Merge ~vorlon/ubuntu/+source/pam:merge into ubuntu/+source/pam:debian/sid

Proposed by Steve Langasek
Status: Approved
Approved by: Nish Aravamudan
Approved revision: 56be0589c4360b577fcaaca8245090271a5427ea
Proposed branch: ~vorlon/ubuntu/+source/pam:merge
Merge into: ubuntu/+source/pam:debian/sid
Diff against target: 9799 lines (+9138/-0) (has conflicts)
25 files modified
debian/changelog (+2079/-0)
debian/control (+15/-0)
debian/libpam-modules-bin.install (+5/-0)
debian/libpam-modules.manpages (+4/-0)
debian/libpam-modules.postinst (+15/-0)
debian/libpam0g.postinst (+48/-0)
debian/local/common-session (+8/-0)
debian/local/common-session-noninteractive (+8/-0)
debian/local/pam-auth-update (+18/-0)
debian/local/pam-auth-update.8 (+3/-0)
debian/patches-applied/cve-2015-3238.patch (+6/-0)
debian/patches-applied/extrausers.patch (+6567/-0)
debian/patches-applied/pam_motd-legal-notice (+86/-0)
debian/patches-applied/pam_umask_usergroups_from_login.defs.patch (+127/-0)
debian/patches-applied/series (+11/-0)
debian/patches-applied/ubuntu-rlimit_nice_correction (+17/-0)
debian/patches-applied/update-motd-manpage-ref (+28/-0)
debian/po/eu.po (+6/-0)
debian/po/fi.po (+3/-0)
debian/po/ro.po (+3/-0)
debian/po/tr.po (+3/-0)
debian/po/vi.po (+3/-0)
debian/po/zh_CN.po (+3/-0)
debian/rules (+5/-0)
debian/update-motd.5 (+67/-0)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/libpam-modules-bin.install
Conflict in debian/libpam-modules.manpages
Conflict in debian/libpam-modules.postinst
Conflict in debian/libpam0g.postinst
Conflict in debian/local/common-session
Conflict in debian/local/common-session-noninteractive
Conflict in debian/local/pam-auth-update
Conflict in debian/local/pam-auth-update.8
Conflict in debian/patches-applied/cve-2015-3238.patch
Conflict in debian/patches-applied/series
Conflict in debian/po/eu.po
Conflict in debian/po/fi.po
Conflict in debian/po/ro.po
Conflict in debian/po/tr.po
Conflict in debian/po/vi.po
Conflict in debian/po/zh_CN.po
Conflict in debian/rules
Reviewer: git-ubuntu developers
Review status: Pending
Review via email: mp+341556@code.launchpad.net

Description of the change

Resubmit of the now-abandoned <https://code.launchpad.net/~vorlon/ubuntu/+source/pam/+git/pam/+merge/332890> against the now reimported repository, with a fixed-up "logical" tag.

Nish Aravamudan (nacc) wrote :

Because this was already uploaded, we are essentially 'too late' to integrate the rich history directly. I have upload-tagged the source commit and pushed it to the importer repository, though.

In a future merge, the upload tag can be used as the starting point (presuming no further bionic changes), or it can even be used as the starting point of the next bugfix, and then it would get integrated, as long as the upload tag is pushed before the dput.

Unmerged commits

56be058... by Steve Langasek

Fix service restart handling to integrate with systemd instead of upstart.

d83e877... by Steve Langasek

Fix references to /var/run in update-motd.5. LP: #1571864

e416d7e... by Steve Langasek

document bugs fixed upstream

e8b0ebb... by Steve Langasek

fix up VCS fields

b6efc2b... by Steve Langasek

update-maintainer

5c284b3... by Steve Langasek

reconstruct-changelog

5754c62... by Steve Langasek

merge-changelogs

763552a... by Steve Langasek

  * debian/patches-applied/cve-2015-3238.patch: removed manpage changes
    so they don't get regenerated during build and cause a multiarch
    installation issue. (LP: #1558114)

ef05976... by Steve Langasek

    - don't notify about xdm restarts during a release-upgrade

b2595de... by Steve Langasek

po file cleanups

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index ff9229d..89101d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,4 @@
1<<<<<<< debian/changelog
1pam (1.1.8-3.7) unstable; urgency=medium2pam (1.1.8-3.7) unstable; urgency=medium
23
3 * Non-maintainer upload.4 * Non-maintainer upload.
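Review bot: The first added line of this hunk is a literal `<<<<<<< debian/changelog` marker placed ahead of the `pam (1.1.8-3.7) unstable; urgency=medium` header, so the changelog no longer starts with a version heading. This marker and the matching `=======` and `>>>>>>> debian/changelog` lines further down need to be resolved away before the branch lands, since anything that reads the package version from the top changelog entry will not parse the file in this state.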
@@ -7,6 +8,61 @@ pam (1.1.8-3.7) unstable; urgency=medium
7 enabling non-default configs without prompting the admin. (LP: #1192719)8 enabling non-default configs without prompting the admin. (LP: #1192719)
89
9 -- Timo Aaltonen <tjaalton@debian.org> Fri, 02 Feb 2018 16:57:43 +020010 -- Timo Aaltonen <tjaalton@debian.org> Fri, 02 Feb 2018 16:57:43 +0200
11=======
12pam (1.1.8-3.6ubuntu1) bionic; urgency=medium
13
14 * Merge with Debian unstable.
15 - Fixes unescaped brace in pam_getenv regex. LP: #1538284.
16 - Fixes pam_namespace defaults for compatibility with dash. LP: #1081323.
17 * Remaining changes:
18 - debian/control: have libpam-modules recommend update-motd package
19 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
20 not present there or in /etc/security/pam_env.conf. (should send to
21 Debian).
22 - debian/libpam0g.postinst: only ask questions during update-manager when
23 there are non-default services running.
24 - debian/libpam0g.postinst: check if gdm is actually running before
25 trying to reload it.
26 - debian/libpam0g.postinst: the init script for 'samba' is now named
27 'smbd' in Ubuntu, so fix the restart handling.
28 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
29 initialise RLIMIT_NICE rather than relying on the kernel limits.
30 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
31 Deprecate pam_unix's explicit "usergroups" option and instead read it
32 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
33 there. This restores compatibility with the pre-PAM behaviour of login.
34 - debian/patches-applied/pam_motd-legal-notice: display the contents of
35 /etc/legal once, then set a flag in the user's homedir to prevent
36 showing it again.
37 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
38 for update-motd, with some best practices and notes of explanation.
39 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
40 to update-motd(5)
41 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
42 default, now that the umask setting is gone from /etc/profile.
43 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
44 - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
45 that is basically just a copy of pam_unix but looks at
46 /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
47 - debian/libpam-modules-bin.install: install the helper binaries for
48 pam_extrausers to /sbin
49 - debian/rules: Make pam_extrausers_chkpwd sguid shadow
50 - pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
51 by default.
52 - don't notify about xdm restarts during a release-upgrade
53 - debian/patches-applied/cve-2015-3238.patch: removed manpage changes
54 so they don't get regenerated during build and cause a multiarch
55 installation issue.
56 * Dropped changes, included in Debian:
57 - Build-depend on libfl-dev.
58 - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
59 soft nofile limit read from pid 1 to FD_SETSIZE.
60 * Fix references to /var/run in update-motd.5. LP: #1571864
61 * Fix service restart handling to integrate with systemd instead of
62 upstart.
63
64 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 26 Oct 2017 23:23:18 -0700
65>>>>>>> debian/changelog
1066
11pam (1.1.8-3.6) unstable; urgency=medium67pam (1.1.8-3.6) unstable; urgency=medium
1268
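Review bot: The new `pam (1.1.8-3.6ubuntu1) bionic` entry lands below `pam (1.1.8-3.7) unstable` in this hunk, which leaves the Debian 1.1.8-3.7 upload as the topmost entry and puts an Ubuntu version lower than the entry above it. The merge should be redone on top of 1.1.8-3.7 so that the Ubuntu entry comes first and carries a version derived from 3.7. While re-editing the entry, `Make pam_extrausers_chkpwd sguid shadow` reads like a typo for setgid and `/etc/login.def's` for `/etc/login.defs`; the line that documents the mode of a privileged helper is worth stating precisely.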
@@ -75,6 +131,77 @@ pam (1.1.8-3.3) unstable; urgency=low
75131
76 -- Laurent Bigonville <bigon@debian.org> Wed, 18 May 2016 02:04:29 +0200132 -- Laurent Bigonville <bigon@debian.org> Wed, 18 May 2016 02:04:29 +0200
77133
134<<<<<<< debian/changelog
135=======
136pam (1.1.8-3.2ubuntu3) artful; urgency=medium
137
138 * No-change rebuild to pick up -fPIE compiler default in static
139 libraries
140
141 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 21 Apr 2017 20:53:23 +0000
142
143pam (1.1.8-3.2ubuntu2) xenial; urgency=medium
144
145 * debian/patches-applied/cve-2015-3238.patch: removed manpage changes
146 so they don't get regenerated during build and cause a multiarch
147 installation issue. (LP: #1558114)
148
149 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Mar 2016 13:34:02 -0400
150
151pam (1.1.8-3.2ubuntu1) xenial; urgency=medium
152
153 * Merge from Debian unstable. Remaining changes:
154 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
155 not present there or in /etc/security/pam_env.conf. (should send to
156 Debian).
157 - debian/libpam0g.postinst: only ask questions during update-manager when
158 there are non-default services running.
159 - debian/libpam0g.postinst: check if gdm is actually running before
160 trying to reload it.
161 - debian/libpam0g.postinst: the init script for 'samba' is now named
162 'smbd' in Ubuntu, so fix the restart handling.
163 - Change Vcs-Bzr to point at the Ubuntu branch.
164 - debian/patches-applied/series: Ubuntu patches are as below ...
165 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
166 initialise RLIMIT_NICE rather than relying on the kernel limits.
167 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
168 Deprecate pam_unix's explicit "usergroups" option and instead read it
169 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
170 there. This restores compatibility with the pre-PAM behaviour of login.
171 - debian/patches-applied/pam_motd-legal-notice: display the contents of
172 /etc/legal once, then set a flag in the user's homedir to prevent
173 showing it again.
174 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
175 for update-motd, with some best practices and notes of explanation.
176 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
177 to update-motd(5)
178 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
179 default, now that the umask setting is gone from /etc/profile.
180 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
181 - Build-depend on libfl-dev in addition to flex, for cross-building
182 support.
183 - Add /usr/local/games to PATH.
184 - Adjust debian/patches-applied/update-motd to write to
185 /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
186 to use this file and no longer links /etc/motd to /var/run/motd.
187 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
188 include patch to autogenerated manpage file
189 - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
190 Update patch with follow-up changes to loginuid.c
191 - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
192 that is basically just a copy of pam_unix but looks at
193 /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
194 - debian/libpam-modules-bin.install: install the helper binaries for
195 pam_extrausers to /sbin
196 - debian/rules: Make pam_extrausers_chkpwd sguid shadow
197 - debian/patches-applied/extrausers.patch: Ship pre-generated man page
198 - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
199 soft nofile limit read from pid 1 to FD_SETSIZE.
200 - debian/control: have libpam-modules recommend update-motd package
201
202 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Mar 2016 09:50:51 -0400
203
204>>>>>>> debian/changelog
78pam (1.1.8-3.2) unstable; urgency=medium205pam (1.1.8-3.2) unstable; urgency=medium
79206
80 * Non-maintainer upload.207 * Non-maintainer upload.
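Review bot: The `Remaining changes` list in the 1.1.8-3.2ubuntu1 entry of this hunk includes items that the new 1.1.8-3.6ubuntu1 entry lists under neither `Remaining changes` nor `Dropped changes`: `Add /usr/local/games to PATH`, the `update-motd` adjustment to write to `/run/motd.dynamic`, and `pam-loginuid-in-containers`. Each should be accounted for in the new entry, either kept or dropped with the reason, so that someone auditing the delta against Debian can tell whether that behaviour is still present.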
@@ -83,6 +210,79 @@ pam (1.1.8-3.2) unstable; urgency=medium
83210
84 -- Tianon Gravi <tianon@debian.org> Wed, 06 Jan 2016 15:53:31 -0800211 -- Tianon Gravi <tianon@debian.org> Wed, 06 Jan 2016 15:53:31 -0800
85212
213<<<<<<< debian/changelog
214=======
215pam (1.1.8-3.1ubuntu3) vivid; urgency=medium
216
217 * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
218 soft nofile limit read from pid 1 to FD_SETSIZE.
219
220 -- Robie Basak <robie.basak@ubuntu.com> Wed, 22 Apr 2015 08:55:24 +0000
221
222pam (1.1.8-3.1ubuntu2) vivid; urgency=medium
223
224 * debian/control:
225 - have libpam-modules recommend update-motd package
226 + while libpam-modules provides pam_motd, which does dynamically
227 generate the motd from /etc/update-motd.d on login, hundreds of
228 users have asked in the past few years how they might "force"
229 a MOTD update; this is provided by /usr/sbin/update-motd
230 in the tiny update-motd package (already in main); recommend
231 this package
232
233 -- Dustin Kirkland <kirkland@ubuntu.com> Tue, 11 Nov 2014 12:49:14 -0600
234
235pam (1.1.8-3.1ubuntu1) vivid; urgency=low
236
237 * Merge from Debian unstable. Remaining changes:
238 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
239 not present there or in /etc/security/pam_env.conf. (should send to
240 Debian).
241 - debian/libpam0g.postinst: only ask questions during update-manager when
242 there are non-default services running.
243 - debian/libpam0g.postinst: check if gdm is actually running before
244 trying to reload it.
245 - debian/libpam0g.postinst: the init script for 'samba' is now named
246 'smbd' in Ubuntu, so fix the restart handling.
247 - Change Vcs-Bzr to point at the Ubuntu branch.
248 - debian/patches-applied/series: Ubuntu patches are as below ...
249 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
250 initialise RLIMIT_NICE rather than relying on the kernel limits.
251 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
252 Deprecate pam_unix's explicit "usergroups" option and instead read it
253 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
254 there. This restores compatibility with the pre-PAM behaviour of login.
255 - debian/patches-applied/pam_motd-legal-notice: display the contents of
256 /etc/legal once, then set a flag in the user's homedir to prevent
257 showing it again.
258 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
259 for update-motd, with some best practices and notes of explanation.
260 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
261 to update-motd(5)
262 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
263 default, now that the umask setting is gone from /etc/profile.
264 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
265 - Build-depend on libfl-dev in addition to flex, for cross-building
266 support.
267 - Add /usr/local/games to PATH.
268 - Adjust debian/patches-applied/update-motd to write to
269 /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
270 to use this file and no longer links /etc/motd to /var/run/motd.
271 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
272 include patch to autogenerated manpage file
273 - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
274 Update patch with follow-up changes to loginuid.c
275 - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
276 that is basically just a copy of pam_unix but looks at
277 /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
278 - debian/libpam-modules-bin.install: install the helper binaries for
279 pam_extrausers to /sbin
280 - debian/rules: Make pam_extrausers_chkpwd sguid shadow
281 - debian/patches-applied/extrausers.patch: Ship pre-generated man page
282
283 -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 27 Oct 2014 09:57:52 +0100
284
285>>>>>>> debian/changelog
86pam (1.1.8-3.1) unstable; urgency=high286pam (1.1.8-3.1) unstable; urgency=high
87287
88 * Non-maintainer upload by the Security Team.288 * Non-maintainer upload by the Security Team.
@@ -93,6 +293,81 @@ pam (1.1.8-3.1) unstable; urgency=high
93293
94 -- Michael Gilbert <mgilbert@debian.org> Sat, 09 Aug 2014 09:50:42 +0000294 -- Michael Gilbert <mgilbert@debian.org> Sat, 09 Aug 2014 09:50:42 +0000
95295
296<<<<<<< debian/changelog
297=======
298pam (1.1.8-3ubuntu4) utopic; urgency=medium
299
300 * No-change rebuild to get debug symbols on all architectures.
301
302 -- Brian Murray <brian@ubuntu.com> Tue, 21 Oct 2014 12:32:23 -0700
303
304pam (1.1.8-3ubuntu3) utopic; urgency=medium
305
306 * debian/patches-applied/extrausers.patch:
307 - Ship pre-generated man page
308
309 -- Michael Terry <mterry@ubuntu.com> Tue, 22 Jul 2014 14:13:31 -0400
310
311pam (1.1.8-3ubuntu2) utopic; urgency=medium
312
313 * debian/patches-applied/extrausers.patch: Add a pam_extrausers module
314 that is basically just a copy of pam_unix but looks at
315 /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
316 * debian/libpam-modules-bin.install: install the helper binaries for
317 pam_extrausers to /sbin
318 * debian/rules: Make pam_extrausers_chkpwd sguid shadow
319
320 -- Michael Terry <mterry@ubuntu.com> Fri, 18 Jul 2014 14:52:08 -0400
321
322pam (1.1.8-3ubuntu1) utopic; urgency=medium
323
324 [ Stéphane Graber ]
325 * Merge from Debian unstable, remaining changes:
326 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
327 not present there or in /etc/security/pam_env.conf. (should send to
328 Debian).
329 - debian/libpam0g.postinst: only ask questions during update-manager when
330 there are non-default services running.
331 - debian/libpam0g.postinst: check if gdm is actually running before
332 trying to reload it.
333 - debian/libpam0g.postinst: the init script for 'samba' is now named
334 'smbd' in Ubuntu, so fix the restart handling.
335 - Change Vcs-Bzr to point at the Ubuntu branch.
336 - debian/patches-applied/series: Ubuntu patches are as below ...
337 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
338 initialise RLIMIT_NICE rather than relying on the kernel limits.
339 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
340 Deprecate pam_unix's explicit "usergroups" option and instead read it
341 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
342 there. This restores compatibility with the pre-PAM behaviour of login.
343 - debian/patches-applied/pam_motd-legal-notice: display the contents of
344 /etc/legal once, then set a flag in the user's homedir to prevent
345 showing it again.
346 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
347 for update-motd, with some best practices and notes of explanation.
348 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
349 to update-motd(5)
350 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
351 default, now that the umask setting is gone from /etc/profile.
352 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
353 - Build-depend on libfl-dev in addition to flex, for cross-building
354 support.
355 - Add /usr/local/games to PATH.
356 - Adjust debian/patches-applied/update-motd to write to
357 /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
358 to use this file and no longer links /etc/motd to /var/run/motd.
359 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
360 include patch to autogenerated manpage file
361 - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
362 Update patch with follow-up changes to loginuid.c
363
364 [ Timo Aaltonen ]
365 * pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
366 by default. (LP: #557013)
367
368 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 14:59:10 -0400
369
370>>>>>>> debian/changelog
96pam (1.1.8-3) unstable; urgency=low371pam (1.1.8-3) unstable; urgency=low
97372
98 * debian/rules: On hurd, link libpam explicitly with -lpthread since glibc373 * debian/rules: On hurd, link libpam explicitly with -lpthread since glibc
@@ -109,6 +384,57 @@ pam (1.1.8-2) unstable; urgency=medium
109384
110 -- Steve Langasek <vorlon@debian.org> Thu, 13 Feb 2014 15:02:00 -0800385 -- Steve Langasek <vorlon@debian.org> Thu, 13 Feb 2014 15:02:00 -0800
111386
387<<<<<<< debian/changelog
388=======
389pam (1.1.8-1ubuntu2) trusty; urgency=medium
390
391 * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
392 Update patch with follow-up changes to loginuid.c
393
394 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 31 Jan 2014 22:11:02 +0000
395
396pam (1.1.8-1ubuntu1) trusty; urgency=medium
397
398 * Merge from Debian unstable, remaining changes:
399 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
400 not present there or in /etc/security/pam_env.conf. (should send to
401 Debian).
402 - debian/libpam0g.postinst: only ask questions during update-manager when
403 there are non-default services running.
404 - debian/libpam0g.postinst: check if gdm is actually running before
405 trying to reload it.
406 - debian/libpam0g.postinst: the init script for 'samba' is now named
407 'smbd' in Ubuntu, so fix the restart handling.
408 - Change Vcs-Bzr to point at the Ubuntu branch.
409 - debian/patches-applied/series: Ubuntu patches are as below ...
410 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
411 initialise RLIMIT_NICE rather than relying on the kernel limits.
412 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
413 Deprecate pam_unix's explicit "usergroups" option and instead read it
414 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
415 there. This restores compatibility with the pre-PAM behaviour of login.
416 - debian/patches-applied/pam_motd-legal-notice: display the contents of
417 /etc/legal once, then set a flag in the user's homedir to prevent
418 showing it again.
419 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
420 for update-motd, with some best practices and notes of explanation.
421 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
422 to update-motd(5)
423 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
424 default, now that the umask setting is gone from /etc/profile.
425 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
426 - Build-depend on libfl-dev in addition to flex, for cross-building
427 support.
428 - Add /usr/local/games to PATH.
429 - Adjust debian/patches-applied/update-motd to write to
430 /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
431 to use this file and no longer links /etc/motd to /var/run/motd.
432 * debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: include
433 patch to autogenerated manpage file
434
435 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 16 Jan 2014 02:40:41 +0000
436
437>>>>>>> debian/changelog
112pam (1.1.8-1) unstable; urgency=medium438pam (1.1.8-1) unstable; urgency=medium
113439
114 * New upstream release.440 * New upstream release.
@@ -142,6 +468,50 @@ pam (1.1.8-1) unstable; urgency=medium
142468
143 -- Steve Langasek <vorlon@debian.org> Thu, 16 Jan 2014 00:38:42 +0000469 -- Steve Langasek <vorlon@debian.org> Thu, 16 Jan 2014 00:38:42 +0000
144470
471<<<<<<< debian/changelog
472=======
473pam (1.1.3-11ubuntu1) trusty; urgency=medium
474
475 * Merge from Debian unstable, remaining changes:
476 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
477 not present there or in /etc/security/pam_env.conf. (should send to
478 Debian).
479 - debian/libpam0g.postinst: only ask questions during update-manager when
480 there are non-default services running.
481 - debian/libpam0g.postinst: check if gdm is actually running before
482 trying to reload it.
483 - debian/libpam0g.postinst: the init script for 'samba' is now named
484 'smbd' in Ubuntu, so fix the restart handling.
485 - Change Vcs-Bzr to point at the Ubuntu branch.
486 - debian/patches-applied/series: Ubuntu patches are as below ...
487 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
488 initialise RLIMIT_NICE rather than relying on the kernel limits.
489 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
490 Deprecate pam_unix's explicit "usergroups" option and instead read it
491 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
492 there. This restores compatibility with the pre-PAM behaviour of login.
493 - debian/patches-applied/pam_motd-legal-notice: display the contents of
494 /etc/legal once, then set a flag in the user's homedir to prevent
495 showing it again.
496 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
497 for update-motd, with some best practices and notes of explanation.
498 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
499 to update-motd(5)
500 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
501 default, now that the umask setting is gone from /etc/profile.
502 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
503 - Build-depend on libfl-dev in addition to flex, for cross-building
504 support.
505 - Add /usr/local/games to PATH.
506 - Adjust debian/patches-applied/update-motd to write to
507 /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
508 to use this file and no longer links /etc/motd to /var/run/motd.
509 * Dropped changes, merged in Debian:
510 - Disable libaudit for stage1 bootstrap.
511
512 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 13 Jan 2014 21:41:05 -0800
513
514>>>>>>> debian/changelog
145pam (1.1.3-11) unstable; urgency=low515pam (1.1.3-11) unstable; urgency=low
146516
147 [ Wookey ]517 [ Wookey ]
@@ -155,6 +525,49 @@ pam (1.1.3-11) unstable; urgency=low
155525
156 -- Steve Langasek <vorlon@debian.org> Tue, 14 Jan 2014 03:33:31 +0000526 -- Steve Langasek <vorlon@debian.org> Tue, 14 Jan 2014 03:33:31 +0000
157527
528<<<<<<< debian/changelog
529=======
530pam (1.1.3-10ubuntu1) trusty; urgency=low
531
532 * Merge from Debian unstable, remaining changes:
533 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
534 not present there or in /etc/security/pam_env.conf. (should send to
535 Debian).
536 - debian/libpam0g.postinst: only ask questions during update-manager when
537 there are non-default services running.
538 - debian/libpam0g.postinst: check if gdm is actually running before
539 trying to reload it.
540 - debian/libpam0g.postinst: the init script for 'samba' is now named
541 'smbd' in Ubuntu, so fix the restart handling.
542 - Change Vcs-Bzr to point at the Ubuntu branch.
543 - debian/patches-applied/series: Ubuntu patches are as below ...
544 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
545 initialise RLIMIT_NICE rather than relying on the kernel limits.
546 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
547 Deprecate pam_unix's explicit "usergroups" option and instead read it
548 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
549 there. This restores compatibility with the pre-PAM behaviour of login.
550 - debian/patches-applied/pam_motd-legal-notice: display the contents of
551 /etc/legal once, then set a flag in the user's homedir to prevent
552 showing it again.
553 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
554 for update-motd, with some best practices and notes of explanation.
555 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
556 to update-motd(5)
557 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
558 default, now that the umask setting is gone from /etc/profile.
559 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
560 - Build-depend on libfl-dev in addition to flex, for cross-building
561 support.
562 - Add /usr/local/games to PATH.
563 - Disable libaudit for stage1 bootstrap.
564 - Adjust debian/patches-applied/update-motd to write to
565 /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
566 to use this file and no longer links /etc/motd to /var/run/motd.
567
568 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 20 Oct 2013 18:21:34 -0700
569
570>>>>>>> debian/changelog
158pam (1.1.3-10) unstable; urgency=low571pam (1.1.3-10) unstable; urgency=low
159572
160 * Fix pam-auth-update handling of trailing blank lines in the fields of573 * Fix pam-auth-update handling of trailing blank lines in the fields of
@@ -176,6 +589,59 @@ pam (1.1.3-9) unstable; urgency=low
176589
177 -- Steve Langasek <vorlon@debian.org> Tue, 12 Feb 2013 23:06:30 +0000590 -- Steve Langasek <vorlon@debian.org> Tue, 12 Feb 2013 23:06:30 +0000
178591
592<<<<<<< debian/changelog
593=======
594pam (1.1.3-8ubuntu3) saucy; urgency=low
595
596 * Adjust debian/patches-applied/update-motd to write to /run/motd.dynamic,
597 as sysvinit/ssh/login in Debian have been changed to use this file and
598 no longer links /etc/motd to /var/run/motd.
599
600 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 18 May 2013 00:07:43 -0500
601
602pam (1.1.3-8ubuntu2) raring; urgency=low
603
604 * Disable libaudit for stage1 bootstrap (LP: #1126404)
605
606 -- Wookey <wookey@wookware.org> Fri, 15 Feb 2013 12:45:27 +0000
607
608pam (1.1.3-8ubuntu1) raring; urgency=low
609
610 * Merge from Debian unstable, remaining changes:
611 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
612 not present there or in /etc/security/pam_env.conf. (should send to
613 Debian).
614 - debian/libpam0g.postinst: only ask questions during update-manager when
615 there are non-default services running.
616 - debian/libpam0g.postinst: check if gdm is actually running before
617 trying to reload it.
618 - debian/libpam0g.postinst: the init script for 'samba' is now named
619 'smbd' in Ubuntu, so fix the restart handling.
620 - Change Vcs-Bzr to point at the Ubuntu branch.
621 - debian/patches-applied/series: Ubuntu patches are as below ...
622 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
623 initialise RLIMIT_NICE rather than relying on the kernel limits.
624 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
625 Deprecate pam_unix' explicit "usergroups" option and instead read it
626 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
627 there. This restores compatibility with the pre-PAM behaviour of login.
628 - debian/patches-applied/pam_motd-legal-notice: display the contents of
629 /etc/legal once, then set a flag in the user's homedir to prevent
630 showing it again.
631 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
632 for update-motd, with some best practices and notes of explanation.
633 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
634 to update-motd(5)
635 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
636 default, now that the umask setting is gone from /etc/profile.
637 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
638 - Build-depend on libfl-dev in addition to flex, for cross-building
639 support.
640 - Add /usr/local/games to PATH. LP: #110287.
641
642 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 11 Feb 2013 22:08:44 -0800
643
644>>>>>>> debian/changelog
179pam (1.1.3-8) unstable; urgency=low645pam (1.1.3-8) unstable; urgency=low
180646
181 * Confirm NMU for bug #611136; thanks to Michael Gilbert.647 * Confirm NMU for bug #611136; thanks to Michael Gilbert.
@@ -212,6 +678,58 @@ pam (1.1.3-7.1) unstable; urgency=low
212678
213 -- Michael Gilbert <mgilbert@debian.org> Sun, 29 Apr 2012 02:23:26 -0400679 -- Michael Gilbert <mgilbert@debian.org> Sun, 29 Apr 2012 02:23:26 -0400
214680
681<<<<<<< debian/changelog
682=======
683pam (1.1.3-7ubuntu3) quantal; urgency=low
684
685 [ Nathan Williams ]
686 * Add /usr/local/games to PATH. LP: #110287.
687
688 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 03 Jul 2012 06:55:25 +0000
689
690pam (1.1.3-7ubuntu2) precise; urgency=low
691
692 * No-change rebuild with gzip 1.4-1ubuntu2 to get multiarch-clean
693 compression of manpages. LP: #871083.
694
695 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Feb 2012 17:15:39 -0800
696
697pam (1.1.3-7ubuntu1) precise; urgency=low
698
699 * Merge from Debian unstable, remaining changes:
700 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
701 not present there or in /etc/security/pam_env.conf. (should send to
702 Debian).
703 - debian/libpam0g.postinst: only ask questions during update-manager when
704 there are non-default services running.
705 - debian/libpam0g.postinst: check if gdm is actually running before
706 trying to reload it.
707 - debian/libpam0g.postinst: the init script for 'samba' is now named
708 'smbd' in Ubuntu, so fix the restart handling.
709 - Change Vcs-Bzr to point at the Ubuntu branch.
710 - debian/patches-applied/series: Ubuntu patches are as below ...
711 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
712 initialise RLIMIT_NICE rather than relying on the kernel limits.
713 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
714 Deprecate pam_unix' explicit "usergroups" option and instead read it
715 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
716 there. This restores compatibility with the pre-PAM behaviour of login.
717 - debian/patches-applied/pam_motd-legal-notice: display the contents of
718 /etc/legal once, then set a flag in the user's homedir to prevent
719 showing it again.
720 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
721 for update-motd, with some best practices and notes of explanation.
722 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
723 to update-motd(5)
724 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
725 default, now that the umask setting is gone from /etc/profile.
726 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
727 - Build-depend on libfl-dev in addition to flex, for cross-building
728 support.
729
730 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 28 Jan 2012 11:36:07 -0800
731
732>>>>>>> debian/changelog
215pam (1.1.3-7) unstable; urgency=low733pam (1.1.3-7) unstable; urgency=low
216734
217 * Updated debconf translations:735 * Updated debconf translations:
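Review bot: The conflict markers at new lines 681-682 (`<<<<<<< debian/changelog`, `=======`) and 732 (`>>>>>>> debian/changelog`) have to be resolved before this lands, because with them in place debian/changelog is no longer a well-formed changelog. The side between `<<<<<<<` and `=======` is empty, so the resolution is to keep the 1.1.3-7ubuntu1 through 1.1.3-7ubuntu3 entries and delete only the three marker lines. The same pattern repeats in the later hunks of this file, so a check that no line in the merged file starts with `<<<<<<<`, `=======` or `>>>>>>>` is worth running before upload.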
@@ -239,6 +757,52 @@ pam (1.1.3-7) unstable; urgency=low
239757
240 -- Steve Langasek <vorlon@debian.org> Sat, 28 Jan 2012 10:57:49 -0800758 -- Steve Langasek <vorlon@debian.org> Sat, 28 Jan 2012 10:57:49 -0800
241759
760<<<<<<< debian/changelog
761=======
762pam (1.1.3-6ubuntu1) precise; urgency=low
763
764 * Merge from Debian unstable. Remaining changes:
765 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
766 not present there or in /etc/security/pam_env.conf. (should send to
767 Debian).
768 - debian/libpam0g.postinst: only ask questions during update-manager when
769 there are non-default services running.
770 - debian/libpam0g.postinst: check if gdm is actually running before
771 trying to reload it.
772 - debian/libpam0g.postinst: the init script for 'samba' is now named
773 'smbd' in Ubuntu, so fix the restart handling.
774 - Change Vcs-Bzr to point at the Ubuntu branch.
775 - debian/patches-applied/series: Ubuntu patches are as below ...
776 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
777 initialise RLIMIT_NICE rather than relying on the kernel limits.
778 - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
779 Deprecate pam_unix' explicit "usergroups" option and instead read it
780 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
781 there. This restores compatibility with the pre-PAM behaviour of login.
782 - debian/patches-applied/pam_motd-legal-notice: display the contents of
783 /etc/legal once, then set a flag in the user's homedir to prevent
784 showing it again.
785 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
786 for update-motd, with some best practices and notes of explanation.
787 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
788 to update-motd(5)
789 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
790 default, now that the umask setting is gone from /etc/profile.
791 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
792 * Dropped changes, included in Debian:
793 - debian/patches-applied/update-motd: set a sane umask before calling
794 run-parts, and restore the old mask afterwards, so /run/motd gets
795 consistent permissions.
796 - debian/patches-applied/update-motd: new module option for pam_motd,
797 'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
798 - debian/libpam0g.postinst: drop kdm from the list of services to
799 restart.
800 * Build-depend on libfl-dev in addition to flex, for cross-building
801 support.
802
803 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 07 Nov 2011 21:15:00 -0800
804
805>>>>>>> debian/changelog
242pam (1.1.3-6) unstable; urgency=low806pam (1.1.3-6) unstable; urgency=low
243807
244 * debian/patches-applied/hurd_no_setfsuid: we don't want to check all808 * debian/patches-applied/hurd_no_setfsuid: we don't want to check all
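Review bot: At new line 787 the remaining-changes list cites `debian/patches/update-motd-manpage-ref`, while every other patch in the same entry (lines 775-782) is under `debian/patches-applied/`. Someone following the changelog to find the patch will look in the wrong directory. The released entry should stay as it is, but the remaining-changes list in the new merge entry should carry the `debian/patches-applied/` path instead of copying this line forward.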
@@ -266,6 +830,62 @@ pam (1.1.3-6) unstable; urgency=low
266830
267 -- Steve Langasek <vorlon@debian.org> Sun, 06 Nov 2011 19:43:14 -0800831 -- Steve Langasek <vorlon@debian.org> Sun, 06 Nov 2011 19:43:14 -0800
268832
833<<<<<<< debian/changelog
834=======
835pam (1.1.3-5ubuntu2) precise; urgency=low
836
837 * Rebuild with dpkg 1.16.1.1ubuntu2 to restore large file support.
838
839 -- Colin Watson <cjwatson@ubuntu.com> Tue, 01 Nov 2011 16:59:55 -0400
840
841pam (1.1.3-5ubuntu1) precise; urgency=low
842
843 * Merge from Debian unstable. Remaining changes:
844 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
845 not present there or in /etc/security/pam_env.conf. (should send to
846 Debian).
847 - debian/libpam0g.postinst: only ask questions during update-manager when
848 there are non-default services running.
849 - Change Vcs-Bzr to point at the Ubuntu branch.
850 - debian/patches-applied/series: Ubuntu patches are as below ...
851 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
852 initialise RLIMIT_NICE rather than relying on the kernel limits.
853 - debian/patches-applied/pam_motd-legal-notice: display the contents of
854 /etc/legal once, then set a flag in the user's homedir to prevent
855 showing it again.
856 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
857 for update-motd, with some best practices and notes of explanation.
858 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
859 to update-motd(5)
860 - debian/libpam0g.postinst: drop kdm from the list of services to
861 restart.
862 - debian/libpam0g.postinst: check if gdm is actually running before
863 trying to reload it.
864 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
865 default, now that the umask setting is gone from /etc/profile.
866 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
867 - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
868 Deprecate pam_unix' explicit "usergroups" option and instead read it
869 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
870 there. This restores compatibility with the pre-PAM behaviour of login.
871 (Closes: #583958)
872 * Dropped changes, included in Debian:
873 - debian/patches-applied/CVE-2011-3148.patch
874 - debian/patches-applied/CVE-2011-3149.patch
875 - debian/patches-applied/update-motd: updated to use clean environment
876 and absolute paths in modules/pam_motd/pam_motd.c.
877 * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd'
878 in Ubuntu, so fix the restart handling.
879 * debian/patches-applied/update-motd: set a sane umask before calling
880 run-parts, and restore the old mask afterwards, so /run/motd gets
881 consistent permissions. LP: #871943.
882 * debian/patches-applied/update-motd: new module option for pam_motd,
883 'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
884 LP: #805423.
885
886 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 30 Oct 2011 09:45:00 -0600
887
888>>>>>>> debian/changelog
269pam (1.1.3-5) unstable; urgency=low889pam (1.1.3-5) unstable; urgency=low
270890
271 [ Kees Cook ]891 [ Kees Cook ]
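Review bot: At new lines 867-870 the patch is named `pam_umask_usergroups_from_login.defs.patch` but the description says it deprecates "pam_unix' explicit usergroups option" and reads from "/etc/login.def's". The module name in the text does not match the patch name, and the file is normally /etc/login.defs. Please confirm which module the patch touches and use the corrected wording in the new merge entry, since this text is copied into each later remaining-changes list.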
@@ -320,6 +940,67 @@ pam (1.1.3-3) unstable; urgency=low
320940
321 -- Steve Langasek <vorlon@debian.org> Sat, 24 Sep 2011 20:08:56 +0000941 -- Steve Langasek <vorlon@debian.org> Sat, 24 Sep 2011 20:08:56 +0000
322942
943<<<<<<< debian/changelog
944=======
945pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low
946
947 * SECURITY UPDATE: possible code execution via incorrect environment file
948 parsing (LP: #874469)
949 - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
950 whitespace when parsing environment file in modules/pam_env/pam_env.c.
951 - CVE-2011-3148
952 * SECURITY UPDATE: denial of service via overflowed environment variable
953 expansion (LP: #874565)
954 - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
955 with PAM_BUF_ERR in modules/pam_env/pam_env.c.
956 - CVE-2011-3149
957 * SECURITY UPDATE: code execution via incorrect environment cleaning
958 - debian/patches-applied/update-motd: updated to use clean environment
959 and absolute paths in modules/pam_motd/pam_motd.c.
960 - CVE-2011-XXXX
961
962 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 18 Oct 2011 09:33:47 -0400
963
964pam (1.1.3-2ubuntu1) oneiric; urgency=low
965
966 * Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
967 changes:
968 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
969 not present there or in /etc/security/pam_env.conf. (should send to
970 Debian).
971 - debian/libpam0g.postinst: only ask questions during update-manager when
972 there are non-default services running.
973 - Change Vcs-Bzr to point at the Ubuntu branch.
974 - debian/patches-applied/series: Ubuntu patches are as below ...
975 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
976 initialise RLIMIT_NICE rather than relying on the kernel limits.
977 - debian/patches-applied/pam_motd-legal-notice: display the contents of
978 /etc/legal once, then set a flag in the user's homedir to prevent
979 showing it again.
980 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
981 for update-motd, with some best practices and notes of explanation.
982 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
983 to update-motd(5)
984 - debian/libpam0g.postinst: drop kdm from the list of services to
985 restart.
986 - debian/libpam0g.postinst: check if gdm is actually running before
987 trying to reload it.
988 - debian/local/common-session{,-noninteractive}: Enable pam_umask by
989 default, now that the umask setting is gone from /etc/profile.
990 - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
991 - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
992 Deprecate pam_unix' explicit "usergroups" option and instead read it
993 from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
994 there. This restores compatibility with the pre-PAM behaviour of login.
995 (Closes: #583958)
996 * Dropped changes:
997 - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
998 no need to bump the hard limit for number of file descriptors any more
999 since we read kernel limits directly now.
1000
1001 -- Kees Cook <kees@ubuntu.com> Thu, 18 Aug 2011 16:41:18 -0500
1002
1003>>>>>>> debian/changelog
323pam (1.1.3-2) unstable; urgency=low1004pam (1.1.3-2) unstable; urgency=low
3241005
325 [ Kees Cook ]1006 [ Kees Cook ]
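Review bot: New line 960 records the pam_motd environment-cleaning fix under the placeholder `CVE-2011-XXXX`, so searching the changelog by CVE id will not find this security update, unlike the CVE-2011-3148 and CVE-2011-3149 items in the same entry. The released 1.1.3-2ubuntu2.1 entry should not be rewritten, but if an id was later assigned it would be worth naming it in the new merge entry. It is also worth confirming that the clean-environment and absolute-path change is still present in the merged update-motd patch, since line 875 lists it as dropped because Debian includes it.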
@@ -336,6 +1017,76 @@ pam (1.1.3-2) unstable; urgency=low
3361017
337 -- Steve Langasek <vorlon@debian.org> Tue, 21 Jun 2011 11:41:12 -07001018 -- Steve Langasek <vorlon@debian.org> Tue, 21 Jun 2011 11:41:12 -0700
3381019
1020<<<<<<< debian/changelog
1021=======
1022pam (1.1.3-1ubuntu3) oneiric; urgency=low
1023
1024 [ Steve Langasek ]
1025 * debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv
1026 common helper functions, instead of hand-rolled uid-setting code.
1027
1028 [ Martin Pitt ]
1029 * debian/local/common-session{,-noninteractive}: Enable pam_umask by
1030 default, now that the umask setting is gone from /etc/profile.
1031 (LP: #253096, UbuntuSpec:umask-to-0002)
1032 * debian/local/pam-auth-update: Add the new md5sum of above files.
1033 * Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
1034 Deprecate pam_unix' explicit "usergroups" option and instead read it from
1035 /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
1036 This restores compatibility with the pre-PAM behaviour of login.
1037 (Closes: #583958)
1038
1039 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 24 Jun 2011 11:07:57 +0200
1040
1041pam (1.1.3-1ubuntu2) oneiric; urgency=low
1042
1043 * debian/patches-applied/update-motd-manpage-ref: refresh patch to apply
1044 cleanly against new upstream.
1045
1046 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 04 Jun 2011 14:20:17 -0700
1047
1048pam (1.1.3-1ubuntu1) oneiric; urgency=low
1049
1050 * Merge from Debian unstable, remaining changes:
1051 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1052 not present there or in /etc/security/pam_env.conf. (should send to
1053 Debian).
1054 - debian/libpam0g.postinst: only ask questions during update-manager when
1055 there are non-default services running.
1056 - Change Vcs-Bzr to point at the Ubuntu branch.
1057 - debian/patches-applied/series: Ubuntu patches are as below ...
1058 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1059 initialise RLIMIT_NICE rather than relying on the kernel limits.
1060 - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
1061 bump the hard limit for number of file descriptors, to keep pace with
1062 the changes in the kernel.
1063 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1064 /etc/legal once, then set a flag in the user's homedir to prevent
1065 showing it again.
1066 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1067 for update-motd, with some best practices and notes of explanation.
1068 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1069 to update-motd(5)
1070 - debian/libpam0g.postinst: drop kdm from the list of services to
1071 restart.
1072 - debian/libpam0g.postinst: check if gdm is actually running before
1073 trying to reload it.
1074 - New patch, lib_security_multiarch_compat, which lets us reuse the
1075 upstream --enable-isadir functionality to support a true path for
1076 module lookups; this way we don't have to force a hard transition to
1077 multiarch, but can support resolving modules in both the multiarch and
1078 non-multiarch directories.
1079 - build for multiarch, splitting our executables out of libpam-modules
1080 into a new package, libpam-modules-bin, so that modules can be
1081 co-installable between architectures.
1082 * Dropped changes:
1083 - bumping the service restart version in libpam0g.postinst to ensure
1084 servers don't fail to find the pam modules in the new paths; the min
1085 version requirement upstream is higher than this now.
1086
1087 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 04 Jun 2011 14:04:19 -0700
1088
1089>>>>>>> debian/changelog
339pam (1.1.3-1) unstable; urgency=low1090pam (1.1.3-1) unstable; urgency=low
3401091
341 * New upstream release.1092 * New upstream release.
@@ -353,6 +1104,49 @@ pam (1.1.3-1) unstable; urgency=low
3531104
354 -- Steve Langasek <vorlon@debian.org> Sat, 04 Jun 2011 03:10:50 -07001105 -- Steve Langasek <vorlon@debian.org> Sat, 04 Jun 2011 03:10:50 -0700
3551106
1107<<<<<<< debian/changelog
1108=======
1109pam (1.1.2-3ubuntu1) oneiric; urgency=low
1110
1111 * Merge from Debian unstable, remaining changes:
1112 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1113 not present there or in /etc/security/pam_env.conf. (should send to
1114 Debian).
1115 - debian/libpam0g.postinst: only ask questions during update-manager when
1116 there are non-default services running.
1117 - Change Vcs-Bzr to point at the Ubuntu branch.
1118 - debian/patches-applied/series: Ubuntu patches are as below ...
1119 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1120 initialise RLIMIT_NICE rather than relying on the kernel limits.
1121 - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
1122 bump the hard limit for number of file descriptors, to keep pace with
1123 the changes in the kernel.
1124 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1125 /etc/legal once, then set a flag in the user's homedir to prevent
1126 showing it again.
1127 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1128 for update-motd, with some best practices and notes of explanation.
1129 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1130 to update-motd(5)
1131 - debian/libpam0g.postinst: drop kdm from the list of services to
1132 restart.
1133 - debian/libpam0g.postinst: check if gdm is actually running before
1134 trying to reload it.
1135 - New patch, lib_security_multiarch_compat, which lets us reuse the
1136 upstream --enable-isadir functionality to support a true path for
1137 module lookups; this way we don't have to force a hard transition to
1138 multiarch, but can support resolving modules in both the multiarch and
1139 non-multiarch directories.
1140 - build for multiarch, splitting our executables out of libpam-modules
1141 into a new package, libpam-modules-bin, so that modules can be
1142 co-installable between architectures.
1143 - bumping the service restart version in libpam0g.postinst to ensure
1144 servers don't fail to find the pam modules in the new paths.
1145 * bump debhelper build-dep for final multiarch support.
1146
1147 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 20 May 2011 12:53:24 -0700
1148
1149>>>>>>> debian/changelog
356pam (1.1.2-3) unstable; urgency=low1150pam (1.1.2-3) unstable; urgency=low
3571151
358 [ Kees Cook ]1152 [ Kees Cook ]
@@ -371,6 +1165,95 @@ pam (1.1.2-3) unstable; urgency=low
3711165
372 -- Steve Langasek <vorlon@debian.org> Sun, 01 May 2011 01:49:11 -07001166 -- Steve Langasek <vorlon@debian.org> Sun, 01 May 2011 01:49:11 -0700
3731167
1168<<<<<<< debian/changelog
1169=======
1170pam (1.1.2-2ubuntu8) natty; urgency=low
1171
1172 * Check if gdm is actually running before trying to reload it. (LP: #745532)
1173
1174 -- Stéphane Graber <stgraber@ubuntu.com> Mon, 11 Apr 2011 21:57:36 -0400
1175
1176pam (1.1.2-2ubuntu7) natty; urgency=low
1177
1178 * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
1179 bump the hard limit for number of file descriptors, to keep pace with
1180 the changes in the kernel. Fortunately this shadowing should all go
1181 away next cycle when we can start to grab defaults directly from /proc.
1182 LP: #663090
1183
1184 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 05 Apr 2011 13:02:02 -0700
1185
1186pam (1.1.2-2ubuntu6) natty; urgency=low
1187
1188 * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
1189 keeps libpam loaded persistently at runtime, so it's not necessary to
1190 force a kdm restart on ABI bump. Which is good, since restarting kdm
1191 now seems to also log users out of running sessions, which we rather
1192 want to avoid. LP: #744944.
1193
1194 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 29 Mar 2011 13:16:26 -0700
1195
1196pam (1.1.2-2ubuntu5) natty; urgency=low
1197
1198 * Force a service restart on upgrade to the new libpam0g, to ensure
1199 servers don't fail to find the pam modules in the new paths.
1200 * libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
1201 for the same reason.
1202
1203 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 22 Mar 2011 02:19:51 -0700
1204
1205pam (1.1.2-2ubuntu4) natty; urgency=low
1206
1207 * Build for multiarch; FFe LP: #733501.
1208 * Split our executables out of libpam-modules into a new package,
1209 libpam-modules-bin, so that modules can be co-installable between
1210 architectures.
1211 * New patch, lib_security_multiarch_compat, which lets us reuse the
1212 upstream --enable-isadir functionality to support a true path for module
1213 lookups; this way we don't have to force a hard transition to multiarch,
1214 but can support resolving modules in both the multiarch and
1215 non-multiarch directories.
1216 * Build-Depend on the multiarchified debhelper.
1217 * Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support.
1218
1219 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 18 Mar 2011 00:12:26 -0700
1220
1221pam (1.1.2-2ubuntu3) natty; urgency=low
1222
1223 * Er, but let's get this patch applying cleanly.
1224
1225 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 21 Feb 2011 16:10:11 -0800
1226
1227pam (1.1.2-2ubuntu2) natty; urgency=low
1228
1229 * debian/patches/update-motd-manpage-ref: patch the manpage too, not just
1230 the xml source.
1231
1232 -- Steve Langasek <vorlon@debian.org> Mon, 21 Feb 2011 15:47:27 -0800
1233
1234pam (1.1.2-2ubuntu1) natty; urgency=low
1235
1236 * Merge from Debian unstable, remaining changes:
1237 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1238 not present there or in /etc/security/pam_env.conf. (should send to
1239 Debian).
1240 - debian/libpam0g.postinst: only ask questions during update-manager when
1241 there are non-default services running.
1242 - debian/patches-applied/series: Ubuntu patches are as below ...
1243 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1244 initialise RLIMIT_NICE rather than relying on the kernel limits.
1245 - Change Vcs-Bzr to point at the Ubuntu branch.
1246 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1247 /etc/legal once, then set a flag in the user's homedir to prevent
1248 showing it again.
1249 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1250 for update-motd, with some best practices and notes of explanation.
1251 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1252 to update-motd(5)
1253
1254 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 17 Feb 2011 16:15:47 -0800
1255
1256>>>>>>> debian/changelog
374pam (1.1.2-2) unstable; urgency=low1257pam (1.1.2-2) unstable; urgency=low
3751258
376 * debian/patches-applied/hurd_no_setfsuid: handle some new calls to1259 * debian/patches-applied/hurd_no_setfsuid: handle some new calls to
@@ -429,6 +1312,35 @@ pam (1.1.1-7) UNRELEASED; urgency=low
4291312
430 -- Steve Langasek <vorlon@debian.org> Wed, 17 Nov 2010 16:53:46 -08001313 -- Steve Langasek <vorlon@debian.org> Wed, 17 Nov 2010 16:53:46 -0800
4311314
1315<<<<<<< debian/changelog
1316=======
1317pam (1.1.1-6.1ubuntu1) natty; urgency=low
1318
1319 * Merge from Debian unstable, remaining changes:
1320 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1321 not present there or in /etc/security/pam_env.conf. (should send to
1322 Debian).
1323 - debian/libpam0g.postinst: only ask questions during update-manager when
1324 there are non-default services running.
1325 - debian/patches-applied/series: Ubuntu patches are as below ...
1326 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1327 initialise RLIMIT_NICE rather than relying on the kernel limits.
1328 - Change Vcs-Bzr to point at the Ubuntu branch.
1329 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1330 /etc/legal once, then set a flag in the user's homedir to prevent
1331 showing it again.
1332 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1333 for update-motd, with some best practices and notes of explanation.
1334 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1335 to update-motd(5)
1336 * Dropped changes:
1337 - libpam-modules depend on base-files (>= 5.0.0ubuntu6): 5.0.0ubuntu20
1338 is in 10.04 LTS and this is an essential package, so no more need for
1339 the versioned dependency.
1340
1341 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 15 Feb 2011 23:36:47 -0800
1342
1343>>>>>>> debian/changelog
432pam (1.1.1-6.1) unstable; urgency=low1344pam (1.1.1-6.1) unstable; urgency=low
4331345
434 * Non-maintainer upload.1346 * Non-maintainer upload.
@@ -466,6 +1378,41 @@ pam (1.1.1-5) unstable; urgency=low
4661378
467 -- Steve Langasek <vorlon@debian.org> Sun, 05 Sep 2010 12:42:34 -07001379 -- Steve Langasek <vorlon@debian.org> Sun, 05 Sep 2010 12:42:34 -0700
4681380
1381<<<<<<< debian/changelog
1382=======
1383pam (1.1.1-4ubuntu2) maverick-security; urgency=low
1384
1385 * SECURITY UPDATE: root privilege escalation via symlink following.
1386 - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
1387 - CVE-2010-0832
1388
1389 -- Kees Cook <kees@ubuntu.com> Mon, 25 Oct 2010 06:40:32 -0700
1390
1391pam (1.1.1-4ubuntu1) maverick; urgency=low
1392
1393 * Merge from Debian unstable, remaining changes:
1394 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1395 not present there or in /etc/security/pam_env.conf. (should send to
1396 Debian).
1397 - debian/libpam0g.postinst: only ask questions during update-manager when
1398 there are non-default services running.
1399 - debian/patches-applied/series: Ubuntu patches are as below ...
1400 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1401 initialise RLIMIT_NICE rather than relying on the kernel limits.
1402 - Change Vcs-Bzr to point at the Ubuntu branch.
1403 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1404 run-parts does the right thing in /etc/update-motd.d.
1405 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1406 /etc/legal once, then set a flag in the user's homedir to prevent
1407 showing it again.
1408 - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1409 for update-motd, with some best practices and notes of explanation.
1410 - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1411 to update-motd(5)
1412
1413 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 16 Aug 2010 19:12:35 -0700
1414
1415>>>>>>> debian/changelog
469pam (1.1.1-4) unstable; urgency=low1416pam (1.1.1-4) unstable; urgency=low
4701417
471 * debian/patches/conditional_module,_conditional_man: if we don't have the1418 * debian/patches/conditional_module,_conditional_man: if we don't have the
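Review bot: The CVE-2010-0832 fix at new lines 1385-1387 ("drop privs for work") is a property of `pam_motd-legal-notice` that the recurring remaining-changes description never mentions. Lines 1405-1407 and every later copy say only that the patch displays /etc/legal once and sets a flag in the user's homedir. Because that flag is written under a user-controlled directory, the privilege drop is the part a future merge must not lose. Suggest extending the description in the new merge entry to say the homedir work is done with privileges dropped.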
@@ -484,6 +1431,43 @@ pam (1.1.1-4) unstable; urgency=low
4841431
485 -- Steve Langasek <vorlon@debian.org> Sun, 15 Aug 2010 21:53:46 -07001432 -- Steve Langasek <vorlon@debian.org> Sun, 15 Aug 2010 21:53:46 -0700
4861433
1434<<<<<<< debian/changelog
1435=======
1436pam (1.1.1-3ubuntu2) maverick; urgency=low
1437
1438 * Trigger a rebuild, applying changes from 1.1.1-2ubuntu2 which
1439 were previously not committed to bzr
1440
1441 -- Dustin Kirkland <kirkland@ubuntu.com> Thu, 13 May 2010 10:04:23 +0200
1442
1443pam (1.1.1-3ubuntu1) maverick; urgency=low
1444
1445 * Merge from Debian, remaining changes:
1446 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1447 present there or in /etc/security/pam_env.conf. (should send to Debian).
1448 - debian/libpam0g.postinst: only ask questions during update-manager when
1449 there are non-default services running.
1450 - debian/patches-applied/series: Ubuntu patches are as below ...
1451 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1452 initialise RLIMIT_NICE rather than relying on the kernel limits.
1453 - Change Vcs-Bzr to point at the Ubuntu branch.
1454 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1455 run-parts does the right thing in /etc/update-motd.d.
1456 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1457 /etc/legal once, then set a flag in the user's homedir to prevent showing
1458 it again.
1459 * Dropped changes:
1460 - debian/local/common-{auth,account,password}.md5sums: include the
1461 Ubuntu-specific intrepid,jaunty md5sums for use during the
1462 common-session-noninteractive upgrade - upgrades to maverick are
1463 only supported from lucid, so this delta can be dropped.
1464 - debian/patches-applied/ubuntu-no-error-if-missingok: 'missingok' option
1465 is obsoleted by 10.04 LTS and no longer needs to be supported for
1466 upgrades.
1467
1468 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 13 May 2010 00:39:44 +0200
1469
1470>>>>>>> debian/changelog
487pam (1.1.1-3) unstable; urgency=low1471pam (1.1.1-3) unstable; urgency=low
4881472
489 * pam-auth-update: fix a bug in our handling of module options when the1473 * pam-auth-update: fix a bug in our handling of module options when the
@@ -494,6 +1478,44 @@ pam (1.1.1-3) unstable; urgency=low
4941478
495 -- Steve Langasek <vorlon@debian.org> Sun, 25 Apr 2010 05:53:44 -07001479 -- Steve Langasek <vorlon@debian.org> Sun, 25 Apr 2010 05:53:44 -0700
4961480
1481<<<<<<< debian/changelog
1482=======
1483pam (1.1.1-2ubuntu2) lucid; urgency=low
1484
1485 * debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1486 for update-motd, with some best practices and notes of explanation,
1487 LP: #562566
1488 * debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8)
1489 to update-motd(5), LP: #552175
1490
1491 -- Dustin Kirkland <kirkland@ubuntu.com> Tue, 13 Apr 2010 16:58:12 -0500
1492
1493pam (1.1.1-2ubuntu1) lucid; urgency=low
1494
1495 * Merge from Debian, remaining changes:
1496 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1497 present there or in /etc/security/pam_env.conf. (should send to Debian).
1498 - debian/libpam0g.postinst: only ask questions during update-manager when
1499 there are non-default services running.
1500 - debian/patches-applied/series: Ubuntu patches are as below ...
1501 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1502 module option 'missingok' which will suppress logging of errors by
1503 libpam if the module is not found.
1504 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1505 initialise RLIMIT_NICE rather than relying on the kernel limits.
1506 - Change Vcs-Bzr to point at the Ubuntu branch.
1507 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1508 run-parts does the right thing in /etc/update-motd.d.
1509 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1510 /etc/legal once, then set a flag in the user's homedir to prevent showing
1511 it again.
1512 - debian/local/common-{auth,account,password}.md5sums: include the
1513 Ubuntu-specific intrepid,jaunty md5sums for use during the
1514 common-session-noninteractive upgrade.
1515
1516 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 18 Feb 2010 12:04:18 +0000
1517
1518>>>>>>> debian/changelog
497pam (1.1.1-2) unstable; urgency=low1519pam (1.1.1-2) unstable; urgency=low
4981520
499 * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and1521 * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and
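Review bot: New line 1488 refers to `pam_mod(8)`, where the later entries describing the same `update-motd-manpage-ref` patch say `pam_motd(8)`. This looks like a typo in the released 1.1.1-2ubuntu2 entry. It can stay as history, but please make sure the new merge entry uses `pam_motd(8)` so the manpage cross-reference is named correctly.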
@@ -502,6 +1524,34 @@ pam (1.1.1-2) unstable; urgency=low
5021524
503 -- Steve Langasek <vorlon@debian.org> Wed, 17 Feb 2010 23:21:23 -08001525 -- Steve Langasek <vorlon@debian.org> Wed, 17 Feb 2010 23:21:23 -0800
5041526
1527<<<<<<< debian/changelog
1528=======
1529pam (1.1.1-1ubuntu1) lucid; urgency=low
1530
1531 * Merge from Debian, remaining changes:
1532 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1533 present there or in /etc/security/pam_env.conf. (should send to Debian).
1534 - debian/libpam0g.postinst: only ask questions during update-manager when
1535 there are non-default services running.
1536 - debian/patches-applied/series: Ubuntu patches are as below ...
1537 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1538 module option 'missingok' which will suppress logging of errors by
1539 libpam if the module is not found.
1540 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1541 initialise RLIMIT_NICE rather than relying on the kernel limits.
1542 - Change Vcs-Bzr to point at the Ubuntu branch.
1543 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1544 run-parts does the right thing in /etc/update-motd.d.
1545 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1546 /etc/legal once, then set a flag in the user's homedir to prevent showing
1547 it again.
1548 - debian/local/common-{auth,account,password}.md5sums: include the
1549 Ubuntu-specific intrepid,jaunty md5sums for use during the
1550 common-session-noninteractive upgrade.
1551
1552 -- Steve Langasek <vorlon@debian.org> Mon, 01 Feb 2010 09:55:02 -0800
1553
1554>>>>>>> debian/changelog
505pam (1.1.1-1) unstable; urgency=low1555pam (1.1.1-1) unstable; urgency=low
5061556
507 * New upstream version.1557 * New upstream version.
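Review bot: added lines 1527, 1528 and 1554 are literal conflict markers (`<<<<<<< debian/changelog`, `=======`, `>>>>>>> debian/changelog`), and the same three markers bracket every block this diff adds to the file. Nothing sits between `<<<<<<<` and `=======`, so the resolution here is to keep the 1.1.1-1ubuntu1 entry verbatim and delete only the three marker lines. Left in place they are not valid changelog syntax, so the result should be run through dpkg-parsechangelog before upload.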
@@ -529,6 +1579,50 @@ pam (1.1.1-1) unstable; urgency=low
5291579
530 -- Steve Langasek <vorlon@debian.org> Mon, 01 Feb 2010 02:04:33 -08001580 -- Steve Langasek <vorlon@debian.org> Mon, 01 Feb 2010 02:04:33 -0800
5311581
1582<<<<<<< debian/changelog
1583=======
1584pam (1.1.0-4ubuntu3) lucid; urgency=low
1585
1586 * Brown paper bag: remove the right patch from the series file.
1587
1588 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 10 Dec 2009 23:09:03 -0800
1589
1590pam (1.1.0-4ubuntu2) lucid; urgency=low
1591
1592 * "Rebase" Ubuntu patches to apply them last in the series.
1593 * Drop patch ubuntu-regression_fix_securetty, superseded by the more
1594 precise fix in pam_securetty_tty_check_before_user_check.
1595
1596 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 10 Dec 2009 22:52:20 -0800
1597
1598pam (1.1.0-4ubuntu1) lucid; urgency=low
1599
1600 * Merge from Debian, remaining changes:
1601 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1602 present there or in /etc/security/pam_env.conf. (should send to Debian).
1603 - debian/libpam0g.postinst: only ask questions during update-manager when
1604 there are non-default services running.
1605 - debian/patches-applied/series: Ubuntu patches are as below ...
1606 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1607 module option 'missingok' which will suppress logging of errors by
1608 libpam if the module is not found.
1609 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1610 password on bad username.
1611 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1612 initialise RLIMIT_NICE rather than relying on the kernel limits.
1613 - Change Vcs-Bzr to point at the Ubuntu branch.
1614 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1615 run-parts does the right thing in /etc/update-motd.d.
1616 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1617 /etc/legal once, then set a flag in the user's homedir to prevent showing
1618 it again.
1619 - debian/local/common-{auth,account,password}.md5sums: include the
1620 Ubuntu-specific intrepid,jaunty md5sums for use during the
1621 common-session-noninteractive upgrade.
1622
1623 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 05 Nov 2009 21:33:15 -0800
1624
1625>>>>>>> debian/changelog
532pam (1.1.0-4) unstable; urgency=low1626pam (1.1.0-4) unstable; urgency=low
5331627
534 * debian/patches/pam_securetty_tty_check_before_user_check: new patch,1628 * debian/patches/pam_securetty_tty_check_before_user_check: new patch,
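Review bot: the 1.1.0-4ubuntu3 entry at added line 1586 says "remove the right patch from the series file" without naming the patch. Going by the 1.1.0-4ubuntu2 entry just below it, that is presumably ubuntu-regression_fix_securetty. debian/patches-applied/series is part of this merge, so confirm it has no entry for ubuntu-regression_fix_securetty and that pam_securetty_tty_check_before_user_check, the fix the changelog says supersedes it, is still applied. Which of the two is active changes how pam_securetty treats a bad username.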
@@ -578,6 +1672,39 @@ pam (1.1.0-3) unstable; urgency=low
5781672
579 -- Steve Langasek <vorlon@debian.org> Mon, 07 Sep 2009 18:47:45 -07001673 -- Steve Langasek <vorlon@debian.org> Mon, 07 Sep 2009 18:47:45 -0700
5801674
1675<<<<<<< debian/changelog
1676=======
1677pam (1.1.0-2ubuntu1) karmic; urgency=low
1678
1679 * Merge from Debian, remaining changes:
1680 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1681 present there or in /etc/security/pam_env.conf. (should send to Debian).
1682 - debian/libpam0g.postinst: only ask questions during update-manager when
1683 there are non-default services running.
1684 - debian/patches-applied/series: Ubuntu patches are as below ...
1685 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1686 module option 'missingok' which will suppress logging of errors by
1687 libpam if the module is not found.
1688 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1689 password on bad username.
1690 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1691 initialise RLIMIT_NICE rather than relying on the kernel limits.
1692 - Change Vcs-Bzr to point at the Ubuntu branch.
1693 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1694 run-parts does the right thing in /etc/update-motd.d.
1695 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1696 /etc/legal once, then set a flag in the user's homedir to prevent showing
1697 it again.
1698 - debian/local/common-{auth,account,password}.md5sums: include the
1699 Ubuntu-specific intrepid,jaunty md5sums for use during the
1700 common-session-noninteractive upgrade.
1701 * Changes merged in Debian:
1702 - debian/local/common-password, debian/pam-configs/unix: switch from
1703 "md5" to "sha512" as password crypt default.
1704
1705 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 04 Sep 2009 01:11:48 -0700
1706
1707>>>>>>> debian/changelog
581pam (1.1.0-2) unstable; urgency=low1708pam (1.1.0-2) unstable; urgency=low
5821709
583 [ Steve Langasek ]1710 [ Steve Langasek ]
@@ -606,6 +1733,44 @@ pam (1.1.0-2) unstable; urgency=low
6061733
607 -- Steve Langasek <vorlon@debian.org> Mon, 31 Aug 2009 14:21:27 -07001734 -- Steve Langasek <vorlon@debian.org> Mon, 31 Aug 2009 14:21:27 -0700
6081735
1736<<<<<<< debian/changelog
1737=======
1738pam (1.1.0-1ubuntu1) karmic; urgency=low
1739
1740 * Merge from Debian, remaining changes:
1741 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1742 present there or in /etc/security/pam_env.conf. (should send to Debian).
1743 - debian/libpam0g.postinst: only ask questions during update-manager when
1744 there are non-default services running.
1745 - debian/patches-applied/series: Ubuntu patches are as below ...
1746 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1747 module option 'missingok' which will suppress logging of errors by
1748 libpam if the module is not found.
1749 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1750 password on bad username.
1751 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1752 initialise RLIMIT_NICE rather than relying on the kernel limits.
1753 - Change Vcs-Bzr to point at the Ubuntu branch.
1754 - debian/local/common-password, debian/pam-configs/unix: switch from
1755 "md5" to "sha512" as password crypt default.
1756 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1757 run-parts does the right thing in /etc/update-motd.d.
1758 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1759 /etc/legal once, then set a flag in the user's homedir to prevent showing
1760 it again.
1761 - debian/local/common-{auth,account,password}.md5sums: include the
1762 Ubuntu-specific intrepid,jaunty md5sums for use during the
1763 common-session-noninteractive upgrade.
1764 * Dropped changes, superseded upstream:
1765 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1766 type rather than __u8.
1767 - debian/patches-applied/ubuntu-user_defined_environment: Look at
1768 ~/.pam_environment too, with the same format as
1769 /etc/security/pam_env.conf.
1770
1771 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 26 Aug 2009 00:40:14 -0700
1772
1773>>>>>>> debian/changelog
609pam (1.1.0-1) unstable; urgency=low1774pam (1.1.0-1) unstable; urgency=low
6101775
611 * New upstream version.1776 * New upstream version.
@@ -649,6 +1814,45 @@ pam (1.1.0-1) unstable; urgency=low
6491814
650 -- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 20:35:26 -07001815 -- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 20:35:26 -0700
6511816
1817<<<<<<< debian/changelog
1818=======
1819pam (1.0.1-11ubuntu1) karmic; urgency=low
1820
1821 * Merge from Debian, remaining changes:
1822 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1823 present there or in /etc/security/pam_env.conf. (should send to Debian).
1824 - debian/libpam0g.postinst: only ask questions during update-manager when
1825 there are non-default services running.
1826 - debian/patches-applied/series: Ubuntu patches are as below ...
1827 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1828 type rather than __u8.
1829 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1830 module option 'missingok' which will suppress logging of errors by
1831 libpam if the module is not found.
1832 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1833 password on bad username.
1834 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1835 initialise RLIMIT_NICE rather than relying on the kernel limits.
1836 - debian/patches-applied/ubuntu-user_defined_environment: Look at
1837 ~/.pam_environment too, with the same format as
1838 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1839 - Change Vcs-Bzr to point at the Ubuntu branch.
1840 - debian/local/common-password, debian/pam-configs/unix: switch from
1841 "md5" to "sha512" as password crypt default.
1842 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1843 run-parts does the right thing in /etc/update-motd.d.
1844 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1845 /etc/legal once, then set a flag in the user's homedir to prevent showing
1846 it again.
1847 * debian/local/pam-auth-update: prune some more md5sums from intrepid
1848 pre-release versions, reducing the Ubuntu delta some
1849 * debian/local/common-{auth,account,password}.md5sums: include the
1850 Ubuntu-specific intrepid,jaunty md5sums for use during the
1851 common-session-noninteractive upgrade.
1852
1853 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 23 Aug 2009 20:14:58 -0700
1854
1855>>>>>>> debian/changelog
652pam (1.0.1-11) unstable; urgency=low1856pam (1.0.1-11) unstable; urgency=low
6531857
654 * debian/libpam-runtime.postinst: bump the --force version check to1858 * debian/libpam-runtime.postinst: bump the --force version check to
@@ -676,6 +1880,40 @@ pam (1.0.1-11) unstable; urgency=low
6761880
677 -- Steve Langasek <vorlon@debian.org> Sun, 23 Aug 2009 18:07:11 -07001881 -- Steve Langasek <vorlon@debian.org> Sun, 23 Aug 2009 18:07:11 -0700
6781882
1883<<<<<<< debian/changelog
1884=======
1885pam (1.0.1-10ubuntu1) karmic; urgency=low
1886
1887 * Merge from Debian, remaining changes:
1888 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1889 present there or in /etc/security/pam_env.conf. (should send to Debian).
1890 - debian/libpam0g.postinst: only ask questions during update-manager when
1891 there are non-default services running.
1892 - debian/patches-applied/series: Ubuntu patches are as below ...
1893 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1894 type rather than __u8.
1895 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1896 module option 'missingok' which will suppress logging of errors by
1897 libpam if the module is not found.
1898 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1899 password on bad username.
1900 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1901 initialise RLIMIT_NICE rather than relying on the kernel limits.
1902 - debian/patches-applied/ubuntu-user_defined_environment: Look at
1903 ~/.pam_environment too, with the same format as
1904 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1905 - Change Vcs-Bzr to point at the Ubuntu branch.
1906 - debian/local/common-password, debian/pam-configs/unix: switch from
1907 "md5" to "sha512" as password crypt default.
1908 - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1909 run-parts does the right thing in /etc/update-motd.d.
1910 - debian/patches-applied/pam_motd-legal-notice: display the contents of
1911 /etc/legal once, then set a flag in the user's homedir to prevent showing
1912 it again.
1913
1914 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 07 Aug 2009 09:50:02 +0100
1915
1916>>>>>>> debian/changelog
679pam (1.0.1-10) unstable; urgency=high1917pam (1.0.1-10) unstable; urgency=high
6801918
681 [ Steve Langasek ]1919 [ Steve Langasek ]
@@ -712,6 +1950,54 @@ pam (1.0.1-10) unstable; urgency=high
7121950
713 -- Steve Langasek <vorlon@debian.org> Thu, 06 Aug 2009 17:54:32 +01001951 -- Steve Langasek <vorlon@debian.org> Thu, 06 Aug 2009 17:54:32 +0100
7141952
1953<<<<<<< debian/changelog
1954=======
1955pam (1.0.1-9ubuntu3) karmic; urgency=low
1956
1957 * Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1958 run-parts does the right thing in /etc/update-motd.d.
1959
1960 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Jul 2009 23:55:50 -0700
1961
1962pam (1.0.1-9ubuntu2) karmic; urgency=low
1963
1964 [ Dustin Kirkland ]
1965 * debian/patches/update-motd: run the update-motd scripts in pam_motd;
1966 render update-motd obsolete, LP: #399071
1967 * debian/patches-applied/pam_motd-legal-notice: display the contents of
1968 /etc/legal once, then set a flag in the user's homedir to prevent showing
1969 it again.
1970
1971 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Jul 2009 20:41:52 -0700
1972
1973pam (1.0.1-9ubuntu1) jaunty; urgency=low
1974
1975 * Merge from Debian unstable
1976 * Remaining changes:
1977 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1978 present there or in /etc/security/pam_env.conf. (should send to Debian).
1979 - debian/libpam0g.postinst: only ask questions during update-manager when
1980 there are non-default services running.
1981 - debian/patches-applied/series: Ubuntu patches are as below ...
1982 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1983 type rather than __u8.
1984 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1985 module option 'missingok' which will suppress logging of errors by
1986 libpam if the module is not found.
1987 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1988 password on bad username.
1989 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1990 initialise RLIMIT_NICE rather than relying on the kernel limits.
1991 - debian/patches-applied/ubuntu-user_defined_environment: Look at
1992 ~/.pam_environment too, with the same format as
1993 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1994 - Change Vcs-Bzr to point at the Ubuntu branch.
1995 - debian/local/common-password, debian/pam-configs/unix: switch from
1996 "md5" to "sha512" as password crypt default.
1997
1998 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 20 Mar 2009 19:12:10 -0700
1999
2000>>>>>>> debian/changelog
715pam (1.0.1-9) unstable; urgency=low2001pam (1.0.1-9) unstable; urgency=low
7162002
717 * Move the pam module packages to section 'admin'.2003 * Move the pam module packages to section 'admin'.
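Review bot: the 1.0.1-9ubuntu2 entry at added line 1965 names the patch as debian/patches/update-motd, while every other Ubuntu patch in this hunk lives under debian/patches-applied/. Keep the historical text as it is, but check the series file against the real path rather than the one written here. The 1.0.1-9ubuntu3 entry above it (added lines 1957-1958) ties correct run-parts behaviour in /etc/update-motd.d to `base-files (>= 5.0.0ubuntu6)`; debian/control is also changed by this merge, so confirm that versioned dependency on libpam-modules survives the conflict resolution.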
@@ -745,6 +2031,59 @@ pam (1.0.1-8) unstable; urgency=low
7452031
746 -- Steve Langasek <vorlon@debian.org> Fri, 20 Mar 2009 18:15:07 -07002032 -- Steve Langasek <vorlon@debian.org> Fri, 20 Mar 2009 18:15:07 -0700
7472033
2034<<<<<<< debian/changelog
2035=======
2036pam (1.0.1-7ubuntu1) jaunty; urgency=low
2037
2038 * Merge from Debian unstable
2039 * Remaining changes:
2040 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2041 present there or in /etc/security/pam_env.conf. (should send to Debian).
2042 - debian/libpam0g.postinst: only ask questions during update-manager when
2043 there are non-default services running.
2044 - debian/patches-applied/series: Ubuntu patches are as below ...
2045 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2046 type rather than __u8.
2047 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2048 module option 'missingok' which will suppress logging of errors by
2049 libpam if the module is not found.
2050 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
2051 password on bad username.
2052 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2053 initialise RLIMIT_NICE rather than relying on the kernel limits.
2054 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2055 ~/.pam_environment too, with the same format as
2056 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2057 - Change Vcs-Bzr to point at the Ubuntu branch.
2058 - debian/local/common-password, debian/pam-configs/unix: switch from
2059 "md5" to "sha512" as password crypt default.
2060 * Dropped changes, merged in Debian:
2061 - debian/local/pam-auth-update (et al): new interface for managing
2062 /etc/pam.d/common-*, using drop-in config snippets provided by module
2063 packages.
2064 - New patch dont_freeze_password_chain, cherry-picked from upstream:
2065 don't always follow the same path through the password stack on
2066 the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
2067 pass; this Linux-PAM deviation from the original PAM spec causes a
2068 number of problems, in particular causing wrong return values when
2069 using the refactored pam-auth-update stack. LP: #303515, #305882.
2070 - debian/patches/027_pam_limits_better_init_allow_explicit_root:
2071 Add documentation to the patch showing how to set limits for root.
2072 * Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6,
2073 reducing the delta with Debian.
2074 * Drop upgrade handling code from libpam-runtime.postinst that's only
2075 needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid
2076 pre-release version of the package.
2077 * pam-auth-update: swap out known md5sums from intrepid pre-release versions
2078 with the md5sums from the released intrepid version
2079 * pam-auth-update: drop some md5sums that will only be seen on upgrade from
2080 pre-intrepid versions; skipping over the 8.10 final release is not
2081 supported, and upgrading via 8.10 means those config files will be
2082 replaced so the old md5sums will never be seen again.
2083
2084 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 03 Mar 2009 17:34:19 -0800
2085
2086>>>>>>> debian/changelog
748pam (1.0.1-7) unstable; urgency=low2087pam (1.0.1-7) unstable; urgency=low
7492088
750 * 027_pam_limits_better_init_allow_explicit_root:2089 * 027_pam_limits_better_init_allow_explicit_root:
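Review bot: the pam-auth-update items at added lines 2077-2082 justify dropping the pre-intrepid md5sums only on the assumption that every upgrade passes through the 8.10 final release. debian/local/pam-auth-update is modified by this merge as well, so check that its md5sum table still holds the released-intrepid values this entry says replaced the pre-release ones. Those sums are how an unmodified /etc/pam.d/common-* file is recognised, and a missing one would leave such a file treated as locally changed.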
@@ -779,6 +2118,70 @@ pam (1.0.1-6) unstable; urgency=low
7792118
780 -- Steve Langasek <vorlon@debian.org> Sat, 28 Feb 2009 13:36:57 -08002119 -- Steve Langasek <vorlon@debian.org> Sat, 28 Feb 2009 13:36:57 -0800
7812120
2121<<<<<<< debian/changelog
2122=======
2123pam (1.0.1-5ubuntu2) jaunty; urgency=low
2124
2125 * New patch dont_freeze_password_chain, cherry-picked from upstream:
2126 don't always follow the same path through the password stack on
2127 the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
2128 pass; this Linux-PAM deviation from the original PAM spec causes a
2129 number of problems, in particular causing wrong return values when
2130 using the refactored pam-auth-update stack. LP: #303515, #305882.
2131
2132 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 27 Feb 2009 16:20:24 -0800
2133
2134pam (1.0.1-5ubuntu1) jaunty; urgency=low
2135
2136 * Merge from Debian unstable
2137 * Remaining changes:
2138 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2139 present there or in /etc/security/pam_env.conf. (should send to Debian).
2140 - debian/libpam0g.postinst: only ask questions during update-manager when
2141 there are non-default services running.
2142 - debian/patches-applied/series: Ubuntu patches are as below ...
2143 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2144 type rather than __u8.
2145 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2146 module option 'missingok' which will suppress logging of errors by
2147 libpam if the module is not found.
2148 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
2149 password on bad username.
2150 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2151 initialise RLIMIT_NICE rather than relying on the kernel limits.
2152 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2153 ~/.pam_environment too, with the same format as
2154 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2155 - Change Vcs-Bzr to point at the Ubuntu branch.
2156 - debian/local/pam-auth-update (et al): new interface for managing
2157 /etc/pam.d/common-*, using drop-in config snippets provided by module
2158 packages.
2159 - debian/local/common-password, debian/pam-configs/unix: switch from
2160 "md5" to "sha512" as password crypt default.
2161 * Bump the version numbers referenced in the config files, again, as pam
2162 has revved in Debian and moved the bar.
2163 * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
2164 as a present but empty file; thanks to Greg Price for the patch.
2165 LP: #294513.
2166 * pam-auth-update: Ignore removed profiles when detecting an empty set
2167 of currently-enabled modules. Thanks to Greg Price for this as well.
2168 * debian/control: libpam-runtime needs a versioned dependency on
2169 debconf, because it uses the x_loadtemplatefile extension that's
2170 not supported by debconf versions before hardy. LP: #295135.
2171 * pam-auth-update: trim leading whitespace from multiline fields when
2172 parsing PAM profiles. LP: #295441.
2173 * pam-auth-update: factor out the duplicate code used for returning
2174 the lines for a given module
2175
2176 [ Jonathan Marsden ]
2177 * debian/patches/027_pam_limits_better_init_allow_explicit_root:
2178 Add to patch, documenting how to set limits for root user.
2179 Include an example. Alters limits.conf, limits.conf.5.xml,
2180 and limits.conf.5 . (LP: #65244)
2181
2182 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 08 Jan 2009 20:26:25 +0000
2183
2184>>>>>>> debian/changelog
782pam (1.0.1-5) unstable; urgency=low2185pam (1.0.1-5) unstable; urgency=low
7832186
784 * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as2187 * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as
@@ -814,6 +2217,114 @@ pam (1.0.1-5) unstable; urgency=low
8142217
815 -- Steve Langasek <vorlon@debian.org> Tue, 06 Jan 2009 00:05:13 -08002218 -- Steve Langasek <vorlon@debian.org> Tue, 06 Jan 2009 00:05:13 -0800
8162219
2220<<<<<<< debian/changelog
2221=======
2222pam (1.0.1-4ubuntu5.4) jaunty; urgency=low
2223
2224 * No-change upload to jaunty to fix publication on armel.
2225
2226 -- Colin Watson <cjwatson@ubuntu.com> Tue, 18 Nov 2008 14:09:00 +0000
2227
2228pam (1.0.1-4ubuntu5.3) intrepid-updates; urgency=low
2229
2230 * No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
2231 copied while some ports were not built yet.
2232
2233 -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 11 Nov 2008 14:50:12 +0100
2234
2235pam (1.0.1-4ubuntu5.2) intrepid-proposed; urgency=low
2236
2237 * No-change rebuild because the archive admin (me) copied the package
2238 to jaunty too soon.
2239
2240 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Nov 2008 20:28:11 +0000
2241
2242pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low
2243
2244 * Allow passwords to change on expired accounts, by passing
2245 new_authtok_reqd return codes immediately (LP: #291091).
2246
2247 -- Kees Cook <kees@ubuntu.com> Wed, 05 Nov 2008 09:31:45 -0800
2248
2249pam (1.0.1-4ubuntu5) intrepid; urgency=low
2250
2251 * debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of
2252 default desktop services that are ignored in deciding whether to prompt
2253 for service restarts on upgrade. Partially addresses LP #278117.
2254 * debian/libpam0g.postinst: also filter out samba, which may be installed
2255 on the desktop to enable filesharing.
2256 * debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the
2257 ubiquitous debhelper tokens (currently a no-op)
2258 * pam-auth-update: Use -Initial only for the first profile, even when
2259 there's no explicit -Initial config for that first profile
2260 * fix common-session/common-password to use the same overall stack
2261 structure as auth/account, so that we get the correct behavior when
2262 all password modules fail. LP: #272232.
2263
2264 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Oct 2008 18:11:13 -0700
2265
2266pam (1.0.1-4ubuntu4) intrepid; urgency=low
2267
2268 * Fix a bug in the parser that caused spewing of errors when there
2269 were more lines in the config file following the managed block.
2270 LP: #270328.
2271
2272 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 23 Sep 2008 06:34:56 +0000
2273
2274pam (1.0.1-4ubuntu3) intrepid; urgency=low
2275
2276 * Fix up the code that saves state to /var/lib/pam, so that it matches
2277 what's expected by the code which later compares the saved and active
2278 profiles in the case that there are both primary and additional
2279 modules present.
2280
2281 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 16 Sep 2008 06:49:56 +0000
2282
2283pam (1.0.1-4ubuntu2) intrepid; urgency=low
2284
2285 * Brown paper bag bug: fix a missing comma in pam-auth-update.
2286
2287 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 13 Sep 2008 08:55:32 +0000
2288
2289pam (1.0.1-4ubuntu1) intrepid; urgency=low
2290
2291 * Merge from Debian unstable
2292 * Remaining changes:
2293 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2294 present there or in /etc/security/pam_env.conf. (should send to Debian).
2295 - debian/libpam0g.postinst: only ask questions during update-manager when
2296 there are non-default services running.
2297 - debian/patches-applied/series: Ubuntu patches are as below ...
2298 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2299 type rather than __u8.
2300 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2301 module option 'missingok' which will suppress logging of errors by
2302 libpam if the module is not found.
2303 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
2304 password on bad username.
2305 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2306 initialise RLIMIT_NICE rather than relying on the kernel limits.
2307 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2308 ~/.pam_environment too, with the same format as
2309 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2310 - Change Vcs-Bzr to point at the Ubuntu branch.
2311 - debian/local/pam-auth-update (et al): new interface for managing
2312 /etc/pam.d/common-*, using drop-in config snippets provided by module
2313 packages.
2314 - debian/local/common-password, debian/pam-configs/unix: switch from
2315 "md5" to "sha512" as password crypt default.
2316 * Bump the version numbers referenced in the config files, again, as pam
2317 has revved in Debian and moved the bar.
2318 * debian/pam-config/*: refine the password profiles to use a 'primary'
2319 block, to better parallel the auth structure.
2320 * Drop '-Final' from the field names in /usr/share/pam-configs, supporting
2321 these field names for backwards compatibility only
2322 * Bump the dependency version requirement to 1.0.1-4ubuntu1 for the above
2323 change
2324
2325 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 13 Sep 2008 08:55:19 +0000
2326
2327>>>>>>> debian/changelog
817pam (1.0.1-4) unstable; urgency=high2328pam (1.0.1-4) unstable; urgency=high
8182329
819 * High-urgency upload for RC bugfix.2330 * High-urgency upload for RC bugfix.
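Review bot: added line 2253 writes the bug reference as "LP #278117", without the colon used by every other reference in this hunk (for example "LP: #291091" at added line 2245). The entry says the change only "Partially addresses" that bug, so the colon-less form looks deliberate; do not normalise it to `LP: #278117` while resolving the conflict, since that is the form that marks a bug as fixed on upload. The four no-change and SRU entries above it (1.0.1-4ubuntu5.1 to 5.4) should likewise be kept in this order and wording so the changelog matches what was published.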
@@ -836,6 +2347,91 @@ pam (1.0.1-4) unstable; urgency=high
8362347
837 -- Steve Langasek <vorlon@debian.org> Thu, 28 Aug 2008 22:59:23 -07002348 -- Steve Langasek <vorlon@debian.org> Thu, 28 Aug 2008 22:59:23 -0700
8382349
2350<<<<<<< debian/changelog
2351=======
2352pam (1.0.1-3ubuntu5) intrepid; urgency=low
2353
2354 [ Steve Langasek ]
2355 * Never remove the .pam-old files; just avoid creating them if --force isn't
2356 set.
2357 * Add a manpage for pam-auth-update.
2358 * Automatically upgrade the boilerplate for /etc/pam.d/common-* if we
2359 detect that they have not been locally modified.
2360
2361 [ Kees Cook ]
2362 * debian/local/common-password, debian/pam-configs/unix: switch from "md5"
2363 to "sha512" as password crypt default.
2364
2365 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 26 Aug 2008 06:33:07 +0000
2366
2367pam (1.0.1-3ubuntu4) intrepid; urgency=low
2368
2369 * If two profiles have the same Priority, sort by the profile name to
2370 ensure a complete sort so we can filter out all the duplicates from the
2371 list and not write out broken configs. LP: #260371.
2372
2373 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 22 Aug 2008 17:33:14 +0000
2374
2375pam (1.0.1-3ubuntu3) intrepid; urgency=low
2376
2377 * s/pam-auth-config/pam-auth-update/ in the source, I can't seem to get
2378 this name consistent to save my life - I'm starting to think I named it
2379 wrong...
2380 * Fix the regex used when suppressing jump counts when reading the saved
2381 config, so that we don't clobber module options with numbers in them.
2382 * If the target doesn't already exist, don't try to copy it.
2383 * Filter the config list to exclude configs that no longer exist.
2384 LP: #260122.
2385 * Avoid unnecessary sort/grep in the case where we already have a sorted
2386 list.
2387 * Implement pam-auth-update --remove, for use in package prerms when called
2388 with "remove".
2389
2390 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 21 Aug 2008 15:38:37 -0700
2391
2392pam (1.0.1-3ubuntu2) intrepid; urgency=high
2393
2394 * debian/local/common-session: the session stack needs to be handled the
2395 same way as the password stack, with the possibility of zero primary
2396 modules; required to fix build failures on the Ubuntu buildds due to
2397 su not being able to open sessions by default. LP: #259867.
2398 * debian/libpam-runtime.postinst: when upgrading from the broken
2399 1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to
2400 recover.
2401
2402 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Aug 2008 13:27:10 -0700
2403
2404pam (1.0.1-3ubuntu1) intrepid; urgency=low
2405
2406 * Merge from Debian unstable
2407 * Remaining changes:
2408 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2409 present there or in /etc/security/pam_env.conf. (should send to Debian).
2410 - debian/libpam0g.postinst: only ask questions during update-manager when
2411 there are non-default services running.
2412 - debian/patches-applied/series: Ubuntu patches are as below ...
2413 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2414 type rather than __u8.
2415 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2416 module option 'missingok' which will suppress logging of errors by
2417 libpam if the module is not found.
2418 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
2419 password on bad username.
2420 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2421 initialise RLIMIT_NICE rather than relying on the kernel limits.
2422 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2423 ~/.pam_environment too, with the same format as
2424 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2425 - Change Vcs-Bzr to point at the Ubuntu branch.
2426 - debian/local/pam-auth-update (et al): new interface for managing
2427 /etc/pam.d/common-*, using drop-in config snippets provided by module
2428 packages.
2429 * Remove spurious 'conflict' with a non-existent module, which was added
2430 just as an example
2431
2432 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Aug 2008 11:58:35 -0700
2433
2434>>>>>>> debian/changelog
839pam (1.0.1-3) unstable; urgency=high2435pam (1.0.1-3) unstable; urgency=high
8402436
841 * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL2437 * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL
@@ -845,6 +2441,43 @@ pam (1.0.1-3) unstable; urgency=high
8452441
846 -- Steve Langasek <vorlon@debian.org> Wed, 20 Aug 2008 11:55:47 -07002442 -- Steve Langasek <vorlon@debian.org> Wed, 20 Aug 2008 11:55:47 -0700
8472443
2444<<<<<<< debian/changelog
2445=======
2446pam (1.0.1-2ubuntu1) intrepid; urgency=low
2447
2448 * Merge from Debian unstable
2449 * Remaining changes:
2450 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2451 present there or in /etc/security/pam_env.conf. (should send to Debian).
2452 - debian/libpam-runtime.postinst,
2453 debian/local/common-{auth,password}{,.md5sums}:
2454 Use the new 'missingok' option by default for pam_smbpass in case
2455 libpam-smbpass is not installed (LP: #216990); must use "requisite"
2456 rather than "required" to prevent "pam_smbpass migrate" from firing in
2457 the event of an auth failure; md5sums updated accordingly.
2458 - debian/libpam0g.postinst: only ask questions during update-manager when
2459 there are non-default services running.
2460 - debian/patches-applied/series: Ubuntu patches are as below ...
2461 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2462 type rather than __u8.
2463 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2464 module option 'missingok' which will suppress logging of errors by
2465 libpam if the module is not found.
2466 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
2467 password on bad username.
2468 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2469 initialise RLIMIT_NICE rather than relying on the kernel limits.
2470 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2471 ~/.pam_environment too, with the same format as
2472 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2473 - Change Vcs-Bzr to point at the Ubuntu branch.
2474 * debian/local/pam-auth-update (et al): new interface for managing
2475 /etc/pam.d/common-*, using drop-in config snippets provided by module
2476 packages.
2477
2478 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Aug 2008 09:17:28 +0000
2479
2480>>>>>>> debian/changelog
848pam (1.0.1-2) unstable; urgency=low2481pam (1.0.1-2) unstable; urgency=low
8492482
850 * 007_modules_pam_unix: update the documentation to correctly document2483 * 007_modules_pam_unix: update the documentation to correctly document
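Review bot: the conflict markers at new lines 2444, 2445 and 2480 (`<<<<<<< debian/changelog`, `=======`, `>>>>>>> debian/changelog`) are not valid changelog lines and have to be removed before this can be uploaded. The left side of the conflict is empty here, so the resolution is to keep the 1.0.1-2ubuntu1 entry as added and delete only the three marker lines. The same pattern repeats in the other debian/changelog hunks.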
@@ -869,6 +2502,52 @@ pam (1.0.1-2) unstable; urgency=low
8692502
870 -- Steve Langasek <vorlon@debian.org> Fri, 08 Aug 2008 10:47:26 -07002503 -- Steve Langasek <vorlon@debian.org> Fri, 08 Aug 2008 10:47:26 -0700
8712504
2505<<<<<<< debian/changelog
2506=======
2507pam (1.0.1-1ubuntu1) intrepid; urgency=low
2508
2509 * Merge from Debian unstable
2510 * Dropped changes:
2511 - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
2512 is 2 years newer than Debian's, contains a number of character escaping
2513 fixes plus content updates
2514 - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
2515 correctly support seusers (backported from changes in PAM 0.99.8).
2516 - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
2517 The nis package handles overriding this as necessary.
2518 - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE
2519 from below as well as from above. Fix off-by-one error when converting
2520 RLIMIT_NICE to the range of values used by the kernel.
2521 * Remaining changes:
2522 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2523 present there or in /etc/security/pam_env.conf. (should send to Debian).
2524 - debian/libpam-runtime.postinst,
2525 debian/local/common-{auth,password}{,.md5sums}:
2526 Use the new 'missingok' option by default for pam_smbpass in case
2527 libpam-smbpass is not installed (LP: #216990); must use "requisite"
2528 rather than "required" to prevent "pam_smbpass migrate" from firing in
2529 the event of an auth failure; md5sums updated accordingly.
2530 - debian/libpam0g.postinst: only ask questions during update-manager when
2531 there are non-default services running.
2532 - debian/patches-applied/series: Ubuntu patches are as below ...
2533 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2534 type rather than __u8.
2535 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2536 module option 'missingok' which will suppress logging of errors by
2537 libpam if the module is not found.
2538 - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
2539 password on bad username.
2540 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2541 initialise RLIMIT_NICE rather than relying on the kernel limits.
2542 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2543 ~/.pam_environment too, with the same format as
2544 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2545 * Refresh patch ubuntu-no-error-if-missingok for the new upstream version.
2546 * Change Vcs-Bzr to point at the new Ubuntu branch.
2547
2548 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 28 Jul 2008 20:58:26 +0000
2549
2550>>>>>>> debian/changelog
872pam (1.0.1-1) unstable; urgency=low2551pam (1.0.1-1) unstable; urgency=low
8732552
874 * New upstream version.2553 * New upstream version.
@@ -984,6 +2663,72 @@ pam (0.99.7.1-7) unstable; urgency=medium
9842663
985 -- Steve Langasek <vorlon@debian.org> Mon, 21 Jul 2008 11:49:59 -07002664 -- Steve Langasek <vorlon@debian.org> Mon, 21 Jul 2008 11:49:59 -0700
9862665
2666<<<<<<< debian/changelog
2667=======
2668pam (0.99.7.1-6ubuntu2) intrepid; urgency=low
2669
2670 * debian/libpam-modules.postinst: revert addition of ~/bin to the end of the
2671 default PATH set in /etc/environment as it was pointed out by Colin
2672 Watson that getenv() does not properly expand '~'
2673
2674 -- Jamie Strandboge <jamie@ubuntu.com> Tue, 24 Jun 2008 06:29:40 -0400
2675
2676pam (0.99.7.1-6ubuntu1) intrepid; urgency=low
2677
2678 * Merge from debian unstable
2679 * Dropped changes:
2680 - Linux-PAM/modules/pam_limits/README,
2681 Linux-PAM/modules/pam_selinux/README: Ubuntu versions had some
2682 insignificant character differences, dropping in favor of Debian
2683 versions; pam_selinux documentation has dropped "multiple", and added
2684 "select_context", and "use_current_range" as options.
2685 - debian/control, debian/local/common-session{,md5sums}: use
2686 libpam-foreground for session management.
2687 - Build using db4.5 instead of db4.6.
2688 * Remaining changes:
2689 - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
2690 is 2 years newer than Debian's, contains a number of character escaping
2691 fixes plus content updates; (should send to Debian).
2692 - debian/control: Maintainer updated.
2693 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2694 present there or in /etc/security/pam_env.conf; add ~/bin to PATH
2695 (LP: #64064); (should send to Debian).
2696 - debian/libpam-runtime.postinst,
2697 debian/local/common-{auth,password}{,.md5sums}:
2698 Use the new 'missingok' option by default for pam_smbpass in case
2699 libpam-smbpass is not installed (LP: #216990); must use "requisite"
2700 rather than "required" to prevent "pam_smbpass migrate" from firing in
2701 the event of an auth failure; md5sums updated accordingly.
2702 - debian/libpam0g.postinst: only ask questions during update-manager when
2703 there are non-default services running (LP: #141309).
2704 - debian/applied/series: Ubuntu patches are as below ...
2705 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2706 type rather than __u8.
2707 - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2708 module option 'missingok' which will suppress logging of errors by
2709 libpam if the module is not found.
2710 - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
2711 correctly support seusers (backported from changes in PAM 0.99.8).
2712 Without this patch login will not get correct security context when
2713 using libselinux >= 1.27.2 (LP: #187822).
2714 - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
2715 earlier behavior would correctly prompt for password on bad usernames
2716 (LP: #139075).
2717 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2718 initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
2719 RLIMIT_NICE from below as well as from above. Fix off-by-one error when
2720 converting RLIMIT_NICE to the range of values used by the kernel.
2721 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2722 ~/.pam_environment too, with the same format as
2723 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2724 - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
2725 The nis package handles overriding this as necessary.
2726 * Alphabetized this merge changelog entry by filename (easier reading
2727 against Ubuntu patch).
2728
2729 -- Dustin Kirkland <kirkland@ubuntu.com> Fri, 20 Jun 2008 10:32:00 -0500
2730
2731>>>>>>> debian/changelog
987pam (0.99.7.1-6) unstable; urgency=low2732pam (0.99.7.1-6) unstable; urgency=low
9882733
989 * Debconf translations:2734 * Debconf translations:
@@ -1010,6 +2755,101 @@ pam (0.99.7.1-6) unstable; urgency=low
10102755
1011 -- Steve Langasek <vorlon@debian.org> Sun, 16 Mar 2008 02:06:28 -07002756 -- Steve Langasek <vorlon@debian.org> Sun, 16 Mar 2008 02:06:28 -0700
10122757
2758<<<<<<< debian/changelog
2759=======
2760pam (0.99.7.1-5ubuntu8) intrepid; urgency=low
2761
2762 * debian/libpam-modules.postinst: Add ~/bin to the end of the default PATH
2763 set in /etc/environment (LP: #64064).
2764
2765 -- Dustin Kirkland <kirkland@ubuntu.com> Thu, 19 Jun 2008 12:52:48 -0500
2766
2767pam (0.99.7.1-5ubuntu7) intrepid; urgency=low
2768
2769 * debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2770 module option 'missingok' which will suppress logging of errors by
2771 libpam if the module is not found.
2772 * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
2773 Use the new 'missingok' option by default for pam_smbpass, to
2774 correct the problem of very loud logging introduced in the previous
2775 upload when libpam-smbpass is not installed. LP: #216990.
2776
2777 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 22 Apr 2008 18:53:37 +0000
2778
2779pam (0.99.7.1-5ubuntu6) hardy; urgency=low
2780
2781 * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
2782 Add pam_smbpass as an optional module in the stack, to keep NTLM
2783 passwords (for filesharing) in sync with the main system passwords on a
2784 best-effort basis. LP: #208419.
2785
2786 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 08 Apr 2008 18:21:40 +0000
2787
2788pam (0.99.7.1-5ubuntu5) hardy; urgency=low
2789
2790 * debian/local/common-session: Drop libpam-foreground. It's gone for good,
2791 and we do not want this in the PAM config for new installations, since it
2792 just spams syslog with error messages. (LP: #198714)
2793
2794 -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 11 Mar 2008 11:22:11 +0100
2795
2796pam (0.99.7.1-5ubuntu4) hardy; urgency=low
2797
2798 * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support
2799 seusers (backported from changes in PAM 0.99.8). Without this patch
2800 login will not get correct security context when using libselinux
2801 >= 1.27.2 (LP: #187822).
2802
2803 -- Caleb Case <ccase@tresys.com> Wed, 30 Jan 2008 06:39:48 -0500
2804
2805pam (0.99.7.1-5ubuntu3) hardy; urgency=low
2806
2807 * Temporarily reenable libpam-foreground in common-session again, until
2808 dbus' at_console policy works with ConsoleKit.
2809
2810 -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 29 Nov 2007 15:17:54 +0100
2811
2812pam (0.99.7.1-5ubuntu2) hardy; urgency=low
2813
2814 * debian/local/common-session{,.md5sums}, debian/control: Drop
2815 libpam-foreground, superseded by ConsoleKit integration into hal.
2816 * debian/control: Build against libdb4.6 again. This drops this Debian delta
2817 and 4.6 is our target version in Hardy.
2818
2819 -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 22 Nov 2007 18:56:47 +0100
2820
2821pam (0.99.7.1-5ubuntu1) gutsy; urgency=low
2822
2823 * Resynchronise with Debian. Remaining changes:
2824 - debian/control, debian/local/common-session{,md5sums}: use
2825 libpam-foreground for session management.
2826 - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
2827 The nis package handles overriding this as necessary.
2828 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2829 present there or in /etc/security/pam_env.conf.
2830 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2831 type rather than __u8.
2832 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2833 initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
2834 RLIMIT_NICE from below as well as from above. Fix off-by-one error when
2835 converting RLIMIT_NICE to the range of values used by the kernel.
2836 (Originally patch 101; converted to quilt.)
2837 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2838 ~/.pam_environment too, with the same format as
2839 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2840 - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
2841 earlier behavior would correctly prompt for password on bad usernames
2842 (LP: #139075).
2843 - Build using db4.5 instead of db4.6.
2844 - debian/libpam0g.postinst: only ask questions during update-manager when
2845 there are non-default services running (LP: #141309).
2846 * debian/libpam0g.postinst: don't display a debconf warning about display
2847 managers that need restarting when update-manager is running, instead
2848 signal to update-notifier if a reboot is required.
2849
2850 -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 23:45:24 -0700
2851
2852>>>>>>> debian/changelog
1013pam (0.99.7.1-5) unstable; urgency=low2853pam (0.99.7.1-5) unstable; urgency=low
10142854
1015 * More lintian overrides, related to debconf prompting in the postinst2855 * More lintian overrides, related to debconf prompting in the postinst
@@ -1054,6 +2894,58 @@ pam (0.99.7.1-5) unstable; urgency=low
10542894
1055 -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 00:17:00 -07002895 -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 00:17:00 -0700
10562896
2897<<<<<<< debian/changelog
2898=======
2899pam (0.99.7.1-4ubuntu4) gutsy; urgency=low
2900
2901 * debian/libpam0g.postinst: call "reload" for all display managers
2902 (LP: #139065).
2903 * debian/libpam0g.postinst: only ask questions during update-manager when
2904 there are non-default services running (LP: #141309).
2905
2906 -- Kees Cook <kees@ubuntu.com> Mon, 24 Sep 2007 15:01:29 -0700
2907
2908pam (0.99.7.1-4ubuntu3) gutsy; urgency=low
2909
2910 * ubuntu-regression_fix_securetty: securetty's earlier behavior would
2911 correctly prompt for password on bad usernames (LP: #139075).
2912
2913 -- Kees Cook <kees@ubuntu.com> Wed, 12 Sep 2007 15:20:09 -0700
2914
2915pam (0.99.7.1-4ubuntu2) gutsy; urgency=low
2916
2917 * Build using db4.5 (instead of db4.6). One db4.x version less on the CD.
2918
2919 -- Matthias Klose <doko@ubuntu.com> Wed, 12 Sep 2007 17:44:25 +0200
2920
2921pam (0.99.7.1-4ubuntu1) gutsy; urgency=low
2922
2923 * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
2924 - debian/control, debian/local/common-session{,md5sums}: use
2925 libpam-foreground for session management.
2926 - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
2927 The nis package handles overriding this as necessary.
2928 - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2929 present there or in /etc/security/pam_env.conf.
2930 - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2931 type rather than __u8.
2932 - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2933 initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
2934 RLIMIT_NICE from below as well as from above. Fix off-by-one error when
2935 converting RLIMIT_NICE to the range of values used by the kernel.
2936 (Originally patch 101; converted to quilt.)
2937 - debian/patches-applied/ubuntu-user_defined_environment: Look at
2938 ~/.pam_environment too, with the same format as
2939 /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2940 * Dropped:
2941 - debian/rules: bashism fixes (merged upstream).
2942 - debian/control: Conflict on ancient nis (expired with Breezy).
2943 - debian/libpam-runtime.postinst: check for ancient pam (expired with
2944 Breezy).
2945
2946 -- Kees Cook <kees@ubuntu.com> Wed, 05 Sep 2007 15:18:36 -0700
2947
2948>>>>>>> debian/changelog
1057pam (0.99.7.1-4) unstable; urgency=low2949pam (0.99.7.1-4) unstable; urgency=low
10582950
1059 * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted2951 * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
@@ -1300,6 +3192,35 @@ pam (0.99.7.1-2) unstable; urgency=low
13003192
1301 -- Steve Langasek <vorlon@debian.org> Sun, 26 Aug 2007 19:15:09 -07003193 -- Steve Langasek <vorlon@debian.org> Sun, 26 Aug 2007 19:15:09 -0700
13023194
3195<<<<<<< debian/changelog
3196=======
3197pam (0.79-4ubuntu2) feisty; urgency=low
3198
3199 * Remove /usr/bin/X11 from default PATH (new installs only).
3200
3201 -- Colin Watson <cjwatson@ubuntu.com> Wed, 20 Dec 2006 16:14:37 +0000
3202
3203pam (0.79-4ubuntu1) feisty; urgency=low
3204
3205 * Resynchronise with Debian. Remaining changes:
3206 - Patch 100 (renumbered from 060): Look at ~/.pam_environment too, with
3207 the same format as /etc/security/pam_env.conf.
3208 - Patch 101 (renumbered from 061): Explicitly initialise RLIMIT_NICE
3209 rather than relying on the kernel limits. Bound RLIMIT_NICE from below
3210 as well as from above. Fix off-by-one error when converting
3211 RLIMIT_NICE to the range of values used by the kernel.
3212 - Add PATH to /etc/environment if it's not present there or in
3213 /etc/security/pam_env.conf.
3214 - debian/rules: Fix a bashism.
3215 - Install unix_chkpwd setgid shadow instead of setuid root. The nis
3216 package handles overriding this as necessary.
3217 - Use pam_foreground in the default session.
3218 - Linux-PAM/libpamc/test/regress/test.libpamc.c: Use standard u_int8_t
3219 type rather than __u8.
3220
3221 -- Colin Watson <cjwatson@ubuntu.com> Tue, 19 Dec 2006 10:32:47 +0000
3222
3223>>>>>>> debian/changelog
1303pam (0.79-4) unstable; urgency=medium3224pam (0.79-4) unstable; urgency=medium
13043225
1305 * Medium-urgency upload; at least one RC bugfix, but also a3226 * Medium-urgency upload; at least one RC bugfix, but also a
@@ -1352,6 +3273,15 @@ pam (0.79-3.2) unstable; urgency=low
13523273
1353 -- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -03003274 -- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -0300
13543275
3276<<<<<<< debian/changelog
3277=======
3278pam (0.79-3.1ubuntu1) edgy; urgency=low
3279
3280 * Resynchronise with Debian.
3281
3282 -- Colin Watson <cjwatson@ubuntu.com> Thu, 29 Jun 2006 17:27:34 +0100
3283
3284>>>>>>> debian/changelog
1355pam (0.79-3.1) unstable; urgency=low3285pam (0.79-3.1) unstable; urgency=low
13563286
1357 * Non-maintainer upload.3287 * Non-maintainer upload.
@@ -1362,6 +3292,117 @@ pam (0.79-3.1) unstable; urgency=low
13623292
1363 -- Roger Leigh <rleigh@debian.org> Sun, 5 Feb 2006 21:46:59 +00003293 -- Roger Leigh <rleigh@debian.org> Sun, 5 Feb 2006 21:46:59 +0000
13643294
3295<<<<<<< debian/changelog
3296=======
3297pam (0.79-3ubuntu14) dapper; urgency=low
3298
3299 * debian/patches-applied/061_pam_rlimits_nice_rtprio: Protect use of
3300 RLIMIT_NICE in init_limits() with an #ifdef.
3301
3302 -- Colin Watson <cjwatson@ubuntu.com> Fri, 12 May 2006 17:42:40 +0100
3303
3304pam (0.79-3ubuntu13) dapper; urgency=low
3305
3306 * debian/patches-applied/061_pam_rlimits_nice_rtprio: Set soft and hard
3307 nice limits to 20 (= userland nice value 0) rather than unlimited by
3308 default. Correct off-by-one error (the same error as in Linux 2.6.12,
3309 but fixed in 2.6.13) in user<->kernel translation of nice limit.
3310
3311 -- Colin Watson <cjwatson@ubuntu.com> Thu, 11 May 2006 11:29:58 +0100
3312
3313pam (0.79-3ubuntu12) dapper; urgency=low
3314
3315 * debian/control: Add libpam-foreground dependency to libpam-runtime, since
3316 the default /etc/pam.d/common-session refers to it. Closes: LP#35142
3317
3318 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 10 Apr 2006 14:42:40 +0200
3319
3320pam (0.79-3ubuntu11) dapper; urgency=low
3321
3322 [ Dana Olson ]
3323 * debian/patches-applied/061_pam_rlimits_nice_rtprio: removed glibc
3324 workaround now that glibc is aware of rlimits.
3325
3326 [ Martin Pitt ]
3327 * debian/rules: Fix bashisms.
3328
3329 -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 6 Apr 2006 15:03:37 +0200
3330
3331pam (0.79-3ubuntu10) dapper; urgency=low
3332
3333 * debian/patches-applied/061_pam_rlimits_nice_rtprio: Support "nice" and
3334 "rtprio" rlimits, new in Linux 2.6.12. Backported from upstream thanks
3335 to Dana Olson and others (closes: Malone #17348).
3336
3337 -- Colin Watson <cjwatson@ubuntu.com> Thu, 23 Feb 2006 16:22:12 +0000
3338
3339pam (0.79-3ubuntu9) dapper; urgency=low
3340
3341 * Fix operator precedence in libpam-modules.postinst.
3342
3343 -- Colin Watson <cjwatson@ubuntu.com> Thu, 16 Feb 2006 15:23:04 +0000
3344
3345pam (0.79-3ubuntu8) dapper; urgency=low
3346
3347 * Make pam_env be quiet if it can't find the user's configuration file,
3348 since it's optional.
3349
3350 -- Tollef Fog Heen <tfheen@ubuntu.com> Sat, 4 Feb 2006 16:44:12 +0100
3351
3352pam (0.79-3ubuntu7) dapper; urgency=low
3353
3354 * Add the PATH on initial install for real this time.
3355
3356 -- Tollef Fog Heen <tfheen@ubuntu.com> Thu, 2 Feb 2006 20:33:42 +0100
3357
3358pam (0.79-3ubuntu6) dapper; urgency=low
3359
3360 * Changes from Roger Leigh:
3361
3362 * Linux-PAM/libpamc/include/security/pam_client.h,
3363 Linux-PAM/libpamc/pamc_converse.c: Apply patch from
3364 latest upstream version to remove redefinition of internal
3365 glibc/libstdc++ types. Closes: #344447.
3366 * Linux-PAM/libpamc/test/regress/test.libpamc.c: Also switch to standard
3367 types; not taken from upstream.
3368
3369 -- Reinhard Tartler <siretart@ubuntu.com> Wed, 1 Feb 2006 13:14:24 +0000
3370
3371pam (0.79-3ubuntu5) dapper; urgency=low
3372
3373 * Add pam_foreground to /etc/pam.d/common-session
3374
3375 -- Matthew Garrett <mjg59@srcf.ucam.org> Tue, 24 Jan 2006 02:26:19 +0000
3376
3377pam (0.79-3ubuntu4) dapper; urgency=low
3378
3379 * Add PATH on initial install, too.
3380
3381 -- Tollef Fog Heen <tfheen@ubuntu.com> Mon, 23 Jan 2006 15:55:40 +0100
3382
3383pam (0.79-3ubuntu3) dapper; urgency=low
3384
3385 * Add PATH to /etc/environment if it's not present there or in
3386 /etc/security/pam_env.conf and we are upgrading from a version which
3387 didn't add it.
3388
3389 -- Tollef Fog Heen <tfheen@ubuntu.com> Tue, 17 Jan 2006 15:54:01 +0100
3390
3391pam (0.79-3ubuntu2) dapper; urgency=low
3392
3393 * Look at ~/.pam_environment too. Same format as
3394 /etc/security/pam_env.conf. The patch is recorded as
3395 patches-applied/060_pam_env_per_user
3396
3397 -- Tollef Fog Heen <tfheen@ubuntu.com> Tue, 17 Jan 2006 15:32:55 +0100
3398
3399pam (0.79-3ubuntu1) dapper; urgency=low
3400
3401 * Resynchronise with Debian.
3402
3403 -- Colin Watson <cjwatson@ubuntu.com> Mon, 21 Nov 2005 12:15:44 +0000
3404
3405>>>>>>> debian/changelog
1365pam (0.79-3) unstable; urgency=low3406pam (0.79-3) unstable; urgency=low
13663407
1367 * Patch 0593408 * Patch 059
@@ -1442,6 +3483,37 @@ pam (0.76-23) unstable; urgency=low
14423483
1443 -- Sam Hartman <hartmans@debian.org> Sun, 10 Jul 2005 16:42:25 -04003484 -- Sam Hartman <hartmans@debian.org> Sun, 10 Jul 2005 16:42:25 -0400
14443485
3486<<<<<<< debian/changelog
3487=======
3488pam (0.76-22ubuntu3) breezy; urgency=low
3489
3490 * Fix pam_getenv, which never worked:
3491 - Parse /etc/security/pam_env.conf using its own syntax, and then
3492 /etc/environment using its own syntax rather than the syntax of
3493 /etc/security/pam_env.conf.
3494 - 'my $val' was used in an incorrect scope; fixed.
3495 - Exit non-zero if the requested environment variable is not found.
3496
3497 -- Colin Watson <cjwatson@ubuntu.com> Mon, 12 Sep 2005 18:32:54 +0100
3498
3499pam (0.76-22ubuntu2) breezy; urgency=low
3500
3501 * debian/rules: Install unix_chkpwd setgid shadow instead of setuid root.
3502 This only breaks when using NIS lookups, therefore the new nis package
3503 dpkg-statoverrides it back to setuid root while being installed.
3504 (Debian #155583, http://udu.wiki.ubuntu.com/ProactiveSecurityRoadmap)
3505 * debian/control: Added conflict to nis (<< 3.13-3ubuntu1): This is the
3506 version that corrects the permissions for usage with NIS.
3507
3508 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 17 Jun 2005 12:34:23 +0200
3509
3510pam (0.76-22ubuntu1) breezy; urgency=low
3511
3512 * Fix FTBFS with gcc-3.4 (closes: #259634). Ubuntu 9037.
3513
3514 -- Matthias Klose <doko@ubuntu.com> Wed, 4 May 2005 18:14:51 +0200
3515
3516>>>>>>> debian/changelog
1445pam (0.76-22) unstable; urgency=medium3517pam (0.76-22) unstable; urgency=medium
14463518
1447 * Add uploaders3519 * Add uploaders
@@ -1861,8 +3933,11 @@ pam (0.72-20) unstable; urgency=low
18613933
1862 -- Sam Hartman <hartmans@debian.org> Fri, 6 Apr 2001 06:38:15 -04003934 -- Sam Hartman <hartmans@debian.org> Fri, 6 Apr 2001 06:38:15 -0400
18633935
3936<<<<<<< debian/changelog
18643937
18653938
3939=======
3940>>>>>>> debian/changelog
1866pam (0.72-19) unstable; urgency=low3941pam (0.72-19) unstable; urgency=low
18673942
1868 * New maintainer, closes: #923533943 * New maintainer, closes: #92353
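Review bot: the conflict at new lines 3936 to 3940 differs only in whitespace: the left side holds the two blank lines that are already in the target (old lines 1864 and 1865) and the right side is empty. Resolve it by keeping the target's blank lines and dropping the three markers, so this part of the changelog stays identical to Debian's and stops conflicting on later merges.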
@@ -2668,3 +4743,7 @@ pam (0.56-1) unstable; urgency=low
2668 * Reorganization of package structure (-dev, -dbg, etc).4743 * Reorganization of package structure (-dev, -dbg, etc).
26694744
2670 -- Klee Dienes <klee@debian.org> Sat, 8 Mar 1997 01:21:17 -05004745 -- Klee Dienes <klee@debian.org> Sat, 8 Mar 1997 01:21:17 -0500
4746<<<<<<< debian/changelog
4747=======
4748
4749>>>>>>> debian/changelog
diff --git a/debian/control b/debian/control
index 9c76380..766d319 100644
--- a/debian/control
+++ b/debian/control
@@ -2,13 +2,24 @@ Source: pam
2Section: libs2Section: libs
3Priority: optional3Priority: optional
4Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>4Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
5<<<<<<< debian/control
5Maintainer: Steve Langasek <vorlon@debian.org>6Maintainer: Steve Langasek <vorlon@debian.org>
7=======
8Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
9XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
10>>>>>>> debian/control
6Standards-Version: 3.9.811Standards-Version: 3.9.8
7Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m12Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m
8Build-Conflicts-Indep: fop13Build-Conflicts-Indep: fop
9Build-Conflicts: libdb4.2-dev, libxcrypt-dev14Build-Conflicts: libdb4.2-dev, libxcrypt-dev
15<<<<<<< debian/control
10Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid16Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
11Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files17Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
18=======
19Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
20XS-Debian-Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
21XS-Debian-Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
22>>>>>>> debian/control
12Homepage: http://www.linux-pam.org/23Homepage: http://www.linux-pam.org/
1324
14Package: libpam0g25Package: libpam0g
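Review bot: the source stanza ends up with two `Maintainer:` fields and two `Vcs-Bzr:` fields, separated only by the conflict markers at new lines 5, 7, 10, 15, 18 and 22, which is not a valid control file. Keep the right-hand side of both conflicts (`Maintainer: Ubuntu Developers ...` with `XSBC-Original-Maintainer`, and the Launchpad `Vcs-Bzr` with the `XS-Debian-Vcs-*` fields), and drop the Debian-side `Maintainer`, `Vcs-Bzr` and `Vcs-Browser` lines along with the markers.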
@@ -36,6 +47,10 @@ Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam0g (>= 1.1.3-2),
36 libpam-modules-bin (= ${binary:Version})47 libpam-modules-bin (= ${binary:Version})
37Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask48Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask
38Replaces: libpam0g-util, libpam-umask49Replaces: libpam0g-util, libpam-umask
50<<<<<<< debian/control
51=======
52Recommends: update-motd
53>>>>>>> debian/control
39Provides: libpam-motd, libpam-mkhomedir, libpam-umask54Provides: libpam-motd, libpam-mkhomedir, libpam-umask
40Description: Pluggable Authentication Modules for PAM55Description: Pluggable Authentication Modules for PAM
41 This package completes the set of modules for PAM. It includes the56 This package completes the set of modules for PAM. It includes the
diff --git a/debian/libpam-modules-bin.install b/debian/libpam-modules-bin.install
index fee3bce..6ab6ac7 100644
--- a/debian/libpam-modules-bin.install
+++ b/debian/libpam-modules-bin.install
@@ -4,3 +4,8 @@ sbin/pam_tally sbin
4sbin/pam_tally2 sbin4sbin/pam_tally2 sbin
5sbin/mkhomedir_helper sbin5sbin/mkhomedir_helper sbin
6sbin/pam_timestamp_check usr/sbin6sbin/pam_timestamp_check usr/sbin
7<<<<<<< debian/libpam-modules-bin.install
8=======
9sbin/pam_extrausers_chkpwd sbin
10sbin/pam_extrausers_update sbin
11>>>>>>> debian/libpam-modules-bin.install
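Review bot: `sbin/pam_extrausers_chkpwd sbin` at new line 9 installs what is, by its name, the extrausers counterpart of `unix_chkpwd`, but nothing in this hunk shows what ownership and mode it ends up with. Older entries in the changelog in this same diff record `unix_chkpwd` being installed setgid shadow instead of setuid root, so it is worth confirming that debian/rules gives the extrausers helper no more privilege than that, and saying so in the changelog entry. The marker lines at 7, 8 and 11 also need to go, since every line in a .install file is read as a path to install.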
diff --git a/debian/libpam-modules.manpages b/debian/libpam-modules.manpages
index a9f488d..9287b2e 100644
--- a/debian/libpam-modules.manpages
+++ b/debian/libpam-modules.manpages
@@ -1,2 +1,6 @@
1debian/tmp/usr/share/man/man8/pam_*.81debian/tmp/usr/share/man/man8/pam_*.8
2debian/tmp/usr/share/man/man5/*conf.52debian/tmp/usr/share/man/man5/*conf.5
3<<<<<<< debian/libpam-modules.manpages
4=======
5debian/update-motd.5
6>>>>>>> debian/libpam-modules.manpages
diff --git a/debian/libpam-modules.postinst b/debian/libpam-modules.postinst
index ce03090..0969526 100644
--- a/debian/libpam-modules.postinst
+++ b/debian/libpam-modules.postinst
@@ -17,6 +17,21 @@ then
17 touch /etc/environment17 touch /etc/environment
18fi18fi
1919
20<<<<<<< debian/libpam-modules.postinst
21=======
22# Add PATH to /etc/environment if it's not present there or in
23# /etc/security/pam_env.conf
24if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 1.1.3-7ubuntu3; then
25 if ! grep -qs ^PATH /etc/security/pam_env.conf; then
26 if ! grep -qs ^PATH= /etc/environment; then
27 echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"' >> /etc/environment
28 elif ! grep -qs "^PATH=.*/usr/local/games" /etc/environment; then
29 sed -i '/^PATH=/ s,:/usr/games,:/usr/games:/usr/local/games,g' /etc/environment
30 fi
31 fi
32fi
33
34>>>>>>> debian/libpam-modules.postinst
20if dpkg --compare-versions "$2" lt-nl 1.1.2-1 \35if dpkg --compare-versions "$2" lt-nl 1.1.2-1 \
21 && grep -q 'pam_unix.*\bmin=[0-9]\+' /etc/pam.d/common-password36 && grep -q 'pam_unix.*\bmin=[0-9]\+' /etc/pam.d/common-password
22then37then
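Review bot: the check at line 25, `grep -qs ^PATH /etc/security/pam_env.conf`, is unquoted and matches any variable whose name merely begins with PATH, while line 26 anchors on `^PATH=`. Quote the pattern and require a delimiter after the name so that an unrelated variable does not suppress the /etc/environment update. The sed at line 29 also only fires when `:/usr/games` is already present, so a PATH= line without it never gains /usr/local/games; a comment saying that is intended would help. The markers at lines 20, 21 and 34 must go as well, since this is an executed maintainer script.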
diff --git a/debian/libpam0g.postinst b/debian/libpam0g.postinst
index bc8a52f..16affb8 100644
--- a/debian/libpam0g.postinst
+++ b/debian/libpam0g.postinst
@@ -69,6 +69,10 @@ installed_services() {
69 -e's/\bhylafax-server\b/hylafax/g' \69 -e's/\bhylafax-server\b/hylafax/g' \
70 -e's/\bpartimage-server\b/partimaged/g' \70 -e's/\bpartimage-server\b/partimaged/g' \
71 -e's/\bpostgresql-common\b/postgresql/g' \71 -e's/\bpostgresql-common\b/postgresql/g' \
72<<<<<<< debian/libpam0g.postinst
73=======
74 -e's/\bsamba\b/smbd-ad-dc/g' \
75>>>>>>> debian/libpam0g.postinst
72 -e's/\bsasl2-bin\b/saslauthd/g' \76 -e's/\bsasl2-bin\b/saslauthd/g' \
73 )77 )
7478
@@ -112,13 +116,36 @@ then
112 echo "Checking init scripts..."116 echo "Checking init scripts..."
113 services=$(installed_services "$check")117 services=$(installed_services "$check")
114 if [ -n "$services" ]; then118 if [ -n "$services" ]; then
119<<<<<<< debian/libpam0g.postinst
115 db_input critical libraries/restart-without-asking || true120 db_input critical libraries/restart-without-asking || true
121=======
122 db_reset libpam0g/restart-services
123 db_set libpam0g/restart-services "$services"
124 question_priority="critical"
125 # Do not prompt when we're running in the upgrade-manager
126 # and only default services need restarting.
127 nondefault_services=$(echo "$services" | sed \
128 -e's/\batd\b//g' \
129 -e's/\bcron\b//g' \
130 -e's/\bcups\b//g' \
131 -e's/\bgdm\b//g' \
132 -e's/\bsmbd\b//g' \
133 -e's/^ *//g')
134 if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] && [ -z "$nondefault_services" ]; then
135 question_priority="medium"
136 fi
137 db_input "$question_priority" libraries/restart-without-asking || true
138>>>>>>> debian/libpam0g.postinst
116 db_go || true139 db_go || true
117 db_get libraries/restart-without-asking140 db_get libraries/restart-without-asking
118 if [ "$RET" != true ]; then141 if [ "$RET" != true ]; then
119 db_reset libpam0g/restart-services142 db_reset libpam0g/restart-services
120 db_set libpam0g/restart-services "$services"143 db_set libpam0g/restart-services "$services"
144<<<<<<< debian/libpam0g.postinst
121 db_input critical libpam0g/restart-services || true145 db_input critical libpam0g/restart-services || true
146=======
147 db_input "$question_priority" libpam0g/restart-services || true
148>>>>>>> debian/libpam0g.postinst
122 db_go || true149 db_go || true
123 db_get libpam0g/restart-services150 db_get libpam0g/restart-services
124151
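Review bot: `db_reset libpam0g/restart-services` and `db_set libpam0g/restart-services "$services"` at lines 122-123 duplicate the same two calls at lines 142-143 inside the `if [ "$RET" != true ]` branch. Either drop one pair or add a comment explaining why the value has to be seeded before `libraries/restart-without-asking` is asked. It would also help to document next to line 134 that `question_priority` is only lowered to medium when `RELEASE_UPGRADE_IN_PROGRESS` is set and every service is in the stripped list (atd, cron, cups, gdm, smbd), because that list decides whether an administrator is prompted before PAM-using daemons restart.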
@@ -139,6 +166,16 @@ then
139166
140 case "$service" in167 case "$service" in
141 gdm)168 gdm)
169<<<<<<< debian/libpam0g.postinst
170=======
171 # If gdm isn't running, there's no need to reload it (LP: #745532)
172 if ! $idl status | grep -q 'Active: active (running)'
173 then
174 echo " $service: not running, no reload needed."
175 continue
176 fi
177
178>>>>>>> debian/libpam0g.postinst
142 echo -n " $service: reloading..."179 echo -n " $service: reloading..."
143 if $idl reload > /dev/null 2>&1; then180 if $idl reload > /dev/null 2>&1; then
144 echo "done."181 echo "done."
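Review bot: the running check at line 172 greps the output of `$idl status` for the literal text `Active: active (running)`, which ties the decision to one status output format. If the text differs, the branch prints "not running, no reload needed" and hits `continue`, so a running gdm keeps the old libpam loaded without any warning. Prefer testing the exit status of `$idl status`, or state in the comment at line 171 which init system output this is written for.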
@@ -184,8 +221,19 @@ then
184 done221 done
185 services=$(installed_services "$dms")222 services=$(installed_services "$dms")
186 if [ -n "$services" ]; then223 if [ -n "$services" ]; then
224<<<<<<< debian/libpam0g.postinst
187 db_input critical libpam0g/xdm-needs-restart || true225 db_input critical libpam0g/xdm-needs-restart || true
188 db_go || true226 db_go || true
227=======
228 if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] \
229 && [ -x /usr/share/update-notifier/notify-reboot-required ]
230 then
231 /usr/share/update-notifier/notify-reboot-required
232 else
233 db_input critical libpam0g/xdm-needs-restart || true
234 db_go || true
235 fi
236>>>>>>> debian/libpam0g.postinst
189 fi237 fi
190 fi238 fi
191239
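Review bot: the call to `/usr/share/update-notifier/notify-reboot-required` at line 231 is not guarded, unlike the `db_input ... || true` and `db_go || true` calls in the else branch at lines 233-234. If this script runs under `set -e`, a non-zero exit from the notifier would abort the libpam0g configure step in the middle of a release upgrade; append `|| true` for consistency. A short comment explaining that the debconf prompt is skipped on purpose during release upgrades would also help.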
diff --git a/debian/local/common-session b/debian/local/common-session
index 2e94d6c..bd831f2 100644
--- a/debian/local/common-session
+++ b/debian/local/common-session
@@ -20,6 +20,14 @@ session requisite pam_deny.so
20# this avoids us returning an error just because nothing sets a success code20# this avoids us returning an error just because nothing sets a success code
21# since the modules above will each just jump around21# since the modules above will each just jump around
22session required pam_permit.so22session required pam_permit.so
23<<<<<<< debian/local/common-session
24=======
25# The pam_umask module will set the umask according to the system default in
26# /etc/login.defs and user settings, solving the problem of different
27# umask settings with different shells, display managers, remote sessions etc.
28# See "man pam_umask".
29session optional pam_umask.so
30>>>>>>> debian/local/common-session
23# and here are more per-package modules (the "Additional" block)31# and here are more per-package modules (the "Additional" block)
24$session_additional32$session_additional
25# end of pam-auth-update config33# end of pam-auth-update config
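Review bot: the comment at lines 25-28 says pam_umask "will set the umask", but line 29 registers it as `session optional`, so a failure of the module is ignored and the session keeps whatever umask the calling service had. Say so in the comment, so an administrator reading /etc/pam.d/common-session does not take the line as an enforced setting. The same block is added to common-session-noninteractive and should carry the same wording.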
diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
index 1dd1a17..063f1ca 100644
--- a/debian/local/common-session-noninteractive
+++ b/debian/local/common-session-noninteractive
@@ -20,6 +20,14 @@ session requisite pam_deny.so
20# this avoids us returning an error just because nothing sets a success code20# this avoids us returning an error just because nothing sets a success code
21# since the modules above will each just jump around21# since the modules above will each just jump around
22session required pam_permit.so22session required pam_permit.so
23<<<<<<< debian/local/common-session-noninteractive
24=======
25# The pam_umask module will set the umask according to the system default in
26# /etc/login.defs and user settings, solving the problem of different
27# umask settings with different shells, display managers, remote sessions etc.
28# See "man pam_umask".
29session optional pam_umask.so
30>>>>>>> debian/local/common-session-noninteractive
23# and here are more per-package modules (the "Additional" block)31# and here are more per-package modules (the "Additional" block)
24$session_nonint_additional32$session_nonint_additional
25# end of pam-auth-update config33# end of pam-auth-update config
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 5fb4f40..9682062 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -39,7 +39,11 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
39my $titletemplate = 'libpam-runtime/title';39my $titletemplate = 'libpam-runtime/title';
40my $confdir = '/etc/pam.d';40my $confdir = '/etc/pam.d';
41my $savedir = '/var/lib/pam';41my $savedir = '/var/lib/pam';
42<<<<<<< debian/local/pam-auth-update
42my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);43my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);
44=======
45my (%profiles, @sorted, @enabled, @conflicts, @new, %removals);
46>>>>>>> debian/local/pam-auth-update
43my $force = 0;47my $force = 0;
44my $package = 0;48my $package = 0;
45my $priority = 'high';49my $priority = 'high';
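Review bot: the two sides at lines 43 and 45 differ only in `%to_enable`, and that choice has to match the other conflict regions in this file. If the declaration without `%to_enable` is kept while the `--enable` branch (lines 105-111) or the `grep { $to_enable{$_} } @sorted` push (lines 162-165) survives, the script references an undeclared hash. Resolve all of these regions, plus the `--enable` paragraph in pam-auth-update.8, in the same direction, and note in the changelog if `--enable` is being dropped.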
@@ -54,9 +58,17 @@ my %md5sums = (
54 'session' => [58 'session' => [
55 '240fb92986c885b327cdb21dd641da8c',59 '240fb92986c885b327cdb21dd641da8c',
56 '4a25673e8b36f1805219027d3be02cd2',60 '4a25673e8b36f1805219027d3be02cd2',
61<<<<<<< debian/local/pam-auth-update
57 ],62 ],
58 'session-noninteractive' => [63 'session-noninteractive' => [
59 'ad2b78ce1498dd637ef36469430b6ac6',64 'ad2b78ce1498dd637ef36469430b6ac6',
65=======
66 '73144a2f4e609a922a51e301cd66a57e',
67 ],
68 'session-noninteractive' => [
69 'ad2b78ce1498dd637ef36469430b6ac6',
70 'a20e8df3469bfe25c13a3b39161b30f0',
71>>>>>>> debian/local/pam-auth-update
60 ],72 ],
61);73);
6274
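Review bot: the md5sums added at lines 66 and 70 (`73144a2f...` under 'session' and `a20e8df3...` under 'session-noninteractive') carry no comment saying which shipped template revision they correspond to. Since this table decides whether an existing /etc/pam.d file counts as unmodified and may be overwritten, please annotate each new sum with the package version whose template it matches. Note that the first side of the conflict closes the 'session' list at line 62 without the new sum, so picking it drops that entry.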
@@ -89,6 +101,7 @@ while ($#ARGV >= 0) {
89 }101 }
90 # --remove implies --package102 # --remove implies --package
91 $package = 1 if (keys(%removals));103 $package = 1 if (keys(%removals));
104<<<<<<< debian/local/pam-auth-update
92 } elsif ($opt eq '--enable') {105 } elsif ($opt eq '--enable') {
93 while ($#ARGV >= 0) {106 while ($#ARGV >= 0) {
94 last if ($ARGV[0] =~ /^--/);107 last if ($ARGV[0] =~ /^--/);
@@ -96,6 +109,8 @@ while ($#ARGV >= 0) {
96 }109 }
97 # --enable implies --package110 # --enable implies --package
98 $package = 1 if (keys(%to_enable));111 $package = 1 if (keys(%to_enable));
112=======
113>>>>>>> debian/local/pam-auth-update
99 }114 }
100}115}
101116
@@ -143,10 +158,13 @@ if (!@enabled) {
143 $priority = 'high' unless ($force);158 $priority = 'high' unless ($force);
144}159}
145160
161<<<<<<< debian/local/pam-auth-update
146# add configs to enable162# add configs to enable
147push(@enabled,163push(@enabled,
148 grep { $to_enable{$_} } @sorted);164 grep { $to_enable{$_} } @sorted);
149165
166=======
167>>>>>>> debian/local/pam-auth-update
150# add any previously-unseen configs168# add any previously-unseen configs
151push(@enabled,169push(@enabled,
152 grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted);170 grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted);
diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
index a5ebdba..933fb0f 100644
--- a/debian/local/pam-auth-update.8
+++ b/debian/local/pam-auth-update.8
@@ -68,10 +68,13 @@ Indicate that the caller is a package maintainer script; lowers the
68priority of debconf questions to `medium' so that the user is not68priority of debconf questions to `medium' so that the user is not
69prompted by default.69prompted by default.
70.TP70.TP
71<<<<<<< debian/local/pam-auth-update.8
71.B \-\-enable \fIprofile \fR[\fIprofile\fR...]72.B \-\-enable \fIprofile \fR[\fIprofile\fR...]
72Enable the specified profiles in system configuration. This is used to73Enable the specified profiles in system configuration. This is used to
73enable profiles that are not on by default.74enable profiles that are not on by default.
74.TP75.TP
76=======
77>>>>>>> debian/local/pam-auth-update.8
75.B \-\-remove \fIprofile \fR[\fIprofile\fR...]78.B \-\-remove \fIprofile \fR[\fIprofile\fR...]
76Remove the specified profiles from the system configuration.79Remove the specified profiles from the system configuration.
77.B pam\-auth\-update \-\-remove80.B pam\-auth\-update \-\-remove
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
index cb5e8c0..7515fad 100644
--- a/debian/patches-applied/cve-2015-3238.patch
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -15,6 +15,7 @@ pipe that has a limited capacity.
15With this fix, the verifiable password length will be limited to15With this fix, the verifiable password length will be limited to
16PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.16PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
1717
18<<<<<<< debian/patches-applied/cve-2015-3238.patch
18diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml19diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
19index 2379366..d1b00a2 10064420index 2379366..d1b00a2 100644
20--- a/modules/pam_exec/pam_exec.8.xml21--- a/modules/pam_exec/pam_exec.8.xml
@@ -29,6 +30,8 @@ index 2379366..d1b00a2 100644
29 </para>30 </para>
30 </listitem>31 </listitem>
31 </varlistentry>32 </varlistentry>
33=======
34>>>>>>> debian/patches-applied/cve-2015-3238.patch
32diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c35diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
33index 5ab9630..17ba6ca 10064436index 5ab9630..17ba6ca 100644
34--- a/modules/pam_exec/pam_exec.c37--- a/modules/pam_exec/pam_exec.c
@@ -47,6 +50,7 @@ index 5ab9630..17ba6ca 100644
47 50
48 if (pipe(fds) != 0)51 if (pipe(fds) != 0)
49 {52 {
53<<<<<<< debian/patches-applied/cve-2015-3238.patch
50diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml54diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
51index 4008402..a8b64bb 10064455index 4008402..a8b64bb 100644
52--- a/modules/pam_unix/pam_unix.8.xml56--- a/modules/pam_unix/pam_unix.8.xml
@@ -65,6 +69,8 @@ index 4008402..a8b64bb 100644
65 The password component of this module performs the task of updating69 The password component of this module performs the task of updating
66 the user's password. The default encryption hash is taken from the70 the user's password. The default encryption hash is taken from the
67 <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from71 <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
72=======
73>>>>>>> debian/patches-applied/cve-2015-3238.patch
68diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c74diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
69index 2d330e5..c2e5de5 10064475index 2d330e5..c2e5de5 100644
70--- a/modules/pam_unix/pam_unix_passwd.c76--- a/modules/pam_unix/pam_unix_passwd.c
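Review bot: the conflict regions at lines 18-34 and 53-73 sit inside a quilt patch, and in both the second side is empty, so choosing it removes the pam_exec.8.xml and pam_unix.8.xml hunks from cve-2015-3238.patch. That leaves the code change in place but drops the manual text for the limit described at lines 15-16 (PAM_MAX_RESP_SIZE, 512 bytes). Keep the documentation hunks unless they genuinely no longer apply, and remove the marker lines in either case, because they are not valid patch content.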
diff --git a/debian/patches-applied/extrausers.patch b/debian/patches-applied/extrausers.patch
71new file mode 10064477new file mode 100644
index 0000000..f316f1d
--- /dev/null
+++ b/debian/patches-applied/extrausers.patch
@@ -0,0 +1,6567 @@
1Index: pam-1.1.8/modules/pam_extrausers/Makefile.am
2===================================================================
3--- /dev/null
4+++ pam-1.1.8/modules/pam_extrausers/Makefile.am
5@@ -0,0 +1,70 @@
6+#
7+# Copyright (c) 2005, 2006, 2009, 2011 Thorsten Kukuk <kukuk@suse.de>
8+#
9+
10+CLEANFILES = *~
11+MAINTAINERCLEANFILES = $(MANS)
12+
13+EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(MANS) \
14+ tst-pam_extrausers $(XMLS)
15+
16+man_MANS = pam_extrausers.8
17+XMLS = pam_extrausers.8.xml
18+
19+#TESTS = tst-pam_extrausers
20+
21+securelibdir = $(SECUREDIR)
22+secureconfdir = $(SCONFIGDIR)
23+
24+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
25+ -DCHKPWD_HELPER=\"$(sbindir)/pam_extrausers_chkpwd\" \
26+ -DUPDATE_HELPER=\"$(sbindir)/pam_extrausers_update\" \
27+ $(NIS_CFLAGS)
28+
29+if HAVE_LIBSELINUX
30+ AM_CFLAGS += -D"WITH_SELINUX"
31+endif
32+
33+pam_extrausers_la_LDFLAGS = -no-undefined -avoid-version -module
34+if HAVE_VERSIONING
35+ pam_extrausers_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
36+endif
37+pam_extrausers_la_LIBADD = $(top_builddir)/libpam/libpam.la \
38+ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
39+ ../pam_securetty/tty_secure.lo
40+
41+securelib_LTLIBRARIES = pam_extrausers.la
42+
43+noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h \
44+ pam_unix_static.h
45+
46+sbin_PROGRAMS = pam_extrausers_chkpwd pam_extrausers_update
47+
48+noinst_PROGRAMS = bigcrypt
49+
50+pam_extrausers_la_SOURCES = bigcrypt.c pam_unix_acct.c \
51+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
52+ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
53+if STATIC_MODULES
54+pam_extrausers_la_SOURCES += pam_unix_static.c
55+endif
56+
57+bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
58+bigcrypt_CFLAGS = $(AM_CFLAGS)
59+bigcrypt_LDADD = @LIBCRYPT@
60+
61+pam_extrausers_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
62+ passverify.c
63+pam_extrausers_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_chkpwd\"
64+pam_extrausers_chkpwd_LDFLAGS = @PIE_LDFLAGS@
65+pam_extrausers_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
66+
67+pam_extrausers_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
68+ passverify.c
69+pam_extrausers_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_update\"
70+pam_extrausers_update_LDFLAGS = @PIE_LDFLAGS@
71+pam_extrausers_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
72+
73+if ENABLE_REGENERATE_MAN
74+-include $(top_srcdir)/Make.xml.rules
75+endif
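Review bot: line 19 leaves `#TESTS = tst-pam_extrausers` commented out while line 14 still ships `tst-pam_extrausers` in EXTRA_DIST, so the forked module and its two helpers are built without their test being run. For a module that verifies and updates passwords, either enable the test or add a comment explaining why it cannot run in this tree.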
76Index: pam-1.1.8/modules/pam_extrausers/README
77===================================================================
78--- /dev/null
79+++ pam-1.1.8/modules/pam_extrausers/README
80@@ -0,0 +1,5 @@
81+This is a simple fork of pam_unix, but with the following changes:
82+
83+ - The expected namespace changes
84+ - References to /etc or /etc/secure are replaced with /var/lib/extrausers
85+ - Unconditionally use our custom lckpwdf methods and namespace them
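Review bot: the README at lines 81-85 calls this "a simple fork of pam_unix" but does not record which pam_unix revision was copied or how later fixes are carried over. This merge also ships cve-2015-3238.patch, which changes modules/pam_unix/pam_unix_passwd.c, and the fork builds its own pam_unix_passwd.c (Makefile.am, line 51). Please state here whether the forked copy includes that fix and how the two trees are kept in sync.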
86Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.c
87===================================================================
88--- /dev/null
89+++ pam-1.1.8/modules/pam_extrausers/bigcrypt.c
90@@ -0,0 +1,159 @@
91+/*
92+ * This function implements the "bigcrypt" algorithm specifically for
93+ * Linux-PAM.
94+ *
95+ * This algorithm is algorithm 0 (default) shipped with the C2 secure
96+ * implementation of Digital UNIX.
97+ *
98+ * Disclaimer: This work is not based on the source code to Digital
99+ * UNIX, nor am I connected to Digital Equipment Corp, in any way
100+ * other than as a customer. This code is based on published
101+ * interfaces and reasonable guesswork.
102+ *
103+ * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
104+ * characters or less. Each block is encrypted using the standard UNIX
105+ * libc crypt function. The result of the encryption for one block
106+ * provides the salt for the suceeding block.
107+ *
108+ * Restrictions: The buffer used to hold the encrypted result is
109+ * statically allocated. (see MAX_PASS_LEN below). This is necessary,
110+ * as the returned pointer points to "static data that are overwritten
111+ * by each call", (XPG3: XSI System Interface + Headers pg 109), and
112+ * this is a drop in replacement for crypt();
113+ *
114+ * Andy Phillips <atp@mssl.ucl.ac.uk>
115+ */
116+
117+#include "config.h"
118+
119+#include <string.h>
120+#include <stdlib.h>
121+#include <security/_pam_macros.h>
122+#ifdef HAVE_LIBXCRYPT
123+#include <xcrypt.h>
124+#elif defined(HAVE_CRYPT_H)
125+#include <crypt.h>
126+#endif
127+
128+#include "bigcrypt.h"
129+
130+/*
131+ * Max cleartext password length in segments of 8 characters this
132+ * function can deal with (16 segments of 8 chars= max 128 character
133+ * password).
134+ */
135+
136+#define MAX_PASS_LEN 16
137+#define SEGMENT_SIZE 8
138+#define SALT_SIZE 2
139+#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE)
140+#define ESEGMENT_SIZE 11
141+#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1)
142+
143+char *bigcrypt(const char *key, const char *salt)
144+{
145+ char *dec_c2_cryptbuf;
146+#ifdef HAVE_CRYPT_R
147+ struct crypt_data *cdata;
148+#endif
149+ unsigned long int keylen, n_seg, j;
150+ char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr;
151+ char keybuf[KEYBUF_SIZE + 1];
152+
153+ D(("called with key='%s', salt='%s'.", key, salt));
154+
155+ /* reset arrays */
156+ dec_c2_cryptbuf = malloc(CBUF_SIZE);
157+ if (!dec_c2_cryptbuf) {
158+ return NULL;
159+ }
160+#ifdef HAVE_CRYPT_R
161+ cdata = malloc(sizeof(*cdata));
162+ if(!cdata) {
163+ free(dec_c2_cryptbuf);
164+ return NULL;
165+ }
166+ cdata->initialized = 0;
167+#endif
168+ memset(keybuf, 0, KEYBUF_SIZE + 1);
169+ memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
170+
171+ /* fill KEYBUF_SIZE with key */
172+ strncpy(keybuf, key, KEYBUF_SIZE);
173+
174+ /* deal with case that we are doing a password check for a
175+ conventially encrypted password: the salt will be
176+ SALT_SIZE+ESEGMENT_SIZE long. */
177+ if (strlen(salt) == (SALT_SIZE + ESEGMENT_SIZE))
178+ keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */
179+
180+ keylen = strlen(keybuf);
181+
182+ if (!keylen) {
183+ n_seg = 1;
184+ } else {
185+ /* work out how many segments */
186+ n_seg = 1 + ((keylen - 1) / SEGMENT_SIZE);
187+ }
188+
189+ if (n_seg > MAX_PASS_LEN)
190+ n_seg = MAX_PASS_LEN; /* truncate at max length */
191+
192+ /* set up some pointers */
193+ cipher_ptr = dec_c2_cryptbuf;
194+ plaintext_ptr = keybuf;
195+
196+ /* do the first block with supplied salt */
197+#ifdef HAVE_CRYPT_R
198+ tmp_ptr = crypt_r(plaintext_ptr, salt, cdata); /* libc crypt_r() */
199+#else
200+ tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */
201+#endif
202+ if (tmp_ptr == NULL) {
203+ free(dec_c2_cryptbuf);
204+ return NULL;
205+ }
206+ /* and place in the static area */
207+ strncpy(cipher_ptr, tmp_ptr, 13);
208+ cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
209+ plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */
210+
211+ /* change the salt (1st 2 chars of previous block) - this was found
212+ by dowsing */
213+
214+ salt_ptr = cipher_ptr - ESEGMENT_SIZE;
215+
216+ /* so far this is identical to "return crypt(key, salt);", if
217+ there is more than one block encrypt them... */
218+
219+ if (n_seg > 1) {
220+ for (j = 2; j <= n_seg; j++) {
221+
222+#ifdef HAVE_CRYPT_R
223+ tmp_ptr = crypt_r(plaintext_ptr, salt_ptr, cdata);
224+#else
225+ tmp_ptr = crypt(plaintext_ptr, salt_ptr);
226+#endif
227+ if (tmp_ptr == NULL) {
228+ _pam_overwrite(dec_c2_cryptbuf);
229+ free(dec_c2_cryptbuf);
230+ return NULL;
231+ }
232+
233+ /* skip the salt for seg!=0 */
234+ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
235+
236+ cipher_ptr += ESEGMENT_SIZE;
237+ plaintext_ptr += SEGMENT_SIZE;
238+ salt_ptr = cipher_ptr - ESEGMENT_SIZE;
239+ }
240+ }
241+ D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
242+
243+#ifdef HAVE_CRYPT_R
244+ free(cdata);
245+#endif
246+
247+ /* this is the <NUL> terminated encrypted password */
248+ return dec_c2_cryptbuf;
249+}
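Review bot: under HAVE_CRYPT_R, both early returns on `tmp_ptr == NULL` (lines 202-205 and 227-231) free `dec_c2_cryptbuf` but never free `cdata`, which is only released at line 244 on the success path. Add `free(cdata)` to both error paths. The first error path also skips the `_pam_overwrite(dec_c2_cryptbuf)` that the second one performs, and `keybuf`, which holds the cleartext copied at line 172, is never cleared before returning. The `D((...))` calls at lines 153 and 241 print `key` verbatim, so debug builds would log cleartext passwords.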
250Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.h
251===================================================================
252--- /dev/null
253+++ pam-1.1.8/modules/pam_extrausers/bigcrypt.h
254@@ -0,0 +1 @@
255+extern char *bigcrypt(const char *key, const char *salt);
256Index: pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c
257===================================================================
258--- /dev/null
259+++ pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c
260@@ -0,0 +1,18 @@
261+#include <stdio.h>
262+#include <string.h>
263+
264+#include "bigcrypt.h"
265+
266+int
267+main(int argc, char **argv)
268+{
269+ if (argc < 3) {
270+ fprintf(stderr, "Usage: %s password salt\n",
271+ strchr(argv[0], '/') ?
272+ (strchr(argv[0], '/') + 1) :
273+ argv[0]);
274+ return 0;
275+ }
276+ fprintf(stdout, "%s\n", bigcrypt(argv[1], argv[2]));
277+ return 0;
278+}
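Review bot: line 276 passes the result of `bigcrypt(argv[1], argv[2])` straight to `fprintf` with `%s`, but bigcrypt returns NULL on allocation or crypt failure (bigcrypt.c lines 157-159 and 202-205). Check for NULL and exit non-zero. The usage path at lines 269-274 also returns 0 on bad arguments, and `strchr(argv[0], '/')` picks the first slash rather than the last, so `strrchr` is probably what was meant.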
279Index: pam-1.1.8/modules/pam_extrausers/lckpwdf.-c
280===================================================================
281--- /dev/null
282+++ pam-1.1.8/modules/pam_extrausers/lckpwdf.-c
283@@ -0,0 +1,142 @@
284+/*
285+ * This is a hack, but until libc and glibc both include this function
286+ * by default (libc only includes it if nys is not being used, at the
287+ * moment, and glibc doesn't appear to have it at all) we need to have
288+ * it here, too. :-(
289+ *
290+ * This should not become an official part of PAM.
291+ *
292+ * BEGIN_HACK
293+ */
294+
295+/*
296+ * lckpwdf.c -- prevent simultaneous updates of password files
297+ *
298+ * Before modifying any of the password files, call lckpwdf(). It may block
299+ * for up to 15 seconds trying to get the lock. Return value is 0 on success
300+ * or -1 on failure. When you are done, call ulckpwdf() to release the lock.
301+ * The lock is also released automatically when the process exits. Only one
302+ * process at a time may hold the lock.
303+ *
304+ * These functions are supposed to be conformant with AT&T SVID Issue 3.
305+ *
306+ * Written by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>,
307+ * public domain.
308+ */
309+
310+#include <fcntl.h>
311+#include <signal.h>
312+#ifdef WITH_SELINUX
313+#include <selinux/selinux.h>
314+#endif
315+
316+#define LOCKFILE "/var/lib/extrausers/.pwd.lock"
317+#define TIMEOUT 15
318+
319+static int lockfd = -1;
320+
321+static int set_close_on_exec(int fd)
322+{
323+ int flags = fcntl(fd, F_GETFD, 0);
324+ if (flags == -1)
325+ return -1;
326+ flags |= FD_CLOEXEC;
327+ return fcntl(fd, F_SETFD, flags);
328+}
329+
330+static int do_lock(int fd)
331+{
332+ struct flock fl;
333+
334+ memset(&fl, 0, sizeof fl);
335+ fl.l_type = F_WRLCK;
336+ fl.l_whence = SEEK_SET;
337+ return fcntl(fd, F_SETLKW, &fl);
338+}
339+
340+static void alarm_catch(int sig)
341+{
342+/* does nothing, but fcntl F_SETLKW will fail with EINTR */
343+}
344+
345+static int extrausers_lckpwdf(void)
346+{
347+ struct sigaction act, oldact;
348+ sigset_t set, oldset;
349+
350+ if (lockfd != -1)
351+ return -1;
352+
353+#ifdef WITH_SELINUX
354+ if(is_selinux_enabled()>0)
355+ {
356+ lockfd = open(LOCKFILE, O_WRONLY);
357+ if(lockfd == -1 && errno == ENOENT)
358+ {
359+ security_context_t create_context;
360+ int rc;
361+
362+ if(getfilecon("/var/lib/extrausers/passwd", &create_context))
363+ return -1;
364+ rc = setfscreatecon(create_context);
365+ freecon(create_context);
366+ if(rc)
367+ return -1;
368+ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
369+ if(setfscreatecon(NULL))
370+ return -1;
371+ }
372+ }
373+ else
374+#endif
375+ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
376+ if (lockfd == -1)
377+ return -1;
378+ if (set_close_on_exec(lockfd) == -1)
379+ goto cleanup_fd;
380+
381+ memset(&act, 0, sizeof act);
382+ act.sa_handler = alarm_catch;
383+ act.sa_flags = 0;
384+ sigfillset(&act.sa_mask);
385+ if (sigaction(SIGALRM, &act, &oldact) == -1)
386+ goto cleanup_fd;
387+
388+ sigemptyset(&set);
389+ sigaddset(&set, SIGALRM);
390+ if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1)
391+ goto cleanup_sig;
392+
393+ alarm(TIMEOUT);
394+ if (do_lock(lockfd) == -1)
395+ goto cleanup_alarm;
396+ alarm(0);
397+ sigprocmask(SIG_SETMASK, &oldset, NULL);
398+ sigaction(SIGALRM, &oldact, NULL);
399+ return 0;
400+
401+ cleanup_alarm:
402+ alarm(0);
403+ sigprocmask(SIG_SETMASK, &oldset, NULL);
404+ cleanup_sig:
405+ sigaction(SIGALRM, &oldact, NULL);
406+ cleanup_fd:
407+ close(lockfd);
408+ lockfd = -1;
409+ return -1;
410+}
411+
412+static int extrausers_ulckpwdf(void)
413+{
414+ unlink(LOCKFILE);
415+ if (lockfd == -1)
416+ return -1;
417+
418+ if (close(lockfd) == -1) {
419+ lockfd = -1;
420+ return -1;
421+ }
422+ lockfd = -1;
423+ return 0;
424+}
425+/* END_HACK */
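Review bot: `extrausers_ulckpwdf` calls `unlink(LOCKFILE)` at line 414 before the `lockfd == -1` check at line 415, so a process that never took the lock still removes the lock file. The current holder then has its fcntl lock on an unlinked inode, and the next caller creates and locks a fresh file, leaving two writers inside the critical section for /var/lib/extrausers. Move the unlink after the ownership check, or do not unlink at all. In the SELinux branch, the `return -1` at lines 369-370 after a successful `open` leaves `lockfd` set and the descriptor open, so every later call fails at line 350; route that path through `cleanup_fd`.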
426Index: pam-1.1.8/modules/pam_extrausers/md5.c
427===================================================================
428--- /dev/null
429+++ pam-1.1.8/modules/pam_extrausers/md5.c
430@@ -0,0 +1,255 @@
431+/*
432+ * $Id$
433+ *
434+ * This code implements the MD5 message-digest algorithm.
435+ * The algorithm is due to Ron Rivest. This code was
436+ * written by Colin Plumb in 1993, no copyright is claimed.
437+ * This code is in the public domain; do with it what you wish.
438+ *
439+ * Equivalent code is available from RSA Data Security, Inc.
440+ * This code has been tested against that, and is equivalent,
441+ * except that you don't need to include two pages of legalese
442+ * with every copy.
443+ *
444+ * To compute the message digest of a chunk of bytes, declare an
445+ * MD5Context structure, pass it to MD5Init, call MD5Update as
446+ * needed on buffers full of bytes, and then call MD5Final, which
447+ * will fill a supplied 16-byte array with the digest.
448+ *
449+ */
450+
451+#include <string.h>
452+#include "md5.h"
453+
454+#ifndef HIGHFIRST
455+#define byteReverse(buf, len) /* Nothing */
456+#else
457+static void byteReverse(unsigned char *buf, unsigned longs);
458+
459+#ifndef ASM_MD5
460+/*
461+ * Note: this code is harmless on little-endian machines.
462+ */
463+static void byteReverse(unsigned char *buf, unsigned longs)
464+{
465+ uint32 t;
466+ do {
467+ t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
468+ ((unsigned) buf[1] << 8 | buf[0]);
469+ *(uint32 *) buf = t;
470+ buf += 4;
471+ } while (--longs);
472+}
473+#endif
474+#endif
475+
476+/*
477+ * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
478+ * initialization constants.
479+ */
480+void MD5Name(MD5Init)(struct MD5Context *ctx)
481+{
482+ ctx->buf[0] = 0x67452301U;
483+ ctx->buf[1] = 0xefcdab89U;
484+ ctx->buf[2] = 0x98badcfeU;
485+ ctx->buf[3] = 0x10325476U;
486+
487+ ctx->bits[0] = 0;
488+ ctx->bits[1] = 0;
489+}
490+
491+/*
492+ * Update context to reflect the concatenation of another buffer full
493+ * of bytes.
494+ */
495+void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
496+{
497+ uint32 t;
498+
499+ /* Update bitcount */
500+
501+ t = ctx->bits[0];
502+ if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
503+ ctx->bits[1]++; /* Carry from low to high */
504+ ctx->bits[1] += len >> 29;
505+
506+ t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */
507+
508+ /* Handle any leading odd-sized chunks */
509+
510+ if (t) {
511+ unsigned char *p = (unsigned char *) ctx->in + t;
512+
513+ t = 64 - t;
514+ if (len < t) {
515+ memcpy(p, buf, len);
516+ return;
517+ }
518+ memcpy(p, buf, t);
519+ byteReverse(ctx->in, 16);
520+ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
521+ buf += t;
522+ len -= t;
523+ }
524+ /* Process data in 64-byte chunks */
525+
526+ while (len >= 64) {
527+ memcpy(ctx->in, buf, 64);
528+ byteReverse(ctx->in, 16);
529+ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
530+ buf += 64;
531+ len -= 64;
532+ }
533+
534+ /* Handle any remaining bytes of data. */
535+
536+ memcpy(ctx->in, buf, len);
537+}
538+
539+/*
540+ * Final wrapup - pad to 64-byte boundary with the bit pattern
541+ * 1 0* (64-bit count of bits processed, MSB-first)
542+ */
543+void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
544+{
545+ unsigned count;
546+ unsigned char *p;
547+
548+ /* Compute number of bytes mod 64 */
549+ count = (ctx->bits[0] >> 3) & 0x3F;
550+
551+ /* Set the first char of padding to 0x80. This is safe since there is
552+ always at least one byte free */
553+ p = ctx->in + count;
554+ *p++ = 0x80;
555+
556+ /* Bytes of padding needed to make 64 bytes */
557+ count = 64 - 1 - count;
558+
559+ /* Pad out to 56 mod 64 */
560+ if (count < 8) {
561+ /* Two lots of padding: Pad the first block to 64 bytes */
562+ memset(p, 0, count);
563+ byteReverse(ctx->in, 16);
564+ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
565+
566+ /* Now fill the next block with 56 bytes */
567+ memset(ctx->in, 0, 56);
568+ } else {
569+ /* Pad block to 56 bytes */
570+ memset(p, 0, count - 8);
571+ }
572+ byteReverse(ctx->in, 14);
573+
574+ /* Append length in bits and transform */
575+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
576+
577+ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
578+ byteReverse((unsigned char *) ctx->buf, 4);
579+ memcpy(digest, ctx->buf, 16);
580+ memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
581+}
582+
583+#ifndef ASM_MD5
584+
585+/* The four core functions - F1 is optimized somewhat */
586+
587+/* #define F1(x, y, z) (x & y | ~x & z) */
588+#define F1(x, y, z) (z ^ (x & (y ^ z)))
589+#define F2(x, y, z) F1(z, x, y)
590+#define F3(x, y, z) (x ^ y ^ z)
591+#define F4(x, y, z) (y ^ (x | ~z))
592+
593+/* This is the central step in the MD5 algorithm. */
594+#define MD5STEP(f, w, x, y, z, data, s) \
595+ ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
596+
597+/*
598+ * The core of the MD5 algorithm, this alters an existing MD5 hash to
599+ * reflect the addition of 16 longwords of new data. MD5Update blocks
600+ * the data and converts bytes into longwords for this routine.
601+ */
602+void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16])
603+{
604+ register uint32 a, b, c, d;
605+
606+ a = buf[0];
607+ b = buf[1];
608+ c = buf[2];
609+ d = buf[3];
610+
611+ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7);
612+ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12);
613+ MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17);
614+ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22);
615+ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7);
616+ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12);
617+ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17);
618+ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22);
619+ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7);
620+ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12);
621+ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
622+ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
623+ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7);
624+ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
625+ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
626+ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
627+
628+ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5);
629+ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9);
630+ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
631+ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20);
632+ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5);
633+ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9);
634+ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
635+ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20);
636+ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5);
637+ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9);
638+ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14);
639+ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20);
640+ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5);
641+ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9);
642+ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14);
643+ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
644+
645+ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4);
646+ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11);
647+ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
648+ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
649+ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4);
650+ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11);
651+ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16);
652+ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
653+ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4);
654+ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11);
655+ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16);
656+ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23);
657+ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4);
658+ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
659+ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
660+ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23);
661+
662+ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6);
663+ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10);
664+ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
665+ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21);
666+ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6);
667+ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10);
668+ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
669+ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21);
670+ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6);
671+ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
672+ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15);
673+ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
674+ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6);
675+ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
676+ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15);
677+ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21);
678+
679+ buf[0] += a;
680+ buf[1] += b;
681+ buf[2] += c;
682+ buf[3] += d;
683+}
684+
685+#endif
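Review bot: In MD5Final, the closing `memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */` is a plain store to an object that is not read again, so the compiler is allowed to drop it. That is more likely here because md5_good.c and md5_broken.c include md5.c and md5_crypt.c in one translation unit, where the call can be inlined against the local `ctx` and `ctx1`. If the wipe matters, use a clearing primitive that cannot be elided, such as explicit_bzero() on libcs that provide it, or a loop through a volatile pointer. Separately, the `(uint32 *) ctx->in` casts handed to MD5Transform read an `unsigned char[64]` as `uint32[16]`, which relies on type punning that strict aliasing rules do not guarantee; a union member or a memcpy into a local `uint32` array avoids that.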
686Index: pam-1.1.8/modules/pam_extrausers/md5.h
687===================================================================
688--- /dev/null
689+++ pam-1.1.8/modules/pam_extrausers/md5.h
690@@ -0,0 +1,31 @@
691+
692+#ifndef MD5_H
693+#define MD5_H
694+
695+typedef unsigned int uint32;
696+
697+struct MD5Context {
698+ uint32 buf[4];
699+ uint32 bits[2];
700+ unsigned char in[64];
701+};
702+
703+void GoodMD5Init(struct MD5Context *);
704+void GoodMD5Update(struct MD5Context *, unsigned const char *, unsigned);
705+void GoodMD5Final(unsigned char digest[16], struct MD5Context *);
706+void GoodMD5Transform(uint32 buf[4], uint32 const in[16]);
707+void BrokenMD5Init(struct MD5Context *);
708+void BrokenMD5Update(struct MD5Context *, unsigned const char *, unsigned);
709+void BrokenMD5Final(unsigned char digest[16], struct MD5Context *);
710+void BrokenMD5Transform(uint32 buf[4], uint32 const in[16]);
711+
712+char *Goodcrypt_md5(const char *pw, const char *salt);
713+char *Brokencrypt_md5(const char *pw, const char *salt);
714+
715+/*
716+ * This is needed to make RSAREF happy on some MS-DOS compilers.
717+ */
718+
719+typedef struct MD5Context MD5_CTX;
720+
721+#endif /* MD5_H */
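Review bot: `typedef unsigned int uint32;` assumes `unsigned int` is exactly 32 bits, and the rotate in MD5STEP (`w<<s | w>>(32-s)`) silently depends on that width; including <stdint.h> and using `typedef uint32_t uint32;` makes the assumption explicit. The prototypes for `Goodcrypt_md5` and `Brokencrypt_md5` also need a comment stating that the returned string is heap-allocated (md5_crypt.c returns the result of `malloc(120)`) and must be wiped and freed by the caller, since nothing in the header says who owns it.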
722Index: pam-1.1.8/modules/pam_extrausers/md5_broken.c
723===================================================================
724--- /dev/null
725+++ pam-1.1.8/modules/pam_extrausers/md5_broken.c
726@@ -0,0 +1,4 @@
727+#define MD5Name(x) Broken##x
728+
729+#include "md5.c"
730+#include "md5_crypt.c"
731Index: pam-1.1.8/modules/pam_extrausers/md5_crypt.c
732===================================================================
733--- /dev/null
734+++ pam-1.1.8/modules/pam_extrausers/md5_crypt.c
735@@ -0,0 +1,154 @@
736+/*
737+ * $Id$
738+ *
739+ * ----------------------------------------------------------------------------
740+ * "THE BEER-WARE LICENSE" (Revision 42):
741+ * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
742+ * can do whatever you want with this stuff. If we meet some day, and you think
743+ * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
744+ * ----------------------------------------------------------------------------
745+ *
746+ * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp
747+ *
748+ */
749+
750+#include <string.h>
751+#include <stdlib.h>
752+#include "md5.h"
753+
754+static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
755+"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
756+
757+static void to64(char *s, unsigned long v, int n)
758+{
759+ while (--n >= 0) {
760+ *s++ = itoa64[v & 0x3f];
761+ v >>= 6;
762+ }
763+}
764+
765+/*
766+ * UNIX password
767+ *
768+ * Use MD5 for what it is best at...
769+ */
770+
771+char *MD5Name(crypt_md5)(const char *pw, const char *salt)
772+{
773+ const char *magic = "$1$";
774+ /* This string is magic for this algorithm. Having
775+ * it this way, we can get get better later on */
776+ char *passwd, *p;
777+ const char *sp, *ep;
778+ unsigned char final[16];
779+ int sl, pl, i, j;
780+ MD5_CTX ctx, ctx1;
781+ unsigned long l;
782+
783+ /* Refine the Salt first */
784+ sp = salt;
785+
786+ /* TODO: now that we're using malloc'ed memory, get rid of the
787+ strange constant buffer size. */
788+ passwd = malloc(120);
789+
790+ /* If it starts with the magic string, then skip that */
791+ if (!strncmp(sp, magic, strlen(magic)))
792+ sp += strlen(magic);
793+
794+ /* It stops at the first '$', max 8 chars */
795+ for (ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
796+ continue;
797+
798+ /* get the length of the true salt */
799+ sl = ep - sp;
800+
801+ MD5Name(MD5Init)(&ctx);
802+
803+ /* The password first, since that is what is most unknown */
804+ MD5Name(MD5Update)(&ctx,(unsigned const char *)pw,strlen(pw));
805+
806+ /* Then our magic string */
807+ MD5Name(MD5Update)(&ctx,(unsigned const char *)magic,strlen(magic));
808+
809+ /* Then the raw salt */
810+ MD5Name(MD5Update)(&ctx,(unsigned const char *)sp,sl);
811+
812+ /* Then just as many characters of the MD5(pw,salt,pw) */
813+ MD5Name(MD5Init)(&ctx1);
814+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
815+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
816+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
817+ MD5Name(MD5Final)(final,&ctx1);
818+ for (pl = strlen(pw); pl > 0; pl -= 16)
819+ MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
820+
821+ /* Don't leave anything around in vm they could use. */
822+ memset(final, 0, sizeof final);
823+
824+ /* Then something really weird... */
825+ for (j = 0, i = strlen(pw); i; i >>= 1)
826+ if (i & 1)
827+ MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1);
828+ else
829+ MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1);
830+
831+ /* Now make the output string */
832+ strcpy(passwd, magic);
833+ strncat(passwd, sp, sl);
834+ strcat(passwd, "$");
835+
836+ MD5Name(MD5Final)(final,&ctx);
837+
838+ /*
839+ * and now, just to make sure things don't run too fast
840+ * On a 60 Mhz Pentium this takes 34 msec, so you would
841+ * need 30 seconds to build a 1000 entry dictionary...
842+ */
843+ for (i = 0; i < 1000; i++) {
844+ MD5Name(MD5Init)(&ctx1);
845+ if (i & 1)
846+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
847+ else
848+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
849+
850+ if (i % 3)
851+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
852+
853+ if (i % 7)
854+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
855+
856+ if (i & 1)
857+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
858+ else
859+ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
860+ MD5Name(MD5Final)(final,&ctx1);
861+ }
862+
863+ p = passwd + strlen(passwd);
864+
865+ l = (final[0] << 16) | (final[6] << 8) | final[12];
866+ to64(p, l, 4);
867+ p += 4;
868+ l = (final[1] << 16) | (final[7] << 8) | final[13];
869+ to64(p, l, 4);
870+ p += 4;
871+ l = (final[2] << 16) | (final[8] << 8) | final[14];
872+ to64(p, l, 4);
873+ p += 4;
874+ l = (final[3] << 16) | (final[9] << 8) | final[15];
875+ to64(p, l, 4);
876+ p += 4;
877+ l = (final[4] << 16) | (final[10] << 8) | final[5];
878+ to64(p, l, 4);
879+ p += 4;
880+ l = final[11];
881+ to64(p, l, 2);
882+ p += 2;
883+ *p = '\0';
884+
885+ /* Don't leave anything around in vm they could use. */
886+ memset(final, 0, sizeof final);
887+
888+ return passwd;
889+}
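Review bot: `passwd = malloc(120);` near the top of crypt_md5 is never checked, and the later `strcpy(passwd, magic);` writes through it; return NULL on allocation failure and make sure every caller treats a NULL result as a failed verification rather than dereferencing it. The first `memset(final, 0, sizeof final);` deserves a comment that it is not only hygiene: the loop that follows reads `final+j`, so removing or moving that memset changes the hash output. The last `memset(final, 0, sizeof final);` before `return passwd;` is a dead store on a local and may be optimised away, so use a non-elidable clear there if the wipe is meant to be relied on.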
890Index: pam-1.1.8/modules/pam_extrausers/md5_good.c
891===================================================================
892--- /dev/null
893+++ pam-1.1.8/modules/pam_extrausers/md5_good.c
894@@ -0,0 +1,5 @@
895+#define HIGHFIRST
896+#define MD5Name(x) Good##x
897+
898+#include "md5.c"
899+#include "md5_crypt.c"
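Review bot: The only difference between this file and md5_broken.c is `#define HIGHFIRST`, and neither file says what the macro selects or why the build without it is named Broken. Please add a comment stating which variant produces standard MD5 output and what the other one is kept for, so that nobody wires the wrong `crypt_md5` variant into a path that creates new password hashes.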
900Index: pam-1.1.8/modules/pam_extrausers/obscure.c
901===================================================================
902--- /dev/null
903+++ pam-1.1.8/modules/pam_extrausers/obscure.c
904@@ -0,0 +1,198 @@
905+/*
906+ * Copyright 1989 - 1994, Julianne Frances Haugh
907+ * All rights reserved.
908+ *
909+ * Redistribution and use in source and binary forms, with or without
910+ * modification, are permitted provided that the following conditions
911+ * are met:
912+ * 1. Redistributions of source code must retain the above copyright
913+ * notice, this list of conditions and the following disclaimer.
914+ * 2. Redistributions in binary form must reproduce the above copyright
915+ * notice, this list of conditions and the following disclaimer in the
916+ * documentation and/or other materials provided with the distribution.
917+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
918+ * may be used to endorse or promote products derived from this software
919+ * without specific prior written permission.
920+ *
921+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
922+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
923+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
924+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
925+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
926+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
927+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
928+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
929+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
930+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
931+ * SUCH DAMAGE.
932+ */
933+
934+#include "config.h"
935+
936+#include <ctype.h>
937+#include <stdio.h>
938+#include <unistd.h>
939+#include <string.h>
940+#include <stdlib.h>
941+#include <pwd.h>
942+#include <security/pam_modules.h>
943+#include <security/_pam_macros.h>
944+
945+
946+#include "support.h"
947+
948+/* can't be a palindrome - like `R A D A R' or `M A D A M' */
949+static int palindrome(const char *old, const char *new) {
950+ int i, j;
951+
952+ i = strlen (new);
953+
954+ for (j = 0;j < i;j++)
955+ if (new[i - j - 1] != new[j])
956+ return 0;
957+
958+ return 1;
959+}
960+
961+/* more than half of the characters are different ones. */
962+static int similar(const char *old, const char *new) {
963+ int i, j;
964+
965+ /*
966+ * XXX - sometimes this fails when changing from a simple password
967+ * to a really long one (MD5). For now, I just return success if
968+ * the new password is long enough. Please feel free to suggest
969+ * something better... --marekm
970+ */
971+ if (strlen(new) >= 8)
972+ return 0;
973+
974+ for (i = j = 0; new[i] && old[i]; i++)
975+ if (strchr(new, old[i]))
976+ j++;
977+
978+ if (i >= j * 2)
979+ return 0;
980+
981+ return 1;
982+}
983+
984+/* a nice mix of characters. */
985+static int simple(const char *old, const char *new) {
986+ int digits = 0;
987+ int uppers = 0;
988+ int lowers = 0;
989+ int others = 0;
990+ int size;
991+ int i;
992+
993+ for (i = 0;new[i];i++) {
994+ if (isdigit (new[i]))
995+ digits++;
996+ else if (isupper (new[i]))
997+ uppers++;
998+ else if (islower (new[i]))
999+ lowers++;
1000+ else
1001+ others++;
1002+ }
1003+
1004+ /*
1005+ * The scam is this - a password of only one character type
1006+ * must be 8 letters long. Two types, 7, and so on.
1007+ */
1008+
1009+ size = 9;
1010+ if (digits) size--;
1011+ if (uppers) size--;
1012+ if (lowers) size--;
1013+ if (others) size--;
1014+
1015+ if (size <= i)
1016+ return 0;
1017+
1018+ return 1;
1019+}
1020+
1021+static char *str_lower(char *string) {
1022+ char *cp;
1023+
1024+ for (cp = string; *cp; cp++)
1025+ *cp = tolower(*cp);
1026+ return string;
1027+}
1028+
1029+static const char * password_check(const char *old, const char *new,
1030+ const struct passwd *pwdp) {
1031+ const char *msg = NULL;
1032+ char *oldmono, *newmono, *wrapped;
1033+
1034+ if (strcmp(new, old) == 0)
1035+ return _("Bad: new password must be different than the old one");
1036+
1037+ newmono = str_lower(strdup(new));
1038+ oldmono = str_lower(strdup(old));
1039+ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
1040+ strcpy (wrapped, oldmono);
1041+ strcat (wrapped, oldmono);
1042+
1043+ if (palindrome(oldmono, newmono)) {
1044+ msg = _("Bad: new password cannot be a palindrome");
1045+ } else if (strcmp(oldmono, newmono) == 0) {
1046+ msg = _("Bad: new and old password must differ by more than just case");
1047+ } else if (similar(oldmono, newmono)) {
1048+ msg = _("Bad: new and old password are too similar");
1049+ } else if (simple(old, new)) {
1050+ msg = _("Bad: new password is too simple");
1051+ } else if (strstr(wrapped, newmono)) {
1052+ msg = _("Bad: new password is just a wrapped version of the old one");
1053+ }
1054+
1055+ _pam_delete(newmono);
1056+ _pam_delete(oldmono);
1057+ _pam_delete(wrapped);
1058+
1059+ return msg;
1060+}
1061+
1062+const char *obscure_msg(const char *old, const char *new,
1063+ const struct passwd *pwdp, unsigned int ctrl) {
1064+ int oldlen, newlen;
1065+ char *new1, *old1;
1066+ const char *msg;
1067+
1068+ if (old == NULL)
1069+ return NULL; /* no check if old is NULL */
1070+
1071+ oldlen = strlen(old);
1072+ newlen = strlen(new);
1073+
1074+ /* Remaining checks are optional. */
1075+ if (off(UNIX_OBSCURE_CHECKS,ctrl))
1076+ return NULL;
1077+
1078+ if ((msg = password_check(old, new, pwdp)) != NULL)
1079+ return msg;
1080+
1081+ /* The traditional crypt() truncates passwords to 8 chars. It is
1082+ possible to circumvent the above checks by choosing an easy
1083+ 8-char password and adding some random characters to it...
1084+ Example: "password$%^&*123". So check it again, this time
1085+ truncated to the maximum length. Idea from npasswd. --marekm */
1086+
1087+ if (!UNIX_DES_CRYPT(ctrl))
1088+ return NULL; /* unlimited password length */
1089+
1090+ if (oldlen <= 8 && newlen <= 8)
1091+ return NULL;
1092+
1093+ new1 = strndup(new,8);
1094+ old1 = strndup(old,8);
1095+
1096+ msg = password_check(old1, new1, pwdp);
1097+
1098+ _pam_delete(new1);
1099+ _pam_delete(old1);
1100+
1101+ return msg;
1102+}
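Review bot: In password_check, the results of `strdup(new)`, `strdup(old)` and `malloc(strlen(oldmono) * 2 + 1)` are used without a NULL check: str_lower walks the pointer immediately and `strcpy (wrapped, oldmono)` writes through it. The two `strndup` calls in obscure_msg have the same problem. Bail out with an error when any of these allocations fails. In str_lower and simple, `tolower(*cp)`, `isdigit (new[i])`, `isupper` and `islower` receive a plain `char`, which is undefined behaviour for negative values; cast to `unsigned char` first. The `old` parameter of palindrome and simple and the `pwdp` parameter of password_check are never used and should be dropped or marked unused.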
1103Index: pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c
1104===================================================================
1105--- /dev/null
1106+++ pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c
1107@@ -0,0 +1,304 @@
1108+/*
1109+ * Copyright Elliot Lee, 1996. All rights reserved.
1110+ * Copyright Jan R\EAkorajski, 1999. All rights reserved.
1111+ *
1112+ * Redistribution and use in source and binary forms, with or without
1113+ * modification, are permitted provided that the following conditions
1114+ * are met:
1115+ * 1. Redistributions of source code must retain the above copyright
1116+ * notice, and the entire permission notice in its entirety,
1117+ * including the disclaimer of warranties.
1118+ * 2. Redistributions in binary form must reproduce the above copyright
1119+ * notice, this list of conditions and the following disclaimer in the
1120+ * documentation and/or other materials provided with the distribution.
1121+ * 3. The name of the author may not be used to endorse or promote
1122+ * products derived from this software without specific prior
1123+ * written permission.
1124+ *
1125+ * ALTERNATIVELY, this product may be distributed under the terms of
1126+ * the GNU Public License, in which case the provisions of the GPL are
1127+ * required INSTEAD OF the above restrictions. (This clause is
1128+ * necessary due to a potential bad interaction between the GPL and
1129+ * the restrictions contained in a BSD-style copyright.)
1130+ *
1131+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
1132+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1133+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
1134+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
1135+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
1136+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
1137+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1138+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1139+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1140+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1141+ * OF THE POSSIBILITY OF SUCH DAMAGE.
1142+ */
1143+
1144+#include "config.h"
1145+
1146+#include <stdlib.h>
1147+#include <stdio.h>
1148+#include <string.h>
1149+#include <unistd.h>
1150+#include <sys/types.h>
1151+#include <sys/resource.h>
1152+#include <syslog.h>
1153+#include <pwd.h>
1154+#include <shadow.h>
1155+#include <time.h> /* for time() */
1156+#include <errno.h>
1157+#include <sys/wait.h>
1158+
1159+#include <security/_pam_macros.h>
1160+
1161+/* indicate that the following groups are defined */
1162+
1163+#ifdef PAM_STATIC
1164+# include "pam_unix_static.h"
1165+#else
1166+# define PAM_SM_ACCOUNT
1167+#endif
1168+
1169+#include <security/pam_modules.h>
1170+#include <security/pam_ext.h>
1171+#include <security/pam_modutil.h>
1172+
1173+#include "support.h"
1174+#include "passverify.h"
1175+
1176+int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
1177+ const char *user, int *daysleft)
1178+{
1179+ int retval=0, child, fds[2];
1180+ struct sigaction newsa, oldsa;
1181+ D(("running verify_binary"));
1182+
1183+ /* create a pipe for the messages */
1184+ if (pipe(fds) != 0) {
1185+ D(("could not make pipe"));
1186+ pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m");
1187+ return PAM_AUTH_ERR;
1188+ }
1189+ D(("called."));
1190+
1191+ if (off(UNIX_NOREAP, ctrl)) {
1192+ /*
1193+ * This code arranges that the demise of the child does not cause
1194+ * the application to receive a signal it is not expecting - which
1195+ * may kill the application or worse.
1196+ *
1197+ * The "noreap" module argument is provided so that the admin can
1198+ * override this behavior.
1199+ */
1200+ memset(&newsa, '\0', sizeof(newsa));
1201+ newsa.sa_handler = SIG_DFL;
1202+ sigaction(SIGCHLD, &newsa, &oldsa);
1203+ }
1204+
1205+ /* fork */
1206+ child = fork();
1207+ if (child == 0) {
1208+ int i=0;
1209+ struct rlimit rlim;
1210+ static char *envp[] = { NULL };
1211+ char *args[] = { NULL, NULL, NULL, NULL };
1212+
1213+ /* reopen stdout as pipe */
1214+ dup2(fds[1], STDOUT_FILENO);
1215+
1216+ /* XXX - should really tidy up PAM here too */
1217+
1218+ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
1219+ if (rlim.rlim_max >= MAX_FD_NO)
1220+ rlim.rlim_max = MAX_FD_NO;
1221+ for (i=0; i < (int)rlim.rlim_max; i++) {
1222+ if (i != STDOUT_FILENO) {
1223+ close(i);
1224+ }
1225+ }
1226+ }
1227+
1228+ if (geteuid() == 0) {
1229+ /* must set the real uid to 0 so the helper will not error
1230+ out if pam is called from setuid binary (su, sudo...) */
1231+ if (setuid(0) == -1) {
1232+ pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
1233+ printf("-1\n");
1234+ fflush(stdout);
1235+ _exit(PAM_AUTHINFO_UNAVAIL);
1236+ }
1237+ }
1238+
1239+ /* exec binary helper */
1240+ args[0] = x_strdup(CHKPWD_HELPER);
1241+ args[1] = x_strdup(user);
1242+ args[2] = x_strdup("chkexpiry");
1243+
1244+ execve(CHKPWD_HELPER, args, envp);
1245+
1246+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
1247+ /* should not get here: exit with error */
1248+ D(("helper binary is not available"));
1249+ printf("-1\n");
1250+ fflush(stdout);
1251+ _exit(PAM_AUTHINFO_UNAVAIL);
1252+ } else {
1253+ close(fds[1]);
1254+ if (child > 0) {
1255+ char buf[32];
1256+ int rc=0;
1257+ /* wait for helper to complete: */
1258+ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
1259+ if (rc<0) {
1260+ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd waitpid returned %d: %m", rc);
1261+ retval = PAM_AUTH_ERR;
1262+ } else if (!WIFEXITED(retval)) {
1263+ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd abnormal exit: %d", retval);
1264+ retval = PAM_AUTH_ERR;
1265+ } else {
1266+ retval = WEXITSTATUS(retval);
1267+ rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
1268+ if(rc > 0) {
1269+ buf[rc] = '\0';
1270+ if (sscanf(buf,"%d", daysleft) != 1 )
1271+ retval = PAM_AUTH_ERR;
1272+ }
1273+ else {
1274+ pam_syslog(pamh, LOG_ERR, "read pam_extrausers_chkpwd output error %d: %m", rc);
1275+ retval = PAM_AUTH_ERR;
1276+ }
1277+ }
1278+ } else {
1279+ pam_syslog(pamh, LOG_ERR, "Fork failed: %m");
1280+ D(("fork failed"));
1281+ retval = PAM_AUTH_ERR;
1282+ }
1283+ close(fds[0]);
1284+ }
1285+
1286+ if (off(UNIX_NOREAP, ctrl)) {
1287+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
1288+ }
1289+
1290+ D(("Returning %d",retval));
1291+ return retval;
1292+}
1293+
1294+/*
1295+ * PAM framework looks for this entry-point to pass control to the
1296+ * account management module.
1297+ */
1298+
1299+int
1300+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
1301+{
1302+ unsigned int ctrl;
1303+ const void *void_uname;
1304+ const char *uname;
1305+ int retval, daysleft;
1306+ struct spwd *spent;
1307+ struct passwd *pwent;
1308+ char buf[256];
1309+
1310+ D(("called."));
1311+
1312+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
1313+
1314+ retval = pam_get_item(pamh, PAM_USER, &void_uname);
1315+ uname = void_uname;
1316+ D(("user = `%s'", uname));
1317+ if (retval != PAM_SUCCESS || uname == NULL) {
1318+ pam_syslog(pamh, LOG_ALERT,
1319+ "could not identify user (from uid=%lu)",
1320+ (unsigned long int)getuid());
1321+ return PAM_USER_UNKNOWN;
1322+ }
1323+
1324+ retval = get_account_info(pamh, uname, &pwent, &spent);
1325+ if (retval == PAM_USER_UNKNOWN) {
1326+ pam_syslog(pamh, LOG_ALERT,
1327+ "could not identify user (from getpwnam(%s))",
1328+ uname);
1329+ return retval;
1330+ }
1331+
1332+ if (retval == PAM_SUCCESS && spent == NULL)
1333+ return PAM_SUCCESS;
1334+
1335+ if (retval == PAM_UNIX_RUN_HELPER) {
1336+ retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft);
1337+ if (retval == PAM_AUTHINFO_UNAVAIL &&
1338+ on(UNIX_BROKEN_SHADOW, ctrl))
1339+ return PAM_SUCCESS;
1340+ } else if (retval != PAM_SUCCESS) {
1341+ if (on(UNIX_BROKEN_SHADOW,ctrl))
1342+ return PAM_SUCCESS;
1343+ else
1344+ return retval;
1345+ } else
1346+ retval = check_shadow_expiry(pamh, spent, &daysleft);
1347+
1348+ switch (retval) {
1349+ case PAM_ACCT_EXPIRED:
1350+ pam_syslog(pamh, LOG_NOTICE,
1351+ "account %s has expired (account expired)",
1352+ uname);
1353+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
1354+ _("Your account has expired; please contact your system administrator"));
1355+ break;
1356+ case PAM_NEW_AUTHTOK_REQD:
1357+ if (daysleft == 0) {
1358+ pam_syslog(pamh, LOG_NOTICE,
1359+ "expired password for user %s (root enforced)",
1360+ uname);
1361+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
1362+ _("You are required to change your password immediately (root enforced)"));
1363+ } else {
1364+ pam_syslog(pamh, LOG_DEBUG,
1365+ "expired password for user %s (password aged)",
1366+ uname);
1367+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
1368+ _("You are required to change your password immediately (password aged)"));
1369+ }
1370+ break;
1371+ case PAM_AUTHTOK_EXPIRED:
1372+ pam_syslog(pamh, LOG_NOTICE,
1373+ "account %s has expired (failed to change password)",
1374+ uname);
1375+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
1376+ _("Your account has expired; please contact your system administrator"));
1377+ break;
1378+ case PAM_AUTHTOK_ERR:
1379+ retval = PAM_SUCCESS;
1380+ /* fallthrough */
1381+ case PAM_SUCCESS:
1382+ if (daysleft >= 0) {
1383+ pam_syslog(pamh, LOG_DEBUG,
1384+ "password for user %s will expire in %d days",
1385+ uname, daysleft);
1386+#if defined HAVE_DNGETTEXT && defined ENABLE_NLS
1387+ snprintf (buf, sizeof (buf),
1388+ dngettext(PACKAGE,
1389+ "Warning: your password will expire in %d day",
1390+ "Warning: your password will expire in %d days",
1391+ daysleft),
1392+ daysleft);
1393+#else
1394+ if (daysleft == 1)
1395+ snprintf(buf, sizeof (buf),
1396+ _("Warning: your password will expire in %d day"),
1397+ daysleft);
1398+ else
1399+ snprintf(buf, sizeof (buf),
1400+ /* TRANSLATORS: only used if dngettext is not supported */
1401+ _("Warning: your password will expire in %d days"),
1402+ daysleft);
1403+#endif
1404+ _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
1405+ }
1406+ }
1407+
1408+ D(("all done"));
1409+
1410+ return retval;
1411+}
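Review bot: In the child branch of _unix_run_verify_binary, the close loop skips only STDOUT_FILENO, so the helper is exec'd with descriptors 0 and 2 closed, and when `getrlimit` fails nothing is closed at all and the helper inherits every descriptor of the calling application. Reopen stdin and stderr on /dev/null before `execve`, and close the inherited descriptors whether or not getrlimit succeeds. The return value of `dup2(fds[1], STDOUT_FILENO)` is unchecked as well; if it fails, the helper's output goes to the application's own stdout, so `_exit` on error there. In pam_sm_acct_mgmt, `daysleft` is declared without an initialiser and is read in the PAM_NEW_AUTHTOK_REQD and PAM_SUCCESS cases; initialising it (for example to -1) removes the dependence on every helper and expiry path having set it. The `switch (retval)` also has no default case, so unexpected return codes pass through without a log entry.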
1412Index: pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c
1413===================================================================
1414--- /dev/null
1415+++ pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c
1416@@ -0,0 +1,218 @@
1417+/*
1418+ * Copyright Alexander O. Yuriev, 1996. All rights reserved.
1419+ * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de>
1420+ * Copyright Jan R\EAkorajski, 1999. All rights reserved.
1421+ *
1422+ * Redistribution and use in source and binary forms, with or without
1423+ * modification, are permitted provided that the following conditions
1424+ * are met:
1425+ * 1. Redistributions of source code must retain the above copyright
1426+ * notice, and the entire permission notice in its entirety,
1427+ * including the disclaimer of warranties.
1428+ * 2. Redistributions in binary form must reproduce the above copyright
1429+ * notice, this list of conditions and the following disclaimer in the
1430+ * documentation and/or other materials provided with the distribution.
1431+ * 3. The name of the author may not be used to endorse or promote
1432+ * products derived from this software without specific prior
1433+ * written permission.
1434+ *
1435+ * ALTERNATIVELY, this product may be distributed under the terms of
1436+ * the GNU Public License, in which case the provisions of the GPL are
1437+ * required INSTEAD OF the above restrictions. (This clause is
1438+ * necessary due to a potential bad interaction between the GPL and
1439+ * the restrictions contained in a BSD-style copyright.)
1440+ *
1441+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
1442+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1443+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
1444+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
1445+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
1446+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
1447+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1448+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1449+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1450+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1451+ * OF THE POSSIBILITY OF SUCH DAMAGE.
1452+ */
1453+
1454+#include "config.h"
1455+
1456+#include <stdio.h>
1457+#include <stdlib.h>
1458+#include <stdarg.h>
1459+#include <string.h>
1460+#include <unistd.h>
1461+#include <fcntl.h>
1462+#include <ctype.h>
1463+#include <sys/types.h>
1464+#include <sys/stat.h>
1465+#include <syslog.h>
1466+
1467+/* indicate the following groups are defined */
1468+
1469+#ifdef PAM_STATIC
1470+# include "pam_unix_static.h"
1471+#else
1472+# define PAM_SM_AUTH
1473+#endif
1474+
1475+#define _PAM_EXTERN_FUNCTIONS
1476+#include <security/_pam_macros.h>
1477+#include <security/pam_modules.h>
1478+#include <security/pam_ext.h>
1479+
1480+#include "support.h"
1481+
1482+/*
1483+ * PAM framework looks for these entry-points to pass control to the
1484+ * authentication module.
1485+ */
1486+
1487+/* Fun starts here :)
1488+
1489+ * pam_sm_authenticate() performs UNIX/shadow authentication
1490+ *
1491+ * First, if shadow support is available, attempt to perform
1492+ * authentication using shadow passwords. If shadow is not
1493+ * available, or user does not have a shadow password, fallback
1494+ * onto a normal UNIX authentication
1495+ */
1496+
1497+#define _UNIX_AUTHTOK "-UN*X-PASS"
1498+
1499+#define AUTH_RETURN \
1500+do { \
1501+ if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \
1502+ D(("recording return code for next time [%d]", \
1503+ retval)); \
1504+ *ret_data = retval; \
1505+ pam_set_data(pamh, "unix_setcred_return", \
1506+ (void *) ret_data, setcred_free); \
1507+ } else if (ret_data) \
1508+ free (ret_data); \
1509+ D(("done. [%s]", pam_strerror(pamh, retval))); \
1510+ return retval; \
1511+} while (0)
1512+
1513+
1514+static void
1515+setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
1516+{
1517+ if (ptr)
1518+ free (ptr);
1519+}
1520+
1521+int
1522+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
1523+{
1524+ unsigned int ctrl;
1525+ int retval, *ret_data = NULL;
1526+ const char *name;
1527+ const void *p;
1528+
1529+ D(("called."));
1530+
1531+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
1532+
1533+ /* Get a few bytes so we can pass our return value to
1534+ pam_sm_setcred(). */
1535+ if (on(UNIX_LIKE_AUTH, ctrl))
1536+ ret_data = malloc(sizeof(int));
1537+
1538+ /* get the user'name' */
1539+
1540+ retval = pam_get_user(pamh, &name, NULL);
1541+ if (retval == PAM_SUCCESS) {
1542+ /*
1543+ * Various libraries at various times have had bugs related to
1544+ * '+' or '-' as the first character of a user name. Don't
1545+ * allow this characters here.
1546+ */
1547+ if (name == NULL || name[0] == '-' || name[0] == '+') {
1548+ pam_syslog(pamh, LOG_ERR, "bad username [%s]", name);
1549+ retval = PAM_USER_UNKNOWN;
1550+ AUTH_RETURN;
1551+ }
1552+ if (on(UNIX_DEBUG, ctrl))
1553+ D(("username [%s] obtained", name));
1554+ } else {
1555+ D(("trouble reading username"));
1556+ if (retval == PAM_CONV_AGAIN) {
1557+ D(("pam_get_user/conv() function is not ready yet"));
1558+ /* it is safe to resume this function so we translate this
1559+ * retval to the value that indicates we're happy to resume.
1560+ */
1561+ retval = PAM_INCOMPLETE;
1562+ }
1563+ AUTH_RETURN;
1564+ }
1565+
1566+ /* if this user does not have a password... */
1567+
1568+ if (_unix_blankpasswd(pamh, ctrl, name)) {
1569+ D(("user '%s' has blank passwd", name));
1570+ name = NULL;
1571+ retval = PAM_SUCCESS;
1572+ AUTH_RETURN;
1573+ }
1574+ /* get this user's authentication token */
1575+
1576+ retval = _unix_read_password(pamh, ctrl, NULL, _("Password: "), NULL
1577+ ,_UNIX_AUTHTOK, &p);
1578+ if (retval != PAM_SUCCESS) {
1579+ if (retval != PAM_CONV_AGAIN) {
1580+ pam_syslog(pamh, LOG_CRIT,
1581+ "auth could not identify password for [%s]", name);
1582+ } else {
1583+ D(("conversation function is not ready yet"));
1584+ /*
1585+ * it is safe to resume this function so we translate this
1586+ * retval to the value that indicates we're happy to resume.
1587+ */
1588+ retval = PAM_INCOMPLETE;
1589+ }
1590+ name = NULL;
1591+ AUTH_RETURN;
1592+ }
1593+ D(("user=%s, password=[%s]", name, p));
1594+
1595+ /* verify the password of this user */
1596+ retval = _unix_verify_password(pamh, name, p, ctrl);
1597+ name = p = NULL;
1598+
1599+ AUTH_RETURN;
1600+}
1601+
1602+
1603+/*
1604+ * The only thing _pam_set_credentials_unix() does is initialization of
1605+ * UNIX group IDs.
1606+ *
1607+ * Well, everybody but me on linux-pam is convinced that it should not
1608+ * initialize group IDs, so I am not doing it but don't say that I haven't
1609+ * warned you. -- AOY
1610+ */
1611+
1612+int
1613+pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
1614+ int argc UNUSED, const char **argv UNUSED)
1615+{
1616+ int retval;
1617+ const void *pretval = NULL;
1618+
1619+ D(("called."));
1620+
1621+ retval = PAM_SUCCESS;
1622+
1623+ D(("recovering return code from auth call"));
1624+ /* We will only find something here if UNIX_LIKE_AUTH is set --
1625+ don't worry about an explicit check of argv. */
1626+ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
1627+ && pretval) {
1628+ retval = *(const int *)pretval;
1629+ pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
1630+ D(("recovered data indicates that old retval was %d", retval));
1631+ }
1632+
1633+ return retval;
1634+}
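Review bot: the D(("user=%s, password=[%s]", name, p)) trace just before the _unix_verify_password() call in pam_sm_authenticate() formats the cleartext password into debug output; drop p from the trace and log only the user name, so that a build with debug tracing enabled never writes credentials anywhere. Separately, the pam_syslog(pamh, LOG_ERR, "bad username [%s]", name) call is reached when name == NULL and then passes NULL to %s; handle the NULL case on its own branch with a fixed message, and keep the '-' / '+' check for the non-NULL case.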
1635Index: pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c
1636===================================================================
1637--- /dev/null
1638+++ pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c
1639@@ -0,0 +1,843 @@
1640+/*
1641+ * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
1642+ * Copyright (C) 1996.
1643+ * Copyright (c) Jan Rêkorajski, 1999.
1644+ * Copyright (c) Red Hat, Inc., 2007, 2008.
1645+ *
1646+ * Redistribution and use in source and binary forms, with or without
1647+ * modification, are permitted provided that the following conditions
1648+ * are met:
1649+ * 1. Redistributions of source code must retain the above copyright
1650+ * notice, and the entire permission notice in its entirety,
1651+ * including the disclaimer of warranties.
1652+ * 2. Redistributions in binary form must reproduce the above copyright
1653+ * notice, this list of conditions and the following disclaimer in the
1654+ * documentation and/or other materials provided with the distribution.
1655+ * 3. The name of the author may not be used to endorse or promote
1656+ * products derived from this software without specific prior
1657+ * written permission.
1658+ *
1659+ * ALTERNATIVELY, this product may be distributed under the terms of
1660+ * the GNU Public License, in which case the provisions of the GPL are
1661+ * required INSTEAD OF the above restrictions. (This clause is
1662+ * necessary due to a potential bad interaction between the GPL and
1663+ * the restrictions contained in a BSD-style copyright.)
1664+ *
1665+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
1666+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1667+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
1668+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
1669+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
1670+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
1671+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1672+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1673+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1674+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1675+ * OF THE POSSIBILITY OF SUCH DAMAGE.
1676+ */
1677+
1678+#include "config.h"
1679+
1680+#include <stdio.h>
1681+#include <stdlib.h>
1682+#include <stdarg.h>
1683+#include <string.h>
1684+#include <malloc.h>
1685+#include <unistd.h>
1686+#include <errno.h>
1687+#include <sys/types.h>
1688+#include <pwd.h>
1689+#include <syslog.h>
1690+#include <shadow.h>
1691+#include <time.h> /* for time() */
1692+#include <fcntl.h>
1693+#include <ctype.h>
1694+#include <sys/time.h>
1695+#include <sys/stat.h>
1696+
1697+#include <signal.h>
1698+#include <errno.h>
1699+#include <sys/wait.h>
1700+#include <sys/resource.h>
1701+
1702+#include <security/_pam_macros.h>
1703+
1704+/* indicate the following groups are defined */
1705+
1706+#ifdef PAM_STATIC
1707+# include "pam_unix_static.h"
1708+#else
1709+# define PAM_SM_PASSWORD
1710+#endif
1711+
1712+#include <security/pam_modules.h>
1713+#include <security/pam_ext.h>
1714+#include <security/pam_modutil.h>
1715+
1716+#include "md5.h"
1717+#include "support.h"
1718+#include "passverify.h"
1719+#include "bigcrypt.h"
1720+
1721+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
1722+# define HAVE_NIS
1723+#endif
1724+
1725+#ifdef HAVE_NIS
1726+# include <rpc/rpc.h>
1727+
1728+# if HAVE_RPCSVC_YP_PROT_H
1729+# include <rpcsvc/yp_prot.h>
1730+# endif
1731+
1732+# if HAVE_RPCSVC_YPCLNT_H
1733+# include <rpcsvc/ypclnt.h>
1734+# endif
1735+
1736+# include "yppasswd.h"
1737+
1738+# if !HAVE_DECL_GETRPCPORT
1739+extern int getrpcport(const char *host, unsigned long prognum,
1740+ unsigned long versnum, unsigned int proto);
1741+# endif /* GNU libc 2.1 */
1742+#endif
1743+
1744+extern const char *obscure_msg(const char *, const char *, const struct passwd *,
1745+ unsigned int);
1746+
1747+/*
1748+ How it works:
1749+ Gets in username (has to be done) from the calling program
1750+ Does authentication of user (only if we are not running as root)
1751+ Gets new password/checks for sanity
1752+ Sets it.
1753+ */
1754+
1755+/* data tokens */
1756+
1757+#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS"
1758+#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS"
1759+
1760+#define MAX_PASSWD_TRIES 3
1761+
1762+#ifdef HAVE_NIS
1763+static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
1764+{
1765+ char *master;
1766+ char *domainname;
1767+ int port, err;
1768+
1769+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
1770+ if ((err = yp_get_default_domain(&domainname)) != 0) {
1771+ pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s",
1772+ yperr_string(err));
1773+ return NULL;
1774+ }
1775+#elif defined(HAVE_GETDOMAINNAME)
1776+ char domainname_res[256];
1777+
1778+ if (getdomainname (domainname_res, sizeof (domainname_res)) == 0)
1779+ {
1780+ if (strcmp (domainname_res, "(none)") == 0)
1781+ {
1782+ /* If domainname is not set, some systems will return "(none)" */
1783+ domainname_res[0] = '\0';
1784+ }
1785+ domainname = domainname_res;
1786+ }
1787+ else domainname = NULL;
1788+#endif
1789+
1790+ if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
1791+ pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s",
1792+ yperr_string(err));
1793+ return NULL;
1794+ }
1795+ port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
1796+ if (port == 0) {
1797+ pam_syslog(pamh, LOG_WARNING,
1798+ "yppasswdd not running on NIS master host");
1799+ return NULL;
1800+ }
1801+ if (port >= IPPORT_RESERVED) {
1802+ pam_syslog(pamh, LOG_WARNING,
1803+ "yppasswd daemon running on illegal port");
1804+ return NULL;
1805+ }
1806+ if (on(UNIX_DEBUG, ctrl)) {
1807+ pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d",
1808+ master, port);
1809+ }
1810+ return master;
1811+}
1812+#endif
1813+
1814+#ifdef WITH_SELINUX
1815+
1816+static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
1817+ const char *fromwhat, const char *towhat, int remember)
1818+{
1819+ int retval, child, fds[2];
1820+ struct sigaction newsa, oldsa;
1821+
1822+ D(("called."));
1823+ /* create a pipe for the password */
1824+ if (pipe(fds) != 0) {
1825+ D(("could not make pipe"));
1826+ return PAM_AUTH_ERR;
1827+ }
1828+
1829+ if (off(UNIX_NOREAP, ctrl)) {
1830+ /*
1831+ * This code arranges that the demise of the child does not cause
1832+ * the application to receive a signal it is not expecting - which
1833+ * may kill the application or worse.
1834+ *
1835+ * The "noreap" module argument is provided so that the admin can
1836+ * override this behavior.
1837+ */
1838+ memset(&newsa, '\0', sizeof(newsa));
1839+ newsa.sa_handler = SIG_DFL;
1840+ sigaction(SIGCHLD, &newsa, &oldsa);
1841+ }
1842+
1843+ /* fork */
1844+ child = fork();
1845+ if (child == 0) {
1846+ int i=0;
1847+ struct rlimit rlim;
1848+ static char *envp[] = { NULL };
1849+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
1850+ char buffer[16];
1851+
1852+ /* XXX - should really tidy up PAM here too */
1853+
1854+ /* reopen stdin as pipe */
1855+ dup2(fds[0], STDIN_FILENO);
1856+
1857+ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
1858+ if (rlim.rlim_max >= MAX_FD_NO)
1859+ rlim.rlim_max = MAX_FD_NO;
1860+ for (i=0; i < (int)rlim.rlim_max; i++) {
1861+ if (i != STDIN_FILENO)
1862+ close(i);
1863+ }
1864+ }
1865+
1866+ /* exec binary helper */
1867+ args[0] = x_strdup(UPDATE_HELPER);
1868+ args[1] = x_strdup(user);
1869+ args[2] = x_strdup("update");
1870+ if (on(UNIX_SHADOW, ctrl))
1871+ args[3] = x_strdup("1");
1872+ else
1873+ args[3] = x_strdup("0");
1874+
1875+ snprintf(buffer, sizeof(buffer), "%d", remember);
1876+ args[4] = x_strdup(buffer);
1877+
1878+ execve(UPDATE_HELPER, args, envp);
1879+
1880+ /* should not get here: exit with error */
1881+ D(("helper binary is not available"));
1882+ _exit(PAM_AUTHINFO_UNAVAIL);
1883+ } else if (child > 0) {
1884+ /* wait for child */
1885+ /* if the stored password is NULL */
1886+ int rc=0;
1887+ if (fromwhat)
1888+ pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
1889+ else
1890+ pam_modutil_write(fds[1], "", 1);
1891+ if (towhat) {
1892+ pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
1893+ }
1894+ else
1895+ pam_modutil_write(fds[1], "", 1);
1896+
1897+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
1898+ close(fds[1]);
1899+ /* wait for helper to complete: */
1900+ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
1901+ if (rc<0) {
1902+ pam_syslog(pamh, LOG_ERR, "pam_extrausers_update waitpid failed: %m");
1903+ retval = PAM_AUTHTOK_ERR;
1904+ } else if (!WIFEXITED(retval)) {
1905+ pam_syslog(pamh, LOG_ERR, "pam_extrausers_update abnormal exit: %d", retval);
1906+ retval = PAM_AUTHTOK_ERR;
1907+ } else {
1908+ retval = WEXITSTATUS(retval);
1909+ }
1910+ } else {
1911+ D(("fork failed"));
1912+ close(fds[0]);
1913+ close(fds[1]);
1914+ retval = PAM_AUTH_ERR;
1915+ }
1916+
1917+ if (off(UNIX_NOREAP, ctrl)) {
1918+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
1919+ }
1920+
1921+ return retval;
1922+}
1923+#endif
1924+
1925+static int check_old_password(const char *forwho, const char *newpass)
1926+{
1927+ static char buf[16384];
1928+ char *s_luser, *s_uid, *s_npas, *s_pas;
1929+ int retval = PAM_SUCCESS;
1930+ FILE *opwfile;
1931+ size_t len = strlen(forwho);
1932+
1933+ opwfile = fopen(OLD_PASSWORDS_FILE, "r");
1934+ if (opwfile == NULL)
1935+ return PAM_ABORT;
1936+
1937+ while (fgets(buf, 16380, opwfile)) {
1938+ if (!strncmp(buf, forwho, len) && (buf[len] == ':' ||
1939+ buf[len] == ',')) {
1940+ char *sptr;
1941+ buf[strlen(buf) - 1] = '\0';
1942+ s_luser = strtok_r(buf, ":,", &sptr);
1943+ s_uid = strtok_r(NULL, ":,", &sptr);
1944+ s_npas = strtok_r(NULL, ":,", &sptr);
1945+ s_pas = strtok_r(NULL, ":,", &sptr);
1946+ while (s_pas != NULL) {
1947+ char *md5pass = Goodcrypt_md5(newpass, s_pas);
1948+ if (!strcmp(md5pass, s_pas)) {
1949+ _pam_delete(md5pass);
1950+ retval = PAM_AUTHTOK_ERR;
1951+ break;
1952+ }
1953+ s_pas = strtok_r(NULL, ":,", &sptr);
1954+ _pam_delete(md5pass);
1955+ }
1956+ break;
1957+ }
1958+ }
1959+ fclose(opwfile);
1960+
1961+ return retval;
1962+}
1963+
1964+static int _do_setpass(pam_handle_t* pamh, const char *forwho,
1965+ const char *fromwhat,
1966+ char *towhat, unsigned int ctrl, int remember)
1967+{
1968+ struct passwd *pwd = NULL;
1969+ int retval = 0;
1970+ int unlocked = 0;
1971+ char *master = NULL;
1972+
1973+ D(("called"));
1974+
1975+ pwd = getpwnam(forwho);
1976+
1977+ if (pwd == NULL) {
1978+ retval = PAM_AUTHTOK_ERR;
1979+ goto done;
1980+ }
1981+
1982+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
1983+#ifdef HAVE_NIS
1984+ if ((master=getNISserver(pamh, ctrl)) != NULL) {
1985+ struct timeval timeout;
1986+ struct yppasswd yppwd;
1987+ CLIENT *clnt;
1988+ int status;
1989+ enum clnt_stat err;
1990+
1991+ /* Unlock passwd file to avoid deadlock */
1992+ unlock_pwdf();
1993+ unlocked = 1;
1994+
1995+ /* Initialize password information */
1996+ yppwd.newpw.pw_passwd = pwd->pw_passwd;
1997+ yppwd.newpw.pw_name = pwd->pw_name;
1998+ yppwd.newpw.pw_uid = pwd->pw_uid;
1999+ yppwd.newpw.pw_gid = pwd->pw_gid;
2000+ yppwd.newpw.pw_gecos = pwd->pw_gecos;
2001+ yppwd.newpw.pw_dir = pwd->pw_dir;
2002+ yppwd.newpw.pw_shell = pwd->pw_shell;
2003+ yppwd.oldpass = fromwhat ? strdup (fromwhat) : strdup ("");
2004+ yppwd.newpw.pw_passwd = towhat;
2005+
2006+ D(("Set password %s for %s", yppwd.newpw.pw_passwd, forwho));
2007+
2008+ /* The yppasswd.x file said `unix authentication required',
2009+ * so I added it. This is the only reason it is in here.
2010+ * My yppasswdd doesn't use it, but maybe some others out there
2011+ * do. --okir
2012+ */
2013+ clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
2014+ clnt->cl_auth = authunix_create_default();
2015+ memset((char *) &status, '\0', sizeof(status));
2016+ timeout.tv_sec = 25;
2017+ timeout.tv_usec = 0;
2018+ err = clnt_call(clnt, YPPASSWDPROC_UPDATE,
2019+ (xdrproc_t) xdr_yppasswd, (char *) &yppwd,
2020+ (xdrproc_t) xdr_int, (char *) &status,
2021+ timeout);
2022+
2023+ free (yppwd.oldpass);
2024+
2025+ if (err) {
2026+ _make_remark(pamh, ctrl, PAM_TEXT_INFO,
2027+ clnt_sperrno(err));
2028+ } else if (status) {
2029+ D(("Error while changing NIS password.\n"));
2030+ }
2031+ D(("The password has%s been changed on %s.",
2032+ (err || status) ? " not" : "", master));
2033+ pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s",
2034+ (err || status) ? " not" : "", pwd->pw_name, master);
2035+
2036+ auth_destroy(clnt->cl_auth);
2037+ clnt_destroy(clnt);
2038+ if (err || status) {
2039+ _make_remark(pamh, ctrl, PAM_TEXT_INFO,
2040+ _("NIS password could not be changed."));
2041+ retval = PAM_TRY_AGAIN;
2042+ }
2043+#ifdef PAM_DEBUG
2044+ sleep(5);
2045+#endif
2046+ } else {
2047+ retval = PAM_TRY_AGAIN;
2048+ }
2049+#else
2050+ if (on(UNIX_DEBUG, ctrl)) {
2051+ pam_syslog(pamh, LOG_DEBUG, "No NIS support available");
2052+ }
2053+
2054+ retval = PAM_TRY_AGAIN;
2055+#endif
2056+ }
2057+
2058+ if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
2059+ if(unlocked) {
2060+ if (lock_pwdf() != PAM_SUCCESS) {
2061+ return PAM_AUTHTOK_LOCK_BUSY;
2062+ }
2063+ }
2064+#ifdef WITH_SELINUX
2065+ if (unix_selinux_confined())
2066+ return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
2067+#endif
2068+ /* first, save old password */
2069+ if (save_old_password(pamh, forwho, fromwhat, remember)) {
2070+ retval = PAM_AUTHTOK_ERR;
2071+ goto done;
2072+ }
2073+ if (on(UNIX_SHADOW, ctrl) || is_pwd_shadowed(pwd)) {
2074+ retval = unix_update_shadow(pamh, forwho, towhat);
2075+ if (retval == PAM_SUCCESS)
2076+ if (!is_pwd_shadowed(pwd))
2077+ retval = unix_update_passwd(pamh, forwho, "x");
2078+ } else {
2079+ retval = unix_update_passwd(pamh, forwho, towhat);
2080+ }
2081+ }
2082+
2083+
2084+done:
2085+ unlock_pwdf();
2086+
2087+ return retval;
2088+}
2089+
2090+static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
2091+{
2092+ struct passwd *pwent = NULL; /* Password and shadow password */
2093+ struct spwd *spent = NULL; /* file entries for the user */
2094+ int daysleft;
2095+ int retval;
2096+
2097+ retval = get_account_info(pamh, user, &pwent, &spent);
2098+ if (retval == PAM_USER_UNKNOWN) {
2099+ return retval;
2100+ }
2101+
2102+ if (retval == PAM_SUCCESS && spent == NULL)
2103+ return PAM_SUCCESS;
2104+
2105+ if (retval == PAM_UNIX_RUN_HELPER) {
2106+ retval = _unix_run_verify_binary(pamh, ctrl, user, &daysleft);
2107+ if (retval == PAM_AUTH_ERR || retval == PAM_USER_UNKNOWN)
2108+ return retval;
2109+ }
2110+ else if (retval == PAM_SUCCESS)
2111+ retval = check_shadow_expiry(pamh, spent, &daysleft);
2112+
2113+ if (on(UNIX__IAMROOT, ctrl) || retval == PAM_NEW_AUTHTOK_REQD)
2114+ return PAM_SUCCESS;
2115+
2116+ return retval;
2117+}
2118+
2119+static int _pam_unix_approve_pass(pam_handle_t * pamh
2120+ ,unsigned int ctrl
2121+ ,const char *pass_old
2122+ ,const char *pass_new,
2123+ int pass_min_len)
2124+{
2125+ const void *user;
2126+ const char *remark = NULL;
2127+ int retval = PAM_SUCCESS;
2128+
2129+ D(("&new=%p, &old=%p", pass_old, pass_new));
2130+ D(("new=[%s]", pass_new));
2131+ D(("old=[%s]", pass_old));
2132+
2133+ if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
2134+ if (on(UNIX_DEBUG, ctrl)) {
2135+ pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
2136+ }
2137+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
2138+ _("No password supplied") : _("Password unchanged"));
2139+ return PAM_AUTHTOK_ERR;
2140+ }
2141+ /*
2142+ * if one wanted to hardwire authentication token strength
2143+ * checking this would be the place - AGM
2144+ */
2145+
2146+ retval = pam_get_item(pamh, PAM_USER, &user);
2147+ if (retval != PAM_SUCCESS) {
2148+ if (on(UNIX_DEBUG, ctrl)) {
2149+ pam_syslog(pamh, LOG_ERR, "Can not get username");
2150+ return PAM_AUTHTOK_ERR;
2151+ }
2152+ }
2153+ if (off(UNIX__IAMROOT, ctrl)) {
2154+ if (strlen(pass_new) < pass_min_len)
2155+ remark = _("You must choose a longer password");
2156+ D(("length check [%s]", remark));
2157+ if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
2158+ if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
2159+ remark = _("Password has been already used. Choose another.");
2160+ if (retval == PAM_ABORT) {
2161+ pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
2162+ OLD_PASSWORDS_FILE);
2163+ return retval;
2164+ }
2165+ }
2166+ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
2167+ struct passwd *pwd;
2168+ pwd = pam_modutil_getpwnam(pamh, user);
2169+ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
2170+ }
2171+ }
2172+ if (remark) {
2173+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
2174+ retval = PAM_AUTHTOK_ERR;
2175+ }
2176+ return retval;
2177+}
2178+
2179+int
2180+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
2181+{
2182+ unsigned int ctrl, lctrl;
2183+ int retval;
2184+ int remember = -1;
2185+ int rounds = -1;
2186+ int pass_min_len = 6;
2187+
2188+ /* <DO NOT free() THESE> */
2189+ const char *user;
2190+ const void *pass_old, *pass_new;
2191+ /* </DO NOT free() THESE> */
2192+
2193+ D(("called."));
2194+
2195+ ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len,
2196+ argc, argv);
2197+
2198+ /*
2199+ * First get the name of a user
2200+ */
2201+ retval = pam_get_user(pamh, &user, NULL);
2202+ if (retval == PAM_SUCCESS) {
2203+ /*
2204+ * Various libraries at various times have had bugs related to
2205+ * '+' or '-' as the first character of a user name. Don't
2206+ * allow them.
2207+ */
2208+ if (user == NULL || user[0] == '-' || user[0] == '+') {
2209+ pam_syslog(pamh, LOG_ERR, "bad username [%s]", user);
2210+ return PAM_USER_UNKNOWN;
2211+ }
2212+ if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
2213+ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained",
2214+ user);
2215+ } else {
2216+ if (on(UNIX_DEBUG, ctrl))
2217+ pam_syslog(pamh, LOG_DEBUG,
2218+ "password - could not identify user");
2219+ return retval;
2220+ }
2221+
2222+ D(("Got username of %s", user));
2223+
2224+ /*
2225+ * Before we do anything else, check to make sure that the user's
2226+ * info is in one of the databases we can modify from this module,
2227+ * which currently is 'files' and 'nis'. We have to do this because
2228+ * getpwnam() doesn't tell you *where* the information it gives you
2229+ * came from, nor should it. That's our job.
2230+ */
2231+ if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) {
2232+ pam_syslog(pamh, LOG_DEBUG,
2233+ "user \"%s\" does not exist in /var/lib/extrausers/passwd%s",
2234+ user, on(UNIX_NIS, ctrl) ? " or NIS" : "");
2235+ return PAM_USER_UNKNOWN;
2236+ } else {
2237+ struct passwd *pwd;
2238+ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
2239+ if (pwd == NULL) {
2240+ pam_syslog(pamh, LOG_DEBUG,
2241+ "user \"%s\" has corrupted passwd entry",
2242+ user);
2243+ return PAM_USER_UNKNOWN;
2244+ }
2245+ }
2246+
2247+ /*
2248+ * This is not an AUTH module!
2249+ */
2250+ if (on(UNIX__NONULL, ctrl))
2251+ set(UNIX__NULLOK, ctrl);
2252+
2253+ if (on(UNIX__PRELIM, ctrl)) {
2254+ /*
2255+ * obtain and verify the current password (OLDAUTHTOK) for
2256+ * the user.
2257+ */
2258+ char *Announce;
2259+
2260+ D(("prelim check"));
2261+
2262+ if (_unix_blankpasswd(pamh, ctrl, user)) {
2263+ return PAM_SUCCESS;
2264+ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
2265+ /* instruct user what is happening */
2266+ if (asprintf(&Announce, _("Changing password for %s."),
2267+ user) < 0) {
2268+ pam_syslog(pamh, LOG_CRIT,
2269+ "password - out of memory");
2270+ return PAM_BUF_ERR;
2271+ }
2272+
2273+ lctrl = ctrl;
2274+ set(UNIX__OLD_PASSWD, lctrl);
2275+ retval = _unix_read_password(pamh, lctrl
2276+ ,Announce
2277+ ,(on(UNIX__IAMROOT, ctrl)
2278+ ? _("NIS server root password: ")
2279+ : _("(current) UNIX password: "))
2280+ ,NULL
2281+ ,_UNIX_OLD_AUTHTOK
2282+ ,&pass_old);
2283+ free(Announce);
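Review bot: in _pam_unix_approve_pass(), the return PAM_AUTHTOK_ERR that follows a failed pam_get_item(pamh, PAM_USER, &user) sits inside the if (on(UNIX_DEBUG, ctrl)) block, so without the debug option the function carries on and hands a possibly uninitialised user to check_old_password() and pam_modutil_getpwnam(); move the return out of the debug check so that only the pam_syslog() call is conditional. In _do_setpass(), the result of clnt_create() is dereferenced straight away (clnt->cl_auth = authunix_create_default()) with no NULL check; clnt_create() returns NULL when the client handle cannot be created, so that path should log the failure and return PAM_TRY_AGAIN. The D(()) traces of pass_new, pass_old and yppwd.newpw.pw_passwd also put cleartext passwords into debug output and are better removed, and the first of them labels its arguments the wrong way round ("&new=%p, &old=%p" is given pass_old, pass_new).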
The diff has been truncated for viewing.