We provide both /etc/pam.d/ftp and /etc/pam.d/ftpd because FTP servers are inconsistent about which service name they use. Previously ftp was a hard link to ftpd; to avoid hard linking config files, replace ftp with a normal config file that includes the ftpd service. Move ftpd from the -ftpd package into the -runtime package (where the rest of the pam.d services live) since FTP servers from ports use it, and people using a ports FTP server won't want to install the -ftpd package as well.
Details
- Reviewers: des, kevans, bapt
- Group Reviewers: pkgbase
- Commits: rG7a8747f53498: libpam: provide a real /etc/pam.d/ftp

Diff Detail
- Repository: rG FreeBSD src repository
- Lint: Lint Not Applicable
- Unit: Tests Not Applicable

Event Timeline
| lib/libpam/pam.d/Makefile | |
|---|---|
| 31–33 | I suspect you want this to be spelled ${FTPTAG_ARGS} instead, in case we modify how configuration tags are done at an infrastructure level. |
i don't think this is a problem in the mk scripts, the Makefile just wasn't accounting for the fact that the file is in a non-default conf group. unless there's something else to fix here?
Looking at the target from a broader view, it seems like it only exists because we don't have a notion of per-group LINKS. I think that's the only further enhancement that would be required to do this correctly- otherwise the bug was entirely on us not using the correct *TAG_ARGS
i really dislike the idea of hardlinked config files so i'm not sure this is something we want to encourage by adding (more) mk support... in fact my first thought on discovering this bug was that we should remove one of them, but i assume there's a reason we have both—ports FTP servers, maybe? so i'm happy with this as it is (using FTPTAG_ARGS) but if we really want mk infra for this i suppose we could do that.
The correct service name is ftpd, but (at least) two FTP daemons in ports use ftp instead (others use either ftpd or something more specific).
However, we don't need to link the file. We can instead create an ftp policy containing:
```
auth     include  ftpd
account  include  ftpd
session  include  ftpd
```
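An added example, not part of the review thread or the FreeBSD tree: a check that a compatibility alias such as ftp is a separate file whose include lines resolve to the same rules as ftpd. The policy text is constructed sample data, the function names are hypothetical, and the parser handles only the facility/control/module line shape quoted above (no line continuations, no fallback policy).

```python
import os
import tempfile
from pathlib import Path
FACILITIES = ("auth", "account", "session", "password")
# Constructed sample policies for the demo, not copied from the FreeBSD tree.
SAMPLE_FTPD = """\
auth     required  pam_unix.so  no_warn try_first_pass
account  required  pam_nologin.so
session  required  pam_permit.so
"""
SAMPLE_FTP = """\
auth     include  ftpd
account  include  ftpd
session  include  ftpd
"""

def effective_chain(pam_dir, service, facility, seen=()):
    """Rules for one facility of a service, with 'include' lines expanded."""
    if service in seen:
        raise ValueError(f"include loop through {service}")
    rules = []
    for line in (Path(pam_dir) / service).read_text().splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 3 or fields[0] != facility:
            continue
        if fields[1] == "include":
            rules += effective_chain(pam_dir, fields[2], facility, seen + (service,))
        else:
            rules.append((fields[1], fields[2], tuple(fields[3:])))
    return rules

def audit_alias(pam_dir, alias, target):
    """Findings for an alias service; empty means a separate file, same policy."""
    findings = []
    if os.path.samefile(Path(pam_dir) / alias, Path(pam_dir) / target):
        findings.append(f"{alias} and {target} are the same file (hard link or symlink)")
    for fac in FACILITIES:
        if effective_chain(pam_dir, alias, fac) != effective_chain(pam_dir, target, fac):
            findings.append(f"{fac}: {alias} does not resolve to the same rules as {target}")
    return findings

def build_sample(hardlink=False):  # throwaway pam.d dir with the constructed policies
    pam_dir = Path(tempfile.mkdtemp())
    (pam_dir / "ftpd").write_text(SAMPLE_FTPD)
    if hardlink:
        os.link(pam_dir / "ftpd", pam_dir / "ftp")
    else:
        (pam_dir / "ftp").write_text(SAMPLE_FTP)
    return pam_dir
```

A copy of ftpd that has drifted from the original shows up as one finding per facility, while the include-based alias and its target always compare equal.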
if we're intending for this file to be used by ports, FreeBSD-ftpd may not be the right place to put it in the first place; perhaps it should live in -runtime with (most of) the rest of the PAM configs?
```
% grep '@config.* /etc/pam.d/' ~/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/*.plist
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/at.plist:@config(root,wheel,0644,) /etc/pam.d/atrun
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/cron.plist:@config(root,wheel,0644,) /etc/pam.d/cron
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/ftp.plist:@config(root,wheel,0644,) /etc/pam.d/ftp
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/ftp.plist:@config(root,wheel,0644,) /etc/pam.d/ftpd
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0444,) /etc/pam.d/README
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/imap
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/login
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/other
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/passwd
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/pop3
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/sshd
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/su
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/system
/home/ivy/src/bsd/obj/home/ivy/src/bsd/dev/amd64.amd64/worldstage/runtime.plist:@config(root,wheel,0644,) /etc/pam.d/xdm
```
yeah we can put it in runtime and add a comment at the top explaining that it is provided for compatibility with ports that use the wrong service name.
i've tested pkg upgrade with this change and it is not confused by replacing the hard link with a separate file as far as i can tell (e.g., it doesn't replace /etc/pam.d/ftpd with the contents of /etc/pam.d/ftp).
actually i see the file was previously installed in the ftp package (not ftpd) which seems also dubious as that's for the FTP client, which won't be using PAM at all. so i think the change is still right but i'll clarify the commit message before landing.
| lib/libpam/pam.d/ftp | |
|---|---|
| 2 | We don't need two blank lines, I think they're an artifact of when we had $FreeBSD$ here. |