[BUG] The "salt" user login shell should be /usr/sbin/nologin on Debian

[clayoster]

Description
The default location of "nologin" on Debian distributions is /usr/sbin/nologin. Debian 10 and newer also include /sbin/nologin, but if a server started on Debian 9 (or older) and was upgraded to the current release the /sbin/nologin file does not exist.

In Salt 3006, this can lead to a situation where attempting to start the salt-master in the foreground for debugging purposes (salt-master -l debug) causes an error because the "salt" user's login shell does not exist.

root@salt:~# getent passwd salt
salt:x:993:116:Salt:/opt/saltstack/salt:/sbin/nologin
root@salt:~# ls -l /sbin/nologin
ls: cannot access '/sbin/nologin': No such file or directory
root@salt:~# ls -l /usr/sbin/nologin
-rwxr-xr-x 1 root root 14488 Feb  7  2020 /usr/sbin/nologin

[ERROR   ] An un-handled exception was caught by Salt's global exception handler:
CommandExecutionError: The shell /sbin/nologin is not available
Traceback (most recent call last):
  File "/usr/bin/salt-master", line 11, in <module>
    sys.exit(salt_master())
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 89, in salt_master
    master.start()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/daemons.py", line 204, in start
    self.master.start()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 723, in start
    chan = salt.channel.server.PubServerChannel.factory(opts)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py", line 721, in factory
    return cls(opts, transport, presence_events=presence_events)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py", line 727, in __init__
    self.aes_funcs = salt.master.AESFuncs(self.opts)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 1233, in __init__
    self.mminion = salt.minion.MasterMinion(
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/minion.py", line 974, in __init__
    self.opts = salt.config.mminion_config(
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2328, in mminion_config
    opts["grains"] = salt.loader.grains(opts)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/__init__.py", line 1116, in grains
    ret = funcs[key]()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 149, in __call__
    return self.loader.run(run_func, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1232, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1247, in _run_as
    return _func_or_method(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/grains/core.py", line 2665, in os_data
    grains["osarch"] = _osarch(grains.get("os_family"), grains.get("cpuarch"))
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/grains/core.py", line 2369, in _osarch
    return __salt__["cmd.run"]("dpkg --print-architecture").strip()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/cmdmod.py", line 955, in _run_quiet
    return _run(
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/cmdmod.py", line 372, in _run
    raise CommandExecutionError(msg)
salt.exceptions.CommandExecutionError: The shell /sbin/nologin is not available

This was noticed while troubleshooting a few configuration issues with my salt master after upgrading from 3005 to 3006. The server had started out on Debian 9 and had been upgraded to 10 and then 11 over time. I have checked ~100 other Debian 11 servers and found that /sbin/nologin was missing from every one that had begun on Debian 9 or older.

Setup

• on-prem machine
• VM (VMware and KVM)
• VM running on a cloud service, please be explicit and add details
• container (LXC)
• or a combination, please be explicit
• jails if it is FreeBSD
• classic packaging
• onedir packaging
• used bootstrap to install

The Salt Master server was built on Debian 9 and upgraded from 9 > 10 > 11 and has a simple gitfs setup.

/etc/salt/master.d/main.conf

state_verbose: False

fileserver_backend:
  - roots
  - git

gitfs_remotes:
  - git@git.domain.com:saltstack/data.git:
    - privkey: /opt/saltstack/salt/.ssh/id_rsa
    - pubkey: /opt/saltstack/salt/.ssh/id_rsa.pub
  - git@git.domain.com:saltstack/states.git:
    - privkey: /opt/saltstack/salt/.ssh/id_rsa
    - pubkey: /opt/saltstack/salt/.ssh/id_rsa.pub

ext_pillar:
  - git:
    - master git@git.domain.com:saltstack/pillar.git:
      - privkey: /opt/saltstack/salt/.ssh/id_rsa
      - pubkey: /opt/saltstack/salt/.ssh/id_rsa.pub

file_roots:
  base:
    - /srv/salt

Steps to Reproduce the behavior
To reproduce, I performed a clean install of Debian 9 on a KVM virtual machine, then upgraded from 9 > 10 > 11. I installed the salt-master package (3006.1) with the default configuration and then attempting to run the salt-master process in the foreground (salt-master -l debug).

Expected behavior
Clean startup of salt-master -l debug with no error about a missing login shell

Versions Report

salt --versions-report

```yaml Salt Version: Salt: 3006.1

Python Version:
Python: 3.10.11 (main, May 5 2023, 02:31:54) [GCC 11.2.0]

Dependency Versions:
cffi: 1.14.6
cherrypy: unknown
dateutil: 2.8.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 3.1.2
libgit2: Not Installed
looseversion: 1.0.2
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.2
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 22.0
pycparser: 2.21
pycrypto: Not Installed
pycryptodome: 3.9.8
pygit2: Not Installed
python-gnupg: 0.4.8
PyYAML: 5.4.1
PyZMQ: 23.2.0
relenv: 0.12.3
smmap: Not Installed
timelib: 0.2.4
Tornado: 4.5.3
ZMQ: 4.3.4

System Versions:
dist: debian 11 bullseye
locale: utf-8
machine: x86_64
release: 5.10.0-23-amd64
system: Linux
version: Debian GNU/Linux 11 bullseye

</details>

[welcome]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[Ch3LL]

closed by #64378