From cd64a94b4c5ad8cbeec6981e29923d8a97fa9116 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Wed, 10 Oct 2012 14:17:12 -0700
Subject: [PATCH] Run salt master as non root user.

The salt master service should not run as root. Run it as salt instead.

Change-Id: Ia5cdedf8c98684e25c5d88c59130cae3361c9fc3
Reviewed-on: https://review.openstack.org/14311
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
---
 modules/salt/manifests/master.pp  | 26 +++++++++++++++++++++++++-
 modules/salt/templates/master.erb |  2 +-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp
index 729590a33a..19406bc43d 100644
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@@ -18,6 +18,27 @@ class salt::master {
     require => Apt::Ppa['ppa:saltstack/salt'],
   }
 
+  group { 'salt':
+    ensure => present,
+    system => true,
+  }
+
+  user { 'salt':
+    ensure => present,
+    gid    => 'salt',
+    home   => '/home/salt',
+    shell  => '/bin/bash',
+    system => true,
+  }
+
+  file { '/home/salt':
+    ensure  => directory,
+    owner   => 'salt',
+    group   => 'salt',
+    mode    => '0755',
+    require => User['salt'],
+  }
+
   file { '/etc/salt/master':
     ensure => present,
     owner   => 'root',
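Review bot: The new `salt` service account is created with `shell => '/bin/bash'` and a writable home directory, giving a daemon identity an interactive login shell that nothing in this change appears to need. A least-privilege service user would get `shell => '/usr/sbin/nologin'` (or `/bin/false`) so a leaked credential or a `su salt` on the box cannot be turned into a shell; keep `/bin/bash` only if something on the host genuinely logs in as this user, and say so in a comment next to the resource. Separately, the `/etc/salt/master` resource below keeps `owner => 'root'`; its mode is outside the hunk, so confirm it stays readable by the `salt` user (e.g. `0644`) now that the master no longer runs as root. The `file { '/etc/salt/master' }` resource continues past the end of the hunk.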
@@ -31,7 +52,10 @@ class salt::master {
   service { 'salt-master':
     ensure    => running,
     enable    => true,
-    require   => File['/etc/salt/master'],
+    require   => [
+      User['salt'],
+      File['/etc/salt/master'],
+    ],
     subscribe => [
       Package['salt-master'],
       File['/etc/salt/master'],
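Review bot: The service now waits for `User['salt']`, but nothing here orders the home directory or the group ahead of the daemon; Puppet autorequires `Group['salt']` from the user's `gid`, so that part is fine, but if the master is expected to write under `/home/salt` the service should also `require => File['/home/salt']`, e.g. `require => [ User['salt'], File['/home/salt'], File['/etc/salt/master'] ]`. The config file it depends on is root-owned with a mode set outside this hunk; a restart as `salt` will fail to read it unless that mode is world- or group-readable, so worth verifying rather than assuming. The `service` resource body continues past the end of the hunk.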
diff --git a/modules/salt/templates/master.erb b/modules/salt/templates/master.erb
index ad73a74568..30fbfe2658 100644
--- a/modules/salt/templates/master.erb
+++ b/modules/salt/templates/master.erb
@@ -18,7 +18,7 @@
 # The user to run the salt-master as. Salt will update all permissions to
 # allow the specified user to run the master. If the modified files cause
 # conflicts set verify_env to False.
-#user: root
+user: salt
 
 # Max open files
 # Each minion connecting to the master uses AT LEAST one file descriptor, the
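Review bot: Setting `user: salt` relies on the behaviour described two lines above — Salt re-chowns its pki, cache, log and run directories to the configured user at start — so the master's private key and the accepted-minion keys under the pki directory become owned by `salt` after the first restart. Any Puppet `file` resource elsewhere in the module that pins those paths to `root` will then flip ownership back on every run and the master will fail to start until Salt chowns them again; I cannot see such resources from here, but it is the usual failure mode of this change and is worth a comment here, e.g. `# Ownership of /etc/salt/pki, /var/cache/salt, /var/log/salt is managed by salt-master itself (verify_env); do not pin these to root in Puppet.` If this master has already run as root, the first start after this change is what migrates the existing root-owned state, so the restart should be watched rather than assumed clean. The default master ports are, to my recollection, above 1024, so no extra capability should be needed for the unprivileged user.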