saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0

Salt can't manage user's password via user.present in ALT Linux (Simply Linux) #65597

Open Mogaba opened 12 months ago

Mogaba commented 12 months ago

Description

ALT Linux uses the tcb mechanism, which stores user passwords in the /etc/tcb/<username>/shadow file instead of /etc/shadow. As far as I understand after looking into the salt/modules/linux_shadow.py file, Salt checks whether the os grain equals ALT to determine if it should use tcb or the classic shadow scheme. But the os grain does not always equal ALT in ALT Linux distros. E.g. in Simply Linux (which also belongs to the ALT Linux family and uses tcb) os == "Simply Linux", so Salt tries to use /etc/shadow instead of tcb. I tried to look into the Salt source code to understand how Salt determines the os grain, but my Python knowledge is poor.

Setup

test-user.sls:

user_test-user:
  user.present:
    - name: test-user
    - password: ...
    - optional_groups:
        - wheel

Steps to Reproduce the behavior

$ salt test-minion state.apply test-user

Output:

ID: user_test-user
Function: user.present
Name: test-user
Result: False
Comment: User test-user created but failed to set password to XXX-REDACTED-XXX
Started: 09:14:37.397189
Duration: 140.739 ms

After the state completes, the user's password appears in /etc/shadow instead of /etc/tcb.

Expected behavior

Salt should use tcb for password management in Simply Linux.

Versions Report

salt-call --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```yaml
Salt Version:
          Salt: 3006.3

Python Version:
        Python: 3.9.16 (main, Mar 21 2023, 10:12:38)

Dependency Versions:
          cffi: 1.14.5
      cherrypy: 18.6.0
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.0.1
       libgit2: Not Installed
  looseversion: 1.2.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.0
     pycparser: 2.20
      pycrypto: Not Installed
  pycryptodome: 3.9.9
        pygit2: Not Installed
  python-gnupg: Not Installed
        PyYAML: 5.4.1
         PyZMQ: 22.1.0
        relenv: Not Installed
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.2.5

System Versions:
          dist: altlinux 10.2 Captain Finn
        locale: utf-8
       machine: x86_64
       release: 5.10.199-std-def-alt2
        system: Linux
       version: Simply Linux 10.2 Captain Finn
```

Additional context

Link to Simply Linux iso: https://mirror.yandex.ru/altlinux/p10/images/simply/x86_64/slinux-10.2-x86_64.iso

OrangeDog commented 12 months ago

What is the output from grains.item os os_family osfullname on that minion?

Mogaba commented 12 months ago

> What is the output from grains.item os os_family osfullname on that minion?

    os:
        Simply Linux
    os_family:
        Simply Linux
    osarch:
        x86_64
    oscodename:
        Simply Linux 10.2 (Captain Finn)
    osfinger:
        Simply Linux-10
    osfullname:
        Simply Linux
    osmajorrelease:
        10
    osrelease:
        10.2
    osrelease_info:
        - 10
        - 2

OrangeDog commented 12 months ago

We need salt/grains/core.py to detect it as e.g. os_family: ALT and we need salt/modules/linux_shadow.py to check that grain and not os.

I also looked at ALT 10, which gives these:

    os:
        starter kit
    os_family:
        starter kit
    osarch:
        x86_64
    oscodename:
        ALT Starterkit 10 (Hypericum)
    osfinger:
        starter kit-10
    osfullname:
        starter kit
System Versions:
          dist: altlinux 10
        locale: utf-8
       machine: x86_64
       release: 5.15.133.1-microsoft-standard-WSL2
        system: Linux
       version: starter kit 10

And ALT 9:

    os:
        starter kit
    os_family:
        starter kit
    osarch:
        x86_64
    oscodename:
        ALT Starterkit (Hypericum)
    osfinger:
        starter kit-p9
    osfullname:
        starter kit
System Versions:
          dist: altlinux p9 Hypericum
        locale: utf-8
       machine: x86_64
       release: 5.15.133.1-microsoft-standard-WSL2
        system: Linux
       version: starter kit p9 Hypericum

So user.present isn't going to be working on those either.

Outputs from distro -j are more sensible, but still not consistent:

{
    "codename": "",
    "id": "altlinux",
    "like": "",
    "version": "10",
    "version_parts": {
        "build_number": "",
        "major": "10",
        "minor": ""
    }
}
{
    "codename": "Hypericum",
    "id": "altlinux",
    "like": "",
    "version": "p9",
    "version_parts": {
        "build_number": "",
        "major": "",
        "minor": ""
    }
}

@Mogaba what does distro -j give on Simply Linux?

OrangeDog commented 12 months ago

Looking at the current grains, the os ALT is mapped to the os_family RedHat, which is not strictly correct either.

While ALT does use RPM packages, it uses APT to manage them. So the pkg states probably weren't working either, even when the OS grain was set correctly.

Mogaba commented 12 months ago

> @Mogaba what does distro -j give on Simply Linux?

{
    "codename": "Captain Finn",
    "id": "altlinux",
    "like": "",
    "version": "10.2",
    "version_parts": {
        "build_number": "",
        "major": "10",
        "minor": "2"
    }
}

Seems like id is the same in all versions.

> Looking at the current grains, the os ALT is mapped to the os_family RedHat, which is not strictly correct either.
>
> While ALT does use RPM packages, it uses APT to manage them. So the pkg states probably weren't working either, even when the OS grain was set correctly.

Yep, pkg doesn't work either: https://github.com/saltstack/salt/issues/64971

OrangeDog commented 12 months ago

For the moment, you can probably override the os grain so it has the expected value; then user.present will work. https://docs.saltproject.io/salt/user-guide/en/latest/topics/grains.html#precedence
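
As an added illustration (not part of the thread and not Salt's own code), the Python below models the os-grain check described in the issue next to a hypothetical check keyed on the `id` that `distro -j` reports, and audits `/etc/shadow` text for hashes that landed there on a tcb host. The function names, the sample shadow lines and the assumption that every tcb user has a directory under /etc/tcb are constructed for the example.

```python
# Added illustration; not code from salt/modules/linux_shadow.py.
TCB_DISTRO_IDS = {"altlinux"}  # "id" value from `distro -j` in this thread


def shadow_path_by_os_grain(grains, name):
    """Selection as the issue describes it: tcb only when os == 'ALT'."""
    if grains.get("os") == "ALT":
        return f"/etc/tcb/{name}/shadow"
    return "/etc/shadow"


def shadow_path_by_distro_id(distro_id, name):
    """Hypothetical alternative: key on the distro id instead of the os grain."""
    if distro_id in TCB_DISTRO_IDS:
        return f"/etc/tcb/{name}/shadow"
    return "/etc/shadow"


def misplaced_hashes(etc_shadow_text, tcb_users):
    """Users with a tcb directory whose /etc/shadow line holds a password hash."""
    flagged = []
    for line in etc_shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        # "!" and "*" prefixes mark locked or password-less accounts, not hashes.
        has_hash = bool(pw) and not pw.startswith(("!", "*"))
        if has_hash and user in tcb_users:
            flagged.append(user)
    return flagged


# os grain values and distro ids as reported in the thread.
REPORTED = [({"os": "Simply Linux"}, "altlinux"), ({"os": "starter kit"}, "altlinux")]

# Constructed sample: /etc/shadow content after the failed state run.
SAMPLE_ETC_SHADOW = """\
root:*:19600:0:99999:7:::
test-user:$6$constructedsalt$constructedhashvalue:19670:0:99999:7:::
daemon:!:19600::::::
"""
SAMPLE_TCB_USERS = {"root", "test-user"}  # constructed: entries under /etc/tcb

if __name__ == "__main__":
    for grains, distro_id in REPORTED:
        print(grains["os"], "->", shadow_path_by_os_grain(grains, "test-user"),
              "vs", shadow_path_by_distro_id(distro_id, "test-user"))
    print("misplaced:", misplaced_hashes(SAMPLE_ETC_SHADOW, SAMPLE_TCB_USERS))
```

On a real minion the inputs to `misplaced_hashes` would be the contents of /etc/shadow and the directory names under /etc/tcb, both of which require root to read.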