salt: [DOCS] cmd.run does not run as the user's default gid
Description of Issue
With salt 2018.3.4, using runas in a cmd.run would run the command with the uid and gid of the user account requested.
In 2019.2.0, it runs with the uid of the user account, but the gid is set to root.
Adding the kwarg group to the state resolves this - but this is not mentioned in the docs.
Setup
# cat > /etc/salt/minion.d/localminion.conf <<EOF
use_master_when_local: False
file_client: local
EOF
# mkdir -p /srv/salt
# cat > /srv/salt/test.sls <<EOF
runas salt:
  cmd.run:
    - name: id
    - runas: salt
runas salt with group:
  cmd.run:
    - name: id
    - runas: salt
    - group: salt
EOF
# useradd -m -k /etc/skel -s /bin/bash salt
Steps to Reproduce Issue
# salt-call state.apply test
local:
----------
          ID: runas salt
    Function: cmd.run
        Name: id
      Result: True
     Comment: Command "id" run
     Started: 10:11:12.416785
    Duration: 53.337 ms
     Changes:
              ----------
              pid:
                  2082
              retcode:
                  0
              stderr:
              stdout:
                  uid=1009(salt) gid=0(root) groups=0(root),1010(salt) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
----------
          ID: runas salt with group
    Function: cmd.run
        Name: id
      Result: True
     Comment: Command "id" run
     Started: 10:11:12.470421
    Duration: 56.659 ms
     Changes:
              ----------
              pid:
                  2098
              retcode:
                  0
              stderr:
              stdout:
                  uid=1009(salt) gid=1010(salt) groups=1010(salt) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Summary for local
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 109.996 ms
Versions Report
# salt-call --versions-report
Salt Version:
Salt: 2019.2.0
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.5.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Jun 20 2019, 20:27:34)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.27.2.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 Core
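A check for the symptom shown in the state output above, as an added example that is not part of the original issue or of Salt's code: it parses `id` output and reports when the primary gid or the supplementary groups still carry root after `runas`. The function names and the `expected_gid` parameter are assumptions for illustration; the two sample lines are the stdout values from the report.

```python
import re

# Matches the uid=, gid= and groups= fields of `id` output. A trailing SELinux
# "context=..." field, as in the report, is ignored. Assumes names without spaces.
ID_RE = re.compile(
    r"uid=(?P<uid>\d+)\((?P<user>[^)]*)\)\s+"
    r"gid=(?P<gid>\d+)\((?P<group>[^)]*)\)"
    r"(?:\s+groups=(?P<groups>\S+))?"
)


def parse_id(line):
    """Return (uid, gid, set of supplementary gids) from one line of `id` output."""
    m = ID_RE.search(line)
    if m is None:
        raise ValueError("not id output: %r" % line)
    groups = set()
    for entry in (m.group("groups") or "").split(","):
        if entry:
            groups.add(int(entry.split("(", 1)[0]))
    return int(m.group("uid")), int(m.group("gid")), groups


def audit_drop(line, expected_gid):
    """List the ways the identity differs from a complete drop to the runas user.

    expected_gid is the user's primary gid from the passwd database
    (hypothetical parameter; passed in so the check runs offline).
    """
    uid, gid, groups = parse_id(line)
    findings = []
    if gid != expected_gid:
        findings.append("primary gid %d, expected %d" % (gid, expected_gid))
    if uid != 0 and 0 in groups - {expected_gid}:
        findings.append("root group (gid 0) retained in supplementary groups")
    return findings


# The two stdout lines from the state run in the report.
WITHOUT_GROUP = ("uid=1009(salt) gid=0(root) groups=0(root),1010(salt) "
                 "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
WITH_GROUP = ("uid=1009(salt) gid=1010(salt) groups=1010(salt) "
              "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

if __name__ == "__main__":
    for label, line in (("runas only", WITHOUT_GROUP), ("runas + group", WITH_GROUP)):
        print(label, "->", audit_drop(line, expected_gid=1010) or "ok")
```

On a live minion the expected value can come from `pwd.getpwnam(user).pw_gid` instead of a literal.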
About this issue
- State: closed
- Created 5 years ago
- Comments: 18 (13 by maintainers)
Commits related to this issue
- WiP: Use runas user's gid when group not set Potential fix for https://github.com/saltstack/salt/issues/54378. Still a lot to do here, this only impacts `sudo` cases, and is untested. — committed to oeuftete/salt by deleted user 4 years ago
- Add regression test for #54378 — committed to s0undt3ch/salt by s0undt3ch 3 years ago
- Add regression test for #54378 — committed to saltstack/salt by s0undt3ch 3 years ago
- Add regression test for #54378 — committed to truzzon/salt by s0undt3ch 3 years ago
Looks like original fix was here - https://github.com/saltstack/salt/pull/53681
Then it got ported to master here - https://github.com/saltstack/salt/pull/56891
Nice finds, @barneysowood and @dkfsalt.
What’s left for this issue is to get the `group` argument for the `cmd.run` state documented, or maybe spun off into a different issue with a clean start.
Supporting the `group` option in other modules/states that leverage the `cmd` module (like `git` as mentioned in https://github.com/saltstack/salt/issues/54378#issuecomment-647360485) probably should have new issues as well.
Since we didn’t use this ticket for the original regression/fix in Magnesium and we committed to the work, we can update this to be a documentation ticket. @ScriptAutomate likely can help, here, too. I prefer smaller issues written for a small PR, but with docs that can be a bit different, it may make sense to keep it here in this ticket with the history of the comments and all.
Just updated to version 3000.2 and ran into the same issue. When using cmd directly I can work around the issue by providing the desired group. But not all modules which make use of the cmd module (e.g. git) have the possibility to provide group information and therefore do their “work” using group “root”.