From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH zfsonlinux 1/2] buildsys: make libpam-zfs a separate package
Date: Tue,  9 Feb 2021 19:41:43 +0100
Message-ID: <20210209184144.29177-2-s.ivanov@proxmox.com>
In-Reply-To: <20210209184144.29177-1-s.ivanov@proxmox.com>

ZFS includes (since 2.0.0) a pam-module, which takes the login
credentials of a user to unlock their home-dataset.

Enabling it in its current state can cause some side-effects like
prompting for a password when running `su` as root (see [0]).

Our update to ZFS 2.0.0 shipped the pam config in zfsutils-linux,
whereas debian-upstream split it out into its own optional package.

This commit adopts this change,
based on debian-upstream [1] commit
cad2f3d24aa44cfdce1e2eae8b6ba027efaba2d6

The issue becomes apparent by installing the current zfsutils-linux
package and running `pam-auth-update --package` (e.g. by installing
an upgraded libpam-runtime package).

[0] https://github.com/openzfs/zfs/issues/11222
[1] https://salsa.debian.org/zfsonlinux-team/zfs/

Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Originally-by: Antonio Russo <aerusso@aerusso.net>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 debian/control                | 14 ++++++++++++++
 debian/libpam-zfs.install     |  2 ++
 debian/libpam-zfs.postinst    |  6 ++++++
 debian/libpam-zfs.prerm       |  8 ++++++++
 debian/zfsutils-linux.install |  2 --
 5 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 debian/libpam-zfs.install
 create mode 100644 debian/libpam-zfs.postinst
 create mode 100644 debian/libpam-zfs.prerm

diff --git a/debian/control b/debian/control
index cda525a8..096d4afe 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Proxmox Support Team <support@proxmox.com>
 Build-Depends: debhelper (>= 10~),
                dh-python,
                libblkid-dev,
+               libelf-dev,
+               libpam0g-dev,
                libssl-dev | libssl1.0-dev,
                libtool,
                lsb-release,
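Review bot: the new libelf-dev entry in Build-Depends is not explained by the commit message, which only covers splitting out the PAM module. libpam0g-dev is the one that provides the PAM headers the module builds against. If libelf-dev is needed for an unrelated reason, say so in the commit message or move it to its own commit, so the packaging history shows why each build dependency exists.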
@@ -30,6 +32,18 @@ Description: Solaris name-value library for Linux
  transporting data across process boundaries, transporting between
  kernel and userland, and possibly saving onto disk files.
 
+Package: libpam-zfs
+Section: contrib/admin
+Architecture: linux-any
+Depends: libpam-runtime, ${misc:Depends}, ${shlibs:Depends}
+Description: PAM module for managing encryption keys for ZFS
+ OpenZFS is a storage platform that encompasses the functionality of
+ traditional filesystems and volume managers. It supports data checksums,
+ compression, encryption, snapshots, and more.
+ .
+ This provides a Pluggable Authentication Module (PAM) that automatically
+ unlocks encrypted ZFS datasets upon login.
+
 Package: libuutil2linux
 Section: contrib/libs
 Architecture: linux-any
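Review bot: the new libpam-zfs stanza has no Breaks/Replaces against the zfsutils-linux versions that still ship lib/*/security/pam_zfs_key.so and usr/share/pam-configs/zfs_key. If libpam-zfs is unpacked while such a zfsutils-linux is still installed, dpkg will refuse to overwrite files owned by another package. Consider adding Breaks: and Replaces: on zfsutils-linux (<< the first version that drops the two files) to this stanza.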
diff --git a/debian/libpam-zfs.install b/debian/libpam-zfs.install
new file mode 100644
index 00000000..c33123f6
--- /dev/null
+++ b/debian/libpam-zfs.install
@@ -0,0 +1,2 @@
+lib/*/security/pam_zfs_key.so
+usr/share/pam-configs/zfs_key
diff --git a/debian/libpam-zfs.postinst b/debian/libpam-zfs.postinst
new file mode 100644
index 00000000..2db86744
--- /dev/null
+++ b/debian/libpam-zfs.postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+pam-auth-update --package
+
+#DEBHELPER#
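Review bot: the `pam-auth-update --package` call in this postinst changes the system-wide PAM stack as a side effect of installing the package, and nothing here or in the package Description tells the administrator about the behaviour the commit message describes (a password prompt when running `su` as root). A sentence in the Description or a NEWS entry pointing at the upstream issue would let people decide before they install it.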
diff --git a/debian/libpam-zfs.prerm b/debian/libpam-zfs.prerm
new file mode 100644
index 00000000..21e82700
--- /dev/null
+++ b/debian/libpam-zfs.prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = remove ] ; then
+    pam-auth-update --package --remove zfs_key
+fi
+
+#DEBHELPER#
diff --git a/debian/zfsutils-linux.install b/debian/zfsutils-linux.install
index ccb1f169..4f93aa70 100644
--- a/debian/zfsutils-linux.install
+++ b/debian/zfsutils-linux.install
@@ -2,7 +2,6 @@
 etc/default/zfs
 etc/zfs/zfs-functions
 etc/zfs/zpool.d/
-lib/*/security/pam_zfs_key.so
 lib/systemd/system-preset/
 lib/systemd/system/zfs-import-cache.service
 lib/systemd/system/zfs-import-scan.service
@@ -119,4 +118,3 @@ usr/share/man/man8/zpoolconcepts.8
 usr/share/man/man8/zpoolprops.8
 usr/share/man/man8/zstream.8
 usr/share/man/man8/zstreamdump.8
-usr/share/pam-configs/zfs_key
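Review bot: dropping usr/share/pam-configs/zfs_key and pam_zfs_key.so from zfsutils-linux leaves no cleanup step for systems where the earlier package already had the profile enabled by a `pam-auth-update --package` run. The only `--remove zfs_key` call in this patch is in the libpam-zfs prerm, which never runs on a host that upgrades zfsutils-linux without installing libpam-zfs. Please check whether the generated PAM configuration can keep referencing the now-missing module after such an upgrade, and if so add a `pam-auth-update --package --remove zfs_key` step to the zfsutils-linux maintainer scripts for that upgrade path.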
-- 
2.20.1

Thread overview: 4+ messages
2021-02-09 18:41 [pve-devel] [PATCH zfsonlinux 0/2] split out libpam-zfs and update copyright Stoiko Ivanov
2021-02-09 18:41 ` Stoiko Ivanov [this message]
2021-02-09 18:41 ` [pve-devel] [PATCH zfsonlinux 2/2] update debian/copyright Stoiko Ivanov
2021-02-11 17:21 ` [pve-devel] applied-series: [PATCH zfsonlinux 0/2] split out libpam-zfs and update copyright Thomas Lamprecht