Incorrect Permission Assignment for Critical Resource
CVE-2022-22941
Summary
An issue was discovered in SaltStack Salt and Salt-ssh in versions prior to 3002.8, 3003.x prior to 3003.4, and 3004.x prior to 3004.1. When configured as a Master-of-Masters with a "publisher_acl", if a user configured in the "publisher_acl" targets any minion connected to the Syndic, the Salt Master incorrectly treats a target expression that matches no valid targets as valid, allowing configured users to run their permitted commands on any of the minions connected to the Syndic. This requires a Syndic master combined with a "publisher_acl" configured on the Master-of-Masters; users specified in the "publisher_acl" can then bypass the intended target restrictions and publish their authorized commands to any minion connected through the Syndic.
CVSS base metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Availability Impact: HIGH
- Scope: UNCHANGED
- User Interaction: NONE
- Privileges Required: LOW
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
References
Advisory Timeline
- Published