34c4e47c9b
- Allow NamedLoaderContexts to be returned from loader - Revert the change making reactor less blocking (bsc#1230322) - Use --cachedir for extension_modules in salt-call (bsc#1226141) - Prevent using SyncWrapper with no reason - Added: * avoid-explicit-reading-of-etc-salt-minion-bsc-122035.patch * allow-namedloadercontexts-to-be-returned-from-loader.patch * revert-the-change-making-reactor-less-blocking-bsc-1.patch * use-cachedir-for-extension_modules-in-salt-call-bsc-.patch * prevent-using-syncwrapper-with-no-reason.patch OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=259
31 lines
1.1 KiB
Plaintext
31 lines
1.1 KiB
Plaintext
Salt-master as non-root user
|
|
============================
|
|
|
|
With this version of salt the salt-master will run as salt user.
|
|
|
|
Why an extra user
|
|
=================
|
|
|
|
While the current setup runs the master as root user, this is considered a security issue
|
|
and not in line with the other configuration management tools (eg. puppet) which runs as a
|
|
dedicated user.
|
|
|
|
How can I undo the change
|
|
=========================
|
|
|
|
If you would like to make the change before you can do the following steps manually:
|
|
1. change the user parameter in the master configuration
|
|
user: root
|
|
2. update the file permissions:
|
|
as root: chown -R root /etc/salt /var/cache/salt /var/log/salt /var/run/salt
|
|
3. restart the salt-master daemon:
|
|
as root: rcsalt-master restart or systemctl restart salt-master
|
|
|
|
NOTE
|
|
====
|
|
|
|
Running the salt-master daemon as a root user is considers by some a security risk, but
|
|
running as root, enables the pam external auth system, as this system needs root access to check authentication.
|
|
|
|
For more information:
|
|
http://docs.saltstack.com/en/latest/ref/configuration/nonroot.html |