[pve-devel] [PATCH zfsonlinux 1/2] buildsys: make libpam-zfs a separate package

Stoiko Ivanov s.ivanov at proxmox.com
Tue Feb 9 19:41:43 CET 2021


ZFS includes (since 2.0.0) a pam-module, which takes the login
credentials of an user to unlock their home-dataset.

Enabling it in its current state can cause some side-effects like
prompting for a password when running `su` as root (see [0]).

Our update to ZFS 2.0.0 shipped the pam config in zfsutils-linux,
whereas debian-upstream split it out into its own optional package

This commit adopts this change.
based on debian-upstream [1] commit
cad2f3d24aa44cfdce1e2eae8b6ba027efaba2d6

The issue becomes apparent by installing the current zfsutils-linux
package and running `pam-auth-update --package` (e.g. by installing
an upgraded libpam-runtime package).

[0] https://github.com/openzfs/zfs/issues/11222
[1] https://salsa.debian.org/zfsonlinux-team/zfs/

Reported-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
Originally-by: Antonio Russo <aerusso at aerusso.net>
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 debian/control                | 14 ++++++++++++++
 debian/libpam-zfs.install     |  2 ++
 debian/libpam-zfs.postinst    |  6 ++++++
 debian/libpam-zfs.prerm       |  8 ++++++++
 debian/zfsutils-linux.install |  2 --
 5 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 debian/libpam-zfs.install
 create mode 100644 debian/libpam-zfs.postinst
 create mode 100644 debian/libpam-zfs.prerm

diff --git a/debian/control b/debian/control
index cda525a8..096d4afe 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Proxmox Support Team <support at proxmox.com>
 Build-Depends: debhelper (>= 10~),
                dh-python,
                libblkid-dev,
+               libelf-dev,
+               libpam0g-dev,
                libssl-dev | libssl1.0-dev,
                libtool,
                lsb-release,
@@ -30,6 +32,18 @@ Description: Solaris name-value library for Linux
  transporting data across process boundaries, transporting between
  kernel and userland, and possibly saving onto disk files.
 
+Package: libpam-zfs
+Section: contrib/admin
+Architecture: linux-any
+Depends: libpam-runtime, ${misc:Depends}, ${shlibs:Depends}
+Description: PAM module for managing encryption keys for ZFS
+ OpenZFS is a storage platform that encompasses the functionality of
+ traditional filesystems and volume managers. It supports data checksums,
+ compression, encryption, snapshots, and more.
+ .
+ This provides a Pluggable Authentication Module (PAM) that automatically
+ unlocks encrypted ZFS datasets upon login.
+
 Package: libuutil2linux
 Section: contrib/libs
 Architecture: linux-any
diff --git a/debian/libpam-zfs.install b/debian/libpam-zfs.install
new file mode 100644
index 00000000..c33123f6
--- /dev/null
+++ b/debian/libpam-zfs.install
@@ -0,0 +1,2 @@
+lib/*/security/pam_zfs_key.so
+usr/share/pam-configs/zfs_key
diff --git a/debian/libpam-zfs.postinst b/debian/libpam-zfs.postinst
new file mode 100644
index 00000000..2db86744
--- /dev/null
+++ b/debian/libpam-zfs.postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+pam-auth-update --package
+
+#DEBHELPER#
diff --git a/debian/libpam-zfs.prerm b/debian/libpam-zfs.prerm
new file mode 100644
index 00000000..21e82700
--- /dev/null
+++ b/debian/libpam-zfs.prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = remove ] ; then
+    pam-auth-update --package --remove zfs_key
+fi
+
+#DEBHELPER#
diff --git a/debian/zfsutils-linux.install b/debian/zfsutils-linux.install
index ccb1f169..4f93aa70 100644
--- a/debian/zfsutils-linux.install
+++ b/debian/zfsutils-linux.install
@@ -2,7 +2,6 @@
 etc/default/zfs
 etc/zfs/zfs-functions
 etc/zfs/zpool.d/
-lib/*/security/pam_zfs_key.so
 lib/systemd/system-preset/
 lib/systemd/system/zfs-import-cache.service
 lib/systemd/system/zfs-import-scan.service
@@ -119,4 +118,3 @@ usr/share/man/man8/zpoolconcepts.8
 usr/share/man/man8/zpoolprops.8
 usr/share/man/man8/zstream.8
 usr/share/man/man8/zstreamdump.8
-usr/share/pam-configs/zfs_key
-- 
2.20.1





More information about the pve-devel mailing list