Set user and/or group when starting daemons/CLIs

Signed-off-by: Pedro Algarvio <[email protected]>

salt/cli/api.py

@@ -12,7 +12,7 @@
 import salt.client.netapi
 import salt.utils.files
 import salt.utils.parsers as parsers
-from salt.utils.verify import check_user
+from salt.utils.verify import check_group
 
 log = logging.getLogger(__name__)
 
@@ -47,7 +47,7 @@ def start(self):
         NOTE: Run any required code before calling `super()`.
         """
         super().start()
-        if check_user(self.config["user"]):
+        if check_group(self.config["user"], group=self.config.get("group")):
             log.info("The salt-api is starting up")
             self.api.run()
 

salt/cli/call.py

@@ -4,6 +4,7 @@
 import salt.defaults.exitcodes
 import salt.utils.parsers
 from salt.config import _expand_glob_path
+from salt.utils.verify import check_group
 
 
 class SaltCall(salt.utils.parsers.SaltCallOptionParser):
@@ -37,14 +38,15 @@ def run(self):
         if self.options.master:
             self.config["master"] = self.options.master
 
-        caller = salt.cli.caller.Caller.factory(self.config)
+        if check_group(self.config["user"], group=self.config.get("group")):
+            caller = salt.cli.caller.Caller.factory(self.config)
 
-        if self.options.doc:
-            caller.print_docs()
-            self.exit(salt.defaults.exitcodes.EX_OK)
+            if self.options.doc:
+                caller.print_docs()
+                self.exit(salt.defaults.exitcodes.EX_OK)
 
-        if self.options.grains_run:
-            caller.print_grains()
-            self.exit(salt.defaults.exitcodes.EX_OK)
+            if self.options.grains_run:
+                caller.print_grains()
+                self.exit(salt.defaults.exitcodes.EX_OK)
 
-        caller.run()
+            caller.run()

salt/cli/cp.py

@@ -22,6 +22,7 @@
 import salt.utils.platform
 import salt.utils.stringutils
 import salt.utils.verify
+from salt.utils.verify import check_group
 
 log = logging.getLogger(__name__)
 
@@ -36,8 +37,9 @@ def run(self):
         Execute salt-cp
         """
         self.parse_args()
-        cp_ = SaltCP(self.config)
-        cp_.run()
+        if check_group(self.config["user"], group=self.config.get("group")):
+            cp_ = SaltCP(self.config)
+            cp_.run()
 
 
 class SaltCP:

salt/cli/daemons.py

@@ -45,7 +45,7 @@
 try:
     import salt.utils.parsers
     from salt.utils.network import ip_bracket
-    from salt.utils.verify import check_user, verify_env, verify_socket
+    from salt.utils.verify import check_group, verify_env, verify_socket
 except ImportError as exc:
     if exc.args[0] != "No module named _msgpack":
         raise
@@ -198,7 +198,7 @@ def start(self):
         NOTE: Run any required code before calling `super()`.
         """
         super().start()
-        if check_user(self.config["user"]):
+        if check_group(self.config["user"], group=self.config.get("group")):
             self.action_log_info("Starting up")
             self.verify_hash_type()
             self.master.start()
@@ -288,8 +288,6 @@ def prepare(self):
             self.action_log_info("An instance is already running. Exiting")
             self.shutdown(1)
 
-        transport = self.config.get("transport").lower()
-
         try:
             # Late import so logging works correctly
             import salt.minion
@@ -323,15 +321,15 @@ def start(self):
         while True:
             try:
                 self._real_start()
-            except SaltClientError as exc:
+            except SaltClientError:
                 # Restart for multi_master failover when daemonized
                 if self.options.daemon:
                     continue
             break
 
     def _real_start(self):
         try:
-            if check_user(self.config["user"]):
+            if check_group(self.config["user"], group=self.config.get("group")):
                 self.action_log_info("Starting up")
                 self.verify_hash_type()
                 self.minion.tune_in()
@@ -361,7 +359,7 @@ def call(self, cleanup_protecteds):
         """
         try:
             self.prepare()
-            if check_user(self.config["user"]):
+            if check_group(self.config["user"], group=self.config.get("group")):
                 self.minion.opts["__role"] = kinds.APPL_KIND_NAMES[
                     kinds.applKinds.caller
                 ]
@@ -504,7 +502,7 @@ def start(self):
         """
         super().start()
         try:
-            if check_user(self.config["user"]):
+            if check_group(self.config["user"], group=self.config.get("group")):
                 self.action_log_info("The Proxy Minion is starting up")
                 self.verify_hash_type()
                 self.minion.tune_in()
@@ -594,7 +592,7 @@ def start(self):
         NOTE: Run any required code before calling `super()`.
         """
         super().start()
-        if check_user(self.config["user"]):
+        if check_group(self.config["user"], group=self.config.get("group")):
             self.action_log_info("Starting up")
             self.verify_hash_type()
             try:

