Move /srv/user_salt/ to ~/.local/salt/ #8853

Open
zaz opened this issue Jan 11, 2024 · 8 comments
Labels
C: mgmt P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. ux User experience

Comments

@zaz

zaz commented Jan 11, 2024

Qubes OS release

4.2.0

Brief summary

In the interest of making SALT more accessible to end users (#8218), I propose allowing easy backup and restore of SALT states.

The Qubes backup tool backs up the dom0 home directory. A lot of the use of SALT for the end user comes from allowing them to smoothly migrate privileged modifications to a fresh install. So we should move /srv/user_salt/ to ~/.local/salt/ so that a user's SALT states are backed up.

Of course, we still allow custom usernames in dom0, so we would have to detect the username when qubes.user-dirs is activated, but that should be straightforward: just use the name of UID 1000: id -nu 1000

Steps to reproduce

Run

qubesctl state.sls qubes.user-dirs

Expected behavior

~/.local/salt/ is created.

Actual behavior

/srv/user_salt/ is created.

@zaz zaz added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Jan 11, 2024
@andrewdavidwong andrewdavidwong added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: mgmt ux User experience and removed T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Jan 11, 2024
@ben-grande

You can specify more directories with a file in /etc/salt/minion.d/SOMETHING.conf

---
file_roots:
  base:
    - PATH

There are some important files and directories that may be important to some users and not to others:

/etc/qubes/rpc-config/
/etc/qubes/policy.d/
/etc/qubes/backup/
/srv/user_salt/
/srv/user_pillar/
/srv/user_formulas/
...

But they have these paths for a reason: they follow a directory hierarchy, are root owned and some are owned by the qubes group, and all of them have fixed paths to these exact directories. Why should some be backed up and others not? This is a personal preference: for you, it is user_salt; for others, it might be anything else, Xorg configuration for example.

I have a script to back up dom0 files important to me. It is very simple, a much simpler solution than dealing with file permissions in the user home directory for a process run as root.

@zaz
Author

zaz commented Jan 12, 2024

I believe we should do the same, wherever feasible, for any directories that are specifically for user configuration.

Files that could be updated by the system or the user are up to personal preference. But /srv/user_salt/ is specifically designed to only be modified by the user after creation, so it doesn't make sense not to back it up and restore it by default.

Alternatively, we could add a section to the default backup script that works similarly to your script, but it is important that the backup should not lose important data by default. An even more robust option would be to back up all files that have been modified by the user, but I'm not sure we have a way to tell if a file has been modified by the user on Fedora.

We could use a symlink to link /srv/user_salt/ → ~/.local/salt/ if the /srv/user_salt/ path is important. As for permissions, we could either:

  1. Keep the same permissions, and have some files with root permissions in the home directory. This is unusual, but I don't believe it causes issues; or
  2. Use user permissions. Each Qube is intended to be a single-user system with passwordless root, so this should not harm security in any way.
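
Added example, not part of the thread or of any Qubes code: the two permission options above differ in who may own and write the files a root-run Salt process reads, and this Python check lists the entries under a state directory that are owned by a UID other than the one given, writable by group or others, or symlinks. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_state_tree(root, trusted_uid=0):
    """Return (path, reason) findings for a Salt state directory.

    trusted_uid is the only accepted owner (0 = root, as with /srv/user_salt/).
    """
    findings = []
    # Check the root itself, then every directory and file beneath it.
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, "owner uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group/other writable"))
    return findings

def build_sample_tree():
    """Constructed sample: a tiny state tree in a temporary directory."""
    root = tempfile.mkdtemp(prefix="user_salt_")
    os.chmod(root, 0o755)
    top = os.path.join(root, "top.sls")
    loose = os.path.join(root, "loose.sls")
    for p in (top, loose):
        with open(p, "w") as fh:
            fh.write("# constructed sample state\n")
    os.chmod(top, 0o644)
    os.chmod(loose, 0o666)  # deliberately too permissive
    os.symlink(top, os.path.join(root, "link.sls"))
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    # Option 2 (user-owned): trust the current user. Option 1: trusted_uid=0.
    for path, reason in audit_state_tree(sample, trusted_uid=os.getuid()):
        print(reason, path)
```
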

@quantumpacket

This comment was marked as off-topic.

@zaz

This comment was marked as off-topic.

@quantumpacket

This comment was marked as off-topic.

@zaz

This comment was marked as off-topic.

@quantumpacket

This comment was marked as off-topic.

@unman

This comment was marked as off-topic.


5 participants