salt: runsas broken on Fedora29

The runas option isn’t effective on Fedora 29 with salt-2018.3.2-5.fc29.noarch because getpass.getuser() while running as root is returning the runas username. This affects cmd.run, git.latest, etc. I am running salt from an interactive shell as user me with sudo salt-call ... exclusively, so it might be specific to that use case.

I’ve fixed it for myself with this patch:

--- utils/user.py.orig  2018-06-27 11:04:57.000000000 -0500
+++ utils/user.py       2019-01-04 07:45:21.322476941 -0600
@@ -222,7 +222,9 @@
     Helper method for for subprocess.Popen to initialise uid/gid and umask
     for the new process.
     '''
-    if runas is not None and runas != getpass.getuser():
+#   if runas is not None and runas != getpass.getuser():
+    uinfo = pwd.getpwnam(runas)
+    if os.getuid() != uinfo.pw_uid:
         chugid(runas)
     if umask is not None:
         os.umask(umask)  # pylint: disable=blacklisted-function

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Comments: 18 (9 by maintainers)

Most upvoted comments

Still a problem on Fedora 33, probably for the same reason (both ran as root):

LOGNAME=root python3 -c 'import getpass; print(getpass.getuser())'
root
LOGNAME=marius python3 -c 'import getpass; print(getpass.getuser())'
marius

Worked around by using alias salt-call='LOGNAME=root salt-call'.

+1
mariushoch on Apr 2, 2021

thanks for pointing that out @cdalvaro @c-wicklein does that look like a duplicate of your issue? If so i’ll close here and we can monitor in the other issue.

+1
Ch3LL on Jan 17, 2019
Read more comments on GitHub
← salt: RPM installation fails due to no TLS SNI support on Amazon AMI
salt: Salt 2015.8.5 incompatible with Pip v8.1.2 →