#1137186 pam-auth-update: please consider making $DPKG_ROOT the default value for --root

Package:
src:pam
Source:
src:pam
Submitter:
Johannes Schauer Marin Rodrigues
Date:
2026-06-25 16:05:02 UTC
Severity:
normal
Tags:
#1137186#5
Date:
2026-05-20 14:24:58 UTC
From:
To:
Hello pam maintainers,

thank you for adding the --root option to pam-auth-update back in the day as
the fix of Debian bug #983427 or pam [MR6].

[MR6] https://salsa.debian.org/vorlon/pam/-/merge_requests/6

According to codesearch.d.n the libpam-runtime postinst maintainer script is
the only place in Debian which currently passes that option to pam-auth-update.
I was in the process of adding the --root parameter to the postinst of
libpam-systemd but instead of adding the --root parameter to every maintainer
script which uses it, maybe we could do what other Debian-specific scripts
(e.g.: update-alternatives, update-rc.d, deb-systemd-helper) do and make the
value of $DPKG_ROOT the default value of the --root option. Doing so makes
sense for scripts which are

 * Debian specific ($DPKG_ROOT is not useful for upstream projects which are
   supposed to work outside Debian)
 * are predominantly used in maintainer scripts (where dpkg will set
   $DPKG_ROOT to a non-empty value if it is run with --force-script-chrootless)

The pam-auth-update program fulfills these conditions, so I propose to change
the default value of the --root parameter to be $DPKG_ROOT. I prepared a patch
which implements this in this MR:

https://salsa.debian.org/vorlon/pam/-/merge_requests/33

Like last time, this patch was tested as part of our weekly CI setup at
https://salsa.debian.org/helmutg/dpkg-root-demo/

What do you think? Do you agree that the value of the $DPKG_ROOT environment
variable value would be a good default for the --root option? I'm wondering
whether I should either patch libpam-systemd so that it uses the --root option
or whether I can leave libpam-systemd untouched and change pam-auth-update
instead.

Let me know what you think.

Thanks!

cheers, josch

#1137186#8
Date:
2026-06-25 16:03:10 UTC
From:
To:
Hi Sam,

thank you for your recent work and upload of pam!

Since it has been more than a month since I filed this bug, I wanted to send a
friendly ping about this bug and ask for a review of the changes.

I'm working on allowing the creation of bootable GNU/Hurd images on Linux and
if this change were applied, packages which use pam-auth-update would
automatically pick up the $DPKG_ROOT setting as the correct default.

If you reject this change, then I would file patches against the packages which
call pam-auth-update in their maintainer scripts (like openssh-server). Any
decision is fine but without a decision my work on this is soft-blocked and I
have to rely on locally patched versions of pam. :)

Thanks!

cheers, josch