/suse/zypper/plugins/commit/zyppnotify - - - - _service:extract_file:salt-2017.7.2.tar.gz - sha256 - ff3bc7de5abf01b8acbd144db5811b00867179b2353f5c6f7f19241e2eff2840 - - diff --git a/run-salt-api-as-user-salt-bsc-1064520.patch b/run-salt-api-as-user-salt-bsc-1064520.patch new file mode 100644 index 0000000..959a81d --- /dev/null +++ b/run-salt-api-as-user-salt-bsc-1064520.patch 
@@ -0,0 +1,24 @@
+From 8f81bee8d8929cc4cd30dabc7cbc92d2cba9760e Mon Sep 17 00:00:00 2001
+From: Christian Lanig
+Date: Mon, 27 Nov 2017 13:10:26 +0100
+Subject: [PATCH 2/2] Run salt-api as user salt (bsc#1064520)
+
+---
+ pkg/salt-api.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pkg/salt-api.service b/pkg/salt-api.service
+index 7ca582dfb4..bf513e4dbd 100644
+--- a/pkg/salt-api.service
++++ b/pkg/salt-api.service
+@@ -6,6 +6,7 @@ After=network.target
+ [Service]
+ Type=notify
+ NotifyAccess=all
++User=salt
+ LimitNOFILE=8192
+ ExecStart=/usr/bin/salt-api
+ TimeoutStopSec=3
+--
+2.14.2
+
diff --git a/run-salt-master-as-dedicated-salt-user.patch b/run-salt-master-as-dedicated-salt-user.patch
new file mode 100644
index 0000000..e6e11e7
--- /dev/null
+++ b/run-salt-master-as-dedicated-salt-user.patch
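Review bot: `User=salt` is added to `[Service]` in pkg/salt-api.service with no explicit `Group=` and nothing that checks the files salt-api reads and writes are already owned by that account, so an upgrade from a root-run install may leave the service unable to start or log. systemd falls back to the user's primary group, which is probably the intent, but `Group=salt` next to the new line would state it. As the change is about dropping root, `NoNewPrivileges=true` in the same section would also stop the process regaining privileges through setuid binaries. `NotifyAccess=all` is unchanged context; whether it can be narrowed to `NotifyAccess=main` depends on which process sends the readiness notification, which this hunk does not show.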
@@ -0,0 +1,46 @@ +From 3902fe4183d169808b9d248b9b963926035ba954 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= +Date: Wed, 20 Jan 2016 11:01:06 +0100 +Subject: [PATCH 1/2] Run salt master as dedicated salt user + +* Minion runs always as a root +--- + conf/master | 3 ++- + pkg/salt-common.logrotate | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/conf/master b/conf/master +index abfc1fa808..bd28f6d406 100644 +--- a/conf/master ++++ b/conf/master +@@ -25,7 +25,8 @@ + # permissions to allow the specified user to run the master. The exception is + # the job cache, which must be deleted if this user is changed. If the + # modified files cause conflicts, set verify_env to False. +-#user: root ++user: salt ++syndic_user: salt + + # The port used by the communication interface. The ret (return) port is the + # interface used for the file server, authentication, job returns, etc. +diff --git a/pkg/salt-common.logrotate b/pkg/salt-common.logrotate +index 3cd002308e..0d99d1b801 100644 +--- a/pkg/salt-common.logrotate ++++ b/pkg/salt-common.logrotate +@@ -1,4 +1,5 @@ + /var/log/salt/master { ++ su salt salt + weekly + missingok + rotate 7 +@@ -15,6 +16,7 @@ + } + + /var/log/salt/key { ++ su salt salt + weekly + missingok + rotate 7 +-- +2.14.2 + diff --git a/salt.changes b/salt.changes index 952c174..e4c5a33 100644 --- a/salt.changes +++ b/salt.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Nov 27 17:13:03 UTC 2017 - mihai.dinca@suse.com + +- Run salt master as dedicated salt user +- Run salt-api as user salt (bsc#1064520) + +- Added: + * run-salt-master-as-dedicated-salt-user.patch + * run-salt-api-as-user-salt-bsc-1064520.patch + +------------------------------------------------------------------- Fri Nov 9 10:22:08 UTC 2017 - mdinca@suse.de - Update to 2017.7.2 diff --git a/salt.spec b/salt.spec index 73b84d7..0742ba1 100644 --- a/salt.spec +++ b/salt.spec 
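Review bot: Switching the shipped default to `user: salt` (and `syndic_user: salt`) in conf/master changes file-ownership expectations on upgrade, and the context comment directly above the changed lines says the job cache must be deleted when this user changes; nothing in this patch handles that for installs that previously ran the master as root. In pkg/salt-common.logrotate, `su salt salt` is added only to the `/var/log/salt/master` and `/var/log/salt/key` stanzas. The stanzas between them lie outside the two hunks, so it is worth confirming whether a log stanza for salt-api exists there, since the second patch moves that service to the same user. A short comment above each new line, e.g. `# rotate as the owning user; the log directory is writable by salt`, would record why the directive is needed.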
@@ -1,7 +1,7 @@ # # spec file for package salt # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -57,10 +57,12 @@ Patch3: multiprocessing-minion-option-documentation-fixes.patch Patch4: introduce-process_count_max-minion-configuration-par.patch Patch5: bugfix-always-return-a-string-list-on-unknown-job-ta.patch Patch6: enable-with-salt-version-parameter-for-setup.py-scri.patch +Patch7: run-salt-master-as-dedicated-salt-user.patch +Patch8: run-salt-api-as-user-salt-bsc-1064520.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: python-rpm-macros BuildRequires: logrotate +BuildRequires: python-rpm-macros BuildRequires: python3 BuildRequires: python3-devel # requirements/base.txt @@ -70,11 +72,11 @@ BuildRequires: python3-jinja2 BuildRequires: python3-Jinja2 %endif BuildRequires: python3-MarkupSafe +BuildRequires: python3-PyYAML BuildRequires: python3-msgpack-python > 0.3 BuildRequires: python3-psutil BuildRequires: python3-requests >= 1.0.0 BuildRequires: python3-tornado >= 4.2.1 -BuildRequires: python3-PyYAML # requirements/zeromq.txt BuildRequires: python3-pycrypto >= 2.6.1 @@ -110,8 +112,8 @@ Requires(pre): dbus-1 Requires(pre): dbus %endif -Requires: procps Requires: logrotate +Requires: procps Requires: python3 # %if ! 0%{?suse_version} > 1110 
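Review bot: `Patch7` and `Patch8` are registered in salt.spec with no comment on their origin or upstream status, although together they change the account the master and salt-api run as. A tag line above each, for example `# PATCH-FIX-OPENSUSE bsc#1064520 - run salt-api as user salt` above `Patch8`, would let a later maintainer see why the patch is carried and whether it can be dropped on a version bump. The visible spec hunks only add the patches and reorder dependencies; creation of the salt account for the api subpackage and ownership in `%files` are not part of this diff, so they should be checked in the full spec.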
@@ -119,20 +121,20 @@ Requires: python3-certifi %endif # requirements/base.txt %if 0%{?rhel} -Requires: python3-jinja2 -Requires: yum +Requires: python3-jinja2 +Requires: yum %if 0%{?rhel} == 6 -Requires: yum-plugin-security +Requires: yum-plugin-security %endif %else -Requires: python3-Jinja2 +Requires: python3-Jinja2 %endif Requires: python3-MarkupSafe +Requires: python3-PyYAML Requires: python3-msgpack-python > 0.3 Requires: python3-psutil Requires: python3-requests >= 1.0.0 Requires: python3-tornado >= 4.2.1 -Requires: python3-PyYAML %if 0%{?suse_version} # required for zypper.py Requires: python3-rpm @@ -402,6 +404,8 @@ cp %{S:6} ./zyppnotify %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build %{__python3} setup.py --salt-transport=both build