salt-call and salt-pip honor configured user #68685
Merged
dwoz merged 2 commits into saltstack:3006.x from Mar 12, 2026
twangboy previously approved these changes Feb 10, 2026
twangboy previously approved these changes Feb 25, 2026
twangboy previously approved these changes Feb 27, 2026
bdrx312 reviewed Mar 2, 2026
This change ensures that Salt file and directory ownership is correctly detected and preserved during upgrades, and that salt-call and salt-pip correctly honor the configured user for privilege dropping.

Core Changes:
- Update salt-pip to detect the configured user and drop privileges when run as root, ensuring files in the onedir 'extras' directory maintain correct ownership.
- Update salt-call to properly distinguish between the configured user (for environment verification/ownership) and the execution user (provided via --priv), preventing accidental ownership resets to root when running maintenance tasks.

RPM Changes:
- Implement robust ownership detection in %pre by checking runtime PID files, PKI directories, and cache paths.
- Restore ownership in %post and %posttrans for all critical Salt paths, including the onedir installation directory (/opt/saltstack/salt) and extras directories.
- Fix a bug in %posttrans where upgrades were incorrectly detected as fresh installs. A marker file is now used for reliable state transition.
- Clean up debug logging and fix shell logic errors in the spec file.

Debian Changes:
- Prevent usermod from resetting the salt user's shell in preinst, ensuring salt-call and salt-pip remain functional after upgrade.
- Ensure onedir installation paths are included in ownership management.
- Update service postinst scripts to only apply default ownership on fresh installs, preventing resets during upgrades.

Test and Tooling Changes:
- Update Debian upgrade tests to use exact version pinning.
- Add comprehensive upgrade tests to verify ownership preservation and the functionality of salt-call and salt-pip under non-root configurations.
- Remove temporary relenv runtime patches from build rules.

Fixes saltstack#68684

- Add ci_build_pkg and ci_test_pkg tools to salt-test MCP server
- Generalize MCP server launcher to work across different worktrees
- Update agents documentation for package building
- Add changelog entry and update work summary
twangboy approved these changes Mar 12, 2026
Fixes #68684, #68777
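
An added example, not code from this pull request or from Salt: one way to check the ownership preservation the commit message describes, by recording (uid, gid) for every path in a tree before an upgrade and reporting paths whose owner changed afterwards. The function names are hypothetical, and a temporary directory with a simulated owner change stands in for the install tree.

```python
import os
import tempfile


def snapshot_ownership(roots):
    """Map every path under the given roots to its (uid, gid).

    Uses lstat and never follows symlinks, so a link planted in a directory
    writable by the unprivileged user cannot redirect the audit elsewhere.
    """
    owners = {}
    for root in roots:
        if not os.path.lexists(root):
            continue  # path is not present on this install
        st = os.lstat(root)
        owners[root] = (st.st_uid, st.st_gid)
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                owners[path] = (st.st_uid, st.st_gid)
    return owners


def ownership_drift(before, after):
    """Return {path: (old_owner, new_owner)} for paths present in both
    snapshots whose owner changed; added or removed paths are ignored."""
    return {
        path: (before[path], after[path])
        for path in sorted(before.keys() & after.keys())
        if before[path] != after[path]
    }


def demo():
    """Constructed tree standing in for an install; no real Salt path is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        extras = os.path.join(tmp, "extras")
        os.makedirs(extras)
        module = os.path.join(extras, "module.py")
        open(module, "w").close()
        before = snapshot_ownership([tmp])
        after = dict(before)
        uid, gid = before[module]
        after[module] = (uid + 1, gid)  # simulated owner change after an upgrade
        return before, ownership_drift(before, after), module


if __name__ == "__main__":
    print(demo()[1])
```
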