From 560af6b43e2a86e591e94bea99777630cd5f84fd Mon Sep 17 00:00:00 2001 From: Lexi Winter Date: Mon, 10 Nov 2025 10:20:33 +0000 Subject: [PATCH] libpam: Move to a new "pam" package OpenPAM is a discrete, largely self-contained system component. Users may not need PAM for many use-cases (e.g. jails, containers), so move it to its own package. Use LIB_PACKAGE to create a separate pam-lib package for libpam, so that applications that support PAM don't need to bring in all the PAM modules if PAM isn't actually in use. Add pam to the minimal sets, since this is a core system component that people expect to be installed. This means all supported installation methods will install the PAM modules by default, so don't add explicit dependencies on the PAM modules from things that use PAM (e.g. runtime), allowing custom/embedded systems to omit these easily. This change adds a new package to the system so, until we have a proper policy on how to handle this in release/stable branches, it should not be MFC'd. MFC after: never Reviewed by: des, bapt Sponsored by: https://www.patreon.com/bsdivy Differential Revision: https://reviews.freebsd.org/D53602 --- UPDATING | 12 +++++++ lib/libpam/Makefile.inc | 2 ++ lib/libpam/libpam/Makefile | 2 +- lib/libpam/modules/pam_lastlog/Makefile | 2 -- lib/libpam/modules/pam_login_access/Makefile | 2 -- lib/libpam/modules/pam_nologin/Makefile | 2 -- lib/libpam/modules/pam_securetty/Makefile | 2 -- lib/libpam/modules/pam_self/Makefile | 2 -- lib/libpam/modules/pam_unix/Makefile | 2 -- lib/libpam/pam.d/Makefile | 20 ++++------- release/packages/ucl/pam-all.ucl | 35 ++++++++++++++++++++ 11 files changed, 57 insertions(+), 26 deletions(-) create mode 100644 release/packages/ucl/pam-all.ucl diff --git a/UPDATING b/UPDATING index 62a920e3a69..d6cbe66009f 100644 --- a/UPDATING +++ b/UPDATING 
@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 16.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20251110: + OpenPAM (including libpam and the PAM modules) has moved to the new + "pam" package. The pam-lib subpackage, which includes libpam, will + be automatically installed when required. + + If you have set-minimal(-jail) installed, the pam base package which + contains the PAM modules will also be automatically installed. + If you don't, you MUST manually install the FreeBSD-pam package if you + need to authenticate users, otherwise you won't be able to log in. + + This change only affects pkgbase users. + 20251105: pf(4) now supports nat64 via the af-to keyword. diff --git a/lib/libpam/Makefile.inc b/lib/libpam/Makefile.inc index bec0687d1b7..28630e46b94 100644 --- a/lib/libpam/Makefile.inc +++ b/lib/libpam/Makefile.inc @@ -23,6 +23,8 @@ # SUCH DAMAGE. # +PACKAGE?= pam + CFLAGS+= -DOPENPAM_DEBUG SHLIB_MAJOR= 6 diff --git a/lib/libpam/libpam/Makefile b/lib/libpam/libpam/Makefile index c6db4992bb3..f220063971d 100644 --- a/lib/libpam/libpam/Makefile +++ b/lib/libpam/libpam/Makefile @@ -42,7 +42,7 @@ OPENPAM= ${SRCTOP}/contrib/openpam SHLIB= pam .endif -PACKAGE= runtime +LIB_PACKAGE= SRCS= openpam_asprintf.c \ openpam_borrow_cred.c \ diff --git a/lib/libpam/modules/pam_lastlog/Makefile b/lib/libpam/modules/pam_lastlog/Makefile index ecaf013c504..9d27f477918 100644 --- a/lib/libpam/modules/pam_lastlog/Makefile +++ b/lib/libpam/modules/pam_lastlog/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_lastlog SRCS= pam_lastlog.c MANNODEV= pam_lastlog.8 diff --git a/lib/libpam/modules/pam_login_access/Makefile b/lib/libpam/modules/pam_login_access/Makefile index 41bc3221235..e31866395a9 100644 --- a/lib/libpam/modules/pam_login_access/Makefile +++ b/lib/libpam/modules/pam_login_access/Makefile 
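Review bot: The added `PACKAGE?= pam` in lib/libpam/Makefile.inc has no comment, yet the rest of the patch depends on it: the six module Makefiles and pam.d/Makefile drop their own `PACKAGE= runtime` and now take whatever this file supplies. Because the assignment is conditional, a PACKAGE value already set when this file is read wins without any diagnostic. A module that ends up in an unexpected package could then be missing on a system that installed only pam, and the UPDATING entry describes missing PAM modules as a condition where users cannot log in. I would add above it `# Default package for everything under lib/libpam; ?= so a subdirectory can still override it.` How modules/*/Makefile reaches this file is not visible in the patch, so that include chain is worth confirming.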
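Review bot: In lib/libpam/libpam/Makefile, `LIB_PACKAGE=` is assigned an empty value with no comment, so it reads like a truncated edit of the `PACKAGE= runtime` line it replaces. The commit message says this line is what splits libpam into the pam-lib subpackage, which suggests the framework only tests whether the variable is defined; that is inferred, not shown in this hunk. A one-line comment would keep a later cleanup from deleting it: `# Defined (empty) on purpose: ship libpam in the pam-lib subpackage.`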
@@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_login_access SRCS= pam_login_access.c login_access.c MANNODEV= login.access.5 pam_login_access.8 diff --git a/lib/libpam/modules/pam_nologin/Makefile b/lib/libpam/modules/pam_nologin/Makefile index c4ccc27b895..38c9ea2b0a2 100644 --- a/lib/libpam/modules/pam_nologin/Makefile +++ b/lib/libpam/modules/pam_nologin/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_nologin SRCS= pam_nologin.c MANNODEV= pam_nologin.8 diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile index 6e5e7d929b7..90740721a3f 100644 --- a/lib/libpam/modules/pam_securetty/Makefile +++ b/lib/libpam/modules/pam_securetty/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_securetty SRCS= pam_securetty.c MANNODEV= pam_securetty.8 diff --git a/lib/libpam/modules/pam_self/Makefile b/lib/libpam/modules/pam_self/Makefile index ecf85b8de70..8a6b3702b5a 100644 --- a/lib/libpam/modules/pam_self/Makefile +++ b/lib/libpam/modules/pam_self/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_self SRCS= pam_self.c MANNODEV= pam_self.8 diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile index 1bb1e6f2c71..124a757eae9 100644 --- a/lib/libpam/modules/pam_unix/Makefile +++ b/lib/libpam/modules/pam_unix/Makefile @@ -36,8 +36,6 @@ .include .include -PACKAGE= runtime - LIB= pam_unix SRCS= pam_unix.c MANNODEV= pam_unix.8 diff --git a/lib/libpam/pam.d/Makefile b/lib/libpam/pam.d/Makefile index a58c37b6c22..2cc5122b2ec 100644 --- a/lib/libpam/pam.d/Makefile +++ b/lib/libpam/pam.d/Makefile @@ -1,7 +1,5 @@ .include -PACKAGE= runtime - NO_OBJ= CONFGROUPS= CONFS 
@@ -17,20 +15,16 @@ CONFDIR= /etc/pam.d CONFSMODE_README= 444 CONFGROUPS+= CRON -CRON+= cron +CRON= cron CRONPACKAGE= cron -.if ${MK_AT} != "no" -CONFGROUPS+= AT -AT+= atrun -ATPACKAGE+= at -.endif +CONFGROUPS.${MK_AT}+= AT +AT= atrun +ATPACKAGE= at -.if ${MK_FTP} != "no" -CONFGROUPS+= FTP -FTP+= ftp ftpd +CONFGROUPS.${MK_FTP}+= FTP +FTP= ftp ftpd # Do not put these in the ftp package, since ports also use them. -FTPPACKAGE= runtime -.endif +FTPPACKAGE= pam .include diff --git a/release/packages/ucl/pam-all.ucl b/release/packages/ucl/pam-all.ucl new file mode 100644 index 00000000000..c77b926532e --- /dev/null +++ b/release/packages/ucl/pam-all.ucl @@ -0,0 +1,35 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2025 Lexi Winter + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +comment = "Modular user authentication facility" + +desc = <
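Review bot: In lib/libpam/pam.d/Makefile, `CONFGROUPS.${MK_AT}+= AT` and `CONFGROUPS.${MK_FTP}+= FTP` are not equivalent to the `.if ${MK_AT} != "no"` blocks they replace. The new form appends to a variable named after the option's value, so the atrun and ftp/ftpd policy files are installed only if the included framework folds that exact variable (presumably `CONFGROUPS.yes`) into CONFGROUPS, which this hunk does not show. If it does not, the files drop out of the install silently and those services have no policy file of their own under /etc/pam.d. Once confirmed against the mk files, record it at the first use, e.g. `# CONFGROUPS.yes is merged into CONFGROUPS by the conf install rules; MK_* is "yes" or "no".` Separately, `FTPPACKAGE= pam` hard-codes the name while the default now comes from `PACKAGE?= pam` in lib/libpam/Makefile.inc, so an overridden PACKAGE would leave the ftp policies in pam; the existing comment could say whether that is intended.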