git: ee21ee1572d4 - main - openzfs: attach pam_zfs_key to build

Steffen Nurpmeso steffen at sdaoden.eu
Tue Mar 2 21:59:02 UTC 2021


Ryan Moeller wrote in
 <202103021227.122CRUDH011301 at gitrepo.freebsd.org>:
 ...
 |URL: https://cgit.FreeBSD.org/src/commit/?id=ee21ee1572d40a3b74f18638dae38c1a9ad1e9e3
 |
 |commit ee21ee1572d40a3b74f18638dae38c1a9ad1e9e3
 |Author:     Greg V <greg_unrelenting.technology>
 |AuthorDate: 2021-03-02 11:01:14 +0000
 |Commit:     Ryan Moeller <freqlabs at FreeBSD.org>
 |CommitDate: 2021-03-02 12:26:59 +0000
 |
 |    openzfs: attach pam_zfs_key to build
 |    
 |    This PAM module allows unlocking encrypted user home datasets when
 |    logging in (and changing passphrase when changing the account password),
 |    see https://github.com/openzfs/zfs/pull/9903
 |    
 |    Also supposed to unload the key when the last session for the user is
 |    done, but there are EBUSY issues:
 |    https://github.com/openzfs/zfs/issues/11222#issuecomment-731897858

Very interesting.  This is "cool" per se.  (Especially on
encrypted block devices where a resume requires a password anyhow.
I would not do it like this for myself, but don't mind this.)

As i could not figure it out, how do you manage a session without
having a supervisor like (please let me say the greedy monster)
systemd?  I wrote a pam_xdg module [1] to create the /run/user/PID
of the XDG spec of FreeDesktop (as well as inject the other XDG
path environment variables, optionally), but in the end i had to
strip it down to the absolute core because session handling seemed
impossible.  (As in, daemonized scripts and important things like
tmux, they keep on living even after the "session" has ended.)

(In my superficial opinion PAM is a terrible and under-documented
mess, and each and every module is left alone fiddling around with
effective-[gu]id flags, for example, in order to work gracefully
under all circumstances.)

  [1] https://git.sdaoden.eu/browse?p=s-toolbox.git;a=blob;f=pam_xdg.c;h=4c121e93ca76d2f53a9de67aa9bc100f639f6a05;hb=HEAD

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

