From nobody Mon Nov 10 11:06:18 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4d4n0V60LMz6GZ68; Mon, 10 Nov 2025 11:06:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4d4n0V3vctz3Vrr; Mon, 10 Nov 2025 11:06:18 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1762772778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=La8Rr5+5RtFXgTEH8ML7DjgkMkvIiiG9H2iGKc2wVn0=; b=JJLU3tzwqp1J9BO7hnKeoClECd4y3W8xy9jsQRHtW/YMtkJ3ogps4jNc5aYRRSoTCTRUnf VpvJbybeOd/f7Tbh42Q663hLYCRNCZP8TwXwKE45yuND6hcrUdHnO74k2OM7CE+OwhhyHD C+06T5Iro7uYIbjAAaEOy1yFYD0nhpOSauWR1qxta035au0no4AHekdPX7cGAQKRLovArW K1Xl855j28u5GNOZPhBxr2rWfZpq9y7xtffAJrAaqQPJU/h6ifvnjCwE9S42UYJpHJobas fz3yRGDoW31gLhvKys+OfRYFeHSLPAdu6iM+COjs0kWTJ0+njOVSE3wBKy1OcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1762772778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=La8Rr5+5RtFXgTEH8ML7DjgkMkvIiiG9H2iGKc2wVn0=; b=AD6SZJ4IbvlaBqwTepgfMpn4Dw/CqXRMIsCvjhAuNdrY0tM7YJgr8ttjKxes5NUdVwCHdl tzhYq+Olna/hoFnu8R4ZPFswL/zJ6ZOvAD2q1F3TKXkgRCbdYwLIXXsSSa/se3CZHQ8g3p VyiYayn7tl2jcy0qz4XxzjdP94P6oX4BZHEOcp0ACcx2o55V2PKgyXD7MrsB6IRL32ckSL W8YvJ+Xa3r8BbvzT1bjy14XzpLtD7f9zP3qCmVMC3c/awJS0IzjEI5zfZdWcG7aSyymOph VJfgRq1wIHWUGbdbKgj9pPOmnwDwuvAZbN1UgeLwRUwEK1udSJXyf4CIlaog/A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1762772778; a=rsa-sha256; cv=none; b=O/+fXgn7kW1NH28cRQ56m/9kbIskRXExD0iHUr2fNsQZPgR0HKyrAhYeJcI7G6hgVjY2mT 0EAo5xLAs0jk0fDqi33jbWyVwJLeyiRX0J95FOoeeY8A07uB4ZEhqENGVPWliaE3VqnaLK CuBDWlXC+22bEllcXN9Xwlpj3KkCBabTANhsw9wJddqHyjPwlrW2Gsz+tGQ5GbjM5qiits pJ7hwnGmIIBaeanQUe4MXXVqK80xOlv2T1oQt2fWmlhJ51Ze5jtuIgYtjeQI6dHO+8TIeb 6eQF2cOQ2JrS4ho5CtIar397Tp5glj6cyoH4lVq7YPdz5VZNTGwb8pYNy2llNQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4d4n0V3PR6z1Ct; Mon, 10 Nov 2025 11:06:18 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5AAB6IqH011096; Mon, 10 Nov 2025 11:06:18 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5AAB6I48011093; Mon, 10 Nov 2025 11:06:18 GMT (envelope-from git) Date: Mon, 10 Nov 2025 11:06:18 GMT Message-Id: <202511101106.5AAB6I48011093@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Lexi Winter Subject: git: 560af6b43e2a - main - libpam: Move to a new "pam" package List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ivy X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 560af6b43e2a86e591e94bea99777630cd5f84fd Auto-Submitted: auto-generated The branch main has been updated by ivy: URL: https://cgit.FreeBSD.org/src/commit/?id=560af6b43e2a86e591e94bea99777630cd5f84fd commit 560af6b43e2a86e591e94bea99777630cd5f84fd Author: Lexi Winter AuthorDate: 2025-11-10 10:20:33 +0000 Commit: Lexi Winter CommitDate: 2025-11-10 11:05:37 +0000 libpam: Move to a new "pam" package OpenPAM is a discrete, largely self-contained system component. Users may not need PAM for many use-cases (e.g. jails, containers), so move it to its own package. Use LIB_PACKAGE to create a separate pam-lib package for libpam, so that applications that support PAM don't need to bring in all the PAM modules if PAM isn't actually in use. Add pam to the minimal sets, since this is a core system component that people expect to be installed. This means all supported installation methods will install the PAM modules by default, so don't add explicit dependencies on the PAM modules from things that use PAM (e.g. runtime), allowing custom/embedded systems to omit these easily. This change adds a new package to the system so, until we have a proper policy on how to handle this in release/stable branches, it should not be MFC'd. MFC after: never Reviewed by: des, bapt Sponsored by: https://www.patreon.com/bsdivy Differential Revision: https://reviews.freebsd.org/D53602 --- UPDATING | 12 ++++++++++ lib/libpam/Makefile.inc | 2 ++ lib/libpam/libpam/Makefile | 2 +- lib/libpam/modules/pam_lastlog/Makefile | 2 -- lib/libpam/modules/pam_login_access/Makefile | 2 -- lib/libpam/modules/pam_nologin/Makefile | 2 -- lib/libpam/modules/pam_securetty/Makefile | 2 -- lib/libpam/modules/pam_self/Makefile | 2 -- lib/libpam/modules/pam_unix/Makefile | 2 -- lib/libpam/pam.d/Makefile | 20 ++++++---------- release/packages/ucl/pam-all.ucl | 35 ++++++++++++++++++++++++++++ 11 files changed, 57 insertions(+), 26 deletions(-) diff --git a/UPDATING b/UPDATING index 62a920e3a696..d6cbe66009f0 100644 --- a/UPDATING +++ b/UPDATING @@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 16.