.. _configuration-non-root-user:

======================================================
Running the Salt Master/Minion as an Unprivileged User
======================================================

While the default setup runs the master and minion as the root user, some
may consider it an extra measure of security to run the master as a non-root
user. Keep in mind that doing so does not change the master's capability
to access minions as the user they are running as. Because of this, many feel
that running the master as a non-root user does not grant any real security
advantage, which is why the master has remained as root by default.

.. note::

    Some of Salt's operations cannot execute correctly when the master is not
    running as root, specifically the PAM external auth system, as this system
    needs root access to check authentication.

As of Salt 0.9.10 it is possible to run Salt as a non-root user. This can be
done by setting the :conf_master:`user` parameter in the master configuration
file and restarting the ``salt-master`` service.

The minion has its own :conf_minion:`user` parameter as well, but running the
minion as an unprivileged user will keep it from making changes to things like
users, installed packages, etc. unless access controls (sudo, etc.) are set up
on the minion to permit the non-root user to make the needed changes.

In order to allow Salt to successfully run as a non-root user, ownership and
permissions need to be set such that the desired user can read from and write
to the following directories (and their subdirectories, where applicable):

* /etc/salt
* /var/cache/salt
* /var/log/salt
* /var/run/salt

Ownership can be easily changed with ``chown``, like so:

.. code-block:: bash

    # chown -R user /etc/salt /var/cache/salt /var/log/salt /var/run/salt

.. warning::

    Running either the master or minion with the :conf_master:`root_dir`
    parameter specified will affect these paths, as will setting options like
    :conf_master:`pki_dir`, :conf_master:`cachedir`, :conf_master:`log_file`,
    and other options that normally live in the above directories.
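
A pre-flight check for the ownership requirement above, as an added example rather than code from Salt itself: it walks the four directories and reports anything the chosen account does not own or cannot read and write. It assumes ``root_dir`` simply prefixes the default paths; the ``salt`` account name and the function names are hypothetical.

```python
import os
import stat

# Default directories listed above, relative so they can sit under a root_dir.
SALT_DIRS = ("etc/salt", "var/cache/salt", "var/log/salt", "var/run/salt")


def salt_paths(root_dir="/"):
    """Return the four directories as they resolve under root_dir (assumed prefix)."""
    return [os.path.join(root_dir, d) for d in SALT_DIRS]


def audit(paths, uid):
    """Return (path, problem) pairs that would block a daemon running as uid."""
    problems = []
    for top in paths:
        if not os.path.isdir(top):
            problems.append((top, "missing"))
            continue
        entries = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about access
            need = stat.S_IRUSR | stat.S_IWUSR
            if stat.S_ISDIR(st.st_mode):
                need |= stat.S_IXUSR  # directories also need search permission
            if st.st_uid != uid:
                problems.append((path, "owned by uid %d" % st.st_uid))
            elif st.st_mode & need != need:
                problems.append((path, "owner lacks read/write"))
    return problems


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: check.py USER [ROOT_DIR]; "salt" is a hypothetical account name.
    user = sys.argv[1] if len(sys.argv) > 1 else "salt"
    root = sys.argv[2] if len(sys.argv) > 2 else "/"
    found = audit(salt_paths(root), pwd.getpwnam(user).pw_uid)
    for path, problem in found:
        print("%s: %s" % (path, problem))
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one path still needs ``chown`` or ``chmod`` before the daemon is restarted under the new account.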