salt/cli/key.py

@@ -1,5 +1,5 @@
 import salt.utils.parsers
-from salt.utils.verify import check_user
+from salt.utils.verify import check_group
 
 
 class SaltKey(salt.utils.parsers.SaltKeyOptionParser):
@@ -16,5 +16,5 @@ def run(self):
         self.parse_args()
 
         key = salt.key.KeyCLI(self.config)
-        if check_user(self.config["user"]):
+        if check_group(self.config["user"], group=self.config.get("group")):
             key.run()

salt/cli/run.py

@@ -2,7 +2,7 @@
 import salt.utils.parsers
 import salt.utils.profile
 from salt.exceptions import SaltClientError
-from salt.utils.verify import check_user
+from salt.utils.verify import check_group
 
 
 class SaltRun(salt.utils.parsers.SaltRunOptionParser):
@@ -28,7 +28,7 @@ def run(self):
         # Run this here so SystemExit isn't raised anywhere else when
         # someone tries to use the runners via the python API
         try:
-            if check_user(self.config["user"]):
+            if check_group(self.config["user"], group=self.config.get("group")):
                 pr = salt.utils.profile.activate_profile(profiling_enabled)
                 try:
                     ret = runner.run()

salt/cli/salt.py

@@ -18,6 +18,7 @@
     SaltSystemExit,
 )
 from salt.utils.args import yamlify_arg
+from salt.utils.verify import check_group
 
 
 class SaltCMD(salt.utils.parsers.SaltCMDOptionParser):
@@ -33,6 +34,9 @@ def run(self):
 
         self.parse_args()
 
+        if not check_group(self.config["user"], group=self.config.get("group")):
+            sys.exit(salt.defaults.exitcodes.EX_GENERIC)
+
         try:
             # We don't need to bail on config file permission errors
             # if the CLI process is run with the -a flag

salt/cli/spm.py

@@ -6,11 +6,12 @@
 
 .. versionadded:: 2015.8.0
 """
+import sys
 
-
+import salt.defaults.exitcodes
 import salt.spm
 import salt.utils.parsers as parsers
-from salt.utils.verify import verify_env
+from salt.utils.verify import check_group, verify_env
 
 
 class SPM(parsers.SPMParser):
@@ -22,8 +23,10 @@ def run(self):
         """
         Run the api
         """
-        ui = salt.spm.SPMCmdlineInterface()
         self.parse_args()
+        if not check_group(self.config["user"], group=self.config.get("group")):
+            sys.exit(salt.defaults.exitcodes.EX_GENERIC)
+        ui = salt.spm.SPMCmdlineInterface()
         v_dirs = [
             self.config["spm_cache_dir"],
         ]

salt/cli/ssh.py

@@ -1,7 +1,9 @@
 import sys
 
 import salt.client.ssh
+import salt.defaults.exitcodes
 import salt.utils.parsers
+from salt.utils.verify import check_group
 
 
 class SaltSSH(salt.utils.parsers.SaltSSHOptionParser):
@@ -15,6 +17,9 @@ def run(self):
             # that won't be used anyways with -H or --hosts
         self.parse_args()
 
+        if not check_group(self.config["user"], group=self.config.get("group")):
+            sys.exit(salt.defaults.exitcodes.EX_GENERIC)
+
         ssh = salt.client.ssh.SSH(self.config)
         try:
             ssh.run()

