From e4e14d8ea830e9a6bd8f69ba222f1d506e49bf311c6cb6d85226709772a3bada Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 31 Aug 2015 20:59:05 +0000
Subject: [PATCH] Accepting request 327739 from devel:languages:python 1
OBS-URL: https://build.opensuse.org/request/show/327739
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=50
---
README.SUSE | 35 +++++++++++++++++++++++++++++++++++
salt-2015.5.3.tar.gz | 3 ---
salt-2015.5.5.tar.gz | 3 +++
salt.changes | 14 ++++++++++++++
salt.spec | 14 ++++++++++----
5 files changed, 62 insertions(+), 7 deletions(-)
create mode 100644 README.SUSE
delete mode 100644 salt-2015.5.3.tar.gz
create mode 100644 salt-2015.5.5.tar.gz
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..bcf3d73
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,35 @@
+Salt-master as non-root user
+============================
+
+With the latest version of the salt-master package a new user has been added.
+The user salt be used in later versions as the default user for the salt-master daemon.
+
+For now the default user for the salt-master daemon will be root.
+
+Why an extra user
+=================
+
+While the current setup runs the master as root user, this is considered a security issue
+and not in line with the other configuration management tools (eg. puppet) which runs as a
+dedicated user.
+
+How can I make the change
+=========================
+
+If you would like to make the change before you can do the following steps manually:
+1. uncomment the user parameter in the master configuration
+ user: salt
+2. update the file permissions:
+ as root: chown -R salt /etc/salt /var/cache/salt /var/log/salt /var/run/salt
+3. restart the salt-master daemon:
+ as root: rcsalt-master restart or systemctl restart salt-master
+
+NOTE
+====
+
+Running the salt-master daemon as a non-root user has some consequences, some salt operations
+cannot be executed correctly when the master is not running as root, specifically the pam external
+auth system, as this system needs root access to check authentication.
+
+For more information:
+http://docs.saltstack.com/en/latest/ref/configuration/nonroot.html
\ No newline at end of file
diff --git a/salt-2015.5.3.tar.gz b/salt-2015.5.3.tar.gz
deleted file mode 100644
index f327c0e..0000000
--- a/salt-2015.5.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f8b04dc8bd4b00ce803d31ce5fba033c2f20fa38cdc5a3bf54b4c47362fbe853
-size 5389038
diff --git a/salt-2015.5.5.tar.gz b/salt-2015.5.5.tar.gz
new file mode 100644
index 0000000..f4f96cc
--- /dev/null
+++ b/salt-2015.5.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5cd8d317616abab691a83f7fd3f8bcf9ad8aecaa95fcfdc0f6d788de87f0beeb
+size 5526444
diff --git a/salt.changes b/salt.changes index 932e7bd..de76fa9 100644 --- a/salt.changes +++ b/salt.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Aug 18 06:58:18 UTC 2015 - aboe76@gmail.com + +- Updated to Bugfix release 2015.5 + + for more details: + https://github.com/saltstack/salt/blob/develop/doc/topics/releases/2015.5.5.rst + +- Add prereq, for user creation. +- Add creation of salt user in preparation of running the salt-master daemon + as non-root user salt. + https://bugzilla.opensuse.org/show_bug.cgi?id=939831 +- Add README.SUSE with explanation and how to. + ------------------------------------------------------------------- Mon Jul 20 12:22:26 UTC 2015 - bwiedemann@suse.com diff --git a/salt.spec b/salt.spec index c22693f..0a036ac 100644 --- a/salt.spec +++ b/salt.spec @@ -17,14 +17,14 @@ Name: salt -Version: 2015.5.3 +Version: 2015.5.5 Release: 0 Summary: A parallel remote execution system License: Apache-2.0 Group: System/Monitoring Url: http://saltstack.org/ Source0: http://pypi.python.org/packages/source/s/%{name}/%{name}-%{version}.tar.gz - +Source1: README.SUSE # PATCH-FIX-OPENSUSE use-forking-daemon.patch tserong@suse.com -- We don't have python-systemd, so notify can't work Patch1: use-forking-daemon.patch @@ -76,7 +76,10 @@ Requires: python-tornado Requires: python-xml Requires: python-yaml Requires: python-zypp -Requires(pre): %fillup_prereq +Requires(pre): %fillup_prereq +Requires(pre): %{_sbindir}/groupadd +Requires(pre): %{_sbindir}/useradd +Requires(pre): pwdutils %if 0%{?suse_version} < 1210 Requires(pre): %insserv_prereq %endif @@ -239,6 +242,7 @@ Zsh command line completion support for %{name}. %prep %setup -q +cp %{S:1} . %patch1 -p1 %build 
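Review bot: The new `Requires(pre): %{_sbindir}/groupadd` and `Requires(pre): %{_sbindir}/useradd` lines in the salt.spec hunk at new line 76 sit in a package preamble whose `%package` header is outside the hunk, while the scriptlet that calls these tools is `%pre master`. If this preamble belongs to the main `salt` package, the install-ordering guarantee reaches the master scriptlet only indirectly, through whatever dependency `salt-master` has on `salt`. Declaring the same `Requires(pre)` lines in the master subpackage's preamble would state the requirement where it is used. `Requires(pre): pwdutils` also looks redundant next to the two file requirements; if it is kept for older releases, a one-line comment saying so would help.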
@@ -355,6 +359,8 @@ install -Dpm 0644 pkg/zsh_completion.zsh %{buildroot}/etc/zsh_completion.d/%{nam %endif %pre master +getent group salt >/dev/null || %{_sbindir}/groupadd -r salt +getent passwd salt >/dev/null || %{_sbindir}/useradd -r -g salt -d /srv/salt -s /bin/false -c "salt-master daemon" salt %if 0%{?_unitdir:1} %service_add_pre salt-master.service %endif @@ -521,7 +527,7 @@ install -Dpm 0644 pkg/zsh_completion.zsh %{buildroot}/etc/zsh_completion.d/%{nam %config(noreplace) %{_sysconfdir}/logrotate.d/salt %attr(755,root,root)%{python_sitelib}/salt/cloud/deploy/*.sh %{python_sitelib}/* -%doc LICENSE AUTHORS README.rst HACKING.rst +%doc LICENSE AUTHORS README.rst HACKING.rst README.SUSE %if %with_bashcomp
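Review bot: The `useradd` line in `%pre master` sets the new account's home with `-d /srv/salt`, which as far as I know is also Salt's default `file_roots` location for the state tree the master serves to minions. A dedicated home, `-d <dedicated-home-dir>`, would keep the daemon account's home separate from that content. The account is created here but the master still runs as root by default, so a comment such as `# create the salt account; the master only uses it once "user: salt" is set, see README.SUSE` above the two `getent` lines would make that clear. Relatedly, the manual step in README.SUSE runs `chown -R salt` over all of `/etc/salt`, which usually also holds the minion's configuration and keys. Narrowing that to the master's own files would avoid giving the unprivileged account write access to files read by a root-run minion on the same host.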