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20251110: + OpenPAM (including libpam and the PAM modules) has moved to the new + "pam" package. The pam-lib subpackage, which includes libpam, will + be automatically installed when required. + + If you have set-minimal(-jail) installed, the pam base package which + contains the PAM modules will also be automatically installed. + If you don't, you MUST manually install the FreeBSD-pam package if you + need to authenticate users, otherwise you won't be able to log in. + + This change only affects pkgbase users. + 20251105: pf(4) now supports nat64 via the af-to keyword. diff --git a/lib/libpam/Makefile.inc b/lib/libpam/Makefile.inc index bec0687d1b7f..28630e46b949 100644 --- a/lib/libpam/Makefile.inc +++ b/lib/libpam/Makefile.inc @@ -23,6 +23,8 @@ # SUCH DAMAGE. # +PACKAGE?= pam + CFLAGS+= -DOPENPAM_DEBUG SHLIB_MAJOR= 6 diff --git a/lib/libpam/libpam/Makefile b/lib/libpam/libpam/Makefile index c6db4992bb36..f220063971d7 100644 --- a/lib/libpam/libpam/Makefile +++ b/lib/libpam/libpam/Makefile @@ -42,7 +42,7 @@ OPENPAM= ${SRCTOP}/contrib/openpam SHLIB= pam .endif -PACKAGE= runtime +LIB_PACKAGE= SRCS= openpam_asprintf.c \ openpam_borrow_cred.c \ diff --git a/lib/libpam/modules/pam_lastlog/Makefile b/lib/libpam/modules/pam_lastlog/Makefile index ecaf013c504a..9d27f4779184 100644 --- a/lib/libpam/modules/pam_lastlog/Makefile +++ b/lib/libpam/modules/pam_lastlog/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_lastlog SRCS= pam_lastlog.c MANNODEV= pam_lastlog.8 diff --git a/lib/libpam/modules/pam_login_access/Makefile b/lib/libpam/modules/pam_login_access/Makefile index 41bc32212351..e31866395a94 100644 --- a/lib/libpam/modules/pam_login_access/Makefile +++ b/lib/libpam/modules/pam_login_access/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_login_access SRCS= pam_login_access.c login_access.c MANNODEV= login.access.5 pam_login_access.8 diff --git a/lib/libpam/modules/pam_nologin/Makefile b/lib/libpam/modules/pam_nologin/Makefile index c4ccc27b8958..38c9ea2b0a2a 100644 --- a/lib/libpam/modules/pam_nologin/Makefile +++ b/lib/libpam/modules/pam_nologin/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_nologin SRCS= pam_nologin.c MANNODEV= pam_nologin.8 diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile index 6e5e7d929b7d..90740721a3f5 100644 --- a/lib/libpam/modules/pam_securetty/Makefile +++ b/lib/libpam/modules/pam_securetty/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_securetty SRCS= pam_securetty.c MANNODEV= pam_securetty.8 diff --git a/lib/libpam/modules/pam_self/Makefile b/lib/libpam/modules/pam_self/Makefile index ecf85b8de70a..8a6b3702b5a1 100644 --- a/lib/libpam/modules/pam_self/Makefile +++ b/lib/libpam/modules/pam_self/Makefile @@ -23,8 +23,6 @@ # SUCH DAMAGE. # -PACKAGE= runtime - LIB= pam_self SRCS= pam_self.c MANNODEV= pam_self.8 diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile index 1bb1e6f2c71a..124a757eae9d 100644 --- a/lib/libpam/modules/pam_unix/Makefile +++ b/lib/libpam/modules/pam_unix/Makefile @@ -36,8 +36,6 @@ .include .include -PACKAGE= runtime - LIB= pam_unix SRCS= pam_unix.c MANNODEV= pam_unix.8 diff --git a/lib/libpam/pam.d/Makefile b/lib/libpam/pam.d/Makefile index a58c37b6c223..2cc5122b2ecc 100644 --- a/lib/libpam/pam.d/Makefile +++ b/lib/libpam/pam.d/Makefile @@ -1,7 +1,5 @@ .include -PACKAGE= runtime - NO_OBJ= CONFGROUPS= CONFS @@ -17,20 +15,16 @@ CONFDIR= /etc/pam.d CONFSMODE_README= 444 CONFGROUPS+= CRON -CRON+= cron +CRON= cron CRONPACKAGE= cron -.if ${MK_AT} != "no" -CONFGROUPS+= AT -AT+= atrun -ATPACKAGE+= at -.endif +CONFGROUPS.${MK_AT}+= AT +AT= atrun +ATPACKAGE= at -.if ${MK_FTP} != "no" -CONFGROUPS+= FTP -FTP+= ftp ftpd +CONFGROUPS.${MK_FTP}+= FTP +FTP= ftp ftpd # Do not put these in the ftp package, since ports also use them. -FTPPACKAGE= runtime -.endif +FTPPACKAGE= pam .include diff --git a/release/packages/ucl/pam-all.ucl b/release/packages/ucl/pam-all.ucl new file mode 100644 index 000000000000..c77b926532e6 --- /dev/null +++ b/release/packages/ucl/pam-all.ucl @@ -0,0 +1,35 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2025 Lexi Winter + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +comment = "Modular user authentication facility" + +desc = <