salt/config/__init__.py

@@ -177,6 +177,8 @@ def _gather_buffer_space():
         "key_cache": str,
         # The user under which the daemon should run
         "user": str,
+        # The group under which the daemon should run
+        "group": str,
         # The root directory prepended to these options: pki_dir, cachedir,
         # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
         # key_logfile, pidfile:
@@ -1017,6 +1019,7 @@ def _gather_buffer_space():
         "master_sign_key_name": "master_sign",
         "syndic_finger": "",
         "user": salt.utils.user.get_user(),
+        "group": None,
         "root_dir": salt.syspaths.ROOT_DIR,
         "pki_dir": os.path.join(salt.syspaths.LIB_STATE_DIR, "pki", "minion"),
         "id": "",
@@ -1307,6 +1310,7 @@ def _gather_buffer_space():
         "pub_hwm": 1000,
         "auth_mode": 1,
         "user": _MASTER_USER,
+        "group": None,
         "worker_threads": 5,
         "sock_dir": os.path.join(salt.syspaths.SOCK_DIR, "master"),
         "sock_pool_size": 1,
@@ -2466,6 +2470,7 @@ def syndic_config(
             )
         ),
         "user": opts.get("syndic_user", opts["user"]),
+        "group": opts.get("syndic_group", opts.get("group")),
         "sock_dir": os.path.join(
             opts["cachedir"], opts.get("syndic_sock_dir", opts["sock_dir"])
         ),
@@ -2875,7 +2880,7 @@ def apply_vm_profiles_config(providers, overrides, defaults=None):
     vms = {}
 
     for key, val in config.items():
-        if key in ("conf_file", "include", "default_include", "user"):
+        if key in ("conf_file", "include", "default_include", "user", "group"):
             continue
         if not isinstance(val, dict):
             raise salt.exceptions.SaltCloudConfigError(
@@ -3035,7 +3040,7 @@ def apply_cloud_providers_config(overrides, defaults=None):
     providers = {}
     ext_count = 0
     for key, val in config.items():
-        if key in ("conf_file", "include", "default_include", "user"):
+        if key in ("conf_file", "include", "default_include", "user", "group"):
             continue
 
         if not isinstance(val, (list, tuple)):

salt/utils/user.py

@@ -2,8 +2,6 @@
 Functions for querying and modifying a user account and the groups to which it
 belongs.
 """
-
-
 import ctypes
 import getpass
 import logging
@@ -12,11 +10,9 @@
 
 import salt.utils.path
 import salt.utils.platform
-import salt.utils.stringutils
 from salt.exceptions import CommandExecutionError
 from salt.utils.decorators.jinja import jinja_filter
 
-# Conditional imports
 try:
     import pwd
 
@@ -53,14 +49,12 @@ def get_user():
     Get the current user
     """
     if HAS_PWD:
-        ret = pwd.getpwuid(os.geteuid()).pw_name
-    elif HAS_WIN_FUNCTIONS and salt.utils.win_functions.HAS_WIN32:
-        ret = salt.utils.win_functions.get_current_user()
-    else:
-        raise CommandExecutionError(
-            "Required external library (pwd or win32api) not installed"
-        )
-    return salt.utils.stringutils.to_unicode(ret)
+        return pwd.getpwuid(os.geteuid()).pw_name
+    if HAS_WIN_FUNCTIONS and salt.utils.win_functions.HAS_WIN32:
+        return salt.utils.win_functions.get_current_user()
+    raise CommandExecutionError(
+        "Required external library (pwd or win32api) not installed"
+    )
 
 
 @jinja_filter("get_uid")

salt/utils/verify.py

@@ -326,10 +326,7 @@ def check_user(user):
     pwuser = _get_pwnam(user)
 
     try:
-        if hasattr(os, "initgroups"):
-            os.initgroups(user, pwuser.pw_gid)  # pylint: disable=minimum-python-version
-        else:
-            os.setgroups(salt.utils.user.get_gid_list(user, include_default=False))
+        os.initgroups(user, pwuser.pw_gid)
         os.setgid(pwuser.pw_gid)
         os.setuid(pwuser.pw_uid)
 
@@ -351,6 +348,42 @@ def check_user(user):
     return True
 
 
+def check_group(user, group=None):
+    """
+    Check user and group and assign process uid and gid.
+
+    .. versionadded:: 3006.1
+    """
+    if salt.utils.platform.is_windows():
+        return True
+
+    if check_user(user) is False:
+        return
+
+    # Late import after confirming we're not running under windows
+    import grp
+
+    default_group = grp.getgrgid(_get_pwnam(user).pw_gid).gr_name
+    if group is None:
+        # If no group is passed, default to the passed user's default group
+        group = default_group
+
+    if group == default_group:
+        # No need to switch process group
+        return True
+
+    group_gid = grp.getgrgid(group).pw_gid
+
+    try:
+        os.setgid(group_gid)
+    except OSError:
+        log.critical(
+            'Salt configured to run as group "%s" but unable to switch.', group
+        )
+        return False
+    return True
+
+
 def list_path_traversal(path):
     """
     Returns a full list of directories leading up to, and including, a path.