Impossible to run Salt SSH as unprivileged user #55825

Open
yuriiz opened this issue Jan 9, 2020 · 5 comments
Labels
Bug broken, incorrect, or confusing behavior severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around
yuriiz commented Jan 9, 2020

Description of Issue

It is impossible to run Salt SSH as an unprivileged user.
Instructions at https://docs.saltstack.com/en/latest/topics/ssh/#running-salt-ssh-as-non-root-user say it should be possible by specifying a writable cachedir and pki_dir, but it is not. Following these instructions results in

PermissionError: [Errno 13] Permission denied: '/var/cache/salt'

Setup

As described in the docs, I've created the following Saltfile:

salt-ssh:
  pki_dir: /tmp/pki
  cachedir: /tmp/cache
  ssh_log_file: /tmp/salt-ssh.log
  roster_file: /tmp/roster

Steps to Reproduce Issue

  1. Create a Saltfile pointing to writable dirs (like above)
  2. Run salt-ssh -c . \* test.ping in the directory with this Saltfile as an unprivileged user.
  3. Receive
[ERROR   ] Unable to render roster file: Traceback (most recent call last):
  File "/tmp/lib/python3.7/site-packages/salt/utils/templates.py", line 169, in render_tmpl
    output = render_str(tmplstr, context, tmplpath)
  File "/tmp/lib/python3.7/site-packages/salt/utils/templates.py", line 309, in render_jinja_tmpl
    loader = salt.utils.jinja.SaltCacheLoader(opts, saltenv, pillar_rend=context.get('_pillar_rend', False))
  File "/tmp/lib/python3.7/site-packages/salt/utils/jinja.py", line 89, in __init__
    self.file_client()
  File "/tmp/lib/python3.7/site-packages/salt/utils/jinja.py", line 102, in file_client
    cached_client = salt.fileclient.get_file_client(self.opts, self.pillar_rend)
  File "/tmp/lib/python3.7/site-packages/salt/fileclient.py", line 63, in get_file_client
    }.get(client, RemoteClient)(opts)
  File "/tmp/lib/python3.7/site-packages/salt/fileclient.py", line 1392, in __init__
    self.channel = salt.fileserver.FSChan(opts)
  File "/tmp/lib/python3.7/site-packages/salt/fileserver/__init__.py", line 886, in __init__
    self.fs.update()
  File "/tmp/lib/python3.7/site-packages/salt/fileserver/__init__.py", line 503, in update
    self.servers[fstr]()
  File "/tmp/lib/python3.7/site-packages/salt/fileserver/roots.py", line 195, in update
    os.makedirs(mtime_map_path_dir)
  File "/usr/lib/python3.7/os.py", line 211, in makedirs
    makedirs(head, exist_ok=exist_ok)
  File "/usr/lib/python3.7/os.py", line 211, in makedirs
    makedirs(head, exist_ok=exist_ok)
  File "/usr/lib/python3.7/os.py", line 221, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/var/cache/salt'

So if these steps are not enough to run salt-ssh as an unprivileged user, I think the docs should be updated accordingly to mention the extra required settings and not be so confusing. Alternatively, salt-ssh behaviour should be updated to respect settings from the Saltfile.

Versions Report

Salt Version:
Salt: 2019.2.2

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.10.3
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.6.2
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: Not Installed
pycryptodome: Not Installed
pygit2: Not Installed
Python: 3.7.3 (default, Oct 7 2019, 12:56:13)
python-gnupg: Not Installed
PyYAML: 3.13
PyZMQ: Not Installed
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: Not Installed

System Versions:
dist: Ubuntu 19.04 disco
locale: UTF-8
machine: x86_64
release: 5.0.0-38-generic
system: Linux
version: Ubuntu 19.04 disco

(Latest version from PyPI)

@max-arnold
Contributor

Related issue: #53664

@Ch3LL
Contributor

Ch3LL commented Jan 14, 2020

Thanks, we will need to get this fixed up.

@Ch3LL Ch3LL added Bug broken, incorrect, or confusing behavior severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around P4 Priority 4 triage labels Jan 14, 2020
@Ch3LL Ch3LL added this to the Approved milestone Jan 14, 2020
@sagetherage sagetherage removed the P4 Priority 4 label Jun 3, 2020
@dahabakuk

Still an issue on 3001.

@pizzamig

Still an issue with 3002.
In the Saltfile, I set up all directories to use folders in the user's home.

  config_dir: /home/pizzamig/salt/salt
  pki_dir: /home/pizzamig//salt/pki
  cachedir: /home/pizzamig/salt/cache
  root_dir: /hom/pizzamig/salt/tmp
  ssh_log_file: /home/pizzamig/salt/logs/salt-ssh.log

I still have issues with the thin_folder, but only when targeting the local machine (as reported in #46891).

@simon-20

simon-20 commented Sep 7, 2023

Is this still recognised as an issue? I'm seeing this, or something very similar, in 3004.

I have:

cachedir: /home/simon/salt/cache

But then see the following:

2023-09-07 09:04:45,027 [salt.roster      :102 ][ERROR   ][10811] Unable to render roster file: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/salt/utils/templates.py", line 261, in render_tmpl
    output = render_str(tmplstr, context, tmplpath)
...
...
  File "/usr/lib/python3/dist-packages/salt/utils/files.py", line 385, in fopen
    f_handle = open(*args, **kwargs)  # pylint: disable=resource-leakage
PermissionError: [Errno 13] Permission denied: '/var/cache/salt/master/roots/mtime_map'

So despite my config setting, it is still trying to use the default cache location.

It is reading and using other configuration variables from the Saltfile correctly.
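A way to confirm the symptom reported in this thread, as an added example that is not part of the issue or of Salt's own code: it compares the paths named in `PermissionError` lines of salt-ssh output against the directories set in the Saltfile and reports those that fall outside all of them. The function names are hypothetical, the Saltfile reader handles only the flat layout quoted above (it is not a YAML parser), and the sample inputs are constructed from the text of the report.

```python
import os
import re

# Constructed sample input, taken from the Saltfile and traceback quoted in the issue.
SALTFILE = """\
salt-ssh:
  pki_dir: /tmp/pki
  cachedir: /tmp/cache
  ssh_log_file: /tmp/salt-ssh.log
  roster_file: /tmp/roster
"""
LOG = """\
[ERROR   ] Unable to render roster file: Traceback (most recent call last):
  File "/usr/lib/python3.7/os.py", line 221, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/var/cache/salt'
"""

DENIED = re.compile(r"PermissionError: \[Errno 13\] Permission denied: '([^']+)'")


def saltfile_section(text, section="salt-ssh"):
    """Read 'key: value' pairs indented under one top-level section (flat layout only)."""
    opts, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # top-level key starts a new section
            current = line.rstrip().rstrip(":")
        elif current == section and ":" in line:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip()
    return opts


def is_under(path, root):
    """True if path is root or below it; compares components, not string prefixes."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.commonpath([path, root]) == root


def ignored_overrides(saltfile_text, log_text, dir_keys=("cachedir", "pki_dir")):
    """Return denied absolute paths that lie outside every directory set in the Saltfile."""
    opts = saltfile_section(saltfile_text)
    roots = [opts[k] for k in dir_keys if k in opts]
    return [p for p in DENIED.findall(log_text)
            if not any(is_under(p, r) for r in roots)]


if __name__ == "__main__":
    print(ignored_overrides(SALTFILE, LOG))
```

A non-empty result means the process tried to write somewhere the Saltfile did not point it, which is the behaviour reported here for the roster renderer.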

7 participants