public inbox for pve-devel@lists.proxmox.com
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH zfsonlinux 1/2] buildsys: make libpam-zfs a separate package
Date: Tue,  9 Feb 2021 19:41:43 +0100
Message-ID: <20210209184144.29177-2-s.ivanov@proxmox.com>
In-Reply-To: <20210209184144.29177-1-s.ivanov@proxmox.com>

ZFS includes (since 2.0.0) a pam-module, which takes the login
credentials of a user to unlock their home-dataset.

Enabling it in its current state can cause some side-effects like
prompting for a password when running `su` as root (see [0]).

Our update to ZFS 2.0.0 shipped the pam config in zfsutils-linux,
whereas debian-upstream split it out into its own optional package.

This commit adopts this change,
based on debian-upstream [1] commit
cad2f3d24aa44cfdce1e2eae8b6ba027efaba2d6.

The issue becomes apparent by installing the current zfsutils-linux
package and running `pam-auth-update --package` (e.g. by installing
an upgraded libpam-runtime package).

[0] https://github.com/openzfs/zfs/issues/11222
[1] https://salsa.debian.org/zfsonlinux-team/zfs/

Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Originally-by: Antonio Russo <aerusso@aerusso.net>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 debian/control                | 14 ++++++++++++++
 debian/libpam-zfs.install     |  2 ++
 debian/libpam-zfs.postinst    |  6 ++++++
 debian/libpam-zfs.prerm       |  8 ++++++++
 debian/zfsutils-linux.install |  2 --
 5 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 debian/libpam-zfs.install
 create mode 100644 debian/libpam-zfs.postinst
 create mode 100644 debian/libpam-zfs.prerm

diff --git a/debian/control b/debian/control
index cda525a8..096d4afe 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Proxmox Support Team <support@proxmox.com>
 Build-Depends: debhelper (>= 10~),
                dh-python,
                libblkid-dev,
+               libelf-dev,
+               libpam0g-dev,
                libssl-dev | libssl1.0-dev,
                libtool,
                lsb-release,
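Review bot: libelf-dev is added to Build-Depends next to libpam0g-dev, but the commit message only explains the PAM module split and gives no reason for it. Either say in the commit message what needs libelf-dev, or move that line into its own commit so the build-dependency change can be reviewed and reverted separately.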
@@ -30,6 +32,18 @@ Description: Solaris name-value library for Linux
  transporting data across process boundaries, transporting between
  kernel and userland, and possibly saving onto disk files.
 
+Package: libpam-zfs
+Section: contrib/admin
+Architecture: linux-any
+Depends: libpam-runtime, ${misc:Depends}, ${shlibs:Depends}
+Description: PAM module for managing encryption keys for ZFS
+ OpenZFS is a storage platform that encompasses the functionality of
+ traditional filesystems and volume managers. It supports data checksums,
+ compression, encryption, snapshots, and more.
+ .
+ This provides a Pluggable Authentication Module (PAM) that automatically
+ unlocks encrypted ZFS datasets upon login.
+
 Package: libuutil2linux
 Section: contrib/libs
 Architecture: linux-any
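Review bot: the new libpam-zfs stanza declares no Breaks/Replaces against zfsutils-linux, although lib/*/security/pam_zfs_key.so and usr/share/pam-configs/zfs_key were shipped by zfsutils-linux until this patch. Installing libpam-zfs while an older zfsutils-linux is still unpacked makes dpkg refuse to overwrite files owned by another package. Add `Breaks: zfsutils-linux (<< VERSION)` and `Replaces: zfsutils-linux (<< VERSION)`, where VERSION is the first package version that contains the split.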
diff --git a/debian/libpam-zfs.install b/debian/libpam-zfs.install
new file mode 100644
index 00000000..c33123f6
--- /dev/null
+++ b/debian/libpam-zfs.install
@@ -0,0 +1,2 @@
+lib/*/security/pam_zfs_key.so
+usr/share/pam-configs/zfs_key
diff --git a/debian/libpam-zfs.postinst b/debian/libpam-zfs.postinst
new file mode 100644
index 00000000..2db86744
--- /dev/null
+++ b/debian/libpam-zfs.postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+pam-auth-update --package
+
+#DEBHELPER#
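Review bot: the `pam-auth-update --package` call in the postinst will activate the zfs_key profile on install if the profile in usr/share/pam-configs/zfs_key carries `Default: yes`, and that profile is not part of this patch, so the effect cannot be judged from the diff. Since the commit message names the password prompt for `su` as root in [0] as a side effect of the module being active, state in the commit message or the package description whether installing libpam-zfs turns the module on or only makes it selectable.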
diff --git a/debian/libpam-zfs.prerm b/debian/libpam-zfs.prerm
new file mode 100644
index 00000000..21e82700
--- /dev/null
+++ b/debian/libpam-zfs.prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = remove ] ; then
+    pam-auth-update --package --remove zfs_key
+fi
+
+#DEBHELPER#
diff --git a/debian/zfsutils-linux.install b/debian/zfsutils-linux.install
index ccb1f169..4f93aa70 100644
--- a/debian/zfsutils-linux.install
+++ b/debian/zfsutils-linux.install
@@ -2,7 +2,6 @@
 etc/default/zfs
 etc/zfs/zfs-functions
 etc/zfs/zpool.d/
-lib/*/security/pam_zfs_key.so
 lib/systemd/system-preset/
 lib/systemd/system/zfs-import-cache.service
 lib/systemd/system/zfs-import-scan.service
@@ -119,4 +118,3 @@ usr/share/man/man8/zpoolconcepts.8
 usr/share/man/man8/zpoolprops.8
 usr/share/man/man8/zstream.8
 usr/share/man/man8/zstreamdump.8
-usr/share/pam-configs/zfs_key
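Review bot: dropping usr/share/pam-configs/zfs_key here (and pam_zfs_key.so in the previous hunk) comes without any zfsutils-linux maintainer-script change in the diffstat, so a host where the earlier package already got the profile activated keeps pam_zfs_key.so entries in /etc/pam.d/common-* after the upgrade removes the module, until pam-auth-update is run again. Consider calling `pam-auth-update --package --remove zfs_key` from the zfsutils-linux postinst when upgrading from a version that still shipped the profile and libpam-zfs is not installed, and mention the upgrade behaviour in the commit message.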
-- 
2.20.1






Thread overview: 4+ messages
2021-02-09 18:41 [pve-devel] [PATCH zfsonlinux 0/2] split out libpam-zfs and update copyright Stoiko Ivanov
2021-02-09 18:41 ` Stoiko Ivanov [this message]
2021-02-09 18:41 ` [pve-devel] [PATCH zfsonlinux 2/2] update debian/copyright Stoiko Ivanov
2021-02-11 17:21 ` [pve-devel] applied-series: [PATCH zfsonlinux 0/2] split out libpam-zfs and update copyright Thomas Lamprecht
