
Does a SaltStack Master/Minion auto 'sudo' when running as a non root user?


When running SaltStack, for security reasons I don't want them to run as root, although I would not mind creating a new 'salt' user with NOPASS sudo access to run the salt minion / master on.

My question is: even though the documentation here (https://docs.saltstack.com/en/latest/ref/configuration/nonroot.html) says that we can configure salt to run as a non-root user, does it append sudo to normal commands instead, or does it lose that functionality entirely?

Additional Research: Both the master and the minion config files have an option for setting the user to anything other than root, but the minion config file also has an option to set up a sudo-user, which defaults to saltdev but which I changed to root. I'm not sure if this implies that the minion should sudo and use the root account or not. If so, why is this not present in the master config file?


Solution

  • The direct answer to the title question is NO. As stated in the docs:

    [...] running the minion as an unprivileged user will keep it from making changes to things like users, installed packages, etc. unless access controls (sudo, etc.) are setup on the minion to permit the non-root user to make the needed changes.

    In order to set up sudo on the minion you should use the sudo_user config. After setting a user in this variable, Salt will invoke the salt.module.sudo every time a command is issued to this minion.

    This sudo option is only available on the minion because the execution of commands on hosts is intended to be made only by the minion. Even if you are managing your master with Salt, the minion inside the master is what runs the commands.
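
A consistency check for the setup discussed above, as an added example that is not part of the original post or Salt's own code: it reads a minion config and a sudoers file and reports whether the non-root `user` can run `salt-call` as `sudo_user` without a password prompt. The sample files, the `/usr/bin/salt-call` path, the `audit` helper and the premise that the minion wraps calls as `sudo -u <sudo_user> salt-call` are assumptions, not text from the page.

```python
import re

# Constructed sample inputs (not taken from the original post).
MINION_CFG = "user: salt\nsudo_user: root\n"
SUDOERS = "# /etc/sudoers.d/salt (constructed)\nsalt ALL=(root) NOPASSWD: /usr/bin/salt-call\n"

# user  host = (runas)  [NOPASSWD:]  command list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")

def parse_flat_yaml(text):
    """Read top-level 'key: value' pairs; enough for the two options checked here."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):\s*(\S+)$", line.split("#", 1)[0].rstrip())
        if m:
            cfg[m.group(1)] = m.group(2).strip("'\"")
    return cfg

def audit(minion_text, sudoers_text):
    """Return a list of findings; an empty list means the two files agree."""
    cfg = parse_flat_yaml(minion_text)
    user = cfg.get("user", "root")          # the minion runs as root unless told otherwise
    target = cfg.get("sudo_user")
    if user == "root":
        return ["minion runs as root; sudo_user is not needed"]
    if not target:
        return [f"minion runs as {user} with no sudo_user: privileged changes need other access controls"]
    rules = [m for m in map(RULE.match, sudoers_text.splitlines()) if m and m.group(1) == user]
    usable = []
    for r in rules:
        runas = set(re.split(r"[,\s:]+", r.group(2).strip()))
        # A password prompt would hang a non-interactive minion, so require NOPASSWD.
        if r.group(3) and (target in runas or "ALL" in runas):
            usable.append(r)
    if not usable:
        return [f"no NOPASSWD sudoers rule lets {user} run commands as {target}"]
    findings = []
    for r in usable:
        cmds = [c.strip() for c in r.group(4).split(",") if c.strip()]
        if "ALL" in cmds:
            findings.append(f"rule for {user} allows ALL commands, not just salt-call")
        elif not any(c.split()[0].endswith("/salt-call") for c in cmds):
            findings.append(f"rule for {user} does not cover salt-call")
    return findings

if __name__ == "__main__":
    print(audit(MINION_CFG, SUDOERS) or "minion config and sudoers agree")
```

A rule limited to `salt-call` still lets the `salt` account run any execution module as the target user, so with `sudo_user: root` that account is root-equivalent and should be protected accordingly.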