Add a script on the master to be able to update the fileserver
the script exposes the deploy password but it can be read/executed only
by root, and it is on the saltmaster machine either way (where the user
can type the underlying salt-run commands as well), so no real security
issue