Fix non-root salt CLI when publisher_acl is configured (#65317)#69484
Merged
Since 3006.3 the master defaults to running as the ``salt`` user.
The runtime/packaging then leaves ``sock_dir`` and ``cachedir`` owned
by ``salt:salt`` with mode ``0o750``. Non-root users authorised
through ``publisher_acl`` (or ``external_auth``) can no longer
traverse those directories to reach ``master_event_pub.ipc`` /
``publish_pull.ipc`` (sock_dir) or their per-user ``.<user>_key``
(cachedir), so the salt CLI fails with::

    [ERROR ] Unable to connect to the salt master publisher at /var/run/salt/master
    Authentication error occurred.
When the operator has explicitly opted into non-root usage by
configuring ``publisher_acl`` or ``external_auth``, add the
world-execute bit to ``sock_dir`` (in ``EventPublisher.run``) and to
``cachedir`` (in ``salt.daemons.masterapi.access_keys``) so other
users can traverse without exposing directory listings. Individual
files inside still rely on their own permissions for read/write
access; this is the same security tradeoff already in place for the
existing ``master_event_pub.ipc`` ``0o660`` chmod next to it.
Fixes saltstack#65317
twangboy
approved these changes
Jun 18, 2026
What does this PR do?
Restores non-root salt CLI access on masters running as the
``salt`` user when ``publisher_acl`` or ``external_auth`` is configured. The master now adds the world-execute bit to ``sock_dir`` and ``cachedir`` so authorised non-root users can traverse into them to reach the IPC sockets and per-user key files.
What issues does this PR fix or reference?
Fixes #65317
Previous Behavior
After upgrading to 3006.3 (where the master defaults to running as the
``salt`` user) non-root callers configured in ``publisher_acl`` lost access to the salt CLI:
Manually loosening ``sock_dir`` got them past that error and onto the next failure:
Both symptoms came from the runtime/packaging leaving
``/var/run/salt/master`` and ``/var/cache/salt/master`` mode ``0o750`` owned by ``salt:salt``. The CLI's ``os.path.exists(publish_pull.ipc)`` check and ``check_path_traversal`` walk of ``cachedir`` both fail because the user has neither read nor execute on those parents.
New Behavior
When ``publisher_acl`` or ``external_auth`` is configured, the master adds the world-execute bit (no world-read) to:
- ``sock_dir``: done in ``EventPublisher.run`` next to the existing ``master_event_pub.ipc`` ``0o660`` chmod, gated on the same condition.
- ``cachedir``: done in ``salt.daemons.masterapi.access_keys`` next to where per-user ``.<user>_key`` files are already being created and chowned.
Directory listings stay hidden; individual sockets/files inside still rely on their own perms (``master_event_pub.ipc`` remains ``0o660`` group ``salt``, key files remain ``0o600`` chowned to their user). The chmod is idempotent and never narrows existing perms. Operators who have not opted into non-root usage (no ``publisher_acl``/``external_auth``) see no change.
Merge requirements satisfied?
(``publisher_acl`` docs at https://docs.saltproject.io/en/latest/ref/publisheracl.html already cover the use case being restored)
Tests
- ``tests/pytests/unit/test_issue_65317_non_root_publisher_acl.py`` (5 cases): asserts ``access_keys`` adds ``o+x`` to ``cachedir`` when ``publisher_acl``/``external_auth`` is set, leaves it untouched without ACLs, preserves more-permissive existing modes, and short-circuits cleanly when ``cachedir`` is missing.
- ``tests/pytests/functional/master/test_event_publisher_perms.py`` (2 cases): spawns the ``EventPublisher`` process and verifies ``sock_dir`` ends up with ``o+x`` when ``publisher_acl`` is configured, and is left alone otherwise.
Yes
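The gating and permission behaviour described in this PR (world-execute only, idempotent, never narrowing, skipped without ``publisher_acl``/``external_auth`` or when the directory is missing), written out as an added stand-alone illustration rather than Salt's own ``access_keys`` or ``EventPublisher.run`` code; ``ensure_world_traversable`` is a hypothetical helper and the temporary directory stands in for ``cachedir``.

```python
import os
import stat
import tempfile


def non_root_access_configured(opts):
    """Gate on the operator having opted into non-root CLI use.

    Assumption: a non-empty publisher_acl or external_auth in the
    master opts is the opt-in signal described in the PR.
    """
    return bool(opts.get("publisher_acl")) or bool(opts.get("external_auth"))


def ensure_world_traversable(path, opts):
    """Add o+x (never o+r or o+w) to ``path`` so other users can traverse
    into it.  Returns the resulting mode, or None when nothing was done."""
    if not non_root_access_configured(opts):
        return None
    if not os.path.isdir(path):  # short-circuit cleanly if the dir is missing
        return None
    current = stat.S_IMODE(os.stat(path).st_mode)
    wanted = current | stat.S_IXOTH  # OR-ing only widens: idempotent, never narrows
    if wanted != current:
        os.chmod(path, wanted)
    return wanted


def demo():
    """Constructed scenario: a 0o750 directory like the packaged cachedir,
    exercised with and without ACLs, re-applied, and with a wider mode."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        cachedir = os.path.join(root, "master")
        os.mkdir(cachedir)
        os.chmod(cachedir, 0o750)  # salt:salt 0o750 as shipped
        results["no_acl"] = ensure_world_traversable(cachedir, {})
        results["no_acl_mode"] = stat.S_IMODE(os.stat(cachedir).st_mode)
        acl_opts = {"publisher_acl": {"deploy": [".*"]}}  # constructed ACL
        results["acl"] = ensure_world_traversable(cachedir, acl_opts)
        results["acl_again"] = ensure_world_traversable(cachedir, acl_opts)
        os.chmod(cachedir, 0o755)  # already world-traversable: must stay 0o755
        results["wider"] = ensure_world_traversable(cachedir, acl_opts)
        missing = os.path.join(root, "does-not-exist")
        results["missing"] = ensure_world_traversable(missing, acl_opts)
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print(name, oct(mode) if isinstance(mode, int) else mode)
```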