From 1b6c362a9fe952b831259ed2597dce4730d366fe5363ad1bc44db8e7532ca4f6 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 28 May 2013 12:42:56 +0000
Subject: [PATCH] Accepting request 176794 from devel:languages:python updated salt-master with extra security: salt-master daemon running under priviliged user salt (forwarded request 176793 from aboe76)
OBS-URL: https://build.opensuse.org/request/show/176794
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=2
---
 salt-daemon.conf | 2 ++
 salt.changes | 8 ++++++++
 salt.spec | 36 +++++++++++++++++++++++++++---------
 3 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 salt-daemon.conf
diff --git a/salt-daemon.conf b/salt-daemon.conf
new file mode 100644
index 0000000..da49d22
--- /dev/null
+++ b/salt-daemon.conf
@@ -0,0 +1,2 @@
+user: salt
+verify_env: True
diff --git a/salt.changes b/salt.changes
index bdb91c1..399ba0b 100644
--- a/salt.changes
+++ b/salt.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon May 27 20:04:14 UTC 2013 - aboe76@gmail.com
+
+- Updated package spec: security enhancement.
+ added system user salt to run salt-master under privileged user 'salt'
+ added config dirs, master.d/minion.d/syndic.d to add config files.
+ added salt-daemon.conf were salt user is specified under salt-master.
+
 -------------------------------------------------------------------
 Sun May 12 20:18:24 UTC 2013 - aboe76@gmail.com

diff --git a/salt.spec b/salt.spec
index 864d03a..2ea4aec 100644
--- a/salt.spec
+++ b/salt.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package salt
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
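Review bot: The new salt-daemon.conf carries no comment, so an admin reading master.d cannot tell that `user: salt` depends on the account created by the `%pre -n salt-master` scriptlet in salt.spec, or why `verify_env` is set next to it. I would add a header such as `# Run salt-master as the non-root 'salt' system account created by the package's %pre scriptlet.` and `# verify_env: check and set permissions on the master's directories at start-up; keep it on while 'user' is not root.` Nothing visible in this patch changes the ownership of the master's existing key, cache or log directories, so the switch presumably relies on that start-up check; that is worth confirming on an upgraded system where those directories were created by a root-run master.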
@@ -15,13 +15,14 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

+
 Name: salt
 Version: 0.15.1
-Release: 1
-License: Apache-2.0
+Release: 2
 Summary: A parallel remote execution system
-Url: http://saltstack.org/
+License: Apache-2.0
 Group: System/Monitoring
+Url: http://saltstack.org/
 Source0: http://pypi.python.org/packages/source/s/%{name}/%{name}-%{version}.tar.gz
 Source1: %{name}-master
 Source2: %{name}-syndic
@@ -29,25 +30,29 @@ Source3: %{name}-minion
 Source4: %{name}-master.service
 Source5: %{name}-syndic.service
 Source6: %{name}-minion.service
-Source7: %{name}.logrotate
+Source7: %{name}.logrotate
+Source8: %{name}-daemon.conf
+BuildRequires: logrotate
 BuildRequires: python-Jinja2
 BuildRequires: python-M2Crypto
 BuildRequires: python-PyYAML
 BuildRequires: python-msgpack-python
 BuildRequires: python-pycrypto
 BuildRequires: python-pyzmq >= 2.1.9
-BuildRequires: logrotate
+Requires: logrotate
 Requires: python-Jinja2
 Requires: python-M2Crypto
 Requires: python-PyYAML
 Requires: python-msgpack-python
 Requires: python-pycrypto
 Requires: python-pyzmq >= 2.1.9
-Requires: logrotate
 Requires(pre): %fillup_prereq
 Requires(pre): %insserv_prereq
+Requires(pre): /usr/sbin/groupadd
+Requires(pre): /usr/sbin/useradd
+Requires(pre): /usr/sbin/userdel
 %if 0%{?suse_version} >= 1210
-BuildRequires: systemd
+BuildRequires: systemd
 %{?systemd_requires}
 %endif
 %ifarch %{ix86} x86_64
@@ -113,7 +118,9 @@ python setup.py build
 python setup.py install --prefix=%{_prefix} --root=%{buildroot}

 ##missing directories
-mkdir -p %{buildroot}%{_sysconfdir}/salt/
+mkdir -p %{buildroot}%{_sysconfdir}/salt/master.d
+mkdir -p %{buildroot}%{_sysconfdir}/salt/syndic.d
+mkdir -p %{buildroot}%{_sysconfdir}/salt/minion.d
 mkdir -p %{buildroot}%{_sysconfdir}/init.d
 mkdir -p %{buildroot}%{_localstatedir}/log/salt
 mkdir -p %{buildroot}/%{_sysconfdir}/logrotate.d/
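Review bot: `Requires(pre): /usr/sbin/userdel` is added in the `@@ -29,25 +30,29 @@` hunk, but no scriptlet visible in this patch calls userdel; the new `%pre -n salt-master` only uses getent, groupadd and useradd. Unless a removal scriptlet outside these hunks uses it, the line can be dropped so the package does not declare a dependency it never exercises. The three `Requires(pre)` lines also appear to sit in the main package preamble, while the scriptlet that needs them belongs to the salt-master subpackage. If the subpackage preamble (not shown in the hunk) allows it, declaring `Requires(pre): /usr/sbin/groupadd` and `Requires(pre): /usr/sbin/useradd` there puts the ordering guarantee on the package whose %pre actually runs them.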
@@ -139,6 +146,9 @@ install -Dpm 0640 conf/master %{buildroot}%{_sysconfdir}/salt/master
 #
 ##logrotate file
 install -Dpm 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/salt
+#
+##Salt-master daemon user
+install -Dpm 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/salt/master.d/salt-daemon.conf

 %preun -n salt-syndic
 %stop_on_removal salt-syndic
@@ -159,6 +169,10 @@ install -Dpm 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/salt
 %endif
 %insserv_cleanup

+%pre -n salt-master
+getent group salt >/dev/null || /usr/sbin/groupadd -r salt
+getent passwd salt >/dev/null || /usr/sbin/useradd -r -g salt -d /srv/salt -s /bin/false -c "salt-master daemon" salt
+
 %preun -n salt-master
 %stop_on_removal salt-master
 %if 0%{?_unitdir:1}
@@ -203,6 +217,7 @@ install -Dpm 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/salt
 %{_mandir}/man1/salt-syndic.1.*
 %{_sbindir}/rcsalt-syndic
 %{_sysconfdir}/init.d/salt-syndic
+%{_sysconfdir}/salt/syndic.d
 %if 0%{?_unitdir:1}
 %_unitdir/salt-syndic.service
 %endif
@@ -216,6 +231,7 @@ install -Dpm 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/salt
 %{_sbindir}/rcsalt-minion
 %config(noreplace) %{_sysconfdir}/init.d/salt-minion
 %config(noreplace) %{_sysconfdir}/salt/minion
+%{_sysconfdir}/salt/minion.d
 %if 0%{?_unitdir:1}
 %_unitdir/salt-minion.service
 %endif
@@ -235,6 +251,8 @@ install -Dpm 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/salt
 %{_sbindir}/rcsalt-master
 %config(noreplace) %{_sysconfdir}/init.d/salt-master
 %config(noreplace) %{_sysconfdir}/salt/master
+%config(noreplace) %{_sysconfdir}/salt/master.d/salt-daemon.conf
+%{_sysconfdir}/salt/master.d
 %if 0%{?_unitdir:1}
 %_unitdir/salt-master.service
 %endif
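Review bot: The `useradd` line in the new `%pre -n salt-master` scriptlet (hunk `@@ -159,6 +169,10 @@`) sets the service account's home to `/srv/salt`, which is also Salt's default `file_roots` location for the state tree the master serves to minions. A daemon account's home is better kept apart from content it distributes, so that nothing the account writes into its home ends up in the served tree and the tree can stay root-owned; consider `-d <dedicated-home-dir>` (placeholder for a directory that is not served). The `-r` and `-s /bin/false` options are the right choice for a non-login system account. Because `getent passwd salt` makes the package reuse any `salt` account that already exists, a one-line comment such as `# an existing 'salt' account is reused as-is; its shell and groups are not changed` would help whoever audits the account later.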
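Review bot: The three %files additions list the new directories without `%dir`: `%{_sysconfdir}/salt/syndic.d` in the `@@ -203,6 +217,7 @@` hunk, `%{_sysconfdir}/salt/minion.d` in `@@ -216,6 +231,7 @@` and `%{_sysconfdir}/salt/master.d` in `@@ -235,6 +251,8 @@`. A bare directory entry packages the directory and everything below it, so in the salt-master section salt-daemon.conf ends up listed twice, once as `%config(noreplace)` and once as a plain file, which rpmbuild normally reports as a file listed twice. Writing `%dir %{_sysconfdir}/salt/master.d` (and the same for syndic.d and minion.d) packages only the directory itself. That also keeps the directory's owner and mode explicitly under package control, which matters for a location whose drop-ins override the master's settings, including the `user:` it runs as.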