Merge ~vorlon/ubuntu/+source/pam:merge into ubuntu/+source/pam:debian/sid

Proposed by Steve Langasek on 2018-03-17
Status: Approved
Approved by: Nish Aravamudan on 2018-04-04
Approved revision: 56be0589c4360b577fcaaca8245090271a5427ea
Proposed branch: ~vorlon/ubuntu/+source/pam:merge
Merge into: ubuntu/+source/pam:debian/sid
Diff against target: 9799 lines (+9138/-0) (has conflicts)
25 files modified
debian/changelog (+2079/-0)
debian/control (+15/-0)
debian/libpam-modules-bin.install (+5/-0)
debian/libpam-modules.manpages (+4/-0)
debian/libpam-modules.postinst (+15/-0)
debian/libpam0g.postinst (+48/-0)
debian/local/common-session (+8/-0)
debian/local/common-session-noninteractive (+8/-0)
debian/local/pam-auth-update (+18/-0)
debian/local/pam-auth-update.8 (+3/-0)
debian/patches-applied/cve-2015-3238.patch (+6/-0)
debian/patches-applied/extrausers.patch (+6567/-0)
debian/patches-applied/pam_motd-legal-notice (+86/-0)
debian/patches-applied/pam_umask_usergroups_from_login.defs.patch (+127/-0)
debian/patches-applied/series (+11/-0)
debian/patches-applied/ubuntu-rlimit_nice_correction (+17/-0)
debian/patches-applied/update-motd-manpage-ref (+28/-0)
debian/po/eu.po (+6/-0)
debian/po/fi.po (+3/-0)
debian/po/ro.po (+3/-0)
debian/po/tr.po (+3/-0)
debian/po/vi.po (+3/-0)
debian/po/zh_CN.po (+3/-0)
debian/rules (+5/-0)
debian/update-motd.5 (+67/-0)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/libpam-modules-bin.install
Conflict in debian/libpam-modules.manpages
Conflict in debian/libpam-modules.postinst
Conflict in debian/libpam0g.postinst
Conflict in debian/local/common-session
Conflict in debian/local/common-session-noninteractive
Conflict in debian/local/pam-auth-update
Conflict in debian/local/pam-auth-update.8
Conflict in debian/patches-applied/cve-2015-3238.patch
Conflict in debian/patches-applied/series
Conflict in debian/po/eu.po
Conflict in debian/po/fi.po
Conflict in debian/po/ro.po
Conflict in debian/po/tr.po
Conflict in debian/po/vi.po
Conflict in debian/po/zh_CN.po
Conflict in debian/rules
Reviewer: Ubuntu Server Dev import team (requested 2018-03-17, status: Pending)
Review via email: mp+341556@code.launchpad.net

Description of the change

Resubmit of the now-abandoned <https://code.launchpad.net/~vorlon/ubuntu/+source/pam/+git/pam/+merge/332890> against the now reimported repository, with a fixed-up "logical" tag.

Nish Aravamudan (nacc) wrote :

Because this was already uploaded, we are essentially 'too late' to integrate the rich history directly. I have upload-tagged the source commit and pushed it to the importer repository, though.

In a future merge, the upload tag can be used as the starting point (presuming no further bionic changes), or it can even be used as the starting point of the next bugfix, and then it would get integrated, as long as the upload tag is pushed before the dput.

Unmerged commits

56be058... by Steve Langasek on 2017-10-27

Fix service restart handling to integrate with systemd instead of upstart.

d83e877... by Steve Langasek on 2017-10-27

Fix references to /var/run in update-motd.5. LP: #1571864

e416d7e... by Steve Langasek on 2017-10-27

document bugs fixed upstream

e8b0ebb... by Steve Langasek on 2017-10-27

fix up VCS fields

b6efc2b... by Steve Langasek on 2017-10-27

update-maintainer

5c284b3... by Steve Langasek on 2017-10-27

reconstruct-changelog

5754c62... by Steve Langasek on 2017-10-27

merge-changelogs

763552a... by Steve Langasek on 2017-10-27

  * debian/patches-applied/cve-2015-3238.patch: removed manpage changes
    so they don't get regenerated during build and cause a multiarch
    installation issue. (LP: #1558114)

ef05976... by Steve Langasek on 2017-10-27

    - don't notify about xdm restarts during a release-upgrade

b2595de... by Steve Langasek on 2017-10-27

po file cleanups

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index ff9229d..89101d7 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,4 @@
6+<<<<<<< debian/changelog
7 pam (1.1.8-3.7) unstable; urgency=medium
8
9 * Non-maintainer upload.
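Review bot: The added `<<<<<<< debian/changelog` on the first line is an unresolved merge conflict marker, so debian/changelog no longer starts with a valid `package (version) distribution; urgency=...` header line. Matching `=======` and `>>>>>>> debian/changelog` markers follow in the later hunks. The conflicts need to be resolved, keeping both the Debian and the Ubuntu entries in version order, before this can land as shown.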
10@@ -7,6 +8,61 @@ pam (1.1.8-3.7) unstable; urgency=medium
11 enabling non-default configs without prompting the admin. (LP: #1192719)
12
13 -- Timo Aaltonen <tjaalton@debian.org> Fri, 02 Feb 2018 16:57:43 +0200
14+=======
15+pam (1.1.8-3.6ubuntu1) bionic; urgency=medium
16+
17+ * Merge with Debian unstable.
18+ - Fixes unescaped brace in pam_getenv regex. LP: #1538284.
19+ - Fixes pam_namespace defaults for compatibility with dash. LP: #1081323.
20+ * Remaining changes:
21+ - debian/control: have libpam-modules recommend update-motd package
22+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
23+ not present there or in /etc/security/pam_env.conf. (should send to
24+ Debian).
25+ - debian/libpam0g.postinst: only ask questions during update-manager when
26+ there are non-default services running.
27+ - debian/libpam0g.postinst: check if gdm is actually running before
28+ trying to reload it.
29+ - debian/libpam0g.postinst: the init script for 'samba' is now named
30+ 'smbd' in Ubuntu, so fix the restart handling.
31+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
32+ initialise RLIMIT_NICE rather than relying on the kernel limits.
33+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
34+ Deprecate pam_unix's explicit "usergroups" option and instead read it
35+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
36+ there. This restores compatibility with the pre-PAM behaviour of login.
37+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
38+ /etc/legal once, then set a flag in the user's homedir to prevent
39+ showing it again.
40+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
41+ for update-motd, with some best practices and notes of explanation.
42+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
43+ to update-motd(5)
44+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
45+ default, now that the umask setting is gone from /etc/profile.
46+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
47+ - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
48+ that is basically just a copy of pam_unix but looks at
49+ /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
50+ - debian/libpam-modules-bin.install: install the helper binaries for
51+ pam_extrausers to /sbin
52+ - debian/rules: Make pam_extrausers_chkpwd sguid shadow
53+ - pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
54+ by default.
55+ - don't notify about xdm restarts during a release-upgrade
56+ - debian/patches-applied/cve-2015-3238.patch: removed manpage changes
57+ so they don't get regenerated during build and cause a multiarch
58+ installation issue.
59+ * Dropped changes, included in Debian:
60+ - Build-depend on libfl-dev.
61+ - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
62+ soft nofile limit read from pid 1 to FD_SETSIZE.
63+ * Fix references to /var/run in update-motd.5. LP: #1571864
64+ * Fix service restart handling to integrate with systemd instead of
65+ upstart.
66+
67+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 26 Oct 2017 23:23:18 -0700
68+>>>>>>> debian/changelog
69
70 pam (1.1.8-3.6) unstable; urgency=medium
71
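Review bot: The "Remaining changes" and "Dropped changes" lists in the new 1.1.8-3.6ubuntu1 entry do not account for several items that the 1.1.8-3.2ubuntu1 entry later in this diff still carries: pam-loginuid-in-containers, "Add /usr/local/games to PATH", the update-motd adjustment to write /run/motd.dynamic, "Change Vcs-Bzr to point at the Ubuntu branch", and "extrausers.patch: Ship pre-generated man page". Each should appear under one heading or the other so the Ubuntu delta on an authentication package stays auditable. Smaller points in the same entry: `debian/patches/update-motd-manpage-ref` does not match the `debian/patches-applied/` path used for every other patch, "sguid shadow" presumably means setgid to group shadow and should say so since it describes a privilege change, and `/etc/login.def's` should read `/etc/login.defs`.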
72@@ -75,6 +131,77 @@ pam (1.1.8-3.3) unstable; urgency=low
73
74 -- Laurent Bigonville <bigon@debian.org> Wed, 18 May 2016 02:04:29 +0200
75
76+<<<<<<< debian/changelog
77+=======
78+pam (1.1.8-3.2ubuntu3) artful; urgency=medium
79+
80+ * No-change rebuild to pick up -fPIE compiler default in static
81+ libraries
82+
83+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 21 Apr 2017 20:53:23 +0000
84+
85+pam (1.1.8-3.2ubuntu2) xenial; urgency=medium
86+
87+ * debian/patches-applied/cve-2015-3238.patch: removed manpage changes
88+ so they don't get regenerated during build and cause a multiarch
89+ installation issue. (LP: #1558114)
90+
91+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Mar 2016 13:34:02 -0400
92+
93+pam (1.1.8-3.2ubuntu1) xenial; urgency=medium
94+
95+ * Merge from Debian unstable. Remaining changes:
96+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
97+ not present there or in /etc/security/pam_env.conf. (should send to
98+ Debian).
99+ - debian/libpam0g.postinst: only ask questions during update-manager when
100+ there are non-default services running.
101+ - debian/libpam0g.postinst: check if gdm is actually running before
102+ trying to reload it.
103+ - debian/libpam0g.postinst: the init script for 'samba' is now named
104+ 'smbd' in Ubuntu, so fix the restart handling.
105+ - Change Vcs-Bzr to point at the Ubuntu branch.
106+ - debian/patches-applied/series: Ubuntu patches are as below ...
107+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
108+ initialise RLIMIT_NICE rather than relying on the kernel limits.
109+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
110+ Deprecate pam_unix's explicit "usergroups" option and instead read it
111+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
112+ there. This restores compatibility with the pre-PAM behaviour of login.
113+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
114+ /etc/legal once, then set a flag in the user's homedir to prevent
115+ showing it again.
116+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
117+ for update-motd, with some best practices and notes of explanation.
118+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
119+ to update-motd(5)
120+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
121+ default, now that the umask setting is gone from /etc/profile.
122+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
123+ - Build-depend on libfl-dev in addition to flex, for cross-building
124+ support.
125+ - Add /usr/local/games to PATH.
126+ - Adjust debian/patches-applied/update-motd to write to
127+ /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
128+ to use this file and no longer links /etc/motd to /var/run/motd.
129+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
130+ include patch to autogenerated manpage file
131+ - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
132+ Update patch with follow-up changes to loginuid.c
133+ - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
134+ that is basically just a copy of pam_unix but looks at
135+ /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
136+ - debian/libpam-modules-bin.install: install the helper binaries for
137+ pam_extrausers to /sbin
138+ - debian/rules: Make pam_extrausers_chkpwd sguid shadow
139+ - debian/patches-applied/extrausers.patch: Ship pre-generated man page
140+ - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
141+ soft nofile limit read from pid 1 to FD_SETSIZE.
142+ - debian/control: have libpam-modules recommend update-motd package
143+
144+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 16 Mar 2016 09:50:51 -0400
145+
146+>>>>>>> debian/changelog
147 pam (1.1.8-3.2) unstable; urgency=medium
148
149 * Non-maintainer upload.
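Review bot: The 1.1.8-3.2ubuntu2 entry does not say which parts of debian/patches-applied/cve-2015-3238.patch were removed beyond "manpage changes", and that file is listed among the conflicts in this proposal. Since it is a security patch, please confirm when resolving the conflict that only the documentation hunks differ from the target's copy and that the code changes are identical, and record that in the patch header.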
150@@ -83,6 +210,79 @@ pam (1.1.8-3.2) unstable; urgency=medium
151
152 -- Tianon Gravi <tianon@debian.org> Wed, 06 Jan 2016 15:53:31 -0800
153
154+<<<<<<< debian/changelog
155+=======
156+pam (1.1.8-3.1ubuntu3) vivid; urgency=medium
157+
158+ * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
159+ soft nofile limit read from pid 1 to FD_SETSIZE.
160+
161+ -- Robie Basak <robie.basak@ubuntu.com> Wed, 22 Apr 2015 08:55:24 +0000
162+
163+pam (1.1.8-3.1ubuntu2) vivid; urgency=medium
164+
165+ * debian/control:
166+ - have libpam-modules recommend update-motd package
167+ + while libpam-modules provides pam_motd, which does dynamically
168+ generate the motd from /etc/update-motd.d on login, hundreds of
169+ users have asked in the past few years how they might "force"
170+ a MOTD update; this is provided by /usr/sbin/update-motd
171+ in the tiny update-motd package (already in main); recommend
172+ this package
173+
174+ -- Dustin Kirkland <kirkland@ubuntu.com> Tue, 11 Nov 2014 12:49:14 -0600
175+
176+pam (1.1.8-3.1ubuntu1) vivid; urgency=low
177+
178+ * Merge from Debian unstable. Remaining changes:
179+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
180+ not present there or in /etc/security/pam_env.conf. (should send to
181+ Debian).
182+ - debian/libpam0g.postinst: only ask questions during update-manager when
183+ there are non-default services running.
184+ - debian/libpam0g.postinst: check if gdm is actually running before
185+ trying to reload it.
186+ - debian/libpam0g.postinst: the init script for 'samba' is now named
187+ 'smbd' in Ubuntu, so fix the restart handling.
188+ - Change Vcs-Bzr to point at the Ubuntu branch.
189+ - debian/patches-applied/series: Ubuntu patches are as below ...
190+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
191+ initialise RLIMIT_NICE rather than relying on the kernel limits.
192+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
193+ Deprecate pam_unix's explicit "usergroups" option and instead read it
194+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
195+ there. This restores compatibility with the pre-PAM behaviour of login.
196+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
197+ /etc/legal once, then set a flag in the user's homedir to prevent
198+ showing it again.
199+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
200+ for update-motd, with some best practices and notes of explanation.
201+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
202+ to update-motd(5)
203+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
204+ default, now that the umask setting is gone from /etc/profile.
205+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
206+ - Build-depend on libfl-dev in addition to flex, for cross-building
207+ support.
208+ - Add /usr/local/games to PATH.
209+ - Adjust debian/patches-applied/update-motd to write to
210+ /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
211+ to use this file and no longer links /etc/motd to /var/run/motd.
212+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
213+ include patch to autogenerated manpage file
214+ - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
215+ Update patch with follow-up changes to loginuid.c
216+ - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
217+ that is basically just a copy of pam_unix but looks at
218+ /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
219+ - debian/libpam-modules-bin.install: install the helper binaries for
220+ pam_extrausers to /sbin
221+ - debian/rules: Make pam_extrausers_chkpwd sguid shadow
222+ - debian/patches-applied/extrausers.patch: Ship pre-generated man page
223+
224+ -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 27 Oct 2014 09:57:52 +0100
225+
226+>>>>>>> debian/changelog
227 pam (1.1.8-3.1) unstable; urgency=high
228
229 * Non-maintainer upload by the Security Team.
230@@ -93,6 +293,81 @@ pam (1.1.8-3.1) unstable; urgency=high
231
232 -- Michael Gilbert <mgilbert@debian.org> Sat, 09 Aug 2014 09:50:42 +0000
233
234+<<<<<<< debian/changelog
235+=======
236+pam (1.1.8-3ubuntu4) utopic; urgency=medium
237+
238+ * No-change rebuild to get debug symbols on all architectures.
239+
240+ -- Brian Murray <brian@ubuntu.com> Tue, 21 Oct 2014 12:32:23 -0700
241+
242+pam (1.1.8-3ubuntu3) utopic; urgency=medium
243+
244+ * debian/patches-applied/extrausers.patch:
245+ - Ship pre-generated man page
246+
247+ -- Michael Terry <mterry@ubuntu.com> Tue, 22 Jul 2014 14:13:31 -0400
248+
249+pam (1.1.8-3ubuntu2) utopic; urgency=medium
250+
251+ * debian/patches-applied/extrausers.patch: Add a pam_extrausers module
252+ that is basically just a copy of pam_unix but looks at
253+ /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
254+ * debian/libpam-modules-bin.install: install the helper binaries for
255+ pam_extrausers to /sbin
256+ * debian/rules: Make pam_extrausers_chkpwd sguid shadow
257+
258+ -- Michael Terry <mterry@ubuntu.com> Fri, 18 Jul 2014 14:52:08 -0400
259+
260+pam (1.1.8-3ubuntu1) utopic; urgency=medium
261+
262+ [ Stéphane Graber ]
263+ * Merge from Debian unstable, remaining changes:
264+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
265+ not present there or in /etc/security/pam_env.conf. (should send to
266+ Debian).
267+ - debian/libpam0g.postinst: only ask questions during update-manager when
268+ there are non-default services running.
269+ - debian/libpam0g.postinst: check if gdm is actually running before
270+ trying to reload it.
271+ - debian/libpam0g.postinst: the init script for 'samba' is now named
272+ 'smbd' in Ubuntu, so fix the restart handling.
273+ - Change Vcs-Bzr to point at the Ubuntu branch.
274+ - debian/patches-applied/series: Ubuntu patches are as below ...
275+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
276+ initialise RLIMIT_NICE rather than relying on the kernel limits.
277+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
278+ Deprecate pam_unix's explicit "usergroups" option and instead read it
279+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
280+ there. This restores compatibility with the pre-PAM behaviour of login.
281+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
282+ /etc/legal once, then set a flag in the user's homedir to prevent
283+ showing it again.
284+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
285+ for update-motd, with some best practices and notes of explanation.
286+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
287+ to update-motd(5)
288+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
289+ default, now that the umask setting is gone from /etc/profile.
290+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
291+ - Build-depend on libfl-dev in addition to flex, for cross-building
292+ support.
293+ - Add /usr/local/games to PATH.
294+ - Adjust debian/patches-applied/update-motd to write to
295+ /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
296+ to use this file and no longer links /etc/motd to /var/run/motd.
297+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
298+ include patch to autogenerated manpage file
299+ - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
300+ Update patch with follow-up changes to loginuid.c
301+
302+ [ Timo Aaltonen ]
303+ * pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
304+ by default. (LP: #557013)
305+
306+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 14:59:10 -0400
307+
308+>>>>>>> debian/changelog
309 pam (1.1.8-3) unstable; urgency=low
310
311 * debian/rules: On hurd, link libpam explicitly with -lpthread since glibc
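Review bot: Nothing in the pam_extrausers lines of the 1.1.8-3ubuntu2 entry says how the copied code is kept in step with pam_unix. The entry calls the module "basically just a copy of pam_unix" and the file list shows extrausers.patch at 6567 added lines, so fixes made to pam_unix will not reach the copy on their own; the merge should state which pam_unix version the copy was refreshed against. The debian/rules line "Make pam_extrausers_chkpwd sguid shadow" also deserves a separate look, since it sets a privileged group on a helper installed to /sbin, and the wording should be corrected to setgid.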
312@@ -109,6 +384,57 @@ pam (1.1.8-2) unstable; urgency=medium
313
314 -- Steve Langasek <vorlon@debian.org> Thu, 13 Feb 2014 15:02:00 -0800
315
316+<<<<<<< debian/changelog
317+=======
318+pam (1.1.8-1ubuntu2) trusty; urgency=medium
319+
320+ * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid:
321+ Update patch with follow-up changes to loginuid.c
322+
323+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 31 Jan 2014 22:11:02 +0000
324+
325+pam (1.1.8-1ubuntu1) trusty; urgency=medium
326+
327+ * Merge from Debian unstable, remaining changes:
328+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
329+ not present there or in /etc/security/pam_env.conf. (should send to
330+ Debian).
331+ - debian/libpam0g.postinst: only ask questions during update-manager when
332+ there are non-default services running.
333+ - debian/libpam0g.postinst: check if gdm is actually running before
334+ trying to reload it.
335+ - debian/libpam0g.postinst: the init script for 'samba' is now named
336+ 'smbd' in Ubuntu, so fix the restart handling.
337+ - Change Vcs-Bzr to point at the Ubuntu branch.
338+ - debian/patches-applied/series: Ubuntu patches are as below ...
339+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
340+ initialise RLIMIT_NICE rather than relying on the kernel limits.
341+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
342+ Deprecate pam_unix's explicit "usergroups" option and instead read it
343+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
344+ there. This restores compatibility with the pre-PAM behaviour of login.
345+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
346+ /etc/legal once, then set a flag in the user's homedir to prevent
347+ showing it again.
348+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
349+ for update-motd, with some best practices and notes of explanation.
350+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
351+ to update-motd(5)
352+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
353+ default, now that the umask setting is gone from /etc/profile.
354+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
355+ - Build-depend on libfl-dev in addition to flex, for cross-building
356+ support.
357+ - Add /usr/local/games to PATH.
358+ - Adjust debian/patches-applied/update-motd to write to
359+ /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
360+ to use this file and no longer links /etc/motd to /var/run/motd.
361+ * debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: include
362+ patch to autogenerated manpage file
363+
364+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 16 Jan 2014 02:40:41 +0000
365+
366+>>>>>>> debian/changelog
367 pam (1.1.8-1) unstable; urgency=medium
368
369 * New upstream release.
370@@ -142,6 +468,50 @@ pam (1.1.8-1) unstable; urgency=medium
371
372 -- Steve Langasek <vorlon@debian.org> Thu, 16 Jan 2014 00:38:42 +0000
373
374+<<<<<<< debian/changelog
375+=======
376+pam (1.1.3-11ubuntu1) trusty; urgency=medium
377+
378+ * Merge from Debian unstable, remaining changes:
379+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
380+ not present there or in /etc/security/pam_env.conf. (should send to
381+ Debian).
382+ - debian/libpam0g.postinst: only ask questions during update-manager when
383+ there are non-default services running.
384+ - debian/libpam0g.postinst: check if gdm is actually running before
385+ trying to reload it.
386+ - debian/libpam0g.postinst: the init script for 'samba' is now named
387+ 'smbd' in Ubuntu, so fix the restart handling.
388+ - Change Vcs-Bzr to point at the Ubuntu branch.
389+ - debian/patches-applied/series: Ubuntu patches are as below ...
390+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
391+ initialise RLIMIT_NICE rather than relying on the kernel limits.
392+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
393+ Deprecate pam_unix's explicit "usergroups" option and instead read it
394+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
395+ there. This restores compatibility with the pre-PAM behaviour of login.
396+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
397+ /etc/legal once, then set a flag in the user's homedir to prevent
398+ showing it again.
399+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
400+ for update-motd, with some best practices and notes of explanation.
401+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
402+ to update-motd(5)
403+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
404+ default, now that the umask setting is gone from /etc/profile.
405+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
406+ - Build-depend on libfl-dev in addition to flex, for cross-building
407+ support.
408+ - Add /usr/local/games to PATH.
409+ - Adjust debian/patches-applied/update-motd to write to
410+ /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
411+ to use this file and no longer links /etc/motd to /var/run/motd.
412+ * Dropped changes, merged in Debian:
413+ - Disable libaudit for stage1 bootstrap.
414+
415+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 13 Jan 2014 21:41:05 -0800
416+
417+>>>>>>> debian/changelog
418 pam (1.1.3-11) unstable; urgency=low
419
420 [ Wookey ]
421@@ -155,6 +525,49 @@ pam (1.1.3-11) unstable; urgency=low
422
423 -- Steve Langasek <vorlon@debian.org> Tue, 14 Jan 2014 03:33:31 +0000
424
425+<<<<<<< debian/changelog
426+=======
427+pam (1.1.3-10ubuntu1) trusty; urgency=low
428+
429+ * Merge from Debian unstable, remaining changes:
430+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
431+ not present there or in /etc/security/pam_env.conf. (should send to
432+ Debian).
433+ - debian/libpam0g.postinst: only ask questions during update-manager when
434+ there are non-default services running.
435+ - debian/libpam0g.postinst: check if gdm is actually running before
436+ trying to reload it.
437+ - debian/libpam0g.postinst: the init script for 'samba' is now named
438+ 'smbd' in Ubuntu, so fix the restart handling.
439+ - Change Vcs-Bzr to point at the Ubuntu branch.
440+ - debian/patches-applied/series: Ubuntu patches are as below ...
441+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
442+ initialise RLIMIT_NICE rather than relying on the kernel limits.
443+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
444+ Deprecate pam_unix's explicit "usergroups" option and instead read it
445+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
446+ there. This restores compatibility with the pre-PAM behaviour of login.
447+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
448+ /etc/legal once, then set a flag in the user's homedir to prevent
449+ showing it again.
450+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
451+ for update-motd, with some best practices and notes of explanation.
452+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
453+ to update-motd(5)
454+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
455+ default, now that the umask setting is gone from /etc/profile.
456+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
457+ - Build-depend on libfl-dev in addition to flex, for cross-building
458+ support.
459+ - Add /usr/local/games to PATH.
460+ - Disable libaudit for stage1 bootstrap.
461+ - Adjust debian/patches-applied/update-motd to write to
462+ /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
463+ to use this file and no longer links /etc/motd to /var/run/motd.
464+
465+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 20 Oct 2013 18:21:34 -0700
466+
467+>>>>>>> debian/changelog
468 pam (1.1.3-10) unstable; urgency=low
469
470 * Fix pam-auth-update handling of trailing blank lines in the fields of
471@@ -176,6 +589,59 @@ pam (1.1.3-9) unstable; urgency=low
472
473 -- Steve Langasek <vorlon@debian.org> Tue, 12 Feb 2013 23:06:30 +0000
474
475+<<<<<<< debian/changelog
476+=======
477+pam (1.1.3-8ubuntu3) saucy; urgency=low
478+
479+ * Adjust debian/patches-applied/update-motd to write to /run/motd.dynamic,
480+ as sysvinit/ssh/login in Debian have been changed to use this file and
481+ no longer links /etc/motd to /var/run/motd.
482+
483+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 18 May 2013 00:07:43 -0500
484+
485+pam (1.1.3-8ubuntu2) raring; urgency=low
486+
487+ * Disable libaudit for stage1 bootstrap (LP: #1126404)
488+
489+ -- Wookey <wookey@wookware.org> Fri, 15 Feb 2013 12:45:27 +0000
490+
491+pam (1.1.3-8ubuntu1) raring; urgency=low
492+
493+ * Merge from Debian unstable, remaining changes:
494+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
495+ not present there or in /etc/security/pam_env.conf. (should send to
496+ Debian).
497+ - debian/libpam0g.postinst: only ask questions during update-manager when
498+ there are non-default services running.
499+ - debian/libpam0g.postinst: check if gdm is actually running before
500+ trying to reload it.
501+ - debian/libpam0g.postinst: the init script for 'samba' is now named
502+ 'smbd' in Ubuntu, so fix the restart handling.
503+ - Change Vcs-Bzr to point at the Ubuntu branch.
504+ - debian/patches-applied/series: Ubuntu patches are as below ...
505+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
506+ initialise RLIMIT_NICE rather than relying on the kernel limits.
507+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
508+ Deprecate pam_unix' explicit "usergroups" option and instead read it
509+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
510+ there. This restores compatibility with the pre-PAM behaviour of login.
511+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
512+ /etc/legal once, then set a flag in the user's homedir to prevent
513+ showing it again.
514+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
515+ for update-motd, with some best practices and notes of explanation.
516+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
517+ to update-motd(5)
518+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
519+ default, now that the umask setting is gone from /etc/profile.
520+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
521+ - Build-depend on libfl-dev in addition to flex, for cross-building
522+ support.
523+ - Add /usr/local/games to PATH. LP: #110287.
524+
525+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 11 Feb 2013 22:08:44 -0800
526+
527+>>>>>>> debian/changelog
528 pam (1.1.3-8) unstable; urgency=low
529
530 * Confirm NMU for bug #611136; thanks to Michael Gilbert.
531@@ -212,6 +678,58 @@ pam (1.1.3-7.1) unstable; urgency=low
532
533 -- Michael Gilbert <mgilbert@debian.org> Sun, 29 Apr 2012 02:23:26 -0400
534
535+<<<<<<< debian/changelog
536+=======
537+pam (1.1.3-7ubuntu3) quantal; urgency=low
538+
539+ [ Nathan Williams ]
540+ * Add /usr/local/games to PATH. LP: #110287.
541+
542+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 03 Jul 2012 06:55:25 +0000
543+
544+pam (1.1.3-7ubuntu2) precise; urgency=low
545+
546+ * No-change rebuild with gzip 1.4-1ubuntu2 to get multiarch-clean
547+ compression of manpages. LP: #871083.
548+
549+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Feb 2012 17:15:39 -0800
550+
551+pam (1.1.3-7ubuntu1) precise; urgency=low
552+
553+ * Merge from Debian unstable, remaining changes:
554+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
555+ not present there or in /etc/security/pam_env.conf. (should send to
556+ Debian).
557+ - debian/libpam0g.postinst: only ask questions during update-manager when
558+ there are non-default services running.
559+ - debian/libpam0g.postinst: check if gdm is actually running before
560+ trying to reload it.
561+ - debian/libpam0g.postinst: the init script for 'samba' is now named
562+ 'smbd' in Ubuntu, so fix the restart handling.
563+ - Change Vcs-Bzr to point at the Ubuntu branch.
564+ - debian/patches-applied/series: Ubuntu patches are as below ...
565+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
566+ initialise RLIMIT_NICE rather than relying on the kernel limits.
567+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
568+ Deprecate pam_unix' explicit "usergroups" option and instead read it
569+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
570+ there. This restores compatibility with the pre-PAM behaviour of login.
571+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
572+ /etc/legal once, then set a flag in the user's homedir to prevent
573+ showing it again.
574+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
575+ for update-motd, with some best practices and notes of explanation.
576+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
577+ to update-motd(5)
578+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
579+ default, now that the umask setting is gone from /etc/profile.
580+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
581+ - Build-depend on libfl-dev in addition to flex, for cross-building
582+ support.
583+
584+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 28 Jan 2012 11:36:07 -0800
585+
586+>>>>>>> debian/changelog
587 pam (1.1.3-7) unstable; urgency=low
588
589 * Updated debconf translations:
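Review bot: the conflict markers at lines 535, 536 and 586 (`<<<<<<< debian/changelog`, `=======`, `>>>>>>> debian/changelog`) are added as file content, and the same three lines recur in every later changelog hunk. None of them is a valid changelog line, so debian/changelog will not parse as it stands. The side between `<<<<<<<` and `=======` is empty, so the resolution is to keep the Ubuntu entries, delete only the marker lines, and check the result with dpkg-parsechangelog before upload.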
590@@ -239,6 +757,52 @@ pam (1.1.3-7) unstable; urgency=low
591
592 -- Steve Langasek <vorlon@debian.org> Sat, 28 Jan 2012 10:57:49 -0800
593
594+<<<<<<< debian/changelog
595+=======
596+pam (1.1.3-6ubuntu1) precise; urgency=low
597+
598+ * Merge from Debian unstable. Remaining changes:
599+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
600+ not present there or in /etc/security/pam_env.conf. (should send to
601+ Debian).
602+ - debian/libpam0g.postinst: only ask questions during update-manager when
603+ there are non-default services running.
604+ - debian/libpam0g.postinst: check if gdm is actually running before
605+ trying to reload it.
606+ - debian/libpam0g.postinst: the init script for 'samba' is now named
607+ 'smbd' in Ubuntu, so fix the restart handling.
608+ - Change Vcs-Bzr to point at the Ubuntu branch.
609+ - debian/patches-applied/series: Ubuntu patches are as below ...
610+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
611+ initialise RLIMIT_NICE rather than relying on the kernel limits.
612+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
613+ Deprecate pam_unix' explicit "usergroups" option and instead read it
614+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
615+ there. This restores compatibility with the pre-PAM behaviour of login.
616+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
617+ /etc/legal once, then set a flag in the user's homedir to prevent
618+ showing it again.
619+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
620+ for update-motd, with some best practices and notes of explanation.
621+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
622+ to update-motd(5)
623+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
624+ default, now that the umask setting is gone from /etc/profile.
625+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
626+ * Dropped changes, included in Debian:
627+ - debian/patches-applied/update-motd: set a sane umask before calling
628+ run-parts, and restore the old mask afterwards, so /run/motd gets
629+ consistent permissions.
630+ - debian/patches-applied/update-motd: new module option for pam_motd,
631+ 'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
632+ - debian/libpam0g.postinst: drop kdm from the list of services to
633+ restart.
634+ * Build-depend on libfl-dev in addition to flex, for cross-building
635+ support.
636+
637+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 07 Nov 2011 21:15:00 -0800
638+
639+>>>>>>> debian/changelog
640 pam (1.1.3-6) unstable; urgency=low
641
642 * debian/patches-applied/hurd_no_setfsuid: we don't want to check all
643@@ -266,6 +830,62 @@ pam (1.1.3-6) unstable; urgency=low
644
645 -- Steve Langasek <vorlon@debian.org> Sun, 06 Nov 2011 19:43:14 -0800
646
647+<<<<<<< debian/changelog
648+=======
649+pam (1.1.3-5ubuntu2) precise; urgency=low
650+
651+ * Rebuild with dpkg 1.16.1.1ubuntu2 to restore large file support.
652+
653+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 01 Nov 2011 16:59:55 -0400
654+
655+pam (1.1.3-5ubuntu1) precise; urgency=low
656+
657+ * Merge from Debian unstable. Remaining changes:
658+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
659+ not present there or in /etc/security/pam_env.conf. (should send to
660+ Debian).
661+ - debian/libpam0g.postinst: only ask questions during update-manager when
662+ there are non-default services running.
663+ - Change Vcs-Bzr to point at the Ubuntu branch.
664+ - debian/patches-applied/series: Ubuntu patches are as below ...
665+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
666+ initialise RLIMIT_NICE rather than relying on the kernel limits.
667+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
668+ /etc/legal once, then set a flag in the user's homedir to prevent
669+ showing it again.
670+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
671+ for update-motd, with some best practices and notes of explanation.
672+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
673+ to update-motd(5)
674+ - debian/libpam0g.postinst: drop kdm from the list of services to
675+ restart.
676+ - debian/libpam0g.postinst: check if gdm is actually running before
677+ trying to reload it.
678+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
679+ default, now that the umask setting is gone from /etc/profile.
680+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
681+ - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
682+ Deprecate pam_unix' explicit "usergroups" option and instead read it
683+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
684+ there. This restores compatibility with the pre-PAM behaviour of login.
685+ (Closes: #583958)
686+ * Dropped changes, included in Debian:
687+ - debian/patches-applied/CVE-2011-3148.patch
688+ - debian/patches-applied/CVE-2011-3149.patch
689+ - debian/patches-applied/update-motd: updated to use clean environment
690+ and absolute paths in modules/pam_motd/pam_motd.c.
691+ * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd'
692+ in Ubuntu, so fix the restart handling.
693+ * debian/patches-applied/update-motd: set a sane umask before calling
694+ run-parts, and restore the old mask afterwards, so /run/motd gets
695+ consistent permissions. LP: #871943.
696+ * debian/patches-applied/update-motd: new module option for pam_motd,
697+ 'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
698+ LP: #805423.
699+
700+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 30 Oct 2011 09:45:00 -0600
701+
702+>>>>>>> debian/changelog
703 pam (1.1.3-5) unstable; urgency=low
704
705 [ Kees Cook ]
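Review bot: under "Dropped changes, included in Debian" (lines 686-690) the 1.1.3-5ubuntu1 entry drops CVE-2011-3148.patch, CVE-2011-3149.patch and the update-motd clean-environment change, but the entry does not say which Debian version carries them. Please confirm against the merged debian/patches-applied/series that the pam_env fixes and the clean-environment and absolute-path handling in pam_motd are still applied, since the changelog line is the only evidence visible here.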
706@@ -320,6 +940,67 @@ pam (1.1.3-3) unstable; urgency=low
707
708 -- Steve Langasek <vorlon@debian.org> Sat, 24 Sep 2011 20:08:56 +0000
709
710+<<<<<<< debian/changelog
711+=======
712+pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low
713+
714+ * SECURITY UPDATE: possible code execution via incorrect environment file
715+ parsing (LP: #874469)
716+ - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
717+ whitespace when parsing environment file in modules/pam_env/pam_env.c.
718+ - CVE-2011-3148
719+ * SECURITY UPDATE: denial of service via overflowed environment variable
720+ expansion (LP: #874565)
721+ - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
722+ with PAM_BUF_ERR in modules/pam_env/pam_env.c.
723+ - CVE-2011-3149
724+ * SECURITY UPDATE: code execution via incorrect environment cleaning
725+ - debian/patches-applied/update-motd: updated to use clean environment
726+ and absolute paths in modules/pam_motd/pam_motd.c.
727+ - CVE-2011-XXXX
728+
729+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 18 Oct 2011 09:33:47 -0400
730+
731+pam (1.1.3-2ubuntu1) oneiric; urgency=low
732+
733+ * Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
734+ changes:
735+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
736+ not present there or in /etc/security/pam_env.conf. (should send to
737+ Debian).
738+ - debian/libpam0g.postinst: only ask questions during update-manager when
739+ there are non-default services running.
740+ - Change Vcs-Bzr to point at the Ubuntu branch.
741+ - debian/patches-applied/series: Ubuntu patches are as below ...
742+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
743+ initialise RLIMIT_NICE rather than relying on the kernel limits.
744+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
745+ /etc/legal once, then set a flag in the user's homedir to prevent
746+ showing it again.
747+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
748+ for update-motd, with some best practices and notes of explanation.
749+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
750+ to update-motd(5)
751+ - debian/libpam0g.postinst: drop kdm from the list of services to
752+ restart.
753+ - debian/libpam0g.postinst: check if gdm is actually running before
754+ trying to reload it.
755+ - debian/local/common-session{,-noninteractive}: Enable pam_umask by
756+ default, now that the umask setting is gone from /etc/profile.
757+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
758+ - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
759+ Deprecate pam_unix' explicit "usergroups" option and instead read it
760+ from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
761+ there. This restores compatibility with the pre-PAM behaviour of login.
762+ (Closes: #583958)
763+ * Dropped changes:
764+ - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
765+ no need to bump the hard limit for number of file descriptors any more
766+ since we read kernel limits directly now.
767+
768+ -- Kees Cook <kees@ubuntu.com> Thu, 18 Aug 2011 16:41:18 -0500
769+
770+>>>>>>> debian/changelog
771 pam (1.1.3-2) unstable; urgency=low
772
773 [ Kees Cook ]
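Review bot: the third SECURITY UPDATE item in 1.1.3-2ubuntu2.1 ends with the placeholder `CVE-2011-XXXX` (line 727) and, unlike the two items above it, carries no LP bug reference. Anything that searches the changelog for CVE ids will miss the pam_motd environment-cleaning fix. The uploaded entry should stay as it is; if an id was assigned later, name it in the new merge entry rather than editing this one.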
774@@ -336,6 +1017,76 @@ pam (1.1.3-2) unstable; urgency=low
775
776 -- Steve Langasek <vorlon@debian.org> Tue, 21 Jun 2011 11:41:12 -0700
777
778+<<<<<<< debian/changelog
779+=======
780+pam (1.1.3-1ubuntu3) oneiric; urgency=low
781+
782+ [ Steve Langasek ]
783+ * debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv
784+ common helper functions, instead of hand-rolled uid-setting code.
785+
786+ [ Martin Pitt ]
787+ * debian/local/common-session{,-noninteractive}: Enable pam_umask by
788+ default, now that the umask setting is gone from /etc/profile.
789+ (LP: #253096, UbuntuSpec:umask-to-0002)
790+ * debian/local/pam-auth-update: Add the new md5sum of above files.
791+ * Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
792+ Deprecate pam_unix' explicit "usergroups" option and instead read it from
793+ /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
794+ This restores compatibility with the pre-PAM behaviour of login.
795+ (Closes: #583958)
796+
797+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 24 Jun 2011 11:07:57 +0200
798+
799+pam (1.1.3-1ubuntu2) oneiric; urgency=low
800+
801+ * debian/patches-applied/update-motd-manpage-ref: refresh patch to apply
802+ cleanly against new upstream.
803+
804+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 04 Jun 2011 14:20:17 -0700
805+
806+pam (1.1.3-1ubuntu1) oneiric; urgency=low
807+
808+ * Merge from Debian unstable, remaining changes:
809+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
810+ not present there or in /etc/security/pam_env.conf. (should send to
811+ Debian).
812+ - debian/libpam0g.postinst: only ask questions during update-manager when
813+ there are non-default services running.
814+ - Change Vcs-Bzr to point at the Ubuntu branch.
815+ - debian/patches-applied/series: Ubuntu patches are as below ...
816+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
817+ initialise RLIMIT_NICE rather than relying on the kernel limits.
818+ - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
819+ bump the hard limit for number of file descriptors, to keep pace with
820+ the changes in the kernel.
821+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
822+ /etc/legal once, then set a flag in the user's homedir to prevent
823+ showing it again.
824+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
825+ for update-motd, with some best practices and notes of explanation.
826+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
827+ to update-motd(5)
828+ - debian/libpam0g.postinst: drop kdm from the list of services to
829+ restart.
830+ - debian/libpam0g.postinst: check if gdm is actually running before
831+ trying to reload it.
832+ - New patch, lib_security_multiarch_compat, which lets us reuse the
833+ upstream --enable-isadir functionality to support a true path for
834+ module lookups; this way we don't have to force a hard transition to
835+ multiarch, but can support resolving modules in both the multiarch and
836+ non-multiarch directories.
837+ - build for multiarch, splitting our executables out of libpam-modules
838+ into a new package, libpam-modules-bin, so that modules can be
839+ co-installable between architectures.
840+ * Dropped changes:
841+ - bumping the service restart version in libpam0g.postinst to ensure
842+ servers don't fail to find the pam modules in the new paths; the min
843+ version requirement upstream is higher than this now.
844+
845+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 04 Jun 2011 14:04:19 -0700
846+
847+>>>>>>> debian/changelog
848 pam (1.1.3-1) unstable; urgency=low
849
850 * New upstream release.
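Review bot: line 783 refers to `debian/patches/pam_motd-legal-notice`, while line 821 in the same hunk uses `debian/patches-applied/` for the same patch, and line 826 has the same `debian/patches/` prefix for update-motd-manpage-ref. Line 793 also writes "/etc/login.def's" where the patch name on line 791 shows the file is login.defs. These are uploaded entries, so leave them, but use the `debian/patches-applied/` path and the correct file name in the new merge entry where these items are carried forward.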
851@@ -353,6 +1104,49 @@ pam (1.1.3-1) unstable; urgency=low
852
853 -- Steve Langasek <vorlon@debian.org> Sat, 04 Jun 2011 03:10:50 -0700
854
855+<<<<<<< debian/changelog
856+=======
857+pam (1.1.2-3ubuntu1) oneiric; urgency=low
858+
859+ * Merge from Debian unstable, remaining changes:
860+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
861+ not present there or in /etc/security/pam_env.conf. (should send to
862+ Debian).
863+ - debian/libpam0g.postinst: only ask questions during update-manager when
864+ there are non-default services running.
865+ - Change Vcs-Bzr to point at the Ubuntu branch.
866+ - debian/patches-applied/series: Ubuntu patches are as below ...
867+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
868+ initialise RLIMIT_NICE rather than relying on the kernel limits.
869+ - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
870+ bump the hard limit for number of file descriptors, to keep pace with
871+ the changes in the kernel.
872+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
873+ /etc/legal once, then set a flag in the user's homedir to prevent
874+ showing it again.
875+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
876+ for update-motd, with some best practices and notes of explanation.
877+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
878+ to update-motd(5)
879+ - debian/libpam0g.postinst: drop kdm from the list of services to
880+ restart.
881+ - debian/libpam0g.postinst: check if gdm is actually running before
882+ trying to reload it.
883+ - New patch, lib_security_multiarch_compat, which lets us reuse the
884+ upstream --enable-isadir functionality to support a true path for
885+ module lookups; this way we don't have to force a hard transition to
886+ multiarch, but can support resolving modules in both the multiarch and
887+ non-multiarch directories.
888+ - build for multiarch, splitting our executables out of libpam-modules
889+ into a new package, libpam-modules-bin, so that modules can be
890+ co-installable between architectures.
891+ - bumping the service restart version in libpam0g.postinst to ensure
892+ servers don't fail to find the pam modules in the new paths.
893+ * bump debhelper build-dep for final multiarch support.
894+
895+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 20 May 2011 12:53:24 -0700
896+
897+>>>>>>> debian/changelog
898 pam (1.1.2-3) unstable; urgency=low
899
900 [ Kees Cook ]
901@@ -371,6 +1165,95 @@ pam (1.1.2-3) unstable; urgency=low
902
903 -- Steve Langasek <vorlon@debian.org> Sun, 01 May 2011 01:49:11 -0700
904
905+<<<<<<< debian/changelog
906+=======
907+pam (1.1.2-2ubuntu8) natty; urgency=low
908+
909+ * Check if gdm is actually running before trying to reload it. (LP: #745532)
910+
911+ -- Stéphane Graber <stgraber@ubuntu.com> Mon, 11 Apr 2011 21:57:36 -0400
912+
913+pam (1.1.2-2ubuntu7) natty; urgency=low
914+
915+ * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
916+ bump the hard limit for number of file descriptors, to keep pace with
917+ the changes in the kernel. Fortunately this shadowing should all go
918+ away next cycle when we can start to grab defaults directly from /proc.
919+ LP: #663090
920+
921+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 05 Apr 2011 13:02:02 -0700
922+
923+pam (1.1.2-2ubuntu6) natty; urgency=low
924+
925+ * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
926+ keeps libpam loaded persistently at runtime, so it's not necessary to
927+ force a kdm restart on ABI bump. Which is good, since restarting kdm
928+ now seems to also log users out of running sessions, which we rather
929+ want to avoid. LP: #744944.
930+
931+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 29 Mar 2011 13:16:26 -0700
932+
933+pam (1.1.2-2ubuntu5) natty; urgency=low
934+
935+ * Force a service restart on upgrade to the new libpam0g, to ensure
936+ servers don't fail to find the pam modules in the new paths.
937+ * libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
938+ for the same reason.
939+
940+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 22 Mar 2011 02:19:51 -0700
941+
942+pam (1.1.2-2ubuntu4) natty; urgency=low
943+
944+ * Build for multiarch; FFe LP: #733501.
945+ * Split our executables out of libpam-modules into a new package,
946+ libpam-modules-bin, so that modules can be co-installable between
947+ architectures.
948+ * New patch, lib_security_multiarch_compat, which lets us reuse the
949+ upstream --enable-isadir functionality to support a true path for module
950+ lookups; this way we don't have to force a hard transition to multiarch,
951+ but can support resolving modules in both the multiarch and
952+ non-multiarch directories.
953+ * Build-Depend on the multiarchified debhelper.
954+ * Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support.
955+
956+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 18 Mar 2011 00:12:26 -0700
957+
958+pam (1.1.2-2ubuntu3) natty; urgency=low
959+
960+ * Er, but let's get this patch applying cleanly.
961+
962+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 21 Feb 2011 16:10:11 -0800
963+
964+pam (1.1.2-2ubuntu2) natty; urgency=low
965+
966+ * debian/patches/update-motd-manpage-ref: patch the manpage too, not just
967+ the xml source.
968+
969+ -- Steve Langasek <vorlon@debian.org> Mon, 21 Feb 2011 15:47:27 -0800
970+
971+pam (1.1.2-2ubuntu1) natty; urgency=low
972+
973+ * Merge from Debian unstable, remaining changes:
974+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
975+ not present there or in /etc/security/pam_env.conf. (should send to
976+ Debian).
977+ - debian/libpam0g.postinst: only ask questions during update-manager when
978+ there are non-default services running.
979+ - debian/patches-applied/series: Ubuntu patches are as below ...
980+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
981+ initialise RLIMIT_NICE rather than relying on the kernel limits.
982+ - Change Vcs-Bzr to point at the Ubuntu branch.
983+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
984+ /etc/legal once, then set a flag in the user's homedir to prevent
985+ showing it again.
986+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
987+ for update-motd, with some best practices and notes of explanation.
988+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
989+ to update-motd(5)
990+
991+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 17 Feb 2011 16:15:47 -0800
992+
993+>>>>>>> debian/changelog
994 pam (1.1.2-2) unstable; urgency=low
995
996 * debian/patches-applied/hurd_no_setfsuid: handle some new calls to
997@@ -429,6 +1312,35 @@ pam (1.1.1-7) UNRELEASED; urgency=low
998
999 -- Steve Langasek <vorlon@debian.org> Wed, 17 Nov 2010 16:53:46 -0800
1000
1001+<<<<<<< debian/changelog
1002+=======
1003+pam (1.1.1-6.1ubuntu1) natty; urgency=low
1004+
1005+ * Merge from Debian unstable, remaining changes:
1006+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1007+ not present there or in /etc/security/pam_env.conf. (should send to
1008+ Debian).
1009+ - debian/libpam0g.postinst: only ask questions during update-manager when
1010+ there are non-default services running.
1011+ - debian/patches-applied/series: Ubuntu patches are as below ...
1012+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1013+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1014+ - Change Vcs-Bzr to point at the Ubuntu branch.
1015+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1016+ /etc/legal once, then set a flag in the user's homedir to prevent
1017+ showing it again.
1018+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1019+ for update-motd, with some best practices and notes of explanation.
1020+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1021+ to update-motd(5)
1022+ * Dropped changes:
1023+ - libpam-modules depend on base-files (>= 5.0.0ubuntu6): 5.0.0ubuntu20
1024+ is in 10.04 LTS and this is an essential package, so no more need for
1025+ the versioned dependency.
1026+
1027+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 15 Feb 2011 23:36:47 -0800
1028+
1029+>>>>>>> debian/changelog
1030 pam (1.1.1-6.1) unstable; urgency=low
1031
1032 * Non-maintainer upload.
1033@@ -466,6 +1378,41 @@ pam (1.1.1-5) unstable; urgency=low
1034
1035 -- Steve Langasek <vorlon@debian.org> Sun, 05 Sep 2010 12:42:34 -0700
1036
1037+<<<<<<< debian/changelog
1038+=======
1039+pam (1.1.1-4ubuntu2) maverick-security; urgency=low
1040+
1041+ * SECURITY UPDATE: root privilege escalation via symlink following.
1042+ - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
1043+ - CVE-2010-0832
1044+
1045+ -- Kees Cook <kees@ubuntu.com> Mon, 25 Oct 2010 06:40:32 -0700
1046+
1047+pam (1.1.1-4ubuntu1) maverick; urgency=low
1048+
1049+ * Merge from Debian unstable, remaining changes:
1050+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
1051+ not present there or in /etc/security/pam_env.conf. (should send to
1052+ Debian).
1053+ - debian/libpam0g.postinst: only ask questions during update-manager when
1054+ there are non-default services running.
1055+ - debian/patches-applied/series: Ubuntu patches are as below ...
1056+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1057+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1058+ - Change Vcs-Bzr to point at the Ubuntu branch.
1059+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1060+ run-parts does the right thing in /etc/update-motd.d.
1061+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1062+ /etc/legal once, then set a flag in the user's homedir to prevent
1063+ showing it again.
1064+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1065+ for update-motd, with some best practices and notes of explanation.
1066+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
1067+ to update-motd(5)
1068+
1069+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 16 Aug 2010 19:12:35 -0700
1070+
1071+>>>>>>> debian/changelog
1072 pam (1.1.1-4) unstable; urgency=low
1073
1074 * debian/patches/conditional_module,_conditional_man: if we don't have the
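Review bot: the 1.1.1-4ubuntu2 entry (lines 1041-1043) records a root privilege escalation via symlink following in pam_motd-legal-notice, fixed by dropping privileges (CVE-2010-0832), and later entries still list that patch as a remaining Ubuntu change. When the patch is refreshed for this merge, check that the privilege drop around the work in the user's home directory is intact, using the pam_modutil_gain/drop_priv helpers named in the 1.1.3-1ubuntu3 entry.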
1075@@ -484,6 +1431,43 @@ pam (1.1.1-4) unstable; urgency=low
1076
1077 -- Steve Langasek <vorlon@debian.org> Sun, 15 Aug 2010 21:53:46 -0700
1078
1079+<<<<<<< debian/changelog
1080+=======
1081+pam (1.1.1-3ubuntu2) maverick; urgency=low
1082+
1083+ * Trigger a rebuild, applying changes from 1.1.1-2ubuntu2 which
1084+ were previously not committed to bzr
1085+
1086+ -- Dustin Kirkland <kirkland@ubuntu.com> Thu, 13 May 2010 10:04:23 +0200
1087+
1088+pam (1.1.1-3ubuntu1) maverick; urgency=low
1089+
1090+ * Merge from Debian, remaining changes:
1091+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1092+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1093+ - debian/libpam0g.postinst: only ask questions during update-manager when
1094+ there are non-default services running.
1095+ - debian/patches-applied/series: Ubuntu patches are as below ...
1096+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1097+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1098+ - Change Vcs-Bzr to point at the Ubuntu branch.
1099+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1100+ run-parts does the right thing in /etc/update-motd.d.
1101+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1102+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1103+ it again.
1104+ * Dropped changes:
1105+ - debian/local/common-{auth,account,password}.md5sums: include the
1106+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1107+ common-session-noninteractive upgrade - upgrades to maverick are
1108+ only supported from lucid, so this delta can be dropped.
1109+ - debian/patches-applied/ubuntu-no-error-if-missingok: 'missingok' option
1110+ is obsoleted by 10.04 LTS and no longer needs to be supported for
1111+ upgrades.
1112+
1113+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 13 May 2010 00:39:44 +0200
1114+
1115+>>>>>>> debian/changelog
1116 pam (1.1.1-3) unstable; urgency=low
1117
1118 * pam-auth-update: fix a bug in our handling of module options when the
1119@@ -494,6 +1478,44 @@ pam (1.1.1-3) unstable; urgency=low
1120
1121 -- Steve Langasek <vorlon@debian.org> Sun, 25 Apr 2010 05:53:44 -0700
1122
1123+<<<<<<< debian/changelog
1124+=======
1125+pam (1.1.1-2ubuntu2) lucid; urgency=low
1126+
1127+ * debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
1128+ for update-motd, with some best practices and notes of explanation,
1129+ LP: #562566
1130+ * debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8)
1131+ to update-motd(5), LP: #552175
1132+
1133+ -- Dustin Kirkland <kirkland@ubuntu.com> Tue, 13 Apr 2010 16:58:12 -0500
1134+
1135+pam (1.1.1-2ubuntu1) lucid; urgency=low
1136+
1137+ * Merge from Debian, remaining changes:
1138+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1139+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1140+ - debian/libpam0g.postinst: only ask questions during update-manager when
1141+ there are non-default services running.
1142+ - debian/patches-applied/series: Ubuntu patches are as below ...
1143+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1144+ module option 'missingok' which will suppress logging of errors by
1145+ libpam if the module is not found.
1146+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1147+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1148+ - Change Vcs-Bzr to point at the Ubuntu branch.
1149+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1150+ run-parts does the right thing in /etc/update-motd.d.
1151+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1152+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1153+ it again.
1154+ - debian/local/common-{auth,account,password}.md5sums: include the
1155+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1156+ common-session-noninteractive upgrade.
1157+
1158+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 18 Feb 2010 12:04:18 +0000
1159+
1160+>>>>>>> debian/changelog
1161 pam (1.1.1-2) unstable; urgency=low
1162
1163 * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and
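Review bot: line 1130 says the reference was added in `pam_mod(8)`, while every other entry that carries this item writes `pam_motd(8)`, which matches the patch name update-motd-manpage-ref. The uploaded entry should stay as it is, but use the `pam_motd(8)` wording when the item is carried forward.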
1164@@ -502,6 +1524,34 @@ pam (1.1.1-2) unstable; urgency=low
1165
1166 -- Steve Langasek <vorlon@debian.org> Wed, 17 Feb 2010 23:21:23 -0800
1167
1168+<<<<<<< debian/changelog
1169+=======
1170+pam (1.1.1-1ubuntu1) lucid; urgency=low
1171+
1172+ * Merge from Debian, remaining changes:
1173+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1174+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1175+ - debian/libpam0g.postinst: only ask questions during update-manager when
1176+ there are non-default services running.
1177+ - debian/patches-applied/series: Ubuntu patches are as below ...
1178+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1179+ module option 'missingok' which will suppress logging of errors by
1180+ libpam if the module is not found.
1181+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1182+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1183+ - Change Vcs-Bzr to point at the Ubuntu branch.
1184+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1185+ run-parts does the right thing in /etc/update-motd.d.
1186+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1187+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1188+ it again.
1189+ - debian/local/common-{auth,account,password}.md5sums: include the
1190+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1191+ common-session-noninteractive upgrade.
1192+
1193+ -- Steve Langasek <vorlon@debian.org> Mon, 01 Feb 2010 09:55:02 -0800
1194+
1195+>>>>>>> debian/changelog
1196 pam (1.1.1-1) unstable; urgency=low
1197
1198 * New upstream version.
1199@@ -529,6 +1579,50 @@ pam (1.1.1-1) unstable; urgency=low
1200
1201 -- Steve Langasek <vorlon@debian.org> Mon, 01 Feb 2010 02:04:33 -0800
1202
1203+<<<<<<< debian/changelog
1204+=======
1205+pam (1.1.0-4ubuntu3) lucid; urgency=low
1206+
1207+ * Brown paper bag: remove the right patch from the series file.
1208+
1209+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 10 Dec 2009 23:09:03 -0800
1210+
1211+pam (1.1.0-4ubuntu2) lucid; urgency=low
1212+
1213+ * "Rebase" Ubuntu patches to apply them last in the series.
1214+ * Drop patch ubuntu-regression_fix_securetty, superseded by the more
1215+ precise fix in pam_securetty_tty_check_before_user_check.
1216+
1217+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 10 Dec 2009 22:52:20 -0800
1218+
1219+pam (1.1.0-4ubuntu1) lucid; urgency=low
1220+
1221+ * Merge from Debian, remaining changes:
1222+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1223+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1224+ - debian/libpam0g.postinst: only ask questions during update-manager when
1225+ there are non-default services running.
1226+ - debian/patches-applied/series: Ubuntu patches are as below ...
1227+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1228+ module option 'missingok' which will suppress logging of errors by
1229+ libpam if the module is not found.
1230+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1231+ password on bad username.
1232+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1233+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1234+ - Change Vcs-Bzr to point at the Ubuntu branch.
1235+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1236+ run-parts does the right thing in /etc/update-motd.d.
1237+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1238+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1239+ it again.
1240+ - debian/local/common-{auth,account,password}.md5sums: include the
1241+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1242+ common-session-noninteractive upgrade.
1243+
1244+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 05 Nov 2009 21:33:15 -0800
1245+
1246+>>>>>>> debian/changelog
1247 pam (1.1.0-4) unstable; urgency=low
1248
1249 * debian/patches/pam_securetty_tty_check_before_user_check: new patch,
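Review bot: lines 1207 and 1214 to 1215 leave the final state of the securetty patches ambiguous. 1.1.0-4ubuntu2 drops ubuntu-regression_fix_securetty as superseded by pam_securetty_tty_check_before_user_check, and 1.1.0-4ubuntu3 then says only "remove the right patch from the series file" without naming either patch. The dropped patch is described at lines 1230 to 1231 as "prompt for password on bad username", which is authentication-visible behaviour, so please check debian/patches-applied/series in the merged tree to confirm that ubuntu-regression_fix_securetty is absent and the Debian patch is present.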
1250@@ -578,6 +1672,39 @@ pam (1.1.0-3) unstable; urgency=low
1251
1252 -- Steve Langasek <vorlon@debian.org> Mon, 07 Sep 2009 18:47:45 -0700
1253
1254+<<<<<<< debian/changelog
1255+=======
1256+pam (1.1.0-2ubuntu1) karmic; urgency=low
1257+
1258+ * Merge from Debian, remaining changes:
1259+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1260+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1261+ - debian/libpam0g.postinst: only ask questions during update-manager when
1262+ there are non-default services running.
1263+ - debian/patches-applied/series: Ubuntu patches are as below ...
1264+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1265+ module option 'missingok' which will suppress logging of errors by
1266+ libpam if the module is not found.
1267+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1268+ password on bad username.
1269+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1270+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1271+ - Change Vcs-Bzr to point at the Ubuntu branch.
1272+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1273+ run-parts does the right thing in /etc/update-motd.d.
1274+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1275+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1276+ it again.
1277+ - debian/local/common-{auth,account,password}.md5sums: include the
1278+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1279+ common-session-noninteractive upgrade.
1280+ * Changes merged in Debian:
1281+ - debian/local/common-password, debian/pam-configs/unix: switch from
1282+ "md5" to "sha512" as password crypt default.
1283+
1284+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 04 Sep 2009 01:11:48 -0700
1285+
1286+>>>>>>> debian/changelog
1287 pam (1.1.0-2) unstable; urgency=low
1288
1289 [ Steve Langasek ]
1290@@ -606,6 +1733,44 @@ pam (1.1.0-2) unstable; urgency=low
1291
1292 -- Steve Langasek <vorlon@debian.org> Mon, 31 Aug 2009 14:21:27 -0700
1293
1294+<<<<<<< debian/changelog
1295+=======
1296+pam (1.1.0-1ubuntu1) karmic; urgency=low
1297+
1298+ * Merge from Debian, remaining changes:
1299+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1300+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1301+ - debian/libpam0g.postinst: only ask questions during update-manager when
1302+ there are non-default services running.
1303+ - debian/patches-applied/series: Ubuntu patches are as below ...
1304+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1305+ module option 'missingok' which will suppress logging of errors by
1306+ libpam if the module is not found.
1307+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1308+ password on bad username.
1309+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1310+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1311+ - Change Vcs-Bzr to point at the Ubuntu branch.
1312+ - debian/local/common-password, debian/pam-configs/unix: switch from
1313+ "md5" to "sha512" as password crypt default.
1314+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1315+ run-parts does the right thing in /etc/update-motd.d.
1316+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1317+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1318+ it again.
1319+ - debian/local/common-{auth,account,password}.md5sums: include the
1320+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1321+ common-session-noninteractive upgrade.
1322+ * Dropped changes, superseded upstream:
1323+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1324+ type rather than __u8.
1325+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1326+ ~/.pam_environment too, with the same format as
1327+ /etc/security/pam_env.conf.
1328+
1329+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 26 Aug 2009 00:40:14 -0700
1330+
1331+>>>>>>> debian/changelog
1332 pam (1.1.0-1) unstable; urgency=low
1333
1334 * New upstream version.
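Review bot: the "Dropped changes, superseded upstream" block at lines 1322 to 1327 does not say whether upstream's handling of ~/.pam_environment behaves the same as the dropped ubuntu-user_defined_environment patch. That file is user-controlled input to the session environment, so before relying on "superseded" I would confirm against the upstream pam_env source in this version that it uses the same format as /etc/security/pam_env.conf, as the entry states for the Ubuntu patch, and whether reading it is on by default or needs a module option in the shipped configs.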
1335@@ -649,6 +1814,45 @@ pam (1.1.0-1) unstable; urgency=low
1336
1337 -- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 20:35:26 -0700
1338
1339+<<<<<<< debian/changelog
1340+=======
1341+pam (1.0.1-11ubuntu1) karmic; urgency=low
1342+
1343+ * Merge from Debian, remaining changes:
1344+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1345+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1346+ - debian/libpam0g.postinst: only ask questions during update-manager when
1347+ there are non-default services running.
1348+ - debian/patches-applied/series: Ubuntu patches are as below ...
1349+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1350+ type rather than __u8.
1351+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1352+ module option 'missingok' which will suppress logging of errors by
1353+ libpam if the module is not found.
1354+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1355+ password on bad username.
1356+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1357+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1358+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1359+ ~/.pam_environment too, with the same format as
1360+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1361+ - Change Vcs-Bzr to point at the Ubuntu branch.
1362+ - debian/local/common-password, debian/pam-configs/unix: switch from
1363+ "md5" to "sha512" as password crypt default.
1364+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1365+ run-parts does the right thing in /etc/update-motd.d.
1366+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1367+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1368+ it again.
1369+ * debian/local/pam-auth-update: prune some more md5sums from intrepid
1370+ pre-release versions, reducing the Ubuntu delta some
1371+ * debian/local/common-{auth,account,password}.md5sums: include the
1372+ Ubuntu-specific intrepid,jaunty md5sums for use during the
1373+ common-session-noninteractive upgrade.
1374+
1375+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 23 Aug 2009 20:14:58 -0700
1376+
1377+>>>>>>> debian/changelog
1378 pam (1.0.1-11) unstable; urgency=low
1379
1380 * debian/libpam-runtime.postinst: bump the --force version check to
1381@@ -676,6 +1880,40 @@ pam (1.0.1-11) unstable; urgency=low
1382
1383 -- Steve Langasek <vorlon@debian.org> Sun, 23 Aug 2009 18:07:11 -0700
1384
1385+<<<<<<< debian/changelog
1386+=======
1387+pam (1.0.1-10ubuntu1) karmic; urgency=low
1388+
1389+ * Merge from Debian, remaining changes:
1390+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1391+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1392+ - debian/libpam0g.postinst: only ask questions during update-manager when
1393+ there are non-default services running.
1394+ - debian/patches-applied/series: Ubuntu patches are as below ...
1395+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1396+ type rather than __u8.
1397+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1398+ module option 'missingok' which will suppress logging of errors by
1399+ libpam if the module is not found.
1400+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1401+ password on bad username.
1402+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1403+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1404+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1405+ ~/.pam_environment too, with the same format as
1406+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1407+ - Change Vcs-Bzr to point at the Ubuntu branch.
1408+ - debian/local/common-password, debian/pam-configs/unix: switch from
1409+ "md5" to "sha512" as password crypt default.
1410+ - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1411+ run-parts does the right thing in /etc/update-motd.d.
1412+ - debian/patches-applied/pam_motd-legal-notice: display the contents of
1413+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1414+ it again.
1415+
1416+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 07 Aug 2009 09:50:02 +0100
1417+
1418+>>>>>>> debian/changelog
1419 pam (1.0.1-10) unstable; urgency=high
1420
1421 [ Steve Langasek ]
1422@@ -712,6 +1950,54 @@ pam (1.0.1-10) unstable; urgency=high
1423
1424 -- Steve Langasek <vorlon@debian.org> Thu, 06 Aug 2009 17:54:32 +0100
1425
1426+<<<<<<< debian/changelog
1427+=======
1428+pam (1.0.1-9ubuntu3) karmic; urgency=low
1429+
1430+ * Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
1431+ run-parts does the right thing in /etc/update-motd.d.
1432+
1433+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Jul 2009 23:55:50 -0700
1434+
1435+pam (1.0.1-9ubuntu2) karmic; urgency=low
1436+
1437+ [ Dustin Kirkland ]
1438+ * debian/patches/update-motd: run the update-motd scripts in pam_motd;
1439+ render update-motd obsolete, LP: #399071
1440+ * debian/patches-applied/pam_motd-legal-notice: display the contents of
1441+ /etc/legal once, then set a flag in the user's homedir to prevent showing
1442+ it again.
1443+
1444+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Jul 2009 20:41:52 -0700
1445+
1446+pam (1.0.1-9ubuntu1) jaunty; urgency=low
1447+
1448+ * Merge from Debian unstable
1449+ * Remaining changes:
1450+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1451+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1452+ - debian/libpam0g.postinst: only ask questions during update-manager when
1453+ there are non-default services running.
1454+ - debian/patches-applied/series: Ubuntu patches are as below ...
1455+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1456+ type rather than __u8.
1457+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1458+ module option 'missingok' which will suppress logging of errors by
1459+ libpam if the module is not found.
1460+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1461+ password on bad username.
1462+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1463+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1464+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1465+ ~/.pam_environment too, with the same format as
1466+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1467+ - Change Vcs-Bzr to point at the Ubuntu branch.
1468+ - debian/local/common-password, debian/pam-configs/unix: switch from
1469+ "md5" to "sha512" as password crypt default.
1470+
1471+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 20 Mar 2009 19:12:10 -0700
1472+
1473+>>>>>>> debian/changelog
1474 pam (1.0.1-9) unstable; urgency=low
1475
1476 * Move the pam module packages to section 'admin'.
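Review bot: line 1438 names the patch as debian/patches/update-motd, while every other patch referenced in this hunk lives under debian/patches-applied/. The entry makes pam_motd run the update-motd scripts, so the exact patch that introduces that execution path should be easy to locate. Please confirm that the path in the entry matches the file actually listed in debian/patches-applied/series, and that the base-files dependency recorded at lines 1430 to 1431 for run-parts behaviour in /etc/update-motd.d is still in debian/control after the merge.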
1477@@ -745,6 +2031,59 @@ pam (1.0.1-8) unstable; urgency=low
1478
1479 -- Steve Langasek <vorlon@debian.org> Fri, 20 Mar 2009 18:15:07 -0700
1480
1481+<<<<<<< debian/changelog
1482+=======
1483+pam (1.0.1-7ubuntu1) jaunty; urgency=low
1484+
1485+ * Merge from Debian unstable
1486+ * Remaining changes:
1487+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1488+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1489+ - debian/libpam0g.postinst: only ask questions during update-manager when
1490+ there are non-default services running.
1491+ - debian/patches-applied/series: Ubuntu patches are as below ...
1492+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1493+ type rather than __u8.
1494+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1495+ module option 'missingok' which will suppress logging of errors by
1496+ libpam if the module is not found.
1497+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1498+ password on bad username.
1499+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1500+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1501+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1502+ ~/.pam_environment too, with the same format as
1503+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1504+ - Change Vcs-Bzr to point at the Ubuntu branch.
1505+ - debian/local/common-password, debian/pam-configs/unix: switch from
1506+ "md5" to "sha512" as password crypt default.
1507+ * Dropped changes, merged in Debian:
1508+ - debian/local/pam-auth-update (et al): new interface for managing
1509+ /etc/pam.d/common-*, using drop-in config snippets provided by module
1510+ packages.
1511+ - New patch dont_freeze_password_chain, cherry-picked from upstream:
1512+ don't always follow the same path through the password stack on
1513+ the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
1514+ pass; this Linux-PAM deviation from the original PAM spec causes a
1515+ number of problems, in particular causing wrong return values when
1516+ using the refactored pam-auth-update stack. LP: #303515, #305882.
1517+ - debian/patches/027_pam_limits_better_init_allow_explicit_root:
1518+ Add documentation to the patch showing how to set limits for root.
1519+ * Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6,
1520+ reducing the delta with Debian.
1521+ * Drop upgrade handling code from libpam-runtime.postinst that's only
1522+ needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid
1523+ pre-release version of the package.
1524+ * pam-auth-update: swap out known md5sums from intrepid pre-release versions
1525+ with the md5sums from the released intrepid version
1526+ * pam-auth-update: drop some md5sums that will only be seen on upgrade from
1527+ pre-intrepid versions; skipping over the 8.10 final release is not
1528+ supported, and upgrading via 8.10 means those config files will be
1529+ replaced so the old md5sums will never be seen again.
1530+
1531+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 03 Mar 2009 17:34:19 -0800
1532+
1533+>>>>>>> debian/changelog
1534 pam (1.0.1-7) unstable; urgency=low
1535
1536 * 027_pam_limits_better_init_allow_explicit_root:
1537@@ -779,6 +2118,70 @@ pam (1.0.1-6) unstable; urgency=low
1538
1539 -- Steve Langasek <vorlon@debian.org> Sat, 28 Feb 2009 13:36:57 -0800
1540
1541+<<<<<<< debian/changelog
1542+=======
1543+pam (1.0.1-5ubuntu2) jaunty; urgency=low
1544+
1545+ * New patch dont_freeze_password_chain, cherry-picked from upstream:
1546+ don't always follow the same path through the password stack on
1547+ the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
1548+ pass; this Linux-PAM deviation from the original PAM spec causes a
1549+ number of problems, in particular causing wrong return values when
1550+ using the refactored pam-auth-update stack. LP: #303515, #305882.
1551+
1552+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 27 Feb 2009 16:20:24 -0800
1553+
1554+pam (1.0.1-5ubuntu1) jaunty; urgency=low
1555+
1556+ * Merge from Debian unstable
1557+ * Remaining changes:
1558+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1559+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1560+ - debian/libpam0g.postinst: only ask questions during update-manager when
1561+ there are non-default services running.
1562+ - debian/patches-applied/series: Ubuntu patches are as below ...
1563+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1564+ type rather than __u8.
1565+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1566+ module option 'missingok' which will suppress logging of errors by
1567+ libpam if the module is not found.
1568+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1569+ password on bad username.
1570+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1571+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1572+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1573+ ~/.pam_environment too, with the same format as
1574+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1575+ - Change Vcs-Bzr to point at the Ubuntu branch.
1576+ - debian/local/pam-auth-update (et al): new interface for managing
1577+ /etc/pam.d/common-*, using drop-in config snippets provided by module
1578+ packages.
1579+ - debian/local/common-password, debian/pam-configs/unix: switch from
1580+ "md5" to "sha512" as password crypt default.
1581+ * Bump the version numbers referenced in the config files, again, as pam
1582+ has revved in Debian and moved the bar.
1583+ * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
1584+ as a present but empty file; thanks to Greg Price for the patch.
1585+ LP: #294513.
1586+ * pam-auth-update: Ignore removed profiles when detecting an empty set
1587+ of currently-enabled modules. Thanks to Greg Price for this as well.
1588+ * debian/control: libpam-runtime needs a versioned dependency on
1589+ debconf, because it uses the x_loadtemplatefile extension that's
1590+ not supported by debconf versions before hardy. LP: #295135.
1591+ * pam-auth-update: trim leading whitespace from multiline fields when
1592+ parsing PAM profiles. LP: #295441.
1593+ * pam-auth-update: factor out the duplicate code used for returning
1594+ the lines for a given module
1595+
1596+ [ Jonathan Marsden ]
1597+ * debian/patches/027_pam_limits_better_init_allow_explicit_root:
1598+ Add to patch, documenting how to set limits for root user.
1599+ Include an example. Alters limits.conf, limits.conf.5.xml,
1600+ and limits.conf.5 . (LP: #65244)
1601+
1602+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 08 Jan 2009 20:26:25 +0000
1603+
1604+>>>>>>> debian/changelog
1605 pam (1.0.1-5) unstable; urgency=low
1606
1607 * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as
1608@@ -814,6 +2217,114 @@ pam (1.0.1-5) unstable; urgency=low
1609
1610 -- Steve Langasek <vorlon@debian.org> Tue, 06 Jan 2009 00:05:13 -0800
1611
1612+<<<<<<< debian/changelog
1613+=======
1614+pam (1.0.1-4ubuntu5.4) jaunty; urgency=low
1615+
1616+ * No-change upload to jaunty to fix publication on armel.
1617+
1618+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 18 Nov 2008 14:09:00 +0000
1619+
1620+pam (1.0.1-4ubuntu5.3) intrepid-updates; urgency=low
1621+
1622+ * No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
1623+ copied while some ports were not built yet.
1624+
1625+ -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 11 Nov 2008 14:50:12 +0100
1626+
1627+pam (1.0.1-4ubuntu5.2) intrepid-proposed; urgency=low
1628+
1629+ * No-change rebuild because the archive admin (me) copied the package
1630+ to jaunty too soon.
1631+
1632+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Nov 2008 20:28:11 +0000
1633+
1634+pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low
1635+
1636+ * Allow passwords to change on expired accounts, by passing
1637+ new_authtok_reqd return codes immediately (LP: #291091).
1638+
1639+ -- Kees Cook <kees@ubuntu.com> Wed, 05 Nov 2008 09:31:45 -0800
1640+
1641+pam (1.0.1-4ubuntu5) intrepid; urgency=low
1642+
1643+ * debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of
1644+ default desktop services that are ignored in deciding whether to prompt
1645+ for service restarts on upgrade. Partially addresses LP #278117.
1646+ * debian/libpam0g.postinst: also filter out samba, which may be installed
1647+ on the desktop to enable filesharing.
1648+ * debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the
1649+ ubiquitous debhelper tokens (currently a no-op)
1650+ * pam-auth-update: Use -Initial only for the first profile, even when
1651+ there's no explicit -Initial config for that first profile
1652+ * fix common-session/common-password to use the same overall stack
1653+ structure as auth/account, so that we get the correct behavior when
1654+ all password modules fail. LP: #272232.
1655+
1656+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Oct 2008 18:11:13 -0700
1657+
1658+pam (1.0.1-4ubuntu4) intrepid; urgency=low
1659+
1660+ * Fix a bug in the parser that caused spewing of errors when there
1661+ were more lines in the config file following the managed block.
1662+ LP: #270328.
1663+
1664+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 23 Sep 2008 06:34:56 +0000
1665+
1666+pam (1.0.1-4ubuntu3) intrepid; urgency=low
1667+
1668+ * Fix up the code that saves state to /var/lib/pam, so that it matches
1669+ what's expected by the code which later compares the saved and active
1670+ profiles in the case that there are both primary and additional
1671+ modules present.
1672+
1673+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 16 Sep 2008 06:49:56 +0000
1674+
1675+pam (1.0.1-4ubuntu2) intrepid; urgency=low
1676+
1677+ * Brown paper bag bug: fix a missing comma in pam-auth-update.
1678+
1679+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 13 Sep 2008 08:55:32 +0000
1680+
1681+pam (1.0.1-4ubuntu1) intrepid; urgency=low
1682+
1683+ * Merge from Debian unstable
1684+ * Remaining changes:
1685+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1686+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1687+ - debian/libpam0g.postinst: only ask questions during update-manager when
1688+ there are non-default services running.
1689+ - debian/patches-applied/series: Ubuntu patches are as below ...
1690+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1691+ type rather than __u8.
1692+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1693+ module option 'missingok' which will suppress logging of errors by
1694+ libpam if the module is not found.
1695+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1696+ password on bad username.
1697+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1698+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1699+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1700+ ~/.pam_environment too, with the same format as
1701+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1702+ - Change Vcs-Bzr to point at the Ubuntu branch.
1703+ - debian/local/pam-auth-update (et al): new interface for managing
1704+ /etc/pam.d/common-*, using drop-in config snippets provided by module
1705+ packages.
1706+ - debian/local/common-password, debian/pam-configs/unix: switch from
1707+ "md5" to "sha512" as password crypt default.
1708+ * Bump the version numbers referenced in the config files, again, as pam
1709+ has revved in Debian and moved the bar.
1710+ * debian/pam-config/*: refine the password profiles to use a 'primary'
1711+ block, to better parallel the auth structure.
1712+ * Drop '-Final' from the field names in /usr/share/pam-configs, supporting
1713+ these field names for backwards compatibility only
1714+ * Bump the dependency version requirement to 1.0.1-4ubuntu1 for the above
1715+ change
1716+
1717+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 13 Sep 2008 08:55:19 +0000
1718+
1719+>>>>>>> debian/changelog
1720 pam (1.0.1-4) unstable; urgency=high
1721
1722 * High-urgency upload for RC bugfix.
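Review bot: lines 1636 to 1637 record a change to how expired accounts are handled ("passing new_authtok_reqd return codes immediately") without naming the file or stack that carries it. The 1.0.1-4ubuntu5 entry at lines 1652 to 1654 separately restructures common-session and common-password to match auth/account, so it is not obvious from the changelog which of the common-* files holds the new_authtok_reqd handling. Please identify that file and confirm the merged configuration still lets an expired account reach the password change step and nothing further.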
1723@@ -836,6 +2347,91 @@ pam (1.0.1-4) unstable; urgency=high
1724
1725 -- Steve Langasek <vorlon@debian.org> Thu, 28 Aug 2008 22:59:23 -0700
1726
1727+<<<<<<< debian/changelog
1728+=======
1729+pam (1.0.1-3ubuntu5) intrepid; urgency=low
1730+
1731+ [ Steve Langasek ]
1732+ * Never remove the .pam-old files; just avoid creating them if --force isn't
1733+ set.
1734+ * Add a manpage for pam-auth-update.
1735+ * Automatically upgrade the boilerplate for /etc/pam.d/common-* if we
1736+ detect that they have not been locally modified.
1737+
1738+ [ Kees Cook ]
1739+ * debian/local/common-password, debian/pam-configs/unix: switch from "md5"
1740+ to "sha512" as password crypt default.
1741+
1742+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 26 Aug 2008 06:33:07 +0000
1743+
1744+pam (1.0.1-3ubuntu4) intrepid; urgency=low
1745+
1746+ * If two profiles have the same Priority, sort by the profile name to
1747+ ensure a complete sort so we can filter out all the duplicates from the
1748+ list and not write out broken configs. LP: #260371.
1749+
1750+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 22 Aug 2008 17:33:14 +0000
1751+
1752+pam (1.0.1-3ubuntu3) intrepid; urgency=low
1753+
1754+ * s/pam-auth-config/pam-auth-update/ in the source, I can't seem to get
1755+ this name consistent to save my life - I'm starting to think I named it
1756+ wrong...
1757+ * Fix the regex used when suppressing jump counts when reading the saved
1758+ config, so that we don't clobber module options with numbers in them.
1759+ * If the target doesn't already exist, don't try to copy it.
1760+ * Filter the config list to exclude configs that no longer exist.
1761+ LP: #260122.
1762+ * Avoid unnecessary sort/grep in the case where we already have a sorted
1763+ list.
1764+ * Implement pam-auth-update --remove, for use in package prerms when called
1765+ with "remove".
1766+
1767+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 21 Aug 2008 15:38:37 -0700
1768+
1769+pam (1.0.1-3ubuntu2) intrepid; urgency=high
1770+
1771+ * debian/local/common-session: the session stack needs to be handled the
1772+ same way as the password stack, with the possibility of zero primary
1773+ modules; required to fix build failures on the Ubuntu buildds due to
1774+ su not being able to open sessions by default. LP: #259867.
1775+ * debian/libpam-runtime.postinst: when upgrading from the broken
1776+ 1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to
1777+ recover.
1778+
1779+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Aug 2008 13:27:10 -0700
1780+
1781+pam (1.0.1-3ubuntu1) intrepid; urgency=low
1782+
1783+ * Merge from Debian unstable
1784+ * Remaining changes:
1785+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1786+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1787+ - debian/libpam0g.postinst: only ask questions during update-manager when
1788+ there are non-default services running.
1789+ - debian/patches-applied/series: Ubuntu patches are as below ...
1790+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1791+ type rather than __u8.
1792+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1793+ module option 'missingok' which will suppress logging of errors by
1794+ libpam if the module is not found.
1795+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1796+ password on bad username.
1797+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1798+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1799+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1800+ ~/.pam_environment too, with the same format as
1801+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1802+ - Change Vcs-Bzr to point at the Ubuntu branch.
1803+ - debian/local/pam-auth-update (et al): new interface for managing
1804+ /etc/pam.d/common-*, using drop-in config snippets provided by module
1805+ packages.
1806+ * Remove spurious 'conflict' with a non-existent module, which was added
1807+ just as an example
1808+
1809+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Aug 2008 11:58:35 -0700
1810+
1811+>>>>>>> debian/changelog
1812 pam (1.0.1-3) unstable; urgency=high
1813
1814 * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL
1815@@ -845,6 +2441,43 @@ pam (1.0.1-3) unstable; urgency=high
1816
1817 -- Steve Langasek <vorlon@debian.org> Wed, 20 Aug 2008 11:55:47 -0700
1818
1819+<<<<<<< debian/changelog
1820+=======
1821+pam (1.0.1-2ubuntu1) intrepid; urgency=low
1822+
1823+ * Merge from Debian unstable
1824+ * Remaining changes:
1825+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1826+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1827+ - debian/libpam-runtime.postinst,
1828+ debian/local/common-{auth,password}{,.md5sums}:
1829+ Use the new 'missingok' option by default for pam_smbpass in case
1830+ libpam-smbpass is not installed (LP: #216990); must use "requisite"
1831+ rather than "required" to prevent "pam_smbpass migrate" from firing in
1832+ the event of an auth failure; md5sums updated accordingly.
1833+ - debian/libpam0g.postinst: only ask questions during update-manager when
1834+ there are non-default services running.
1835+ - debian/patches-applied/series: Ubuntu patches are as below ...
1836+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1837+ type rather than __u8.
1838+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1839+ module option 'missingok' which will suppress logging of errors by
1840+ libpam if the module is not found.
1841+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1842+ password on bad username.
1843+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1844+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1845+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1846+ ~/.pam_environment too, with the same format as
1847+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1848+ - Change Vcs-Bzr to point at the Ubuntu branch.
1849+ * debian/local/pam-auth-update (et al): new interface for managing
1850+ /etc/pam.d/common-*, using drop-in config snippets provided by module
1851+ packages.
1852+
1853+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Aug 2008 09:17:28 +0000
1854+
1855+>>>>>>> debian/changelog
1856 pam (1.0.1-2) unstable; urgency=low
1857
1858 * 007_modules_pam_unix: update the documentation to correctly document
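Review bot: lines 1829 to 1832 and 1838 to 1840 describe missingok only as suppressing libpam's error logging when a module is not found. The entry does not say what the stack returns in that case. With pam_smbpass set to "requisite" in common-auth and common-password, please document whether a missing module carrying missingok is skipped or still counted as a failure, and confirm the option appears only on the pam_smbpass lines so that a mistyped module name elsewhere in the stack is still logged.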
1859@@ -869,6 +2502,52 @@ pam (1.0.1-2) unstable; urgency=low
1860
1861 -- Steve Langasek <vorlon@debian.org> Fri, 08 Aug 2008 10:47:26 -0700
1862
1863+<<<<<<< debian/changelog
1864+=======
1865+pam (1.0.1-1ubuntu1) intrepid; urgency=low
1866+
1867+ * Merge from Debian unstable
1868+ * Dropped changes:
1869+ - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
1870+ is 2 years newer than Debian's, contains a number of character escaping
1871+ fixes plus content updates
1872+ - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
1873+ correctly support seusers (backported from changes in PAM 0.99.8).
1874+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
1875+ The nis package handles overriding this as necessary.
1876+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE
1877+ from below as well as from above. Fix off-by-one error when converting
1878+ RLIMIT_NICE to the range of values used by the kernel.
1879+ * Remaining changes:
1880+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1881+ present there or in /etc/security/pam_env.conf. (should send to Debian).
1882+ - debian/libpam-runtime.postinst,
1883+ debian/local/common-{auth,password}{,.md5sums}:
1884+ Use the new 'missingok' option by default for pam_smbpass in case
1885+ libpam-smbpass is not installed (LP: #216990); must use "requisite"
1886+ rather than "required" to prevent "pam_smbpass migrate" from firing in
1887+ the event of an auth failure; md5sums updated accordingly.
1888+ - debian/libpam0g.postinst: only ask questions during update-manager when
1889+ there are non-default services running.
1890+ - debian/patches-applied/series: Ubuntu patches are as below ...
1891+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1892+ type rather than __u8.
1893+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1894+ module option 'missingok' which will suppress logging of errors by
1895+ libpam if the module is not found.
1896+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
1897+ password on bad username.
1898+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1899+ initialise RLIMIT_NICE rather than relying on the kernel limits.
1900+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1901+ ~/.pam_environment too, with the same format as
1902+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1903+ * Refresh patch ubuntu-no-error-if-missingok for the new upstream version.
1904+ * Change Vcs-Bzr to point at the new Ubuntu branch.
1905+
1906+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 28 Jul 2008 20:58:26 +0000
1907+
1908+>>>>>>> debian/changelog
1909 pam (1.0.1-1) unstable; urgency=low
1910
1911 * New upstream version.
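Review bot: The three lines added around the `pam (1.0.1-1ubuntu1)` entry that name `debian/changelog` are unresolved conflict markers and are not valid changelog syntax. The first side of the conflict is empty, so the resolution is to keep the Ubuntu entry and delete the three marker lines. The other changelog hunks that wrap historical Ubuntu entries the same way need the same treatment.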
1912@@ -984,6 +2663,72 @@ pam (0.99.7.1-7) unstable; urgency=medium
1913
1914 -- Steve Langasek <vorlon@debian.org> Mon, 21 Jul 2008 11:49:59 -0700
1915
1916+<<<<<<< debian/changelog
1917+=======
1918+pam (0.99.7.1-6ubuntu2) intrepid; urgency=low
1919+
1920+ * debian/libpam-modules.postinst: revert addition of ~/bin to the end of the
1921+ default PATH set in /etc/environment as it was pointed out by Colin
1922+ Watson that getenv() does not properly expand '~'
1923+
1924+ -- Jamie Strandboge <jamie@ubuntu.com> Tue, 24 Jun 2008 06:29:40 -0400
1925+
1926+pam (0.99.7.1-6ubuntu1) intrepid; urgency=low
1927+
1928+ * Merge from debian unstable
1929+ * Dropped changes:
1930+ - Linux-PAM/modules/pam_limits/README,
1931+ Linux-PAM/modules/pam_selinux/README: Ubuntu versions had some
1932+ insignificant character differences, dropping in favor of Debian
1933+ versions; pam_selinux documentation has dropped "multiple", and added
1934+ "select_context", and "use_current_range" as options.
1935+ - debian/control, debian/local/common-session{,md5sums}: use
1936+ libpam-foreground for session management.
1937+ - Build using db4.5 instead of db4.6.
1938+ * Remaining changes:
1939+ - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
1940+ is 2 years newer than Debian's, contains a number of character escaping
1941+ fixes plus content updates; (should send to Debian).
1942+ - debian/control: Maintainer updated.
1943+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
1944+ present there or in /etc/security/pam_env.conf; add ~/bin to PATH
1945+ (LP: #64064); (should send to Debian).
1946+ - debian/libpam-runtime.postinst,
1947+ debian/local/common-{auth,password}{,.md5sums}:
1948+ Use the new 'missingok' option by default for pam_smbpass in case
1949+ libpam-smbpass is not installed (LP: #216990); must use "requisite"
1950+ rather than "required" to prevent "pam_smbpass migrate" from firing in
1951+ the event of an auth failure; md5sums updated accordingly.
1952+ - debian/libpam0g.postinst: only ask questions during update-manager when
1953+ there are non-default services running (LP: #141309).
1954+ - debian/applied/series: Ubuntu patches are as below ...
1955+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
1956+ type rather than __u8.
1957+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
1958+ module option 'missingok' which will suppress logging of errors by
1959+ libpam if the module is not found.
1960+ - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
1961+ correctly support seusers (backported from changes in PAM 0.99.8).
1962+ Without this patch login will not get correct security context when
1963+ using libselinux >= 1.27.2 (LP: #187822).
1964+ - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
1965+ earlier behavior would correctly prompt for password on bad usernames
1966+ (LP: #139075).
1967+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
1968+ initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
1969+ RLIMIT_NICE from below as well as from above. Fix off-by-one error when
1970+ converting RLIMIT_NICE to the range of values used by the kernel.
1971+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
1972+ ~/.pam_environment too, with the same format as
1973+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
1974+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
1975+ The nis package handles overriding this as necessary.
1976+ * Alphabetized this merge changelog entry by filename (easier reading
1977+ against Ubuntu patch).
1978+
1979+ -- Dustin Kirkland <kirkland@ubuntu.com> Fri, 20 Jun 2008 10:32:00 -0500
1980+
1981+>>>>>>> debian/changelog
1982 pam (0.99.7.1-6) unstable; urgency=low
1983
1984 * Debconf translations:
1985@@ -1010,6 +2755,101 @@ pam (0.99.7.1-6) unstable; urgency=low
1986
1987 -- Steve Langasek <vorlon@debian.org> Sun, 16 Mar 2008 02:06:28 -0700
1988
1989+<<<<<<< debian/changelog
1990+=======
1991+pam (0.99.7.1-5ubuntu8) intrepid; urgency=low
1992+
1993+ * debian/libpam-modules.postinst: Add ~/bin to the end of the default PATH
1994+ set in /etc/environment (LP: #64064).
1995+
1996+ -- Dustin Kirkland <kirkland@ubuntu.com> Thu, 19 Jun 2008 12:52:48 -0500
1997+
1998+pam (0.99.7.1-5ubuntu7) intrepid; urgency=low
1999+
2000+ * debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
2001+ module option 'missingok' which will suppress logging of errors by
2002+ libpam if the module is not found.
2003+ * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
2004+ Use the new 'missingok' option by default for pam_smbpass, to
2005+ correct the problem of very loud logging introduced in the previous
2006+ upload when libpam-smbpass is not installed. LP: #216990.
2007+
2008+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 22 Apr 2008 18:53:37 +0000
2009+
2010+pam (0.99.7.1-5ubuntu6) hardy; urgency=low
2011+
2012+ * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
2013+ Add pam_smbpass as an optional module in the stack, to keep NTLM
2014+ passwords (for filesharing) in sync with the main system passwords on a
2015+ best-effort basis. LP: #208419.
2016+
2017+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 08 Apr 2008 18:21:40 +0000
2018+
2019+pam (0.99.7.1-5ubuntu5) hardy; urgency=low
2020+
2021+ * debian/local/common-session: Drop libpam-foreground. It's gone for good,
2022+ and we do not want this in the PAM config for new installations, since it
2023+ just spams syslog with error messages. (LP: #198714)
2024+
2025+ -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 11 Mar 2008 11:22:11 +0100
2026+
2027+pam (0.99.7.1-5ubuntu4) hardy; urgency=low
2028+
2029+ * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support
2030+ seusers (backported from changes in PAM 0.99.8). Without this patch
2031+ login will not get correct security context when using libselinux
2032+ >= 1.27.2 (LP: #187822).
2033+
2034+ -- Caleb Case <ccase@tresys.com> Wed, 30 Jan 2008 06:39:48 -0500
2035+
2036+pam (0.99.7.1-5ubuntu3) hardy; urgency=low
2037+
2038+ * Temporarily reenable libpam-foreground in common-session again, until
2039+ dbus' at_console policy works with ConsoleKit.
2040+
2041+ -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 29 Nov 2007 15:17:54 +0100
2042+
2043+pam (0.99.7.1-5ubuntu2) hardy; urgency=low
2044+
2045+ * debian/local/common-session{,.md5sums}, debian/control: Drop
2046+ libpam-foreground, superseded by ConsoleKit integration into hal.
2047+ * debian/control: Build against libdb4.6 again. This drops this Debian delta
2048+ and 4.6 is our target version in Hardy.
2049+
2050+ -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 22 Nov 2007 18:56:47 +0100
2051+
2052+pam (0.99.7.1-5ubuntu1) gutsy; urgency=low
2053+
2054+ * Resynchronise with Debian. Remaining changes:
2055+ - debian/control, debian/local/common-session{,md5sums}: use
2056+ libpam-foreground for session management.
2057+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
2058+ The nis package handles overriding this as necessary.
2059+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2060+ present there or in /etc/security/pam_env.conf.
2061+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2062+ type rather than __u8.
2063+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2064+ initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
2065+ RLIMIT_NICE from below as well as from above. Fix off-by-one error when
2066+ converting RLIMIT_NICE to the range of values used by the kernel.
2067+ (Originally patch 101; converted to quilt.)
2068+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
2069+ ~/.pam_environment too, with the same format as
2070+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2071+ - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
2072+ earlier behavior would correctly prompt for password on bad usernames
2073+ (LP: #139075).
2074+ - Build using db4.5 instead of db4.6.
2075+ - debian/libpam0g.postinst: only ask questions during update-manager when
2076+ there are non-default services running (LP: #141309).
2077+ * debian/libpam0g.postinst: don't display a debconf warning about display
2078+ managers that need restarting when update-manager is running, instead
2079+ signal to update-notifier if a reboot is required.
2080+
2081+ -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 23:45:24 -0700
2082+
2083+>>>>>>> debian/changelog
2084 pam (0.99.7.1-5) unstable; urgency=low
2085
2086 * More lintian overrides, related to debconf prompting in the postinst
2087@@ -1054,6 +2894,58 @@ pam (0.99.7.1-5) unstable; urgency=low
2088
2089 -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 00:17:00 -0700
2090
2091+<<<<<<< debian/changelog
2092+=======
2093+pam (0.99.7.1-4ubuntu4) gutsy; urgency=low
2094+
2095+ * debian/libpam0g.postinst: call "reload" for all display managers
2096+ (LP: #139065).
2097+ * debian/libpam0g.postinst: only ask questions during update-manager when
2098+ there are non-default services running (LP: #141309).
2099+
2100+ -- Kees Cook <kees@ubuntu.com> Mon, 24 Sep 2007 15:01:29 -0700
2101+
2102+pam (0.99.7.1-4ubuntu3) gutsy; urgency=low
2103+
2104+ * ubuntu-regression_fix_securetty: securetty's earlier behavior would
2105+ correctly prompt for password on bad usernames (LP: #139075).
2106+
2107+ -- Kees Cook <kees@ubuntu.com> Wed, 12 Sep 2007 15:20:09 -0700
2108+
2109+pam (0.99.7.1-4ubuntu2) gutsy; urgency=low
2110+
2111+ * Build using db4.5 (instead of db4.6). One db4.x version less on the CD.
2112+
2113+ -- Matthias Klose <doko@ubuntu.com> Wed, 12 Sep 2007 17:44:25 +0200
2114+
2115+pam (0.99.7.1-4ubuntu1) gutsy; urgency=low
2116+
2117+ * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
2118+ - debian/control, debian/local/common-session{,md5sums}: use
2119+ libpam-foreground for session management.
2120+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
2121+ The nis package handles overriding this as necessary.
2122+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
2123+ present there or in /etc/security/pam_env.conf.
2124+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
2125+ type rather than __u8.
2126+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
2127+ initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
2128+ RLIMIT_NICE from below as well as from above. Fix off-by-one error when
2129+ converting RLIMIT_NICE to the range of values used by the kernel.
2130+ (Originally patch 101; converted to quilt.)
2131+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
2132+ ~/.pam_environment too, with the same format as
2133+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
2134+ * Dropped:
2135+ - debian/rules: bashism fixes (merged upstream).
2136+ - debian/control: Conflict on ancient nis (expired with Breezy).
2137+ - debian/libpam-runtime.postinst: check for ancient pam (expired with
2138+ Breezy).
2139+
2140+ -- Kees Cook <kees@ubuntu.com> Wed, 05 Sep 2007 15:18:36 -0700
2141+
2142+>>>>>>> debian/changelog
2143 pam (0.99.7.1-4) unstable; urgency=low
2144
2145 * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
2146@@ -1300,6 +3192,35 @@ pam (0.99.7.1-2) unstable; urgency=low
2147
2148 -- Steve Langasek <vorlon@debian.org> Sun, 26 Aug 2007 19:15:09 -0700
2149
2150+<<<<<<< debian/changelog
2151+=======
2152+pam (0.79-4ubuntu2) feisty; urgency=low
2153+
2154+ * Remove /usr/bin/X11 from default PATH (new installs only).
2155+
2156+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 20 Dec 2006 16:14:37 +0000
2157+
2158+pam (0.79-4ubuntu1) feisty; urgency=low
2159+
2160+ * Resynchronise with Debian. Remaining changes:
2161+ - Patch 100 (renumbered from 060): Look at ~/.pam_environment too, with
2162+ the same format as /etc/security/pam_env.conf.
2163+ - Patch 101 (renumbered from 061): Explicitly initialise RLIMIT_NICE
2164+ rather than relying on the kernel limits. Bound RLIMIT_NICE from below
2165+ as well as from above. Fix off-by-one error when converting
2166+ RLIMIT_NICE to the range of values used by the kernel.
2167+ - Add PATH to /etc/environment if it's not present there or in
2168+ /etc/security/pam_env.conf.
2169+ - debian/rules: Fix a bashism.
2170+ - Install unix_chkpwd setgid shadow instead of setuid root. The nis
2171+ package handles overriding this as necessary.
2172+ - Use pam_foreground in the default session.
2173+ - Linux-PAM/libpamc/test/regress/test.libpamc.c: Use standard u_int8_t
2174+ type rather than __u8.
2175+
2176+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 19 Dec 2006 10:32:47 +0000
2177+
2178+>>>>>>> debian/changelog
2179 pam (0.79-4) unstable; urgency=medium
2180
2181 * Medium-urgency upload; at least one RC bugfix, but also a
2182@@ -1352,6 +3273,15 @@ pam (0.79-3.2) unstable; urgency=low
2183
2184 -- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -0300
2185
2186+<<<<<<< debian/changelog
2187+=======
2188+pam (0.79-3.1ubuntu1) edgy; urgency=low
2189+
2190+ * Resynchronise with Debian.
2191+
2192+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 29 Jun 2006 17:27:34 +0100
2193+
2194+>>>>>>> debian/changelog
2195 pam (0.79-3.1) unstable; urgency=low
2196
2197 * Non-maintainer upload.
2198@@ -1362,6 +3292,117 @@ pam (0.79-3.1) unstable; urgency=low
2199
2200 -- Roger Leigh <rleigh@debian.org> Sun, 5 Feb 2006 21:46:59 +0000
2201
2202+<<<<<<< debian/changelog
2203+=======
2204+pam (0.79-3ubuntu14) dapper; urgency=low
2205+
2206+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: Protect use of
2207+ RLIMIT_NICE in init_limits() with an #ifdef.
2208+
2209+ -- Colin Watson <cjwatson@ubuntu.com> Fri, 12 May 2006 17:42:40 +0100
2210+
2211+pam (0.79-3ubuntu13) dapper; urgency=low
2212+
2213+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: Set soft and hard
2214+ nice limits to 20 (= userland nice value 0) rather than unlimited by
2215+ default. Correct off-by-one error (the same error as in Linux 2.6.12,
2216+ but fixed in 2.6.13) in user<->kernel translation of nice limit.
2217+
2218+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 11 May 2006 11:29:58 +0100
2219+
2220+pam (0.79-3ubuntu12) dapper; urgency=low
2221+
2222+ * debian/control: Add libpam-foreground dependency to libpam-runtime, since
2223+ the default /etc/pam.d/common-session refers to it. Closes: LP#35142
2224+
2225+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 10 Apr 2006 14:42:40 +0200
2226+
2227+pam (0.79-3ubuntu11) dapper; urgency=low
2228+
2229+ [ Dana Olson ]
2230+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: removed glibc
2231+ workaround now that glibc is aware of rlimits.
2232+
2233+ [ Martin Pitt ]
2234+ * debian/rules: Fix bashisms.
2235+
2236+ -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 6 Apr 2006 15:03:37 +0200
2237+
2238+pam (0.79-3ubuntu10) dapper; urgency=low
2239+
2240+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: Support "nice" and
2241+ "rtprio" rlimits, new in Linux 2.6.12. Backported from upstream thanks
2242+ to Dana Olson and others (closes: Malone #17348).
2243+
2244+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 23 Feb 2006 16:22:12 +0000
2245+
2246+pam (0.79-3ubuntu9) dapper; urgency=low
2247+
2248+ * Fix operator precedence in libpam-modules.postinst.
2249+
2250+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 16 Feb 2006 15:23:04 +0000
2251+
2252+pam (0.79-3ubuntu8) dapper; urgency=low
2253+
2254+ * Make pam_env be quiet if it can't find the user's configuration file,
2255+ since it's optional.
2256+
2257+ -- Tollef Fog Heen <tfheen@ubuntu.com> Sat, 4 Feb 2006 16:44:12 +0100
2258+
2259+pam (0.79-3ubuntu7) dapper; urgency=low
2260+
2261+ * Add the PATH on initial install for real this time.
2262+
2263+ -- Tollef Fog Heen <tfheen@ubuntu.com> Thu, 2 Feb 2006 20:33:42 +0100
2264+
2265+pam (0.79-3ubuntu6) dapper; urgency=low
2266+
2267+ * Changes from Roger Leigh:
2268+
2269+ * Linux-PAM/libpamc/include/security/pam_client.h,
2270+ Linux-PAM/libpamc/pamc_converse.c: Apply patch from
2271+ latest upstream version to remove redefinition of internal
2272+ glibc/libstdc++ types. Closes: #344447.
2273+ * Linux-PAM/libpamc/test/regress/test.libpamc.c: Also switch to standard
2274+ types; not taken from upstream.
2275+
2276+ -- Reinhard Tartler <siretart@ubuntu.com> Wed, 1 Feb 2006 13:14:24 +0000
2277+
2278+pam (0.79-3ubuntu5) dapper; urgency=low
2279+
2280+ * Add pam_foreground to /etc/pam.d/common-session
2281+
2282+ -- Matthew Garrett <mjg59@srcf.ucam.org> Tue, 24 Jan 2006 02:26:19 +0000
2283+
2284+pam (0.79-3ubuntu4) dapper; urgency=low
2285+
2286+ * Add PATH on initial install, too.
2287+
2288+ -- Tollef Fog Heen <tfheen@ubuntu.com> Mon, 23 Jan 2006 15:55:40 +0100
2289+
2290+pam (0.79-3ubuntu3) dapper; urgency=low
2291+
2292+ * Add PATH to /etc/environment if it's not present there or in
2293+ /etc/security/pam_env.conf and we are upgrading from a version which
2294+ didn't add it.
2295+
2296+ -- Tollef Fog Heen <tfheen@ubuntu.com> Tue, 17 Jan 2006 15:54:01 +0100
2297+
2298+pam (0.79-3ubuntu2) dapper; urgency=low
2299+
2300+ * Look at ~/.pam_environment too. Same format as
2301+ /etc/security/pam_env.conf. The patch is recorded as
2302+ patches-applied/060_pam_env_per_user
2303+
2304+ -- Tollef Fog Heen <tfheen@ubuntu.com> Tue, 17 Jan 2006 15:32:55 +0100
2305+
2306+pam (0.79-3ubuntu1) dapper; urgency=low
2307+
2308+ * Resynchronise with Debian.
2309+
2310+ -- Colin Watson <cjwatson@ubuntu.com> Mon, 21 Nov 2005 12:15:44 +0000
2311+
2312+>>>>>>> debian/changelog
2313 pam (0.79-3) unstable; urgency=low
2314
2315 * Patch 059
2316@@ -1442,6 +3483,37 @@ pam (0.76-23) unstable; urgency=low
2317
2318 -- Sam Hartman <hartmans@debian.org> Sun, 10 Jul 2005 16:42:25 -0400
2319
2320+<<<<<<< debian/changelog
2321+=======
2322+pam (0.76-22ubuntu3) breezy; urgency=low
2323+
2324+ * Fix pam_getenv, which never worked:
2325+ - Parse /etc/security/pam_env.conf using its own syntax, and then
2326+ /etc/environment using its own syntax rather than the syntax of
2327+ /etc/security/pam_env.conf.
2328+ - 'my $val' was used in an incorrect scope; fixed.
2329+ - Exit non-zero if the requested environment variable is not found.
2330+
2331+ -- Colin Watson <cjwatson@ubuntu.com> Mon, 12 Sep 2005 18:32:54 +0100
2332+
2333+pam (0.76-22ubuntu2) breezy; urgency=low
2334+
2335+ * debian/rules: Install unix_chkpwd setgid shadow instead of setuid root.
2336+ This only breaks when using NIS lookups, therefore the new nis package
2337+ dpkg-statoverrides it back to setuid root while being installed.
2338+ (Debian #155583, http://udu.wiki.ubuntu.com/ProactiveSecurityRoadmap)
2339+ * debian/control: Added conflict to nis (<< 3.13-3ubuntu1): This is the
2340+ version that corrects the permissions for usage with NIS.
2341+
2342+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 17 Jun 2005 12:34:23 +0200
2343+
2344+pam (0.76-22ubuntu1) breezy; urgency=low
2345+
2346+ * Fix FTBFS with gcc-3.4 (closes: #259634). Ubuntu 9037.
2347+
2348+ -- Matthias Klose <doko@ubuntu.com> Wed, 4 May 2005 18:14:51 +0200
2349+
2350+>>>>>>> debian/changelog
2351 pam (0.76-22) unstable; urgency=medium
2352
2353 * Add uploaders
2354@@ -1861,8 +3933,11 @@ pam (0.72-20) unstable; urgency=low
2355
2356 -- Sam Hartman <hartmans@debian.org> Fri, 6 Apr 2001 06:38:15 -0400
2357
2358+<<<<<<< debian/changelog
2359
2360
2361+=======
2362+>>>>>>> debian/changelog
2363 pam (0.72-19) unstable; urgency=low
2364
2365 * New maintainer, closes: #92353
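Review bot: The conflict added above `pam (0.72-19)` differs only in blank lines: one side holds the two empty context lines and the other holds nothing. Keep the target branch's blank lines and drop the markers, so that this part of the changelog stays identical to Debian's and the hunk disappears from the delta.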
2366@@ -2668,3 +4743,7 @@ pam (0.56-1) unstable; urgency=low
2367 * Reorganization of package structure (-dev, -dbg, etc).
2368
2369 -- Klee Dienes <klee@debian.org> Sat, 8 Mar 1997 01:21:17 -0500
2370+<<<<<<< debian/changelog
2371+=======
2372+
2373+>>>>>>> debian/changelog
2374diff --git a/debian/control b/debian/control
2375index 9c76380..766d319 100644
2376--- a/debian/control
2377+++ b/debian/control
2378@@ -2,13 +2,24 @@ Source: pam
2379 Section: libs
2380 Priority: optional
2381 Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
2382+<<<<<<< debian/control
2383 Maintainer: Steve Langasek <vorlon@debian.org>
2384+=======
2385+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2386+XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
2387+>>>>>>> debian/control
2388 Standards-Version: 3.9.8
2389 Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m
2390 Build-Conflicts-Indep: fop
2391 Build-Conflicts: libdb4.2-dev, libxcrypt-dev
2392+<<<<<<< debian/control
2393 Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
2394 Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
2395+=======
2396+Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
2397+XS-Debian-Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
2398+XS-Debian-Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
2399+>>>>>>> debian/control
2400 Homepage: http://www.linux-pam.org/
2401
2402 Package: libpam0g
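Review bot: In the source stanza the conflict leaves both `Maintainer:` lines and both `Vcs-Bzr:` lines in place, so deleting only the marker lines would still give duplicate fields. Choose one side per field: the Ubuntu side pairs `Maintainer: Ubuntu Developers ...` with `XSBC-Original-Maintainer:` and moves the Debian URLs to `XS-Debian-Vcs-Bzr` and `XS-Debian-Vcs-Browser`, so the unprefixed Debian `Maintainer`, `Vcs-Bzr` and `Vcs-Browser` lines have to go if that side is taken. The Ubuntu side then has no `Vcs-Browser:` of its own; please say whether that is intended.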
2403@@ -36,6 +47,10 @@ Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam0g (>= 1.1.3-2),
2404 libpam-modules-bin (= ${binary:Version})
2405 Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask
2406 Replaces: libpam0g-util, libpam-umask
2407+<<<<<<< debian/control
2408+=======
2409+Recommends: update-motd
2410+>>>>>>> debian/control
2411 Provides: libpam-motd, libpam-mkhomedir, libpam-umask
2412 Description: Pluggable Authentication Modules for PAM
2413 This package completes the set of modules for PAM. It includes the
2414diff --git a/debian/libpam-modules-bin.install b/debian/libpam-modules-bin.install
2415index fee3bce..6ab6ac7 100644
2416--- a/debian/libpam-modules-bin.install
2417+++ b/debian/libpam-modules-bin.install
2418@@ -4,3 +4,8 @@ sbin/pam_tally sbin
2419 sbin/pam_tally2 sbin
2420 sbin/mkhomedir_helper sbin
2421 sbin/pam_timestamp_check usr/sbin
2422+<<<<<<< debian/libpam-modules-bin.install
2423+=======
2424+sbin/pam_extrausers_chkpwd sbin
2425+sbin/pam_extrausers_update sbin
2426+>>>>>>> debian/libpam-modules-bin.install
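Review bot: The added entries `sbin/pam_extrausers_chkpwd sbin` and `sbin/pam_extrausers_update sbin` are wrapped in conflict-marker lines, which are not valid entries for this install list and must be removed. Please also state the owner and mode these two helpers are installed with. The changelog in this same merge records `unix_chkpwd` being installed setgid shadow instead of setuid root, and the extrausers helpers should get an equally deliberate, narrow mode rather than whatever the build leaves behind.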
2427diff --git a/debian/libpam-modules.manpages b/debian/libpam-modules.manpages
2428index a9f488d..9287b2e 100644
2429--- a/debian/libpam-modules.manpages
2430+++ b/debian/libpam-modules.manpages
2431@@ -1,2 +1,6 @@
2432 debian/tmp/usr/share/man/man8/pam_*.8
2433 debian/tmp/usr/share/man/man5/*conf.5
2434+<<<<<<< debian/libpam-modules.manpages
2435+=======
2436+debian/update-motd.5
2437+>>>>>>> debian/libpam-modules.manpages
2438diff --git a/debian/libpam-modules.postinst b/debian/libpam-modules.postinst
2439index ce03090..0969526 100644
2440--- a/debian/libpam-modules.postinst
2441+++ b/debian/libpam-modules.postinst
2442@@ -17,6 +17,21 @@ then
2443 touch /etc/environment
2444 fi
2445
2446+<<<<<<< debian/libpam-modules.postinst
2447+=======
2448+# Add PATH to /etc/environment if it's not present there or in
2449+# /etc/security/pam_env.conf
2450+if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 1.1.3-7ubuntu3; then
2451+ if ! grep -qs ^PATH /etc/security/pam_env.conf; then
2452+ if ! grep -qs ^PATH= /etc/environment; then
2453+ echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"' >> /etc/environment
2454+ elif ! grep -qs "^PATH=.*/usr/local/games" /etc/environment; then
2455+ sed -i '/^PATH=/ s,:/usr/games,:/usr/games:/usr/local/games,g' /etc/environment
2456+ fi
2457+ fi
2458+fi
2459+
2460+>>>>>>> debian/libpam-modules.postinst
2461 if dpkg --compare-versions "$2" lt-nl 1.1.2-1 \
2462 && grep -q 'pam_unix.*\bmin=[0-9]\+' /etc/pam.d/common-password
2463 then
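Review bot: The `sed` on the `elif` branch rewrites every `:/usr/games` in the `PATH=` line without checking where the component ends, so a longer entry that merely starts with that text (for example a hypothetical `:/usr/games-extra`) would be split into `:/usr/games:/usr/local/games-extra`. It also does nothing when `/usr/games` is the first component, because the pattern requires the leading colon, and in that case `/usr/local/games` is silently never added. Match `/usr/games` only when it is bounded by a colon, the opening or closing quote, or the end of the line. The first `grep -qs ^PATH` has no delimiter after the name and would also match another variable whose name begins with `PATH`. The conflict-marker lines around the block have to be removed before this script can be parsed by the shell.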
2464diff --git a/debian/libpam0g.postinst b/debian/libpam0g.postinst
2465index bc8a52f..16affb8 100644
2466--- a/debian/libpam0g.postinst
2467+++ b/debian/libpam0g.postinst
2468@@ -69,6 +69,10 @@ installed_services() {
2469 -e's/\bhylafax-server\b/hylafax/g' \
2470 -e's/\bpartimage-server\b/partimaged/g' \
2471 -e's/\bpostgresql-common\b/postgresql/g' \
2472+<<<<<<< debian/libpam0g.postinst
2473+=======
2474+ -e's/\bsamba\b/smbd-ad-dc/g' \
2475+>>>>>>> debian/libpam0g.postinst
2476 -e's/\bsasl2-bin\b/saslauthd/g' \
2477 )
2478
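Review bot: The added mapping `-e's/\bsamba\b/smbd-ad-dc/g'` produces a name that the default-service filter added further down in this file does not remove cleanly. That filter strips `\bsmbd\b`, which matches the `smbd` at the start of `smbd-ad-dc` and leaves `-ad-dc` behind, so if `smbd-ad-dc` reaches the filter the system still counts as having non-default services and the prompt stays at critical priority. Either add `smbd-ad-dc` to the filter or confirm that samba is meant to keep the critical prompt. The marker lines also sit in the middle of a backslash-continued `sed` invocation and must be deleted for the command to parse.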
2479@@ -112,13 +116,36 @@ then
2480 echo "Checking init scripts..."
2481 services=$(installed_services "$check")
2482 if [ -n "$services" ]; then
2483+<<<<<<< debian/libpam0g.postinst
2484 db_input critical libraries/restart-without-asking || true
2485+=======
2486+ db_reset libpam0g/restart-services
2487+ db_set libpam0g/restart-services "$services"
2488+ question_priority="critical"
2489+ # Do not prompt when we're running in the upgrade-manager
2490+ # and only default services need restarting.
2491+ nondefault_services=$(echo "$services" | sed \
2492+ -e's/\batd\b//g' \
2493+ -e's/\bcron\b//g' \
2494+ -e's/\bcups\b//g' \
2495+ -e's/\bgdm\b//g' \
2496+ -e's/\bsmbd\b//g' \
2497+ -e's/^ *//g')
2498+ if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] && [ -z "$nondefault_services" ]; then
2499+ question_priority="medium"
2500+ fi
2501+ db_input "$question_priority" libraries/restart-without-asking || true
2502+>>>>>>> debian/libpam0g.postinst
2503 db_go || true
2504 db_get libraries/restart-without-asking
2505 if [ "$RET" != true ]; then
2506 db_reset libpam0g/restart-services
2507 db_set libpam0g/restart-services "$services"
2508+<<<<<<< debian/libpam0g.postinst
2509 db_input critical libpam0g/restart-services || true
2510+=======
2511+ db_input "$question_priority" libpam0g/restart-services || true
2512+>>>>>>> debian/libpam0g.postinst
2513 db_go || true
2514 db_get libpam0g/restart-services
2515
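Review bot: The unchanged `db_input critical libraries/restart-without-asking || true` line is still present ahead of the new block, and `db_input critical libpam0g/restart-services || true` ahead of its `"$question_priority"` replacement, so deleting only the marker lines would ask each question at critical priority first and defeat the downgrade to medium. Resolve by dropping the two `critical` lines. The early `db_reset` and `db_set libpam0g/restart-services "$services"` pair repeats what the block inside `if [ "$RET" != true ]` already does; add a comment saying why it is needed before the first question, or remove it. `RELEASE_UPGRADE_IN_PROGRESS` is tested only for being non-empty, so a comment naming what is expected to set it would help the next reader.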
2516@@ -139,6 +166,16 @@ then
2517
2518 case "$service" in
2519 gdm)
2520+<<<<<<< debian/libpam0g.postinst
2521+=======
2522+ # If gdm isn't running, there's no need to reload it (LP: #745532)
2523+ if ! $idl status | grep -q 'Active: active (running)'
2524+ then
2525+ echo " $service: not running, no reload needed."
2526+ continue
2527+ fi
2528+
2529+>>>>>>> debian/libpam0g.postinst
2530 echo -n " $service: reloading..."
2531 if $idl reload > /dev/null 2>&1; then
2532 echo "done."
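Review bot: The new gdm check, `if ! $idl status | grep -q 'Active: active (running)'`, decides on one exact line of human-readable status output, so a running gdm whose `status` prints anything else (a different init system, a translated message) is reported as "not running" and its reload is skipped. Prefer the exit status of `$idl status`, or at least run the pipeline under `LC_ALL=C` and say in the comment which status format is expected.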
2533@@ -184,8 +221,19 @@ then
2534 done
2535 services=$(installed_services "$dms")
2536 if [ -n "$services" ]; then
2537+<<<<<<< debian/libpam0g.postinst
2538 db_input critical libpam0g/xdm-needs-restart || true
2539 db_go || true
2540+=======
2541+ if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] \
2542+ && [ -x /usr/share/update-notifier/notify-reboot-required ]
2543+ then
2544+ /usr/share/update-notifier/notify-reboot-required
2545+ else
2546+ db_input critical libpam0g/xdm-needs-restart || true
2547+ db_go || true
2548+ fi
2549+>>>>>>> debian/libpam0g.postinst
2550 fi
2551 fi
2552
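Review bot: The unchanged `db_input critical libpam0g/xdm-needs-restart || true` and `db_go || true` lines remain above the new `if`, so removing only the marker lines would still show the prompt during a release upgrade, and would show it twice otherwise. Keep only the `if`/`else` form. The call to `/usr/share/update-notifier/notify-reboot-required` has its exit status unchecked, unlike the `db_input ... || true` lines beside it; if this script runs under `set -e`, a failure there would abort the postinst, so consider guarding it the same way.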
2553diff --git a/debian/local/common-session b/debian/local/common-session
2554index 2e94d6c..bd831f2 100644
2555--- a/debian/local/common-session
2556+++ b/debian/local/common-session
2557@@ -20,6 +20,14 @@ session requisite pam_deny.so
2558 # this avoids us returning an error just because nothing sets a success code
2559 # since the modules above will each just jump around
2560 session required pam_permit.so
2561+<<<<<<< debian/local/common-session
2562+=======
2563+# The pam_umask module will set the umask according to the system default in
2564+# /etc/login.defs and user settings, solving the problem of different
2565+# umask settings with different shells, display managers, remote sessions etc.
2566+# See "man pam_umask".
2567+session optional pam_umask.so
2568+>>>>>>> debian/local/common-session
2569 # and here are more per-package modules (the "Additional" block)
2570 $session_additional
2571 # end of pam-auth-update config
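Review bot: The added `session optional pam_umask.so` block is wrapped in conflict-marker lines that would end up in the template between `pam_permit.so` and the "Additional" block. The first side of the conflict is empty, so keep the comment and the module line and delete the three markers. Once resolved, check that the `'session'` checksum added to `debian/local/pam-auth-update` in this merge corresponds to the file as it is actually shipped.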
2572diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
2573index 1dd1a17..063f1ca 100644
2574--- a/debian/local/common-session-noninteractive
2575+++ b/debian/local/common-session-noninteractive
2576@@ -20,6 +20,14 @@ session requisite pam_deny.so
2577 # this avoids us returning an error just because nothing sets a success code
2578 # since the modules above will each just jump around
2579 session required pam_permit.so
2580+<<<<<<< debian/local/common-session-noninteractive
2581+=======
2582+# The pam_umask module will set the umask according to the system default in
2583+# /etc/login.defs and user settings, solving the problem of different
2584+# umask settings with different shells, display managers, remote sessions etc.
2585+# See "man pam_umask".
2586+session optional pam_umask.so
2587+>>>>>>> debian/local/common-session-noninteractive
2588 # and here are more per-package modules (the "Additional" block)
2589 $session_nonint_additional
2590 # end of pam-auth-update config
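Review bot: The comment added with `session optional pam_umask.so` justifies the module by shells, display managers and remote sessions, which are interactive logins, but this file is the non-interactive stack. Give this copy its own rationale, stating the intended effect on services that include `common-session-noninteractive`, instead of reusing the text from `common-session` unchanged.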
2591diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
2592index 5fb4f40..9682062 100644
2593--- a/debian/local/pam-auth-update
2594+++ b/debian/local/pam-auth-update
2595@@ -39,7 +39,11 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
2596 my $titletemplate = 'libpam-runtime/title';
2597 my $confdir = '/etc/pam.d';
2598 my $savedir = '/var/lib/pam';
2599+<<<<<<< debian/local/pam-auth-update
2600 my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);
2601+=======
2602+my (%profiles, @sorted, @enabled, @conflicts, @new, %removals);
2603+>>>>>>> debian/local/pam-auth-update
2604 my $force = 0;
2605 my $package = 0;
2606 my $priority = 'high';
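Review bot: the two sides of this conflict differ only in whether `%to_enable` is declared, and the choice is tied to the later hunks. The `--enable` branch (`$package = 1 if (keys(%to_enable));`) and the `grep { $to_enable{$_} } @sorted` push both reference it. Resolve all of the `--enable` conflicts in this file in the same direction: either keep the declaration together with both uses, or drop all three. A mixed resolution leaves the script with an undeclared variable or with a dead one.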
2607@@ -54,9 +58,17 @@ my %md5sums = (
2608 'session' => [
2609 '240fb92986c885b327cdb21dd641da8c',
2610 '4a25673e8b36f1805219027d3be02cd2',
2611+<<<<<<< debian/local/pam-auth-update
2612 ],
2613 'session-noninteractive' => [
2614 'ad2b78ce1498dd637ef36469430b6ac6',
2615+=======
2616+ '73144a2f4e609a922a51e301cd66a57e',
2617+ ],
2618+ 'session-noninteractive' => [
2619+ 'ad2b78ce1498dd637ef36469430b6ac6',
2620+ 'a20e8df3469bfe25c13a3b39161b30f0',
2621+>>>>>>> debian/local/pam-auth-update
2622 ],
2623 );
2624
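Review bot: in the `%md5sums` conflict the `=======` side is a superset of the other side. It keeps the existing `'session'` and `'session-noninteractive'` entries and adds one hash to each list, so the resolution should take that side whole rather than merge line by line, which risks leaving the `'session'` list without its closing `],`. The hashes are opaque as written; a short comment beside each new entry saying which template revision it identifies would let a later reviewer check that the additions match the `pam_umask` change to the two templates in this same diff.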
2625@@ -89,6 +101,7 @@ while ($#ARGV >= 0) {
2626 }
2627 # --remove implies --package
2628 $package = 1 if (keys(%removals));
2629+<<<<<<< debian/local/pam-auth-update
2630 } elsif ($opt eq '--enable') {
2631 while ($#ARGV >= 0) {
2632 last if ($ARGV[0] =~ /^--/);
2633@@ -96,6 +109,8 @@ while ($#ARGV >= 0) {
2634 }
2635 # --enable implies --package
2636 $package = 1 if (keys(%to_enable));
2637+=======
2638+>>>>>>> debian/local/pam-auth-update
2639 }
2640 }
2641
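Review bot: this conflict opens in the previous hunk (`<<<<<<< debian/local/pam-auth-update` before `} elsif ($opt eq '--enable') {`) and closes here, with an empty `=======` side. Taking the empty side removes the whole `--enable` option parser while the option may still be documented in pam-auth-update.8 and passed by callers. Confirm which side is intended, and resolve it together with the `%to_enable` declaration and the man page conflict so that the three stay consistent.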
2642@@ -143,10 +158,13 @@ if (!@enabled) {
2643 $priority = 'high' unless ($force);
2644 }
2645
2646+<<<<<<< debian/local/pam-auth-update
2647 # add configs to enable
2648 push(@enabled,
2649 grep { $to_enable{$_} } @sorted);
2650
2651+=======
2652+>>>>>>> debian/local/pam-auth-update
2653 # add any previously-unseen configs
2654 push(@enabled,
2655 grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted);
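Review bot: on the side that keeps `push(@enabled, grep { $to_enable{$_} } @sorted);`, the filter has no `!$seen{$_}` guard, unlike the "previously-unseen configs" push directly below it. A profile that is already enabled and is also named on `--enable` would then be pushed a second time. If nothing later removes duplicates from `@enabled`, add the guard here or a comment explaining why duplicates are harmless.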
2656diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
2657index a5ebdba..933fb0f 100644
2658--- a/debian/local/pam-auth-update.8
2659+++ b/debian/local/pam-auth-update.8
2660@@ -68,10 +68,13 @@ Indicate that the caller is a package maintainer script; lowers the
2661 priority of debconf questions to `medium' so that the user is not
2662 prompted by default.
2663 .TP
2664+<<<<<<< debian/local/pam-auth-update.8
2665 .B \-\-enable \fIprofile \fR[\fIprofile\fR...]
2666 Enable the specified profiles in system configuration. This is used to
2667 enable profiles that are not on by default.
2668 .TP
2669+=======
2670+>>>>>>> debian/local/pam-auth-update.8
2671 .B \-\-remove \fIprofile \fR[\fIprofile\fR...]
2672 Remove the specified profiles from the system configuration.
2673 .B pam\-auth\-update \-\-remove
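Review bot: the conflict here is between documenting `--enable` and not documenting it, and it has to follow whatever is decided for the script. If the `--enable` branch stays in pam-auth-update, keep this `.B \-\-enable` paragraph and remove only the three marker lines. If the branch is dropped, drop the paragraph as well, so that the man page does not describe an option the script rejects.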
2674diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
2675index cb5e8c0..7515fad 100644
2676--- a/debian/patches-applied/cve-2015-3238.patch
2677+++ b/debian/patches-applied/cve-2015-3238.patch
2678@@ -15,6 +15,7 @@ pipe that has a limited capacity.
2679 With this fix, the verifiable password length will be limited to
2680 PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
2681
2682+<<<<<<< debian/patches-applied/cve-2015-3238.patch
2683 diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
2684 index 2379366..d1b00a2 100644
2685 --- a/modules/pam_exec/pam_exec.8.xml
2686@@ -29,6 +30,8 @@ index 2379366..d1b00a2 100644
2687 </para>
2688 </listitem>
2689 </varlistentry>
2690+=======
2691+>>>>>>> debian/patches-applied/cve-2015-3238.patch
2692 diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
2693 index 5ab9630..17ba6ca 100644
2694 --- a/modules/pam_exec/pam_exec.c
2695@@ -47,6 +50,7 @@ index 5ab9630..17ba6ca 100644
2696
2697 if (pipe(fds) != 0)
2698 {
2699+<<<<<<< debian/patches-applied/cve-2015-3238.patch
2700 diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
2701 index 4008402..a8b64bb 100644
2702 --- a/modules/pam_unix/pam_unix.8.xml
2703@@ -65,6 +69,8 @@ index 4008402..a8b64bb 100644
2704 The password component of this module performs the task of updating
2705 the user's password. The default encryption hash is taken from the
2706 <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
2707+=======
2708+>>>>>>> debian/patches-applied/cve-2015-3238.patch
2709 diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
2710 index 2d330e5..c2e5de5 100644
2711 --- a/modules/pam_unix/pam_unix_passwd.c
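Review bot: the conflict markers in this file are inserted between the `diff --git` sections of the CVE patch itself, so if they are committed the patch file is no longer a clean unified diff and the fix may apply partially or not at all. The two sides differ in whether the `pam_exec.8.xml` and `pam_unix.8.xml` documentation sections are carried. The `pam_exec.c` and `pam_unix_passwd.c` sections are common to both. Resolve by taking one side whole, then confirm the resolved patch still applies and that the `PAM_MAX_RESP_SIZE` limit described in the header is present in both C files after it does.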
2712diff --git a/debian/patches-applied/extrausers.patch b/debian/patches-applied/extrausers.patch
2713new file mode 100644
2714index 0000000..f316f1d
2715--- /dev/null
2716+++ b/debian/patches-applied/extrausers.patch
2717@@ -0,0 +1,6567 @@
2718+Index: pam-1.1.8/modules/pam_extrausers/Makefile.am
2719+===================================================================
2720+--- /dev/null
2721++++ pam-1.1.8/modules/pam_extrausers/Makefile.am
2722+@@ -0,0 +1,70 @@
2723++#
2724++# Copyright (c) 2005, 2006, 2009, 2011 Thorsten Kukuk <kukuk@suse.de>
2725++#
2726++
2727++CLEANFILES = *~
2728++MAINTAINERCLEANFILES = $(MANS)
2729++
2730++EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(MANS) \
2731++ tst-pam_extrausers $(XMLS)
2732++
2733++man_MANS = pam_extrausers.8
2734++XMLS = pam_extrausers.8.xml
2735++
2736++#TESTS = tst-pam_extrausers
2737++
2738++securelibdir = $(SECUREDIR)
2739++secureconfdir = $(SCONFIGDIR)
2740++
2741++AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
2742++ -DCHKPWD_HELPER=\"$(sbindir)/pam_extrausers_chkpwd\" \
2743++ -DUPDATE_HELPER=\"$(sbindir)/pam_extrausers_update\" \
2744++ $(NIS_CFLAGS)
2745++
2746++if HAVE_LIBSELINUX
2747++ AM_CFLAGS += -D"WITH_SELINUX"
2748++endif
2749++
2750++pam_extrausers_la_LDFLAGS = -no-undefined -avoid-version -module
2751++if HAVE_VERSIONING
2752++ pam_extrausers_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
2753++endif
2754++pam_extrausers_la_LIBADD = $(top_builddir)/libpam/libpam.la \
2755++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
2756++ ../pam_securetty/tty_secure.lo
2757++
2758++securelib_LTLIBRARIES = pam_extrausers.la
2759++
2760++noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h \
2761++ pam_unix_static.h
2762++
2763++sbin_PROGRAMS = pam_extrausers_chkpwd pam_extrausers_update
2764++
2765++noinst_PROGRAMS = bigcrypt
2766++
2767++pam_extrausers_la_SOURCES = bigcrypt.c pam_unix_acct.c \
2768++ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
2769++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
2770++if STATIC_MODULES
2771++pam_extrausers_la_SOURCES += pam_unix_static.c
2772++endif
2773++
2774++bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
2775++bigcrypt_CFLAGS = $(AM_CFLAGS)
2776++bigcrypt_LDADD = @LIBCRYPT@
2777++
2778++pam_extrausers_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
2779++ passverify.c
2780++pam_extrausers_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_chkpwd\"
2781++pam_extrausers_chkpwd_LDFLAGS = @PIE_LDFLAGS@
2782++pam_extrausers_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
2783++
2784++pam_extrausers_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
2785++ passverify.c
2786++pam_extrausers_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_update\"
2787++pam_extrausers_update_LDFLAGS = @PIE_LDFLAGS@
2788++pam_extrausers_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
2789++
2790++if ENABLE_REGENERATE_MAN
2791++-include $(top_srcdir)/Make.xml.rules
2792++endif
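Review bot: `#TESTS = tst-pam_extrausers` is commented out while `tst-pam_extrausers` is still listed in `EXTRA_DIST`, so the forked module is built and its two helpers are installed into `$(sbindir)` without the only test in this directory ever running. Either enable the test or add a comment saying why it cannot run in the package build. The file also installs `pam_extrausers_chkpwd` and `pam_extrausers_update` as `sbin_PROGRAMS`; the ownership and mode they need (the pam_unix helpers they are copied from are normally privileged) are not visible here, and a pointer to where that is set would help review.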
2793+Index: pam-1.1.8/modules/pam_extrausers/README
2794+===================================================================
2795+--- /dev/null
2796++++ pam-1.1.8/modules/pam_extrausers/README
2797+@@ -0,0 +1,5 @@
2798++This is a simple fork of pam_unix, but with the following changes:
2799++
2800++ - The expected namespace changes
2801++ - References to /etc or /etc/secure are replaced with /var/lib/extrausers
2802++ - Unconditionally use our custom lckpwdf methods and namespace them
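Review bot: the README says this is "a simple fork of pam_unix", but it does not say how fixes to pam_unix reach the copy. This same merge carries cve-2015-3238.patch, which changes `modules/pam_unix/pam_unix_passwd.c`, and the fork ships its own `pam_unix_passwd.c`. Please add a line stating that security fixes to pam_unix have to be mirrored here, and record which pam_unix revision and patches this copy already includes.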
2803+Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.c
2804+===================================================================
2805+--- /dev/null
2806++++ pam-1.1.8/modules/pam_extrausers/bigcrypt.c
2807+@@ -0,0 +1,159 @@
2808++/*
2809++ * This function implements the "bigcrypt" algorithm specifically for
2810++ * Linux-PAM.
2811++ *
2812++ * This algorithm is algorithm 0 (default) shipped with the C2 secure
2813++ * implementation of Digital UNIX.
2814++ *
2815++ * Disclaimer: This work is not based on the source code to Digital
2816++ * UNIX, nor am I connected to Digital Equipment Corp, in any way
2817++ * other than as a customer. This code is based on published
2818++ * interfaces and reasonable guesswork.
2819++ *
2820++ * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
2821++ * characters or less. Each block is encrypted using the standard UNIX
2822++ * libc crypt function. The result of the encryption for one block
2823++ * provides the salt for the suceeding block.
2824++ *
2825++ * Restrictions: The buffer used to hold the encrypted result is
2826++ * statically allocated. (see MAX_PASS_LEN below). This is necessary,
2827++ * as the returned pointer points to "static data that are overwritten
2828++ * by each call", (XPG3: XSI System Interface + Headers pg 109), and
2829++ * this is a drop in replacement for crypt();
2830++ *
2831++ * Andy Phillips <atp@mssl.ucl.ac.uk>
2832++ */
2833++
2834++#include "config.h"
2835++
2836++#include <string.h>
2837++#include <stdlib.h>
2838++#include <security/_pam_macros.h>
2839++#ifdef HAVE_LIBXCRYPT
2840++#include <xcrypt.h>
2841++#elif defined(HAVE_CRYPT_H)
2842++#include <crypt.h>
2843++#endif
2844++
2845++#include "bigcrypt.h"
2846++
2847++/*
2848++ * Max cleartext password length in segments of 8 characters this
2849++ * function can deal with (16 segments of 8 chars= max 128 character
2850++ * password).
2851++ */
2852++
2853++#define MAX_PASS_LEN 16
2854++#define SEGMENT_SIZE 8
2855++#define SALT_SIZE 2
2856++#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE)
2857++#define ESEGMENT_SIZE 11
2858++#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1)
2859++
2860++char *bigcrypt(const char *key, const char *salt)
2861++{
2862++ char *dec_c2_cryptbuf;
2863++#ifdef HAVE_CRYPT_R
2864++ struct crypt_data *cdata;
2865++#endif
2866++ unsigned long int keylen, n_seg, j;
2867++ char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr;
2868++ char keybuf[KEYBUF_SIZE + 1];
2869++
2870++ D(("called with key='%s', salt='%s'.", key, salt));
2871++
2872++ /* reset arrays */
2873++ dec_c2_cryptbuf = malloc(CBUF_SIZE);
2874++ if (!dec_c2_cryptbuf) {
2875++ return NULL;
2876++ }
2877++#ifdef HAVE_CRYPT_R
2878++ cdata = malloc(sizeof(*cdata));
2879++ if(!cdata) {
2880++ free(dec_c2_cryptbuf);
2881++ return NULL;
2882++ }
2883++ cdata->initialized = 0;
2884++#endif
2885++ memset(keybuf, 0, KEYBUF_SIZE + 1);
2886++ memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
2887++
2888++ /* fill KEYBUF_SIZE with key */
2889++ strncpy(keybuf, key, KEYBUF_SIZE);
2890++
2891++ /* deal with case that we are doing a password check for a
2892++ conventially encrypted password: the salt will be
2893++ SALT_SIZE+ESEGMENT_SIZE long. */
2894++ if (strlen(salt) == (SALT_SIZE + ESEGMENT_SIZE))
2895++ keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */
2896++
2897++ keylen = strlen(keybuf);
2898++
2899++ if (!keylen) {
2900++ n_seg = 1;
2901++ } else {
2902++ /* work out how many segments */
2903++ n_seg = 1 + ((keylen - 1) / SEGMENT_SIZE);
2904++ }
2905++
2906++ if (n_seg > MAX_PASS_LEN)
2907++ n_seg = MAX_PASS_LEN; /* truncate at max length */
2908++
2909++ /* set up some pointers */
2910++ cipher_ptr = dec_c2_cryptbuf;
2911++ plaintext_ptr = keybuf;
2912++
2913++ /* do the first block with supplied salt */
2914++#ifdef HAVE_CRYPT_R
2915++ tmp_ptr = crypt_r(plaintext_ptr, salt, cdata); /* libc crypt_r() */
2916++#else
2917++ tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */
2918++#endif
2919++ if (tmp_ptr == NULL) {
2920++ free(dec_c2_cryptbuf);
2921++ return NULL;
2922++ }
2923++ /* and place in the static area */
2924++ strncpy(cipher_ptr, tmp_ptr, 13);
2925++ cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
2926++ plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */
2927++
2928++ /* change the salt (1st 2 chars of previous block) - this was found
2929++ by dowsing */
2930++
2931++ salt_ptr = cipher_ptr - ESEGMENT_SIZE;
2932++
2933++ /* so far this is identical to "return crypt(key, salt);", if
2934++ there is more than one block encrypt them... */
2935++
2936++ if (n_seg > 1) {
2937++ for (j = 2; j <= n_seg; j++) {
2938++
2939++#ifdef HAVE_CRYPT_R
2940++ tmp_ptr = crypt_r(plaintext_ptr, salt_ptr, cdata);
2941++#else
2942++ tmp_ptr = crypt(plaintext_ptr, salt_ptr);
2943++#endif
2944++ if (tmp_ptr == NULL) {
2945++ _pam_overwrite(dec_c2_cryptbuf);
2946++ free(dec_c2_cryptbuf);
2947++ return NULL;
2948++ }
2949++
2950++ /* skip the salt for seg!=0 */
2951++ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
2952++
2953++ cipher_ptr += ESEGMENT_SIZE;
2954++ plaintext_ptr += SEGMENT_SIZE;
2955++ salt_ptr = cipher_ptr - ESEGMENT_SIZE;
2956++ }
2957++ }
2958++ D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
2959++
2960++#ifdef HAVE_CRYPT_R
2961++ free(cdata);
2962++#endif
2963++
2964++ /* this is the <NUL> terminated encrypted password */
2965++ return dec_c2_cryptbuf;
2966++}
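Review bot: `keybuf` holds the cleartext password (`strncpy(keybuf, key, KEYBUF_SIZE);`) and is never cleared before any of the returns in `bigcrypt()`. The result buffer gets `_pam_overwrite()` on only one error path. Wipe `keybuf` on every exit. Under `HAVE_CRYPT_R`, `cdata` is freed only on the success path: both `if (tmp_ptr == NULL)` branches return without `free(cdata)`, and the structure is freed on success without being cleared although it held key-dependent state. The opening `D(("called with key='%s', salt='%s'.", key, salt));` prints the password whenever `D()` is enabled, and should log at most the salt. Smaller point: `strncpy(cipher_ptr, tmp_ptr, 13);` should use `SALT_SIZE + ESEGMENT_SIZE` rather than the literal.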
2967+Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.h
2968+===================================================================
2969+--- /dev/null
2970++++ pam-1.1.8/modules/pam_extrausers/bigcrypt.h
2971+@@ -0,0 +1 @@
2972++extern char *bigcrypt(const char *key, const char *salt);
2973+Index: pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c
2974+===================================================================
2975+--- /dev/null
2976++++ pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c
2977+@@ -0,0 +1,18 @@
2978++#include <stdio.h>
2979++#include <string.h>
2980++
2981++#include "bigcrypt.h"
2982++
2983++int
2984++main(int argc, char **argv)
2985++{
2986++ if (argc < 3) {
2987++ fprintf(stderr, "Usage: %s password salt\n",
2988++ strchr(argv[0], '/') ?
2989++ (strchr(argv[0], '/') + 1) :
2990++ argv[0]);
2991++ return 0;
2992++ }
2993++ fprintf(stdout, "%s\n", bigcrypt(argv[1], argv[2]));
2994++ return 0;
2995++}
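Review bot: `fprintf(stdout, "%s\n", bigcrypt(argv[1], argv[2]));` passes the return value straight to `%s`, but `bigcrypt()` returns NULL when `malloc` or `crypt` fails, so this needs a NULL check and a non-zero exit. The usage branch also returns 0 on bad arguments, which hides the error from scripts, and it uses `strchr(argv[0], '/')`, which strips only the first path component where `strrchr` would give the basename. The tool takes the password on the command line, where other local users can read it from the process list. It is `noinst`, but a comment marking it as test-only would make that explicit.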
2996+Index: pam-1.1.8/modules/pam_extrausers/lckpwdf.-c
2997+===================================================================
2998+--- /dev/null
2999++++ pam-1.1.8/modules/pam_extrausers/lckpwdf.-c
3000+@@ -0,0 +1,142 @@
3001++/*
3002++ * This is a hack, but until libc and glibc both include this function
3003++ * by default (libc only includes it if nys is not being used, at the
3004++ * moment, and glibc doesn't appear to have it at all) we need to have
3005++ * it here, too. :-(
3006++ *
3007++ * This should not become an official part of PAM.
3008++ *
3009++ * BEGIN_HACK
3010++ */
3011++
3012++/*
3013++ * lckpwdf.c -- prevent simultaneous updates of password files
3014++ *
3015++ * Before modifying any of the password files, call lckpwdf(). It may block
3016++ * for up to 15 seconds trying to get the lock. Return value is 0 on success
3017++ * or -1 on failure. When you are done, call ulckpwdf() to release the lock.
3018++ * The lock is also released automatically when the process exits. Only one
3019++ * process at a time may hold the lock.
3020++ *
3021++ * These functions are supposed to be conformant with AT&T SVID Issue 3.
3022++ *
3023++ * Written by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>,
3024++ * public domain.
3025++ */
3026++
3027++#include <fcntl.h>
3028++#include <signal.h>
3029++#ifdef WITH_SELINUX
3030++#include <selinux/selinux.h>
3031++#endif
3032++
3033++#define LOCKFILE "/var/lib/extrausers/.pwd.lock"
3034++#define TIMEOUT 15
3035++
3036++static int lockfd = -1;
3037++
3038++static int set_close_on_exec(int fd)
3039++{
3040++ int flags = fcntl(fd, F_GETFD, 0);
3041++ if (flags == -1)
3042++ return -1;
3043++ flags |= FD_CLOEXEC;
3044++ return fcntl(fd, F_SETFD, flags);
3045++}
3046++
3047++static int do_lock(int fd)
3048++{
3049++ struct flock fl;
3050++
3051++ memset(&fl, 0, sizeof fl);
3052++ fl.l_type = F_WRLCK;
3053++ fl.l_whence = SEEK_SET;
3054++ return fcntl(fd, F_SETLKW, &fl);
3055++}
3056++
3057++static void alarm_catch(int sig)
3058++{
3059++/* does nothing, but fcntl F_SETLKW will fail with EINTR */
3060++}
3061++
3062++static int extrausers_lckpwdf(void)
3063++{
3064++ struct sigaction act, oldact;
3065++ sigset_t set, oldset;
3066++
3067++ if (lockfd != -1)
3068++ return -1;
3069++
3070++#ifdef WITH_SELINUX
3071++ if(is_selinux_enabled()>0)
3072++ {
3073++ lockfd = open(LOCKFILE, O_WRONLY);
3074++ if(lockfd == -1 && errno == ENOENT)
3075++ {
3076++ security_context_t create_context;
3077++ int rc;
3078++
3079++ if(getfilecon("/var/lib/extrausers/passwd", &create_context))
3080++ return -1;
3081++ rc = setfscreatecon(create_context);
3082++ freecon(create_context);
3083++ if(rc)
3084++ return -1;
3085++ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
3086++ if(setfscreatecon(NULL))
3087++ return -1;
3088++ }
3089++ }
3090++ else
3091++#endif
3092++ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
3093++ if (lockfd == -1)
3094++ return -1;
3095++ if (set_close_on_exec(lockfd) == -1)
3096++ goto cleanup_fd;
3097++
3098++ memset(&act, 0, sizeof act);
3099++ act.sa_handler = alarm_catch;
3100++ act.sa_flags = 0;
3101++ sigfillset(&act.sa_mask);
3102++ if (sigaction(SIGALRM, &act, &oldact) == -1)
3103++ goto cleanup_fd;
3104++
3105++ sigemptyset(&set);
3106++ sigaddset(&set, SIGALRM);
3107++ if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1)
3108++ goto cleanup_sig;
3109++
3110++ alarm(TIMEOUT);
3111++ if (do_lock(lockfd) == -1)
3112++ goto cleanup_alarm;
3113++ alarm(0);
3114++ sigprocmask(SIG_SETMASK, &oldset, NULL);
3115++ sigaction(SIGALRM, &oldact, NULL);
3116++ return 0;
3117++
3118++ cleanup_alarm:
3119++ alarm(0);
3120++ sigprocmask(SIG_SETMASK, &oldset, NULL);
3121++ cleanup_sig:
3122++ sigaction(SIGALRM, &oldact, NULL);
3123++ cleanup_fd:
3124++ close(lockfd);
3125++ lockfd = -1;
3126++ return -1;
3127++}
3128++
3129++static int extrausers_ulckpwdf(void)
3130++{
3131++ unlink(LOCKFILE);
3132++ if (lockfd == -1)
3133++ return -1;
3134++
3135++ if (close(lockfd) == -1) {
3136++ lockfd = -1;
3137++ return -1;
3138++ }
3139++ lockfd = -1;
3140++ return 0;
3141++}
3142++/* END_HACK */
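Review bot: `extrausers_ulckpwdf()` calls `unlink(LOCKFILE);` before it checks `lockfd == -1`, so a caller that never took the lock still deletes the lock file. Unlinking at all weakens the scheme: a process already blocked in `fcntl(fd, F_SETLKW, ...)` on the old inode can be granted that lock while a third process creates a fresh `.pwd.lock` with `O_CREAT` and locks the new inode, so two writers hold "the" lock at once. Suggest dropping the `unlink` and only closing the descriptor. In the SELinux branch, `if(setfscreatecon(NULL)) return -1;` returns with `lockfd` possibly open and still set, so the descriptor leaks and later calls fail at `if (lockfd != -1) return -1;`. Route that failure through `cleanup_fd` instead. The file also uses `memset`, `errno`, `alarm`, `unlink` and `close` without including `<string.h>`, `<errno.h>` or `<unistd.h>`; if it relies on the file that includes it, say so in a comment.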
3143+Index: pam-1.1.8/modules/pam_extrausers/md5.c
3144+===================================================================
3145+--- /dev/null
3146++++ pam-1.1.8/modules/pam_extrausers/md5.c
3147+@@ -0,0 +1,255 @@
3148++/*
3149++ * $Id$
3150++ *
3151++ * This code implements the MD5 message-digest algorithm.
3152++ * The algorithm is due to Ron Rivest. This code was
3153++ * written by Colin Plumb in 1993, no copyright is claimed.
3154++ * This code is in the public domain; do with it what you wish.
3155++ *
3156++ * Equivalent code is available from RSA Data Security, Inc.
3157++ * This code has been tested against that, and is equivalent,
3158++ * except that you don't need to include two pages of legalese
3159++ * with every copy.
3160++ *
3161++ * To compute the message digest of a chunk of bytes, declare an
3162++ * MD5Context structure, pass it to MD5Init, call MD5Update as
3163++ * needed on buffers full of bytes, and then call MD5Final, which
3164++ * will fill a supplied 16-byte array with the digest.
3165++ *
3166++ */
3167++
3168++#include <string.h>
3169++#include "md5.h"
3170++
3171++#ifndef HIGHFIRST
3172++#define byteReverse(buf, len) /* Nothing */
3173++#else
3174++static void byteReverse(unsigned char *buf, unsigned longs);
3175++
3176++#ifndef ASM_MD5
3177++/*
3178++ * Note: this code is harmless on little-endian machines.
3179++ */
3180++static void byteReverse(unsigned char *buf, unsigned longs)
3181++{
3182++ uint32 t;
3183++ do {
3184++ t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
3185++ ((unsigned) buf[1] << 8 | buf[0]);
3186++ *(uint32 *) buf = t;
3187++ buf += 4;
3188++ } while (--longs);
3189++}
3190++#endif
3191++#endif
3192++
3193++/*
3194++ * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
3195++ * initialization constants.
3196++ */
3197++void MD5Name(MD5Init)(struct MD5Context *ctx)
3198++{
3199++ ctx->buf[0] = 0x67452301U;
3200++ ctx->buf[1] = 0xefcdab89U;
3201++ ctx->buf[2] = 0x98badcfeU;
3202++ ctx->buf[3] = 0x10325476U;
3203++
3204++ ctx->bits[0] = 0;
3205++ ctx->bits[1] = 0;
3206++}
3207++
3208++/*
3209++ * Update context to reflect the concatenation of another buffer full
3210++ * of bytes.
3211++ */
3212++void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
3213++{
3214++ uint32 t;
3215++
3216++ /* Update bitcount */
3217++
3218++ t = ctx->bits[0];
3219++ if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
3220++ ctx->bits[1]++; /* Carry from low to high */
3221++ ctx->bits[1] += len >> 29;
3222++
3223++ t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */
3224++
3225++ /* Handle any leading odd-sized chunks */
3226++
3227++ if (t) {
3228++ unsigned char *p = (unsigned char *) ctx->in + t;
3229++
3230++ t = 64 - t;
3231++ if (len < t) {
3232++ memcpy(p, buf, len);
3233++ return;
3234++ }
3235++ memcpy(p, buf, t);
3236++ byteReverse(ctx->in, 16);
3237++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
3238++ buf += t;
3239++ len -= t;
3240++ }
3241++ /* Process data in 64-byte chunks */
3242++
3243++ while (len >= 64) {
3244++ memcpy(ctx->in, buf, 64);
3245++ byteReverse(ctx->in, 16);
3246++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
3247++ buf += 64;
3248++ len -= 64;
3249++ }
3250++
3251++ /* Handle any remaining bytes of data. */
3252++
3253++ memcpy(ctx->in, buf, len);
3254++}
3255++
3256++/*
3257++ * Final wrapup - pad to 64-byte boundary with the bit pattern
3258++ * 1 0* (64-bit count of bits processed, MSB-first)
3259++ */
3260++void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
3261++{
3262++ unsigned count;
3263++ unsigned char *p;
3264++
3265++ /* Compute number of bytes mod 64 */
3266++ count = (ctx->bits[0] >> 3) & 0x3F;
3267++
3268++ /* Set the first char of padding to 0x80. This is safe since there is
3269++ always at least one byte free */
3270++ p = ctx->in + count;
3271++ *p++ = 0x80;
3272++
3273++ /* Bytes of padding needed to make 64 bytes */
3274++ count = 64 - 1 - count;
3275++
3276++ /* Pad out to 56 mod 64 */
3277++ if (count < 8) {
3278++ /* Two lots of padding: Pad the first block to 64 bytes */
3279++ memset(p, 0, count);
3280++ byteReverse(ctx->in, 16);
3281++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
3282++
3283++ /* Now fill the next block with 56 bytes */
3284++ memset(ctx->in, 0, 56);
3285++ } else {
3286++ /* Pad block to 56 bytes */
3287++ memset(p, 0, count - 8);
3288++ }
3289++ byteReverse(ctx->in, 14);
3290++
3291++ /* Append length in bits and transform */
3292++ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
3293++
3294++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
3295++ byteReverse((unsigned char *) ctx->buf, 4);
3296++ memcpy(digest, ctx->buf, 16);
3297++ memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
3298++}
3299++
3300++#ifndef ASM_MD5
3301++
3302++/* The four core functions - F1 is optimized somewhat */
3303++
3304++/* #define F1(x, y, z) (x & y | ~x & z) */
3305++#define F1(x, y, z) (z ^ (x & (y ^ z)))
3306++#define F2(x, y, z) F1(z, x, y)
3307++#define F3(x, y, z) (x ^ y ^ z)
3308++#define F4(x, y, z) (y ^ (x | ~z))
3309++
3310++/* This is the central step in the MD5 algorithm. */
3311++#define MD5STEP(f, w, x, y, z, data, s) \
3312++ ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
3313++
3314++/*
3315++ * The core of the MD5 algorithm, this alters an existing MD5 hash to
3316++ * reflect the addition of 16 longwords of new data. MD5Update blocks
3317++ * the data and converts bytes into longwords for this routine.
3318++ */
3319++void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16])
3320++{
3321++ register uint32 a, b, c, d;
3322++
3323++ a = buf[0];
3324++ b = buf[1];
3325++ c = buf[2];
3326++ d = buf[3];
3327++
3328++ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7);
3329++ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12);
3330++ MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17);
3331++ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22);
3332++ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7);
3333++ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12);
3334++ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17);
3335++ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22);
3336++ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7);
3337++ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12);
3338++ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
3339++ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
3340++ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7);
3341++ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
3342++ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
3343++ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
3344++
3345++ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5);
3346++ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9);
3347++ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
3348++ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20);
3349++ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5);
3350++ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9);
3351++ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
3352++ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20);
3353++ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5);
3354++ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9);
3355++ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14);
3356++ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20);
3357++ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5);
3358++ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9);
3359++ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14);
3360++ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
3361++
3362++ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4);
3363++ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11);
3364++ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
3365++ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
3366++ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4);
3367++ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11);
3368++ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16);
3369++ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
3370++ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4);
3371++ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11);
3372++ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16);
3373++ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23);
3374++ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4);
3375++ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
3376++ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
3377++ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23);
3378++
3379++ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6);
3380++ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10);
3381++ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
3382++ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21);
3383++ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6);
3384++ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10);
3385++ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
3386++ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21);
3387++ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6);
3388++ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
3389++ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15);
3390++ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
3391++ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6);
3392++ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
3393++ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15);
3394++ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21);
3395++
3396++ buf[0] += a;
3397++ buf[1] += b;
3398++ buf[2] += c;
3399++ buf[3] += d;
3400++}
3401++
3402++#endif
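Review bot: in `MD5Final`, `memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */` is the last write to `*ctx`, and the callers in md5_crypt.c pass local contexts, so a compiler is allowed to drop the store as dead. Since the context has absorbed the password by this point, use a wipe that cannot be elided (the tree already has `_pam_overwrite`-style helpers, or `explicit_bzero` where available). Separately, `byteReverse` and `MD5Update` cast `ctx->in` to `uint32 *`; that is fine with the current `struct MD5Context` layout, but a comment noting the alignment assumption would protect against a later reordering of the struct.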
3403+Index: pam-1.1.8/modules/pam_extrausers/md5.h
3404+===================================================================
3405+--- /dev/null
3406++++ pam-1.1.8/modules/pam_extrausers/md5.h
3407+@@ -0,0 +1,31 @@
3408++
3409++#ifndef MD5_H
3410++#define MD5_H
3411++
3412++typedef unsigned int uint32;
3413++
3414++struct MD5Context {
3415++ uint32 buf[4];
3416++ uint32 bits[2];
3417++ unsigned char in[64];
3418++};
3419++
3420++void GoodMD5Init(struct MD5Context *);
3421++void GoodMD5Update(struct MD5Context *, unsigned const char *, unsigned);
3422++void GoodMD5Final(unsigned char digest[16], struct MD5Context *);
3423++void GoodMD5Transform(uint32 buf[4], uint32 const in[16]);
3424++void BrokenMD5Init(struct MD5Context *);
3425++void BrokenMD5Update(struct MD5Context *, unsigned const char *, unsigned);
3426++void BrokenMD5Final(unsigned char digest[16], struct MD5Context *);
3427++void BrokenMD5Transform(uint32 buf[4], uint32 const in[16]);
3428++
3429++char *Goodcrypt_md5(const char *pw, const char *salt);
3430++char *Brokencrypt_md5(const char *pw, const char *salt);
3431++
3432++/*
3433++ * This is needed to make RSAREF happy on some MS-DOS compilers.
3434++ */
3435++
3436++typedef struct MD5Context MD5_CTX;
3437++
3438++#endif /* MD5_H */
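Review bot: `typedef unsigned int uint32;` assumes `unsigned int` is exactly 32 bits, and the rotate in `MD5STEP` (`w<<s | w>>(32-s)`) gives wrong digests if it is wider. Prefer `uint32_t` from `<stdint.h>`. The header also declares a `Good` and a `Broken` family of every function with no comment on the difference. A line explaining what `Broken` is compatible with, and that new hashes must use the `Good` variant, belongs next to these prototypes.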
3439+Index: pam-1.1.8/modules/pam_extrausers/md5_broken.c
3440+===================================================================
3441+--- /dev/null
3442++++ pam-1.1.8/modules/pam_extrausers/md5_broken.c
3443+@@ -0,0 +1,4 @@
3444++#define MD5Name(x) Broken##x
3445++
3446++#include "md5.c"
3447++#include "md5_crypt.c"
3448+Index: pam-1.1.8/modules/pam_extrausers/md5_crypt.c
3449+===================================================================
3450+--- /dev/null
3451++++ pam-1.1.8/modules/pam_extrausers/md5_crypt.c
3452+@@ -0,0 +1,154 @@
3453++/*
3454++ * $Id$
3455++ *
3456++ * ----------------------------------------------------------------------------
3457++ * "THE BEER-WARE LICENSE" (Revision 42):
3458++ * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
3459++ * can do whatever you want with this stuff. If we meet some day, and you think
3460++ * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
3461++ * ----------------------------------------------------------------------------
3462++ *
3463++ * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp
3464++ *
3465++ */
3466++
3467++#include <string.h>
3468++#include <stdlib.h>
3469++#include "md5.h"
3470++
3471++static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
3472++"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
3473++
3474++static void to64(char *s, unsigned long v, int n)
3475++{
3476++ while (--n >= 0) {
3477++ *s++ = itoa64[v & 0x3f];
3478++ v >>= 6;
3479++ }
3480++}
3481++
3482++/*
3483++ * UNIX password
3484++ *
3485++ * Use MD5 for what it is best at...
3486++ */
3487++
3488++char *MD5Name(crypt_md5)(const char *pw, const char *salt)
3489++{
3490++ const char *magic = "$1$";
3491++ /* This string is magic for this algorithm. Having
3492++ * it this way, we can get get better later on */
3493++ char *passwd, *p;
3494++ const char *sp, *ep;
3495++ unsigned char final[16];
3496++ int sl, pl, i, j;
3497++ MD5_CTX ctx, ctx1;
3498++ unsigned long l;
3499++
3500++ /* Refine the Salt first */
3501++ sp = salt;
3502++
3503++ /* TODO: now that we're using malloc'ed memory, get rid of the
3504++ strange constant buffer size. */
3505++ passwd = malloc(120);
3506++
3507++ /* If it starts with the magic string, then skip that */
3508++ if (!strncmp(sp, magic, strlen(magic)))
3509++ sp += strlen(magic);
3510++
3511++ /* It stops at the first '$', max 8 chars */
3512++ for (ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
3513++ continue;
3514++
3515++ /* get the length of the true salt */
3516++ sl = ep - sp;
3517++
3518++ MD5Name(MD5Init)(&ctx);
3519++
3520++ /* The password first, since that is what is most unknown */
3521++ MD5Name(MD5Update)(&ctx,(unsigned const char *)pw,strlen(pw));
3522++
3523++ /* Then our magic string */
3524++ MD5Name(MD5Update)(&ctx,(unsigned const char *)magic,strlen(magic));
3525++
3526++ /* Then the raw salt */
3527++ MD5Name(MD5Update)(&ctx,(unsigned const char *)sp,sl);
3528++
3529++ /* Then just as many characters of the MD5(pw,salt,pw) */
3530++ MD5Name(MD5Init)(&ctx1);
3531++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
3532++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
3533++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
3534++ MD5Name(MD5Final)(final,&ctx1);
3535++ for (pl = strlen(pw); pl > 0; pl -= 16)
3536++ MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
3537++
3538++ /* Don't leave anything around in vm they could use. */
3539++ memset(final, 0, sizeof final);
3540++
3541++ /* Then something really weird... */
3542++ for (j = 0, i = strlen(pw); i; i >>= 1)
3543++ if (i & 1)
3544++ MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1);
3545++ else
3546++ MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1);
3547++
3548++ /* Now make the output string */
3549++ strcpy(passwd, magic);
3550++ strncat(passwd, sp, sl);
3551++ strcat(passwd, "$");
3552++
3553++ MD5Name(MD5Final)(final,&ctx);
3554++
3555++ /*
3556++ * and now, just to make sure things don't run too fast
3557++ * On a 60 Mhz Pentium this takes 34 msec, so you would
3558++ * need 30 seconds to build a 1000 entry dictionary...
3559++ */
3560++ for (i = 0; i < 1000; i++) {
3561++ MD5Name(MD5Init)(&ctx1);
3562++ if (i & 1)
3563++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
3564++ else
3565++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
3566++
3567++ if (i % 3)
3568++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
3569++
3570++ if (i % 7)
3571++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
3572++
3573++ if (i & 1)
3574++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
3575++ else
3576++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
3577++ MD5Name(MD5Final)(final,&ctx1);
3578++ }
3579++
3580++ p = passwd + strlen(passwd);
3581++
3582++ l = (final[0] << 16) | (final[6] << 8) | final[12];
3583++ to64(p, l, 4);
3584++ p += 4;
3585++ l = (final[1] << 16) | (final[7] << 8) | final[13];
3586++ to64(p, l, 4);
3587++ p += 4;
3588++ l = (final[2] << 16) | (final[8] << 8) | final[14];
3589++ to64(p, l, 4);
3590++ p += 4;
3591++ l = (final[3] << 16) | (final[9] << 8) | final[15];
3592++ to64(p, l, 4);
3593++ p += 4;
3594++ l = (final[4] << 16) | (final[10] << 8) | final[5];
3595++ to64(p, l, 4);
3596++ p += 4;
3597++ l = final[11];
3598++ to64(p, l, 2);
3599++ p += 2;
3600++ *p = '\0';
3601++
3602++ /* Don't leave anything around in vm they could use. */
3603++ memset(final, 0, sizeof final);
3604++
3605++ return passwd;
3606++}
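Review bot: In crypt_md5 the result of malloc(120) is never checked before strcpy(passwd, magic), so an allocation failure becomes a NULL dereference in the password-hashing path; return NULL straight after the malloc when it fails, and make sure callers handle that. The last memset(final, 0, sizeof final) before the return is a dead store that the compiler is free to drop, and ctx and ctx1 are never cleared, so password-derived state can remain on the stack despite the "Don't leave anything around" comment; wipe final, ctx and ctx1 through a mechanism the optimizer cannot elide. The TODO about the constant buffer size would be easier to retire if it stated the bound the code relies on: 3 bytes of magic, at most 8 of salt, one '$', 22 of encoded hash and the terminator.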
3607+Index: pam-1.1.8/modules/pam_extrausers/md5_good.c
3608+===================================================================
3609+--- /dev/null
3610++++ pam-1.1.8/modules/pam_extrausers/md5_good.c
3611+@@ -0,0 +1,5 @@
3612++#define HIGHFIRST
3613++#define MD5Name(x) Good##x
3614++
3615++#include "md5.c"
3616++#include "md5_crypt.c"
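Review bot: md5_good.c has no comment explaining why it defines HIGHFIRST or why it includes md5.c and md5_crypt.c as source. A short header comment saying that this translation unit instantiates the MD5 code under the Good prefix through MD5Name(x), and which behaviour HIGHFIRST selects, would keep a later reader from treating the .c includes as a mistake.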
3617+Index: pam-1.1.8/modules/pam_extrausers/obscure.c
3618+===================================================================
3619+--- /dev/null
3620++++ pam-1.1.8/modules/pam_extrausers/obscure.c
3621+@@ -0,0 +1,198 @@
3622++/*
3623++ * Copyright 1989 - 1994, Julianne Frances Haugh
3624++ * All rights reserved.
3625++ *
3626++ * Redistribution and use in source and binary forms, with or without
3627++ * modification, are permitted provided that the following conditions
3628++ * are met:
3629++ * 1. Redistributions of source code must retain the above copyright
3630++ * notice, this list of conditions and the following disclaimer.
3631++ * 2. Redistributions in binary form must reproduce the above copyright
3632++ * notice, this list of conditions and the following disclaimer in the
3633++ * documentation and/or other materials provided with the distribution.
3634++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
3635++ * may be used to endorse or promote products derived from this software
3636++ * without specific prior written permission.
3637++ *
3638++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
3639++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3640++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
3641++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
3642++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
3643++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
3644++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3645++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3646++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3647++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3648++ * SUCH DAMAGE.
3649++ */
3650++
3651++#include "config.h"
3652++
3653++#include <ctype.h>
3654++#include <stdio.h>
3655++#include <unistd.h>
3656++#include <string.h>
3657++#include <stdlib.h>
3658++#include <pwd.h>
3659++#include <security/pam_modules.h>
3660++#include <security/_pam_macros.h>
3661++
3662++
3663++#include "support.h"
3664++
3665++/* can't be a palindrome - like `R A D A R' or `M A D A M' */
3666++static int palindrome(const char *old, const char *new) {
3667++ int i, j;
3668++
3669++ i = strlen (new);
3670++
3671++ for (j = 0;j < i;j++)
3672++ if (new[i - j - 1] != new[j])
3673++ return 0;
3674++
3675++ return 1;
3676++}
3677++
3678++/* more than half of the characters are different ones. */
3679++static int similar(const char *old, const char *new) {
3680++ int i, j;
3681++
3682++ /*
3683++ * XXX - sometimes this fails when changing from a simple password
3684++ * to a really long one (MD5). For now, I just return success if
3685++ * the new password is long enough. Please feel free to suggest
3686++ * something better... --marekm
3687++ */
3688++ if (strlen(new) >= 8)
3689++ return 0;
3690++
3691++ for (i = j = 0; new[i] && old[i]; i++)
3692++ if (strchr(new, old[i]))
3693++ j++;
3694++
3695++ if (i >= j * 2)
3696++ return 0;
3697++
3698++ return 1;
3699++}
3700++
3701++/* a nice mix of characters. */
3702++static int simple(const char *old, const char *new) {
3703++ int digits = 0;
3704++ int uppers = 0;
3705++ int lowers = 0;
3706++ int others = 0;
3707++ int size;
3708++ int i;
3709++
3710++ for (i = 0;new[i];i++) {
3711++ if (isdigit (new[i]))
3712++ digits++;
3713++ else if (isupper (new[i]))
3714++ uppers++;
3715++ else if (islower (new[i]))
3716++ lowers++;
3717++ else
3718++ others++;
3719++ }
3720++
3721++ /*
3722++ * The scam is this - a password of only one character type
3723++ * must be 8 letters long. Two types, 7, and so on.
3724++ */
3725++
3726++ size = 9;
3727++ if (digits) size--;
3728++ if (uppers) size--;
3729++ if (lowers) size--;
3730++ if (others) size--;
3731++
3732++ if (size <= i)
3733++ return 0;
3734++
3735++ return 1;
3736++}
3737++
3738++static char *str_lower(char *string) {
3739++ char *cp;
3740++
3741++ for (cp = string; *cp; cp++)
3742++ *cp = tolower(*cp);
3743++ return string;
3744++}
3745++
3746++static const char * password_check(const char *old, const char *new,
3747++ const struct passwd *pwdp) {
3748++ const char *msg = NULL;
3749++ char *oldmono, *newmono, *wrapped;
3750++
3751++ if (strcmp(new, old) == 0)
3752++ return _("Bad: new password must be different than the old one");
3753++
3754++ newmono = str_lower(strdup(new));
3755++ oldmono = str_lower(strdup(old));
3756++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
3757++ strcpy (wrapped, oldmono);
3758++ strcat (wrapped, oldmono);
3759++
3760++ if (palindrome(oldmono, newmono)) {
3761++ msg = _("Bad: new password cannot be a palindrome");
3762++ } else if (strcmp(oldmono, newmono) == 0) {
3763++ msg = _("Bad: new and old password must differ by more than just case");
3764++ } else if (similar(oldmono, newmono)) {
3765++ msg = _("Bad: new and old password are too similar");
3766++ } else if (simple(old, new)) {
3767++ msg = _("Bad: new password is too simple");
3768++ } else if (strstr(wrapped, newmono)) {
3769++ msg = _("Bad: new password is just a wrapped version of the old one");
3770++ }
3771++
3772++ _pam_delete(newmono);
3773++ _pam_delete(oldmono);
3774++ _pam_delete(wrapped);
3775++
3776++ return msg;
3777++}
3778++
3779++const char *obscure_msg(const char *old, const char *new,
3780++ const struct passwd *pwdp, unsigned int ctrl) {
3781++ int oldlen, newlen;
3782++ char *new1, *old1;
3783++ const char *msg;
3784++
3785++ if (old == NULL)
3786++ return NULL; /* no check if old is NULL */
3787++
3788++ oldlen = strlen(old);
3789++ newlen = strlen(new);
3790++
3791++ /* Remaining checks are optional. */
3792++ if (off(UNIX_OBSCURE_CHECKS,ctrl))
3793++ return NULL;
3794++
3795++ if ((msg = password_check(old, new, pwdp)) != NULL)
3796++ return msg;
3797++
3798++ /* The traditional crypt() truncates passwords to 8 chars. It is
3799++ possible to circumvent the above checks by choosing an easy
3800++ 8-char password and adding some random characters to it...
3801++ Example: "password$%^&*123". So check it again, this time
3802++ truncated to the maximum length. Idea from npasswd. --marekm */
3803++
3804++ if (!UNIX_DES_CRYPT(ctrl))
3805++ return NULL; /* unlimited password length */
3806++
3807++ if (oldlen <= 8 && newlen <= 8)
3808++ return NULL;
3809++
3810++ new1 = strndup(new,8);
3811++ old1 = strndup(old,8);
3812++
3813++ msg = password_check(old1, new1, pwdp);
3814++
3815++ _pam_delete(new1);
3816++ _pam_delete(old1);
3817++
3818++ return msg;
3819++}
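Review bot: password_check() passes the results of strdup(new), strdup(old) and malloc(strlen(oldmono) * 2 + 1) straight to str_lower() and strcpy() without a NULL check, and obscure_msg() does the same with both strndup() results, so an allocation failure during a password change becomes a NULL dereference; check each allocation and fail the change with an error instead. obscure_msg() also guards old == NULL but calls strlen(new) unguarded. In simple() and str_lower() the isdigit/isupper/islower/tolower calls receive plain char, which is undefined for negative values where char is signed; cast the argument to unsigned char. It is also worth documenting at similar() that it returns 0 for any new password of 8 or more characters, so the "too similar" test only ever applies to shorter ones.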
3820+Index: pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c
3821+===================================================================
3822+--- /dev/null
3823++++ pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c
3824+@@ -0,0 +1,304 @@
3825++/*
3826++ * Copyright Elliot Lee, 1996. All rights reserved.
3827++ * Copyright Jan R\EAkorajski, 1999. All rights reserved.
3828++ *
3829++ * Redistribution and use in source and binary forms, with or without
3830++ * modification, are permitted provided that the following conditions
3831++ * are met:
3832++ * 1. Redistributions of source code must retain the above copyright
3833++ * notice, and the entire permission notice in its entirety,
3834++ * including the disclaimer of warranties.
3835++ * 2. Redistributions in binary form must reproduce the above copyright
3836++ * notice, this list of conditions and the following disclaimer in the
3837++ * documentation and/or other materials provided with the distribution.
3838++ * 3. The name of the author may not be used to endorse or promote
3839++ * products derived from this software without specific prior
3840++ * written permission.
3841++ *
3842++ * ALTERNATIVELY, this product may be distributed under the terms of
3843++ * the GNU Public License, in which case the provisions of the GPL are
3844++ * required INSTEAD OF the above restrictions. (This clause is
3845++ * necessary due to a potential bad interaction between the GPL and
3846++ * the restrictions contained in a BSD-style copyright.)
3847++ *
3848++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
3849++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3850++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
3851++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
3852++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
3853++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
3854++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3855++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
3856++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
3857++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
3858++ * OF THE POSSIBILITY OF SUCH DAMAGE.
3859++ */
3860++
3861++#include "config.h"
3862++
3863++#include <stdlib.h>
3864++#include <stdio.h>
3865++#include <string.h>
3866++#include <unistd.h>
3867++#include <sys/types.h>
3868++#include <sys/resource.h>
3869++#include <syslog.h>
3870++#include <pwd.h>
3871++#include <shadow.h>
3872++#include <time.h> /* for time() */
3873++#include <errno.h>
3874++#include <sys/wait.h>
3875++
3876++#include <security/_pam_macros.h>
3877++
3878++/* indicate that the following groups are defined */
3879++
3880++#ifdef PAM_STATIC
3881++# include "pam_unix_static.h"
3882++#else
3883++# define PAM_SM_ACCOUNT
3884++#endif
3885++
3886++#include <security/pam_modules.h>
3887++#include <security/pam_ext.h>
3888++#include <security/pam_modutil.h>
3889++
3890++#include "support.h"
3891++#include "passverify.h"
3892++
3893++int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
3894++ const char *user, int *daysleft)
3895++{
3896++ int retval=0, child, fds[2];
3897++ struct sigaction newsa, oldsa;
3898++ D(("running verify_binary"));
3899++
3900++ /* create a pipe for the messages */
3901++ if (pipe(fds) != 0) {
3902++ D(("could not make pipe"));
3903++ pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m");
3904++ return PAM_AUTH_ERR;
3905++ }
3906++ D(("called."));
3907++
3908++ if (off(UNIX_NOREAP, ctrl)) {
3909++ /*
3910++ * This code arranges that the demise of the child does not cause
3911++ * the application to receive a signal it is not expecting - which
3912++ * may kill the application or worse.
3913++ *
3914++ * The "noreap" module argument is provided so that the admin can
3915++ * override this behavior.
3916++ */
3917++ memset(&newsa, '\0', sizeof(newsa));
3918++ newsa.sa_handler = SIG_DFL;
3919++ sigaction(SIGCHLD, &newsa, &oldsa);
3920++ }
3921++
3922++ /* fork */
3923++ child = fork();
3924++ if (child == 0) {
3925++ int i=0;
3926++ struct rlimit rlim;
3927++ static char *envp[] = { NULL };
3928++ char *args[] = { NULL, NULL, NULL, NULL };
3929++
3930++ /* reopen stdout as pipe */
3931++ dup2(fds[1], STDOUT_FILENO);
3932++
3933++ /* XXX - should really tidy up PAM here too */
3934++
3935++ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
3936++ if (rlim.rlim_max >= MAX_FD_NO)
3937++ rlim.rlim_max = MAX_FD_NO;
3938++ for (i=0; i < (int)rlim.rlim_max; i++) {
3939++ if (i != STDOUT_FILENO) {
3940++ close(i);
3941++ }
3942++ }
3943++ }
3944++
3945++ if (geteuid() == 0) {
3946++ /* must set the real uid to 0 so the helper will not error
3947++ out if pam is called from setuid binary (su, sudo...) */
3948++ if (setuid(0) == -1) {
3949++ pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
3950++ printf("-1\n");
3951++ fflush(stdout);
3952++ _exit(PAM_AUTHINFO_UNAVAIL);
3953++ }
3954++ }
3955++
3956++ /* exec binary helper */
3957++ args[0] = x_strdup(CHKPWD_HELPER);
3958++ args[1] = x_strdup(user);
3959++ args[2] = x_strdup("chkexpiry");
3960++
3961++ execve(CHKPWD_HELPER, args, envp);
3962++
3963++ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
3964++ /* should not get here: exit with error */
3965++ D(("helper binary is not available"));
3966++ printf("-1\n");
3967++ fflush(stdout);
3968++ _exit(PAM_AUTHINFO_UNAVAIL);
3969++ } else {
3970++ close(fds[1]);
3971++ if (child > 0) {
3972++ char buf[32];
3973++ int rc=0;
3974++ /* wait for helper to complete: */
3975++ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
3976++ if (rc<0) {
3977++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd waitpid returned %d: %m", rc);
3978++ retval = PAM_AUTH_ERR;
3979++ } else if (!WIFEXITED(retval)) {
3980++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd abnormal exit: %d", retval);
3981++ retval = PAM_AUTH_ERR;
3982++ } else {
3983++ retval = WEXITSTATUS(retval);
3984++ rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
3985++ if(rc > 0) {
3986++ buf[rc] = '\0';
3987++ if (sscanf(buf,"%d", daysleft) != 1 )
3988++ retval = PAM_AUTH_ERR;
3989++ }
3990++ else {
3991++ pam_syslog(pamh, LOG_ERR, "read pam_extrausers_chkpwd output error %d: %m", rc);
3992++ retval = PAM_AUTH_ERR;
3993++ }
3994++ }
3995++ } else {
3996++ pam_syslog(pamh, LOG_ERR, "Fork failed: %m");
3997++ D(("fork failed"));
3998++ retval = PAM_AUTH_ERR;
3999++ }
4000++ close(fds[0]);
4001++ }
4002++
4003++ if (off(UNIX_NOREAP, ctrl)) {
4004++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
4005++ }
4006++
4007++ D(("Returning %d",retval));
4008++ return retval;
4009++}
4010++
4011++/*
4012++ * PAM framework looks for this entry-point to pass control to the
4013++ * account management module.
4014++ */
4015++
4016++int
4017++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
4018++{
4019++ unsigned int ctrl;
4020++ const void *void_uname;
4021++ const char *uname;
4022++ int retval, daysleft;
4023++ struct spwd *spent;
4024++ struct passwd *pwent;
4025++ char buf[256];
4026++
4027++ D(("called."));
4028++
4029++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
4030++
4031++ retval = pam_get_item(pamh, PAM_USER, &void_uname);
4032++ uname = void_uname;
4033++ D(("user = `%s'", uname));
4034++ if (retval != PAM_SUCCESS || uname == NULL) {
4035++ pam_syslog(pamh, LOG_ALERT,
4036++ "could not identify user (from uid=%lu)",
4037++ (unsigned long int)getuid());
4038++ return PAM_USER_UNKNOWN;
4039++ }
4040++
4041++ retval = get_account_info(pamh, uname, &pwent, &spent);
4042++ if (retval == PAM_USER_UNKNOWN) {
4043++ pam_syslog(pamh, LOG_ALERT,
4044++ "could not identify user (from getpwnam(%s))",
4045++ uname);
4046++ return retval;
4047++ }
4048++
4049++ if (retval == PAM_SUCCESS && spent == NULL)
4050++ return PAM_SUCCESS;
4051++
4052++ if (retval == PAM_UNIX_RUN_HELPER) {
4053++ retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft);
4054++ if (retval == PAM_AUTHINFO_UNAVAIL &&
4055++ on(UNIX_BROKEN_SHADOW, ctrl))
4056++ return PAM_SUCCESS;
4057++ } else if (retval != PAM_SUCCESS) {
4058++ if (on(UNIX_BROKEN_SHADOW,ctrl))
4059++ return PAM_SUCCESS;
4060++ else
4061++ return retval;
4062++ } else
4063++ retval = check_shadow_expiry(pamh, spent, &daysleft);
4064++
4065++ switch (retval) {
4066++ case PAM_ACCT_EXPIRED:
4067++ pam_syslog(pamh, LOG_NOTICE,
4068++ "account %s has expired (account expired)",
4069++ uname);
4070++ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
4071++ _("Your account has expired; please contact your system administrator"));
4072++ break;
4073++ case PAM_NEW_AUTHTOK_REQD:
4074++ if (daysleft == 0) {
4075++ pam_syslog(pamh, LOG_NOTICE,
4076++ "expired password for user %s (root enforced)",
4077++ uname);
4078++ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
4079++ _("You are required to change your password immediately (root enforced)"));
4080++ } else {
4081++ pam_syslog(pamh, LOG_DEBUG,
4082++ "expired password for user %s (password aged)",
4083++ uname);
4084++ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
4085++ _("You are required to change your password immediately (password aged)"));
4086++ }
4087++ break;
4088++ case PAM_AUTHTOK_EXPIRED:
4089++ pam_syslog(pamh, LOG_NOTICE,
4090++ "account %s has expired (failed to change password)",
4091++ uname);
4092++ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
4093++ _("Your account has expired; please contact your system administrator"));
4094++ break;
4095++ case PAM_AUTHTOK_ERR:
4096++ retval = PAM_SUCCESS;
4097++ /* fallthrough */
4098++ case PAM_SUCCESS:
4099++ if (daysleft >= 0) {
4100++ pam_syslog(pamh, LOG_DEBUG,
4101++ "password for user %s will expire in %d days",
4102++ uname, daysleft);
4103++#if defined HAVE_DNGETTEXT && defined ENABLE_NLS
4104++ snprintf (buf, sizeof (buf),
4105++ dngettext(PACKAGE,
4106++ "Warning: your password will expire in %d day",
4107++ "Warning: your password will expire in %d days",
4108++ daysleft),
4109++ daysleft);
4110++#else
4111++ if (daysleft == 1)
4112++ snprintf(buf, sizeof (buf),
4113++ _("Warning: your password will expire in %d day"),
4114++ daysleft);
4115++ else
4116++ snprintf(buf, sizeof (buf),
4117++ /* TRANSLATORS: only used if dngettext is not supported */
4118++ _("Warning: your password will expire in %d days"),
4119++ daysleft);
4120++#endif
4121++ _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
4122++ }
4123++ }
4124++
4125++ D(("all done"));
4126++
4127++ return retval;
4128++}
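Review bot: In the child branch of _unix_run_verify_binary() the descriptor cleanup runs only inside if (getrlimit(RLIMIT_NOFILE,&rlim)==0), and the return value of dup2(fds[1], STDOUT_FILENO) is not checked. If getrlimit fails, CHKPWD_HELPER is executed with every descriptor the calling application had open, including fds[0]; if dup2 fails, the helper writes its result to whatever stdout the application had. Check dup2 and _exit on failure, and fall back to closing up to MAX_FD_NO when getrlimit fails rather than skipping the loop. In pam_sm_acct_mgmt(), D(("user = `%s'", uname)) runs before the uname == NULL test that follows it; move the trace below the check.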
4129+Index: pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c
4130+===================================================================
4131+--- /dev/null
4132++++ pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c
4133+@@ -0,0 +1,218 @@
4134++/*
4135++ * Copyright Alexander O. Yuriev, 1996. All rights reserved.
4136++ * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de>
4137++ * Copyright Jan R\EAkorajski, 1999. All rights reserved.
4138++ *
4139++ * Redistribution and use in source and binary forms, with or without
4140++ * modification, are permitted provided that the following conditions
4141++ * are met:
4142++ * 1. Redistributions of source code must retain the above copyright
4143++ * notice, and the entire permission notice in its entirety,
4144++ * including the disclaimer of warranties.
4145++ * 2. Redistributions in binary form must reproduce the above copyright
4146++ * notice, this list of conditions and the following disclaimer in the
4147++ * documentation and/or other materials provided with the distribution.
4148++ * 3. The name of the author may not be used to endorse or promote
4149++ * products derived from this software without specific prior
4150++ * written permission.
4151++ *
4152++ * ALTERNATIVELY, this product may be distributed under the terms of
4153++ * the GNU Public License, in which case the provisions of the GPL are
4154++ * required INSTEAD OF the above restrictions. (This clause is
4155++ * necessary due to a potential bad interaction between the GPL and
4156++ * the restrictions contained in a BSD-style copyright.)
4157++ *
4158++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
4159++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
4160++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
4161++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
4162++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
4163++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
4164++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4165++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4166++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4167++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
4168++ * OF THE POSSIBILITY OF SUCH DAMAGE.
4169++ */
4170++
4171++#include "config.h"
4172++
4173++#include <stdio.h>
4174++#include <stdlib.h>
4175++#include <stdarg.h>
4176++#include <string.h>
4177++#include <unistd.h>
4178++#include <fcntl.h>
4179++#include <ctype.h>
4180++#include <sys/types.h>
4181++#include <sys/stat.h>
4182++#include <syslog.h>
4183++
4184++/* indicate the following groups are defined */
4185++
4186++#ifdef PAM_STATIC
4187++# include "pam_unix_static.h"
4188++#else
4189++# define PAM_SM_AUTH
4190++#endif
4191++
4192++#define _PAM_EXTERN_FUNCTIONS
4193++#include <security/_pam_macros.h>
4194++#include <security/pam_modules.h>
4195++#include <security/pam_ext.h>
4196++
4197++#include "support.h"
4198++
4199++/*
4200++ * PAM framework looks for these entry-points to pass control to the
4201++ * authentication module.
4202++ */
4203++
4204++/* Fun starts here :)
4205++
4206++ * pam_sm_authenticate() performs UNIX/shadow authentication
4207++ *
4208++ * First, if shadow support is available, attempt to perform
4209++ * authentication using shadow passwords. If shadow is not
4210++ * available, or user does not have a shadow password, fallback
4211++ * onto a normal UNIX authentication
4212++ */
4213++
4214++#define _UNIX_AUTHTOK "-UN*X-PASS"
4215++
4216++#define AUTH_RETURN \
4217++do { \
4218++ if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \
4219++ D(("recording return code for next time [%d]", \
4220++ retval)); \
4221++ *ret_data = retval; \
4222++ pam_set_data(pamh, "unix_setcred_return", \
4223++ (void *) ret_data, setcred_free); \
4224++ } else if (ret_data) \
4225++ free (ret_data); \
4226++ D(("done. [%s]", pam_strerror(pamh, retval))); \
4227++ return retval; \
4228++} while (0)
4229++
4230++
4231++static void
4232++setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
4233++{
4234++ if (ptr)
4235++ free (ptr);
4236++}
4237++
4238++int
4239++pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
4240++{
4241++ unsigned int ctrl;
4242++ int retval, *ret_data = NULL;
4243++ const char *name;
4244++ const void *p;
4245++
4246++ D(("called."));
4247++
4248++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
4249++
4250++ /* Get a few bytes so we can pass our return value to
4251++ pam_sm_setcred(). */
4252++ if (on(UNIX_LIKE_AUTH, ctrl))
4253++ ret_data = malloc(sizeof(int));
4254++
4255++ /* get the user'name' */
4256++
4257++ retval = pam_get_user(pamh, &name, NULL);
4258++ if (retval == PAM_SUCCESS) {
4259++ /*
4260++ * Various libraries at various times have had bugs related to
4261++ * '+' or '-' as the first character of a user name. Don't
4262++ * allow this characters here.
4263++ */
4264++ if (name == NULL || name[0] == '-' || name[0] == '+') {
4265++ pam_syslog(pamh, LOG_ERR, "bad username [%s]", name);
4266++ retval = PAM_USER_UNKNOWN;
4267++ AUTH_RETURN;
4268++ }
4269++ if (on(UNIX_DEBUG, ctrl))
4270++ D(("username [%s] obtained", name));
4271++ } else {
4272++ D(("trouble reading username"));
4273++ if (retval == PAM_CONV_AGAIN) {
4274++ D(("pam_get_user/conv() function is not ready yet"));
4275++ /* it is safe to resume this function so we translate this
4276++ * retval to the value that indicates we're happy to resume.
4277++ */
4278++ retval = PAM_INCOMPLETE;
4279++ }
4280++ AUTH_RETURN;
4281++ }
4282++
4283++ /* if this user does not have a password... */
4284++
4285++ if (_unix_blankpasswd(pamh, ctrl, name)) {
4286++ D(("user '%s' has blank passwd", name));
4287++ name = NULL;
4288++ retval = PAM_SUCCESS;
4289++ AUTH_RETURN;
4290++ }
4291++ /* get this user's authentication token */
4292++
4293++ retval = _unix_read_password(pamh, ctrl, NULL, _("Password: "), NULL
4294++ ,_UNIX_AUTHTOK, &p);
4295++ if (retval != PAM_SUCCESS) {
4296++ if (retval != PAM_CONV_AGAIN) {
4297++ pam_syslog(pamh, LOG_CRIT,
4298++ "auth could not identify password for [%s]", name);
4299++ } else {
4300++ D(("conversation function is not ready yet"));
4301++ /*
4302++ * it is safe to resume this function so we translate this
4303++ * retval to the value that indicates we're happy to resume.
4304++ */
4305++ retval = PAM_INCOMPLETE;
4306++ }
4307++ name = NULL;
4308++ AUTH_RETURN;
4309++ }
4310++ D(("user=%s, password=[%s]", name, p));
4311++
4312++ /* verify the password of this user */
4313++ retval = _unix_verify_password(pamh, name, p, ctrl);
4314++ name = p = NULL;
4315++
4316++ AUTH_RETURN;
4317++}
4318++
4319++
4320++/*
4321++ * The only thing _pam_set_credentials_unix() does is initialization of
4322++ * UNIX group IDs.
4323++ *
4324++ * Well, everybody but me on linux-pam is convinced that it should not
4325++ * initialize group IDs, so I am not doing it but don't say that I haven't
4326++ * warned you. -- AOY
4327++ */
4328++
4329++int
4330++pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
4331++ int argc UNUSED, const char **argv UNUSED)
4332++{
4333++ int retval;
4334++ const void *pretval = NULL;
4335++
4336++ D(("called."));
4337++
4338++ retval = PAM_SUCCESS;
4339++
4340++ D(("recovering return code from auth call"));
4341++ /* We will only find something here if UNIX_LIKE_AUTH is set --
4342++ don't worry about an explicit check of argv. */
4343++ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
4344++ && pretval) {
4345++ retval = *(const int *)pretval;
4346++ pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
4347++ D(("recovered data indicates that old retval was %d", retval));
4348++ }
4349++
4350++ return retval;
4351++}
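Review bot: In pam_sm_authenticate(), D(("user=%s, password=[%s]", name, p)) writes the cleartext authentication token to the debug trace wherever the D() macro is enabled; drop the password from that message and log only that a token was obtained. A few lines earlier, the bad-username branch is entered when name == NULL and then passes name to pam_syslog(pamh, LOG_ERR, "bad username [%s]", name), so a NULL pointer reaches a %s conversion; log a fixed placeholder in the NULL case. The blank-password path returns PAM_SUCCESS before any token is read, so a comment there pointing at the option that controls _unix_blankpasswd() would help a reviewer confirm that this is policy and not an oversight.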
4352+Index: pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c
4353+===================================================================
4354+--- /dev/null
4355++++ pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c
4356+@@ -0,0 +1,843 @@
4357++/*
4358++ * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
4359++ * Copyright (C) 1996.
4360++ * Copyright (c) Jan Rêkorajski, 1999.
4361++ * Copyright (c) Red Hat, Inc., 2007, 2008.
4362++ *
4363++ * Redistribution and use in source and binary forms, with or without
4364++ * modification, are permitted provided that the following conditions
4365++ * are met:
4366++ * 1. Redistributions of source code must retain the above copyright
4367++ * notice, and the entire permission notice in its entirety,
4368++ * including the disclaimer of warranties.
4369++ * 2. Redistributions in binary form must reproduce the above copyright
4370++ * notice, this list of conditions and the following disclaimer in the
4371++ * documentation and/or other materials provided with the distribution.
4372++ * 3. The name of the author may not be used to endorse or promote
4373++ * products derived from this software without specific prior
4374++ * written permission.
4375++ *
4376++ * ALTERNATIVELY, this product may be distributed under the terms of
4377++ * the GNU Public License, in which case the provisions of the GPL are
4378++ * required INSTEAD OF the above restrictions. (This clause is
4379++ * necessary due to a potential bad interaction between the GPL and
4380++ * the restrictions contained in a BSD-style copyright.)
4381++ *
4382++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
4383++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
4384++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
4385++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
4386++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
4387++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
4388++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4389++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4390++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4391++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
4392++ * OF THE POSSIBILITY OF SUCH DAMAGE.
4393++ */
4394++
4395++#include "config.h"
4396++
4397++#include <stdio.h>
4398++#include <stdlib.h>
4399++#include <stdarg.h>
4400++#include <string.h>
4401++#include <malloc.h>
4402++#include <unistd.h>
4403++#include <errno.h>
4404++#include <sys/types.h>
4405++#include <pwd.h>
4406++#include <syslog.h>
4407++#include <shadow.h>
4408++#include <time.h> /* for time() */
4409++#include <fcntl.h>
4410++#include <ctype.h>
4411++#include <sys/time.h>
4412++#include <sys/stat.h>
4413++
4414++#include <signal.h>
4415++#include <errno.h>
4416++#include <sys/wait.h>
4417++#include <sys/resource.h>
4418++
4419++#include <security/_pam_macros.h>
4420++
4421++/* indicate the following groups are defined */
4422++
4423++#ifdef PAM_STATIC
4424++# include "pam_unix_static.h"
4425++#else
4426++# define PAM_SM_PASSWORD
4427++#endif
4428++
4429++#include <security/pam_modules.h>
4430++#include <security/pam_ext.h>
4431++#include <security/pam_modutil.h>
4432++
4433++#include "md5.h"
4434++#include "support.h"
4435++#include "passverify.h"
4436++#include "bigcrypt.h"
4437++
4438++#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
4439++# define HAVE_NIS
4440++#endif
4441++
4442++#ifdef HAVE_NIS
4443++# include <rpc/rpc.h>
4444++
4445++# if HAVE_RPCSVC_YP_PROT_H
4446++# include <rpcsvc/yp_prot.h>
4447++# endif
4448++
4449++# if HAVE_RPCSVC_YPCLNT_H
4450++# include <rpcsvc/ypclnt.h>
4451++# endif
4452++
4453++# include "yppasswd.h"
4454++
4455++# if !HAVE_DECL_GETRPCPORT
4456++extern int getrpcport(const char *host, unsigned long prognum,
4457++ unsigned long versnum, unsigned int proto);
4458++# endif /* GNU libc 2.1 */
4459++#endif
4460++
4461++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
4462++ unsigned int);
4463++
4464++/*
4465++ How it works:
4466++ Gets in username (has to be done) from the calling program
4467++ Does authentication of user (only if we are not running as root)
4468++ Gets new password/checks for sanity
4469++ Sets it.
4470++ */
4471++
4472++/* data tokens */
4473++
4474++#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS"
4475++#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS"
4476++
4477++#define MAX_PASSWD_TRIES 3
4478++
4479++#ifdef HAVE_NIS
4480++static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
4481++{
4482++ char *master;
4483++ char *domainname;
4484++ int port, err;
4485++
4486++#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
4487++ if ((err = yp_get_default_domain(&domainname)) != 0) {
4488++ pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s",
4489++ yperr_string(err));
4490++ return NULL;
4491++ }
4492++#elif defined(HAVE_GETDOMAINNAME)
4493++ char domainname_res[256];
4494++
4495++ if (getdomainname (domainname_res, sizeof (domainname_res)) == 0)
4496++ {
4497++ if (strcmp (domainname_res, "(none)") == 0)
4498++ {
4499++ /* If domainname is not set, some systems will return "(none)" */
4500++ domainname_res[0] = '\0';
4501++ }
4502++ domainname = domainname_res;
4503++ }
4504++ else domainname = NULL;
4505++#endif
4506++
4507++ if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
4508++ pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s",
4509++ yperr_string(err));
4510++ return NULL;
4511++ }
4512++ port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
4513++ if (port == 0) {
4514++ pam_syslog(pamh, LOG_WARNING,
4515++ "yppasswdd not running on NIS master host");
4516++ return NULL;
4517++ }
4518++ if (port >= IPPORT_RESERVED) {
4519++ pam_syslog(pamh, LOG_WARNING,
4520++ "yppasswd daemon running on illegal port");
4521++ return NULL;
4522++ }
4523++ if (on(UNIX_DEBUG, ctrl)) {
4524++ pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d",
4525++ master, port);
4526++ }
4527++ return master;
4528++}
4529++#endif
4530++
4531++#ifdef WITH_SELINUX
4532++
4533++static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
4534++ const char *fromwhat, const char *towhat, int remember)
4535++{
4536++ int retval, child, fds[2];
4537++ struct sigaction newsa, oldsa;
4538++
4539++ D(("called."));
4540++ /* create a pipe for the password */
4541++ if (pipe(fds) != 0) {
4542++ D(("could not make pipe"));
4543++ return PAM_AUTH_ERR;
4544++ }
4545++
4546++ if (off(UNIX_NOREAP, ctrl)) {
4547++ /*
4548++ * This code arranges that the demise of the child does not cause
4549++ * the application to receive a signal it is not expecting - which
4550++ * may kill the application or worse.
4551++ *
4552++ * The "noreap" module argument is provided so that the admin can
4553++ * override this behavior.
4554++ */
4555++ memset(&newsa, '\0', sizeof(newsa));
4556++ newsa.sa_handler = SIG_DFL;
4557++ sigaction(SIGCHLD, &newsa, &oldsa);
4558++ }
4559++
4560++ /* fork */
4561++ child = fork();
4562++ if (child == 0) {
4563++ int i=0;
4564++ struct rlimit rlim;
4565++ static char *envp[] = { NULL };
4566++ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
4567++ char buffer[16];
4568++
4569++ /* XXX - should really tidy up PAM here too */
4570++
4571++ /* reopen stdin as pipe */
4572++ dup2(fds[0], STDIN_FILENO);
4573++
4574++ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
4575++ if (rlim.rlim_max >= MAX_FD_NO)
4576++ rlim.rlim_max = MAX_FD_NO;
4577++ for (i=0; i < (int)rlim.rlim_max; i++) {
4578++ if (i != STDIN_FILENO)
4579++ close(i);
4580++ }
4581++ }
4582++
4583++ /* exec binary helper */
4584++ args[0] = x_strdup(UPDATE_HELPER);
4585++ args[1] = x_strdup(user);
4586++ args[2] = x_strdup("update");
4587++ if (on(UNIX_SHADOW, ctrl))
4588++ args[3] = x_strdup("1");
4589++ else
4590++ args[3] = x_strdup("0");
4591++
4592++ snprintf(buffer, sizeof(buffer), "%d", remember);
4593++ args[4] = x_strdup(buffer);
4594++
4595++ execve(UPDATE_HELPER, args, envp);
4596++
4597++ /* should not get here: exit with error */
4598++ D(("helper binary is not available"));
4599++ _exit(PAM_AUTHINFO_UNAVAIL);
4600++ } else if (child > 0) {
4601++ /* wait for child */
4602++ /* if the stored password is NULL */
4603++ int rc=0;
4604++ if (fromwhat)
4605++ pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
4606++ else
4607++ pam_modutil_write(fds[1], "", 1);
4608++ if (towhat) {
4609++ pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
4610++ }
4611++ else
4612++ pam_modutil_write(fds[1], "", 1);
4613++
4614++ close(fds[0]); /* close here to avoid possible SIGPIPE above */
4615++ close(fds[1]);
4616++ /* wait for helper to complete: */
4617++ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
4618++ if (rc<0) {
4619++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_update waitpid failed: %m");
4620++ retval = PAM_AUTHTOK_ERR;
4621++ } else if (!WIFEXITED(retval)) {
4622++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_update abnormal exit: %d", retval);
4623++ retval = PAM_AUTHTOK_ERR;
4624++ } else {
4625++ retval = WEXITSTATUS(retval);
4626++ }
4627++ } else {
4628++ D(("fork failed"));
4629++ close(fds[0]);
4630++ close(fds[1]);
4631++ retval = PAM_AUTH_ERR;
4632++ }
4633++
4634++ if (off(UNIX_NOREAP, ctrl)) {
4635++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
4636++ }
4637++
4638++ return retval;
4639++}
4640++#endif
4641++
4642++static int check_old_password(const char *forwho, const char *newpass)
4643++{
4644++ static char buf[16384];
4645++ char *s_luser, *s_uid, *s_npas, *s_pas;
4646++ int retval = PAM_SUCCESS;
4647++ FILE *opwfile;
4648++ size_t len = strlen(forwho);
4649++
4650++ opwfile = fopen(OLD_PASSWORDS_FILE, "r");
4651++ if (opwfile == NULL)
4652++ return PAM_ABORT;
4653++
4654++ while (fgets(buf, 16380, opwfile)) {
4655++ if (!strncmp(buf, forwho, len) && (buf[len] == ':' ||
4656++ buf[len] == ',')) {
4657++ char *sptr;
4658++ buf[strlen(buf) - 1] = '\0';
4659++ s_luser = strtok_r(buf, ":,", &sptr);
4660++ s_uid = strtok_r(NULL, ":,", &sptr);
4661++ s_npas = strtok_r(NULL, ":,", &sptr);
4662++ s_pas = strtok_r(NULL, ":,", &sptr);
4663++ while (s_pas != NULL) {
4664++ char *md5pass = Goodcrypt_md5(newpass, s_pas);
4665++ if (!strcmp(md5pass, s_pas)) {
4666++ _pam_delete(md5pass);
4667++ retval = PAM_AUTHTOK_ERR;
4668++ break;
4669++ }
4670++ s_pas = strtok_r(NULL, ":,", &sptr);
4671++ _pam_delete(md5pass);
4672++ }
4673++ break;
4674++ }
4675++ }
4676++ fclose(opwfile);
4677++
4678++ return retval;
4679++}
4680++
4681++static int _do_setpass(pam_handle_t* pamh, const char *forwho,
4682++ const char *fromwhat,
4683++ char *towhat, unsigned int ctrl, int remember)
4684++{
4685++ struct passwd *pwd = NULL;
4686++ int retval = 0;
4687++ int unlocked = 0;
4688++ char *master = NULL;
4689++
4690++ D(("called"));
4691++
4692++ pwd = getpwnam(forwho);
4693++
4694++ if (pwd == NULL) {
4695++ retval = PAM_AUTHTOK_ERR;
4696++ goto done;
4697++ }
4698++
4699++ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
4700++#ifdef HAVE_NIS
4701++ if ((master=getNISserver(pamh, ctrl)) != NULL) {
4702++ struct timeval timeout;
4703++ struct yppasswd yppwd;
4704++ CLIENT *clnt;
4705++ int status;
4706++ enum clnt_stat err;
4707++
4708++ /* Unlock passwd file to avoid deadlock */
4709++ unlock_pwdf();
4710++ unlocked = 1;
4711++
4712++ /* Initialize password information */
4713++ yppwd.newpw.pw_passwd = pwd->pw_passwd;
4714++ yppwd.newpw.pw_name = pwd->pw_name;
4715++ yppwd.newpw.pw_uid = pwd->pw_uid;
4716++ yppwd.newpw.pw_gid = pwd->pw_gid;
4717++ yppwd.newpw.pw_gecos = pwd->pw_gecos;
4718++ yppwd.newpw.pw_dir = pwd->pw_dir;
4719++ yppwd.newpw.pw_shell = pwd->pw_shell;
4720++ yppwd.oldpass = fromwhat ? strdup (fromwhat) : strdup ("");
4721++ yppwd.newpw.pw_passwd = towhat;
4722++
4723++ D(("Set password %s for %s", yppwd.newpw.pw_passwd, forwho));
4724++
4725++ /* The yppasswd.x file said `unix authentication required',
4726++ * so I added it. This is the only reason it is in here.
4727++ * My yppasswdd doesn't use it, but maybe some others out there
4728++ * do. --okir
4729++ */
4730++ clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
4731++ clnt->cl_auth = authunix_create_default();
4732++ memset((char *) &status, '\0', sizeof(status));
4733++ timeout.tv_sec = 25;
4734++ timeout.tv_usec = 0;
4735++ err = clnt_call(clnt, YPPASSWDPROC_UPDATE,
4736++ (xdrproc_t) xdr_yppasswd, (char *) &yppwd,
4737++ (xdrproc_t) xdr_int, (char *) &status,
4738++ timeout);
4739++
4740++ free (yppwd.oldpass);
4741++
4742++ if (err) {
4743++ _make_remark(pamh, ctrl, PAM_TEXT_INFO,
4744++ clnt_sperrno(err));
4745++ } else if (status) {
4746++ D(("Error while changing NIS password.\n"));
4747++ }
4748++ D(("The password has%s been changed on %s.",
4749++ (err || status) ? " not" : "", master));
4750++ pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s",
4751++ (err || status) ? " not" : "", pwd->pw_name, master);
4752++
4753++ auth_destroy(clnt->cl_auth);
4754++ clnt_destroy(clnt);
4755++ if (err || status) {
4756++ _make_remark(pamh, ctrl, PAM_TEXT_INFO,
4757++ _("NIS password could not be changed."));
4758++ retval = PAM_TRY_AGAIN;
4759++ }
4760++#ifdef PAM_DEBUG
4761++ sleep(5);
4762++#endif
4763++ } else {
4764++ retval = PAM_TRY_AGAIN;
4765++ }
4766++#else
4767++ if (on(UNIX_DEBUG, ctrl)) {
4768++ pam_syslog(pamh, LOG_DEBUG, "No NIS support available");
4769++ }
4770++
4771++ retval = PAM_TRY_AGAIN;
4772++#endif
4773++ }
4774++
4775++ if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
4776++ if(unlocked) {
4777++ if (lock_pwdf() != PAM_SUCCESS) {
4778++ return PAM_AUTHTOK_LOCK_BUSY;
4779++ }
4780++ }
4781++#ifdef WITH_SELINUX
4782++ if (unix_selinux_confined())
4783++ return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
4784++#endif
4785++ /* first, save old password */
4786++ if (save_old_password(pamh, forwho, fromwhat, remember)) {
4787++ retval = PAM_AUTHTOK_ERR;
4788++ goto done;
4789++ }
4790++ if (on(UNIX_SHADOW, ctrl) || is_pwd_shadowed(pwd)) {
4791++ retval = unix_update_shadow(pamh, forwho, towhat);
4792++ if (retval == PAM_SUCCESS)
4793++ if (!is_pwd_shadowed(pwd))
4794++ retval = unix_update_passwd(pamh, forwho, "x");
4795++ } else {
4796++ retval = unix_update_passwd(pamh, forwho, towhat);
4797++ }
4798++ }
4799++
4800++
4801++done:
4802++ unlock_pwdf();
4803++
4804++ return retval;
4805++}
4806++
4807++static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl)
4808++{
4809++ struct passwd *pwent = NULL; /* Password and shadow password */
4810++ struct spwd *spent = NULL; /* file entries for the user */
4811++ int daysleft;
4812++ int retval;
4813++
4814++ retval = get_account_info(pamh, user, &pwent, &spent);
4815++ if (retval == PAM_USER_UNKNOWN) {
4816++ return retval;
4817++ }
4818++
4819++ if (retval == PAM_SUCCESS && spent == NULL)
4820++ return PAM_SUCCESS;
4821++
4822++ if (retval == PAM_UNIX_RUN_HELPER) {
4823++ retval = _unix_run_verify_binary(pamh, ctrl, user, &daysleft);
4824++ if (retval == PAM_AUTH_ERR || retval == PAM_USER_UNKNOWN)
4825++ return retval;
4826++ }
4827++ else if (retval == PAM_SUCCESS)
4828++ retval = check_shadow_expiry(pamh, spent, &daysleft);
4829++
4830++ if (on(UNIX__IAMROOT, ctrl) || retval == PAM_NEW_AUTHTOK_REQD)
4831++ return PAM_SUCCESS;
4832++
4833++ return retval;
4834++}
4835++
4836++static int _pam_unix_approve_pass(pam_handle_t * pamh
4837++ ,unsigned int ctrl
4838++ ,const char *pass_old
4839++ ,const char *pass_new,
4840++ int pass_min_len)
4841++{
4842++ const void *user;
4843++ const char *remark = NULL;
4844++ int retval = PAM_SUCCESS;
4845++
4846++ D(("&new=%p, &old=%p", pass_old, pass_new));
4847++ D(("new=[%s]", pass_new));
4848++ D(("old=[%s]", pass_old));
4849++
4850++ if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
4851++ if (on(UNIX_DEBUG, ctrl)) {
4852++ pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
4853++ }
4854++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
4855++ _("No password supplied") : _("Password unchanged"));
4856++ return PAM_AUTHTOK_ERR;
4857++ }
4858++ /*
4859++ * if one wanted to hardwire authentication token strength
4860++ * checking this would be the place - AGM
4861++ */
4862++
4863++ retval = pam_get_item(pamh, PAM_USER, &user);
4864++ if (retval != PAM_SUCCESS) {
4865++ if (on(UNIX_DEBUG, ctrl)) {
4866++ pam_syslog(pamh, LOG_ERR, "Can not get username");
4867++ return PAM_AUTHTOK_ERR;
4868++ }
4869++ }
4870++ if (off(UNIX__IAMROOT, ctrl)) {
4871++ if (strlen(pass_new) < pass_min_len)
4872++ remark = _("You must choose a longer password");
4873++ D(("length check [%s]", remark));
4874++ if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
4875++ if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
4876++ remark = _("Password has been already used. Choose another.");
4877++ if (retval == PAM_ABORT) {
4878++ pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
4879++ OLD_PASSWORDS_FILE);
4880++ return retval;
4881++ }
4882++ }
4883++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
4884++ struct passwd *pwd;
4885++ pwd = pam_modutil_getpwnam(pamh, user);
4886++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
4887++ }
4888++ }
4889++ if (remark) {
4890++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
4891++ retval = PAM_AUTHTOK_ERR;
4892++ }
4893++ return retval;
4894++}
4895++
4896++int
4897++pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
4898++{
4899++ unsigned int ctrl, lctrl;
4900++ int retval;
4901++ int remember = -1;
4902++ int rounds = -1;
4903++ int pass_min_len = 6;
4904++
4905++ /* <DO NOT free() THESE> */
4906++ const char *user;
4907++ const void *pass_old, *pass_new;
4908++ /* </DO NOT free() THESE> */
4909++
4910++ D(("called."));
4911++
4912++ ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len,
4913++ argc, argv);
4914++
4915++ /*
4916++ * First get the name of a user
4917++ */
4918++ retval = pam_get_user(pamh, &user, NULL);
4919++ if (retval == PAM_SUCCESS) {
4920++ /*
4921++ * Various libraries at various times have had bugs related to
4922++ * '+' or '-' as the first character of a user name. Don't
4923++ * allow them.
4924++ */
4925++ if (user == NULL || user[0] == '-' || user[0] == '+') {
4926++ pam_syslog(pamh, LOG_ERR, "bad username [%s]", user);
4927++ return PAM_USER_UNKNOWN;
4928++ }
4929++ if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
4930++ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained",
4931++ user);
4932++ } else {
4933++ if (on(UNIX_DEBUG, ctrl))
4934++ pam_syslog(pamh, LOG_DEBUG,
4935++ "password - could not identify user");
4936++ return retval;
4937++ }
4938++
4939++ D(("Got username of %s", user));
4940++
4941++ /*
4942++ * Before we do anything else, check to make sure that the user's
4943++ * info is in one of the databases we can modify from this module,
4944++ * which currently is 'files' and 'nis'. We have to do this because
4945++ * getpwnam() doesn't tell you *where* the information it gives you
4946++ * came from, nor should it. That's our job.
4947++ */
4948++ if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) {
4949++ pam_syslog(pamh, LOG_DEBUG,
4950++ "user \"%s\" does not exist in /var/lib/extrausers/passwd%s",
4951++ user, on(UNIX_NIS, ctrl) ? " or NIS" : "");
4952++ return PAM_USER_UNKNOWN;
4953++ } else {
4954++ struct passwd *pwd;
4955++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
4956++ if (pwd == NULL) {
4957++ pam_syslog(pamh, LOG_DEBUG,
4958++ "user \"%s\" has corrupted passwd entry",
4959++ user);
4960++ return PAM_USER_UNKNOWN;
4961++ }
4962++ }
4963++
4964++ /*
4965++ * This is not an AUTH module!
4966++ */
4967++ if (on(UNIX__NONULL, ctrl))
4968++ set(UNIX__NULLOK, ctrl);
4969++
4970++ if (on(UNIX__PRELIM, ctrl)) {
4971++ /*
4972++ * obtain and verify the current password (OLDAUTHTOK) for
4973++ * the user.
4974++ */
4975++ char *Announce;
4976++
4977++ D(("prelim check"));
4978++
4979++ if (_unix_blankpasswd(pamh, ctrl, user)) {
4980++ return PAM_SUCCESS;
4981++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
4982++ /* instruct user what is happening */
4983++ if (asprintf(&Announce, _("Changing password for %s."),
4984++ user) < 0) {
4985++ pam_syslog(pamh, LOG_CRIT,
4986++ "password - out of memory");
4987++ return PAM_BUF_ERR;
4988++ }
4989++
4990++ lctrl = ctrl;
4991++ set(UNIX__OLD_PASSWD, lctrl);
4992++ retval = _unix_read_password(pamh, lctrl
4993++ ,Announce
4994++ ,(on(UNIX__IAMROOT, ctrl)
4995++ ? _("NIS server root password: ")
4996++ : _("(current) UNIX password: "))
4997++ ,NULL
4998++ ,_UNIX_OLD_AUTHTOK
4999++ ,&pass_old);
5000++ free(Announce);
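
Review bot: in _pam_unix_approve_pass() the `return PAM_AUTHTOK_ERR;` after a failed `pam_get_item(pamh, PAM_USER, &user)` sits inside the `if (on(UNIX_DEBUG, ctrl))` block, so without the debug option the function carries on with `user` uninitialized and passes it to check_old_password() and pam_modutil_getpwnam(). Move the return out of the debug conditional so that only the pam_syslog() call depends on UNIX_DEBUG. Two smaller points in the same hunk: _do_setpass() dereferences `clnt->cl_auth` without checking whether clnt_create() returned NULL, and check_old_password() passes the result of Goodcrypt_md5() straight to strcmp() without a NULL check. Both should fail the password change cleanly (after unlock_pwdf() in the first case) rather than crash the calling application.
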
The diff has been truncated for viewing.
