libpam: Move to a new "pam" package

OpenPAM is a discrete, largely self-contained system component.
Users may not need PAM for many use-cases (e.g. jails, containers),
so move it to its own package.

Use LIB_PACKAGE to create a separate pam-lib package for libpam,
so that applications that support PAM don't need to bring in all
the PAM modules if PAM isn't actually in use.

Add pam to the minimal sets, since this is a core system component that
people expect to be installed.  This means all supported installation
methods will install the PAM modules by default, so don't add explicit
dependencies on the PAM modules from things that use PAM (e.g. runtime),
allowing custom/embedded systems to omit these easily.

This change adds a new package to the system so, until we have a proper
policy on how to handle this in release/stable branches, it should not
be MFC'd.

MFC after:	never
Reviewed by:	des, bapt
Sponsored by:	https://www.patreon.com/bsdivy
Differential Revision:	https://reviews.freebsd.org/D53602
Lexi Winter
2025-11-10 10:20:33 +00:00
parent 9cf02c38e4
commit 560af6b43e
11 changed files with 57 additions and 26 deletions
+12
@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 16.x IS SLOW:
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
20251110:
OpenPAM (including libpam and the PAM modules) has moved to the new
"pam" package. The pam-lib subpackage, which includes libpam, will
be automatically installed when required.
If you have set-minimal(-jail) installed, the pam base package which
contains the PAM modules will also be automatically installed.
If you don't, you MUST manually install the FreeBSD-pam package if you
need to authenticate users, otherwise you won't be able to log in.
This change only affects pkgbase users.
20251105:
pf(4) now supports nat64 via the af-to keyword.
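Review bot: The 20251110 entry refers to the package as "pam", "pam-lib" and "FreeBSD-pam" without tying the names together, and the paragraph beginning "If you don't, you MUST manually install" does not say when the install has to happen. Since the stated consequence is that nobody can log in, I'd say explicitly that the package must be installed as part of the upgrade, before rebooting or closing the current session, and use the installed package names consistently throughout the entry. Spelling out the command (`pkg install FreeBSD-pam`) would also help anyone upgrading a remote host over SSH.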
+2
@@ -23,6 +23,8 @@
# SUCH DAMAGE.
#
PACKAGE?= pam
CFLAGS+= -DOPENPAM_DEBUG
SHLIB_MAJOR= 6
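Review bot: `PACKAGE?= pam` is a conditional assignment, so a PACKAGE value already set by an including makefile or on the command line wins silently, and the module makefiles further down drop their own `PACKAGE= runtime`, presumably to pick up this default. A short comment above the line saying that it is the default for everything under this directory, and which makefiles are expected to override it, would make that dependency visible.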
+1 -1
@@ -42,7 +42,7 @@ OPENPAM= ${SRCTOP}/contrib/openpam
SHLIB= pam
.endif
PACKAGE= runtime
LIB_PACKAGE=
SRCS= openpam_asprintf.c \
openpam_borrow_cred.c \
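Review bot: The empty `LIB_PACKAGE=` that takes the place of `PACKAGE= runtime` gives no hint in the makefile of what it does. The commit message says it creates a separate pam-lib package, but a reader of this file has to already know that an empty value is meaningful. A one-line comment next to it, for example that libpam ships in pam-lib so that PAM-aware programs do not pull in the modules, would save the next person a trip through the build system.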
-2
@@ -23,8 +23,6 @@
# SUCH DAMAGE.
#
PACKAGE= runtime
LIB= pam_lastlog
SRCS= pam_lastlog.c
MANNODEV= pam_lastlog.8
@@ -23,8 +23,6 @@
# SUCH DAMAGE.
#
PACKAGE= runtime
LIB= pam_login_access
SRCS= pam_login_access.c login_access.c
MANNODEV= login.access.5 pam_login_access.8
-2
@@ -23,8 +23,6 @@
# SUCH DAMAGE.
#
PACKAGE= runtime
LIB= pam_nologin
SRCS= pam_nologin.c
MANNODEV= pam_nologin.8
@@ -23,8 +23,6 @@
# SUCH DAMAGE.
#
PACKAGE= runtime
LIB= pam_securetty
SRCS= pam_securetty.c
MANNODEV= pam_securetty.8
-2
@@ -23,8 +23,6 @@
# SUCH DAMAGE.
#
PACKAGE= runtime
LIB= pam_self
SRCS= pam_self.c
MANNODEV= pam_self.8
-2
@@ -36,8 +36,6 @@
.include <src.opts.mk>
.include <bsd.init.mk>
PACKAGE= runtime
LIB= pam_unix
SRCS= pam_unix.c
MANNODEV= pam_unix.8
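Review bot: Worth confirming that no other module makefile still assigns PACKAGE once `PACKAGE= runtime` is gone from the top of this one. The page shows the line being removed from six modules (pam_lastlog, pam_login_access, pam_nologin, pam_securetty, pam_self, pam_unix); a grep over the rest of the modules directory would rule out a module being left behind in runtime or another package while the policy files that reference it move to pam.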
+7 -13
@@ -1,7 +1,5 @@
.include <src.opts.mk>
PACKAGE= runtime
NO_OBJ=
CONFGROUPS= CONFS
@@ -17,20 +15,16 @@ CONFDIR= /etc/pam.d
CONFSMODE_README= 444
CONFGROUPS+= CRON
CRON+= cron
CRON= cron
CRONPACKAGE= cron
.if ${MK_AT} != "no"
CONFGROUPS+= AT
AT+= atrun
ATPACKAGE+= at
.endif
CONFGROUPS.${MK_AT}+= AT
AT= atrun
ATPACKAGE= at
.if ${MK_FTP} != "no"
CONFGROUPS+= FTP
FTP+= ftp ftpd
CONFGROUPS.${MK_FTP}+= FTP
FTP= ftp ftpd
# Do not put these in the ftp package, since ports also use them.
FTPPACKAGE= runtime
.endif
FTPPACKAGE= pam
.include <bsd.prog.mk>
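Review bot: `CONFGROUPS.${MK_AT}+= AT` and `CONFGROUPS.${MK_FTP}+= FTP` only install anything if the makefiles pulled in by `.include <bsd.prog.mk>` fold `CONFGROUPS.yes` into `CONFGROUPS`; if they do not, the atrun, ftp and ftpd policy files silently stop being installed. Please confirm that this is supported and say so in the commit message, since the old `.if ${MK_AT} != "no"` form did not depend on it. Separately, the comment "Do not put these in the ftp package, since ports also use them." now sits above `FTPPACKAGE= pam`; it could say why pam rather than the previous runtime is the right home for those files.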
+35
@@ -0,0 +1,35 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2025 Lexi Winter <ivy@FreeBSD.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
comment = "Modular user authentication facility"
desc = <<EOD
PAM (Pluggable Authentication Modules) is an API to connect programs which
wish to authenticate users, such as login(1) or sshd(8), with authentication
providers that handle various authentication methods, such as UNIX passwords
or Kerberos. PAM allows any application to authenticate using any supported
method without needing to modify the application.
PAM was originally implemented by Sun Microsystems as part of the Solaris
operating system. This implementation of PAM comes from OpenPAM, and aims
to be compatible with Solaris PAM.
EOD
annotations {
set = "minimal,minimal-jail"
}
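Review bot: The `desc` text explains what PAM is but not what this package contains or what happens on a system without it. Given that the UPDATING entry says users cannot log in unless the modules are installed, a sentence here stating that this package holds the PAM modules, with libpam split out into pam-lib, would let someone reading the package description judge whether it is safe to remove. Also, `set = "minimal,minimal-jail"` puts the modules in the jail set although the commit message names jails as a case that may not need PAM; a short comment on that choice would help.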