--- pam-1.1.8.orig/debian/NEWS +++ pam-1.1.8/debian/NEWS 
@@ -0,0 +1,85 @@ +pam (1.1.2-1) unstable; urgency=low + + * Name of option for minimum Unix password length has changed + + The Debian-specific 'min=n' option to pam_unix for specifying minimum + lengths for new passwords has been replaced by a new upstream option + called 'minlen=n'. If you are using 'min=n' in + /etc/pam.d/common-password, this will be migrated to the new option name + for you on upgrade. If you have configured pam_unix password changing + elsewhere on your system, such as in a PAM profile under + /usr/share/pam-configs or in other files in /etc/pam.d, you will need to + update them by hand for this change. + + -- Steve Langasek Tue, 31 Aug 2010 23:09:30 -0700 + +pam (1.1.0-3) unstable; urgency=low + + * pam_rhosts_auth module obsolete, symlink removed + + The pam_rhosts_auth module was dropped upstream prior to the lenny + release and a compatibility symlink provided in the libpam-modules + package, pointing at the new (and not 100% compatible) pam_rhosts + module. This symlink has now been dropped. If you still have + references to pam_rhosts_auth in your /etc/pam.d/* config files, you + will need to fix these, since they no longer work. + + For information on using pam_rhosts, see the pam_rhosts(8) manpage. + + -- Steve Langasek Wed, 02 Sep 2009 16:17:16 -0700 + +pam (1.1.0-1) unstable; urgency=low + + * pam_cracklib no longer checks for reuse of old passwords + + The pam_cracklib module no longer checks /etc/security/opasswd to see + if the proposed password is one that was previously used. This + functionality has been split out into a new module, pam_pwhistory. + + The pam_unix module still does its own check of /etc/security/opasswd, + so if you are using this module you should not need to change anything. + + * Change in handling of /etc/shadow fields + + The Debian PAM package included a patch to treat a value of 0 in certain + fields in /etc/shadow as the same as an empty field. 
This patch has + been dropped, since it caused the behavior of pam_unix to differ from + both that of PAM upstream and that of the shadow package. + + The main consequences of this change are that: + + - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970 + instead of a "never expires" value, so users with this set will be + unable to log in + + - a "0" in the sp_inact field will indicate that the user should not be + allowed to change an expired password at all, instead of being allowed + to change an expired at any time after the expiry. + + See Debian bug #308229 for more information about this change. + + -- Steve Langasek Tue, 25 Aug 2009 00:13:57 -0700 + +pam (0.99.7.1-5) unstable; urgency=low + + * Default Unix minimum password length has changed + + Previous versions of pam_unix on Debian had a built-in minimum password + length of 1 character, and a minimum password length configured in + /etc/pam.d/common-password of 4 characters. This differed from the + upstream default of 6 characters. This has been changed, so the + default /etc/pam.d/common-password no longer overrides the compile-time + default and the compile-time default has been raised to 6 characters. + If you are using pam_unix but are not using the default + /etc/pam.d/common-password file, it is recommended that you drop any + min= options to pam_unix from your config unless you have stronger + local password requirements that the upstream default. + + The password length 'max' option has also been deprecated in this + version because it was never written to work as suggested in the + documentation. If you are using pam_unix but are not using the default + /etc/pam.d/common-password file, you should remove any old max= options + to pam_unix from your config as this option will be considered an error + in future versions of pam. + + -- Steve Langasek Sat, 01 Sep 2007 21:27:11 -0700 --- pam-1.1.8.orig/debian/README.debian +++ pam-1.1.8/debian/README.debian 
@@ -0,0 +1,13 @@ +PAM for Debian +-------------- + +PAM (Pluggable Authentication Modules) provides system administrators with a +powerful method of controlling system access and methods of authentication. + +The documentation for PAM is packaged in the "libpam-doc" package. The +"Linux-PAM System Administrator's Guide" covers configuring PAM, what +modules are available etc. The documentation also includes "The Linux-PAM +Application Developers' Guide" and "The Linux-PAM Module Writers' Guide". + +The Debian default configuration is to emulate the old UNIX authentication. + --- pam-1.1.8.orig/debian/README.source +++ pam-1.1.8/debian/README.source @@ -0,0 +1,8 @@ +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches-applied and applied during the build. Please see: + + /usr/share/doc/quilt/README.source + +for more information on how to apply the patches, modify patches, or +remove a patch. --- pam-1.1.8.orig/debian/TODO +++ pam-1.1.8/debian/TODO @@ -0,0 +1,7 @@ +- make pam_unix.so modules have some means of allowing other than root + to auth users via unix_chkpwd (maybe unix_chkpwd needs a secure conf + file?) +- Put in some of the Hurd related fixes +- Build-Depend-Indep on fop and install PDF docs, and add them to + doc-base. This depends on fop being patched to build using Java in + main so it can move out of contrib. --- pam-1.1.8.orig/debian/changelog +++ pam-1.1.8/debian/changelog 
@@ -0,0 +1,4509 @@ +pam (1.1.8-3.2ubuntu2.3) xenial; urgency=medium + + * Move patch fixing LP: #1666203 from debian/patches to + debian/patches-applied so it actually gets applied. + * debian/libpam-modules.postinst: Add /snap/bin to $PATH in + /etc/environment. (LP: #1659719) + + -- Michael Hudson-Doyle Thu, 01 Oct 2020 10:03:21 +1300 + +pam (1.1.8-3.2ubuntu2.2) xenial; urgency=medium + + * Fix: pam_tty_audit failed in pam_open_session (LP: #1666203) + + -- Don van der Haghen Fri, 01 Mar 2019 09:36:08 +0000 + +pam (1.1.8-3.2ubuntu2.1) xenial; urgency=medium + + * d/local/pam_getenv: + - Fix "Unescaped left brace in regex" with Perl 5.22. (LP: #1538284) + + -- Seyeong Kim Thu, 05 Apr 2018 17:33:57 -0700 + +pam (1.1.8-3.2ubuntu2) xenial; urgency=medium + + * debian/patches-applied/cve-2015-3238.patch: removed manpage changes + so they don't get regenerated during build and cause a multiarch + installation issue. (LP: #1558114) + + -- Marc Deslauriers Wed, 16 Mar 2016 13:34:02 -0400 + +pam (1.1.8-3.2ubuntu1) xenial; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. 
+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix's explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. + - Adjust debian/patches-applied/update-motd to write to + /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed + to use this file and no longer links /etc/motd to /var/run/motd. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + include patch to autogenerated manpage file + - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid: + Update patch with follow-up changes to loginuid.c + - debian/patches-applied/extrausers.patch: Add a pam_extrausers module + that is basically just a copy of pam_unix but looks at + /var/lib/extrausers/{group,passwd,shadow} instead of /etc/ + - debian/libpam-modules-bin.install: install the helper binaries for + pam_extrausers to /sbin + - debian/rules: Make pam_extrausers_chkpwd sguid shadow + - debian/patches-applied/extrausers.patch: Ship pre-generated man page + - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default + soft nofile limit read from pid 1 to FD_SETSIZE. 
+ - debian/control: have libpam-modules recommend update-motd package + + -- Marc Deslauriers Wed, 16 Mar 2016 09:50:51 -0400 + +pam (1.1.8-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix + module (Closes: #789986) + + -- Tianon Gravi Wed, 06 Jan 2016 15:53:31 -0800 + +pam (1.1.8-3.1ubuntu3) vivid; urgency=medium + + * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default + soft nofile limit read from pid 1 to FD_SETSIZE. + + -- Robie Basak Wed, 22 Apr 2015 08:55:24 +0000 + +pam (1.1.8-3.1ubuntu2) vivid; urgency=medium + + * debian/control: + - have libpam-modules recommend update-motd package + + while libpam-modules provides pam_motd, which does dynamically + generate the motd from /etc/update-motd.d on login, hundreds of + users have asked in the past few years how they might "force" + a MOTD update; this is provided by /usr/sbin/update-motd + in the tiny update-motd package (already in main); recommend + this package + + -- Dustin Kirkland Tue, 11 Nov 2014 12:49:14 -0600 + +pam (1.1.8-3.1ubuntu1) vivid; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. 
+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix's explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. + - Adjust debian/patches-applied/update-motd to write to + /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed + to use this file and no longer links /etc/motd to /var/run/motd. 
+ - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + include patch to autogenerated manpage file + - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid: + Update patch with follow-up changes to loginuid.c + - debian/patches-applied/extrausers.patch: Add a pam_extrausers module + that is basically just a copy of pam_unix but looks at + /var/lib/extrausers/{group,passwd,shadow} instead of /etc/ + - debian/libpam-modules-bin.install: install the helper binaries for + pam_extrausers to /sbin + - debian/rules: Make pam_extrausers_chkpwd sguid shadow + - debian/patches-applied/extrausers.patch: Ship pre-generated man page + + -- Michael Vogt Mon, 27 Oct 2014 09:57:52 +0100 + +pam (1.1.8-3.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2013-7041: case-insensitive comparison used for verifying + passwords in the pam_userdb module (closes: #731368). + * Fix CVE-2014-2583: multiple directory traversal issues in the + pam_timestamp module (closes: 757555) + + -- Michael Gilbert Sat, 09 Aug 2014 09:50:42 +0000 + +pam (1.1.8-3ubuntu4) utopic; urgency=medium + + * No-change rebuild to get debug symbols on all architectures. 
+ + -- Brian Murray Tue, 21 Oct 2014 12:32:23 -0700 + +pam (1.1.8-3ubuntu3) utopic; urgency=medium + + * debian/patches-applied/extrausers.patch: + - Ship pre-generated man page + + -- Michael Terry Tue, 22 Jul 2014 14:13:31 -0400 + +pam (1.1.8-3ubuntu2) utopic; urgency=medium + + * debian/patches-applied/extrausers.patch: Add a pam_extrausers module + that is basically just a copy of pam_unix but looks at + /var/lib/extrausers/{group,passwd,shadow} instead of /etc/ + * debian/libpam-modules-bin.install: install the helper binaries for + pam_extrausers to /sbin + * debian/rules: Make pam_extrausers_chkpwd sguid shadow + + -- Michael Terry Fri, 18 Jul 2014 14:52:08 -0400 + +pam (1.1.8-3ubuntu1) utopic; urgency=medium + + [ Stéphane Graber ] + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix's explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. 
+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. + - Adjust debian/patches-applied/update-motd to write to + /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed + to use this file and no longer links /etc/motd to /var/run/motd. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + include patch to autogenerated manpage file + - debian/patches-applied/pam-loginuid-in-containers: pam_loginuid: + Update patch with follow-up changes to loginuid.c + + [ Timo Aaltonen ] + * pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled + by default. (LP: #557013) + + -- Stéphane Graber Fri, 02 May 2014 14:59:10 -0400 + +pam (1.1.8-3) unstable; urgency=low + + * debian/rules: On hurd, link libpam explicitly with -lpthread since glibc + will not dynamically switch between the libc stubs and the libpthread + implementations on this architecture. Thanks to Samuel Thibault for the + patch. Closes: #743891. + + -- Steve Langasek Mon, 07 Apr 2014 17:49:38 -0700 + +pam (1.1.8-2) unstable; urgency=medium + + * Mark the libaudit-dev build-dependency linux-any, since it's not + available on non-Linux archs. Closes: #737035. 
+ + -- Steve Langasek Thu, 13 Feb 2014 15:02:00 -0800 + +pam (1.1.8-1ubuntu2) trusty; urgency=medium + + * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid: + Update patch with follow-up changes to loginuid.c + + -- Stéphane Graber Fri, 31 Jan 2014 22:11:02 +0000 + +pam (1.1.8-1ubuntu1) trusty; urgency=medium + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix's explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. 
+ - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. + - Adjust debian/patches-applied/update-motd to write to + /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed + to use this file and no longer links /etc/motd to /var/run/motd. + * debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: include + patch to autogenerated manpage file + + -- Steve Langasek Thu, 16 Jan 2014 02:40:41 +0000 + +pam (1.1.8-1) unstable; urgency=medium + + * New upstream release. + - includes upstream changes to pam_exec. Closes: #670147. + - adds support for newer hashing algorithms to pam_userdb. + Closes: #671740. + - fixes handling of 'quiet' argument to pam_listfile, to match the + documentation. Closes: #592219. + - fixes handling of @users@@hosts netgroup syntax in access.conf. + Closes: #681223. + - fixes installation of the /etc/security/namespace.d directory. + Closes: #710998. + - 027_pam_limits_better_init_allow_explicit_root: support for reading + /proc/1/limits is upstream, this patch now only handles the policy + of resetting limits by default and not applying glob limits to root. + - debian/patches/fix-manpage-crud: drop, manpages now being generated + upstream with a newer, fixed xsltproc. + - debian/patches/pam_env-fix-overflow.patch, pam_env-fix-dos.patch, + glibc-2_16-compilation-fix.patch, sys-types-include.patch: drop, + included upstream. + * Add build-dependency on pkg-config. + * Ensure autogenerated files are after source files in all relevant patches, + so that regenerating documentation doesn't cause build skew. + * Drop the --disable-regenerate-docu argument, restoring the HTML manuals + to the libpam-doc package. Closes: #700485. + * No need to override dh_compress in debian/rules, it already handles .html + files correctly. 
+ * debian/libpam-cracklib.prerm: use $DPKG_MAINTSCRIPT_PACKAGE_COUNT to avoid + prematurely removing the PAM config when the package is installed for + multiple architectures. Closes: #647428. + + -- Steve Langasek Thu, 16 Jan 2014 00:38:42 +0000 + +pam (1.1.3-11ubuntu1) trusty; urgency=medium + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix's explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. 
+ - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. + - Adjust debian/patches-applied/update-motd to write to + /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed + to use this file and no longer links /etc/motd to /var/run/motd. + * Dropped changes, merged in Debian: + - Disable libaudit for stage1 bootstrap. + + -- Steve Langasek Mon, 13 Jan 2014 21:41:05 -0800 + +pam (1.1.3-11) unstable; urgency=low + + [ Wookey ] + * Disable libaudit for stage1 bootstrap. + + [ Steve Langasek ] + * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid: + Ignore failure in user namespaces. + * Use [linux-any] in build-deps, instead of hard-coding a list of + non-Linux archs. Closes: #634516. + + -- Steve Langasek Tue, 14 Jan 2014 03:33:31 +0000 + +pam (1.1.3-10ubuntu1) trusty; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix's explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. 
+ - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. + - Disable libaudit for stage1 bootstrap. + - Adjust debian/patches-applied/update-motd to write to + /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed + to use this file and no longer links /etc/motd to /var/run/motd. + + -- Steve Langasek Sun, 20 Oct 2013 18:21:34 -0700 + +pam (1.1.3-10) unstable; urgency=low + + * Fix pam-auth-update handling of trailing blank lines in the fields of + profiles. LP: #1160288. + * Reintroduce libaudit support now that libaudit has been multiarched. + Closes: #699159. + + -- Steve Langasek Sun, 20 Oct 2013 15:30:46 -0700 + +pam (1.1.3-9) unstable; urgency=low + + * Revert libaudit support for now, because libaudit isn't multiarched yet + in unstable so this regresses cross-installability. Reopens bug + #699159. + * Add an or'ed dependency on cdebconf, which also implements the + xloadtemplatefile extension that prevents us from depending on just + 'debconf-2.0'. Thanks to Régis Boudin for the info. + Closes: #677278. 
+ + -- Steve Langasek Tue, 12 Feb 2013 23:06:30 +0000 + +pam (1.1.3-8ubuntu3) saucy; urgency=low + + * Adjust debian/patches-applied/update-motd to write to /run/motd.dynamic, + as sysvinit/ssh/login in Debian have been changed to use this file and + no longer links /etc/motd to /var/run/motd. + + -- Steve Langasek Sat, 18 May 2013 00:07:43 -0500 + +pam (1.1.3-8ubuntu2) raring; urgency=low + + * Disable libaudit for stage1 bootstrap (LP: #1126404) + + -- Wookey Fri, 15 Feb 2013 12:45:27 +0000 + +pam (1.1.3-8ubuntu1) raring; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix' explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. 
+ - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + - Add /usr/local/games to PATH. LP: #110287. + + -- Steve Langasek Mon, 11 Feb 2013 22:08:44 -0800 + +pam (1.1.3-8) unstable; urgency=low + + * Confirm NMU for bug #611136; thanks to Michael Gilbert. + - As a side effect, there will no longer be errors from reading the + .pam_environment twice since we are now reading it 0 times. + LP: #955032. + * Adjust the pam_env documentation to match the module behavior resulting + from the previous security upload. Closes: #693995. + * debian/rules: never regenerate manpages at build time; this may cause + build skew that breaks the world in a multiarch context. LP: #1095887. + * debian/patches-applied/glibc-2_16-compilation-fix.patch: fix missing + include causing build failure with eglibc 2.16. Thanks to Daniel + Schepler . Closes: #693450. + * Ditch autoconf patch in favor of a build-dependency on dh-autoreconf, + which will let us keep up-to-date with newer autotools. In the present + instance, this gets us aarch64 support. + * Install pam_timestamp_check - and while we're at it, move the manpage + to the correct binary package. Closes: #648695. + * Update lintian overrides to suppress some noise about hardening and + manpages. + * Enable audit support, by popular demand. This should have no major + impact unless you're also running auditd; but I reserve the right to + disable this again in the event that this causes a performance hit or + breaks upgrades (since the dependency is pulled into libpam, not just + into pam_tty_audit). Closes: #699159, LP: #937005. 
+ + -- Steve Langasek Tue, 12 Feb 2013 05:36:29 +0000 + +pam (1.1.3-7.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix cve-2010-4708: user-configurable .pam_environment allows + administrator-level changes without root access (closes: #611136). + + -- Michael Gilbert Sun, 29 Apr 2012 02:23:26 -0400 + +pam (1.1.3-7ubuntu3) quantal; urgency=low + + [ Nathan Williams ] + * Add /usr/local/games to PATH. LP: #110287. + + -- Steve Langasek Tue, 03 Jul 2012 06:55:25 +0000 + +pam (1.1.3-7ubuntu2) precise; urgency=low + + * No-change rebuild with gzip 1.4-1ubuntu2 to get multiarch-clean + compression of manpages. LP: #871083. + + -- Steve Langasek Wed, 08 Feb 2012 17:15:39 -0800 + +pam (1.1.3-7ubuntu1) precise; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix' explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. 
+ - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - Build-depend on libfl-dev in addition to flex, for cross-building + support. + + -- Steve Langasek Sat, 28 Jan 2012 11:36:07 -0800 + +pam (1.1.3-7) unstable; urgency=low + + * Updated debconf translations: + - Danish, thanks to Joe Dalton (closes: #648382) + - French, thanks to Jean-Baka Domelevo Entfellner + (closes: #649850) + - Dutch, thanks to Jeroen Schot + (closes: #650755) + - Russian, thanks to Yuri Kozlov (closes: #650867) + - Portuguese, thanks to Pedro Ribeiro + (closes: #652493) + - German, thanks to Sven Joachim (closes: #653407) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #654043) + - Bulgarian, thanks to Damyan Ivanov (closes: #656518) + - Slovak, thanks to Ivan Masár (closes: #656521) + - Japanese, thanks to Kenshi Muto (closes: #656834) + - Polish, thanks to Michał Kułach + (closes: #657476) + - Catalan, thanks to Innocent De Marchi + (closes: #657489) + - Czech, thanks to Miroslav Kure + (closes: #657578) + - Swedish, thanks to Martin Bagge (closes: #651349) + + -- Steve Langasek Sat, 28 Jan 2012 10:57:49 -0800 + +pam (1.1.3-6ubuntu1) precise; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. 
+ - debian/libpam0g.postinst: the init script for 'samba' is now named + 'smbd' in Ubuntu, so fix the restart handling. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix' explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + * Dropped changes, included in Debian: + - debian/patches-applied/update-motd: set a sane umask before calling + run-parts, and restore the old mask afterwards, so /run/motd gets + consistent permissions. + - debian/patches-applied/update-motd: new module option for pam_motd, + 'noupdate', which suppresses the call to run-parts /etc/update-motd.d. + - debian/libpam0g.postinst: drop kdm from the list of services to + restart. + * Build-depend on libfl-dev in addition to flex, for cross-building + support. 
+ + -- Steve Langasek Mon, 07 Nov 2011 21:15:00 -0800 + +pam (1.1.3-6) unstable; urgency=low + + * debian/patches-applied/hurd_no_setfsuid: we don't want to check all + setre*id() calls; we know that there are situations where some of these + may fail but we don't care. As long as the last setre*id() call in each + set succeeds, that's the state we mean to be in. + * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer + keeps libpam loaded persistently at runtime, so it's not necessary to + force a kdm restart on ABI bump. Which is good, since restarting kdm + now seems to also log users out of running sessions, which we rather + want to avoid. Closes: #632673, LP: #744944. + * debian/patches-applied/update-motd: set a sane umask before calling + run-parts, and restore the old mask afterwards, so /run/motd gets + consistent permissions. LP: #871943. + * debian/patches-applied/update-motd: new module option for pam_motd, + 'noupdate', which suppresses the call to run-parts /etc/update-motd.d. + LP: #805423. + * debian/libpam0g.templates, debian/libpam0g.postinst: add a new question, + libraries/restart-without-asking, that allows admins to accept the + service restarts once for all so that they don't have to repeatedly + say "ok". LP: #745004. + * debian/libpam-runtime.templates, debian/local/pam-auth-update: add a + new 'title' template, so pam-auth-update doesn't give a blank title + when called outside of a maintainer script. LP: #882794. + + -- Steve Langasek Sun, 06 Nov 2011 19:43:14 -0800 + +pam (1.1.3-5ubuntu2) precise; urgency=low + + * Rebuild with dpkg 1.16.1.1ubuntu2 to restore large file support. + + -- Colin Watson Tue, 01 Nov 2011 16:59:55 -0400 + +pam (1.1.3-5ubuntu1) precise; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). 
+ - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/libpam0g.postinst: drop kdm from the list of services to + restart. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix' explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + (Closes: #583958) + * Dropped changes, included in Debian: + - debian/patches-applied/CVE-2011-3148.patch + - debian/patches-applied/CVE-2011-3149.patch + - debian/patches-applied/update-motd: updated to use clean environment + and absolute paths in modules/pam_motd/pam_motd.c. + * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd' + in Ubuntu, so fix the restart handling. 
+ * debian/patches-applied/update-motd: set a sane umask before calling + run-parts, and restore the old mask afterwards, so /run/motd gets + consistent permissions. LP: #871943. + * debian/patches-applied/update-motd: new module option for pam_motd, + 'noupdate', which suppresses the call to run-parts /etc/update-motd.d. + LP: #805423. + + -- Steve Langasek Sun, 30 Oct 2011 09:45:00 -0600 + +pam (1.1.3-5) unstable; urgency=low + + [ Kees Cook ] + * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use + setresgid() to wipe out saved-gid just in case. + * debian/patches-applied/008_modules_pam_limits_chroot: + - fix off-by-one when parsing configuration file. + - when using chroot, chdir() to root to lose links to old tree. + * debian/patches-applied/022_pam_unix_group_time_miscfixes, + debian/patches-applied/026_pam_unix_passwd_unknown_user, + debian/patches-applied/054_pam_security_abstract_securetty_handling: + improve descriptions. + * debian/patches-applied/{007_modules_pam_unix,055_pam_unix_nullok_secure}: + drop unneeded no-op change to reduce delta from upstream. + * debian/patches-applied/hurd_no_setfsuid: check all set*id() calls. + * debian/patches-applied/update-motd: correctly clear environment when + building motd. + * debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow + in environment file parsing (CVE-2011-3148). + * debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment + file parsing (CVE-2011-3149). + + -- Steve Langasek Thu, 27 Oct 2011 21:33:57 -0700 + +pam (1.1.3-4) unstable; urgency=low + + * Make sure shared library links are also installed to the multiarch + directory, not just the .a files; otherwise the static libs get found + first by the linker. Thanks to Russ Allbery for catching this. + Closes: #642952. 
+ + -- Steve Langasek Sun, 25 Sep 2011 22:33:55 +0000 + +pam (1.1.3-3) unstable; urgency=low + + * Look for /etc/init.d/postgresql, not /etc/init.d/postgresql-8.{2,3}, + for service restarts; the latter are obsolete since squeeze. + Closes: #631511. + * Move debian/libpam0g-dev.install to debian/libpam0g-dev.install.in + and substitute the multiarch path at build time, so our .a files go to + the multiarch dir instead of to /usr/lib. Thanks to Riku Voipio for + pointing out the bug. + * debian/control: adjust the package descriptions, as the current ones + use some awkward language that's gone unnoticed for a long time. Thanks + to Martin Eberhard Schauer for pointing this + out. Closes: #633863. + * Build-depend on debhelper 8.9.4 and bump debian/compat to 9 for + dpkg-buildflags integration, and drop manual setting of -g -O options in + CFLAGS now that we can let dh do it for us + * Don't set --sbindir when calling configure; upstream takes care of this + for us + + -- Steve Langasek Sat, 24 Sep 2011 20:08:56 +0000 + +pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low + + * SECURITY UPDATE: possible code execution via incorrect environment file + parsing (LP: #874469) + - debian/patches-applied/CVE-2011-3148.patch: correctly count leading + whitespace when parsing environment file in modules/pam_env/pam_env.c. + - CVE-2011-3148 + * SECURITY UPDATE: denial of service via overflowed environment variable + expansion (LP: #874565) + - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit + with PAM_BUF_ERR in modules/pam_env/pam_env.c. + - CVE-2011-3149 + * SECURITY UPDATE: code execution via incorrect environment cleaning + - debian/patches-applied/update-motd: updated to use clean environment + and absolute paths in modules/pam_motd/pam_motd.c. + - CVE-2011-XXXX + + -- Marc Deslauriers Tue, 18 Oct 2011 09:33:47 -0400 + +pam (1.1.3-2ubuntu1) oneiric; urgency=low + + * Merge with Debian to get bug fix for unknown kernel rlimits. 
Remaining + changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/libpam0g.postinst: drop kdm from the list of services to + restart. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition. + - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix' explicit "usergroups" option and instead read it + from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined + there. This restores compatibility with the pre-PAM behaviour of login. + (Closes: #583958) + * Dropped changes: + - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + no need to bump the hard limit for number of file descriptors any more + since we read kernel limits directly now. 
+ + -- Kees Cook Thu, 18 Aug 2011 16:41:18 -0500 + +pam (1.1.3-2) unstable; urgency=low + + [ Kees Cook ] + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + - only report about unknown kernel rlimits when "debug" is set + (Closes: 625226, LP: #794531). + + [ Steve Langasek ] + * Build for multiarch. Closes: #463420. + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + don't reset the process niceness for root; since it's root, they can + still renice to a lower nice level if they need to and changing the + nice level by default is unexpected behavior. Closes: #594377. + + -- Steve Langasek Tue, 21 Jun 2011 11:41:12 -0700 + +pam (1.1.3-1ubuntu3) oneiric; urgency=low + + [ Steve Langasek ] + * debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv + common helper functions, instead of hand-rolled uid-setting code. + + [ Martin Pitt ] + * debian/local/common-session{,-noninteractive}: Enable pam_umask by + default, now that the umask setting is gone from /etc/profile. + (LP: #253096, UbuntuSpec:umask-to-0002) + * debian/local/pam-auth-update: Add the new md5sum of above files. + * Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: + Deprecate pam_unix' explicit "usergroups" option and instead read it from + /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there. + This restores compatibility with the pre-PAM behaviour of login. + (Closes: #583958) + + -- Martin Pitt Fri, 24 Jun 2011 11:07:57 +0200 + +pam (1.1.3-1ubuntu2) oneiric; urgency=low + + * debian/patches-applied/update-motd-manpage-ref: refresh patch to apply + cleanly against new upstream. + + -- Steve Langasek Sat, 04 Jun 2011 14:20:17 -0700 + +pam (1.1.3-1ubuntu1) oneiric; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). 
+ - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + bump the hard limit for number of file descriptors, to keep pace with + the changes in the kernel. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/libpam0g.postinst: drop kdm from the list of services to + restart. + - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - New patch, lib_security_multiarch_compat, which lets us reuse the + upstream --enable-isadir functionality to support a true path for + module lookups; this way we don't have to force a hard transition to + multiarch, but can support resolving modules in both the multiarch and + non-multiarch directories. + - build for multiarch, splitting our executables out of libpam-modules + into a new package, libpam-modules-bin, so that modules can be + co-installable between architectures. + * Dropped changes: + - bumping the service restart version in libpam0g.postinst to ensure + servers don't fail to find the pam modules in the new paths; the min + version requirement upstream is higher than this now. + + -- Steve Langasek Sat, 04 Jun 2011 14:04:19 -0700 + +pam (1.1.3-1) unstable; urgency=low + + * New upstream release. 
+ - Fixes CVE-2010-3853, executing namespace.init with an insecure + environment set by the caller. Closes: #608273. + - Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435. + Closes: #599832. + * Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv + interface; now possibly upstreamable + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + set a better default RLIMIT_MEMLOCK value for BSD kernels. Thanks to + Petr Salinger for the fix. Closes: #602902. + * bump the minimum version check in maintainer scripts for the restart + handling. + + -- Steve Langasek Sat, 04 Jun 2011 03:10:50 -0700 + +pam (1.1.2-3ubuntu1) oneiric; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + bump the hard limit for number of file descriptors, to keep pace with + the changes in the kernel. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + - debian/libpam0g.postinst: drop kdm from the list of services to + restart. 
+ - debian/libpam0g.postinst: check if gdm is actually running before + trying to reload it. + - New patch, lib_security_multiarch_compat, which lets us reuse the + upstream --enable-isadir functionality to support a true path for + module lookups; this way we don't have to force a hard transition to + multiarch, but can support resolving modules in both the multiarch and + non-multiarch directories. + - build for multiarch, splitting our executables out of libpam-modules + into a new package, libpam-modules-bin, so that modules can be + co-installable between architectures. + - bumping the service restart version in libpam0g.postinst to ensure + servers don't fail to find the pam modules in the new paths. + * bump debhelper build-dep for final multiarch support. + + -- Steve Langasek Fri, 20 May 2011 12:53:24 -0700 + +pam (1.1.2-3) unstable; urgency=low + + [ Kees Cook ] + * 027_pam_limits_better_init_allow_explicit_root: load rlimit defaults + from the kernel (via /proc/1/limits), instead of continuing to hardcode + the settings internally. Fall back to internal defaults when the kernel + rlimits are not found. Closes: #620302. (LP: #746655, #391761) + + * Updated debconf translations: + - Vietnamese, thanks to Clytie Siddall + (closes: #601197) + - Dutch, thanks to Eric Spreen (closes: #605592) + - Danish, thanks to Joe Dalton (closes: #606739) + - Catalan, thanks to Innocent De Marchi + (closes: #622786) + + -- Steve Langasek Sun, 01 May 2011 01:49:11 -0700 + +pam (1.1.2-2ubuntu8) natty; urgency=low + + * Check if gdm is actually running before trying to reload it. (LP: #745532) + + -- Stéphane Graber Mon, 11 Apr 2011 21:57:36 -0400 + +pam (1.1.2-2ubuntu7) natty; urgency=low + + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + bump the hard limit for number of file descriptors, to keep pace with + the changes in the kernel. 
Fortunately this shadowing should all go + away next cycle when we can start to grab defaults directly from /proc. + LP: #663090 + + -- Steve Langasek Tue, 05 Apr 2011 13:02:02 -0700 + +pam (1.1.2-2ubuntu6) natty; urgency=low + + * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer + keeps libpam loaded persistently at runtime, so it's not necessary to + force a kdm restart on ABI bump. Which is good, since restarting kdm + now seems to also log users out of running sessions, which we rather + want to avoid. LP: #744944. + + -- Steve Langasek Tue, 29 Mar 2011 13:16:26 -0700 + +pam (1.1.2-2ubuntu5) natty; urgency=low + + * Force a service restart on upgrade to the new libpam0g, to ensure + servers don't fail to find the pam modules in the new paths. + * libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g, + for the same reason. + + -- Steve Langasek Tue, 22 Mar 2011 02:19:51 -0700 + +pam (1.1.2-2ubuntu4) natty; urgency=low + + * Build for multiarch; FFe LP: #733501. + * Split our executables out of libpam-modules into a new package, + libpam-modules-bin, so that modules can be co-installable between + architectures. + * New patch, lib_security_multiarch_compat, which lets us reuse the + upstream --enable-isadir functionality to support a true path for module + lookups; this way we don't have to force a hard transition to multiarch, + but can support resolving modules in both the multiarch and + non-multiarch directories. + * Build-Depend on the multiarchified debhelper. + * Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support. + + -- Steve Langasek Fri, 18 Mar 2011 00:12:26 -0700 + +pam (1.1.2-2ubuntu3) natty; urgency=low + + * Er, but let's get this patch applying cleanly. + + -- Steve Langasek Mon, 21 Feb 2011 16:10:11 -0800 + +pam (1.1.2-2ubuntu2) natty; urgency=low + + * debian/patches/update-motd-manpage-ref: patch the manpage too, not just + the xml source. 
+ + -- Steve Langasek Mon, 21 Feb 2011 15:47:27 -0800 + +pam (1.1.2-2ubuntu1) natty; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + + -- Steve Langasek Thu, 17 Feb 2011 16:15:47 -0800 + +pam (1.1.2-2) unstable; urgency=low + + * debian/patches-applied/hurd_no_setfsuid: handle some new calls to + setfsuid in pam_xauth that I overlooked, so that the build works again + on non-Linux. Closes: #613630. + + -- Steve Langasek Wed, 16 Feb 2011 09:27:11 -0800 + +pam (1.1.2-1) unstable; urgency=low + + * New upstream release. + - Add support for NSS groups to pam_group. Closes: #589019, + LP: #297408. + - Support cross-building the package. Thanks to Neil Williams + for the patch. Closes: #284854. + * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit + interface. Closes: #579402. + * Drop patches conditional_module,_conditional_man and + mkhomedir_linking.patch, which are included upstream. + * debian/patches/hurd_no_setfsuid: pam_env and pam_mail now also use + setfsuid, so patch them to be likewise Hurd-safe. 
+ * Update debian/source.lintian-overrides to clean up some spurious + warnings. + * debian/libpam-modules.postinst: if any 'min=n' options are found in + /etc/pam.d/common-password, convert them on upgrade to 'minlen=n' for + compatibility with upstream. + * debian/NEWS: document the disappearance of 'min=n', in case users have + encoded this option elsewhere outside of /etc/pam.d/common-password. + * debian/patches/007_modules_pam_unix: drop compatibility handling of + 'max=' no-op; use of this option will now log an error, as warned three + years ago. + * Bump Standards-Version to 3.9.1. + * Add lintian overrides for a few more spurious warnings. + * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for + compatibility when it's not already set. Closes: #552043. + * debian/local/pam-auth-update: Don't try to pass embedded newlines to + debconf; backslash-escape them instead and use CAPB escape. + * debian/local/pam-auth-update: sort additional module options before + writing them out, so that we don't wind up with a different config file + on every invocation. Thanks to Jim Paris for the patch. + Closes: #594123. + * debian/libpam-runtime.{postinst,templates}: since 1.1.2-1 is targeted + for post-squeeze, we don't need to support upgrades from 1.0.1-6 to + 1.0.1-10 anymore. Drop the debconf error note about having configured + your system with a lack of authentication, so that translators don't + spend any more time on it. + * Updated debconf translations: + - Swedish, thanks to Martin Bagge (closes: #575875) + + -- Steve Langasek Tue, 15 Feb 2011 23:21:41 -0800 + +pam (1.1.1-7) UNRELEASED; urgency=low + + * Updated debconf translations: + - Italian, thanks to Nicole B. 
(closes: #602112) + + -- Steve Langasek Wed, 17 Nov 2010 16:53:46 -0800 + +pam (1.1.1-6.1ubuntu1) natty; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + * Dropped changes: + - libpam-modules depend on base-files (>= 5.0.0ubuntu6): 5.0.0ubuntu20 + is in 10.04 LTS and this is an essential package, so no more need for + the versioned dependency. + + -- Steve Langasek Tue, 15 Feb 2011 23:36:47 -0800 + +pam (1.1.1-6.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: + - Czech (Miroslav Kure). Closes: #598329 + - Slovak (Ivan Masár). Closes: #600164 + - Japanese (Kenshi Muto). Closes: #600247 + - Finnish (Esko Arajärvi). 
Closes: #600641 + + -- Christian Perrier Tue, 19 Oct 2010 07:30:49 +0200 + +pam (1.1.1-6) unstable; urgency=low + + * Updated debconf translations: + - Swedish, thanks to Martin Bagge (closes: #575875) + + -- Steve Langasek Sun, 05 Sep 2010 23:36:35 -0700 + +pam (1.1.1-5) unstable; urgency=low + + * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit + interface. Closes: #579402. + * Update debian/source.lintian-overrides to clean up some spurious + warnings. + * Bump Standards-Version to 3.9.1. + * Add lintian overrides for a few more spurious warnings. + * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for + compatibility when it's not already set. Closes: #552043. + * debian/local/pam-auth-update: Don't try to pass embedded newlines to + debconf; backslash-escape them instead and use CAPB escape. + * debian/local/pam-auth-update: sort additional module options before + writing them out, so that we don't wind up with a different config file + on every invocation. Thanks to Jim Paris for the patch. + Closes: #594123. + + -- Steve Langasek Sun, 05 Sep 2010 12:42:34 -0700 + +pam (1.1.1-4ubuntu2) maverick-security; urgency=low + + * SECURITY UPDATE: root privilege escalation via symlink following. + - debian/patches-applied/pam_motd-legal-notice: drop privs for work. + - CVE-2010-0832 + + -- Kees Cook Mon, 25 Oct 2010 06:40:32 -0700 + +pam (1.1.1-4ubuntu1) maverick; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's + not present there or in /etc/security/pam_env.conf. (should send to + Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. 
+ - Change Vcs-Bzr to point at the Ubuntu branch. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent + showing it again. + - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation. + - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8) + to update-motd(5) + + -- Steve Langasek Mon, 16 Aug 2010 19:12:35 -0700 + +pam (1.1.1-4) unstable; urgency=low + + * debian/patches/conditional_module,_conditional_man: if we don't have the + libraries required for building pam_tty_audit, we shouldn't install the + manpage either. LP: #588547. + * Updated debconf translations: + - Portuguese, thanks to Eder L. Marques + (closes: #581746) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #592172) + - Galician, thanks to Jorge Barreiro + (closes: #592808) + * Don't pass --version-script options when linking executables, + only when linking libraries. Thanks to Julien Cristau + for the fix. Closes: #582362. + + -- Steve Langasek Sun, 15 Aug 2010 21:53:46 -0700 + +pam (1.1.1-3ubuntu2) maverick; urgency=low + + * Trigger a rebuild, applying changes from 1.1.1-2ubuntu2 which + were previously not committed to bzr + + -- Dustin Kirkland Thu, 13 May 2010 10:04:23 +0200 + +pam (1.1.1-3ubuntu1) maverick; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... 
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + * Dropped changes: + - debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade - upgrades to maverick are + only supported from lucid, so this delta can be dropped. + - debian/patches-applied/ubuntu-no-error-if-missingok: 'missingok' option + is obsoleted by 10.04 LTS and no longer needs to be supported for + upgrades. + + -- Steve Langasek Thu, 13 May 2010 00:39:44 +0200 + +pam (1.1.1-3) unstable; urgency=low + + * pam-auth-update: fix a bug in our handling of module options when the + module name contains digits, caused by a buggy regexp. :/ Partially + addresses LP #369575. + * Install /sbin/pam_tally2 in the libpam-modules package; thanks to + Olivier BONHOMME for reporting. Closes: #554010. + + -- Steve Langasek Sun, 25 Apr 2010 05:53:44 -0700 + +pam (1.1.1-2ubuntu2) lucid; urgency=low + + * debian/update-motd.5, debian/libpam-modules.manpages: add a manpage + for update-motd, with some best practices and notes of explanation, + LP: #562566 + * debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8) + to update-motd(5), LP: #552175 + + -- Dustin Kirkland Tue, 13 Apr 2010 16:58:12 -0500 + +pam (1.1.1-2ubuntu1) lucid; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). 
+ - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + - debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade. + + -- Steve Langasek Thu, 18 Feb 2010 12:04:18 +0000 + +pam (1.1.1-2) unstable; urgency=low + + * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and + raise the minimum version for the service restarting code. + Closes: #568480. + + -- Steve Langasek Wed, 17 Feb 2010 23:21:23 -0800 + +pam (1.1.1-1ubuntu1) lucid; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. 
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + - debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade. + + -- Steve Langasek Mon, 01 Feb 2010 09:55:02 -0800 + +pam (1.1.1-1) unstable; urgency=low + + * New upstream version. + - restore proper netgroup handling in pam_access. + Closes: #567385, LP: #513955. + * Drop patches pam.d-manpage-section, namespace_with_awk_not_gawk, and + pam_securetty_tty_check_before_user_check, which are included upstream. + * debian/patches/026_pam_unix_passwd_unknown_user: don't return + PAM_USER_UNKNOWN on password change of a user that has no shadow entry, + upstream now implements auto-creating the shadow entry in this case. + * Updated debconf translations: + - French, thanks to Jean-Baka Domelevo Entfellner + (closes: #547039) + - Bulgarian, thanks to Damyan Ivanov (closes: #562835) + * debian/patches/sys-types-include.patch: fix pam_modutil.h so that it can + be included directly, without having to include sys/types.h first. + Closes: #556203. + * Add postgresql-8.3 to the list of services in need of restart on upgrade. + Closes: #563674. + * And drop postgresql-{7.4,8.1} from the list, neither of which is present + in stable. + * debian/patches/007_modules_pam_unix: recognize that *all* of the password + hashes other than traditional crypt handle passwords >8 chars in length. + LP: #356766. 
+ + -- Steve Langasek Mon, 01 Feb 2010 02:04:33 -0800 + +pam (1.1.0-4ubuntu3) lucid; urgency=low + + * Brown paper bag: remove the right patch from the series file. + + -- Steve Langasek Thu, 10 Dec 2009 23:09:03 -0800 + +pam (1.1.0-4ubuntu2) lucid; urgency=low + + * "Rebase" Ubuntu patches to apply them last in the series. + * Drop patch ubuntu-regression_fix_securetty, superseded by the more + precise fix in pam_securetty_tty_check_before_user_check. + + -- Steve Langasek Thu, 10 Dec 2009 22:52:20 -0800 + +pam (1.1.0-4ubuntu1) lucid; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + - debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade. 
+ + -- Steve Langasek Thu, 05 Nov 2009 21:33:15 -0800 + +pam (1.1.0-4) unstable; urgency=low + + * debian/patches/pam_securetty_tty_check_before_user_check: new patch, + to make pam_securetty always return success on a secure tty regardless + of what username was passed. Thanks to Nicolas François + for the patch. Closes: #537848 + * debian/local/pam-auth-update: only reset the seen flag on the template + when there's new information; this avoids reprompting users for the same + information on upgrade, regardless of the debconf priority used. + Closes: #544805. + * libpam0g no longer depends on libpam-runtime; packages that use + /etc/pam.d/common-* must depend directly on libpam-runtime, and most do + (including the Essential: yes ones), so let's break this circular + dependency. Closes: #545086, LP: #424566. + + -- Steve Langasek Mon, 14 Sep 2009 18:47:25 -0700 + +pam (1.1.0-3) unstable; urgency=low + + * Bump debian/compat to 7, so we can use sane contents in debian/*.install + * Switch all packages over to dh_install + * Rename debian/*.lintian to debian/*.lintian-overrides and use dh_lintian + * Move installation logic out of debian/rules into individual .install + files + * Drop superfluous options to dh_installchangelogs, dh_shlibdeps + * Use debian/clean instead of rm -f'ing files in debian/rules clean target + * Drop ./configure options that are no-ops + * Drop the /lib/security/pam_unix_*.so symlinks, which have been deprecated + now for 10 years and are not used at all if pam-auth-update is in play. + * Drop the pam_rhosts_auth.so symlink as well, and document in NEWS.Debian + that this is now obsolete. + * Drop stale content from README.debian: some of this should have been in + NEWS.Debian instead (but is so old it's not worth putting it there now), + some of it is obsolete by the change in package VCS. + * Convert debian/rules to debhelper 7 and add versioned build-dependencies + on debhelper and quilt to suit. 
+ * Drop CFLAGS that we don't need anymore (-fPIC, -D_REENTRANT, + -D_GNU_SOURCE). + * Explicitly add -O0 to CFLAGS when noopt is set. + * debian/patches/autoconf.patch: pull ltmain.sh in, to fix some spurious + library linkage in the modules. + * Move pam_cracklib manpage to the libpam-cracklib package, and add the + requisite Replaces + * Drop dh_makeshlibs -V; everything from lenny on should use the .symbols + file instead, making the shlibs redundant so we don't need to care what + version gets listed there. + + -- Steve Langasek Mon, 07 Sep 2009 18:47:45 -0700 + +pam (1.1.0-2ubuntu1) karmic; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + - debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade. 
+ * Changes merged in Debian: + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + + -- Steve Langasek Fri, 04 Sep 2009 01:11:48 -0700 + +pam (1.1.0-2) unstable; urgency=low + + [ Steve Langasek ] + * debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch + to call setregid() instead of always returning an error on username + mismatch in unix_chkpwd, needed in the SELinux case and in some corner + cases with the broken_shadow option. Thanks to Michael Spang for the + analysis. Closes: #543589. + * fix the PAM mini-policy to not tell app maintainers that they don't need + to depend on libpam-modules if they reference modules from there. + * make libpam-runtime depend on libpam-modules (>= 1.0.1-6) - nothing else + guarantees that we have pam_unix available for use by pam-auth-update. + * Use /bin/sh instead of /bin/bash for libpam0g.postinst, since we've + confirmed there are no longer any bashisms there. Closes: #519973. + * Clean up the libpam0g postinst a bit; invoke-rc.d has been a guaranteed + interface for two stable release cycles now + * debian/patches/namespace_with_awk_not_gawk: fix the sample + namespace.init script's dependency on non-POSIX features of gawk, since + we don't use gawk by default. Closes: #518908. + * Updated debconf translations: + - German, thanks to Sven Joachim (closes: #544464) + + [ Kees Cook ] + * debian/local/common-password, debian/pam-configs/unix: switch from "md5" + to "sha512" as password crypt default. + + -- Steve Langasek Mon, 31 Aug 2009 14:21:27 -0700 + +pam (1.1.0-1ubuntu1) karmic; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. 
+ - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + - debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade. + * Dropped changes, superseded upstream: + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. + + -- Steve Langasek Wed, 26 Aug 2009 00:40:14 -0700 + +pam (1.1.0-1) unstable; urgency=low + + * New upstream version. + - pam_access no longer does DNS lookups when we know we're comparing + with a tty name or a service name. Closes: #376209. + - fixes for manpage spelling. Closes: #488690. + - fix evaluation of or'ed list of users in time.conf and group.conf. + Closes: #326407, #514423. 
+ * Drop patches pam_unix_thread-safe_save_old_password.patch, + pam_env_ignore_garbage.patch, dont_freeze_password_chain, + pam_1.0.4_mindays, pam_mail-fix-quiet, pam_unix-chkpwd-wait, and + cve-2009-0887-libpam-pam_misc.patch, which are included upstream. + * Trim pam.d-manpage-section patch, which was mostly but not completely + applied upstream. + * Update debian/libpam0g.symbols for new extension. + * Bump the shlibs version as well, for our dpkg-shlibdeps fallback. + * And bump the version checks in the libpam-modules {pre,post}inst, so that + the necessary services get restarted for any modules that need the new + symbols. + * Add /sbin/mkhomedir_helper to libpam-modules. + * Document that pam_cracklib no longer checks /etc/security/opasswd. + Closes: #263767. + * debian/patches/007_modules_pam_unix: drop divergence from upstream + that treats "0" as a special value in various fields in /etc/shadow, + and document this in debian/NEWS. Thanks to Nicolas François + for the detailed analysis. + Closes: #308229. + * Updated debconf translations: + - French, thanks to Jean-Baka Domelevo Entfellner + (closes: #521266) + * Build with LDFLAGS=-Wl,-z,defs to guard against the possibility of + any undefined symbols (due to typos or otherwise) at build time. + Closes: #102311. + * On upgrade from versions before 1.1.0-1, if + /etc/pam.d/common-session-noninteractive has not been created (because + the user declined use of pam-auth-update), create it by copying + /etc/pam.d/common-session. Closes: #543401. + * debian/patches/fix-man-crud: new patch, fix "undefined macro" errors in + manpages caused by oddities of toolchain used when generating them + upstream. + + -- Steve Langasek Tue, 25 Aug 2009 20:35:26 -0700 + +pam (1.0.1-11ubuntu1) karmic; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). 
+ - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + * debian/local/pam-auth-update: prune some more md5sums from intrepid + pre-release versions, reducing the Ubuntu delta some + * debian/local/common-{auth,account,password}.md5sums: include the + Ubuntu-specific intrepid,jaunty md5sums for use during the + common-session-noninteractive upgrade. 
+ + -- Steve Langasek Sun, 23 Aug 2009 20:14:58 -0700 + +pam (1.0.1-11) unstable; urgency=low + + * debian/libpam-runtime.postinst: bump the --force version check to + 1.0.1-11, to allow for a new common-session-noninteractive config file; + and include md5sum checking logic that will work the same with old + unmanaged and new managed /etc/pam.d/common-* files. + * debian/local/common-{auth,account,session,password}.md5sums: document + the known md5sums for the new managed files. + * debian/local/common-session-noninteractive{,.md5sums}, + debian/local/pam-auth-update: split out a session-noninteractive include + file, so that we can at last distinguish between interactive and + non-interactive PAM sessions at a policy level. Closes: #169930, + LP: #287715. + * debian/local/pam-auth-update: prune md5sums for unsupported upgrade + paths (intrepid pre-release -> karmic/squeeze) + * Clean up the PAM mini-policy, which hasn't been touched in a number of + years and was looking a bit crufty + * debian/libpam-runtime.templates: correctly tag the URL as a + non-translatable string. + * Updated debconf translations: + - Swedish, thanks to Martin Bagge (closes: #541399) + - Portuguese, thanks to Américo Monteiro + (closes: #541108) + - Russian, thanks to Yuri Kozlov (closes: #541094) + + -- Steve Langasek Sun, 23 Aug 2009 18:07:11 -0700 + +pam (1.0.1-10ubuntu1) karmic; urgency=low + + * Merge from Debian, remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. 
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + - debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + + -- Steve Langasek Fri, 07 Aug 2009 09:50:02 +0100 + +pam (1.0.1-10) unstable; urgency=high + + [ Steve Langasek ] + * Updated debconf translations: + - Finnish, thanks to Esko Arajärvi (closes: #520785) + - Russian, thanks to Yuri Kozlov (closes: #521874) + - German, thanks to Sven Joachim (closes: #521530) + - Basque, thanks to Piarres Beobide + (closes: #524285) + * When no profiles are chosen in pam-auth-update, throw an error message + and prompt again instead of letting the user end up with an insecure + system. This introduces a new debconf template. Closes: #519927, + LP: #410171. + + [ Kees Cook ] + * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes + for MINDAYS-Field regression (closes: #514437). + * debian/control: add missing misc:Depends for packages that need it. 
+ + [ Sam Hartman ] + * Remove conflicts information for transitions prior to woody release + * Fix lintian overrides for libpam-runtime + * Overrides for lintian finding quilt patches + * pam_mail-fix-quiet: patch from Andreas Henriksson + applied upstream to fix quiet option of pam_mail, Closes: #439268 + + [ Dustin Kirkland ] + * debian/patches/update-motd: run the update-motd scripts in pam_motd; + render update-motd obsolete, LP: #399071 + + [ Sam Hartman ] + * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem + (CVE-2009-0887) (Closes: #520115) + + -- Steve Langasek Thu, 06 Aug 2009 17:54:32 +0100 + +pam (1.0.1-9ubuntu3) karmic; urgency=low + + * Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + + -- Steve Langasek Wed, 15 Jul 2009 23:55:50 -0700 + +pam (1.0.1-9ubuntu2) karmic; urgency=low + + [ Dustin Kirkland ] + * debian/patches/update-motd: run the update-motd scripts in pam_motd; + render update-motd obsolete, LP: #399071 + * debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + + -- Steve Langasek Wed, 15 Jul 2009 20:41:52 -0700 + +pam (1.0.1-9ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. 
+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + + -- Steve Langasek Fri, 20 Mar 2009 19:12:10 -0700 + +pam (1.0.1-9) unstable; urgency=low + + * Move the pam module packages to section 'admin'. + * 027_pam_limits_better_init_allow_explicit_root: defaults need to be + declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise + global limits will fail to be applied. LP: #314222. + + -- Steve Langasek Fri, 20 Mar 2009 19:48:47 -0700 + +pam (1.0.1-8) unstable; urgency=low + + * Updated debconf translations: + - Bulgarian, thanks to Damyan Ivanov (closes: #518121) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #518214) + - Swedish, thanks to Martin Bagge (closes: #518324) + - Vietnamese, thanks to Clytie Siddall + (closes: #518329) + - Japanese, thanks to Kenshi Muto (closes: #518335) + - Slovak, thanks to Ivan Masár (closes: #518341) + - Czech, thanks to Miroslav Kure (closes: #518992) + - Portuguese, thanks to Américo Monteiro + (closes: #519204) + - Galician, thanks to Marce Villarino + (closes: #519447) + - Romanian, thanks to Eddy Petrișor + (closes: #520552) + * 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK + limit correctly to match the kernel default, which is not RLIM_INFINITY. + Closes: #472629. 
+ + -- Steve Langasek Fri, 20 Mar 2009 18:15:07 -0700 + +pam (1.0.1-7ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + * Dropped changes, merged in Debian: + - debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + - New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. 
+ - debian/patches/027_pam_limits_better_init_allow_explicit_root: + Add documentation to the patch showing how to set limits for root. + * Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6, + reducing the delta with Debian. + * Drop upgrade handling code from libpam-runtime.postinst that's only + needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid + pre-release version of the package. + * pam-auth-update: swap out known md5sums from intrepid pre-release versions + with the md5sums from the released intrepid version + * pam-auth-update: drop some md5sums that will only be seen on upgrade from + pre-intrepid versions; skipping over the 8.10 final release is not + supported, and upgrading via 8.10 means those config files will be + replaced so the old md5sums will never be seen again. + + -- Steve Langasek Tue, 03 Mar 2009 17:34:19 -0800 + +pam (1.0.1-7) unstable; urgency=low + + * 027_pam_limits_better_init_allow_explicit_root: + - fix the patch so that our limit resets are actually *applied*, + which has apparently been broken for who knows how long! + - shadow the finite kernel defaults for RLIMIT_SIGPENDING and + RLIMIT_MSGQUEUE as well, so that the preceding change doesn't + suddenly expose systems to DoS or other issues. + - include documentation in the patch, giving examples of how to set + limits for root. Thanks to Jonathan Marsden. + * pam-auth-update: swap out known md5sums from intrepid pre-release + versions with the md5sums from the released intrepid version + * pam-auth-update: set the umask, so we don't accidentally mark + /etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching. + Closes: #518042. 
+ + -- Steve Langasek Tue, 03 Mar 2009 17:18:42 -0800 + +pam (1.0.1-6) unstable; urgency=low + + * Updated debconf translations: + - Vietnamese, thanks to Clytie Siddall + * New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + * debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + + -- Steve Langasek Sat, 28 Feb 2009 13:36:57 -0800 + +pam (1.0.1-5ubuntu2) jaunty; urgency=low + + * New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + + -- Steve Langasek Fri, 27 Feb 2009 16:20:24 -0800 + +pam (1.0.1-5ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. 
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + * Bump the version numbers referenced in the config files, again, as pam + has revved in Debian and moved the bar. + * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same + as a present but empty file; thanks to Greg Price for the patch. + LP: #294513. + * pam-auth-update: Ignore removed profiles when detecting an empty set + of currently-enabled modules. Thanks to Greg Price for this as well. + * debian/control: libpam-runtime needs a versioned dependency on + debconf, because it uses the x_loadtemplatefile extension that's + not supported by debconf versions before hardy. LP: #295135. + * pam-auth-update: trim leading whitespace from multiline fields when + parsing PAM profiles. LP: #295441. + * pam-auth-update: factor out the duplicate code used for returning + the lines for a given module + + [ Jonathan Marsden ] + * debian/patches/027_pam_limits_better_init_allow_explicit_root: + Add to patch, documenting how to set limits for root user. + Include an example. Alters limits.conf, limits.conf.5.xml, + and limits.conf.5 . 
(LP: #65244) + + -- Steve Langasek Thu, 08 Jan 2009 20:26:25 +0000 + +pam (1.0.1-5) unstable; urgency=low + + * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as + a dependency of libpam-modules if it's installed during the build. + Thanks to Larry Doolittle for catching. + * Don't refer to gnome-screensaver in the debconf template; it isn't + actually affected by the libpam symbol issue because it forks a separate + process to display the screensaver dialog. + * Have libpam-modules Pre-Depend on ${misc:Depends}, so that we can + warn users about needing to disable xscreensaver and xlockmore + before libpam-modules is unpacked. Closes: #502140, LP: #256238. + * Updated debconf translations for the new template: + - Italian, thanks to David Paleino + - Simplified Chinese, thanks to Deng Xiyue + (closes: #510371) + - Portuguese, thanks to Américo Monteiro + - Swedish, thanks to Martin Bagge (closes: #510379) + - Japanese, thanks to Kenshi Muto (closes: #510380) + - Finnish, thanks to Esko Arajärvi (closes: #510382) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #510389) + - Galician, thanks to Marce Villarino + - Slovak, thanks to helix84 (closes: #510412) + - Bulgarian, thanks to Damyan Ivanov + - Czech, thanks to Miroslav Kure < + (closes: #510608) + - French, thanks to Steve Petruzzello + - German, thanks to Sven Joachim (closes: #510617) + - Basque, thanks to Piarres Beobide + (closes: #510699) + - Russian, thanks to Yuri Kozlov (closes: #510701) + - Turkish, thanks to Mert Dirik (closes: #510707) + + -- Steve Langasek Tue, 06 Jan 2009 00:05:13 -0800 + +pam (1.0.1-4ubuntu5.4) jaunty; urgency=low + + * No-change upload to jaunty to fix publication on armel. + + -- Colin Watson Tue, 18 Nov 2008 14:09:00 +0000 + +pam (1.0.1-4ubuntu5.3) intrepid-updates; urgency=low + + * No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was + copied while some ports were not built yet. 
+ + -- Martin Pitt Tue, 11 Nov 2008 14:50:12 +0100 + +pam (1.0.1-4ubuntu5.2) intrepid-proposed; urgency=low + + * No-change rebuild because the archive admin (me) copied the package + to jaunty too soon. + + -- Steve Langasek Wed, 05 Nov 2008 20:28:11 +0000 + +pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low + + * Allow passwords to change on expired accounts, by passing + new_authtok_reqd return codes immediately (LP: #291091). + + -- Kees Cook Wed, 05 Nov 2008 09:31:45 -0800 + +pam (1.0.1-4ubuntu5) intrepid; urgency=low + + * debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of + default desktop services that are ignored in deciding whether to prompt + for service restarts on upgrade. Partially addresses LP #278117. + * debian/libpam0g.postinst: also filter out samba, which may be installed + on the desktop to enable filesharing. + * debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the + ubiquitous debhelper tokens (currently a no-op) + * pam-auth-update: Use -Initial only for the first profile, even when + there's no explicit -Initial config for that first profile + * fix common-session/common-password to use the same overall stack + structure as auth/account, so that we get the correct behavior when + all password modules fail. LP: #272232. + + -- Steve Langasek Wed, 15 Oct 2008 18:11:13 -0700 + +pam (1.0.1-4ubuntu4) intrepid; urgency=low + + * Fix a bug in the parser that caused spewing of errors when there + were more lines in the config file following the managed block. + LP: #270328. + + -- Steve Langasek Tue, 23 Sep 2008 06:34:56 +0000 + +pam (1.0.1-4ubuntu3) intrepid; urgency=low + + * Fix up the code that saves state to /var/lib/pam, so that it matches + what's expected by the code which later compares the saved and active + profiles in the case that there are both primary and additional + modules present. 
+ + -- Steve Langasek Tue, 16 Sep 2008 06:49:56 +0000 + +pam (1.0.1-4ubuntu2) intrepid; urgency=low + + * Brown paper bag bug: fix a missing comma in pam-auth-update. + + -- Steve Langasek Sat, 13 Sep 2008 08:55:32 +0000 + +pam (1.0.1-4ubuntu1) intrepid; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + * Bump the version numbers referenced in the config files, again, as pam + has revved in Debian and moved the bar. + * debian/pam-config/*: refine the password profiles to use a 'primary' + block, to better parallel the auth structure. 
+ * Drop '-Final' from the field names in /usr/share/pam-configs, supporting + these field names for backwards compatibility only + * Bump the dependency version requirement to 1.0.1-4ubuntu1 for the above + change + + -- Steve Langasek Sat, 13 Sep 2008 08:55:19 +0000 + +pam (1.0.1-4) unstable; urgency=high + + * High-urgency upload for RC bugfix. + + [ Julien Cristau ] + * pam_unix-chkpwd-wait: don't assume that the unix_chkpwd process exits + normally; if it was killed by a signal, we don't want to accept the + password. Closes: #495879. + + [ Steve Langasek ] + * 007_modules_pam_unix: update the manpage at the same time as the xml + source (grr, autogenerated files in source packages). Closes: #495804. + * 055_pam_unix_nullok_secure: also don't call the helper at all from + _unix_blankpasswd when we can detect that null passwords are disallowed, + to avoid causing spammy logs on successful authentications. + Closes: #496620. + * debian/rules: call chgrp *before* calling chmod, lest the sgid bit + on unix_chkpwd be cleared during the build when using -rsudo. + Closes: #496983. + + -- Steve Langasek Thu, 28 Aug 2008 22:59:23 -0700 + +pam (1.0.1-3ubuntu5) intrepid; urgency=low + + [ Steve Langasek ] + * Never remove the .pam-old files; just avoid creating them if --force isn't + set. + * Add a manpage for pam-auth-update. + * Automatically upgrade the boilerplate for /etc/pam.d/common-* if we + detect that they have not been locally modified. + + [ Kees Cook ] + * debian/local/common-password, debian/pam-configs/unix: switch from "md5" + to "sha512" as password crypt default. + + -- Steve Langasek Tue, 26 Aug 2008 06:33:07 +0000 + +pam (1.0.1-3ubuntu4) intrepid; urgency=low + + * If two profiles have the same Priority, sort by the profile name to + ensure a complete sort so we can filter out all the duplicates from the + list and not write out broken configs. LP: #260371. 
+ + -- Steve Langasek Fri, 22 Aug 2008 17:33:14 +0000 + +pam (1.0.1-3ubuntu3) intrepid; urgency=low + + * s/pam-auth-config/pam-auth-update/ in the source, I can't seem to get + this name consistent to save my life - I'm starting to think I named it + wrong... + * Fix the regex used when suppressing jump counts when reading the saved + config, so that we don't clobber module options with numbers in them. + * If the target doesn't already exist, don't try to copy it. + * Filter the config list to exclude configs that no longer exist. + LP: #260122. + * Avoid unnecessary sort/grep in the case where we already have a sorted + list. + * Implement pam-auth-update --remove, for use in package prerms when called + with "remove". + + -- Steve Langasek Thu, 21 Aug 2008 15:38:37 -0700 + +pam (1.0.1-3ubuntu2) intrepid; urgency=high + + * debian/local/common-session: the session stack needs to be handled the + same way as the password stack, with the possibility of zero primary + modules; required to fix build failures on the Ubuntu buildds due to + su not being able to open sessions by default. LP: #259867. + * debian/libpam-runtime.postinst: when upgrading from the broken + 1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to + recover. + + -- Steve Langasek Wed, 20 Aug 2008 13:27:10 -0700 + +pam (1.0.1-3ubuntu1) intrepid; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. 
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + * Remove spurious 'conflict' with a non-existent module, which was added + just as an example + + -- Steve Langasek Wed, 20 Aug 2008 11:58:35 -0700 + +pam (1.0.1-3) unstable; urgency=high + + * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL + tty argument, since this will cause our helper to segfault instead of + returning a useful value. Thanks to Troy Davis for the report. + Closes: #495806. + + -- Steve Langasek Wed, 20 Aug 2008 11:55:47 -0700 + +pam (1.0.1-2ubuntu1) intrepid; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam-runtime.postinst, + debian/local/common-{auth,password}{,.md5sums}: + Use the new 'missingok' option by default for pam_smbpass in case + libpam-smbpass is not installed (LP: #216990); must use "requisite" + rather than "required" to prevent "pam_smbpass migrate" from firing in + the event of an auth failure; md5sums updated accordingly. 
+ - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + * debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + + -- Steve Langasek Wed, 20 Aug 2008 09:17:28 +0000 + +pam (1.0.1-2) unstable; urgency=low + + * 007_modules_pam_unix: update the documentation to correctly document + the default minimum password length is 6, not 1. + * Look for cups instead of cupsys as an init script name when restarting + services; thanks to Stephen Olander-Waters for pointing this out. + Closes: #492977. + * Update the Debian PAM mini-policy to remove references to the + long-obsolete pam_pwdb, and clarify the relationship between pam_stack + and @include. + * Drop various bits of unused cruft from the debian/ directory. + * Drop libpam-runtime.preinst, only used for upgrades from woody to sarge + to deal with modified conffiles. + * Build-Conflict with libdb4.2-dev, which satisfies the libdb-dev + build-dependency but causes pam_userdb to be silently omitted. + Closes: #493574. 
+ * 054_pam_security_abstract_securetty_handling: move the warning log about + an insecure tty back to pam_securetty proper; we don't want to generate + log messages every time pam_unix is called as non-root. + Closes: #493283. As a side-effect, pam_unix no longer logs any warnings + about NULL password + insecure tty, but I don't think this is critical. + + -- Steve Langasek Fri, 08 Aug 2008 10:47:26 -0700 + +pam (1.0.1-1ubuntu1) intrepid; urgency=low + + * Merge from Debian unstable + * Dropped changes: + - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage + is 2 years newer than Debian's, contains a number of character escaping + fixes plus content updates + - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to + correctly support seusers (backported from changes in PAM 0.99.8). + - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. + The nis package handles overriding this as necessary. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE + from below as well as from above. Fix off-by-one error when converting + RLIMIT_NICE to the range of values used by the kernel. + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam-runtime.postinst, + debian/local/common-{auth,password}{,.md5sums}: + Use the new 'missingok' option by default for pam_smbpass in case + libpam-smbpass is not installed (LP: #216990); must use "requisite" + rather than "required" to prevent "pam_smbpass migrate" from firing in + the event of an auth failure; md5sums updated accordingly. + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. 
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + * Refresh patch ubuntu-no-error-if-missingok for the new upstream version. + * Change Vcs-Bzr to point at the new Ubuntu branch. + + -- Steve Langasek Mon, 28 Jul 2008 20:58:26 +0000 + +pam (1.0.1-1) unstable; urgency=low + + * New upstream version. + - pam_limits: bound RLIMIT_NICE from below. Closes: #403718. + - pam_mail: set the MAIL variable even when .hushlogin is set. + Closes: #421010. + - new minclass option introduced for pam_cracklib. Closes: #454237. + - fix a failure to check the string length when matching usernames in + pam_group. Closes: #444427. + - fix setting shell security context in pam_selinux. Closes: #451722. + - use --disable-audit, to avoid libaudit being linked in + accidentally + - pam_unix now supports SHA-256 and SHA-512 password hashes. + Closes: #484249, LP: #245786. + - pam_rhosts_auth is dropped upstream (closes: #382987); add a compat + symlink to pam_rhosts to support upgrades for a release, and give a + warning in NEWS.Debian. + - new symbol in libpam.so.0, pam_modutil_audit_write; shlibs bump, and + do another round of service restarts on upgrade. + - pam_unix helper is now called whenever an unprivileged process + tries and fails to query a user's account status. Closes: #367834. 
+ * Drop patches 006_docs_cleanup, 015_hurd_portability, + 019_pam_listfile_quiet, 024_debian_cracklib_dict_path, 038_support_hurd, + 043_pam_unix_unknown_user_not_alert, 046_pam_group_example, + no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch, + pam_tally_audit.patch, 057_pam_unix_passwd_OOM_check, and + 065_pam_unix_cracklib_disable which have been merged upstream. + * Patch 022_pam_unix_group_time_miscfixes: partially merged upstream; + now is really just "pam_group_miscfixes". + * Patch 007_modules_pam_unix partially superseded upstream; stripping + hpux-style expiry information off of password fields is now supported. + * New patch pam_unix_thread-safe_save_old_password.patch, to make sure all + our getpwnam() use in pam_unix is thread-safe (fixes an upstream + regression) + * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream + regression which prevents sgid shadow apps from being able to authenticate + any more because the module forces use of the helper and the helper won't + allow authentication of arbitrary users. This change does mean we're + going to be noisier for the time being in an SELinux environment, which + should be addressed but is not a regression on Debian. + * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an + upstream change that causes unix_chkpwd to assume that setuid(getuid()) + is sufficient to drop permissions and attempt any authentication on + behalf of the user. + * The password-changing helper functionality for SELinux systems has been + split out into a separate unix_update binary, so at long last we can + change unix_chkpwd to be sgid shadow instead of suid root. + Closes: #155583. + - Update the lintian override to match. + * Install the new unix_update helper into libpam-modules. + * Use a pristine upstream tarball instead of repacking; requires various + changes to debian/rules and debhelper files. 
+ * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn, + and how! + * Debconf translations: + - Romanian, thanks to Igor Stirbu + (closes: #491821) + * Add libpam0g.symbols, for finer-grained package dependencies with + dpkg-gensymbols. + * Fix debian/copyright to list the known copyright holders + * Fix up the doc-base sections for the libpam-doc documentation, "Apps" + should not be part of the section name + * Also fix up whitespace issues in the doc-base abstracts + * Fix a typo in the libpam0g-dev description. + * 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also + invalid for RLIMIT_NOFILE, so when resetting the limits for a new session, + use the kernel default of 1024 instead. Closes: #404836. + * Create /etc/environment on initial install of libpam-modules (or on + upgrade from an old version), to quell warnings in the logs about it + being missing. Closes: #442049. + * 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for + the NSS source of our user; this was preventing password changes for NIS + users, which otherwise should have worked. Closes: #203222, LP: #9224. + * New patch do_not_check_nis_accidentally: respect the 'nis' option + (set or unset) when looking up the user's password entry for password + changes. Thanks to Quentin Godfroy for the + patch. Closes: #469635. + * Drop patch 049_pam_unix_sane_locking, which upon review is not needed; + it reduces the length of time we hold the lock, but at the expense of + being able to enforce minimum times between password changes. + * debian/watch: upstream has hit 1.0, so we're no longer in a "pre" + directory. Fix up the regex for uscan. + * Fix the libpam0g-dev examples directory to not include a gratuitous + .cvsignore file. + * New patch, pam.d-manpage-section, to fix the manpage references to + point to section 5 instead of section 8. + * Update patch PAM-manpage-section to fix the references to pam(7) from + other manpages. 
Closes: #470137. + * Add debian/README.source documenting that this package uses quilt. + * Bump Standards-Version to 3.8.0. + * Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks + to Tomas Mraz for indirectly bringing this to my + attention + + -- Steve Langasek Mon, 28 Jul 2008 13:56:26 -0700 + +pam (0.99.7.1-7) unstable; urgency=medium + + * Medium-urgency upload for RC bugfix + * Debconf translations: + - Italian, thanks to David Paleino (closes: #483913) + - Slovak, thanks to Ivan Masár (closes: #488908) + - Turkish, thanks to Mert Dirik (closes: #490880) + - Basque, thanks to Piarres Beobide + (closes: #473975) + * Drop the 'XS' from Vcs-Svn/Vcs-Browser, since these are now officially + recognized fields. + * Add a Homepage field. Closes: #473338. + * Drop -DCRACKLIB_DICTS from CFLAGS, since the referenced define is no + longer provided by cracklib2-dev 2.8 and above. This requires a + build-dependency on the corresponding version of libcrack2-dev. + Closes: #490236. + + -- Steve Langasek Mon, 21 Jul 2008 11:49:59 -0700 + +pam (0.99.7.1-6ubuntu2) intrepid; urgency=low + + * debian/libpam-modules.postinst: revert addition of ~/bin to the end of the + default PATH set in /etc/environment as it was pointed out by Colin + Watson that getenv() does not properly expand '~' + + -- Jamie Strandboge Tue, 24 Jun 2008 06:29:40 -0400 + +pam (0.99.7.1-6ubuntu1) intrepid; urgency=low + + * Merge from debian unstable + * Dropped changes: + - Linux-PAM/modules/pam_limits/README, + Linux-PAM/modules/pam_selinux/README: Ubuntu versions had some + insignificant character differences, dropping in favor of Debian + versions; pam_selinux documentation has dropped "multiple", and added + "select_context", and "use_current_range" as options. + - debian/control, debian/local/common-session{,md5sums}: use + libpam-foreground for session management. + - Build using db4.5 instead of db4.6. 
+ * Remaining changes: + - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage + is 2 years newer than Debian's, contains a number of character escaping + fixes plus content updates; (should send to Debian). + - debian/control: Maintainer updated. + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf; add ~/bin to PATH + (LP: #64064); (should send to Debian). + - debian/libpam-runtime.postinst, + debian/local/common-{auth,password}{,.md5sums}: + Use the new 'missingok' option by default for pam_smbpass in case + libpam-smbpass is not installed (LP: #216990); must use "requisite" + rather than "required" to prevent "pam_smbpass migrate" from firing in + the event of an auth failure; md5sums updated accordingly. + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running (LP: #141309). + - debian/applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to + correctly support seusers (backported from changes in PAM 0.99.8). + Without this patch login will not get correct security context when + using libselinux >= 1.27.2 (LP: #187822). + - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's + earlier behavior would correctly prompt for password on bad usernames + (LP: #139075). + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. Bound + RLIMIT_NICE from below as well as from above. Fix off-by-one error when + converting RLIMIT_NICE to the range of values used by the kernel. 
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. + The nis package handles overriding this as necessary. + * Alphabetized this merge changelog entry by filename (easier reading + against Ubuntu patch). + + -- Dustin Kirkland Fri, 20 Jun 2008 10:32:00 -0500 + +pam (0.99.7.1-6) unstable; urgency=low + + * Debconf translations: + - Updated Vietnamese, thanks to Clytie Siddall + (closes: #444437) + - Updated Spanish, thanks to Javier Fernández-Sanguino Peña + (closes: #444479) + - Updated German, thanks to Sven Joachim + (closes: #444566) + - Galician, thanks to Jacobo Tarrio (closes: #444758) + - Updated Czech, thanks to Miroslav Kure + (closes: #445022) + - French, thanks to Cyril Brulebois + (closes: #445869) + - Japanese, thanks to Kenshi Muto (closes: #446584) + - Dutch, thanks to Bart Cornelis (closes: #448930) + - Basque, thanks to Piarres Beobide (closes: #457042) + - Updated Finnish, thanks to Esko Arajärvi (closes: #458264) + - Swedish, thanks to Christer Andersson + (closes: #457674) + * Make sure the "audit" option is specified in octal instead of in decimal, + so that it doesn't randomly set other options. Thanks to Corey Wright + for the catch. Closes: #446327. + + -- Steve Langasek Sun, 16 Mar 2008 02:06:28 -0700 + +pam (0.99.7.1-5ubuntu8) intrepid; urgency=low + + * debian/libpam-modules.postinst: Add ~/bin to the end of the default PATH + set in /etc/environment (LP: #64064). + + -- Dustin Kirkland Thu, 19 Jun 2008 12:52:48 -0500 + +pam (0.99.7.1-5ubuntu7) intrepid; urgency=low + + * debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. 
+ * debian/local/common-{auth,password}, debian/libpam-runtime.postinst: + Use the new 'missingok' option by default for pam_smbpass, to + correct the problem of very loud logging introduced in the previous + upload when libpam-smbpass is not installed. LP: #216990. + + -- Steve Langasek Tue, 22 Apr 2008 18:53:37 +0000 + +pam (0.99.7.1-5ubuntu6) hardy; urgency=low + + * debian/local/common-{auth,password}, debian/libpam-runtime.postinst: + Add pam_smbpass as an optional module in the stack, to keep NTLM + passwords (for filesharing) in sync with the main system passwords on a + best-effort basis. LP: #208419. + + -- Steve Langasek Tue, 08 Apr 2008 18:21:40 +0000 + +pam (0.99.7.1-5ubuntu5) hardy; urgency=low + + * debian/local/common-session: Drop libpam-foreground. It's gone for good, + and we do not want this in the PAM config for new installations, since it + just spams syslog with error messages. (LP: #198714) + + -- Martin Pitt Tue, 11 Mar 2008 11:22:11 +0100 + +pam (0.99.7.1-5ubuntu4) hardy; urgency=low + + * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support + seusers (backported from changes in PAM 0.99.8). Without this patch + login will not get correct security context when using libselinux + >= 1.27.2 (LP: #187822). + + -- Caleb Case Wed, 30 Jan 2008 06:39:48 -0500 + +pam (0.99.7.1-5ubuntu3) hardy; urgency=low + + * Temporarily reenable libpam-foreground in common-session again, until + dbus' at_console policy works with ConsoleKit. + + -- Martin Pitt Thu, 29 Nov 2007 15:17:54 +0100 + +pam (0.99.7.1-5ubuntu2) hardy; urgency=low + + * debian/local/common-session{,.md5sums}, debian/control: Drop + libpam-foreground, superseded by ConsoleKit integration into hal. + * debian/control: Build against libdb4.6 again. This drops this Debian delta + and 4.6 is our target version in Hardy. + + -- Martin Pitt Thu, 22 Nov 2007 18:56:47 +0100 + +pam (0.99.7.1-5ubuntu1) gutsy; urgency=low + + * Resynchronise with Debian. 
Remaining changes: + - debian/control, debian/local/common-session{,md5sums}: use + libpam-foreground for session management. + - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. + The nis package handles overriding this as necessary. + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. Bound + RLIMIT_NICE from below as well as from above. Fix off-by-one error when + converting RLIMIT_NICE to the range of values used by the kernel. + (Originally patch 101; converted to quilt.) + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's + earlier behavior would correctly prompt for password on bad usernames + (LP: #139075). + - Build using db4.5 instead of db4.6. + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running (LP: #141309). + * debian/libpam0g.postinst: don't display a debconf warning about display + managers that need restarting when update-manager is running, instead + signal to update-notifier if a reboot is required. + + -- Steve Langasek Fri, 28 Sep 2007 23:45:24 -0700 + +pam (0.99.7.1-5) unstable; urgency=low + + * More lintian overrides, related to debconf prompting in the postinst + * Debconf translations: + - Brazilian Portuguese, thanks to Eder L. 
Marques + (closes: #440385) + - Russian, thanks to Yuri Kozlov + (closes: #440390, #440953, #444039) + - Bulgarian, thanks to Damyan Ivanov + (closes: #441863) + - Finnish, thanks to Esko Arajärvi (closes: #443720) + - Simplified Chinese, thanks to Ming Hua + (closes: #443924) + - Updated Portuguese, thanks to Américo Monteiro + - Updated Vietnamese, thanks to Clytie Siddall + (closes: #440800) + - Updated German, thanks to Sven Joachim + - Updated Spanish, thanks to Javier Fernández-Sanguino Peña + + - Updated Czech, thanks to Miroslav Kure + (closes: #441325) + * Further cleanups of 007_modules_pam_unix -- don't use a global variable + for pass_min_len, don't gratuitously move the length checking into the + "obscure" checks, and internationalize the error strings. + * Stop overriding the built-in default minimum password length in + /etc/pam.d/common-password, and also drop the "max" option which has now + been obsoleted. + * Fix up the comments in /etc/pam.d/common-password to make it clear that + the options are specific to pam_unix. Closes: #414559. + * Patch 038: fix another thinko in the getline handling. Closes: #442276. + * If there are active X logins, don't restart kdm, wdm, and xdm by default; + instead, display a debconf error if they haven't been restarted. + Closes: #441843. + * Drop the local patch for Linux capabilities in pam_limits; Linux + capabilities are not generally useful in a PAM context, and the PAM + capabilities patch has been broken through much of its life. + Closes: #440130. + * -Wl,-z,defs was never enabled correctly, drop it since upstream is + already using -no-undefined + * Pass --build and --host args to ./configure as necessary, for + cross-building support. + + -- Steve Langasek Fri, 28 Sep 2007 00:17:00 -0700 + +pam (0.99.7.1-4ubuntu4) gutsy; urgency=low + + * debian/libpam0g.postinst: call "reload" for all display managers + (LP: #139065). 
+ * debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running (LP: #141309). + + -- Kees Cook Mon, 24 Sep 2007 15:01:29 -0700 + +pam (0.99.7.1-4ubuntu3) gutsy; urgency=low + + * ubuntu-regression_fix_securetty: securetty's earlier behavior would + correctly prompt for password on bad usernames (LP: #139075). + + -- Kees Cook Wed, 12 Sep 2007 15:20:09 -0700 + +pam (0.99.7.1-4ubuntu2) gutsy; urgency=low + + * Build using db4.5 (instead of db4.6). One db4.x version less on the CD. + + -- Matthias Klose Wed, 12 Sep 2007 17:44:25 +0200 + +pam (0.99.7.1-4ubuntu1) gutsy; urgency=low + + * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes: + - debian/control, debian/local/common-session{,md5sums}: use + libpam-foreground for session management. + - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. + The nis package handles overriding this as necessary. + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. Bound + RLIMIT_NICE from below as well as from above. Fix off-by-one error when + converting RLIMIT_NICE to the range of values used by the kernel. + (Originally patch 101; converted to quilt.) + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + * Dropped: + - debian/rules: bashism fixes (merged upstream). + - debian/control: Conflict on ancient nis (expired with Breezy). + - debian/libpam-runtime.postinst: check for ancient pam (expired with + Breezy). 
+ + -- Kees Cook Wed, 05 Sep 2007 15:18:36 -0700 + +pam (0.99.7.1-4) unstable; urgency=low + + * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted + to fix the library skew, only reloaded; special-case this daemon in the + postinst and remove the mention of it from the debconf template, also + tightening the language of the debconf template in the process. + Closes: #440074. + * Add courier-authdaemon to the list of services that need to be + restarted; thanks to Micah Anderson for reporting. + * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over + garbage lines in /etc/environment and log an error, instead of failing + with an obscure error; and ignore any PAM_BAD_ITEM values returned + by pam_putenv(), since this is the expected error return when trying + to delete a non-existent var. Closes: #439984. + * Yet another thinko in hurd_no_setfsuid and in + 029_pam_limits_capabilities; this code should really be Hurd-safe at + last... + * getline() returns -1 on EOF, not 0; check this appropriately, to fix + an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl + for the fix. Closes: #440019. + * Use ${misc:Depends} for libpam0g, so we get a proper dependency on + debconf. + * 019_pam_listfile_quiet: per discussion with upstream, don't suppress + errors about missing files or files with wrong permissions; these are + real errors that should not be buried. + * Drop the remainder of 061_pam_issue_double_free, not required for the + original bugfix. + * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that + we define CRACKLIB_DICTS in debian/rules. + * Drop patch 063_paswd_segv, superseded by a different upstream fix + * Split 047_pam_limits_chroot_string_value up between + 008_modules_pam_limits_chroot and 029_pam_limits_capabilites + * Updates to patch 007_modules_pam_unix: restore the same built-in min + password len of 6 that upstream uses; fix a typo panlindrome -> + palindrome. 
+ * The 'max=' option was never intended to be used to limit maximum password + length for users, only to declare what the number of significant + characters /is/ for a password. But we don't need a config option to + tell us that, we know the answer based on which crypt type we're using, + so drop this as a config file option. Closes: #389197. + * Debconf translations: + - Spanish, thanks to Javier Fernández-Sanguino Peña + - Vietnamese, thanks to Clytie Siddall + - German, thanks to Sven Joachim (closes: #440355) + - Czech, thanks to Miroslav Kure + (closes: #440362) + - Portuguese, thanks to Américo Monteiro + (closes: #440368) + + -- Steve Langasek Fri, 31 Aug 2007 17:11:05 -0700 + +pam (0.99.7.1-3) unstable; urgency=low + + * New patch limits_wrong_strncpy: fix unnecessary manipulations of string + buffers, including an illegal use of strncpy(). Thanks to Paul Hampson + for reporting. Closes: #331278. + * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the + application, instead of blocking it when misc_conv is in use and + preventing users from being able to ^C at any PAM prompt. Closes: #1708. + * 024_debian_cracklib_dict_path: default to NULL instead of a specific + dictionary path when none is defined for consistency with the new upstream + version of cracklib, and define our path in debian/rules. + * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option, + a prereq for forwarding this patch upstream. Closes: #325974. + * Create /etc/security/opasswd on new installs or on upgrades from + 0.99.7.1-2 or below, so that users that enable the remember= option to + pam_unix aren't left unable to change passwords. Closes: #95324. + * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code + from compiling on the Hurd still. Thanks to Michael Banck for the catch. + * Fix a memory leak in the pam_limits capabilities patch: always + cap_free() the cap_t before returning from pam_sm_open_session(). 
+ Closes: #153157. + * libpam0g.postinst, libpam0g.templates: on upgrades from versions + prior to 0.99.7.1-3, restart known PAM-using services so that they + get the new libpam symbols, since otherwise the newer PAM modules + will fail to load. Postinst taken from libssl0.9.8; thanks to + Christoph Martin for the fine example! Closes: #439835. + * Build-depend on po-debconf to support l10n of the debconf questions + from the above. + + -- Steve Langasek Tue, 28 Aug 2007 06:33:33 -0700 + +pam (0.99.7.1-2) unstable; urgency=low + + * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz + for their extensive work in helping to prepare for this update in Debian. + Closes: #360460. + - now uses autoconf for library detection, so SELinux should not be + unconditionally enabled on non-Linux archs. Closes: #333141. + - pam_mail notice handling has been completely reworked, so there should + no longer be missing spaces in the messages. Closes: #119689. + - with libtool and autoconf, now behaves "sensibly" on unknown + platforms. Closes: #165067. + - the source now builds without warnings. Closes: #212165. + - uses automake instead of hand-rolled makefiles with indentation + bugs. Closes: #241661, #328084. + - pam_mkhomedir now creates directories recursively as needed. + Closes: #178225. + - pam_listfile now supports being used as a session module too. + Closes: #416665. + - misspelled pam_userdb log message has been corrected. Closes: #305058. + - the current pam_strerror manpage no longer mentions "Unknown + Linux-PAM error". Closes: #220157. + - the text documentation no longer uses ANSI bold sequences. + Closes: #181451. + - pam_localuser now supports being used as a session module. + Closes: #412484. + - package no longer fails to build with dash as /bin/sh. + Closes: #331208. + - All modules should now be documented in the system administrator + guide. Closes: #350620. 
+ - pam_userdb now logs an error instead of segfaulting when no db= + option is provided. Closes: #436005. + - pam_time now warns on a missing tty instead of erroring out, + making it possible to use the module with non-console services. + Closes: #127931. + - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install + accordingly + - bump the shlibs + - the 'test.c' example no longer exists + - add /usr/share/locale to libpam-runtime. + - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an + arbitrary username, and then only when SELinux is active. + Closes: #336344. + * Mark myself as primary maintainer as previously discussed with Sam, and + add Roger as an uploader. + * Refactor to use quilt. + * Update to Standards-Version 3.7.2. + * Drop unnecessary build-dependency on patch, which is + build-essential (and no longer invoked directly). + * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus, + 018_man_fixes, 030_makefile_link_against_libpam, + 037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd, + 050_configure_in_gnu and 052_pam_unix_no_openlog, which have been + superseded upstream. + * Drop patches 005_pam_limits_099_6, + 012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes, + 048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv, + 060_pam_tally_segv and 062_c++_safe_headers, which have been integrated + upstream. + * Patch 057: SELinux support is merged upstream, leaving only an + unrelated OOM check for pam_unix_passwd. Rename as + 057_pam_unix_passwd_OOM_check. + * Patches 006, 008, 036: update for the switch from SGML to XML. + * Patch 007: update for the switch from SGML to XML; drop some log + messages that were already added upstream; update for the pam_modutil + changes; tighten the flag handling of the 'obscure' option; drop bogus + check in unix_chkpwd for null passwords. Also fix a grammar error + along the way. Closes: #362855. 
+ * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch + pam_cracklib.c instead to use the default dictpath already available + from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead + of AC_CHECK_HEADER, so crack.h is actually included. Also remove + unnecessary string copies, which break on the Hurd due to PATH_MAX. + * Patch 038: partially merged/superseded upstream; also add new Hurd + fix for pam_xauth. + * Patch 061: partially merged upstream + * Use ${binary:Version} instead of ${Source-Version} in + debian/control. + * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm}, + debian/libpam0g.{postinst,prerm}, and + debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these + just fine without our help. + * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl + and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra, + groff, and opensp. + * Also build-depend on flex for libfl.a. + * Updates for documentation handling: + - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide, + and invoke dh_installdocs instead of installing these by hand. + - drop libpam-doc.{postinst,prerm}, which are no longer needed. + - add an install target to debian/rules, and have binary-indep depend on + it instead of trying to install doc files individually from the source + tree + - consequently, drop libpam-doc.dirs as well which is no longer needed + and no longer accurate + - add debian/libpam-doc.install for moving the docs to the right place, + and also replace libpam-runtime.files with libpam-runtime.install; + for the moment this means we're using both dh_movefiles and + dh_install... 
+ - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further + cleaning up debian/rules + * Drop debian/libpam0g.links, no longer needed because upstream now has a + working install target which creates the library symlinks + * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so + symlinks by hand, no longer provided upstream. + * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage + belongs in section 7, not in section 8. + * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime. + * debian/patches-applied/autoconf.patch: move all changes to autotools + generated files into a single patch at the end of the stack. + - don't touch configure in debian/rules, the quilt patch takes care + of this for us. + * New patch 064_pam_unix_cracklib_dictpath: correctly define + CRACKLIB_DICTS, since this is not defined by configure. Thanks to Jan + Christoph Nordholz. + * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable + cracklib support in pam_unix. Thanks to Christoph Nordholz. + * debian/rules: + - Rename OS_CFLAGS to CFLAGS. + - kill off references to unused variables + - make binary-arch also depend on the install target, and streamline the + rules + - fix up the clean target to not ignore errors; thanks to Roger Leigh + - drop the local module_check target in favor of using -Wl,-z,defs + in LDFLAGS to enforce correct linkage of all objects at build time + * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage. + * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally + for consistency. + * Update to debhelper V5. + * Don't ship Makefiles as part of the libpam0g-dev examples. + * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages: + put all the manpages in the correct packages. Closes: #411812, + #62193, #313486, #300773, #330545, #184270. 
+ * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything + because we aren't trying to ship empty directories in the packages + * Build-Conflict with fop, to avoid unreproducible builds of pdf + documentation from a tool in contrib. + * libpam-cracklib should depend on a real wordlist package, per policy; + use wamerican as the default. + * Drop local/pam-undocumented.7 from the package, since we no longer have + a reason to ship it + * Add lintian overrides for known false-positives + * Conflicts/Replaces/Provides libpam-umask, now included upstream. + Closes: #436222. + * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms + by hand in debian/rules. In the process, unix_chkpwd is now writable + by the owner, as expected by policy. Closes: #368100. + * Migrate from db4.3 to db4.6; once again, no administrator action should + be needed for upgrading on-disk database formats. Closes: #354309. + * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to + Laurent Bigonville for the hint. Closes: #439038. + * Add a watch file for use with uscan; thanks to Laurent Bigonville for + this patch as well. Closes: #439040. + * Rewrite of 031_pam_include, fixing a memory leak and letting us drop + patch 056_no_label_at_end; thanks to Jan Christoph Nordholz + for this much-improved version! + * New patch no_pthread_mutexes: don't use pthread mutexes in + pam_modutil functions, they're not needed because pam handles + themselves should not be used concurrently by multiple threads and + using pthreads causes problems for portable linking. + * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around + using setreuid instead. + + -- Steve Langasek Sun, 26 Aug 2007 19:15:09 -0700 + +pam (0.79-4ubuntu2) feisty; urgency=low + + * Remove /usr/bin/X11 from default PATH (new installs only). + + -- Colin Watson Wed, 20 Dec 2006 16:14:37 +0000 + +pam (0.79-4ubuntu1) feisty; urgency=low + + * Resynchronise with Debian. 
Remaining changes: + - Patch 100 (renumbered from 060): Look at ~/.pam_environment too, with + the same format as /etc/security/pam_env.conf. + - Patch 101 (renumbered from 061): Explicitly initialise RLIMIT_NICE + rather than relying on the kernel limits. Bound RLIMIT_NICE from below + as well as from above. Fix off-by-one error when converting + RLIMIT_NICE to the range of values used by the kernel. + - Add PATH to /etc/environment if it's not present there or in + /etc/security/pam_env.conf. + - debian/rules: Fix a bashism. + - Install unix_chkpwd setgid shadow instead of setuid root. The nis + package handles overriding this as necessary. + - Use pam_foreground in the default session. + - Linux-PAM/libpamc/test/regress/test.libpamc.c: Use standard u_int8_t + type rather than __u8. + + -- Colin Watson Tue, 19 Dec 2006 10:32:47 +0000 + +pam (0.79-4) unstable; urgency=medium + + * Medium-urgency upload; at least one RC bugfix, but also a + significant number of changes, hence not urgency=high. + * Move libpam-modules and libpam0g to Section: libs and libpam-runtime + to section: admin, to match the overrides in the archive. + * Move old changelog entries (well, entry) that don't follow the current + format to debian/changelog.old, since there's no way to figure out a + timestamp for an 8-year-old upload, and this is the most effective + way to clear a glut of lintian warnings. + * Fix the formatting of the libpam-cracklib package description. + * Patch 010: remove parts of the patch that aren't necessary for C++ + compatibility. + * Patch 060: fix a segfault in pam_tally caused by misuse of + pam_get_data(); already fixed upstream. Closes: #335273. + * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse) + of strdup (similar to patch 059). Already fixed upstream. + Closes: #327272. + * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs. + Closes: #352329. 
+ * Patch 005: sync pam_limits with upstream: + - support "-" (unlimited) for all limit types except process priority. + - support the additional aliases "-1", "unlimited", and "infinity" for + clearing the limits; closes: #122400, #149027. + - restrict the range of process priority, login count, and system login + count settings to (INT_MIN,INT_MAX) (heh). + - special-case RLIM_INFINITY when applying multipliers to values from + the config. + - document maxsyslogins in the default limits.conf; closes: #149883. + - use the current process priority as a default instead of resetting to + 0; closes: #241663. + - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO + settings in Linux 2.6.12 and above; closes: #313542, #313588. + - allow imposing limits on uid=0. + * Patch 027: only set RLIM_INFINITY as the default for the limits where + we know this is sensible, so that recompiling in an environment with new + limits doesn't create a security hole -- as happened with RLIMIT_NICE and + RLIMIT_RTPRIO! Thanks to Ville Hallik for the initial patch. + Closes: #388431. + * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it + actually works -- which may well be a first... Closes: #318452. + + -- Steve Langasek Mon, 23 Oct 2006 05:36:08 -0700 + +pam (0.79-3.2) unstable; urgency=low + + * Non-maintainer upload to fix important bug, that makes passwd segfault + when CTRL-D is pressed at the password prompt. Applied the patch + provided by Dann Frazier. (Closes: #360657) + + -- Margarita Manterola Sat, 5 Aug 2006 02:11:22 -0300 + +pam (0.79-3.1ubuntu1) edgy; urgency=low + + * Resynchronise with Debian. + + -- Colin Watson Thu, 29 Jun 2006 17:27:34 +0100 + +pam (0.79-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Linux-PAM/libpamc/include/security/pam_client.h, + Linux-PAM/libpamc/pamc_converse.c: Apply patch from + latest upstream version to remove redefinition of internal + glibc/libstdc++ types. Closes: #344447. 
+ + -- Roger Leigh Sun, 5 Feb 2006 21:46:59 +0000 + +pam (0.79-3ubuntu14) dapper; urgency=low + + * debian/patches-applied/061_pam_rlimits_nice_rtprio: Protect use of + RLIMIT_NICE in init_limits() with an #ifdef. + + -- Colin Watson Fri, 12 May 2006 17:42:40 +0100 + +pam (0.79-3ubuntu13) dapper; urgency=low + + * debian/patches-applied/061_pam_rlimits_nice_rtprio: Set soft and hard + nice limits to 20 (= userland nice value 0) rather than unlimited by + default. Correct off-by-one error (the same error as in Linux 2.6.12, + but fixed in 2.6.13) in user<->kernel translation of nice limit. + + -- Colin Watson Thu, 11 May 2006 11:29:58 +0100 + +pam (0.79-3ubuntu12) dapper; urgency=low + + * debian/control: Add libpam-foreground dependency to libpam-runtime, since + the default /etc/pam.d/common-session refers to it. Closes: LP#35142 + + -- Martin Pitt Mon, 10 Apr 2006 14:42:40 +0200 + +pam (0.79-3ubuntu11) dapper; urgency=low + + [ Dana Olson ] + * debian/patches-applied/061_pam_rlimits_nice_rtprio: removed glibc + workaround now that glibc is aware of rlimits. + + [ Martin Pitt ] + * debian/rules: Fix bashisms. + + -- Martin Pitt Thu, 6 Apr 2006 15:03:37 +0200 + +pam (0.79-3ubuntu10) dapper; urgency=low + + * debian/patches-applied/061_pam_rlimits_nice_rtprio: Support "nice" and + "rtprio" rlimits, new in Linux 2.6.12. Backported from upstream thanks + to Dana Olson and others (closes: Malone #17348). + + -- Colin Watson Thu, 23 Feb 2006 16:22:12 +0000 + +pam (0.79-3ubuntu9) dapper; urgency=low + + * Fix operator precedence in libpam-modules.postinst. + + -- Colin Watson Thu, 16 Feb 2006 15:23:04 +0000 + +pam (0.79-3ubuntu8) dapper; urgency=low + + * Make pam_env be quiet if it can't find the user's configuration file, + since it's optional. + + -- Tollef Fog Heen Sat, 4 Feb 2006 16:44:12 +0100 + +pam (0.79-3ubuntu7) dapper; urgency=low + + * Add the PATH on initial install for real this time. 
+ + -- Tollef Fog Heen Thu, 2 Feb 2006 20:33:42 +0100 + +pam (0.79-3ubuntu6) dapper; urgency=low + + * Changes from Roger Leigh: + + * Linux-PAM/libpamc/include/security/pam_client.h, + Linux-PAM/libpamc/pamc_converse.c: Apply patch from + latest upstream version to remove redefinition of internal + glibc/libstdc++ types. Closes: #344447. + * Linux-PAM/libpamc/test/regress/test.libpamc.c: Also switch to standard + types; not taken from upstream. + + -- Reinhard Tartler Wed, 1 Feb 2006 13:14:24 +0000 + +pam (0.79-3ubuntu5) dapper; urgency=low + + * Add pam_foreground to /etc/pam.d/common-session + + -- Matthew Garrett Tue, 24 Jan 2006 02:26:19 +0000 + +pam (0.79-3ubuntu4) dapper; urgency=low + + * Add PATH on initial install, too. + + -- Tollef Fog Heen Mon, 23 Jan 2006 15:55:40 +0100 + +pam (0.79-3ubuntu3) dapper; urgency=low + + * Add PATH to /etc/environment if it's not present there or in + /etc/security/pam_env.conf and we are upgrading from a version which + didn't add it. + + -- Tollef Fog Heen Tue, 17 Jan 2006 15:54:01 +0100 + +pam (0.79-3ubuntu2) dapper; urgency=low + + * Look at ~/.pam_environment too. Same format as + /etc/security/pam_env.conf. The patch is recorded as + patches-applied/060_pam_env_per_user + + -- Tollef Fog Heen Tue, 17 Jan 2006 15:32:55 +0100 + +pam (0.79-3ubuntu1) dapper; urgency=low + + * Resynchronise with Debian. + + -- Colin Watson Mon, 21 Nov 2005 12:15:44 +0000 + +pam (0.79-3) unstable; urgency=low + + * Patch 059 + - Fix a segfault in pam_userdb when the new "crypt=" option + is unset, as will be the case for all existing users; already fixed + upstream. Closes: #330829. + - Fix a memory leak in the same code due to gratuitous strdup()s. + * Further regression in pam_env: don't treat a missing /etc/environment + as a fatal error, either. Amend patch 058 accordingly. Closes: #330852. 
+ + -- Steve Langasek Fri, 30 Sep 2005 01:17:53 -0700 + +pam (0.79-2) unstable; urgency=low + + The ".c.o: rm -rf $@" release + * Fix debian/rules so that make clean doesn't remove ./configure when the + timestamp on configure.in is newer (!). + * Switch pam_userdb from db3 to db4.3, which according to the libdb + maintainers should require no manual intervention for upgrading on-disk + database formats. Closes: #165068. + * Patch 058: yes, of course we want to read /etc/environment by + default. Grr! Revert upstream change which disables this for no + apparent reason (closes: #330458). + * Tweak selinux rootok code to use the version of the function call that + doesn't pollute namespace + + -- Steve Langasek Tue, 27 Sep 2005 02:44:36 -0700 + +pam (0.79-1) unstable; urgency=low + + * New upstream version (closes: #284954, #300775). + - includes some fixes for typos (closes: #319026). + - pam_unix should now be LSB 3.0-compliant (closes: #323982). + - fixes segfaults in libpam on config file syntax errors + (closes: #330097). + * Drop patches 000_bootstrap, 004_libpam_makefile_static_works, + 011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes, + 025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set, + 033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE, + 035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required, + 041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors, + 051_32_bit_pam_lastlog_ll_time, and + 053_pam_unix_user_known_returns_user_unknown which have been + integrated upstream. 
+ * Merge one last bit of patch 053 into patch 043, where it should have + been in the first place + * Patch 057: SELinux support: + - add support to pam_unix for copying SELinux security contexts when + writing out new passwd/shadow files and creating lockfiles + - support calling unix_chkpwd if opening /etc/shadow fails due to + SELinux permissions + - allow unix_chkpwd to authenticate for any user when in an SELinux + context (hurray!); we depend on SELinux policies to prevent the + helper's use as a brute force tool + - also support querying user expiration info via unix_chkpwd + - misc cleanup: clean up file descriptors when invoking unix_chkpwd + (closes: #248310) + - make pam_rootok check the SELinux passwd class permissions, not just + the uid + - add new pam_selinux module (closes: #249499) + * Build-depend on libselinux1-dev. + * Fix pam_getenv, so that it can read the actual format of /etc/environment + instead of trying to read it using the syntax of + /etc/security/pam_env.conf; thanks to Colin Watson for the patch. + Closes: #327876. + * Set LC_COLLATE=C when using alphabetic range expressions in + debian/rules; bah, so *that's* what kept happening to my README file + when trying to build out of svn! Closes: #295296. + * Add a reference to the text of the GPL to debian/copyright. + + -- Steve Langasek Sun, 25 Sep 2005 22:08:20 -0700 + +pam (0.76-23) unstable; urgency=low + + * Fix Gcc 3.4 compilation, Closes: #259634 + * Note that pam.conf is not read if /etc/pam.d exists, Closes: #248928 + * Fix typo in pam_env.conf, Closes: #277633 + + -- Sam Hartman Sun, 10 Jul 2005 16:42:25 -0400 + +pam (0.76-22ubuntu3) breezy; urgency=low + + * Fix pam_getenv, which never worked: + - Parse /etc/security/pam_env.conf using its own syntax, and then + /etc/environment using its own syntax rather than the syntax of + /etc/security/pam_env.conf. + - 'my $val' was used in an incorrect scope; fixed. + - Exit non-zero if the requested environment variable is not found. 
+ + -- Colin Watson Mon, 12 Sep 2005 18:32:54 +0100 + +pam (0.76-22ubuntu2) breezy; urgency=low + + * debian/rules: Install unix_chkpwd setgid shadow instead of setuid root. + This only breaks when using NIS lookups, therefore the new nis package + dpkg-statoverrides it back to setuid root while being installed. + (Debian #155583, http://udu.wiki.ubuntu.com/ProactiveSecurityRoadmap) + * debian/control: Added conflict to nis (<< 3.13-3ubuntu1): This is the + version that corrects the permissions for usage with NIS. + + -- Martin Pitt Fri, 17 Jun 2005 12:34:23 +0200 + +pam (0.76-22ubuntu1) breezy; urgency=low + + * Fix FTBFS with gcc-3.4 (closes: #259634). Ubuntu 9037. + + -- Matthias Klose Wed, 4 May 2005 18:14:51 +0200 + +pam (0.76-22) unstable; urgency=medium + + * Add uploaders + * Document location of repository + * Fix options containing arguments in pam_unix, Closes: #254904 + + -- Sam Hartman Mon, 28 Jun 2004 14:28:08 -0400 + +pam (0.76-21) unstable; urgency=medium + + * Fix patch 055 again because -20 was broken and didn't actually fix the + problem. + + -- Sam Hartman Tue, 4 May 2004 21:37:38 -0400 + +pam (0.76-20) unstable; urgency=medium + + * Update to patch 55 to only check securetty when we are sure the + password is null, Closes: #243698 + * Medium urgency because the version now in testing has confusing and + verbose log messages. + * Include pam_getenv script which hopefully will be used by some people + somewhere for some purpose + + -- Sam Hartman Wed, 28 Apr 2004 22:51:18 -0400 + +pam (0.76-19) unstable; urgency=low + + * Oops, too busy testing the upgrade from woody to make sure the upgrade + from -16 to -18 worked. 
Thanks to all those who reported, + Closes: #243413 + + -- Sam Hartman Tue, 13 Apr 2004 16:08:54 -0400 + +pam (0.76-18) unstable; urgency=low + + * Manipulate conffiles to avoid unnecessary prompt in woody to sarge + upgrade, Closes: #218318 + + -- Sam Hartman Sat, 10 Apr 2004 18:10:35 -0400 + +pam (0.76-17) unstable; urgency=low + + * common-password now includes length restrictions and cracklib + examples, Closes: #227681, #237537 + * Patch 054: abstract out the logic from pam_securetty to determine if a + tty is in /etc/securetty into a library function + * Patch 55: Add nullok_secure option to pam_unix. If set, then null + passwords are accepted from terminals in /etc/securetty. + * common-auth now includes nullok_secure, Closes: #228114 + + + -- Sam Hartman Sun, 4 Apr 2004 23:10:11 -0400 + +pam (0.76-16) unstable; urgency=low + + * Patch 51 from the x86-64 folks to support 32-bit ll_time in + pam_lastlog even if time_t is 64-bits + * Don't call openlog in pam_unix (patch 52), Closes: #213566 + * Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506 + + -- Sam Hartman Tue, 23 Mar 2004 22:26:04 -0500 + +pam (0.76-15) unstable; urgency=low + + * Fix description of libpam-runtime, Closes: #209755 + * Fix description of libpam-cracklib, Closes: #210014 + * Depend on libc6-dev|libc-dev not libc6-dev, Closes: #212354 + * Clean up binaries, Thanks Russell, Closes: #212158 + * Depend on sufficiently new cracklib2-dev, Closes: #214092 + * Treate GNU/* as GNU for OS variable to make pam_limits compile, + (patch 050) Closes: #220980 + * No longer build-depend on latex2html, Closes: #221318 + * Allow : in tty specification for pam_group, (patch 048) Closes: #220439 + * Pull in locking patch from Linux-PAM CVS; this ended up causing + 021_pam_nis_locking to be reworked and that patch now no longer + contains locking fixes, but just NIS cleanup in general. 
See + 049_pam_unix_sane_locking for the locking changes, Closes: #220158 + + -- Sam Hartman Mon, 12 Jan 2004 02:23:59 -0500 + +pam (0.76-14) unstable; urgency=low + + * Pull in NMU diff from 13.1, Closes: #186011 + * Split out common-password into its own file, Closes: #207497 + * Make other a conffile again and update to @include stuff + * Add missing symlink, Closes: #196605 + * Remove undocumented manpages + * Update PAM mini-policy + + -- Sam Hartman Mon, 1 Sep 2003 18:08:54 -0400 + +pam (0.76-13.1) unstable; urgency=low + + * NMU with maintainer's permission. + * Add three new config files (/etc/pam.d/common-{auth,account,session}) + to libpam-runtime. Other packages which depend on libpam-runtime + can now @include these files from their own PAM configs. + * Convert /etc/pam.d/other from a conffile to a non-conffile config + file. Closes: #186011. + * Remove empty libpam-runtime.prerm script (debhelper will autocreate if needed) + + -- Steve Langasek Tue, 19 Aug 2003 19:41:03 -0500 + +pam (0.76-13) unstable; urgency=low + + * Nope, that dependency didn't work, so let's remove it. If we run into other module versioning issues, I now have an arm build environment to debug with. Closes: #198618 + + -- Sam Hartman Mon, 7 Jul 2003 00:22:34 -0400 + +pam (0.76-12) unstable; urgency=low + + * Fix group.conf example, (patch 046) Closes: #197080 + * Ignore module return value in jumps, (patch 045) Closes: #176693 + * Accept string value for chroot limit, thanks Andrei Pelinescu-Onciul, + Patch (047), Closes: #196903 + * Depend on libpam-modules instead of conflicting with older versions. + This creates a circular dependency between libpam0g and + libpam-modules. James says this works fine; we hope he's right. + Closes: #196949 + -- Sam Hartman Sat, 21 Jun 2003 17:19:29 -0400 + +pam (0.76-11) unstable; urgency=low + + * Don't allow db4 to satisfy build-depends because it doesn't actually + work, and sometimes building with it would be wrong. 
+ * Don't depend on libpcap-dev on Debian BSD + * Conflict with old libpam-modules, Closes: #191906 + * Incorrect username should not be logged at alert (patch 43), + Closes: #175900 + * Patch to support FreeBSD (patch 44, thanks Robert), Closes: #191906 + + -- Sam Hartman Sat, 31 May 2003 19:55:26 -0400 + +pam (0.76-10) unstable; urgency=low + + * Don't double list conffiles, Closes: #190954 + * Only install example sources not executables, Closes: #185286 + * Display correct directory in error message for pam_mkhomedir, patch + 042 thanks to Akira TAGOH, Closes: #165240 + * Don't log EPERM when setting NOFILE limit as Linux doesn't let you + set that to -1, Closes: #180310 + * Add newline to end of distributed time.conf, Closes: #172229 + * Up our standards version and support noopt in DEB_BUILD_OPTIONS + + -- Sam Hartman Sat, 3 May 2003 22:28:37 -0400 + +pam (0.76-9) unstable; urgency=low + + * Fix pam_rhosts hurd patch so it actually works, Closes: #172914 + * Fix patch 040 not to clobber errno when logging the error fails, + Closes: #172186 + * Fix dependency for linuxdoc-tools, Closes: #173097 + + -- Sam Hartman Sun, 15 Dec 2002 17:10:58 -0500 + +pam (0.76-8) unstable; urgency=low + + * Have makefile appropriately depend on bootstrap-libpam + * Install pam minipolicy, Closes: #167798 + * Don't segfault if ttyname is null; this avoids the segfault but does + not actually make pam_issue useful for ssh. I believe the way + pam_issue works is fundamentally incompatible with what sshd expects + from PAM (patch 037), Closes: #153152 + * We actually fixed passwords containing , in 0.76-6, but failed to + document it. 
They do work, Closes: #164713 + * Note that /etc/pam.d/other is a fall back for each service + * Patches from Michal 'hramrach' Suchanek" to + make HURD work, Closes: #165066 (patch 038 and 039) + * Don't depend on gs and other doc prep tools for build-depends, just + build-depends-indep, Closes: #165065 + * Patch from Eric Anderson to log failures of + setrlimit (patch 040), Closes: #169836 + * Build pam_limits on hurd, Closes: #165190 + + -- Sam Hartman Sun, 24 Nov 2002 22:04:28 -0500 + +pam (0.76-7) unstable; urgency=low + + * Fix handling of pam_ignore in case where we're skipping modules; + update to patch 034 + + -- Sam Hartman Sun, 20 Oct 2002 21:49:22 -0400 + +pam (0.76-6) unstable; urgency=low + + * The "No, I don't think I actually want any of what upstream is + smoking" release + * If this were already in testing, this would be an severity emergency + upload + * pam_unix currently treats * in shadow file as no password not + disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659 + * OK, I think this actually fixes the rest of the manpage symlinks, + Closes: #163839, #164298 + * You don't want to use getlogin for pam_wheel because utmp may be wrong or for xterm have no entry, pull forward patch from the 0.72 packages (patch 036), Closes: #163787 + + -- Sam Hartman Tue, 15 Oct 2002 10:44:56 -0400 + +pam (0.76-5) unstable; urgency=low + + * Fix library links from 0.75 to 0.76 + * Ignore PAM_IGNORE in _pam_dispatch_aux (patch 34), Closes: #163841 + * Fix man page symlinks, Closes: #163839 + + -- Sam Hartman Fri, 11 Oct 2002 01:08:06 -0400 + +pam (0.76-4) unstable; urgency=low + + * Upstream correctly states that one should use gcc not ld when + linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711 + + * Remove experimental warning from readme, Closes: 163742 + + -- Sam Hartman Mon, 7 Oct 2002 23:45:53 -0400 + +pam (0.76-3) unstable; urgency=low + + * Oops, let's try building -fpic. 
This currently builds everything + -fpic which is somewhat wrong, but doing more than that requires + significant build system hacking (touch every makefile for dynamic + objects), so it will wait, Closes: #163600 + + -- Sam Hartman Sun, 6 Oct 2002 23:33:12 -0400 + +pam (0.76-2) unstable; urgency=low + + * Link against appropriate libraries so we find the symbols we need, + Closes: #162175 + * The if everyone's going to complain when I upload broken software to + experimental release, I might as well upload to unstable and give them + something worth actually complaining about release. + * Also the remove the scourge of dbs release + * Include patch 034 from the 0.72 packages, meaning that we've included + all the patches we need before release + * Reject the patch to pam_wheel as I cannot find out what reasonable + thing it was trying to do and it seemed broken + * libpam-cracklib should depend on wordlist so it actually works; + thanks Olaf Meeuwissen, + Closes: #112965 + * Merge build-depends and build-depends-indep because I'm a bad person + and was too lazy to make docs build in a separate pass. I'll deal in + a few versions. + + -- Sam Hartman Sun, 6 Oct 2002 18:52:13 -0400 + +pam (0.76-1) experimental; urgency=low + + * New upstream version + * Upstream includes fix to not break cron, Closes: 160566 + * New Upstream correctly handles priority < 0 for pam_limits, Closes: #126251 + * .cvsignores removed, Closes: #159961 + + -- Sam Hartman Sun, 22 Sep 2002 16:11:35 -0400 + +pam (0.75-3) experimental; urgency=low + + * Apply patch 027 pam_limits so that we initialize to wide open not + current limits. 
+ * In pam_mail, don't complain about deleting environment variable if + we never set it, Closes: #58429 + * Don't set default max procs limit in pam_limits, Closes: #116874 + * libpam-runtime now arch all since it has no arch-specific files, + Closes: #132545 + * Update mini policy to reflect confusion on debian-devel + + -- Sam Hartman Tue, 16 Jul 2002 09:30:50 -0400 + +pam (0.75-2) experimental; urgency=low + + * Fix pam_userdb to build and to build against db3, fixes patch 020 + * Fix upstream makefile so pam_group has valid configuration, closes: #148657 + * time.conf reference to logoutd removed, closes: #143801 + * The static library contains all the appropriate symbols in this + version. You may find the complete lack of PAM modules somewhat + frustrating; currently the static pam library is only useful if you + register your own modules. Fixing this would require annoying hacking + on the upstream build system, closes: #103495 + * unix_chkpwd.8 typo fixes thanks to dancer@anthill.echidna.id.au, + Closes: #139949 + * Since we're working on the new upstream version, we also have the new docs, closes: #147763 + * Patch from Martin Schwenke to only change + passwords in pam_unix when they exist in the password file; hopefully + does not break NIS, closes: #135990 + * Another patch from Martin to return PAM_USER_UNKNOWN if we ever + actually do get into the password changing routine only to find that + we have no password to change, closes: #135604 + * .cvsignore no longer installed, closes: #120795 + * We're using debhelper 3, just in time to be obselete, Closes: #93414 + + -- Sam Hartman Sat, 8 Jun 2002 18:04:40 -0400 + +pam (0.75-1) experimental; urgency=low + + * Preliminary test packages + * New upstream version + * Hopefully works mostly the same as 0.72 except for upstream bug + fixes and for the fact that pam_limits is fairly broken right now. + * If it breaks you are lucky if you get to keep both pieces release. 
+ + -- Sam Hartman Sat, 25 May 2002 22:57:57 -0400 + +pam (0.72-35) unstable; urgency=medium + + * Fix like_auth to make libpam-krb5 and libpam-heimdal actually useful, + patch from RISKO Gergely , closes: #126251 + + -- Sam Hartman Mon, 21 Jan 2002 15:20:22 -0500 + +pam (0.72-34) unstable; urgency=medium + + * Note that HOME may not be useful in pam_environment, closes: #109281 + * Don't smash case domains (groups/users) in pam_limits, closes: #119893 + * Remove double the from description, closes: #107705 + * Fix typo on mail message, closes: #119689 + * Medium since these are small fixes that should go into woody + + -- Sam Hartman Fri, 23 Nov 2001 21:24:20 -0500 + +pam (0.72-33) unstable; urgency=low + + * Fix pam_mail to look in /var/mail not /var/spool/mail, thanks mjb. + + -- Sam Hartman Thu, 11 Oct 2001 15:44:32 -0400 + +pam (0.72-32) unstable; urgency=medium + + * This should probably get into testing before freeze; medium. + * Patch from Volker Stolz to fix bug in previous pam_group patch, + closes: #111854 + + -- Sam Hartman Sat, 22 Sep 2001 06:32:29 -0400 + +pam (0.72-31) unstable; urgency=low + + * Add support for credential reinitialization in pam_group, closes: #108697 + + -- Sam Hartman Fri, 31 Aug 2001 13:16:39 -0400 + +pam (0.72-30) unstable; urgency=low + + * Include patch from robbe@orcus.priv.at to build pam_limits on hurd, + closes: #103556 + * Start installing limits.conf for hurd (may not work quite right) + + -- Sam Hartman Mon, 16 Jul 2001 09:35:51 -0400 + +pam (0.72-29) unstable; urgency=low + + * Correctly declare uint32 type for ia64, closes: #104584 + + -- Sam Hartman Sat, 14 Jul 2001 01:30:39 -0400 + +pam (0.72-28) unstable; urgency=low + + * Fix scanf string so pam_limits chroot works, closes: #100812 + * Only log unknown user at warning, not alert, closes: #95220 + * By default do complete matches not substring matches for pam_time. 
+ You can include explicit wildcard for substring, closes: #66152 + + -- Sam Hartman Tue, 3 Jul 2001 17:31:45 -0400 + +pam (0.72-27) unstable; urgency=low + + * Fix typo in last patch + + -- Sam Hartman Mon, 25 Jun 2001 18:27:42 -0400 + +pam (0.72-26) unstable; urgency=low + + * Block SIGCHLD when calling unix password verification program, patch from mdz@debian.org, fixes pam part of #97977 + + -- Sam Hartman Mon, 25 Jun 2001 08:47:12 -0400 + +pam (0.72-25) unstable; urgency=medium + + * Depend on opensp, working around #89063, closes: #100125 + * This is urgency medium to get docs back into testing. + + -- Sam Hartman Fri, 8 Jun 2001 11:44:12 -0400 + +pam (0.72-24) unstable; urgency=low + + * New NIS double locking and root password patch from Philippe Troin + , fixes bug in unreleased patch submitted for + 0.72-23. Also improves changing root password so it does something; + ongoing discussion on whether this is right. + + -- Sam Hartman Mon, 21 May 2001 08:06:05 -0400 + +pam (0.72-23) unstable; urgency=low + + * Patch from Benoit Gaussen , Don't trim from , to end + of string in user input, only trim from salt + grabbed from passwd file, closes: #96779 + * Fix NIS double locking, closes: #96736 + + -- Sam Hartman Wed, 16 May 2001 15:46:34 -0400 + +pam (0.72-22) unstable; urgency=low + + * Fix pam.8 to be pam.7, closes: #92874 + + -- Sam Hartman Tue, 17 Apr 2001 23:04:04 -0400 + +pam (0.72-21) unstable; urgency=low + + * Don't depend on libcap for hurd, closes: #91998 + * Don't list scurity/limits.conf as a conffile for hurd + + -- Sam Hartman Mon, 9 Apr 2001 12:30:18 -0400 + +pam (0.72-20) unstable; urgency=low + + * Install pam-undocumented in -runtime not -dev, closes: #93063 + * Mark pam-runtime as replacing files from -dev in case you installed + -19 and have pam-undocumented in the wrong place + + -- Sam Hartman Fri, 6 Apr 2001 06:38:15 -0400 + +pam (0.72-19) unstable; urgency=low + + * New maintainer, closes: #92353 + * Install pam-undocumented; somehow 
it was not installed in -18 + + -- Sam Hartman Wed, 4 Apr 2001 21:32:17 -0400 + +pam (0.72-18) unstable; urgency=low + + * pam_securetty: log failed tty checks. Normally this was only done if + the "debug" option was on...do it regardless now, closes: #89390 + * Get rid of log message for when "root" is not applied to group checks. + closes: #88825 + * Add quiet option to pam_listfile, closes: #84428 + * pam(8) should be pam(7), pam.conf(8) should be pam.conf(5), closes: + #89322 + * Added groff to Build-Depends-Indep, closes: #88794 + + -- Ben Collins Sun, 25 Mar 2001 21:40:32 -0500 + +pam (0.72-17) unstable; urgency=low + + * Fixed login in pam_limits where the max logins could be ignored. + + -- Ben Collins Fri, 9 Mar 2001 09:14:48 -0500 + +pam (0.72-16) unstable; urgency=low + + * New pam limits cap patch from Topi Miettinen + , closes: #88401, #88406, #88525, #88399, + #86197 + * pwdb no longer used, closes: #59917 + * fix patch 023 for gethostbyname build failure, closes: #86156 + * Make sure unix_chkpwd gets installed as suid root, closes: #88519 + * Fix whatis parse of manpages, closes: #86203 + * pam_listfile, fix arg parsing when arg does not contain '=', closes: + #86070 + + -- Ben Collins Sun, 4 Mar 2001 22:45:58 -0500 + +pam (0.72-15) unstable; urgency=low + + * Doh, added build-depends for libcap, closes: #85352 + * Change section of libpam-cracklib from admin to libs to match + overrides. + + -- Ben Collins Fri, 9 Feb 2001 09:06:40 -0500 + +pam (0.72-14) unstable; urgency=low + + * Added fix to pam_access for gethostname decleration. closes: #82100 + * Just name the lib/security directory instead of all the modules + seperately for dh_movefiles. 
closes: #76119 + * Fix pam_env corruption, closes: #66849, #77229 + * Add patch to allow recursive /etc/skel copy in pam_mkhomedir, closes: + #67211 + * remove dh_suidregister call, added conflict for old suidregister + package + * Applied patch for Linux capabilities in pam_limits, closes: #74176 + * pam_issue.so works for me, without segv, and even with escapes. This + is with login. Note, things like pam_issue do not work with ssh simply + because ssh is not able to work in that way (does not support + arbiitrary conversations). So if you want it to work there, file a bug + on ssh, not on libpam-modules. closes: #77228 + * unix_chkpwd: check for NULL password, closes: #69960 + + -- Ben Collins Thu, 8 Feb 2001 11:06:03 -0500 + +pam (0.72-13) unstable; urgency=low + + * Fix grammar in pam_source.sgml, closes: #78959 + * pam_undocumented.7: Fix escaped 's, closes: #75987 + * Fix build ordering, closes: #71442, #80397, #77017 + * Applied Hurd patch, closes: #76119 + * Use gcc for linking, not ld. closes: #71941 + * Pretty sure this was fixed, closes: #67172 + * Applied spealang fixes to Debian-mini-policy. closes: #80249 + * Applied patch to allow devfs style terminal devices with pam_group, + closes: #77661 + * Could not reproduce, even using md5 passwords. User, if you still have + * this problem, you need to tell me with what service (login, which I + tested, sshd, telnet, etc...) and also send me the entire pam.d file + for that service. closes: #76087 + * Fixed awhile back, closes: #72858 + * Closing this since I am not going to include any modules in this + package that aren't in upstream. If someone else wants to package + these modules seperately, they can do so. closes: #69550 + * For correct usage, pam_wheel.so should be used with "sufficient" and + not "required". This is documented. If you use "required", then you + must also use the "trust" option, but that doesn't give you the + results you want. 
closes: #76236 + + -- Ben Collins Sun, 31 Dec 2000 05:38:23 -0500 + +pam (0.72-12) frozen unstable; urgency=low + + * Recompile against db2 for glibc change + * Add db2 to build-deps + + -- Ben Collins Wed, 27 Sep 2000 12:08:11 -0400 + +pam (0.72-11) frozen unstable; urgency=low + + * Removed all traces of pwdb in packages. libpwdb has been removed from + the archive. This means that the pam_pwdb and pam_radius modules are + no longer available (from the libpam-pwdb package). + * doc/modules/pam_wheel.sgml: Really spell out that being a member of a + group meands the user is listed in /etc/group, closes: #69242 + * doc/*: s/PAM_AUTHOK_RECOVERY_ERR/PAM_AUTHOK_RECOVER_ERR/g, + closes: #64473 + * pam_wheel: PAM does not distinguish it, the libc calls make the + distinction. The users gid is returned in their passwd info, while + getgrent() returns only the members of the group listed in /etc/group. + This is ok, because if it's really that important, you can actually + have it in both places. The fact that it's documented should suffice + in making this clear, closes: #69236 + * Sorry, but seperate modules generally need to be packaged seperately. + I don't want to overload this package with everyone's pet module, so I + have to put my foot down, closes: #61759 + * Actually, I'm going to move in Woody to make packages depend more on + the defaults in /etc/pam.d/other, so that admins have less to + maintain. For one, all packages should not have a password service + listed, closes: #70000 (YAY! I got the 70k rollover bug number!) + * Sorry, I can't include this. "," is a legitimate char in a password + salt/hash. 
If you can code up something that is super intelligent + about lenghts of the field, I can go for it, maybe, closes: #59459 + * modules/pam_limits: Added chroot feature patch, closes: #61090 + * modules/pam_access: Allow last field to contain ':', closes: #67291 + * modules/pam_limits: Allow explicit limits for root, closes: #62448 + * modules/pam_unix: Do not zero old/new password fields, libpam does + this itself, and doing so in the module breaks stacking, + closes: #66270 + * modules/pam_group: Allow alpha *and* numeric in tty field (duh), + closes: #63752 + * modules/pam_access: Enable NIS, closes: #64854 + * libpam0g-dbg: removed, useless anyway + + -- Ben Collins Wed, 30 Aug 2000 18:39:32 -0400 + +pam (0.72-10) frozen unstable; urgency=low + + * Update build depends + * Fixed logic for showing non-existent user names when auth failed in + pam_unix.so, closes: #67786 (thanks to Jim Breton for being patient in + helping track this down). It would sometimes show them, even if we + didn't want to. 
+ + -- Ben Collins Thu, 27 Jul 2000 09:17:08 -0400 + +pam (0.72-9) frozen unstable; urgency=low + + * pam_unix: do not call obscure_msg() of pass_old is NULL, + closes: #65321 + * pam_access: check for from[0] == '\0' so that tty logic is actually + used, closes: #65401 + + -- Ben Collins Wed, 14 Jun 2000 11:38:35 -0400 + +pam (0.72-8) frozen unstable; urgency=low + + * Build depends added in previous version, closes: #60817, #61439 + * Allow use of ":0" in group.conf, closes: #61966 + * Added syslog entry to notify that a user succesfully changed their + password, closes: #61724 + * Make pam_unix compatible with HP-UX style NIS+ password information, + patch from ldaffner@rsn.hp.com, closes: #61942 + * If "audit" is not enabled, don't let pam_unix print the names of + unknown users for auth attempts, closes: #61942 + * Fixed ttyname() parsing in pam_access to match that of the old shadow + access.conf s,/dev/,, closes: #61644 + * Set some sane defaults for pam_limits.so instead of carrying over + potentially bad defaults, patch from Peter Paluch + closes: #63230 + * Allow explicit (e.g. specified specifically for) limits for root, + patch from Topi Miettinen , closes: #62448 + * Added information to time.conf about logoutd, which is now enabled via + this file. + * cracklib maintainer claims this isn't a bug, closes: #54180 + * fixed control syntax handling which was causing segfaults, closes: #62237 + + -- Ben Collins Sat, 29 Apr 2000 11:39:59 -0400 + +pam (0.72-7) frozen unstable; urgency=low + + * pam_limits: fix parsing of users which explicitly removes limits, + closes: #59911, #60287 + * Added build-depends + + -- Ben Collins Mon, 20 Mar 2000 16:06:28 -0500 + +pam (0.72-6) frozen unstable; urgency=low + + * Remove conflict for libpam0g-util from libpam0g and put it in + libpam-runtime. 
This should fix a problem with upgrades that apt + experiences, closes: #58677 + + -- Ben Collins Mon, 28 Feb 2000 14:05:28 -0500 + +pam (0.72-5) frozen unstable; urgency=low + + * Added obscure password checks to pam_unix. Required for shadow to be + able to emulate the pre-PAM setup (referenced in a bug on passwd). + * Applied patch from #57800 to fix NIS/NIS+ shadow accounting checks, + closes: #57800, #58164 + * Fixed two typos in the PAM System Administrators Guide, + closes: #56578, #56587 + + -- Ben Collins Mon, 28 Feb 2000 10:58:09 -0500 + +pam (0.72-4) frozen unstable; urgency=low + + * unix_chkpwd: check for NULL on stdin aswell as 0 reads, closes: #56375 + * pam_unix/Makefile: removed bashism, closes: #56370 + * fixed in shadow upload, closes: #49832 + + -- Ben Collins Sat, 29 Jan 2000 00:27:28 -0500 + +pam (0.72-3) unstable; urgency=low + + * Added cpluplus wraps in all the headers, closes: #53653 + + -- Ben Collins Sun, 2 Jan 2000 15:15:40 -0500 + +pam (0.72-2) unstable; urgency=low + + * Well, this is an odd one. A recompile fixes it. So it must have been a + problem from linking with 0.71 when this is version 0.72. All of this + build daemons seem to have compiled the latest 0.72, so this should be + resolved after this gets recompiled on all of them, closes: #51619, #49584 + * This is from a very old version (0.56) of libpam0. It is not relevant + to the latest version, closes: #47162 + + -- Ben Collins Sun, 26 Dec 1999 09:10:13 -0500 + +pam (0.72-1) unstable; urgency=low + + * New upstream source release, lots of patches merged upstream (thanks + Andrew). 
+ * libpam-doc: now provides pam-doc, closes: #45631 + * cleanups to the build system + * shlibs.local: bumped shlib deps + + -- Ben Collins Tue, 14 Dec 1999 11:17:36 -0500 + +pam (0.71-3) unstable; urgency=low + + * Debian-PAM-MiniPolicy: new document describing how PAM is implemented + in Debian + + -- Ben Collins Fri, 26 Nov 1999 17:26:40 -0500 + +pam (0.71-2) unstable; urgency=low + + * pam_listfile: lstat -> stat, closes: #49833 + * pam_tally: install the pam_tally program, closes: #50314 + * debian/control: libpam-modules, replaces libpam0g-util, closes: #50716 + + -- Ben Collins Thu, 25 Nov 1999 21:02:23 -0500 + +pam (0.71-1) unstable; urgency=low + + * New upstream release, merges lots of patches from the Debian source, + also merges the pam_{motd,mkhomedir,issue} modules into the main + source. Lots of minor bugs fixed, and compiler warnings + * pam_mail: Reimplemented the authentication handlers, so now this works + as both (changes nothing in Debian, but was required to get the patch + accepted upstream) + * general: Lots of small edits to fix compiler warnings + * pam_userdb: fixed potential usage of an unitialized value as + PAM_AUTHTOK, doesn't look particularly exploitable, but better safe + than sorry + + -- Ben Collins Mon, 8 Nov 1999 19:21:52 -0500 + +pam (0.70-4) unstable; urgency=low + + * pam_wheel/pam_wheel.c: change to use getpwuid(getuid()) by default, so + avoid the problems associated with getlogin() + + -- Ben Collins Mon, 1 Nov 1999 13:33:10 -0500 + +pam (0.70-3) unstable; urgency=low + + * Applied patch from Herbert Xu to enable PAM_CONV_AGAIN support in + pam_ftp, closes: #47288 + + -- Ben Collins Wed, 13 Oct 1999 13:25:21 -0400 + +pam (0.70-2) unstable; urgency=low + + * 100_pam_pwdb_security_fix: new patch fixes security problem with + regard to NIS accounts + + -- Ben Collins Wed, 13 Oct 1999 11:42:41 -0400 + +pam (0.70-1) unstable; urgency=low + + * New upstream release + * Seems there were a lot of fixes merged/matches upstream, 
looks good, + (maybe it's time I start sending my patches in, since the maintainer + is active again). + * libpamc: new library (libpam client library), this actually used to be + in the Debian packages for a few versions, but it was removed upstream. + Guess what, it's back :) + + -- Ben Collins Sun, 10 Oct 1999 01:07:43 -0400 + +pam (0.69-11) unstable; urgency=low + + * {pwdb,unix}_chkpwd.8: fixed format to get rid of "no whatis" warnings + from mandb, closes: #47004 + * pam_unix.sgml: new file, documents the pam_unix.so module, + closes: #46511 + + -- Ben Collins Sat, 9 Oct 1999 12:41:58 -0400 + +pam (0.69-10) unstable; urgency=low + + * libpam/pam_item.c: fixed debug message being in wrong place + * 013_pam_issue: new patch, provides issue file parsing for PAM + applications (helps to replace lost functionality in login). + + -- Ben Collins Wed, 6 Oct 1999 20:30:17 -0400 + +pam (0.69-9) unstable; urgency=low + + * Fix typo in pam_mail.so module's "no" return + + -- Ben Collins Sun, 3 Oct 1999 15:08:56 -0400 + +pam (0.69-8) unstable; urgency=low + + * docs/modules/pam_mkhomedir.sgml: Fixed module name + * changed build system structure + * libpam/Makefile: add -lcrypt to the linked libs, closes: #46104 + * increase shlib deps to 0.69-7, closes: #45801 + * pam_motd.c: close motd file after reading, closes: #46122 + * pam_motd.c: fix setting \0 in the wrong place when motd file is + zero length, closes: #45686, #45632 + * pam_unix_acct.c: allow '0' to denote disabled for some expiry fields + since chage(1) documents it this way, closes: #45446 + * pam_mail.c|modules/pam_mail.sgml: added 2 options, one "standard" to + give the old style "You have ..." 
response and "quiet" which only + reports new mail for both formats, documented both options, + closes: #45670 + * with the new pam_unix module, this bug is fixed, closes: #42230 + * pam_limits.c: make sure that we not only ignore limits on root, we + also remove them just in case we are su'ing from a limited user to + the root account (since as root they can remove the limits anyway), + closes: #35302 + + -- Ben Collins Sun, 3 Oct 1999 12:07:28 -0400 + +pam (0.69-7) unstable; urgency=low + + * debian/rules: fixed module_check + * pam_env/pam_env.c: fixed env parsing to include values wrapped in '' + and also allow continued lines with a trailing '\'. + * pam_motd,pam_mail: converted to session modules, so that they could + be ordered with the lastlog module + * updated default pam.d/login to reflect above change (now login looks + the same as the non-PAM version, lastlog, then motd, and then mail + check) + * pam_motd: removed extraneous \n from output + * modules/pam_limits/pam_limits.c: Fixed parsing of lines with only + "domain -", which was documented as being able to get rid of limits + for that user or group. + * debian/control: (libpam-cracklib) Added depends for cracklib-runtime, + closes: #45488 + * modules/pam_env.c: Fixed /etc/environment parsing causing segfaults on + long lines, closes: #45408 + + -- Ben Collins Sun, 19 Sep 1999 13:50:40 -0400 + +pam (0.69-6) unstable; urgency=low + + * Install unix_chkpwd suid root, it's needed for NIS to work without + modification to the binary. + * modules/pam_limits/pam_limits.c: hmm, some how I got a strange broken + patch left over from the source upgrade...removed all but the pwdb + purging, closes: #45088 + * modules/pam_env/pam_env.c: Changed to a debug message, instead of a + syslog message when /etc/environment does not exist. 
+ + -- Ben Collins Wed, 15 Sep 1999 04:25:21 -0400 + +pam (0.69-5) unstable; urgency=low + + * Removed libpam0g's preinst check for full paths in the pam.d files, + this should really be a lintian check at build (i think the old libpam + could not work like this, but hey...things change for the better some + times. This PAM works fine like that). closes: #45001 + +NOTE: Debian packages should not reference modules by the full path + so they don't break if I ever decide to move the modules to a different + default directory. Only the admin should reference full paths and only + for locally installed modules. I have submitted a request to check for + this in lintian along with a few other devious things. + * debian/patches/008_pam_mkhomedir: Fix title of sgml doc + * modules/pam_userdb/Makefile: added patch for building against glibc 2.0 + (request from Roman Hodek), closes: #45064 + + -- Ben Collins Tue, 14 Sep 1999 06:12:34 -0400 + +pam (0.69-4) unstable; urgency=low + + * Link all dynamic modules with libpam. For some reason, alpha doesn't + like it when we don't + + -- Ben Collins Mon, 13 Sep 1999 06:01:40 -0400 + +pam (0.69-3) unstable; urgency=low + + * doc/modules/pam_cracklib.sgml: changed to correct path for + cracklib_dict reference. + * modules/pam_env/pam_env.c: now groks bash style env's from + /etc/environment to be compatible with other programs that use it. + * modules/pam_securetty/pam_securetty.c: don't just plain fail when + root isn't allowed to login, fake a password request just like any + good auth module would. 
Keeps us from letting them know that they + are doing something bad :) + * modules/pam_{motd,mkhomedir}: merged these two modules into this + source, also wrote corresponding sgml files for libpam-doc, + closes: #40754 + * debian/control: Moved libpam0g, libpam-modules and libpam-runtime + to base with required priority since login depends on them and + policy will require this + + -- Ben Collins Sat, 11 Sep 1999 08:06:02 -0400 + +pam (0.69-2) unstable; urgency=low + + * Modified build so that it uses libs and headers in the build tree + rather than on the local system. This involved changint the build + order slightly and should make it easier to compile on new archs. + * Modified pam_limits so that it was invoked during pam_sm_setcred() + instead of during pam_sm_session_open() so that it will work with + shadow's su. + * Fixed missing symbols in libpam.so, they were caused by it thinking + it was supposed to have static modules built in. + * Fixed problem where libpam was getting built with -DDEBUG + * pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640 + instead of 0.0 and 0600 + * unix_chkpwd: fix it not being sgid shadow + + -- Ben Collins Thu, 9 Sep 1999 13:52:01 -0400 + +pam (0.69-1) unstable; urgency=low + + * New upstream source + - Now with a new and improved pam_unix module, closes: #38631 + - Lot's of documentation cleanups + * Converted build system to dbs (doogie's build system, aka Adam Heath) + * Fixed libpam.so compilation so that it did not link with any of the + modules (this was causing lot's of problems, closes; #43913, #40739 + * modules/pam_ftp/pam_ftp.c: Fixed sizeof, to use strlen, + closes: #44054, #41845, #44142, #39129, #39871, #44412 + * Postscript pages are now generated correctly, closes: #41608 + * Moved to FHS compliance (including use of debhelper 2.0.40), + this also raises the policy version to 3.0.1.1 + * Don't check the paths in /etc/pam.d files anymore. 
This is old + and causes nothing but complaints, closes: #39747 + * Build libpam0g-dbg with debuggable static and shared libraries, also + enabled the internal DEBUG_REL compile flag for these so that the + debugging messages will also be output + + -- Ben Collins Tue, 7 Sep 1999 17:45:20 -0400 + +pam (0.66-10) unstable; urgency=low + + * Added ability for pam_env to parse /etc/environment and updated + docs to reflect it + * Applied patch for pwdb_chkpwd man page, closes: #38976 + * Merged pam_unix_*.so modules into one pam_unix.so with symlinks + for backward compatibility. This helps centralize this module the + same way the pam_pwdb.so is and the way pam_unix.so is on other + operating systems (commercial ones specifically). + * Closed by pam-apps upload, closes: #38632 + * Fixed `sgml2latex' syntax, closes: #39119 + * Added doc-base support, closes: #37627 + + -- Ben Collins Wed, 16 Jun 1999 01:20:23 -0400 + +pam (0.66-9.1) unstable; urgency=low + + * SPARC NMU to fix chown symbols when compiling with glibc 2.1.1 + + -- Ben Collins Tue, 11 May 1999 13:33:33 +0000 + +pam (0.66-9) unstable; urgency=low + + * Changed the debian/rules to not mess with the library symlinks (ie + running ldconfig in the lib dir) and all is well, closes: #36169 + + -- Ben Collins Sun, 18 Apr 1999 09:09:51 -0400 + +pam (0.66-8) unstable; urgency=low + + * Compiled with libpam_client.so now (seperate lib in libpam0g) + * Made regex for libpam0g postinst a little more specific so it + didn't flag false problems. 
closes: #34626 + * Applied patch to fix pam_ftp, closes: #35388 + * Modified pam_mail and pam_lastlog to honor PAM_SILENT in order to + enable apps to use hushlogin/PAM_SILENT + * Fixed problem with libpam_client.so being static + + -- Ben Collins Mon, 15 Mar 1999 20:54:23 -0500 + +pam (0.66-7) unstable; urgency=low + + * Fixed XCASE in pam_filter.c (not really in glibc 2.1 by default) + + -- Ben Collins Sat, 6 Mar 1999 18:46:56 -0500 + +pam (0.66-6) unstable; urgency=low + + * Removed empty /lib/security/ from libpam0g (is created in + libpam-runtime) + * Added a depends for libpam-runtime to libpam0g (was supposed to be + there, must have deleted it) + * Removed empty /usr/bin from libpam-runtime (old directory where + upperLOWER was) + + -- Ben Collins Wed, 24 Feb 1999 13:14:25 -0500 + +pam (0.66-5) unstable; urgency=low + + * Removed harcoded libc6 dependency from libpam0g-dev and changed it to + libc6-dev. closes: #33615 + * Added md5 flag for pam_unix_passwd.so + * Removed upperLOWER program since it is just an example. Moved it's + source to the examples directory in libpam-modules + * Fixed documentation of pam_strerror() and examples. closes #31142 + * Made pam_unix_passwd.so leave /etc/shadow mode 640 and root.shadow + after changes + * Fixed problem in pam_unix_auth that didn't let you su from a normal + user to another normal user (ie. neither one was root) + * Closing misc fixed bugs. closes #32809, #32274 (have been fixed, + just need closing) + * Tested lockvc with pam support, works for normal users (pam_pwdb) + closes: #31150 + * Changed /var/log/wtmp in pam_lastlog docs to reflect correct + /var/log/lastlog file. closes: #26544 + * Added -ldl to libpam.so, so apps don't have to + + -- Ben Collins Fri, 19 Feb 1999 18:47:30 -0500 + +pam (0.66-4) unstable; urgency=low + + * Changed pwdb_chkpwd to sgid shadow instead of suid root since it only + needs read permissions to /etc/shadow and not write. 
+ * Moved a lot of files arouns to get rid of libpam-runtime dependencies + * Put libpam-pwdb into it's own package + * Removed -lpwdb links for modules since libpwdb is somewhat buggy (or + alteast it's interaction with libpam is) + * Fixed bug in pam_unix_passwd.so that caused it to never authenticate + the correct passwd, making it so you couldn't change the passwd + + -- Ben Collins Tue, 16 Feb 1999 15:50:28 -0500 + +pam (0.66-3) unstable; urgency=low + + * Fixed defaults in /etc/pam.d/other to be pam_unix_*.so modules instead + of the accidental pam_pwdb.so module + * Fixed suid of pwdb_chkpwd (had to move dh_fixperms after + dh_suidregister) + * Added Replaces: libpam0g-util in order to help dpkg upgrade from + older packages + * Applied glibc 2.1 patch from Christian Meder. closes: #32809 + * Moved libpam-doc to Section doc. closes: #32274 + + -- Ben Collins Fri, 12 Feb 1999 02:01:43 -0500 + +pam (0.66-2) unstable; urgency=low + + * Removed all of the versioned module stuff. Modules are now in + /lib/security and stay there. Seems after discussion, that modules may + not change as often as thought + * Fixed suidregister for pwdb_chkpwd + * Fixed incomplete descriptions in control file + * This is a kludge to close some bugs since the last upload was yanked + before being installed in the archive, closes: #16882, #30862, #7725, + #10234, #10406, #12210, #14291, #15528, #15529, #20660, #25330, + #29868, #31088, #31128, #9131, #9919, #19383, #5132, #14533, #25915, + #28075, #31548, #31191 + + -- Ben Collins Tue, 2 Feb 1999 12:47:25 -0500 + +pam (0.66-1) unstable; urgency=low + + * New maintainer + * New upstream release. closes: #16882, #30862, #7725 + * Created a better split of the main lib and the runtime to kill the + circular dependencies and make it possible to have two .so version of + the library installed for upgrades. closes: #10234, #10406, #12210, + bug #14291, #15528, #15529, #20660, #25330, #29868, #31088, #31128, + bug #9131, #9919. 
+ * Harcoded modules directory prefixed with the .so version, and + used alternatives to create the symlink to the 'default' modules + directory. libpam will use the full path when specified, but use the + versioned modules directory for relative names. + * Put libpam0g-cracklib modules back in (own package). This means that + cracklib support is _not_ in the static libpam.a, also cracklib + support is _not_ in pam_unix_passwd.o, but only in pam_cracklib.so + by itself. + * Fixed a few typos in the source causing compile errors + * Fixed source #include's so that pam _didn't_ have to be installed + in order to compile the source ( changed from <> to "" ) + * Removed empty directories from built packages + * Opted not to build examples, only going to put *.c files in examples + directory for libpam0g-dev + * Moved *.sgml files for modules into their own directory (looks like + that is what the original maintainer wanted to do, but it didn't go) + * Moved doc build to arch-indep build in rules so that it doesn't get + built when specifying -B with debuild/dpkg-buildpackage. + * Moved `touch .quiet...' to build-stamp in order to have -B builds not + ask about pam.conf + * Split out non-standard modules to their own package, so as to make the + base install smaller (planning for base inclusion here) + * Created small manpage for pwdb_chkpwd. closes: #10941 + * The Copright file in /usr/doc/*/ was already named copright and not + compressed. closes: #14533 + * Package is now lintian clean. closes #19383, #5132 + * There is a maintainer now and the patch for #25915 is still included + so.... closes: #25915 + * Added check for editor backup files in /etc/pam.d (*~). closes: #28075 + * Applied patch for md5.h in pam_pwdb module. closes: #31548 + * Added support for dhelp in libpam-doc. 
closes: #31191 + + -- Ben Collins Wed, 20 Jan 1999 07:09:15 -0500 + +pam (0.65-0.8) frozen unstable; urgency=high + + * Marked PAM as orphaned, given that there has been no maintainer upload + in almost two years. + * [defs/debian.defs] Removed superflous cracklib2 dependency. + (Urgent as cracklib still has release-critical bugs). + (Fixes #30862). + + -- J.H.M. Dassen (Ray) Wed, 20 Jan 1999 09:34:35 +0100 + +pam (0.65-0.7) frozen unstable; urgency=high + + * Fixed security vulnerability in the pam_unix and pam_tally modules + (reported by Michal Zalewski on bugtraq; patch + A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin). + + -- J.H.M. Dassen (Ray) Tue, 29 Dec 1998 16:20:18 +0100 + +pam (0.65-0.6) unstable; urgency=high + + * Fixed distribution of files over the various packages, which was + severely messed up. + * Added appropriate Replaces: to ensure upgrading from both the hamm + version and previous slink versions. + * Fixed debug libraries, PAM module loading. + * Added examples. + * Added a "pam-undocumented" manpage pointing to libpam-doc, and + made links for functions without a manpage to that. + + -- J.H.M. Dassen (Ray) Sun, 11 Oct 1998 19:29:40 +0200 + +pam (0.65-0.5) unstable; urgency=low + + * Rewritten the preinst warning text (it still mentioned the search path). + + -- J.H.M. Dassen (Ray) Fri, 9 Oct 1998 14:23:18 +0200 + +pam (0.65-0.4) unstable; urgency=high + + * It looks like I misunderstood DEFAULT_MODULE_PATH: Linux-PAM does not + currently seem to be easily configured to look for modules in more than + one directory. With this version, it's configured to look only in + /lib/security . + + -- J.H.M. Dassen (Ray) Fri, 9 Oct 1998 11:43:34 +0200 + +pam (0.65-0.3) unstable; urgency=medium + + * Moving the PAM modules to /lib/security broke netatalk. + Added a preinst script to detect /etc/pam.d files with explicit paths to + PAM modules, give a warning about them, and offer to abort the install + (Fixes #27514). + + -- J.H.M. 
Dassen (Ray) Tue, 6 Oct 1998 20:10:43 +0200 + +pam (0.65-0.2) unstable; urgency=low + + * Argh. The tools didn't recognise -0.1 as a new upstream release, so + my previous upload was rejected due to a missing .orig.tar.gz . + + -- J.H.M. Dassen (Ray) Sun, 4 Oct 1998 17:15:09 +0200 + +pam (0.65-0.1) experimental; urgency=low + + * New upstream version. + * Non-maintainer upload. + * Major package overhaul; now uses debhelper. + * In experimental for now. *Please* provide feedback; if the feedback is + positive, we can put this in slink. + * Dropped libc5 support. + * [libpam/pam_static.c] Fixed compilation: "pamh" was undefined; use "NULL". + is this the correct fix? + * [defs/debian.defs] New. + * [Makefile] + * Exit when a make in a subdirectory fails. + * Compile statically too. + * New variables: LC, LP, LPLIBS, DEFAULT_MODULE_PATH . + * [libpam/Makefile] + * Use DEFAULT_MODULE_PATH if nonempty. + * Link libpam against LPLIBS. + * [modules/*/Makefile] + * Link the dynamic security objects against libpam and libc + (LP and LC). + * [modules/pam_pwdb/Makefile] + * Link dynamic security objects against libcrypt and libnsl. + * [conf/install_conf] Allow for non-interactive install (as the other + install_conf scripts already did). + * Automatically determine the list of /etc/security/* conffiles. + * Moved libpam to /lib, and PAM modules to /lib/security as they will + become part of the base system in the future. + * Built without cracklib support, to keep the base system smaller. + * /sbin/pwdb_chkpwd is undocumented, as is upperLOWER. + + -- J.H.M. Dassen (Ray) Fri, 2 Oct 1998 20:23:27 +0200 + +pam (0.57b-0.4) unstable; urgency=high + + * Non maintainer upload + My previous upload had removed the libc5 stuff from the controlfile + messing up things. Change 'Architecture: any' to 'i386 m68k' for those + .deb's instead. 
+ + -- Turbo Fredriksson Thu, 20 Aug 1998 20:06:50 -0400 + +pam (0.57b-0.3) unstable; urgency=high + + * Non maintainer upload + On a glibc2.1 system, XCASE is only defined in the + _IF_ '__USE_MISC' or '__USE_UNIX98' is defined. + + -- Turbo Fredriksson Sun, 16 Aug 1998 22:13:45 -0400 + +pam (0.57b-0.2) unstable; urgency=high + + * Yet another non-maintainer release. + * Zero changes; simply a re-upload due to a rm-trigger happy release + ``manager''. + + -- James Troup Tue, 17 Mar 1998 19:55:16 +0100 + +pam (0.57b-0.1) unstable; urgency=medium + + * Non-maintainer release. + * debian/control (Standards-Version): Updated to 2.4.0.0. + * debian/control (libpam0g-dev): Also conflict with libpam-dbg. + * debian/postinst: use case statement instead of if. + * debian/rules (COMPAT_ARCHES): removed sparc. + * debian/rules (binary-libc6-dev, binary-libc5-altdev): strip static libraries with + --strip-debug, not --strip-unneeded. + * debian/rules: each package now has it's own doc directory under + /usr/doc/, containing at least the copyright file (Policy 5.6). + * debian/rules: install files with `install -m 644' not `cp -p' to avoid + read-only files. + * debian/rules (binary-libc6-util): strip /usr/lib/*/security/*.so with + --strip-unneeded. + * debian/rules (binary-libc5-util): ditto. + * debian/rules (binary-libc5): don't depend on binary-libc5. + + -- James Troup Sat, 7 Mar 1998 18:04:19 +0100 + +pam (0.57b-0) unstable; urgency=medium + + * Non-maintainer release. + * New upstream version. + * Doesn't use pristine upstream source as the upstream tar ball is broken. + * Added libc6 libraries libpam0g, libpam0g-dev, libpam0g-dbg and + libpam0g-util. [#11697] + * libpam-dev becomes libpam0-altdev, libpam-util -> libpam0-altutil and + libpam-dbg is removed. + * libpam0 depends on libpam0g because libpam0g contains the pam conffile. + * libpam0-util depends on libpam0g-util because libpam0g contains the binary. + * Compiled with -D_REENTRANT and link with -lc. 
+ * Fixed permissions on shared libraries. + * Corrected syntax of /etc/pam.d/other. [#10497, #10758, #12030] + * Fixed typos in postinst. [#10474, #11365] + * Made /etc/pam.conf a conffile. + * Updated URL in copyright file. + * Removed over-zelaously installed README* files from libpam-doc. + + -- James Troup Sat, 22 Nov 1997 17:54:30 +0100 + +pam (0.56-2) unstable; urgency=low + + * Added /etc/pam.d/other with policy 'deny'. + * Add manual pages for PAM security modules. + + -- Klee Dienes Sat, 15 Mar 1997 22:33:22 -0500 + +pam (0.56-1) unstable; urgency=low + + * New upstream release. + * Converted to new packaging format. + * Reorganization of package structure (-dev, -dbg, etc). + + -- Klee Dienes Sat, 8 Mar 1997 01:21:17 -0500 + --- pam-1.1.8.orig/debian/changelog.old +++ pam-1.1.8/debian/changelog.old @@ -0,0 +1,13 @@ +pam (0.50-1) unstable; urgency=low + + * added Debian GNU/Linux package maintenance system files. + * changes to the installation procedure to fit the Debian packaging + system ($PREFIX handling, unconditionally install configuration files, + don't run ldconfig after installing the shared libraries). + * added documentation in the extradoc directory + * commented out all unused entries in etc/pam.conf, etc/secure/group.conf + and etc/secure/time.conf + + -- Patrick Weemeeuw + + --- pam-1.1.8.orig/debian/clean +++ pam-1.1.8/debian/clean @@ -0,0 +1,3 @@ +debian/local/pam_getenv.8 +debian/libpam0g-dev.links +debian/libpam0g-dev.install --- pam-1.1.8.orig/debian/compat +++ pam-1.1.8/debian/compat @@ -0,0 +1 @@ +9 --- pam-1.1.8.orig/debian/control +++ pam-1.1.8/debian/control 
@@ -0,0 +1,106 @@ +Source: pam +Section: libs +Priority: optional +Uploaders: Sam Hartman , Roger Leigh +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Steve Langasek +Standards-Version: 3.9.1 +Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 8.9.4), quilt (>= 0.48-1), flex, libfl-dev, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config +Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m +Build-Conflicts-Indep: fop +Build-Conflicts: libdb4.2-dev, libxcrypt-dev +Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu +Homepage: http://pam.sourceforge.net/ + +Package: libpam0g +Priority: required +Architecture: any +Multi-Arch: same +Replaces: libpam0g-util +Depends: ${shlibs:Depends}, ${misc:Depends} +Pre-Depends: ${misc:Pre-Depends} +Suggests: libpam-doc +Description: Pluggable Authentication Modules library + Contains the shared library for Linux-PAM, a library that enables the + local system administrator to choose how applications authenticate users. + In other words, without rewriting or recompiling a PAM-aware application, + it is possible to switch between the authentication mechanism(s) it uses. + One may entirely upgrade the local authentication system without touching + the applications themselves. + +Package: libpam-modules +Section: admin +Priority: required +Architecture: any +Multi-Arch: same +Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam0g (>= 1.1.3-2), + libpam-modules-bin (= ${binary:Version}) +Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask +Replaces: libpam0g-util, libpam-umask +Recommends: update-motd +Provides: libpam-motd, libpam-mkhomedir, libpam-umask +Description: Pluggable Authentication Modules for PAM + This package completes the set of modules for PAM. It includes the + pam_unix.so module as well as some specialty modules. 
+ +Package: libpam-modules-bin +Section: admin +Priority: required +Architecture: any +Multi-Arch: foreign +Depends: ${shlibs:Depends}, ${misc:Depends} +Replaces: libpam-modules (<< 1.1.3-8) +Description: Pluggable Authentication Modules for PAM - helper binaries + This package contains helper binaries used by the standard set of PAM + modules in the libpam-modules package. + +Package: libpam-runtime +Section: admin +Priority: required +Architecture: all +Multi-Arch: foreign +Depends: ${misc:Depends}, debconf (>= 1.5.19) | cdebconf, libpam-modules (>= 1.0.1-6) +Replaces: libpam0g-util, libpam0g-dev +Conflicts: libpam0g-util +Description: Runtime support for the PAM library + Contains configuration files and directories required for + authentication to work on Debian systems. This package is required + on almost all installations. + +Package: libpam0g-dev +Section: libdevel +Priority: optional +Architecture: any +Multi-Arch: same +Depends: ${misc:Depends}, libpam0g (= ${binary:Version}), libc6-dev|libc-dev +Provides: libpam-dev +Description: Development files for PAM + Contains C header files and development libraries for libpam, the Pluggable + Authentication Modules, a library that enables the local system + administrator to choose how applications authenticate users. + . + PAM decouples applications from the authentication mechanism, making it + possible to upgrade the authentication system without recompiling or + rewriting the applications. + +Package: libpam-cracklib +Section: admin +Priority: optional +Architecture: any +Multi-Arch: same +Replaces: libpam0g-cracklib, libpam-modules (<< 1.1.0-3) +Depends: ${misc:Depends}, ${shlibs:Depends}, libpam-runtime (>= 1.0.1-6), cracklib-runtime, wamerican | wordlist +Description: PAM module to enable cracklib support + This package includes libpam_cracklib, a PAM module that tests + passwords to make sure they are not too weak during password change. 
+ +Package: libpam-doc +Provides: pam-doc +Section: doc +Priority: optional +Architecture: all +Depends: ${misc:Depends} +Description: Documentation of PAM + Contains documentation (in HTML, ASCII, and PostScript format) for libpam, + the Pluggable Authentication Modules library, a library that enables the + local system administrator to choose how applications authenticate users. --- pam-1.1.8.orig/debian/copyright +++ pam-1.1.8/debian/copyright 
@@ -0,0 +1,67 @@ +This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on +Wed, 23 Sep 1998 20:29:32 +0200. + +It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/ + +Copyright (C) 1994, 1995, 1996 Olaf Kirch, +Copyright (C) 1995 Wietse Venema +Copyright (C) 1995, 2001-2008 Red Hat, Inc. +Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan +Copyright (C) 1996, 1997, 1999 Cristian Gafton +Copyright (C) 1996, 1999 Theodore Ts'o +Copyright (C) 1996 Alexander O. Yuriev +Copyright (C) 1996 Elliot Lee +Copyright (C) 1997 Philip W. Dalrymple +Copyright (C) 1999 Jan Rękorajski +Copyright (C) 1999 Ben Collins +Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek +Copyright (C) 2003, 2005 IBM Corporation +Copyright (C) 2003, 2006 SuSE Linux AG. +Copyright (C) 2003 Nalin Dahyabhai +Copyright (C) 2005-2008 Thorsten Kukuk +Copyright (C) 2005 Darren Tucker + + +Unless otherwise *explicitly* stated the following text describes the +licensed conditions under which the contents of this Linux-PAM release +may be distributed: + +------------------------------------------------------------------------- +Redistribution and use in source and binary forms of Linux-PAM, with +or without modification, are permitted provided that the following +conditions are met: + +1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + +3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. 
+ +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License, in which case the provisions of the GNU +GPL are required INSTEAD OF the above restrictions. (This clause is +necessary due to a potential conflict between the GNU GPL and the +restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. +------------------------------------------------------------------------- + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. --- pam-1.1.8.orig/debian/libpam-cracklib.install +++ pam-1.1.8/debian/libpam-cracklib.install @@ -0,0 +1,2 @@ +lib/*/security/pam_cracklib.so +debian/pam-configs/cracklib usr/share/pam-configs --- pam-1.1.8.orig/debian/libpam-cracklib.lintian-overrides +++ pam-1.1.8/debian/libpam-cracklib.lintian-overrides 
@@ -0,0 +1,5 @@ +# This is afalse positive because it doesn't use any functions that need +# fortifying. Since we know we have hardening turned on globally, suppress +# this. If we ever see this warning again for *other* modules, then we know +# there's a real problem. +libpam-cracklib: hardening-no-fortify-functions lib/*/security/pam_cracklib.so --- pam-1.1.8.orig/debian/libpam-cracklib.manpages +++ pam-1.1.8/debian/libpam-cracklib.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man8/pam_cracklib.8 --- pam-1.1.8.orig/debian/libpam-cracklib.postinst +++ pam-1.1.8/debian/libpam-cracklib.postinst @@ -0,0 +1,9 @@ +#!/bin/sh + +set -e + +if dpkg --compare-versions "$2" lt 1.0.1-6; then + pam-auth-update --package +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-cracklib.prerm +++ pam-1.1.8/debian/libpam-cracklib.prerm @@ -0,0 +1,9 @@ +#!/bin/sh + +set -e + +if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then + pam-auth-update --package --remove cracklib +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-doc.doc-base.admin-guide +++ pam-1.1.8/debian/libpam-doc.doc-base.admin-guide @@ -0,0 +1,14 @@ +Document: pam-admin-guide +Title: The Linux-PAM System Administrators' Guide +Author: Andrew G. Morgan +Abstract: This manual documents what a system administrator needs to know + about the Linux-PAM library. It covers the correct syntax of the PAM + configuration file and discusses strategies for maintaining a secure system. +Section: System/Administration + +Format: HTML +Index: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html +Files: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html /usr/share/doc/libpam-doc/html/sag-*.html + +Format: text +Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz --- pam-1.1.8.orig/debian/libpam-doc.doc-base.applications-guide +++ pam-1.1.8/debian/libpam-doc.doc-base.applications-guide 
@@ -0,0 +1,17 @@ +Document: pam-applications-guide +Title: The Linux-PAM Application Developers' Guide +Author: Andrew G. Morgan +Abstract: This manual documents what an application developer needs to know + about the Linux-PAM library. It describes how an application might use + the Linux-PAM library to authenticate users. In addition it contains a + description of the funtions to be found in libpam_misc library, that can + be used in general applications. Finally, it contains some comments on PAM + related security issues for the application developer. +Section: Programming + +Format: HTML +Index: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html +Files: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html /usr/share/doc/libpam-doc/html/adg*.html + +Format: text +Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_ADG.txt.gz --- pam-1.1.8.orig/debian/libpam-doc.doc-base.modules-guide +++ pam-1.1.8/debian/libpam-doc.doc-base.modules-guide @@ -0,0 +1,14 @@ +Document: pam-modules-guide +Title: The Linux-PAM Module Writers' Guide +Author: ndrew G. Morgan +Abstract: This manual documents what a programmer needs to know in order to + write a module that conforms to the Linux-PAM standard. It also discusses + some security issues from the point of view of the module programmer. +Section: Programming + +Format: HTML +Index: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html +Files: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html /usr/share/doc/libpam-doc/html/mwg*.html + +Format: text +Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_MWG.txt.gz --- pam-1.1.8.orig/debian/libpam-doc.install +++ pam-1.1.8/debian/libpam-doc.install @@ -0,0 +1,3 @@ +debian/tmp/usr/share/doc/Linux-PAM/*.html usr/share/doc/libpam-doc/html +debian/tmp/usr/share/doc/Linux-PAM/*.txt usr/share/doc/libpam-doc/txt + --- pam-1.1.8.orig/debian/libpam-modules-bin.install +++ pam-1.1.8/debian/libpam-modules-bin.install 
@@ -0,0 +1,8 @@ +sbin/unix_chkpwd sbin +sbin/unix_update sbin +sbin/pam_tally sbin +sbin/pam_tally2 sbin +sbin/mkhomedir_helper sbin +sbin/pam_timestamp_check usr/sbin +sbin/pam_extrausers_chkpwd sbin +sbin/pam_extrausers_update sbin --- pam-1.1.8.orig/debian/libpam-modules-bin.lintian-overrides +++ pam-1.1.8/debian/libpam-modules-bin.lintian-overrides @@ -0,0 +1,6 @@ +# yes, we know it's sgid, that's the whole point... +libpam-modules-bin: setgid-binary sbin/unix_chkpwd 2755 root/shadow +# these manpages are in libpam-modules as they document both the module and +# the helper binary +libpam-modules-bin: binary-without-manpage sbin/pam_tally +libpam-modules-bin: binary-without-manpage sbin/pam_tally2 --- pam-1.1.8.orig/debian/libpam-modules-bin.manpages +++ pam-1.1.8/debian/libpam-modules-bin.manpages @@ -0,0 +1,3 @@ +debian/tmp/usr/share/man/man8/mkhomedir_helper.8 +debian/tmp/usr/share/man/man8/unix_*.8 +debian/tmp/usr/share/man/man8/pam_timestamp_check.8 --- pam-1.1.8.orig/debian/libpam-modules.examples +++ pam-1.1.8/debian/libpam-modules.examples @@ -0,0 +1,2 @@ +modules/pam_filter/upperLOWER/*.c + --- pam-1.1.8.orig/debian/libpam-modules.install +++ pam-1.1.8/debian/libpam-modules.install @@ -0,0 +1,3 @@ +etc/security/* etc/security +lib/*/security/*.so +debian/pam-configs/mkhomedir usr/share/pam-configs/ --- pam-1.1.8.orig/debian/libpam-modules.lintian-overrides +++ pam-1.1.8/debian/libpam-modules.lintian-overrides 
@@ -0,0 +1,13 @@ +# These are false positives because they don't use any functions that need +# fortifying. Since we know we have hardening turned on globally, suppress +# them. If we ever see this warning again for *other* modules, then we know +# there's a real problem. +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_echo.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_filter.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_group.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_limits.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_shells.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_tally.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_tally2.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_time.so +libpam-modules: hardening-no-fortify-functions lib/*/security/pam_wheel.so --- pam-1.1.8.orig/debian/libpam-modules.manpages +++ pam-1.1.8/debian/libpam-modules.manpages @@ -0,0 +1,3 @@ +debian/tmp/usr/share/man/man8/pam_*.8 +debian/tmp/usr/share/man/man5/*conf.5 +debian/update-motd.5 --- pam-1.1.8.orig/debian/libpam-modules.postinst +++ pam-1.1.8/debian/libpam-modules.postinst 
@@ -0,0 +1,40 @@ +#!/bin/sh -e + +# If the user has removed the config file, respect this sign of dementia +# -- only create on package install. + +if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.99.7.1-3 +then + if ! [ -f /etc/security/opasswd ]; then + umask 066 + touch /etc/security/opasswd + umask 022 + fi +fi + +if dpkg --compare-versions "$2" lt 0.99.9.0-1 && ! [ -f /etc/environment ] +then + touch /etc/environment +fi + +# Add PATH to /etc/environment if it's not present there or in +# /etc/security/pam_env.conf +if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 1.1.8-3.2ubuntu2.3; then + if ! grep -qs ^PATH /etc/security/pam_env.conf; then + if ! grep -qs ^PATH= /etc/environment; then + echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"' >> /etc/environment + elif ! grep -qs "^PATH=.*/snap/bin" /etc/environment; then + sed -i '/^PATH="/ s,"$,:/snap/bin",g' /etc/environment + fi + fi +fi + +if dpkg --compare-versions "$2" lt-nl 1.1.2-1 \ + && grep -q 'pam_unix.*\bmin=[0-9]\+' /etc/pam.d/common-password +then + echo "'min=' option to pam_unix is obsolete." + echo "replacing with 'minlen=' in /etc/pam.d/common-password." + sed -i -e'/pam_unix/ s/\bmin=/minlen=/' /etc/pam.d/common-password +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-modules.preinst +++ pam-1.1.8/debian/libpam-modules.preinst @@ -0,0 +1,16 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +if dpkg --compare-versions "$2" lt-nl 1.1.3-2; then + db_version 2.0 + + if pidof xscreensaver xlockmore >/dev/null; then + db_input critical libpam-modules/disable-screensaver || true + db_go || true + fi +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-modules.templates +++ pam-1.1.8/debian/libpam-modules.templates 
@@ -0,0 +1,9 @@ +Template: libpam-modules/disable-screensaver +Type: error +_Description: xscreensaver and xlockmore must be restarted before upgrading + One or more running instances of xscreensaver or xlockmore have been + detected on this system. Because of incompatible library changes, the + upgrade of the libpam-modules package will leave you unable to + authenticate to these programs. You should arrange for these programs + to be restarted or stopped before continuing this upgrade, to avoid + locking your users out of their current sessions. --- pam-1.1.8.orig/debian/libpam-runtime.dirs +++ pam-1.1.8/debian/libpam-runtime.dirs @@ -0,0 +1 @@ +/var/lib/pam --- pam-1.1.8.orig/debian/libpam-runtime.install +++ pam-1.1.8/debian/libpam-runtime.install @@ -0,0 +1,7 @@ +debian/local/pam.conf etc +debian/local/other etc/pam.d +debian/local/common-* usr/share/pam +debian/local/pam_getenv usr/sbin +debian/tmp/usr/share/locale usr/share +debian/local/pam-auth-update usr/sbin +debian/pam-configs/unix usr/share/pam-configs/ --- pam-1.1.8.orig/debian/libpam-runtime.links +++ pam-1.1.8/debian/libpam-runtime.links @@ -0,0 +1 @@ +usr/share/man/man7/PAM.7.gz usr/share/man/man7/pam.7.gz --- pam-1.1.8.orig/debian/libpam-runtime.lintian-overrides +++ pam-1.1.8/debian/libpam-runtime.lintian-overrides @@ -0,0 +1,9 @@ +# deliberate. +libpam-runtime: no-debconf-config +# this warning is just plain crack, there's no reason that using debconf +# outside of a maintainer script implies an error. +libpam-runtime: debconf-is-not-a-registry usr/sbin/pam-auth-update +# this warning is wrong for debconf error templates +libpam-runtime: postinst-uses-db-input +# meh. +libpam-runtime: using-first-person-in-templates libpam-runtime/you-had-no-auth --- pam-1.1.8.orig/debian/libpam-runtime.manpages +++ pam-1.1.8/debian/libpam-runtime.manpages 
@@ -0,0 +1,5 @@ +debian/tmp/usr/share/man/man5/pam.conf.5 +debian/tmp/usr/share/man/man5/pam.d.5 +debian/tmp/usr/share/man/man8/PAM.8 +debian/local/pam_getenv.8 +debian/local/pam-auth-update.8 --- pam-1.1.8.orig/debian/libpam-runtime.postinst +++ pam-1.1.8/debian/libpam-runtime.postinst @@ -0,0 +1,45 @@ +#!/bin/sh -e + +. /usr/share/debconf/confmodule + +calculate_md5sum() +{ + configfile="$1" + sed -n -e'1,/# here are the per-package modules (the "Primary" block)/p; + /# here.s the fallback if no module succeeds/,/# and here are more per-package modules (the "Additional" block)/p; + /# end of pam-auth-update config/,$p' \ + /etc/pam.d/"$configfile" | md5sum | awk '{ print $1 }' +} + +# If the user has removed the config file, respect this sign of dementia +# -- only create on package install. +force= +if [ -z "$2" ] || dpkg --compare-versions "$2" lt 1.0.1-11 +then + force=--force + for configfile in common-auth common-account common-session \ + common-password + do + if [ -f /etc/pam.d/$configfile ] && \ + ! fgrep -q $(calculate_md5sum $configfile) \ + /usr/share/pam/$configfile.md5sums 2>/dev/null + then + force= + fi + done +fi + +pam-auth-update --package $force + +if [ -n "$force" ]; then + rm -f /etc/pam.d/common-auth.pam-old \ + /etc/pam.d/common-account.pam-old \ + /etc/pam.d/common-password.pam-old \ + /etc/pam.d/common-session.pam-old +elif dpkg --compare-versions "$2" lt-nl 1.1.0-1 \ + && [ ! -e /etc/pam.d/common-session-noninteractive ] +then + cp -a /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-runtime.postrm +++ pam-1.1.8/debian/libpam-runtime.postrm 
@@ -0,0 +1,11 @@ +#!/bin/sh -e + +if [ "$1" = "purge" ]; then + rm -f /etc/pam.d/common-auth /etc/pam.d/common-account \ + /etc/pam.d/common-session /etc/pam.d/common-password + rm -f /var/lib/pam/auth /var/lib/pam/account /var/lib/pam/session \ + /var/lib/pam/password /var/lib/pam/seen + rmdir --ignore-fail-on-non-empty /var/lib/pam +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-runtime.prerm +++ pam-1.1.8/debian/libpam-runtime.prerm @@ -0,0 +1,9 @@ +#!/bin/sh + +set -e + +if [ "$1" = remove ]; then + pam-auth-update --package --remove unix +fi + +#DEBHELPER# --- pam-1.1.8.orig/debian/libpam-runtime.templates +++ pam-1.1.8/debian/libpam-runtime.templates 
@@ -0,0 +1,47 @@ +Template: libpam-runtime/title +Type: title +_Description: PAM configuration + +Template: libpam-runtime/profiles +Type: multiselect +Choices: ${profiles} +Choices-C: ${profile_names} +_Description: PAM profiles to enable: + Pluggable Authentication Modules (PAM) determine how authentication, + authorization, and password changing are handled on the system, as well + as allowing configuration of additional actions to take when starting + user sessions. + . + Some PAM module packages provide profiles that can be used to + automatically adjust the behavior of all PAM-using applications on the + system. Please indicate which of these behaviors you wish to enable. + +Template: libpam-runtime/conflicts +Type: error +#flag:translate!:3 +#flag:comment:2 +# This paragraph is followed by a (currently) non-translatable list of +# PAM profile names. +_Description: Incompatible PAM profiles selected. + The following PAM profiles cannot be used together: + . + ${conflicts} + . + Please select a different set of modules to enable. + +Template: libpam-runtime/override +Type: boolean +Default: false +_Description: Override local changes to /etc/pam.d/common-*? + One or more of the files /etc/pam.d/common-{auth,account,password,session} + have been locally modified. Please indicate whether these local changes + should be overridden using the system-provided configuration. If you + decline this option, you will need to manage your system's + authentication configuration by hand. + +Template: libpam-runtime/no_profiles_chosen +Type: error +_Description: No PAM profiles have been selected. + No PAM profiles have been selected for use on this system. This would grant + all users access without authenticating, and is not allowed. Please select + at least one PAM profile from the available list. --- pam-1.1.8.orig/debian/libpam0g-dev.examples +++ pam-1.1.8/debian/libpam0g-dev.examples 
@@ -0,0 +1,5 @@ +examples/blank.c +examples/check_user.c +examples/vpass.c +examples/xsh.c +libpamc/test/{agents,modules,regress} --- pam-1.1.8.orig/debian/libpam0g-dev.install.in +++ pam-1.1.8/debian/libpam0g-dev.install.in @@ -0,0 +1,2 @@ +usr/include/security/* +lib/@DEB_HOST_MULTIARCH@/*.a usr/lib/@DEB_HOST_MULTIARCH@ --- pam-1.1.8.orig/debian/libpam0g-dev.links.in +++ pam-1.1.8/debian/libpam0g-dev.links.in @@ -0,0 +1,3 @@ +/lib/@DEB_HOST_MULTIARCH@/libpam.so.0 usr/lib/@DEB_HOST_MULTIARCH@/libpam.so +/lib/@DEB_HOST_MULTIARCH@/libpamc.so.0 usr/lib/@DEB_HOST_MULTIARCH@/libpamc.so +/lib/@DEB_HOST_MULTIARCH@/libpam_misc.so.0 usr/lib/@DEB_HOST_MULTIARCH@/libpam_misc.so --- pam-1.1.8.orig/debian/libpam0g-dev.manpages +++ pam-1.1.8/debian/libpam0g-dev.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man3/* --- pam-1.1.8.orig/debian/libpam0g.docs +++ pam-1.1.8/debian/libpam0g.docs @@ -0,0 +1,2 @@ +debian/local/Debian-PAM-MiniPolicy +README --- pam-1.1.8.orig/debian/libpam0g.install +++ pam-1.1.8/debian/libpam0g.install @@ -0,0 +1 @@ +lib/*/lib*.so.* --- pam-1.1.8.orig/debian/libpam0g.lintian-overrides +++ pam-1.1.8/debian/libpam0g.lintian-overrides @@ -0,0 +1,8 @@ +# obvious multilib package false-positive; also the package name hasn't +# changed since the glibc transition, go us! +libpam0g: package-name-doesnt-match-sonames libpam0 libpam-misc0 libpamc0 +# yes, these are deliberately asked in the postinst because the checking +# for daemons to be restarted needs to be done in the postinst and not +# before +libpam0g: no-debconf-config +libpam0g: postinst-uses-db-input --- pam-1.1.8.orig/debian/libpam0g.postinst +++ pam-1.1.8/debian/libpam0g.postinst 
@@ -0,0 +1,228 @@ +#!/bin/sh + +# postinst based heavily on the postinst of libssl0.9.8, courtesy of +# Christoph Martin. + +. /usr/share/debconf/confmodule + +set -e + +# element() is a helper function for file-rc: +element() { + local element list IFS + + element="$1" + + [ "$2" = "in" ] && shift + list="$2" + [ "$list" = "-" ] && return 1 + [ "$list" = "*" ] && return 0 + + IFS="," + set -- $list + case $element in + "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9") + return 0 + esac + return 1 +} + +# filerc (runlevel, service) returns /etc/init.d/service, if service is +# running in $runlevel: +filerc() { + local runlevel basename + runlevel=$1 + basename=$2 + while read LINE + do + case $LINE in + \#*|"") continue + esac + + set -- $LINE + SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4" + [ "$CMD" = "/etc/init.d/$basename" ] || continue + + if element "$runlevel" in "$START" || element "S" in "$START" + then + echo "/etc/init.d/$basename" + return 0 + fi + done < /etc/runlevel.conf + echo "" +} + +installed_services() { + check="$@" + + # Only get the ones that are installed, and configured + check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}') + + # some init scripts don't match the package names + check=$(echo $check | \ + sed -e's/\bapache2-common\b/apache2/g' \ + -e's/\bat\b/atd/g' \ + -e's/\bdovecot-common\b/dovecot/g' \ + -e's/\bdante-server\b/danted/g' \ + -e's/\bexim4-base\b/exim4/g' \ + -e's/\bheartbeat-2\b/heartbeat/g' \ + -e's/\bhylafax-server\b/hylafax/g' \ + -e's/\bpartimage-server\b/partimaged/g' \ + -e's/\bpostgresql-common\b/postgresql/g' \ + -e's/\bsamba\b/smbd/g' \ + -e's/\bsasl2-bin\b/saslauthd/g' \ + ) + + for service in $check; do + idl="/etc/init.d/${service}" + if [ -n "$idl" ] && [ -x $idl ]; then + services="$service $services" + else + echo "WARNING: init script for $service not found." 
>&2 + fi + done + echo "$services" +} + +if [ "$1" = "configure" ] +then + if [ ! -z "$2" ]; then + if dpkg --compare-versions "$2" lt 1.1.3-2; then + db_version 2.0 + + echo -n "Checking for services that may need to be restarted..." + + check="apache2-common at bayonne cherokee courier-authdaemon" + check="$check cron cups" + check="$check dante-server diald dovecot-common exim exim4-base" + check="$check fcron fireflier-server freeradius gdm heartbeat" + check="$check heartbeat-2 hylafax-server iiimf-server inn2" + check="$check kannel linesrv linesrv-mysql lsh-server" + check="$check muddleftpd netatalk nuauth partimage-server" + check="$check perdition pgpool popa3d" + check="$check postgresql-common proftpd pure-ftpd" + check="$check pure-ftpd-ldap pure-ftpd-mysql" + check="$check pure-ftpd-postgresql racoon samba sasl2-bin" + check="$check sfs-server solid-pop3d squid squid3 tac-plus" + check="$check vsftpd wu-ftpd wzdftpd xrdp yardradius yaws" + + if ! who | awk '{print $2}'|grep -q ':[0-9]'; then + check="$check wdm xdm" + fi + + echo "Checking init scripts..." + services=$(installed_services "$check") + if [ -n "$services" ]; then + db_reset libpam0g/restart-services + db_set libpam0g/restart-services "$services" + question_priority="critical" + # Do not prompt when we're running in the upgrade-manager + # and only default services need restarting. 
+ nondefault_services=$(echo "$services" | sed \ + -e's/\batd\b//g' \ + -e's/\bcron\b//g' \ + -e's/\bcups\b//g' \ + -e's/\bgdm\b//g' \ + -e's/\bsmbd\b//g' \ + -e's/^ *//g') + if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] && [ -z "$nondefault_services" ]; then + question_priority="medium" + fi + db_input "$question_priority" libraries/restart-without-asking || true + db_go || true + db_get libraries/restart-without-asking + if [ "$RET" != true ]; then + db_reset libpam0g/restart-services + db_set libpam0g/restart-services "$services" + db_input "$question_priority" libpam0g/restart-services || true + db_go || true + db_get libpam0g/restart-services + + if [ "x$RET" != "x" ] + then + services=$RET + else + services="" + fi + fi + echo + if [ "$services" != "" ]; then + echo "Restarting services possibly affected by the upgrade:" + failed="" + rl=$(runlevel | sed 's/.*\ //') + for service in $services; do + idl="invoke-rc.d ${service}" + + case "$service" in + gdm) + # If gdm isn't running, there's no need to reload it (LP: #745532) + if $idl status | grep -q stop/waiting; then + echo " $service: not running, no reload needed." + continue + fi + + echo -n " $service: reloading..." + if $idl reload > /dev/null 2>&1; then + echo "done." + else + echo "FAILED! ($?)" + failed="$service $failed" + fi + continue + ;; + esac + echo -n " $service: stopping..." + $idl stop > /dev/null 2>&1 || true + sleep 1 + echo -n "starting..." + if $idl start > /dev/null 2>&1; then + echo "done." + else + echo "FAILED! ($?)" + failed="$service $failed" + fi + done + echo + if [ -n "$failed" ]; then + db_subst libpam0g/restart-failed services "$failed" + db_input critical libpam0g/restart-failed || true + db_go || true + else + echo "Services restarted successfully." + fi + echo + fi + else + echo "Nothing to restart." 
+ fi + + if who | awk '{print $2}' | grep -q ':[0-9]'; then + dms="" + for service in wdm xdm; do + case "$services" in + *$service*) ;; + *) dms="$dms $service" + esac + done + services=$(installed_services "$dms") + if [ -n "$services" ]; then + if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] \ + && [ -x /usr/share/update-notifier/notify-reboot-required ] + then + /usr/share/update-notifier/notify-reboot-required + else + db_input critical libpam0g/xdm-needs-restart || true + db_go || true + fi + fi + fi + + # Shut down the frontend, to make sure none of the + # restarted services keep a connection open to it + db_stop + fi # end upgrading and $2 lt 1.1.3-2 + fi # Upgrading +fi + +#DEBHELPER# + --- pam-1.1.8.orig/debian/libpam0g.symbols +++ pam-1.1.8/debian/libpam0g.symbols @@ -0,0 +1,12 @@ +libpam.so.0 libpam0g #MINVER# + *@LIBPAM_1.0 0.99.7.1 + *@LIBPAM_EXTENSION_1.0 0.99.7.1 + *@LIBPAM_EXTENSION_1.1 1.1.0 + *@LIBPAM_EXTENSION_1.1.1 1.1.1 + *@LIBPAM_MODUTIL_1.0 0.99.7.1 + *@LIBPAM_MODUTIL_1.1 0.99.10.0 + *@LIBPAM_MODUTIL_1.1.3 1.1.3 +libpam_misc.so.0 libpam0g #MINVER# + *@LIBPAM_MISC_1.0 0.99.7.1 +libpamc.so.0 libpam0g #MINVER# + *@LIBPAMC_1.0 0.99.7.1 --- pam-1.1.8.orig/debian/libpam0g.templates +++ pam-1.1.8/debian/libpam0g.templates 
@@ -0,0 +1,38 @@ +Template: libpam0g/restart-services +Type: string +_Description: Services to restart for PAM library upgrade: + Most services that use PAM need to be restarted to use modules built for + this new version of libpam. Please review the following space-separated + list of init.d scripts for services to be restarted now, and correct it + if needed. + +Template: libpam0g/xdm-needs-restart +Type: error +_Description: Display manager must be restarted manually + The wdm and xdm display managers require a restart for the new version of + libpam, but there are X login sessions active on your system that would be + terminated by this restart. You will therefore need to restart these + services by hand before further X logins will be possible. + +Template: libpam0g/restart-failed +Type: error +#flag:translate!:3 +_Description: Failure restarting some services for PAM upgrade + The following services could not be restarted for the PAM library upgrade: + . + ${services} + . + You will need to start these manually by running + '/etc/init.d/ start'. + +Template: libraries/restart-without-asking +Type: boolean +Default: false +_Description: Restart services during package upgrades without asking? + There are services installed on your system which need to be restarted + when certain libraries, such as libpam, libc, and libssl, are upgraded. + Since these restarts may cause interruptions of service for the system, + you will normally be prompted on each upgrade for the list of services + you wish to restart. You can choose this option to avoid being prompted; + instead, all necessary restarts will be done for you automatically so you + can avoid being asked questions on each library upgrade. --- pam-1.1.8.orig/debian/local/Debian-PAM-MiniPolicy +++ pam-1.1.8/debian/local/Debian-PAM-MiniPolicy 
@@ -0,0 +1,145 @@ +Author: Ben Collins +Modified by: Sam Hartman , + Steve Langasek + +Objective: To document a base set of policies regarding PAM (Pluggable +Authentication Modules) usage in Debian packages. + +=========================================================================== + +In order to have a consistent and stable implementation across packages +that use PAM, these guidelines will help to avoid some common mistakes and +be usable as a cross reference for FAQ's. + +This document will not go into the details of how to add PAM usage to +existing code; please read the documentation in the libpam-doc package for +info on that. However, it does specify behavior needed to make sure PAM +modules in Debian will work with your application. + +================== + PAM Applications +================== + +Each application that uses PAM also must contain a file in /etc/pam.d/. +This file specifies which PAM modules will be used for the common PAM +functions in that application. There are several notes concerning what +modules to use in this file. Most commonly, this file should use the +@include directive to include common-auth, common-account, and +common-password, and one of either common-session or +common-session-noninteractive. + +The selection of common-session or common-session-noninteractive is based +on whether the service provides "shell-like" interactive capabilities to +the user (e.g.: login, ssh, gdm) or is a non-interactive session or a +session mediated by a structured protocol (e.g.: cron, cups, samba, ppp). +This allows a service to avoid calling some modules, such as +pam_ck_connector, that only make sense in an interactive context and should +be avoided otherwise. It is expected that the modules used for +noninteractive sessions will always be a subset of those used for +interactive sessions. 
+ +Under some circumstances (such as ftp auth, or auth based on tty) other +service-specific modules will need to be listed in the service's /etc/pam.d +file. + +Here is an example of a PAM configuration file that just includes the +common module fragments: + + # + # /etc/pam.d/other - specify the PAM fallback behaviour + # + # Note that this file is used for any unspecified service; for example + #if /etc/pam.d/cron specifies no session modules but cron calls + #pam_open_session, the session module out of /etc/pam.d/other is + #used. If you really want nothing to happen then use pam_permit.so or + #pam_deny.so as appropriate. + + # We fall back to the system default in /etc/pam.d/common-* + # + + @include common-auth + @include common-account + @include common-password + @include common-session + +The name of this file is determined by the call to pam_start() in the +application source code. The first parameter will be a string containing +the "service" name (eg. "login", "httpd", etc..). Please make sure that +the filename coincides with the value of this parameter used in your +application. + +The file should _not_ reference the full path of the modules. It only needs +to reference the basename (eg. "pam_unix.so"). This will ensure that the +program continues to work even if the module location changes, since +libpam itself will resolve the location. + + +Packages which configure their services by default to use modules other than +those provided by /etc/pam.d/common-* must depend on the package providing +those modules. E.g., /etc/pam.d/login includes the line: + + session required pam_limits.so + +therefore it must depend on libpam-modules, which provides +/lib/security/pam_limits.so. + +Applications need to depend on libpam-runtime (>= 0.76-14) to +guarantee that /etc/pam.d/common-* exist. + +Applications that use common-session-noninteractive must depend +on libpam-runtime (>= 1.0.1-11) for this file. 
+ + +The pam_unix.so module allows programs to authenticate the uid of the +calling process without being setuid or setgid. NOTE: this means the user +executing the program; you cannot authenticate other users without suid +root (root makes sure the NIS and NIS+ works too) or at least sgid shadow +(won't work in the above cases). Most notably this affects programs like +apache being able to use PAM since it runs as www-data which has no +privileges and cannot use pam_unix.so to authenticate other users. On the +other hand it does allow programs like vlock to authenticate. + +The application needs to follow the following rules to make sure PAM +modules work: + +1) Use the same PAM handle for all operations. This means it is not OK to +call pam_start once for authentication and then later for session +management. Modules need to be able to store pam_data between entry +points. + +2) The pam_open_session and pam_setcred calls must be made in a parent +process of the eventual session. They need to be able to influence the +environment of the session. + +3) If you are started as root or have root privs for some other reason, +pam_open_session and pam_setcred should be called while still root. + +4) Implied by 1, make sure that pam_close_session and pam_end are called in +the same process or a process descended from the execution context as +pam_open_session and pam_setcred. The pam_close_session call may need +state stored in the handle by the open session entry point to clean up +properly. The pam_end call may need to free data (thus influencing system +state in some cases) allocated in the earlier calls. + + + +============= + PAM Modules +============= + +Separately packaged PAM modules should adhere to a few basic setup rules: + + 1) Packages should use the naming scheme of `libpam-' (eg. + libpam-ldap). + + 2) The modules should be located in the directory of the most recent + libpam-modules (currently /lib/security). + + 3) The module should be named as pam_.so. 
The module should not + contain a version suffix. + + 4) The module should be linked to libpam (-lpam) when compiled so that + proper version dependencies will work. + + 5) Any config files should be located in /etc/security. The filename + will be in the form of .conf. --- pam-1.1.8.orig/debian/local/common-account +++ pam-1.1.8/debian/local/common-account @@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +$account_primary +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +$account_additional +# end of pam-auth-update config --- pam-1.1.8.orig/debian/local/common-account.md5sums +++ pam-1.1.8/debian/local/common-account.md5sums @@ -0,0 +1,2 @@ +9f04221fe44762047894adeb96ffd069 debian/local/common-account +3c0c362eaf3421848b679d63fd48c3fa # 1.0.1-6 - --- pam-1.1.8.orig/debian/local/common-auth +++ pam-1.1.8/debian/local/common-auth 
@@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +$auth_primary +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +$auth_additional +# end of pam-auth-update config --- pam-1.1.8.orig/debian/local/common-auth.md5sums +++ pam-1.1.8/debian/local/common-auth.md5sums @@ -0,0 +1,3 @@ +933d757dcd5974b00619f68955743be7 /etc/pam.d/common-auth +b58d8e0a6cadbf879df94869cca6be98 /etc/pam.d/common-auth +8d4fe17e66ba25de16a117035d1396aa # 1.0.1-6 - --- pam-1.1.8.orig/debian/local/common-password +++ pam-1.1.8/debian/local/common-password 
@@ -0,0 +1,34 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +$password_primary +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +$password_additional +# end of pam-auth-update config --- pam-1.1.8.orig/debian/local/common-password.md5sums +++ pam-1.1.8/debian/local/common-password.md5sums 
@@ -0,0 +1,6 @@ +601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password +e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password +5d518818f1c6c369040b782f7852f53e /etc/pam.d/common-password +9ba753d0824276b44bcadfee1f87b6bc # 1.0.1-4ubuntu5 - 1.0.1-4ubuntu5.5 +4bd7610f2e85f8ddaef79c7db7cb49eb # 1.0.1-6 - 1.1.0-1 +50fce2113dfda83ac8bdd5a6e706caec # 1.0.1-6ubuntu1 - --- pam-1.1.8.orig/debian/local/common-session +++ pam-1.1.8/debian/local/common-session 
@@ -0,0 +1,30 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +$session_primary +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +$session_additional +# end of pam-auth-update config --- pam-1.1.8.orig/debian/local/common-session-noninteractive +++ pam-1.1.8/debian/local/common-session-noninteractive 
@@ -0,0 +1,30 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +$session_nonint_primary +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +$session_nonint_additional +# end of pam-auth-update config --- pam-1.1.8.orig/debian/local/common-session-noninteractive.md5sums +++ pam-1.1.8/debian/local/common-session-noninteractive.md5sums @@ -0,0 +1 @@ +ad2b78ce1498dd637ef36469430b6ac6 # 1.0.1-11 - --- pam-1.1.8.orig/debian/local/common-session.md5sums +++ pam-1.1.8/debian/local/common-session.md5sums 
@@ -0,0 +1,3 @@ +4845c1632b3561a9debe8d59be1b238e /etc/pam.d/common-session +4a25673e8b36f1805219027d3be02cd2 # 1.0.1-4ubuntu5 - 1.0.1-4ubuntu5.5 +240fb92986c885b327cdb21dd641da8c # 1.0.1-6 - --- pam-1.1.8.orig/debian/local/other +++ pam-1.1.8/debian/local/other @@ -0,0 +1,16 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session --- pam-1.1.8.orig/debian/local/pam-auth-update +++ pam-1.1.8/debian/local/pam-auth-update 
@@ -0,0 +1,702 @@ +#!/usr/bin/perl -w + +# pam-auth-update: update /etc/pam.d/common-* from /usr/share/pam-configs +# +# Update the /etc/pam.d/common-* files based on the per-package profiles +# provided in /usr/share/pam-configs/ taking into consideration user's +# preferences (as determined via debconf prompting). +# +# Written by Steve Langasek +# +# Copyright (C) 2008 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of version 3 of the GNU General Public License as +# published by the Free Software Foundation. +# +# # This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +# USA. 
+ +use strict; +use Debconf::Client::ConfModule ':all'; +use IPC::Open2 'open2'; + +version('2.0'); +my $capb=capb('backup escape'); + +my $inputdir = '/usr/share/pam-configs'; +my $template = 'libpam-runtime/profiles'; +my $errtemplate = 'libpam-runtime/conflicts'; +my $overridetemplate = 'libpam-runtime/override'; +my $blanktemplate = 'libpam-runtime/no_profiles_chosen'; +my $titletemplate = 'libpam-runtime/title'; +my $confdir = '/etc/pam.d'; +my $savedir = '/var/lib/pam'; +my (%profiles, @sorted, @enabled, @conflicts, @new, %removals); +my $force = 0; +my $package = 0; +my $priority = 'high'; +my %md5sums = ( + 'auth' => ['8d4fe17e66ba25de16a117035d1396aa'], + 'account' => ['3c0c362eaf3421848b679d63fd48c3fa'], + 'password' => [ + '50fce2113dfda83ac8bdd5a6e706caec', + '4bd7610f2e85f8ddaef79c7db7cb49eb', + '9ba753d0824276b44bcadfee1f87b6bc', + ], + 'session' => [ + '240fb92986c885b327cdb21dd641da8c', + '4a25673e8b36f1805219027d3be02cd2', + '73144a2f4e609a922a51e301cd66a57e', + ], + 'session-noninteractive' => [ + 'ad2b78ce1498dd637ef36469430b6ac6', + 'a20e8df3469bfe25c13a3b39161b30f0', + ], +); + +opendir(DIR, $inputdir) || die "could not open config directory: $!"; +while (my $profile = readdir(DIR)) { + next if ($profile eq '.' || $profile eq '..'); + %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile); +} +closedir DIR; + +# use a '--force' arg to specify that /etc/pam.d should be overwritten; +# used only on upgrades where the postinst has already determined that the +# checksums match. Module packages other than libpam-runtime itself must +# NEVER use this option! Document with big skullses and crossboneses! It +# needs to be exposed for libpam-runtime because that's the package that +# decides whether we have a pristine config to be converted, and knows +# whether the version being upgraded from is one for which the conversion +# should be done. 
+ +while ($#ARGV >= 0) { + my $opt = shift; + if ($opt eq '--force') { + $force = 1; + } elsif ($opt eq '--package') { + $package = 1; + } elsif ($opt eq '--remove') { + while ($#ARGV >= 0) { + last if ($ARGV[0] =~ /^--/); + $removals{shift @ARGV} = 1; + } + # --remove implies --package + $package = 1 if (keys(%removals)); + } +} + +$priority = 'medium' if ($package); + +x_loadtemplatefile('/var/lib/dpkg/info/libpam-runtime.templates','libpam-runtime'); + +# always sort by priority, so we have consistency and don't have to +# shuffle later +@sorted = sort { $profiles{$b}->{'Priority'} <=> $profiles{$a}->{'Priority'} + || $b cmp $a } + keys(%profiles); +# If we're being called for package removal, filter out those options here +@sorted = grep { !$removals{$_} } @sorted; + +subst($template, 'profile_names', join(', ',@sorted)); +subst($template, 'profiles', + join(', ', map { $profiles{$_}->{'Name'} } @sorted)); + +my $diff = diff_profiles($confdir,$savedir); + +if ($diff) { + @enabled = grep { !$removals{$_} } @{$diff->{'mods'}}; +} else { + @enabled = split(/, /,get($template)); +} + +# find out what we've seen, so we can ignore those defaults +my %seen; +if (-e $savedir . '/seen') { + open(SEEN,$savedir . '/seen'); + while () { + chomp; + $seen{$_} = 1; + } + close(SEEN); +} + +# filter out any options that are no longer available for any reason +@enabled = grep { $profiles{$_} } @enabled; + +# an empty module set is an error, so in that case grab all the defaults +if (!@enabled) { + %seen = (); + $priority = 'high' unless ($force); +} + +# add any previously-unseen configs +push(@enabled, + grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted); +@enabled = sort { $profiles{$b}->{'Priority'} <=> $profiles{$a}->{'Priority'} + || $b cmp $a } + @enabled; +my $prev = ''; +@enabled = grep { $_ ne $prev && (($prev) = $_) } @enabled; + +# Do we have any new options to show? 
If not, we shouldn't reprompt the +# user, at any priority level, unless explicitly called. +@new = grep { !$seen{$_} } @sorted; + +settitle($titletemplate); + +# if diff_profiles() fails, and we weren't passed a 'force' argument +# (because this isn't an upgrade from an old version, or the checksum +# didn't match, or we're being called by some other module package), prompt +# the user whether to override. If the user declines (the default), we +# never again manage this config unless manually called with '--force'. +if (!$diff && !$force) { + input('high',$overridetemplate); + go(); + $force = 1 if (get($overridetemplate) eq 'true'); +} + +if (!$diff && !$force) { + print STDERR <= 0; $i--) + { + my $conflict = $enabled[$i]; + if ($profiles{$elem}->{'Conflicts'}->{$conflict}) { + splice(@enabled,$i,1); + my $desc = $profiles{$elem}->{'Name'} + . ', ' . $profiles{$conflict}->{'Name'}; + push(@conflicts,$desc); + } + } + } + if (@conflicts) { + subst($errtemplate, 'conflicts', join("\\n", @conflicts)); + input('high',$errtemplate); + } + set($template, join(', ', @enabled)); + if (!@enabled) { + input('high',$blanktemplate); + # we can only end up here by user error, but give them another + # shot at selecting a correct config anyway. + fset($template,'seen','false'); + } +} while (@conflicts || !@enabled); + +# the decision has been made about what configs to use, so even if +# something fails after this, we shouldn't go munging the default +# options again. Save the list of known configs to /var/lib/pam. 
+open(SEEN,"> $savedir/seen"); +for my $i (@sorted) { + print SEEN "$i\n"; +} +close(SEEN); + +# @enabled now contains our list of profiles to use for piecing together +# a config +# we have: +# - templates into which we insert the specialness +# - magic comments denoting the beginning and end of our managed block; +# looking at only the functional config lines would potentially let us +# handle more cases, at the expense of much greater complexity, so +# pass on this at least for the first round +# - a representation of the autogenerated config stored in /var/lib/pam, +# that we can diff against in order to account for changed options or +# manually dropped modules +# - a hash describing the local modifications the user has made to the +# config; these are always preserved unless manually overridden with +# the --force option + +write_profiles(\%profiles, \@enabled, $confdir, $savedir, $diff, $force); + + +# take a single line from a stock config, and merge it with the +# information about local admin edits +sub merge_one_line +{ + my ($line,$diff,$count) = @_; + my (@opts,$modline); + + my ($adds,$removes); + + $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/; + + @opts = split(/\s+/,$3); + $modline = $1; + $modline =~ s/end/$count/g; + if ($diff) { + my $mod = $modline; + $mod =~ s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g; + $adds = \%{$diff->{'add'}{$mod}}; + $removes = \%{$diff->{'remove'}{$mod}}; + } else { + $adds = $removes = undef; + } + + for (my $i = 0; $i <= $#opts; $i++) { + if ($adds->{$opts[$i]}) { + delete $adds->{$opts[$i]}; + } + if ($removes->{$opts[$i]}) { + splice(@opts,$i,1); + $i--; + } + } + return $modline . " " . join(' ',@opts,sort keys(%{$adds})) . "\n"; +} + +# return the lines for a given config name, type, and position in the stack +sub lines_for_module_and_type +{ + my ($profiles, $mod, $type, $modpos) = @_; + if ($modpos == 0 && $profiles->{$mod}{$type . '-Initial'}) { + return $profiles->{$mod}{$type . 
'-Initial'}; + } + return $profiles->{$mod}{$type}; +} + +# create a single PAM config from the indicated template and selections, +# writing to a new file +sub create_from_template +{ + my($template,$dest,$profiles,$enabled,$diff,$type) = @_; + my $state = 0; + my $uctype = ucfirst($type); + $type =~ s/-noninteractive//; + + open(INPUT,$template) || return 0; + open(OUTPUT,">$dest") || return 0; + + while () { + if ($state == 1) { + if (/^# here's the fallback if no module succeeds/) { + print OUTPUT; + $state++; + } + next; + } + if ($state == 3) { + if (/^# end of pam-auth-update config/) { + print OUTPUT; + $state++; + } + next; + } + + print OUTPUT; + + my ($pattern,$val); + if ($state == 0) { + $pattern = '^# here are the per-package modules \(the "Primary" block\)'; + $val = 'Primary'; + } elsif ($state == 2) { + $pattern = '^# and here are more per-package modules \(the "Additional" block\)'; + $val = 'Additional'; + } else { + next; + } + + if (/$pattern/) { + my $i = 0; + my $count = 0; + # first we need to get a count of lines that we're + # going to output, so we can fix up the jumps correctly + for my $mod (@{$enabled}) { + my $output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if $profiles->{$mod}{$uctype . '-Type'} ne $val; + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + # bypasses a perl warning about @_, sigh + my @tmparr = split("\n+",$output); + $count += @tmparr; + } + + # in case anything tries to jump in the 'additional' + # block, let's try not to jump off the stack... + $count-- if ($val eq 'Additional'); + + # no primary block, so output a stock pam_permit line + # to keep the stack intact + if ($val eq 'Primary' && $count == 0) + { + print OUTPUT "$type\t[default=1]\t\t\tpam_permit.so\n"; + } + + $i = 0; + for my $mod (@{$enabled}) { + my $output; + my @output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if $profiles->{$mod}{$uctype . 
'-Type'} ne $val; + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + for my $line (split("\n",$output)) { + $line = merge_one_line($line,$diff, + $count); + print OUTPUT "$type\t$line"; + $count--; + } + } + $state++; + } + } + close(INPUT); + close(OUTPUT); + + if ($state < 4) { + unlink($dest); + return 0; + } + return 1; +} + +# take a template file, strip out everything between the markers, and +# return the md5sum of the remaining contents. Used for testing for +# local modifications of the boilerplate. +sub get_template_md5sum +{ + my($template) = @_; + my $state = 0; + + open(INPUT,$template) || return ''; + my($md5sum_fd,$output_fd); + my $pid = open2($md5sum_fd, $output_fd, 'md5sum'); + return '' if (!$pid); + + while () { + if ($state == 1) { + if (/^# here's the fallback if no module succeeds/) { + print $output_fd $_; + $state++; + } + next; + } + if ($state == 3) { + if (/^# end of pam-auth-update config/) { + print $output_fd $_; + $state++; + } + next; + } + + print $output_fd $_; + + my ($pattern,$val); + if ($state == 0) { + $pattern = '^# here are the per-package modules \(the "Primary" block\)'; + } elsif ($state == 2) { + $pattern = '^# and here are more per-package modules \(the "Additional" block\)'; + } else { + next; + } + + if (/$pattern/) { + $state++; + } + } + close(INPUT); + close($output_fd); + my $md5sum = <$md5sum_fd>; + close($md5sum_fd); + waitpid $pid, 0; + + $md5sum = (split(/\s+/,$md5sum))[0]; + return $md5sum; +} + +# merge a set of module declarations into a set of new config files, +# using the information returned from diff_profiles(). +sub write_profiles +{ + my($profiles,$enabled,$confdir,$savedir,$diff,$force) = @_; + + if (! 
-d $savedir) { + mkdir($savedir); + } + + # because we can't atomically replace both /var/lib/pam/$foo and + # /etc/pam.d/common-$foo at the same time, take steps to make this + # somewhat robust + for my $type ('auth','account','password','session', + 'session-noninteractive') + { + my $target = $confdir . '/common-' . $type; + my $template = $target; + my $dest = $template . '.pam-new'; + + my $diff = $diff; + if ($diff) { + $diff = \%{$diff->{$type}}; + } + + # Detect if the template is unmodified, and if so, use + # the version from /usr/share. Depends on knowing the + # md5sums of the originals. + my $md5sum = get_template_md5sum($template); + for my $i (@{$md5sums{$type}}) { + if ($md5sum eq $i) { + $template = '/usr/share/pam/common-' . $type; + last; + } + } + + # first, write out the new config + if (!create_from_template($template,$dest,$profiles,$enabled, + $diff,$type)) + { + if (!$force) { + return 0; + } + $template = '/usr/share/pam/common-' . $type; + if (!create_from_template($template,$dest,$profiles, + $enabled,$diff,$type)) + { + return 0; + } + } + + # then write out the saved config + if (!open(OUTPUT, "> $savedir/$type.new")) { + unlink($dest); + return 0; + } + my $i = 0; + my $uctype = ucfirst($type); + for my $mod (@{$enabled}) { + my $output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if ($profiles->{$mod}{$uctype . '-Type'} eq 'Additional'); + + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + if ($output) { + print OUTPUT "Module: $mod\n"; + print OUTPUT $output . "\n"; + } + } + + # no primary block, so output a stock pam_permit line + if ($i == 0) + { + print OUTPUT "Module: null\n"; + print OUTPUT "[default=1]\t\t\tpam_permit.so\n"; + } + + $i = 0; + for my $mod (@{$enabled}) { + my $output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if ($profiles->{$mod}{$uctype . 
'-Type'} eq 'Primary'); + + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + if ($output) { + print OUTPUT "Module: $mod\n"; + print OUTPUT $output . "\n"; + } + } + + close(OUTPUT); + + # then do the renames, back-to-back + # we have to use system because File::Copy is in + # perl-modules, not perl-base + if (-e "$target" && $force) { + system('cp','-f',$target,$target . '.pam-old'); + } + rename($dest,$target); + rename("$savedir/$type.new","$savedir/$type"); + } + + # at the end of a successful write, reset the 'seen' flag and the + # value of the debconf override question. + fset($overridetemplate,'seen','false'); + set($overridetemplate,'false'); +} + +# reconcile the current config in /etc/pam.d with the saved ones in +# /var/lib/pam; returns a hash of profile names and the corresponding +# options that should be added/removed relative to the stock config. +# returns false if any of the markers are missing that permit a merge, +# or on any other failure. +sub diff_profiles +{ + my ($sourcedir,$savedir) = @_; + my (%diff); + + @{$diff{'mods'}} = (); + # Load the saved config from /var/lib/pam, then iterate through all + # lines in the current config that are in the managed block. + # If anything fails here, just return immediately since we then + # have nothing to merge; instead, the caller will decide later + # whether to force an overwrite. + for my $type ('auth','account','password','session', + 'session-noninteractive') + { + my (@saved,$modname); + + open(SAVED,$savedir . '/' . 
$type) || return 0; + while () { + if (/^Module: (.*)/) { + $modname = $1; + next; + } + chomp; + # trim out the destination of any jumps; this saves + # us from having to re-parse everything just to fix + # up the jump lengths, when changes to these will + # already show up as inconsistencies elsewhere + s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g; + s/(\[.*)end(.*\])/$1$2/g; + my (@temp) = ($modname,$_); + push(@saved,\@temp); + } + close(SAVED); + + my $state = 0; + my (@prev_opts,$curmod); + my $realtype = $type; + $realtype =~ s/-noninteractive//; + + open(CURRENT,$sourcedir . '/common-' . $type) || return 0; + while () { + if ($state == 0) { + $state = 1 + if (/^# here are the per-package modules \(the "Primary" block\)/); + next; + } + if ($state == 1) { + s/^$realtype\s+//; + if (/^# here's the fallback if no module succeeds/) { + $state = 2; + next; + } + } + if ($state == 2) { + $state = 3 + if (/^# and here are more per-package modules \(the "Additional" block\)/); + next; + } + if ($state == 3) { + last if (/^# end of pam-auth-update config/); + s/^$realtype\s+//; + } + + my $found = 0; + my $curopts; + while (!$found && $#saved >= 0) { + my $line; + ($modname,$line) = @{$saved[0]}; + shift(@saved); + $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/; + @prev_opts = split(/\s+/,$3); + $curmod = $1; + # FIXME: the key isn't derived from the config + # name, so collisions are possible if more + # than one config references the same module + + $_ =~ s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g; + # check if this is a match for the current line + if ($_ =~ /^\Q$curmod\E\s*(.*)$/) { + $found = 1; + $curopts = $1; + push(@{$diff{'mods'}},$modname); + } + } + + # there's a line in the live config that doesn't + # correspond to anything from the saved config. + # treat this as a failure; it's very error-prone + # to decide what to do with an added line that + # didn't come from a package. 
+ return 0 if (!$found); + + for my $opt (split(/\s+/,$curopts)) { + my $found = 0; + for (my $i = 0; $i <= $#prev_opts; $i++) { + if ($prev_opts[$i] eq $opt) { + $found = 1; + splice(@prev_opts,$i,1); + } + } + $diff{$type}{'add'}{$curmod}{$opt} = 1 if (!$found); + } + for my $opt (@prev_opts) { + $diff{$type}{'remove'}{$curmod}{$opt} = 1; + } + } + close(CURRENT); + + # we couldn't parse the config, so the merge fails + return 0 if ($state < 3); + } + return \%diff; +} + +# simple function to parse a provided config file, in pseudo-RFC822 +# format, +sub parse_pam_profile +{ + my ($profile) = $_[0]; + my $fieldname; + my %profile; + open(PROFILE, $profile) || die "could not read profile $profile: $!"; + while () { + if (/^(\S+):\s+(.*)$/) { + $fieldname = $1; + # compatibility with the first implementation round; + # "Auth-Final" is now just called "Auth" + $fieldname =~ s/-Final$//; + if ($fieldname eq 'Conflicts') { + foreach my $elem (split(/, /, $2)) { + $profile{'Conflicts'}->{$elem} = 1; + } + } else { + $profile{$fieldname} = $2; + } + } else { + chomp; + s/^\s+//; + $profile{$fieldname} .= "\n$_" if ($_); + $profile{$fieldname} =~ s/^[\n\s]+//; + } + } + close(PROFILE); + if (!defined($profile{'Session-Interactive-Only'})) { + $profile{'Session-noninteractive-Type'} = $profile{'Session-Type'}; + $profile{'Session-noninteractive'} = $profile{'Session'}; + $profile{'Session-noninteractive-Initial'} = $profile{'Session-Initial'}; + } + return %profile; +} --- pam-1.1.8.orig/debian/local/pam-auth-update.8 +++ pam-1.1.8/debian/local/pam-auth-update.8 
@@ -0,0 +1,101 @@ +.\" Copyright (C) 2008 Canonical Ltd. +.\" +.\" Author: Steve Langasek +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of version 3 of the GNU General Public License as +.\" published by the Free Software Foundation. +.\" +.\" .\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +.\" USA. +.TH "PAM\-AUTH\-UPDATE" "8" "08/23/2008" "Debian" +.SH NAME +pam\-auth\-update - manage PAM configuration using packaged profiles +.SH SYNOPSIS +.B pam\-auth\-update +.RB [ \-\-package " [" \-\-remove +.IR profile " [" profile\fR... "]]]" +.RB [ \-\-force ] +.SH DESCRIPTION +.I pam\-auth\-update +is a utility that permits configuring the central authentication policy +for the system using pre-defined profiles as supplied by PAM module +packages. +Profiles shipped in the +.I /usr/share/pam\-configs/ +directory specify the modules, with options, to enable; the preferred +ordering with respect to other profiles; and whether a profile should be +enabled by default. +Packages providing PAM modules register their profiles at install time +by calling +.BR "pam\-auth\-update \-\-package" . +Selection of profiles is done using the standard debconf interface. +The profile selection question will be asked at `medium' priority when +packages are added or removed, so no user interaction is required by +default. +Users may invoke +.B pam\-auth\-update +directly to change their authentication configuration. +.PP +The script makes every effort to respect local changes to +.IR "/etc/pam.d/common-*". 
+Local modifications to the list of module options will be preserved, and +additions of modules within the managed portion of the stack will cause +.B pam\-auth\-update +to treat the config files as locally modified and not make further +changes to the config files unless given the +.B \-\-force +option. +.PP +If the user specifies that +.B pam\-auth\-update +should override local configuration changes, the locally-modified files +will be saved in +.I /etc/pam.d/ +with a suffix of +.IR "\.pam\-old" . +.SH OPTIONS +.TP +.B \-\-package +Indicate that the caller is a package maintainer script; lowers the +priority of debconf questions to `medium' so that the user is not +prompted by default. +.TP +.B \-\-remove \fIprofile \fR[\fIprofile\fR...] +Remove the specified profiles from the system configuration. +.B pam\-auth\-update \-\-remove +should be used to remove profiles from the configuration before the +modules they reference are removed from disk, to ensure that PAM is in a +consistent and usable state at all times during package upgrades or +removals. +.TP +.B \-\-force +Overwrite the current PAM configuration, without prompting. +This option +.B must not +be used by package maintainer scripts; it is intended for use by +administrators only. +.SH FILES +.PP +.I /etc/pam.d/common\-* +.RS 4 +Global configuration of PAM, affecting all installed services. +.RE +.PP +.I /usr/share/pam\-configs/ +.RS 4 +Package-supplied authentication profiles. +.RE +.SH AUTHOR +Steve Langasek +.SH COPYRIGHT +Copyright (C) 2008 Canonical Ltd. +.SH "SEE ALSO" +PAM(7), pam.d(5), debconf(7) --- pam-1.1.8.orig/debian/local/pam.conf +++ pam-1.1.8/debian/local/pam.conf 
@@ -0,0 +1,15 @@ +# ---------------------------------------------------------------------------# +# /etc/pam.conf # +# ---------------------------------------------------------------------------# +# +# NOTE +# ---- +# +# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their +# PAM service modules. This file is used only if that directory does not exist. +# ---------------------------------------------------------------------------# + +# Format: +# serv. module ctrl module [path] ...[args..] # +# name type flag # + --- pam-1.1.8.orig/debian/local/pam_getenv +++ pam-1.1.8/debian/local/pam_getenv 
@@ -0,0 +1,123 @@ +#!/usr/bin/perl -w + +=head1 NAME + +pam_getenv - get environment variables from /etc/environment + +=head1 SYNOPSIS + +pam_getenv B<[-l] [-s]> I + +=head1 DESCRIPTION + +This tool will print out the value of I from F. It will attempt to expand environment variable references in the definition of I but will fail if PAM items are expanded. + +The B<-l> option indicates the script should return an environment variable related to default locale information. + +The B<-s> option indicates that the script should return an +system default environment variable. + +Currently neither the B<-l> or B<-s> options do anything. They are +included because future versions of Debian may have a separate +repository for the initial environment used by init scripts and for +system locale information. These options will allow this script to be +a stable interface even in that environment. + +=cut + +# Copyright 2004 by Sam Hartman +# This script may be copied under the terms of the GNU GPL +# version 2, or at your option any later version. 
+ +use strict; +use vars qw(*CONFIGFILE *ENVFILE); + +sub read_line($) { + my $fh = shift; + my $line; + local $_; + line: while (<$fh>) { + chomp; + s/^\s+//; +s/\#.*$//; + next if $_ eq ""; + if (s/\\\s*$//) { + $line .= $_; + next line; + } + + $line .= $_; + last; + } + $line; + +} + + +sub parse_line($) { + my $var; + my (%x, @x); + local $_ = shift; + return undef unless defined $_ and s/(\S+)\s//; + $var->{Name} = $1; + s/^\s*//; + @x = split(/=([^"\s]\S*|"[^"]*")\s*/, $_); + unless (scalar(@x)%2 == 0) { + push @x, undef; + } + %x = @x; + @{$var}{"Default", "Override"} = + @x{"DEFAULT", "OVERRIDE"}; + $var; +} + +sub expand_val($) { + my ($val) = @_; +return undef unless $val; + die "Cannot handle PAM items\n" if /(?{Override})) { + $val = expand_val($var->{Default}); + } + $allvars{$var->{Name}} = $val; +} + +if (open (ENVFILE, "/etc/environment")) { + while (my $line = read_line(\*ENVFILE)) { + $line =~ s/^export //; + $line =~ /(.*?)=(.+)/ or next; + my ($var, $val) = ($1, $2); + # This is bizarre logic (" and ' match each other, quotes are only + # significant at the start and end of the string, and the trailing quote + # may be omitted), but it's what pam_env does. + $val =~ s/^["'](.*?)["']?$/$1/; + $allvars{$var} = $val; + } +} + +if (exists $allvars{$lookup}) { + print $allvars{$lookup}, "\n"; + exit(0); +} --- pam-1.1.8.orig/debian/pam-configs/cracklib +++ pam-1.1.8/debian/pam-configs/cracklib @@ -0,0 +1,9 @@ +Name: Cracklib password strength checking +Default: yes +Priority: 1024 +Conflicts: unix-zany +Password-Type: Primary +Password: + requisite pam_cracklib.so retry=3 minlen=8 difok=3 +Password-Initial: + requisite pam_cracklib.so retry=3 minlen=8 difok=3 --- pam-1.1.8.orig/debian/pam-configs/mkhomedir +++ pam-1.1.8/debian/pam-configs/mkhomedir 
@@ -0,0 +1,7 @@ +Name: Create home directory on login +Default: no +Priority: 0 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_mkhomedir.so --- pam-1.1.8.orig/debian/pam-configs/unix +++ pam-1.1.8/debian/pam-configs/unix @@ -0,0 +1,23 @@ +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so nullok_secure try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so nullok_secure +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 +Password-Initial: + [success=end default=ignore] pam_unix.so obscure sha512 --- pam-1.1.8.orig/debian/patches-applied/007_modules_pam_unix +++ pam-1.1.8/debian/patches-applied/007_modules_pam_unix 
@@ -0,0 +1,462 @@ +Index: pam.debian/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam.debian/modules/pam_unix/pam_unix_passwd.c +@@ -102,6 +102,9 @@ + # endif /* GNU libc 2.1 */ + #endif + ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ + /* + How it works: + Gets in username (has to be done) from the calling program +@@ -521,6 +524,11 @@ + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -536,7 +544,7 @@ + int retval; + int remember = -1; + int rounds = -1; +- int pass_min_len = 0; ++ int pass_min_len = 6; + + /* */ + const char *user; +Index: pam.debian/modules/pam_unix/support.h +=================================================================== +--- pam.debian.orig/modules/pam_unix/support.h ++++ pam.debian/modules/pam_unix/support.h +@@ -97,8 +97,9 @@ + password hash algorithms */ + #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ + #define UNIX_MIN_PASS_LEN 27 /* min length for password */ ++#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -107,34 +108,35 @@ + /* symbol token name ctrl mask ctrl * + * ----------------------- ------------------- --------------------- -------- */ + +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 
0}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0}, +-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, +-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20, 0}, ++/* 
UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x2C22000), 0x2000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2C22000), 0x20000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x2C22000), 0x400000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, ++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +Index: pam.debian/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.debian/modules/pam_unix/pam_unix.8.xml +@@ -337,8 +337,81 @@ + + + Set a minimum password length of n +- characters. The max. for DES crypt based passwords are 8 +- characters. ++ characters. The default value is 6. The maximum for DES ++ crypt-based passwords is 8 characters. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Enable some extra checks on password strength. 
These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't too much like ++ the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ ++ ++ ++ + + + +Index: pam.debian/modules/pam_unix/obscure.c +=================================================================== +--- /dev/null ++++ pam.debian/modules/pam_unix/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. 
*/ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. Two types, 7, and so on. ++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ 
char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (!UNIX_DES_CRYPT(ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +Index: pam.debian/modules/pam_unix/Makefile.am +=================================================================== +--- pam.debian.orig/modules/pam_unix/Makefile.am ++++ pam.debian/modules/pam_unix/Makefile.am +@@ -43,7 +43,7 @@ + + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c ++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + if STATIC_MODULES + pam_unix_la_SOURCES += pam_unix_static.c + endif +Index: pam.debian/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8 ++++ pam.debian/modules/pam_unix/pam_unix.8 +@@ -183,7 +183,38 @@ + .RS 4 + Set a minimum password length of + \fIn\fR +-characters\&. The max\&. for DES crypt based passwords are 8 characters\&. ++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. 
++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. ++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. ++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt too much like the previous one\&. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") ++.RE ++.sp + .RE + .PP + Invalid arguments are logged with --- pam-1.1.8.orig/debian/patches-applied/008_modules_pam_limits_chroot +++ pam-1.1.8/debian/patches-applied/008_modules_pam_limits_chroot 
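Review bot: in password_check() of the new obscure.c, the results of strdup(new), strdup(old) and malloc(strlen(oldmono) * 2 + 1) are used without a NULL check, so an allocation failure during a password change dereferences NULL inside str_lower() or strcpy(). Check each allocation and bail out cleanly on failure; the same applies to the two strndup() calls in obscure_msg(). simple() and str_lower() also pass plain char values to isdigit(), isupper(), islower() and tolower(); cast to unsigned char so passwords containing bytes above 0x7f do not hit undefined behaviour, and drop the unused old parameter of simple().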
@@ -0,0 +1,132 @@ +Index: pam.debian/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.debian.orig/modules/pam_limits/pam_limits.c ++++ pam.debian/modules/pam_limits/pam_limits.c +@@ -87,6 +87,7 @@ + int flag_numsyslogins; /* whether to limit logins only for a + specific user or to count all logins */ + int priority; /* the priority to run user process with */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + const char *conf_file; + int utmp_after_pam_call; +@@ -97,6 +98,7 @@ + #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 + + #define LIMIT_PRI RLIM_NLIMITS+3 ++#define LIMIT_CHROOT RLIM_NLIMITS+4 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -472,6 +474,8 @@ + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -542,6 +546,8 @@ + pl->flag_numsyslogins = 1; + } else if (strcmp(lim_item, "priority") == 0) { + limit_item = LIMIT_PRI; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -579,9 +585,9 @@ + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -642,7 +648,11 @@ + #endif + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) { ++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1); ++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; ++ } ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) ) { + if (limit_type & LIMIT_SOFT) { +@@ -986,6 +996,15 @@ + retval |= LOGIN_ERR; + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); 
++ if (i == 0) ++ i = chroot(pl->chroot_dir); ++ if (i == 0) ++ i = chdir("/"); ++ if (i != 0) ++ retval = LIMIT_ERR; ++ } + return retval; + } + +Index: pam.debian/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml +@@ -255,6 +255,12 @@ + (Linux 2.6.12 and higher) + + ++ ++ ++ ++ the directory to chroot the user to ++ ++ + + + +Index: pam.debian/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -260,6 +260,11 @@ + .RS 4 + maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) + .RE ++.PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to ++.RE + .RE + .PP + All items support the values +Index: pam.debian/modules/pam_limits/limits.conf +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf ++++ pam.debian/modules/pam_limits/limits.conf +@@ -35,6 +35,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to values: [-20, 19] + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + # + # +@@ -45,6 +46,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file --- pam-1.1.8.orig/debian/patches-applied/021_nis_cleanup +++ pam-1.1.8/debian/patches-applied/021_nis_cleanup 
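Review bot: in the process_limit() hunk of 008_modules_pam_limits_chroot, an over-long chroot value is silently truncated by strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1), so the session can end up chrooted into a different, shorter path than the one the administrator configured. Reject values that do not fit and log them with pam_syslog() instead of truncating. The buffer size 8092 also looks like a typo for 8192 (or PATH_MAX), and the failure path that sets retval = LIMIT_ERR after chdir()/chroot() should log which call failed and the errno.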
@@ -0,0 +1,44 @@ +Patch from Philippe Troin + +Originally this included a bunch of changes to locking, but the more +recent code pulled from Linux_pam CVS seems to fix that issue. + +Index: pam.deb/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam.deb/modules/pam_unix/pam_unix_passwd.c +@@ -577,7 +577,7 @@ + + if (_unix_blankpasswd(pamh, ctrl, user)) { + return PAM_SUCCESS; +- } else if (off(UNIX__IAMROOT, ctrl)) { ++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) { + /* instruct user what is happening */ + if (asprintf(&Announce, _("Changing password for %s."), + user) < 0) { +@@ -590,7 +590,9 @@ + set(UNIX__OLD_PASSWD, lctrl); + retval = _unix_read_password(pamh, lctrl + ,Announce +- ,_("(current) UNIX password: ") ++ ,(on(UNIX__IAMROOT, ctrl) ++ ? _("NIS server root password: ") ++ : _("(current) UNIX password: ")) + ,NULL + ,_UNIX_OLD_AUTHTOK + ,&pass_old); +@@ -601,9 +603,12 @@ + "password - (old) token not obtained"); + return retval; + } +- /* verify that this is the password for this user */ ++ /* verify that this is the password for this user ++ * if we're not using NIS */ + +- retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ if (off(UNIX_NIS, ctrl)) { ++ retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ } + } else { + D(("process run by root so do nothing this time around")); + pass_old = NULL; --- pam-1.1.8.orig/debian/patches-applied/022_pam_unix_group_time_miscfixes +++ pam-1.1.8/debian/patches-applied/022_pam_unix_group_time_miscfixes 
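Review bot: in the last hunk of 021_nis_cleanup, wrapping _unix_verify_password() in if (off(UNIX_NIS, ctrl)) means the old token is never checked locally when NIS is on, and retval simply keeps the value left by _unix_read_password(). The comment should say where the old password is verified in the NIS case (the new prompt text suggests the NIS server does it), so a reader can confirm the check has moved and is not just skipped.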
@@ -0,0 +1,22 @@ +Description: handle the case of flags being empty or only PAM_SILENT, which is + documented in other PAM implementations as meaning PAM_ESTABLISH_CRED: + http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm + +Index: pam.deb/modules/pam_group/pam_group.c +=================================================================== +--- pam.deb.orig/modules/pam_group/pam_group.c ++++ pam.deb/modules/pam_group/pam_group.c +@@ -765,9 +765,12 @@ + unsigned setting; + + /* only interested in establishing credentials */ ++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. ++ Some people just pass PAM_SILENT, so cope with it, too. */ + + setting = flags; +- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { ++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) ++ && (setting != 0) && (setting != PAM_SILENT)) { + D(("ignoring call - not for establishing credentials")); + return PAM_SUCCESS; /* don't fail because of this */ + } --- pam-1.1.8.orig/debian/patches-applied/026_pam_unix_passwd_unknown_user +++ pam-1.1.8/debian/patches-applied/026_pam_unix_passwd_unknown_user 
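Review bot: the new condition in pam_group.c spells out the empty and PAM_SILENT-only cases as (setting != 0) && (setting != PAM_SILENT); masking the silent bit once, for example (setting & ~PAM_SILENT) != 0, expresses the same test more directly and is harder to get wrong if the condition is extended later. The two comments above it could also be merged into one so the rule for an empty flag reads as part of the "only interested in establishing credentials" statement.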
@@ -0,0 +1,33 @@ +Description: distinguish between password manipulation failure and missing user. +Author: Martin Schwenke + +Index: pam.deb/modules/pam_unix/passverify.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/passverify.c ++++ pam.deb/modules/pam_unix/passverify.c +@@ -719,7 +719,7 @@ + struct passwd *tmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; +- int err = 1; ++ int err = 1, found = 0; + int oldmask; + #ifdef WITH_SELINUX + security_context_t prev_context=NULL; +@@ -790,6 +790,7 @@ + + tmpent->pw_passwd = assigned_passwd.charp; + err = 0; ++ found = 1; + } + if (putpwent(tmpent, pwfile)) { + D(("error writing entry to password file: %m")); +@@ -832,7 +833,7 @@ + return PAM_SUCCESS; + } else { + unlink(PW_TMPFILE); +- return PAM_AUTHTOK_ERR; ++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; + } + } + --- pam-1.1.8.orig/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ pam-1.1.8/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root 
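Review bot: in passverify.c, found is set only when the user's entry is reached, so the final return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN reports every failure that happens before that point as PAM_USER_UNKNOWN. If the copy loop can stop early, for example on the putpwent() error shown in the second hunk, an existing user would be reported as unknown. Return PAM_USER_UNKNOWN only when the whole file was read without error and no entry matched, and document the new return value in the function comment.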
@@ -0,0 +1,253 @@ +Description: Allow explicit limits for root and reset limits on each session + When crossing session boundaries (such as when su'ing from one user to + another), if the target account has no limit specified in limits.conf we + want to use the default, not the current value configured for the + source account. + . + If /proc/1/limits is unavailable, fall back to a set of hard-coded values + that shadow the currently known defaults on Linux. + . + Also, don't apply wildcard limits to the root account; only apply limits to + root that reference root by name. +Author: Peter Paluch , + Ben Collins , + Steve Langasek , +Bug-Debian: http://bugs.debian.org/63230 +Index: pam.debian/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.debian.orig/modules/pam_limits/pam_limits.c ++++ pam.debian/modules/pam_limits/pam_limits.c +@@ -45,6 +45,14 @@ + #include + #endif + ++#ifndef MLOCK_LIMIT ++#ifdef __FreeBSD_kernel__ ++#define MLOCK_LIMIT RLIM_INFINITY ++#else ++#define MLOCK_LIMIT (64*1024) ++#endif ++#endif ++ + /* Module defines */ + #define LINE_LENGTH 1024 + +@@ -82,6 +90,7 @@ + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? 
*/ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -436,9 +445,18 @@ + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + ++ pl->root = 0; ++ ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -454,18 +472,68 @@ + } + + #ifdef __linux__ +- if (ctrl & PAM_SET_ALL) { +- parse_kernel_limits(pamh, pl, ctrl); ++ parse_kernel_limits(pamh, pl, ctrl); ++#endif + +- for(i = 0; i < RLIM_NLIMITS; i++) { ++ for(i = 0; i < RLIM_NLIMITS; i++) { + if (pl->limits[i].supported && + (pl->limits[i].src_soft == LIMITS_DEF_NONE || + pl->limits[i].src_hard == LIMITS_DEF_NONE)) { +- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#endif ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 
819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } +- } + } +-#endif + + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); +@@ -804,7 +872,7 @@ + + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -830,7 +898,7 @@ + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); + } +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -864,7 +932,7 @@ + } else { + switch(rngtype) { + case LIMIT_RANGE_NONE: +- if (strcmp(domain, "*") == 0) ++ if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + break; +@@ -1050,6 +1118,8 @@ + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable ' -' entry", CONF_FILE)); +Index: pam.debian/modules/pam_limits/limits.conf +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf ++++ pam.debian/modules/pam_limits/limits.conf +@@ -11,6 +11,9 @@ + # - the wildcard *, for default entry + # - the 
wildcard %, can be also used with %group syntax, + # for maxlogin limit ++# - NOTE: group and wildcard limits are not applied to root. ++# To apply a limit to the root user, must be ++# the literal username root. + # + # can have the two values: + # - "soft" for enforcing the soft limits +@@ -41,6 +44,7 @@ + # + + #* soft core 0 ++#root hard core 100000 + #* hard rss 10000 + #@student hard nproc 20 + #@faculty soft nproc 20 +Index: pam.debian/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml +@@ -88,6 +88,11 @@ + + + ++ ++ NOTE: group and wildcard limits are not ++ applied to the root user. To set a limit for the root user, this field ++ must contain the literal username root. ++ + + + +@@ -309,6 +314,7 @@ + + + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam.debian/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -132,6 +132,10 @@ + \fB%:\fR\fI\fR + applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. + .RE ++.sp ++\fBNOTE:\fR ++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username ++\fBroot\fR\&. + .RE + .PP + \fB\fR +@@ -304,6 +308,7 @@ + .\} + .nf + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam.debian/modules/pam_limits/README +=================================================================== +--- pam.debian.orig/modules/pam_limits/README ++++ pam.debian/modules/pam_limits/README +@@ -54,6 +54,7 @@ + limits.conf. 
+ + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 --- pam-1.1.8.orig/debian/patches-applied/031_pam_include +++ pam-1.1.8/debian/patches-applied/031_pam_include 
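Review bot: in the init hunk of 027_pam_limits_better_init_allow_explicit_root, mlock_limit is declared static int but is compared with and assigned from MLOCK_LIMIT, which is RLIM_INFINITY under __FreeBSD_kernel__, and is then stored into rlim_cur and rlim_max. Declare it as rlim_t so the value is not truncated or sign-converted on the way.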
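Review bot: the root exemption in 027 keys on pwd->pw_uid == 0 (pl->root = 1), while the added limits.conf text says the domain must be the literal username root. Any other account with uid 0 also skips group and wildcard entries and is matched only by its own name through strcmp(uname, domain); either word the documentation in terms of uid 0 or state how such accounts are handled.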
@@ -0,0 +1,72 @@ +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz + +Upstream status: not yet submitted + +Index: pam.debian/libpam/pam_handlers.c +=================================================================== +--- pam.debian.orig/libpam/pam_handlers.c ++++ pam.debian/libpam/pam_handlers.c +@@ -122,6 +122,10 @@ + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; ++ } else if (!strcasecmp("@include", tok)) { ++ pam_include = 1; ++ module_type = requested_module_type; ++ goto parsing_done; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); +@@ -192,8 +196,10 @@ + _pam_set_default_control(actions, _PAM_ACTION_BAD); + } + ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { ++ struct stat include_dir; + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, +@@ -204,13 +210,35 @@ + return PAM_ABORT; + } + } +- if (_pam_load_conf_file(pamh, tok, this_service, module_type, +- stack_level + substack ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, ++ module_type, stack_level + substack ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) ++ continue; ++ } ++ else if (!stat(PAM_CONFIG_D, &include_dir) ++ && S_ISDIR(include_dir.st_mode)) ++ { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, ++ module_type, stack_level + substack + #ifdef PAM_READ_BOTH_CONFS + , !other + #endif /* PAM_READ_BOTH_CONFS */ +- ) == PAM_SUCCESS) +- continue; ++ ) == PAM_SUCCESS) ++ { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = 
NULL; + handler_type = PAM_HT_MUST_FAIL; --- pam-1.1.8.orig/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL +++ pam-1.1.8/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL @@ -0,0 +1,22 @@ +setrlimit will sometimes return EPERM for example if you try to increase the +number of open files too much. This is not something we want to consider +fatal. This also happens if you use non-root and try to decrease a limit. +Running PAM as non-root is not so great. + +Authors: ? + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam.deb/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -735,6 +735,8 @@ + if (res != 0) + pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", + rlimit2str(i)); ++ if (res == -1 && errno == EPERM) ++ continue; + status |= res; + } + --- pam-1.1.8.orig/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful +++ pam-1.1.8/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful 
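Review bot: in the @include branch of pam_handlers.c (031_pam_include), tok comes straight from _pam_StrTok(NULL, " \n\t", &nexttok) and is then dereferenced in if (tok[0] == '/') with no NULL check visible in the hunk, so an @include line without a file name would crash the parser. Test tok before indexing it and fall through to the existing _PAM_ACTION_BAD path. The relative case formats tok into PAM_CONFIG_DF unchanged, so the documentation should also say whether names containing '/' are meant to be accepted.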
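Review bot: in 032_pam_limits_EPERM_NOT_FATAL, errno is tested after the pam_syslog() call, which can itself change errno, so the EPERM check may be looking at the wrong value. Save errno immediately after setrlimit() and compare the saved copy in if (res == -1 && errno == EPERM).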
@@ -0,0 +1,145 @@ +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> + +Index: pam.debian/modules/pam_wheel/pam_wheel.c +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.c ++++ pam.debian/modules/pam_wheel/pam_wheel.c +@@ -60,9 +60,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -80,8 +79,7 @@ + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. 
*/ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -129,27 +127,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (!tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- if (fromsu) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- if (!fromsu || !tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (!tpwd) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + + trust + +- +- use_uid +- + + + +@@ -115,18 +112,6 @@ + + + +- +- +- +- +- +- +- The check for wheel membership will be done against +- the current uid instead of the original one (useful when +- jumping with su from one account to another for example). 
+- +- +- + + + +Index: pam.debian/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.8 ++++ pam.debian/modules/pam_wheel/pam_wheel.8 +@@ -31,7 +31,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP \w'\fBpam_wheel\&.so\fR\ 'u +-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -72,11 +72,6 @@ + .RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. + .RE +-.PP +-\fBuse_uid\fR +-.RS 4 +-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&. +-.RE + .SH "MODULE TYPES PROVIDED" + .PP + The +Index: pam.debian/modules/pam_wheel/README +=================================================================== +--- pam.debian.orig/modules/pam_wheel/README ++++ pam.debian/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check for wheel membership will be done against the current uid instead +- of the original one (useful when jumping with su from one account to +- another for example). +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can --- pam-1.1.8.orig/debian/patches-applied/040_pam_limits_log_failure +++ pam-1.1.8/debian/patches-applied/040_pam_limits_log_failure 
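Review bot: in pam_wheel.c (036_pam_wheel_getlogin_considered_harmful) the use_uid case is now else if (!strcmp(*argv,"use_uid")); with an empty statement, which is easy to misread as guarding the following else if; use an explicit empty block with the comment inside it. The option is still accepted but has been removed from pam_wheel.8.xml, pam_wheel.8 and README; keeping an entry that marks it as accepted and ignored would help administrators whose existing stacks pass use_uid.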
@@ -0,0 +1,36 @@ +Patch for Debian bug #180310 + +Generate some (low-severity) log information whenever setrlimit() fails, +for debugging purposes. + +Authors: Sam Hartman + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam.deb/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -732,9 +732,19 @@ + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; + res = setrlimit(i, &pl->limits[i].limit); +- if (res != 0) +- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", +- rlimit2str(i)); ++ if (res != 0 && (i != RLIMIT_NOFILE ++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) ++ { ++ int save_errno = errno; ++ pam_syslog(pamh, LOG_DEBUG, ++ "Could not set limit for '%s' to soft=%d, hard=%d:" ++ " %m; uid=%lu,euid=%lu", rlimit2str(i), ++ pl->limits[i].limit.rlim_cur, ++ pl->limits[i].limit.rlim_max, ++ (unsigned long) getuid(), ++ (unsigned long) geteuid()); ++ errno = save_errno; ++ } + if (res == -1 && errno == EPERM) + continue; + status |= res; --- pam-1.1.8.orig/debian/patches-applied/045_pam_dispatch_jump_is_ignore +++ pam-1.1.8/debian/patches-applied/045_pam_dispatch_jump_is_ignore 
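Review bot: the new pam_syslog() format in 040_pam_limits_log_failure uses soft=%d, hard=%d for pl->limits[i].limit.rlim_cur and rlim_max, which are rlim_t values rather than int; through varargs this is a type mismatch and RLIM_INFINITY will not print correctly. Cast to unsigned long long and use %llu. The severity also drops from LOG_ERR to LOG_DEBUG, and a failed RLIMIT_NOFILE set to RLIM_INFINITY is not logged at all, so together with the EPERM continue that follows, a limit that could not be applied is invisible at default log levels; LOG_WARNING would keep it observable.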
@@ -0,0 +1,31 @@ + +Previously jumps were treated as PAM_IGNORE in the freezing part of +the chain and PAM_OK (aka required) in the frozen part of the chain. +No one on pam-list was able to explain this behavior, so I changed it +to be consistent. + +Index: pam.debian/libpam/pam_dispatch.c +=================================================================== +--- pam.debian.orig/libpam/pam_dispatch.c ++++ pam.debian/libpam/pam_dispatch.c +@@ -254,19 +254,7 @@ + if ( _PAM_ACTION_IS_JUMP(action) ) { + + /* If we are evaluating a cached chain, we treat this +- module as required (aka _PAM_ACTION_OK) as well as +- executing the jump. */ +- +- if (use_cached_chain) { +- if (impression == _PAM_UNDEF +- || (impression == _PAM_POSITIVE +- && status == PAM_SUCCESS) ) { +- if ( retval != PAM_IGNORE || cached_retval == retval ) { +- impression = _PAM_POSITIVE; +- status = retval; +- } +- } +- } ++ module as ignored as well as executing the jump. */ + + /* this means that we need to skip #action stacked modules */ + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { --- pam-1.1.8.orig/debian/patches-applied/054_pam_security_abstract_securetty_handling +++ pam-1.1.8/debian/patches-applied/054_pam_security_abstract_securetty_handling 
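Review bot: after the removal in pam_dispatch.c, the surviving comment still opens with "If we are evaluating a cached chain", although a jump no longer does anything specific to the cached chain. Reword it to say that a jump never contributes to impression or status in either pass, and record the behaviour change for stacks that relied on a jump counting as success in the frozen pass.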
@@ -0,0 +1,199 @@ +Description: extract the securetty logic for use with the "nullok_secure" option + introduced in the "055_pam_unix_nullok_secure" patch. + +Index: pam.debian/modules/pam_securetty/pam_securetty.c +=================================================================== +--- pam.debian.orig/modules/pam_securetty/pam_securetty.c ++++ pam.debian/modules/pam_securetty/pam_securetty.c +@@ -1,7 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" + #define CMDLINE_FILE "/proc/cmdline" + #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + +@@ -40,6 +38,9 @@ + #include + #include + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + #define PAM_NOCONSOLE_ARG 0x0002 + +@@ -73,11 +74,7 @@ + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -105,50 +102,7 @@ + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { +- uttyname += sizeof(TTY_PREFIX)-1; +- } +- +- if (stat(SECURETTY_FILE, &ttyfileinfo)) { +- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +- return PAM_SUCCESS; /* for compatibility with old securetty handling, +- this needs to succeed. But we still log the +- error. 
*/ +- } +- +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { +- /* If the file is world writable or is not a +- normal file, return error */ +- pam_syslog(pamh, LOG_ERR, +- "%s is either world writable or not a normal file", +- SECURETTY_FILE); +- return PAM_AUTH_ERR; +- } +- +- ttyfile = fopen(SECURETTY_FILE,"r"); +- if (ttyfile == NULL) { /* Check that we opened it successfully */ +- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); +- return PAM_SERVICE_ERR; +- } +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') +- ttyfileline[strlen(ttyfileline) - 1] = '\0'; +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); +- } +- fclose(ttyfile); ++ retval = _pammodutil_tty_secure(pamh, uttyname); + + if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { + FILE *cmdlinefile; +Index: pam.debian/modules/pam_securetty/tty_secure.c +=================================================================== +--- /dev/null ++++ pam.debian/modules/pam_securetty/tty_secure.c +@@ -0,0 +1,90 @@ ++/* ++ * A function to determine if a particular line is in /etc/securetty ++ */ ++ ++ ++#define SECURETTY_FILE "/etc/securetty" ++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_securetty by Sam Hartman ++ * */ ++/* ++ * by Elliot Lee , Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 
1996/12/3 ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", ++ SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. */ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ pam_syslog(pamh, LOG_ERR, ++ "%s is either world writable or not a normal file", ++ SECURETTY_FILE); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ } ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} +Index: pam.debian/modules/pam_securetty/Makefile.am 
+=================================================================== +--- pam.debian.orig/modules/pam_securetty/Makefile.am ++++ pam.debian/modules/pam_securetty/Makefile.am +@@ -24,6 +24,10 @@ + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml --- pam-1.1.8.orig/debian/patches-applied/055_pam_unix_nullok_secure +++ pam-1.1.8/debian/patches-applied/055_pam_unix_nullok_secure 
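Review bot: _pammodutil_tty_secure() in tty_secure.c returns PAM_SUCCESS when stat() on /etc/securetty fails, which was a compatibility choice for pam_securetty but is fail-open for the nullok_secure use named in the description: with the file missing, every tty counts as secure. Give the helper a way to report the missing file separately, or document that callers must handle that case themselves. In the matching loop, strcmp(ptname, uttyname) compares the "pts/N" string with the name it was built from, so it can never be zero; it was presumably meant to compare ptname with ttyfileline. The extern declaration repeated in both .c files would be better placed in a shared header.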
@@ -0,0 +1,223 @@ +Debian patch to add a new 'nullok_secure' option to pam_unix, which +accepts users with null passwords only when the applicant is connected +from a tty listed in /etc/securetty. + +Authors: Sam Hartman , + Steve Langasek + +Upstream status: not yet submitted + +Index: pam.debian/modules/pam_unix/support.c +=================================================================== +--- pam.debian.orig/modules/pam_unix/support.c ++++ pam.debian/modules/pam_unix/support.c +@@ -189,13 +189,22 @@ + /* now parse the arguments to this module */ + + for (; argc-- > 0; ++argv) { ++ int sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -565,6 +574,7 @@ + child = fork(); + if (child == 0) { + int i=0; ++ int nullok = off(UNIX__NONULL, ctrl); + struct rlimit rlim; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; +@@ -595,7 +605,18 @@ + /* exec binary helper */ + args[0] = strdup(CHKPWD_HELPER); + args[1] = x_strdup(user); +- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ ++ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ const void *uttyname; ++ retval = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval != PAM_SUCCESS || uttyname == NULL ++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ { ++ nullok = 0; ++ } ++ } ++ ++ if (nullok) { + args[2]=strdup("nullok"); + } else { + args[2]=strdup("nonull"); +@@ -675,6 +696,17 @@ + if (on(UNIX__NONULL, ctrl)) + return 0; /* will fail but don't let on yet */ + ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ 
int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + /* UNIX passwords area */ + + retval = get_pwd_hash(pamh, name, &pwd, &salt); +@@ -761,7 +793,8 @@ + } + } + } else { +- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); ++ retval = verify_pwd_hash(p, salt, ++ _unix_blankpasswd(pamh, ctrl, name)); + } + + if (retval == PAM_SUCCESS) { +Index: pam.debian/modules/pam_unix/support.h +=================================================================== +--- pam.debian.orig/modules/pam_unix/support.h ++++ pam.debian/modules/pam_unix/support.h +@@ -98,8 +98,9 @@ + #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ + #define UNIX_MIN_PASS_LEN 27 /* min length for password */ + #define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ ++#define UNIX_NULLOK_SECURE 29 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -117,7 +118,7 @@ + /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200, 0}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, +@@ -137,6 +138,7 @@ + /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1}, + /* UNIX_MIN_PASS_LEN */ {"minlen=", 
_ALL_ON_, 0x4000000, 0}, + /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -172,6 +174,9 @@ + ,const char *data_name + ,const void **pass); + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + extern int _unix_run_verify_binary(pam_handle_t *pamh, + unsigned int ctrl, const char *user, int *daysleft); + #endif /* _PAM_UNIX_SUPPORT_H */ +Index: pam.debian/modules/pam_unix/Makefile.am +=================================================================== +--- pam.debian.orig/modules/pam_unix/Makefile.am ++++ pam.debian/modules/pam_unix/Makefile.am +@@ -30,7 +30,8 @@ + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ +- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) ++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ ++ ../pam_securetty/tty_secure.lo + + securelib_LTLIBRARIES = pam_unix.la + +Index: pam.debian/modules/pam_unix/README +=================================================================== +--- pam.debian.orig/modules/pam_unix/README ++++ pam.debian/modules/pam_unix/README +@@ -58,7 +58,16 @@ + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides +- this default. ++ this default and allows any user with a blank password to access the ++ service. ++ ++nullok_secure ++ ++ The default action of this module is to not permit the user access to a ++ service if their official password is blank. The nullok_secure argument ++ overrides this default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of the values ++ found in /etc/securetty. 
+ + try_first_pass + +Index: pam.debian/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8 ++++ pam.debian/modules/pam_unix/pam_unix.8 +@@ -82,7 +82,14 @@ + .RS 4 + The default action of this module is to not permit the user access to a service if their official password is blank\&. The + \fBnullok\fR +-argument overrides this default\&. ++argument overrides this default and allows any user with a blank password to access the service\&. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. + .RE + .PP + \fBtry_first_pass\fR +Index: pam.debian/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.debian/modules/pam_unix/pam_unix.8.xml +@@ -137,7 +137,24 @@ + + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The argument overrides this default. ++ The argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + + + --- pam-1.1.8.orig/debian/patches-applied/PAM-manpage-section +++ pam-1.1.8/debian/patches-applied/PAM-manpage-section 
@@ -0,0 +1,1637 @@ +Patch to put the PAM manpage in section 7 (general topics) instead of 8 +(system administration commands) + +Authors: Steve Langasek + +Upstream status: maybe provide a backwards-compatibility link first? + +Index: pam.debian/doc/man/pam.8.xml +=================================================================== +--- pam.debian.orig/doc/man/pam.8.xml ++++ pam.debian/doc/man/pam.8.xml +@@ -6,7 +6,7 @@ + + + pam +- 8 ++ 7 + Linux-PAM Manual + + +@@ -179,7 +179,7 @@ + pam_strerror3 + , + +- PAM8 ++ PAM7 + + + +Index: pam.debian/doc/man/PAM.8 +=================================================================== +--- pam.debian.orig/doc/man/PAM.8 ++++ pam.debian/doc/man/PAM.8 +@@ -2,12 +2,12 @@ + .\" Title: pam + .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 09/19/2013 ++.\" Date: 01/16/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM" "8" "09/19/2013" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM" "7" "01/16/2014" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -118,4 +118,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_sm_setcred\fR(3), + \fBpam_strerror\fR(3), +-\fBPAM\fR(8) ++\fBPAM\fR(7) +Index: pam.debian/modules/pam_access/access.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_access/access.conf.5.xml ++++ pam.debian/modules/pam_access/access.conf.5.xml +@@ -191,7 +191,7 @@ + + pam_access8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_access/access.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_access/access.conf.5 ++++ pam.debian/modules/pam_access/access.conf.5 +@@ -181,7 +181,7 @@ + .PP + 
\fBpam_access\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + Original +Index: pam.debian/modules/pam_env/pam_env.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.conf.5.xml ++++ pam.debian/modules/pam_env/pam_env.conf.5.xml +@@ -110,7 +110,7 @@ + + pam_env8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_env/pam_env.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.conf.5 ++++ pam.debian/modules/pam_env/pam_env.conf.5 +@@ -112,7 +112,7 @@ + .PP + \fBpam_env\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_env was written by Dave Kinchlea \&. +Index: pam.debian/modules/pam_group/group.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_group/group.conf.5.xml ++++ pam.debian/modules/pam_group/group.conf.5.xml +@@ -128,7 +128,7 @@ + + pam_group8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_group/group.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_group/group.conf.5 ++++ pam.debian/modules/pam_group/group.conf.5 +@@ -113,7 +113,7 @@ + .PP + \fBpam_group\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_group was written by Andrew G\&. Morgan \&. 
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml +@@ -343,7 +343,7 @@ + + pam_limits8, + pam.d5, +- pam8, ++ pam7, + getrlimit2 + getrlimit3p + +Index: pam.debian/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -339,7 +339,7 @@ + .PP + \fBpam_limits\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBgetrlimit\fR(2)\fBgetrlimit\fR(3p) + .SH "AUTHOR" + .PP +Index: pam.debian/modules/pam_namespace/namespace.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_namespace/namespace.conf.5.xml ++++ pam.debian/modules/pam_namespace/namespace.conf.5.xml +@@ -204,7 +204,7 @@ + + pam_namespace8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_namespace/namespace.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_namespace/namespace.conf.5 ++++ pam.debian/modules/pam_namespace/namespace.conf.5 +@@ -155,7 +155,7 @@ + .PP + \fBpam_namespace\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + The namespace\&.conf manual page was written by Janak Desai \&. More features added by Tomas Mraz \&. 
+Index: pam.debian/modules/pam_time/time.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_time/time.conf.5.xml ++++ pam.debian/modules/pam_time/time.conf.5.xml +@@ -130,7 +130,7 @@ + + pam_time8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_time/time.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_time/time.conf.5 ++++ pam.debian/modules/pam_time/time.conf.5 +@@ -107,7 +107,7 @@ + .PP + \fBpam_time\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_access/pam_access.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_access/pam_access.8.xml ++++ pam.debian/modules/pam_access/pam_access.8.xml +@@ -237,7 +237,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_access/pam_access.8 +=================================================================== +--- pam.debian.orig/modules/pam_access/pam_access.8 ++++ pam.debian/modules/pam_access/pam_access.8 +@@ -125,7 +125,7 @@ + .PP + \fBaccess.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin \&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \&. 
+Index: pam.debian/modules/pam_cracklib/pam_cracklib.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8.xml ++++ pam.debian/modules/pam_cracklib/pam_cracklib.8.xml +@@ -577,7 +577,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_cracklib/pam_cracklib.8 +=================================================================== +--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8 ++++ pam.debian/modules/pam_cracklib/pam_cracklib.8 +@@ -357,7 +357,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_cracklib was written by Cristian Gafton +Index: pam.debian/modules/pam_debug/pam_debug.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_debug/pam_debug.8.xml ++++ pam.debian/modules/pam_debug/pam_debug.8.xml +@@ -216,7 +216,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_debug/pam_debug.8 +=================================================================== +--- pam.debian.orig/modules/pam_debug/pam_debug.8 ++++ pam.debian/modules/pam_debug/pam_debug.8 +@@ -138,7 +138,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_debug was written by Andrew G\&. Morgan \&. 
+Index: pam.debian/modules/pam_deny/pam_deny.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_deny/pam_deny.8.xml ++++ pam.debian/modules/pam_deny/pam_deny.8.xml +@@ -120,7 +120,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_deny/pam_deny.8 +=================================================================== +--- pam.debian.orig/modules/pam_deny/pam_deny.8 ++++ pam.debian/modules/pam_deny/pam_deny.8 +@@ -96,7 +96,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_deny was written by Andrew G\&. Morgan +Index: pam.debian/modules/pam_echo/pam_echo.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_echo/pam_echo.8.xml ++++ pam.debian/modules/pam_echo/pam_echo.8.xml +@@ -159,7 +159,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_echo/pam_echo.8 +=================================================================== +--- pam.debian.orig/modules/pam_echo/pam_echo.8 ++++ pam.debian/modules/pam_echo/pam_echo.8 +@@ -126,7 +126,7 @@ + .PP + \fBpam.conf\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + Thorsten Kukuk +Index: pam.debian/modules/pam_env/pam_env.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.8.xml ++++ pam.debian/modules/pam_env/pam_env.8.xml +@@ -235,7 +235,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . 
+ + +Index: pam.debian/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_exec/pam_exec.8.xml ++++ pam.debian/modules/pam_exec/pam_exec.8.xml +@@ -257,7 +257,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.debian.orig/modules/pam_exec/pam_exec.8 ++++ pam.debian/modules/pam_exec/pam_exec.8 +@@ -160,7 +160,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_exec was written by Thorsten Kukuk and Josh Triplett \&. +Index: pam.debian/modules/pam_faildelay/pam_faildelay.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8.xml ++++ pam.debian/modules/pam_faildelay/pam_faildelay.8.xml +@@ -121,7 +121,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_faildelay/pam_faildelay.8 +=================================================================== +--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8 ++++ pam.debian/modules/pam_faildelay/pam_faildelay.8 +@@ -87,7 +87,7 @@ + \fBpam_fail_delay\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_faildelay was written by Darren Tucker \&. 
+Index: pam.debian/modules/pam_filter/pam_filter.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_filter/pam_filter.8.xml ++++ pam.debian/modules/pam_filter/pam_filter.8.xml +@@ -246,7 +246,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_filter/pam_filter.8 +=================================================================== +--- pam.debian.orig/modules/pam_filter/pam_filter.8 ++++ pam.debian/modules/pam_filter/pam_filter.8 +@@ -166,7 +166,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_filter was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_ftp/pam_ftp.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_ftp/pam_ftp.8.xml ++++ pam.debian/modules/pam_ftp/pam_ftp.8.xml +@@ -168,7 +168,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_ftp/pam_ftp.8 +=================================================================== +--- pam.debian.orig/modules/pam_ftp/pam_ftp.8 ++++ pam.debian/modules/pam_ftp/pam_ftp.8 +@@ -119,7 +119,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_ftp was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_group/pam_group.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_group/pam_group.8.xml ++++ pam.debian/modules/pam_group/pam_group.8.xml +@@ -148,7 +148,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_group/pam_group.8 +=================================================================== +--- pam.debian.orig/modules/pam_group/pam_group.8 ++++ pam.debian/modules/pam_group/pam_group.8 +@@ -103,7 +103,7 @@ + .PP + \fBgroup.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + pam_group was written by Andrew G\&. Morgan \&. 
+Index: pam.debian/modules/pam_issue/pam_issue.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_issue/pam_issue.8.xml ++++ pam.debian/modules/pam_issue/pam_issue.8.xml +@@ -219,7 +219,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_issue/pam_issue.8 +=================================================================== +--- pam.debian.orig/modules/pam_issue/pam_issue.8 ++++ pam.debian/modules/pam_issue/pam_issue.8 +@@ -152,7 +152,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_issue was written by Ben Collins \&. +Index: pam.debian/modules/pam_keyinit/pam_keyinit.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8.xml ++++ pam.debian/modules/pam_keyinit/pam_keyinit.8.xml +@@ -223,7 +223,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + keyctl1 +Index: pam.debian/modules/pam_keyinit/pam_keyinit.8 +=================================================================== +--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8 ++++ pam.debian/modules/pam_keyinit/pam_keyinit.8 +@@ -130,7 +130,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\fBkeyctl\fR(1) ++\fBpam\fR(7)\fBkeyctl\fR(1) + .SH "AUTHOR" + .PP + pam_keyinit was written by David Howells, \&. 
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8.xml ++++ pam.debian/modules/pam_lastlog/pam_lastlog.8.xml +@@ -298,7 +298,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_lastlog/pam_lastlog.8 +=================================================================== +--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8 ++++ pam.debian/modules/pam_lastlog/pam_lastlog.8 +@@ -173,7 +173,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_lastlog was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_limits/pam_limits.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/pam_limits.8.xml ++++ pam.debian/modules/pam_limits/pam_limits.8.xml +@@ -241,7 +241,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_limits/pam_limits.8 +=================================================================== +--- pam.debian.orig/modules/pam_limits/pam_limits.8 ++++ pam.debian/modules/pam_limits/pam_limits.8 +@@ -146,7 +146,7 @@ + .PP + \fBlimits.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. 
+ .SH "AUTHORS" + .PP + pam_limits was initially written by Cristian Gafton +Index: pam.debian/modules/pam_listfile/pam_listfile.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_listfile/pam_listfile.8.xml ++++ pam.debian/modules/pam_listfile/pam_listfile.8.xml +@@ -281,7 +281,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_listfile/pam_listfile.8 +=================================================================== +--- pam.debian.orig/modules/pam_listfile/pam_listfile.8 ++++ pam.debian/modules/pam_listfile/pam_listfile.8 +@@ -205,7 +205,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_listfile was written by Michael K\&. Johnson and Elliot Lee \&. +Index: pam.debian/modules/pam_localuser/pam_localuser.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_localuser/pam_localuser.8.xml ++++ pam.debian/modules/pam_localuser/pam_localuser.8.xml +@@ -158,7 +158,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_localuser/pam_localuser.8 +=================================================================== +--- pam.debian.orig/modules/pam_localuser/pam_localuser.8 ++++ pam.debian/modules/pam_localuser/pam_localuser.8 +@@ -102,7 +102,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_localuser was written by Nalin Dahyabhai \&. 
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8.xml ++++ pam.debian/modules/pam_loginuid/pam_loginuid.8.xml +@@ -104,7 +104,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + , + + auditctl8 +Index: pam.debian/modules/pam_loginuid/pam_loginuid.8 +=================================================================== +--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8 ++++ pam.debian/modules/pam_loginuid/pam_loginuid.8 +@@ -75,7 +75,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBauditctl\fR(8), + \fBauditd\fR(8) + .SH "AUTHOR" +Index: pam.debian/modules/pam_mail/pam_mail.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_mail/pam_mail.8.xml ++++ pam.debian/modules/pam_mail/pam_mail.8.xml +@@ -265,7 +265,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_mail/pam_mail.8 +=================================================================== +--- pam.debian.orig/modules/pam_mail/pam_mail.8 ++++ pam.debian/modules/pam_mail/pam_mail.8 +@@ -153,7 +153,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_mail was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml ++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml +@@ -189,7 +189,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8 +=================================================================== +--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8 ++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8 +@@ -123,7 +123,7 @@ + .SH "SEE ALSO" + .PP + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. 
+ .SH "AUTHOR" + .PP + pam_mkhomedir was written by Jason Gunthorpe \&. +Index: pam.debian/modules/pam_motd/pam_motd.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml ++++ pam.debian/modules/pam_motd/pam_motd.8.xml +@@ -99,7 +99,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_motd/pam_motd.8 +=================================================================== +--- pam.debian.orig/modules/pam_motd/pam_motd.8 ++++ pam.debian/modules/pam_motd/pam_motd.8 +@@ -78,7 +78,7 @@ + \fBmotd\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_motd was written by Ben Collins \&. +Index: pam.debian/modules/pam_namespace/pam_namespace.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_namespace/pam_namespace.8.xml ++++ pam.debian/modules/pam_namespace/pam_namespace.8.xml +@@ -399,7 +399,7 @@ + mount8 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_namespace/pam_namespace.8 +=================================================================== +--- pam.debian.orig/modules/pam_namespace/pam_namespace.8 ++++ pam.debian/modules/pam_namespace/pam_namespace.8 +@@ -178,7 +178,7 @@ + \fBnamespace.conf\fR(5), + \fBpam.d\fR(5), + \fBmount\fR(8), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \&. Additional improvements by Xavier Toth and Tomas Mraz \&. 
+Index: pam.debian/modules/pam_nologin/pam_nologin.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_nologin/pam_nologin.8.xml ++++ pam.debian/modules/pam_nologin/pam_nologin.8.xml +@@ -160,7 +160,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_nologin/pam_nologin.8 +=================================================================== +--- pam.debian.orig/modules/pam_nologin/pam_nologin.8 ++++ pam.debian/modules/pam_nologin/pam_nologin.8 +@@ -124,7 +124,7 @@ + \fBnologin\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_nologin was written by Michael K\&. Johnson \&. +Index: pam.debian/modules/pam_permit/pam_permit.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_permit/pam_permit.8.xml ++++ pam.debian/modules/pam_permit/pam_permit.8.xml +@@ -91,7 +91,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_permit/pam_permit.8 +=================================================================== +--- pam.debian.orig/modules/pam_permit/pam_permit.8 ++++ pam.debian/modules/pam_permit/pam_permit.8 +@@ -78,7 +78,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_permit was written by Andrew G\&. Morgan, \&. 
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8.xml ++++ pam.debian/modules/pam_rhosts/pam_rhosts.8.xml +@@ -156,7 +156,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_rhosts/pam_rhosts.8 +=================================================================== +--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8 ++++ pam.debian/modules/pam_rhosts/pam_rhosts.8 +@@ -122,7 +122,7 @@ + \fBrhosts\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_rhosts was written by Thorsten Kukuk +Index: pam.debian/modules/pam_rootok/pam_rootok.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_rootok/pam_rootok.8.xml ++++ pam.debian/modules/pam_rootok/pam_rootok.8.xml +@@ -116,7 +116,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_rootok/pam_rootok.8 +=================================================================== +--- pam.debian.orig/modules/pam_rootok/pam_rootok.8 ++++ pam.debian/modules/pam_rootok/pam_rootok.8 +@@ -99,7 +99,7 @@ + \fBsu\fR(1), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_rootok was written by Andrew G\&. Morgan, \&. 
+Index: pam.debian/modules/pam_securetty/pam_securetty.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_securetty/pam_securetty.8.xml ++++ pam.debian/modules/pam_securetty/pam_securetty.8.xml +@@ -168,7 +168,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_securetty/pam_securetty.8 +=================================================================== +--- pam.debian.orig/modules/pam_securetty/pam_securetty.8 ++++ pam.debian/modules/pam_securetty/pam_securetty.8 +@@ -119,7 +119,7 @@ + \fBsecuretty\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_securetty was written by Elliot Lee \&. +Index: pam.debian/modules/pam_selinux/pam_selinux.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_selinux/pam_selinux.8.xml ++++ pam.debian/modules/pam_selinux/pam_selinux.8.xml +@@ -258,7 +258,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + , + + selinux8 +Index: pam.debian/modules/pam_selinux/pam_selinux.8 +=================================================================== +--- pam.debian.orig/modules/pam_selinux/pam_selinux.8 ++++ pam.debian/modules/pam_selinux/pam_selinux.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_selinux + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 06/18/2013 ++.\" Date: 01/14/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_SELINUX" "8" "06/18/2013" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SELINUX" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -144,7 +144,7 @@ + \fBexecve\fR(2), + \fBtty\fR(4), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBselinux\fR(8) + .SH 
"AUTHOR" + .PP +Index: pam.debian/modules/pam_sepermit/pam_sepermit.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8.xml ++++ pam.debian/modules/pam_sepermit/pam_sepermit.8.xml +@@ -176,7 +176,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + selinux8 +Index: pam.debian/modules/pam_sepermit/pam_sepermit.8 +=================================================================== +--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8 ++++ pam.debian/modules/pam_sepermit/pam_sepermit.8 +@@ -124,7 +124,7 @@ + \fBsepermit.conf\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\fBselinux\fR(8) ++\fBpam\fR(7)\fBselinux\fR(8) + .SH "AUTHOR" + .PP + pam_sepermit and this manual page were written by Tomas Mraz \&. +Index: pam.debian/modules/pam_shells/pam_shells.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_shells/pam_shells.8.xml ++++ pam.debian/modules/pam_shells/pam_shells.8.xml +@@ -102,7 +102,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_shells/pam_shells.8 +=================================================================== +--- pam.debian.orig/modules/pam_shells/pam_shells.8 ++++ pam.debian/modules/pam_shells/pam_shells.8 +@@ -85,7 +85,7 @@ + \fBshells\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_shells was written by Erik Troan \&. 
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8.xml ++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml +@@ -295,7 +295,7 @@ + glob7 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8 +=================================================================== +--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8 ++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8 +@@ -220,7 +220,7 @@ + .SH "SEE ALSO" + .PP + \fBglob\fR(7), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + Nalin Dahyabhai +Index: pam.debian/modules/pam_tally/pam_tally.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_tally/pam_tally.8.xml ++++ pam.debian/modules/pam_tally/pam_tally.8.xml +@@ -444,7 +444,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_tally/pam_tally.8 +=================================================================== +--- pam.debian.orig/modules/pam_tally/pam_tally.8 ++++ pam.debian/modules/pam_tally/pam_tally.8 +@@ -248,7 +248,7 @@ + \fBfaillog\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_tally was written by Tim Baverstock and Tomas Mraz\&. +Index: pam.debian/modules/pam_time/pam_time.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_time/pam_time.8.xml ++++ pam.debian/modules/pam_time/pam_time.8.xml +@@ -169,7 +169,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_time/pam_time.8 +=================================================================== +--- pam.debian.orig/modules/pam_time/pam_time.8 ++++ pam.debian/modules/pam_time/pam_time.8 +@@ -109,7 +109,7 @@ + .PP + \fBtime.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. 
+ .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_umask/pam_umask.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_umask/pam_umask.8.xml ++++ pam.debian/modules/pam_umask/pam_umask.8.xml +@@ -201,7 +201,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_umask/pam_umask.8 +=================================================================== +--- pam.debian.orig/modules/pam_umask/pam_umask.8 ++++ pam.debian/modules/pam_umask/pam_umask.8 +@@ -150,7 +150,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_umask was written by Thorsten Kukuk \&. +Index: pam.debian/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.debian/modules/pam_unix/pam_unix.8.xml +@@ -494,7 +494,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8 ++++ pam.debian/modules/pam_unix/pam_unix.8 +@@ -269,7 +269,7 @@ + \fBlogin.defs\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_unix was written by various people\&. 
+Index: pam.debian/doc/man/misc_conv.3.xml +=================================================================== +--- pam.debian.orig/doc/man/misc_conv.3.xml ++++ pam.debian/doc/man/misc_conv.3.xml +@@ -171,7 +171,7 @@ + pam_conv3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/misc_conv.3 +=================================================================== +--- pam.debian.orig/doc/man/misc_conv.3 ++++ pam.debian/doc/man/misc_conv.3 +@@ -117,7 +117,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_conv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/doc/man/pam_acct_mgmt.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_acct_mgmt.3.xml ++++ pam.debian/doc/man/pam_acct_mgmt.3.xml +@@ -138,7 +138,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_acct_mgmt.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_acct_mgmt.3 ++++ pam.debian/doc/man/pam_acct_mgmt.3 +@@ -97,4 +97,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_chauthtok\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_authenticate.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_authenticate.3.xml ++++ pam.debian/doc/man/pam_authenticate.3.xml +@@ -162,7 +162,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_authenticate.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_authenticate.3 ++++ pam.debian/doc/man/pam_authenticate.3 +@@ -107,4 +107,4 @@ + \fBpam_setcred\fR(3), + \fBpam_chauthtok\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_chauthtok.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_chauthtok.3.xml ++++ pam.debian/doc/man/pam_chauthtok.3.xml +@@ 
-157,7 +157,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_chauthtok.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_chauthtok.3 ++++ pam.debian/doc/man/pam_chauthtok.3 +@@ -106,4 +106,4 @@ + \fBpam_setcred\fR(3), + \fBpam_get_item\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_conv.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_conv.3.xml ++++ pam.debian/doc/man/pam_conv.3.xml +@@ -221,7 +221,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_conv.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_conv.3 ++++ pam.debian/doc/man/pam_conv.3 +@@ -174,4 +174,4 @@ + \fBpam_set_item\fR(3), + \fBpam_get_item\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_error.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_error.3.xml ++++ pam.debian/doc/man/pam_error.3.xml +@@ -105,7 +105,7 @@ + pam_vprompt3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_error.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_error.3 ++++ pam.debian/doc/man/pam_error.3 +@@ -80,7 +80,7 @@ + \fBpam_vinfo\fR(3), + \fBpam_prompt\fR(3), + \fBpam_vprompt\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/doc/man/pam_getenv.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_getenv.3.xml ++++ pam.debian/doc/man/pam_getenv.3.xml +@@ -60,7 +60,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_getenv.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_getenv.3 ++++ pam.debian/doc/man/pam_getenv.3 +@@ 
-57,4 +57,4 @@ + \fBpam_start\fR(3), + \fBpam_getenvlist\fR(3), + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_getenvlist.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_getenvlist.3.xml ++++ pam.debian/doc/man/pam_getenvlist.3.xml +@@ -78,7 +78,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_getenvlist.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_getenvlist.3 ++++ pam.debian/doc/man/pam_getenvlist.3 +@@ -63,4 +63,4 @@ + \fBpam_start\fR(3), + \fBpam_getenv\fR(3), + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_info.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_info.3.xml ++++ pam.debian/doc/man/pam_info.3.xml +@@ -93,7 +93,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_info.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_info.3 ++++ pam.debian/doc/man/pam_info.3 +@@ -76,7 +76,7 @@ + .RE + .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/doc/man/pam_misc_drop_env.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_misc_drop_env.3.xml ++++ pam.debian/doc/man/pam_misc_drop_env.3.xml +@@ -46,7 +46,7 @@ + pam_getenvlist3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_misc_drop_env.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_misc_drop_env.3 ++++ pam.debian/doc/man/pam_misc_drop_env.3 +@@ -52,7 +52,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_getenvlist\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/doc/man/pam_misc_paste_env.3.xml +=================================================================== +--- 
pam.debian.orig/doc/man/pam_misc_paste_env.3.xml ++++ pam.debian/doc/man/pam_misc_paste_env.3.xml +@@ -44,7 +44,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_misc_paste_env.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_misc_paste_env.3 ++++ pam.debian/doc/man/pam_misc_paste_env.3 +@@ -47,7 +47,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/doc/man/pam_misc_setenv.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_misc_setenv.3.xml ++++ pam.debian/doc/man/pam_misc_setenv.3.xml +@@ -51,7 +51,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_misc_setenv.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_misc_setenv.3 ++++ pam.debian/doc/man/pam_misc_setenv.3 +@@ -52,7 +52,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/doc/man/pam_prompt.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_prompt.3.xml ++++ pam.debian/doc/man/pam_prompt.3.xml +@@ -95,7 +95,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + , + + pam_conv3 +Index: pam.debian/doc/man/pam_prompt.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_prompt.3 ++++ pam.debian/doc/man/pam_prompt.3 +@@ -70,7 +70,7 @@ + .RE + .SH "SEE ALSO" + .PP +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBpam_conv\fR(3) + .SH "STANDARDS" + .PP +Index: pam.debian/doc/man/pam_putenv.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_putenv.3.xml ++++ pam.debian/doc/man/pam_putenv.3.xml +@@ -145,7 +145,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_putenv.3 
+=================================================================== +--- pam.debian.orig/doc/man/pam_putenv.3 ++++ pam.debian/doc/man/pam_putenv.3 +@@ -108,4 +108,4 @@ + \fBpam_getenv\fR(3), + \fBpam_getenvlist\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_strerror.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_strerror.3.xml ++++ pam.debian/doc/man/pam_strerror.3.xml +@@ -51,7 +51,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_strerror.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_strerror.3 ++++ pam.debian/doc/man/pam_strerror.3 +@@ -49,4 +49,4 @@ + This function returns always a pointer to a string\&. + .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.debian/doc/man/pam_syslog.3.xml +=================================================================== +--- pam.debian.orig/doc/man/pam_syslog.3.xml ++++ pam.debian/doc/man/pam_syslog.3.xml +@@ -66,7 +66,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam.debian/doc/man/pam_syslog.3 +=================================================================== +--- pam.debian.orig/doc/man/pam_syslog.3 ++++ pam.debian/doc/man/pam_syslog.3 +@@ -67,7 +67,7 @@ + variable argument list macros\&. 
+ .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam.debian/modules/pam_userdb/pam_userdb.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_userdb/pam_userdb.8.xml ++++ pam.debian/modules/pam_userdb/pam_userdb.8.xml +@@ -277,7 +277,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_userdb/pam_userdb.8 +=================================================================== +--- pam.debian.orig/modules/pam_userdb/pam_userdb.8 ++++ pam.debian/modules/pam_userdb/pam_userdb.8 +@@ -150,7 +150,7 @@ + \fBcrypt\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. +Index: pam.debian/modules/pam_warn/pam_warn.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_warn/pam_warn.8.xml ++++ pam.debian/modules/pam_warn/pam_warn.8.xml +@@ -90,7 +90,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_warn/pam_warn.8 +=================================================================== +--- pam.debian.orig/modules/pam_warn/pam_warn.8 ++++ pam.debian/modules/pam_warn/pam_warn.8 +@@ -83,7 +83,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_warn was written by Andrew G\&. Morgan \&. 
+Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml +@@ -212,7 +212,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.8 ++++ pam.debian/modules/pam_wheel/pam_wheel.8 +@@ -136,7 +136,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_wheel was written by Cristian Gafton \&. +Index: pam.debian/modules/pam_xauth/pam_xauth.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_xauth/pam_xauth.8.xml ++++ pam.debian/modules/pam_xauth/pam_xauth.8.xml +@@ -276,7 +276,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_xauth/pam_xauth.8 +=================================================================== +--- pam.debian.orig/modules/pam_xauth/pam_xauth.8 ++++ pam.debian/modules/pam_xauth/pam_xauth.8 +@@ -177,7 +177,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\&. Johnson \&. 
+Index: pam.debian/modules/pam_env/pam_env.8 +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.8 ++++ pam.debian/modules/pam_env/pam_env.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_env + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 01/15/2014 ++.\" Date: 01/16/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_ENV" "8" "01/15/2014" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "8" "01/16/2014" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- --- pam-1.1.8.orig/debian/patches-applied/cve-2011-4708.patch +++ pam-1.1.8/debian/patches-applied/cve-2011-4708.patch 
@@ -0,0 +1,64 @@ +Description: fix cve-2011-4708: .pam_environment privilege issue +Index: pam.debian/modules/pam_env/pam_env.c +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.c ++++ pam.debian/modules/pam_env/pam_env.c +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +Index: pam.debian/modules/pam_env/pam_env.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.8.xml ++++ pam.debian/modules/pam_env/pam_env.8.xml +@@ -147,7 +147,7 @@ + + + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off. + + + +Index: pam.debian/modules/pam_env/pam_env.8 +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.8 ++++ pam.debian/modules/pam_env/pam_env.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_env + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 09/19/2013 ++.\" Date: 01/15/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_ENV" "8" "09/19/2013" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "8" "01/15/2014" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -88,7 +88,7 @@ + .PP + \fBuser_readenv=\fR\fB\fI0|1\fR\fR + .RS 4 +-Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is on\&. ++Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. 
By default this option is off\&. + .RE + .SH "MODULE TYPES PROVIDED" + .PP +@@ -138,7 +138,7 @@ + .PP + \fBpam_env.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP + pam_env was written by Dave Kinchlea \&. --- pam-1.1.8.orig/debian/patches-applied/cve-2013-7041.patch +++ pam-1.1.8/debian/patches-applied/cve-2013-7041.patch 
@@ -0,0 +1,44 @@ +From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Fri, 24 Jan 2014 22:18:32 +0000 +Subject: pam_userdb: fix password hash comparison + +Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed +passwords support in pam_userdb, hashes are compared case-insensitively. +This bug leads to accepting hashes for completely different passwords in +addition to those that should be accepted. + +Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for +modern password hashes with different lengths and settings, did not +update the hash comparison accordingly, which leads to accepting +computed hashes longer than stored hashes when the latter is a prefix +of the former. + +* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed +hash whose length differs from the stored hash length. +Compare computed and stored hashes case-sensitively. +Fixes CVE-2013-7041. + +Bug-Debian: http://bugs.debian.org/731368 + +--- a/modules/pam_userdb/pam_userdb.c ++++ b/modules/pam_userdb/pam_userdb.c +@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, + } else { + cryptpw = crypt (pass, data.dptr); + +- if (cryptpw) { +- compare = strncasecmp (data.dptr, cryptpw, data.dsize); ++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { ++ compare = memcmp(data.dptr, cryptpw, data.dsize); + } else { + compare = -2; + if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); ++ if (cryptpw) ++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); ++ else ++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); + } + }; + --- pam-1.1.8.orig/debian/patches-applied/cve-2014-2583.patch +++ pam-1.1.8/debian/patches-applied/cve-2014-2583.patch 
@@ -0,0 +1,47 @@ +From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Wed, 26 Mar 2014 22:17:23 +0000 +Subject: pam_timestamp: fix potential directory traversal issue (ticket #27) + +pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of +the timestamp pathname it creates, so extra care should be taken to +avoid potential directory traversal issues. + +* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat +"." and ".." tty values as invalid. +(get_ruser): Treat "." and ".." ruser values, as well as any ruser +value containing '/', as invalid. + +Fixes CVE-2014-2583. + +Reported-by: Sebastian Krahmer + +--- a/modules/pam_timestamp/pam_timestamp.c ++++ b/modules/pam_timestamp/pam_timestamp.c +@@ -158,7 +158,7 @@ check_tty(const char *tty) + tty = strrchr(tty, '/') + 1; + } + /* Make sure the tty wasn't actually a directory (no basename). */ +- if (strlen(tty) == 0) { ++ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { + return NULL; + } + return tty; +@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) + if (pwd != NULL) { + ruser = pwd->pw_name; + } ++ } else { ++ /* ++ * This ruser is used by format_timestamp_name as a component ++ * of constructed timestamp pathname, so ".", "..", and '/' ++ * are disallowed to avoid potential path traversal issues. ++ */ ++ if (!strcmp(ruser, ".") || ++ !strcmp(ruser, "..") || ++ strchr(ruser, '/')) { ++ ruser = NULL; ++ } + } + if (ruser == NULL || strlen(ruser) >= ruserbuflen) { + *ruserbuf = '\0'; --- pam-1.1.8.orig/debian/patches-applied/cve-2015-3238.patch +++ pam-1.1.8/debian/patches-applied/cve-2015-3238.patch 
@@ -0,0 +1,122 @@ +From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Mon, 22 Jun 2015 14:53:01 +0200 +Subject: Release version 1.2.1 + +Security fix: CVE-2015-3238 + +If the process executing pam_sm_authenticate or pam_sm_chauthtok method +of pam_unix is not privileged enough to check the password, e.g. +if selinux is enabled, the _unix_run_helper_binary function is called. +When a long enough password is supplied (16 pages or more, i.e. 65536+ +bytes on a system with 4K pages), this helper function hangs +indefinitely, blocked in the write(2) call while writing to a blocking +pipe that has a limited capacity. +With this fix, the verifiable password length will be limited to +PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. + +diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c +index 5ab9630..17ba6ca 100644 +--- a/modules/pam_exec/pam_exec.c ++++ b/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, + } + + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strdupa (resp); ++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + _pam_drop (resp); + } + else +- authtok = void_pass; ++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + + if (pipe(fds) != 0) + { +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index 2d330e5..c2e5de5 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; +- if (fromwhat) +- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); +- else +- pam_modutil_write(fds[1], "", 1); +- if (towhat) { +- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ if (fromwhat) { ++ int len = strlen(fromwhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = 
PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], fromwhat, len); + } +- else +- pam_modutil_write(fds[1], "", 1); ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ int len = strlen(towhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], towhat, len); ++ } ++ pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index b325602..e79b55e 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) + int + read_passwords(int fd, int npass, char **passwords) + { ++ /* The passwords array must contain npass preallocated ++ * buffers of length MAXPASS + 1 ++ */ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { +- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; +diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h +index 3de6759..caf7ae8 100644 +--- a/modules/pam_unix/passverify.h ++++ b/modules/pam_unix/passverify.h +@@ -8,7 +8,7 @@ + + #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT + +-#define MAXPASS 200 /* the maximum length of a password */ ++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ + + #define OLD_PASSWORDS_FILE "/etc/security/opasswd" + +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index fdb45c2..abccd82 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + /* if the stored password is NULL */ + int rc=0; + if (passwd != NULL) { /* send the password to the child */ +- if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ int len = strlen(passwd); ++ ++ if 
(len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ if (write(fds[1], passwd, len) == -1 || ++ write(fds[1], "", 1) == -1) { + pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_AUTH_ERR; + } --- pam-1.1.8.orig/debian/patches-applied/do_not_check_nis_accidentally +++ pam-1.1.8/debian/patches-applied/do_not_check_nis_accidentally @@ -0,0 +1,22 @@ +Patch for Debian bug #469635 + +Always call _unix_getpwnam() consistent with the value of the 'nis' +option, so that we only grab from the backends we're expecting. + +Authors: Quentin Godfroy + +Upstream status: should be submitted + +Index: pam.deb/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam.deb/modules/pam_unix/pam_unix_passwd.c +@@ -551,7 +551,7 @@ + return PAM_USER_UNKNOWN; + } else { + struct passwd *pwd; +- _unix_getpwnam(pamh, user, 1, 1, &pwd); ++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd); + if (pwd == NULL) { + pam_syslog(pamh, LOG_DEBUG, + "user \"%s\" has corrupted passwd entry", --- pam-1.1.8.orig/debian/patches-applied/extrausers.patch +++ pam-1.1.8/debian/patches-applied/extrausers.patch 
@@ -0,0 +1,6567 @@ +Index: pam-1.1.8/modules/pam_extrausers/Makefile.am +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/Makefile.am +@@ -0,0 +1,70 @@ ++# ++# Copyright (c) 2005, 2006, 2009, 2011 Thorsten Kukuk ++# ++ ++CLEANFILES = *~ ++MAINTAINERCLEANFILES = $(MANS) ++ ++EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(MANS) \ ++ tst-pam_extrausers $(XMLS) ++ ++man_MANS = pam_extrausers.8 ++XMLS = pam_extrausers.8.xml ++ ++#TESTS = tst-pam_extrausers ++ ++securelibdir = $(SECUREDIR) ++secureconfdir = $(SCONFIGDIR) ++ ++AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ ++ -DCHKPWD_HELPER=\"$(sbindir)/pam_extrausers_chkpwd\" \ ++ -DUPDATE_HELPER=\"$(sbindir)/pam_extrausers_update\" \ ++ $(NIS_CFLAGS) ++ ++if HAVE_LIBSELINUX ++ AM_CFLAGS += -D"WITH_SELINUX" ++endif ++ ++pam_extrausers_la_LDFLAGS = -no-undefined -avoid-version -module ++if HAVE_VERSIONING ++ pam_extrausers_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map ++endif ++pam_extrausers_la_LIBADD = $(top_builddir)/libpam/libpam.la \ ++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ ++ ../pam_securetty/tty_secure.lo ++ ++securelib_LTLIBRARIES = pam_extrausers.la ++ ++noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h \ ++ pam_unix_static.h ++ ++sbin_PROGRAMS = pam_extrausers_chkpwd pam_extrausers_update ++ ++noinst_PROGRAMS = bigcrypt ++ ++pam_extrausers_la_SOURCES = bigcrypt.c pam_unix_acct.c \ ++ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ ++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c ++if STATIC_MODULES ++pam_extrausers_la_SOURCES += pam_unix_static.c ++endif ++ ++bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c ++bigcrypt_CFLAGS = $(AM_CFLAGS) ++bigcrypt_LDADD = @LIBCRYPT@ ++ ++pam_extrausers_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ ++ passverify.c ++pam_extrausers_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ 
-DHELPER_COMPILE=\"pam_extrausers_chkpwd\" ++pam_extrausers_chkpwd_LDFLAGS = @PIE_LDFLAGS@ ++pam_extrausers_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ ++ ++pam_extrausers_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ ++ passverify.c ++pam_extrausers_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"pam_extrausers_update\" ++pam_extrausers_update_LDFLAGS = @PIE_LDFLAGS@ ++pam_extrausers_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ ++ ++if ENABLE_REGENERATE_MAN ++-include $(top_srcdir)/Make.xml.rules ++endif +Index: pam-1.1.8/modules/pam_extrausers/README +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/README +@@ -0,0 +1,5 @@ ++This is a simple fork of pam_unix, but with the following changes: ++ ++ - The expected namespace changes ++ - References to /etc or /etc/secure are replaced with /var/lib/extrausers ++ - Unconditionally use our custom lckpwdf methods and namespace them +Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/bigcrypt.c +@@ -0,0 +1,159 @@ ++/* ++ * This function implements the "bigcrypt" algorithm specifically for ++ * Linux-PAM. ++ * ++ * This algorithm is algorithm 0 (default) shipped with the C2 secure ++ * implementation of Digital UNIX. ++ * ++ * Disclaimer: This work is not based on the source code to Digital ++ * UNIX, nor am I connected to Digital Equipment Corp, in any way ++ * other than as a customer. This code is based on published ++ * interfaces and reasonable guesswork. ++ * ++ * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8 ++ * characters or less. Each block is encrypted using the standard UNIX ++ * libc crypt function. The result of the encryption for one block ++ * provides the salt for the suceeding block. 
++ * ++ * Restrictions: The buffer used to hold the encrypted result is ++ * statically allocated. (see MAX_PASS_LEN below). This is necessary, ++ * as the returned pointer points to "static data that are overwritten ++ * by each call", (XPG3: XSI System Interface + Headers pg 109), and ++ * this is a drop in replacement for crypt(); ++ * ++ * Andy Phillips ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#ifdef HAVE_LIBXCRYPT ++#include ++#elif defined(HAVE_CRYPT_H) ++#include ++#endif ++ ++#include "bigcrypt.h" ++ ++/* ++ * Max cleartext password length in segments of 8 characters this ++ * function can deal with (16 segments of 8 chars= max 128 character ++ * password). ++ */ ++ ++#define MAX_PASS_LEN 16 ++#define SEGMENT_SIZE 8 ++#define SALT_SIZE 2 ++#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE) ++#define ESEGMENT_SIZE 11 ++#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1) ++ ++char *bigcrypt(const char *key, const char *salt) ++{ ++ char *dec_c2_cryptbuf; ++#ifdef HAVE_CRYPT_R ++ struct crypt_data *cdata; ++#endif ++ unsigned long int keylen, n_seg, j; ++ char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr; ++ char keybuf[KEYBUF_SIZE + 1]; ++ ++ D(("called with key='%s', salt='%s'.", key, salt)); ++ ++ /* reset arrays */ ++ dec_c2_cryptbuf = malloc(CBUF_SIZE); ++ if (!dec_c2_cryptbuf) { ++ return NULL; ++ } ++#ifdef HAVE_CRYPT_R ++ cdata = malloc(sizeof(*cdata)); ++ if(!cdata) { ++ free(dec_c2_cryptbuf); ++ return NULL; ++ } ++ cdata->initialized = 0; ++#endif ++ memset(keybuf, 0, KEYBUF_SIZE + 1); ++ memset(dec_c2_cryptbuf, 0, CBUF_SIZE); ++ ++ /* fill KEYBUF_SIZE with key */ ++ strncpy(keybuf, key, KEYBUF_SIZE); ++ ++ /* deal with case that we are doing a password check for a ++ conventially encrypted password: the salt will be ++ SALT_SIZE+ESEGMENT_SIZE long. */ ++ if (strlen(salt) == (SALT_SIZE + ESEGMENT_SIZE)) ++ keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) 
*/ ++ ++ keylen = strlen(keybuf); ++ ++ if (!keylen) { ++ n_seg = 1; ++ } else { ++ /* work out how many segments */ ++ n_seg = 1 + ((keylen - 1) / SEGMENT_SIZE); ++ } ++ ++ if (n_seg > MAX_PASS_LEN) ++ n_seg = MAX_PASS_LEN; /* truncate at max length */ ++ ++ /* set up some pointers */ ++ cipher_ptr = dec_c2_cryptbuf; ++ plaintext_ptr = keybuf; ++ ++ /* do the first block with supplied salt */ ++#ifdef HAVE_CRYPT_R ++ tmp_ptr = crypt_r(plaintext_ptr, salt, cdata); /* libc crypt_r() */ ++#else ++ tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */ ++#endif ++ if (tmp_ptr == NULL) { ++ free(dec_c2_cryptbuf); ++ return NULL; ++ } ++ /* and place in the static area */ ++ strncpy(cipher_ptr, tmp_ptr, 13); ++ cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; ++ plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */ ++ ++ /* change the salt (1st 2 chars of previous block) - this was found ++ by dowsing */ ++ ++ salt_ptr = cipher_ptr - ESEGMENT_SIZE; ++ ++ /* so far this is identical to "return crypt(key, salt);", if ++ there is more than one block encrypt them... 
*/ ++ ++ if (n_seg > 1) { ++ for (j = 2; j <= n_seg; j++) { ++ ++#ifdef HAVE_CRYPT_R ++ tmp_ptr = crypt_r(plaintext_ptr, salt_ptr, cdata); ++#else ++ tmp_ptr = crypt(plaintext_ptr, salt_ptr); ++#endif ++ if (tmp_ptr == NULL) { ++ _pam_overwrite(dec_c2_cryptbuf); ++ free(dec_c2_cryptbuf); ++ return NULL; ++ } ++ ++ /* skip the salt for seg!=0 */ ++ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); ++ ++ cipher_ptr += ESEGMENT_SIZE; ++ plaintext_ptr += SEGMENT_SIZE; ++ salt_ptr = cipher_ptr - ESEGMENT_SIZE; ++ } ++ } ++ D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf)); ++ ++#ifdef HAVE_CRYPT_R ++ free(cdata); ++#endif ++ ++ /* this is the terminated encrypted password */ ++ return dec_c2_cryptbuf; ++} +Index: pam-1.1.8/modules/pam_extrausers/bigcrypt.h +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/bigcrypt.h +@@ -0,0 +1 @@ ++extern char *bigcrypt(const char *key, const char *salt); +Index: pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/bigcrypt_main.c +@@ -0,0 +1,18 @@ ++#include ++#include ++ ++#include "bigcrypt.h" ++ ++int ++main(int argc, char **argv) ++{ ++ if (argc < 3) { ++ fprintf(stderr, "Usage: %s password salt\n", ++ strchr(argv[0], '/') ? ++ (strchr(argv[0], '/') + 1) : ++ argv[0]); ++ return 0; ++ } ++ fprintf(stdout, "%s\n", bigcrypt(argv[1], argv[2])); ++ return 0; ++} +Index: pam-1.1.8/modules/pam_extrausers/lckpwdf.-c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/lckpwdf.-c +@@ -0,0 +1,142 @@ ++/* ++ * This is a hack, but until libc and glibc both include this function ++ * by default (libc only includes it if nys is not being used, at the ++ * moment, and glibc doesn't appear to have it at all) we need to have ++ * it here, too. 
:-( ++ * ++ * This should not become an official part of PAM. ++ * ++ * BEGIN_HACK ++ */ ++ ++/* ++ * lckpwdf.c -- prevent simultaneous updates of password files ++ * ++ * Before modifying any of the password files, call lckpwdf(). It may block ++ * for up to 15 seconds trying to get the lock. Return value is 0 on success ++ * or -1 on failure. When you are done, call ulckpwdf() to release the lock. ++ * The lock is also released automatically when the process exits. Only one ++ * process at a time may hold the lock. ++ * ++ * These functions are supposed to be conformant with AT&T SVID Issue 3. ++ * ++ * Written by Marek Michalkiewicz , ++ * public domain. ++ */ ++ ++#include ++#include ++#ifdef WITH_SELINUX ++#include ++#endif ++ ++#define LOCKFILE "/var/lib/extrausers/.pwd.lock" ++#define TIMEOUT 15 ++ ++static int lockfd = -1; ++ ++static int set_close_on_exec(int fd) ++{ ++ int flags = fcntl(fd, F_GETFD, 0); ++ if (flags == -1) ++ return -1; ++ flags |= FD_CLOEXEC; ++ return fcntl(fd, F_SETFD, flags); ++} ++ ++static int do_lock(int fd) ++{ ++ struct flock fl; ++ ++ memset(&fl, 0, sizeof fl); ++ fl.l_type = F_WRLCK; ++ fl.l_whence = SEEK_SET; ++ return fcntl(fd, F_SETLKW, &fl); ++} ++ ++static void alarm_catch(int sig) ++{ ++/* does nothing, but fcntl F_SETLKW will fail with EINTR */ ++} ++ ++static int extrausers_lckpwdf(void) ++{ ++ struct sigaction act, oldact; ++ sigset_t set, oldset; ++ ++ if (lockfd != -1) ++ return -1; ++ ++#ifdef WITH_SELINUX ++ if(is_selinux_enabled()>0) ++ { ++ lockfd = open(LOCKFILE, O_WRONLY); ++ if(lockfd == -1 && errno == ENOENT) ++ { ++ security_context_t create_context; ++ int rc; ++ ++ if(getfilecon("/var/lib/extrausers/passwd", &create_context)) ++ return -1; ++ rc = setfscreatecon(create_context); ++ freecon(create_context); ++ if(rc) ++ return -1; ++ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); ++ if(setfscreatecon(NULL)) ++ return -1; ++ } ++ } ++ else ++#endif ++ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); ++ 
if (lockfd == -1) ++ return -1; ++ if (set_close_on_exec(lockfd) == -1) ++ goto cleanup_fd; ++ ++ memset(&act, 0, sizeof act); ++ act.sa_handler = alarm_catch; ++ act.sa_flags = 0; ++ sigfillset(&act.sa_mask); ++ if (sigaction(SIGALRM, &act, &oldact) == -1) ++ goto cleanup_fd; ++ ++ sigemptyset(&set); ++ sigaddset(&set, SIGALRM); ++ if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1) ++ goto cleanup_sig; ++ ++ alarm(TIMEOUT); ++ if (do_lock(lockfd) == -1) ++ goto cleanup_alarm; ++ alarm(0); ++ sigprocmask(SIG_SETMASK, &oldset, NULL); ++ sigaction(SIGALRM, &oldact, NULL); ++ return 0; ++ ++ cleanup_alarm: ++ alarm(0); ++ sigprocmask(SIG_SETMASK, &oldset, NULL); ++ cleanup_sig: ++ sigaction(SIGALRM, &oldact, NULL); ++ cleanup_fd: ++ close(lockfd); ++ lockfd = -1; ++ return -1; ++} ++ ++static int extrausers_ulckpwdf(void) ++{ ++ unlink(LOCKFILE); ++ if (lockfd == -1) ++ return -1; ++ ++ if (close(lockfd) == -1) { ++ lockfd = -1; ++ return -1; ++ } ++ lockfd = -1; ++ return 0; ++} ++/* END_HACK */ +Index: pam-1.1.8/modules/pam_extrausers/md5.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/md5.c +@@ -0,0 +1,255 @@ ++/* ++ * $Id$ ++ * ++ * This code implements the MD5 message-digest algorithm. ++ * The algorithm is due to Ron Rivest. This code was ++ * written by Colin Plumb in 1993, no copyright is claimed. ++ * This code is in the public domain; do with it what you wish. ++ * ++ * Equivalent code is available from RSA Data Security, Inc. ++ * This code has been tested against that, and is equivalent, ++ * except that you don't need to include two pages of legalese ++ * with every copy. ++ * ++ * To compute the message digest of a chunk of bytes, declare an ++ * MD5Context structure, pass it to MD5Init, call MD5Update as ++ * needed on buffers full of bytes, and then call MD5Final, which ++ * will fill a supplied 16-byte array with the digest. 
++ * ++ */ ++ ++#include ++#include "md5.h" ++ ++#ifndef HIGHFIRST ++#define byteReverse(buf, len) /* Nothing */ ++#else ++static void byteReverse(unsigned char *buf, unsigned longs); ++ ++#ifndef ASM_MD5 ++/* ++ * Note: this code is harmless on little-endian machines. ++ */ ++static void byteReverse(unsigned char *buf, unsigned longs) ++{ ++ uint32 t; ++ do { ++ t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | ++ ((unsigned) buf[1] << 8 | buf[0]); ++ *(uint32 *) buf = t; ++ buf += 4; ++ } while (--longs); ++} ++#endif ++#endif ++ ++/* ++ * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious ++ * initialization constants. ++ */ ++void MD5Name(MD5Init)(struct MD5Context *ctx) ++{ ++ ctx->buf[0] = 0x67452301U; ++ ctx->buf[1] = 0xefcdab89U; ++ ctx->buf[2] = 0x98badcfeU; ++ ctx->buf[3] = 0x10325476U; ++ ++ ctx->bits[0] = 0; ++ ctx->bits[1] = 0; ++} ++ ++/* ++ * Update context to reflect the concatenation of another buffer full ++ * of bytes. ++ */ ++void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len) ++{ ++ uint32 t; ++ ++ /* Update bitcount */ ++ ++ t = ctx->bits[0]; ++ if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) ++ ctx->bits[1]++; /* Carry from low to high */ ++ ctx->bits[1] += len >> 29; ++ ++ t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ ++ ++ /* Handle any leading odd-sized chunks */ ++ ++ if (t) { ++ unsigned char *p = (unsigned char *) ctx->in + t; ++ ++ t = 64 - t; ++ if (len < t) { ++ memcpy(p, buf, len); ++ return; ++ } ++ memcpy(p, buf, t); ++ byteReverse(ctx->in, 16); ++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); ++ buf += t; ++ len -= t; ++ } ++ /* Process data in 64-byte chunks */ ++ ++ while (len >= 64) { ++ memcpy(ctx->in, buf, 64); ++ byteReverse(ctx->in, 16); ++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); ++ buf += 64; ++ len -= 64; ++ } ++ ++ /* Handle any remaining bytes of data. 
*/ ++ ++ memcpy(ctx->in, buf, len); ++} ++ ++/* ++ * Final wrapup - pad to 64-byte boundary with the bit pattern ++ * 1 0* (64-bit count of bits processed, MSB-first) ++ */ ++void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) ++{ ++ unsigned count; ++ unsigned char *p; ++ ++ /* Compute number of bytes mod 64 */ ++ count = (ctx->bits[0] >> 3) & 0x3F; ++ ++ /* Set the first char of padding to 0x80. This is safe since there is ++ always at least one byte free */ ++ p = ctx->in + count; ++ *p++ = 0x80; ++ ++ /* Bytes of padding needed to make 64 bytes */ ++ count = 64 - 1 - count; ++ ++ /* Pad out to 56 mod 64 */ ++ if (count < 8) { ++ /* Two lots of padding: Pad the first block to 64 bytes */ ++ memset(p, 0, count); ++ byteReverse(ctx->in, 16); ++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); ++ ++ /* Now fill the next block with 56 bytes */ ++ memset(ctx->in, 0, 56); ++ } else { ++ /* Pad block to 56 bytes */ ++ memset(p, 0, count - 8); ++ } ++ byteReverse(ctx->in, 14); ++ ++ /* Append length in bits and transform */ ++ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); ++ ++ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); ++ byteReverse((unsigned char *) ctx->buf, 4); ++ memcpy(digest, ctx->buf, 16); ++ memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ ++} ++ ++#ifndef ASM_MD5 ++ ++/* The four core functions - F1 is optimized somewhat */ ++ ++/* #define F1(x, y, z) (x & y | ~x & z) */ ++#define F1(x, y, z) (z ^ (x & (y ^ z))) ++#define F2(x, y, z) F1(z, x, y) ++#define F3(x, y, z) (x ^ y ^ z) ++#define F4(x, y, z) (y ^ (x | ~z)) ++ ++/* This is the central step in the MD5 algorithm. */ ++#define MD5STEP(f, w, x, y, z, data, s) \ ++ ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) ++ ++/* ++ * The core of the MD5 algorithm, this alters an existing MD5 hash to ++ * reflect the addition of 16 longwords of new data. MD5Update blocks ++ * the data and converts bytes into longwords for this routine. 
++ */ ++void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16]) ++{ ++ register uint32 a, b, c, d; ++ ++ a = buf[0]; ++ b = buf[1]; ++ c = buf[2]; ++ d = buf[3]; ++ ++ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7); ++ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12); ++ MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17); ++ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22); ++ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7); ++ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12); ++ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17); ++ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22); ++ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7); ++ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12); ++ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17); ++ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22); ++ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7); ++ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12); ++ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17); ++ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22); ++ ++ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5); ++ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9); ++ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14); ++ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20); ++ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5); ++ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9); ++ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14); ++ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20); ++ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5); ++ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9); ++ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14); ++ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20); ++ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5); ++ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9); ++ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14); ++ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20); ++ ++ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4); ++ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11); ++ MD5STEP(F3, c, d, 
a, b, in[11] + 0x6d9d6122U, 16); ++ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23); ++ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4); ++ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11); ++ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16); ++ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23); ++ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4); ++ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11); ++ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16); ++ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23); ++ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4); ++ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11); ++ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16); ++ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23); ++ ++ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6); ++ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10); ++ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15); ++ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21); ++ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6); ++ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10); ++ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15); ++ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21); ++ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6); ++ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10); ++ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15); ++ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21); ++ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6); ++ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10); ++ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15); ++ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21); ++ ++ buf[0] += a; ++ buf[1] += b; ++ buf[2] += c; ++ buf[3] += d; ++} ++ ++#endif +Index: pam-1.1.8/modules/pam_extrausers/md5.h +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/md5.h +@@ -0,0 +1,31 @@ ++ ++#ifndef MD5_H ++#define MD5_H ++ ++typedef unsigned int uint32; ++ ++struct MD5Context { ++ uint32 buf[4]; ++ uint32 bits[2]; ++ unsigned 
char in[64]; ++}; ++ ++void GoodMD5Init(struct MD5Context *); ++void GoodMD5Update(struct MD5Context *, unsigned const char *, unsigned); ++void GoodMD5Final(unsigned char digest[16], struct MD5Context *); ++void GoodMD5Transform(uint32 buf[4], uint32 const in[16]); ++void BrokenMD5Init(struct MD5Context *); ++void BrokenMD5Update(struct MD5Context *, unsigned const char *, unsigned); ++void BrokenMD5Final(unsigned char digest[16], struct MD5Context *); ++void BrokenMD5Transform(uint32 buf[4], uint32 const in[16]); ++ ++char *Goodcrypt_md5(const char *pw, const char *salt); ++char *Brokencrypt_md5(const char *pw, const char *salt); ++ ++/* ++ * This is needed to make RSAREF happy on some MS-DOS compilers. ++ */ ++ ++typedef struct MD5Context MD5_CTX; ++ ++#endif /* MD5_H */ +Index: pam-1.1.8/modules/pam_extrausers/md5_broken.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/md5_broken.c +@@ -0,0 +1,4 @@ ++#define MD5Name(x) Broken##x ++ ++#include "md5.c" ++#include "md5_crypt.c" +Index: pam-1.1.8/modules/pam_extrausers/md5_crypt.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/md5_crypt.c +@@ -0,0 +1,154 @@ ++/* ++ * $Id$ ++ * ++ * ---------------------------------------------------------------------------- ++ * "THE BEER-WARE LICENSE" (Revision 42): ++ * wrote this file. As long as you retain this notice you ++ * can do whatever you want with this stuff. If we meet some day, and you think ++ * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp ++ * ---------------------------------------------------------------------------- ++ * ++ * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp ++ * ++ */ ++ ++#include ++#include ++#include "md5.h" ++ ++static unsigned char itoa64[] = /* 0 ... 
63 => ascii - 64 */ ++"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; ++ ++static void to64(char *s, unsigned long v, int n) ++{ ++ while (--n >= 0) { ++ *s++ = itoa64[v & 0x3f]; ++ v >>= 6; ++ } ++} ++ ++/* ++ * UNIX password ++ * ++ * Use MD5 for what it is best at... ++ */ ++ ++char *MD5Name(crypt_md5)(const char *pw, const char *salt) ++{ ++ const char *magic = "$1$"; ++ /* This string is magic for this algorithm. Having ++ * it this way, we can get get better later on */ ++ char *passwd, *p; ++ const char *sp, *ep; ++ unsigned char final[16]; ++ int sl, pl, i, j; ++ MD5_CTX ctx, ctx1; ++ unsigned long l; ++ ++ /* Refine the Salt first */ ++ sp = salt; ++ ++ /* TODO: now that we're using malloc'ed memory, get rid of the ++ strange constant buffer size. */ ++ passwd = malloc(120); ++ ++ /* If it starts with the magic string, then skip that */ ++ if (!strncmp(sp, magic, strlen(magic))) ++ sp += strlen(magic); ++ ++ /* It stops at the first '$', max 8 chars */ ++ for (ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++) ++ continue; ++ ++ /* get the length of the true salt */ ++ sl = ep - sp; ++ ++ MD5Name(MD5Init)(&ctx); ++ ++ /* The password first, since that is what is most unknown */ ++ MD5Name(MD5Update)(&ctx,(unsigned const char *)pw,strlen(pw)); ++ ++ /* Then our magic string */ ++ MD5Name(MD5Update)(&ctx,(unsigned const char *)magic,strlen(magic)); ++ ++ /* Then the raw salt */ ++ MD5Name(MD5Update)(&ctx,(unsigned const char *)sp,sl); ++ ++ /* Then just as many characters of the MD5(pw,salt,pw) */ ++ MD5Name(MD5Init)(&ctx1); ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl); ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); ++ MD5Name(MD5Final)(final,&ctx1); ++ for (pl = strlen(pw); pl > 0; pl -= 16) ++ MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl); ++ ++ /* Don't leave anything around in vm they could use. 
*/ ++ memset(final, 0, sizeof final); ++ ++ /* Then something really weird... */ ++ for (j = 0, i = strlen(pw); i; i >>= 1) ++ if (i & 1) ++ MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1); ++ else ++ MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1); ++ ++ /* Now make the output string */ ++ strcpy(passwd, magic); ++ strncat(passwd, sp, sl); ++ strcat(passwd, "$"); ++ ++ MD5Name(MD5Final)(final,&ctx); ++ ++ /* ++ * and now, just to make sure things don't run too fast ++ * On a 60 Mhz Pentium this takes 34 msec, so you would ++ * need 30 seconds to build a 1000 entry dictionary... ++ */ ++ for (i = 0; i < 1000; i++) { ++ MD5Name(MD5Init)(&ctx1); ++ if (i & 1) ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); ++ else ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16); ++ ++ if (i % 3) ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl); ++ ++ if (i % 7) ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); ++ ++ if (i & 1) ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16); ++ else ++ MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw)); ++ MD5Name(MD5Final)(final,&ctx1); ++ } ++ ++ p = passwd + strlen(passwd); ++ ++ l = (final[0] << 16) | (final[6] << 8) | final[12]; ++ to64(p, l, 4); ++ p += 4; ++ l = (final[1] << 16) | (final[7] << 8) | final[13]; ++ to64(p, l, 4); ++ p += 4; ++ l = (final[2] << 16) | (final[8] << 8) | final[14]; ++ to64(p, l, 4); ++ p += 4; ++ l = (final[3] << 16) | (final[9] << 8) | final[15]; ++ to64(p, l, 4); ++ p += 4; ++ l = (final[4] << 16) | (final[10] << 8) | final[5]; ++ to64(p, l, 4); ++ p += 4; ++ l = final[11]; ++ to64(p, l, 2); ++ p += 2; ++ *p = '\0'; ++ ++ /* Don't leave anything around in vm they could use. 
*/ ++ memset(final, 0, sizeof final); ++ ++ return passwd; ++} +Index: pam-1.1.8/modules/pam_extrausers/md5_good.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/md5_good.c +@@ -0,0 +1,5 @@ ++#define HIGHFIRST ++#define MD5Name(x) Good##x ++ ++#include "md5.c" ++#include "md5_crypt.c" +Index: pam-1.1.8/modules/pam_extrausers/obscure.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. */ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. 
Two types, 7, and so on. ++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. 
It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (!UNIX_DES_CRYPT(ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +Index: pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_unix_acct.c +@@ -0,0 +1,304 @@ ++/* ++ * Copyright Elliot Lee, 1996. All rights reserved. ++ * Copyright Jan R\EAkorajski, 1999. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) 
++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include /* for time() */ ++#include ++#include ++ ++#include ++ ++/* indicate that the following groups are defined */ ++ ++#ifdef PAM_STATIC ++# include "pam_unix_static.h" ++#else ++# define PAM_SM_ACCOUNT ++#endif ++ ++#include ++#include ++#include ++ ++#include "support.h" ++#include "passverify.h" ++ ++int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, ++ const char *user, int *daysleft) ++{ ++ int retval=0, child, fds[2]; ++ struct sigaction newsa, oldsa; ++ D(("running verify_binary")); ++ ++ /* create a pipe for the messages */ ++ if (pipe(fds) != 0) { ++ D(("could not make pipe")); ++ pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m"); ++ return PAM_AUTH_ERR; ++ } ++ D(("called.")); ++ ++ if (off(UNIX_NOREAP, ctrl)) { ++ /* ++ * This code arranges that the demise of the child does not cause ++ * the application to receive a signal it is not expecting - which ++ * may kill the application or worse. ++ * ++ * The "noreap" module argument is provided so that the admin can ++ * override this behavior. 
++ */ ++ memset(&newsa, '\0', sizeof(newsa)); ++ newsa.sa_handler = SIG_DFL; ++ sigaction(SIGCHLD, &newsa, &oldsa); ++ } ++ ++ /* fork */ ++ child = fork(); ++ if (child == 0) { ++ int i=0; ++ struct rlimit rlim; ++ static char *envp[] = { NULL }; ++ char *args[] = { NULL, NULL, NULL, NULL }; ++ ++ /* reopen stdout as pipe */ ++ dup2(fds[1], STDOUT_FILENO); ++ ++ /* XXX - should really tidy up PAM here too */ ++ ++ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { ++ if (rlim.rlim_max >= MAX_FD_NO) ++ rlim.rlim_max = MAX_FD_NO; ++ for (i=0; i < (int)rlim.rlim_max; i++) { ++ if (i != STDOUT_FILENO) { ++ close(i); ++ } ++ } ++ } ++ ++ if (geteuid() == 0) { ++ /* must set the real uid to 0 so the helper will not error ++ out if pam is called from setuid binary (su, sudo...) */ ++ if (setuid(0) == -1) { ++ pam_syslog(pamh, LOG_ERR, "setuid failed: %m"); ++ printf("-1\n"); ++ fflush(stdout); ++ _exit(PAM_AUTHINFO_UNAVAIL); ++ } ++ } ++ ++ /* exec binary helper */ ++ args[0] = x_strdup(CHKPWD_HELPER); ++ args[1] = x_strdup(user); ++ args[2] = x_strdup("chkexpiry"); ++ ++ execve(CHKPWD_HELPER, args, envp); ++ ++ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m"); ++ /* should not get here: exit with error */ ++ D(("helper binary is not available")); ++ printf("-1\n"); ++ fflush(stdout); ++ _exit(PAM_AUTHINFO_UNAVAIL); ++ } else { ++ close(fds[1]); ++ if (child > 0) { ++ char buf[32]; ++ int rc=0; ++ /* wait for helper to complete: */ ++ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); ++ if (rc<0) { ++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd waitpid returned %d: %m", rc); ++ retval = PAM_AUTH_ERR; ++ } else if (!WIFEXITED(retval)) { ++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd abnormal exit: %d", retval); ++ retval = PAM_AUTH_ERR; ++ } else { ++ retval = WEXITSTATUS(retval); ++ rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1); ++ if(rc > 0) { ++ buf[rc] = '\0'; ++ if (sscanf(buf,"%d", daysleft) != 1 ) ++ retval = PAM_AUTH_ERR; ++ } ++ 
else { ++ pam_syslog(pamh, LOG_ERR, "read pam_extrausers_chkpwd output error %d: %m", rc); ++ retval = PAM_AUTH_ERR; ++ } ++ } ++ } else { ++ pam_syslog(pamh, LOG_ERR, "Fork failed: %m"); ++ D(("fork failed")); ++ retval = PAM_AUTH_ERR; ++ } ++ close(fds[0]); ++ } ++ ++ if (off(UNIX_NOREAP, ctrl)) { ++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ ++ } ++ ++ D(("Returning %d",retval)); ++ return retval; ++} ++ ++/* ++ * PAM framework looks for this entry-point to pass control to the ++ * account management module. ++ */ ++ ++int ++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ unsigned int ctrl; ++ const void *void_uname; ++ const char *uname; ++ int retval, daysleft; ++ struct spwd *spent; ++ struct passwd *pwent; ++ char buf[256]; ++ ++ D(("called.")); ++ ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); ++ ++ retval = pam_get_item(pamh, PAM_USER, &void_uname); ++ uname = void_uname; ++ D(("user = `%s'", uname)); ++ if (retval != PAM_SUCCESS || uname == NULL) { ++ pam_syslog(pamh, LOG_ALERT, ++ "could not identify user (from uid=%lu)", ++ (unsigned long int)getuid()); ++ return PAM_USER_UNKNOWN; ++ } ++ ++ retval = get_account_info(pamh, uname, &pwent, &spent); ++ if (retval == PAM_USER_UNKNOWN) { ++ pam_syslog(pamh, LOG_ALERT, ++ "could not identify user (from getpwnam(%s))", ++ uname); ++ return retval; ++ } ++ ++ if (retval == PAM_SUCCESS && spent == NULL) ++ return PAM_SUCCESS; ++ ++ if (retval == PAM_UNIX_RUN_HELPER) { ++ retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft); ++ if (retval == PAM_AUTHINFO_UNAVAIL && ++ on(UNIX_BROKEN_SHADOW, ctrl)) ++ return PAM_SUCCESS; ++ } else if (retval != PAM_SUCCESS) { ++ if (on(UNIX_BROKEN_SHADOW,ctrl)) ++ return PAM_SUCCESS; ++ else ++ return retval; ++ } else ++ retval = check_shadow_expiry(pamh, spent, &daysleft); ++ ++ switch (retval) { ++ case PAM_ACCT_EXPIRED: ++ pam_syslog(pamh, LOG_NOTICE, ++ "account %s has expired (account 
expired)", ++ uname); ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, ++ _("Your account has expired; please contact your system administrator")); ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ if (daysleft == 0) { ++ pam_syslog(pamh, LOG_NOTICE, ++ "expired password for user %s (root enforced)", ++ uname); ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, ++ _("You are required to change your password immediately (root enforced)")); ++ } else { ++ pam_syslog(pamh, LOG_DEBUG, ++ "expired password for user %s (password aged)", ++ uname); ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, ++ _("You are required to change your password immediately (password aged)")); ++ } ++ break; ++ case PAM_AUTHTOK_EXPIRED: ++ pam_syslog(pamh, LOG_NOTICE, ++ "account %s has expired (failed to change password)", ++ uname); ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, ++ _("Your account has expired; please contact your system administrator")); ++ break; ++ case PAM_AUTHTOK_ERR: ++ retval = PAM_SUCCESS; ++ /* fallthrough */ ++ case PAM_SUCCESS: ++ if (daysleft >= 0) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "password for user %s will expire in %d days", ++ uname, daysleft); ++#if defined HAVE_DNGETTEXT && defined ENABLE_NLS ++ snprintf (buf, sizeof (buf), ++ dngettext(PACKAGE, ++ "Warning: your password will expire in %d day", ++ "Warning: your password will expire in %d days", ++ daysleft), ++ daysleft); ++#else ++ if (daysleft == 1) ++ snprintf(buf, sizeof (buf), ++ _("Warning: your password will expire in %d day"), ++ daysleft); ++ else ++ snprintf(buf, sizeof (buf), ++ /* TRANSLATORS: only used if dngettext is not supported */ ++ _("Warning: your password will expire in %d days"), ++ daysleft); ++#endif ++ _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf); ++ } ++ } ++ ++ D(("all done")); ++ ++ return retval; ++} +Index: pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_unix_auth.c +@@ -0,0 
+1,218 @@ ++/* ++ * Copyright Alexander O. Yuriev, 1996. All rights reserved. ++ * NIS+ support by Thorsten Kukuk ++ * Copyright Jan R\EAkorajski, 1999. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* indicate the following groups are defined */ ++ ++#ifdef PAM_STATIC ++# include "pam_unix_static.h" ++#else ++# define PAM_SM_AUTH ++#endif ++ ++#define _PAM_EXTERN_FUNCTIONS ++#include ++#include ++#include ++ ++#include "support.h" ++ ++/* ++ * PAM framework looks for these entry-points to pass control to the ++ * authentication module. ++ */ ++ ++/* Fun starts here :) ++ ++ * pam_sm_authenticate() performs UNIX/shadow authentication ++ * ++ * First, if shadow support is available, attempt to perform ++ * authentication using shadow passwords. If shadow is not ++ * available, or user does not have a shadow password, fallback ++ * onto a normal UNIX authentication ++ */ ++ ++#define _UNIX_AUTHTOK "-UN*X-PASS" ++ ++#define AUTH_RETURN \ ++do { \ ++ if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \ ++ D(("recording return code for next time [%d]", \ ++ retval)); \ ++ *ret_data = retval; \ ++ pam_set_data(pamh, "unix_setcred_return", \ ++ (void *) ret_data, setcred_free); \ ++ } else if (ret_data) \ ++ free (ret_data); \ ++ D(("done. [%s]", pam_strerror(pamh, retval))); \ ++ return retval; \ ++} while (0) ++ ++ ++static void ++setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED) ++{ ++ if (ptr) ++ free (ptr); ++} ++ ++int ++pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ unsigned int ctrl; ++ int retval, *ret_data = NULL; ++ const char *name; ++ const void *p; ++ ++ D(("called.")); ++ ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); ++ ++ /* Get a few bytes so we can pass our return value to ++ pam_sm_setcred(). 
*/ ++ if (on(UNIX_LIKE_AUTH, ctrl)) ++ ret_data = malloc(sizeof(int)); ++ ++ /* get the user'name' */ ++ ++ retval = pam_get_user(pamh, &name, NULL); ++ if (retval == PAM_SUCCESS) { ++ /* ++ * Various libraries at various times have had bugs related to ++ * '+' or '-' as the first character of a user name. Don't ++ * allow this characters here. ++ */ ++ if (name == NULL || name[0] == '-' || name[0] == '+') { ++ pam_syslog(pamh, LOG_ERR, "bad username [%s]", name); ++ retval = PAM_USER_UNKNOWN; ++ AUTH_RETURN; ++ } ++ if (on(UNIX_DEBUG, ctrl)) ++ D(("username [%s] obtained", name)); ++ } else { ++ D(("trouble reading username")); ++ if (retval == PAM_CONV_AGAIN) { ++ D(("pam_get_user/conv() function is not ready yet")); ++ /* it is safe to resume this function so we translate this ++ * retval to the value that indicates we're happy to resume. ++ */ ++ retval = PAM_INCOMPLETE; ++ } ++ AUTH_RETURN; ++ } ++ ++ /* if this user does not have a password... */ ++ ++ if (_unix_blankpasswd(pamh, ctrl, name)) { ++ D(("user '%s' has blank passwd", name)); ++ name = NULL; ++ retval = PAM_SUCCESS; ++ AUTH_RETURN; ++ } ++ /* get this user's authentication token */ ++ ++ retval = _unix_read_password(pamh, ctrl, NULL, _("Password: "), NULL ++ ,_UNIX_AUTHTOK, &p); ++ if (retval != PAM_SUCCESS) { ++ if (retval != PAM_CONV_AGAIN) { ++ pam_syslog(pamh, LOG_CRIT, ++ "auth could not identify password for [%s]", name); ++ } else { ++ D(("conversation function is not ready yet")); ++ /* ++ * it is safe to resume this function so we translate this ++ * retval to the value that indicates we're happy to resume. ++ */ ++ retval = PAM_INCOMPLETE; ++ } ++ name = NULL; ++ AUTH_RETURN; ++ } ++ D(("user=%s, password=[%s]", name, p)); ++ ++ /* verify the password of this user */ ++ retval = _unix_verify_password(pamh, name, p, ctrl); ++ name = p = NULL; ++ ++ AUTH_RETURN; ++} ++ ++ ++/* ++ * The only thing _pam_set_credentials_unix() does is initialization of ++ * UNIX group IDs. 
++ * ++ * Well, everybody but me on linux-pam is convinced that it should not ++ * initialize group IDs, so I am not doing it but don't say that I haven't ++ * warned you. -- AOY ++ */ ++ ++int ++pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, ++ int argc UNUSED, const char **argv UNUSED) ++{ ++ int retval; ++ const void *pretval = NULL; ++ ++ D(("called.")); ++ ++ retval = PAM_SUCCESS; ++ ++ D(("recovering return code from auth call")); ++ /* We will only find something here if UNIX_LIKE_AUTH is set -- ++ don't worry about an explicit check of argv. */ ++ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS ++ && pretval) { ++ retval = *(const int *)pretval; ++ pam_set_data(pamh, "unix_setcred_return", NULL, NULL); ++ D(("recovered data indicates that old retval was %d", retval)); ++ } ++ ++ return retval; ++} +Index: pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_unix_passwd.c +@@ -0,0 +1,843 @@ ++/* ++ * Main coding by Elliot Lee , Red Hat Software. ++ * Copyright (C) 1996. ++ * Copyright (c) Jan Rêkorajski, 1999. ++ * Copyright (c) Red Hat, Inc., 2007, 2008. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. 
++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include /* for time() */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++/* indicate the following groups are defined */ ++ ++#ifdef PAM_STATIC ++# include "pam_unix_static.h" ++#else ++# define PAM_SM_PASSWORD ++#endif ++ ++#include ++#include ++#include ++ ++#include "md5.h" ++#include "support.h" ++#include "passverify.h" ++#include "bigcrypt.h" ++ ++#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER ++# define HAVE_NIS ++#endif ++ ++#ifdef HAVE_NIS ++# include ++ ++# if HAVE_RPCSVC_YP_PROT_H ++# include ++# endif ++ ++# if HAVE_RPCSVC_YPCLNT_H ++# include ++# endif ++ ++# include "yppasswd.h" ++ ++# if !HAVE_DECL_GETRPCPORT ++extern int getrpcport(const char *host, unsigned long prognum, ++ unsigned long versnum, unsigned int proto); ++# endif /* GNU libc 2.1 */ ++#endif ++ ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ ++/* ++ How it works: ++ Gets in username (has to be done) from the calling program ++ Does authentication of user (only if we are not running as root) ++ Gets new password/checks for sanity ++ Sets it. 
++ */ ++ ++/* data tokens */ ++ ++#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS" ++#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" ++ ++#define MAX_PASSWD_TRIES 3 ++ ++#ifdef HAVE_NIS ++static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) ++{ ++ char *master; ++ char *domainname; ++ int port, err; ++ ++#ifdef HAVE_YP_GET_DEFAULT_DOMAIN ++ if ((err = yp_get_default_domain(&domainname)) != 0) { ++ pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s", ++ yperr_string(err)); ++ return NULL; ++ } ++#elif defined(HAVE_GETDOMAINNAME) ++ char domainname_res[256]; ++ ++ if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) ++ { ++ if (strcmp (domainname_res, "(none)") == 0) ++ { ++ /* If domainname is not set, some systems will return "(none)" */ ++ domainname_res[0] = '\0'; ++ } ++ domainname = domainname_res; ++ } ++ else domainname = NULL; ++#endif ++ ++ if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) { ++ pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s", ++ yperr_string(err)); ++ return NULL; ++ } ++ port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP); ++ if (port == 0) { ++ pam_syslog(pamh, LOG_WARNING, ++ "yppasswdd not running on NIS master host"); ++ return NULL; ++ } ++ if (port >= IPPORT_RESERVED) { ++ pam_syslog(pamh, LOG_WARNING, ++ "yppasswd daemon running on illegal port"); ++ return NULL; ++ } ++ if (on(UNIX_DEBUG, ctrl)) { ++ pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d", ++ master, port); ++ } ++ return master; ++} ++#endif ++ ++#ifdef WITH_SELINUX ++ ++static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, ++ const char *fromwhat, const char *towhat, int remember) ++{ ++ int retval, child, fds[2]; ++ struct sigaction newsa, oldsa; ++ ++ D(("called.")); ++ /* create a pipe for the password */ ++ if (pipe(fds) != 0) { ++ D(("could not make pipe")); ++ return PAM_AUTH_ERR; ++ } ++ ++ if (off(UNIX_NOREAP, ctrl)) { ++ /* ++ * 
This code arranges that the demise of the child does not cause ++ * the application to receive a signal it is not expecting - which ++ * may kill the application or worse. ++ * ++ * The "noreap" module argument is provided so that the admin can ++ * override this behavior. ++ */ ++ memset(&newsa, '\0', sizeof(newsa)); ++ newsa.sa_handler = SIG_DFL; ++ sigaction(SIGCHLD, &newsa, &oldsa); ++ } ++ ++ /* fork */ ++ child = fork(); ++ if (child == 0) { ++ int i=0; ++ struct rlimit rlim; ++ static char *envp[] = { NULL }; ++ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; ++ char buffer[16]; ++ ++ /* XXX - should really tidy up PAM here too */ ++ ++ /* reopen stdin as pipe */ ++ dup2(fds[0], STDIN_FILENO); ++ ++ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { ++ if (rlim.rlim_max >= MAX_FD_NO) ++ rlim.rlim_max = MAX_FD_NO; ++ for (i=0; i < (int)rlim.rlim_max; i++) { ++ if (i != STDIN_FILENO) ++ close(i); ++ } ++ } ++ ++ /* exec binary helper */ ++ args[0] = x_strdup(UPDATE_HELPER); ++ args[1] = x_strdup(user); ++ args[2] = x_strdup("update"); ++ if (on(UNIX_SHADOW, ctrl)) ++ args[3] = x_strdup("1"); ++ else ++ args[3] = x_strdup("0"); ++ ++ snprintf(buffer, sizeof(buffer), "%d", remember); ++ args[4] = x_strdup(buffer); ++ ++ execve(UPDATE_HELPER, args, envp); ++ ++ /* should not get here: exit with error */ ++ D(("helper binary is not available")); ++ _exit(PAM_AUTHINFO_UNAVAIL); ++ } else if (child > 0) { ++ /* wait for child */ ++ /* if the stored password is NULL */ ++ int rc=0; ++ if (fromwhat) ++ pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); ++ else ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ } ++ else ++ pam_modutil_write(fds[1], "", 1); ++ ++ close(fds[0]); /* close here to avoid possible SIGPIPE above */ ++ close(fds[1]); ++ /* wait for helper to complete: */ ++ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); ++ if (rc<0) { ++ pam_syslog(pamh, LOG_ERR, 
"pam_extrausers_update waitpid failed: %m"); ++ retval = PAM_AUTHTOK_ERR; ++ } else if (!WIFEXITED(retval)) { ++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_update abnormal exit: %d", retval); ++ retval = PAM_AUTHTOK_ERR; ++ } else { ++ retval = WEXITSTATUS(retval); ++ } ++ } else { ++ D(("fork failed")); ++ close(fds[0]); ++ close(fds[1]); ++ retval = PAM_AUTH_ERR; ++ } ++ ++ if (off(UNIX_NOREAP, ctrl)) { ++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ ++ } ++ ++ return retval; ++} ++#endif ++ ++static int check_old_password(const char *forwho, const char *newpass) ++{ ++ static char buf[16384]; ++ char *s_luser, *s_uid, *s_npas, *s_pas; ++ int retval = PAM_SUCCESS; ++ FILE *opwfile; ++ size_t len = strlen(forwho); ++ ++ opwfile = fopen(OLD_PASSWORDS_FILE, "r"); ++ if (opwfile == NULL) ++ return PAM_ABORT; ++ ++ while (fgets(buf, 16380, opwfile)) { ++ if (!strncmp(buf, forwho, len) && (buf[len] == ':' || ++ buf[len] == ',')) { ++ char *sptr; ++ buf[strlen(buf) - 1] = '\0'; ++ s_luser = strtok_r(buf, ":,", &sptr); ++ s_uid = strtok_r(NULL, ":,", &sptr); ++ s_npas = strtok_r(NULL, ":,", &sptr); ++ s_pas = strtok_r(NULL, ":,", &sptr); ++ while (s_pas != NULL) { ++ char *md5pass = Goodcrypt_md5(newpass, s_pas); ++ if (!strcmp(md5pass, s_pas)) { ++ _pam_delete(md5pass); ++ retval = PAM_AUTHTOK_ERR; ++ break; ++ } ++ s_pas = strtok_r(NULL, ":,", &sptr); ++ _pam_delete(md5pass); ++ } ++ break; ++ } ++ } ++ fclose(opwfile); ++ ++ return retval; ++} ++ ++static int _do_setpass(pam_handle_t* pamh, const char *forwho, ++ const char *fromwhat, ++ char *towhat, unsigned int ctrl, int remember) ++{ ++ struct passwd *pwd = NULL; ++ int retval = 0; ++ int unlocked = 0; ++ char *master = NULL; ++ ++ D(("called")); ++ ++ pwd = getpwnam(forwho); ++ ++ if (pwd == NULL) { ++ retval = PAM_AUTHTOK_ERR; ++ goto done; ++ } ++ ++ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { ++#ifdef HAVE_NIS ++ if ((master=getNISserver(pamh, ctrl)) != NULL) { 
++ struct timeval timeout; ++ struct yppasswd yppwd; ++ CLIENT *clnt; ++ int status; ++ enum clnt_stat err; ++ ++ /* Unlock passwd file to avoid deadlock */ ++ unlock_pwdf(); ++ unlocked = 1; ++ ++ /* Initialize password information */ ++ yppwd.newpw.pw_passwd = pwd->pw_passwd; ++ yppwd.newpw.pw_name = pwd->pw_name; ++ yppwd.newpw.pw_uid = pwd->pw_uid; ++ yppwd.newpw.pw_gid = pwd->pw_gid; ++ yppwd.newpw.pw_gecos = pwd->pw_gecos; ++ yppwd.newpw.pw_dir = pwd->pw_dir; ++ yppwd.newpw.pw_shell = pwd->pw_shell; ++ yppwd.oldpass = fromwhat ? strdup (fromwhat) : strdup (""); ++ yppwd.newpw.pw_passwd = towhat; ++ ++ D(("Set password %s for %s", yppwd.newpw.pw_passwd, forwho)); ++ ++ /* The yppasswd.x file said `unix authentication required', ++ * so I added it. This is the only reason it is in here. ++ * My yppasswdd doesn't use it, but maybe some others out there ++ * do. --okir ++ */ ++ clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp"); ++ clnt->cl_auth = authunix_create_default(); ++ memset((char *) &status, '\0', sizeof(status)); ++ timeout.tv_sec = 25; ++ timeout.tv_usec = 0; ++ err = clnt_call(clnt, YPPASSWDPROC_UPDATE, ++ (xdrproc_t) xdr_yppasswd, (char *) &yppwd, ++ (xdrproc_t) xdr_int, (char *) &status, ++ timeout); ++ ++ free (yppwd.oldpass); ++ ++ if (err) { ++ _make_remark(pamh, ctrl, PAM_TEXT_INFO, ++ clnt_sperrno(err)); ++ } else if (status) { ++ D(("Error while changing NIS password.\n")); ++ } ++ D(("The password has%s been changed on %s.", ++ (err || status) ? " not" : "", master)); ++ pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s", ++ (err || status) ? 
" not" : "", pwd->pw_name, master); ++ ++ auth_destroy(clnt->cl_auth); ++ clnt_destroy(clnt); ++ if (err || status) { ++ _make_remark(pamh, ctrl, PAM_TEXT_INFO, ++ _("NIS password could not be changed.")); ++ retval = PAM_TRY_AGAIN; ++ } ++#ifdef PAM_DEBUG ++ sleep(5); ++#endif ++ } else { ++ retval = PAM_TRY_AGAIN; ++ } ++#else ++ if (on(UNIX_DEBUG, ctrl)) { ++ pam_syslog(pamh, LOG_DEBUG, "No NIS support available"); ++ } ++ ++ retval = PAM_TRY_AGAIN; ++#endif ++ } ++ ++ if (_unix_comesfromsource(pamh, forwho, 1, 0)) { ++ if(unlocked) { ++ if (lock_pwdf() != PAM_SUCCESS) { ++ return PAM_AUTHTOK_LOCK_BUSY; ++ } ++ } ++#ifdef WITH_SELINUX ++ if (unix_selinux_confined()) ++ return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember); ++#endif ++ /* first, save old password */ ++ if (save_old_password(pamh, forwho, fromwhat, remember)) { ++ retval = PAM_AUTHTOK_ERR; ++ goto done; ++ } ++ if (on(UNIX_SHADOW, ctrl) || is_pwd_shadowed(pwd)) { ++ retval = unix_update_shadow(pamh, forwho, towhat); ++ if (retval == PAM_SUCCESS) ++ if (!is_pwd_shadowed(pwd)) ++ retval = unix_update_passwd(pamh, forwho, "x"); ++ } else { ++ retval = unix_update_passwd(pamh, forwho, towhat); ++ } ++ } ++ ++ ++done: ++ unlock_pwdf(); ++ ++ return retval; ++} ++ ++static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl) ++{ ++ struct passwd *pwent = NULL; /* Password and shadow password */ ++ struct spwd *spent = NULL; /* file entries for the user */ ++ int daysleft; ++ int retval; ++ ++ retval = get_account_info(pamh, user, &pwent, &spent); ++ if (retval == PAM_USER_UNKNOWN) { ++ return retval; ++ } ++ ++ if (retval == PAM_SUCCESS && spent == NULL) ++ return PAM_SUCCESS; ++ ++ if (retval == PAM_UNIX_RUN_HELPER) { ++ retval = _unix_run_verify_binary(pamh, ctrl, user, &daysleft); ++ if (retval == PAM_AUTH_ERR || retval == PAM_USER_UNKNOWN) ++ return retval; ++ } ++ else if (retval == PAM_SUCCESS) ++ retval = check_shadow_expiry(pamh, spent, 
&daysleft); ++ ++ if (on(UNIX__IAMROOT, ctrl) || retval == PAM_NEW_AUTHTOK_REQD) ++ return PAM_SUCCESS; ++ ++ return retval; ++} ++ ++static int _pam_unix_approve_pass(pam_handle_t * pamh ++ ,unsigned int ctrl ++ ,const char *pass_old ++ ,const char *pass_new, ++ int pass_min_len) ++{ ++ const void *user; ++ const char *remark = NULL; ++ int retval = PAM_SUCCESS; ++ ++ D(("&new=%p, &old=%p", pass_old, pass_new)); ++ D(("new=[%s]", pass_new)); ++ D(("old=[%s]", pass_old)); ++ ++ if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) { ++ if (on(UNIX_DEBUG, ctrl)) { ++ pam_syslog(pamh, LOG_DEBUG, "bad authentication token"); ++ } ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? ++ _("No password supplied") : _("Password unchanged")); ++ return PAM_AUTHTOK_ERR; ++ } ++ /* ++ * if one wanted to hardwire authentication token strength ++ * checking this would be the place - AGM ++ */ ++ ++ retval = pam_get_item(pamh, PAM_USER, &user); ++ if (retval != PAM_SUCCESS) { ++ if (on(UNIX_DEBUG, ctrl)) { ++ pam_syslog(pamh, LOG_ERR, "Can not get username"); ++ return PAM_AUTHTOK_ERR; ++ } ++ } ++ if (off(UNIX__IAMROOT, ctrl)) { ++ if (strlen(pass_new) < pass_min_len) ++ remark = _("You must choose a longer password"); ++ D(("length check [%s]", remark)); ++ if (on(UNIX_REMEMBER_PASSWD, ctrl)) { ++ if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR) ++ remark = _("Password has been already used. 
Choose another."); ++ if (retval == PAM_ABORT) { ++ pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords", ++ OLD_PASSWORDS_FILE); ++ return retval; ++ } ++ } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } ++ } ++ if (remark) { ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); ++ retval = PAM_AUTHTOK_ERR; ++ } ++ return retval; ++} ++ ++int ++pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ unsigned int ctrl, lctrl; ++ int retval; ++ int remember = -1; ++ int rounds = -1; ++ int pass_min_len = 6; ++ ++ /* */ ++ const char *user; ++ const void *pass_old, *pass_new; ++ /* */ ++ ++ D(("called.")); ++ ++ ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len, ++ argc, argv); ++ ++ /* ++ * First get the name of a user ++ */ ++ retval = pam_get_user(pamh, &user, NULL); ++ if (retval == PAM_SUCCESS) { ++ /* ++ * Various libraries at various times have had bugs related to ++ * '+' or '-' as the first character of a user name. Don't ++ * allow them. ++ */ ++ if (user == NULL || user[0] == '-' || user[0] == '+') { ++ pam_syslog(pamh, LOG_ERR, "bad username [%s]", user); ++ return PAM_USER_UNKNOWN; ++ } ++ if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) ++ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", ++ user); ++ } else { ++ if (on(UNIX_DEBUG, ctrl)) ++ pam_syslog(pamh, LOG_DEBUG, ++ "password - could not identify user"); ++ return retval; ++ } ++ ++ D(("Got username of %s", user)); ++ ++ /* ++ * Before we do anything else, check to make sure that the user's ++ * info is in one of the databases we can modify from this module, ++ * which currently is 'files' and 'nis'. We have to do this because ++ * getpwnam() doesn't tell you *where* the information it gives you ++ * came from, nor should it. 
That's our job. ++ */ ++ if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "user \"%s\" does not exist in /var/lib/extrausers/passwd%s", ++ user, on(UNIX_NIS, ctrl) ? " or NIS" : ""); ++ return PAM_USER_UNKNOWN; ++ } else { ++ struct passwd *pwd; ++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd); ++ if (pwd == NULL) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "user \"%s\" has corrupted passwd entry", ++ user); ++ return PAM_USER_UNKNOWN; ++ } ++ } ++ ++ /* ++ * This is not an AUTH module! ++ */ ++ if (on(UNIX__NONULL, ctrl)) ++ set(UNIX__NULLOK, ctrl); ++ ++ if (on(UNIX__PRELIM, ctrl)) { ++ /* ++ * obtain and verify the current password (OLDAUTHTOK) for ++ * the user. ++ */ ++ char *Announce; ++ ++ D(("prelim check")); ++ ++ if (_unix_blankpasswd(pamh, ctrl, user)) { ++ return PAM_SUCCESS; ++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) { ++ /* instruct user what is happening */ ++ if (asprintf(&Announce, _("Changing password for %s."), ++ user) < 0) { ++ pam_syslog(pamh, LOG_CRIT, ++ "password - out of memory"); ++ return PAM_BUF_ERR; ++ } ++ ++ lctrl = ctrl; ++ set(UNIX__OLD_PASSWD, lctrl); ++ retval = _unix_read_password(pamh, lctrl ++ ,Announce ++ ,(on(UNIX__IAMROOT, ctrl) ++ ? 
_("NIS server root password: ") ++ : _("(current) UNIX password: ")) ++ ,NULL ++ ,_UNIX_OLD_AUTHTOK ++ ,&pass_old); ++ free(Announce); ++ ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_NOTICE, ++ "password - (old) token not obtained"); ++ return retval; ++ } ++ /* verify that this is the password for this user ++ * if we're not using NIS */ ++ ++ if (off(UNIX_NIS, ctrl)) { ++ retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ } ++ } else { ++ D(("process run by root so do nothing this time around")); ++ pass_old = NULL; ++ retval = PAM_SUCCESS; /* root doesn't have too */ ++ } ++ ++ if (retval != PAM_SUCCESS) { ++ D(("Authentication failed")); ++ pass_old = NULL; ++ return retval; ++ } ++ retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); ++ pass_old = NULL; ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_CRIT, ++ "failed to set PAM_OLDAUTHTOK"); ++ } ++ retval = _unix_verify_shadow(pamh,user, ctrl); ++ if (retval == PAM_AUTHTOK_ERR) { ++ if (off(UNIX__IAMROOT, ctrl)) ++ _make_remark(pamh, ctrl, PAM_ERROR_MSG, ++ _("You must wait longer to change your password")); ++ else ++ retval = PAM_SUCCESS; ++ } ++ } else if (on(UNIX__UPDATE, ctrl)) { ++ /* ++ * tpass is used below to store the _pam_md() return; it ++ * should be _pam_delete()'d. ++ */ ++ ++ char *tpass = NULL; ++ int retry = 0; ++ ++ /* ++ * obtain the proposed password ++ */ ++ ++ D(("do update")); ++ ++ /* ++ * get the old token back. NULL was ok only if root [at this ++ * point we assume that this has already been enforced on a ++ * previous call to this function]. 
++ */ ++ ++ if (off(UNIX_NOT_SET_PASS, ctrl)) { ++ retval = pam_get_item(pamh, PAM_OLDAUTHTOK ++ ,&pass_old); ++ } else { ++ retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK ++ ,&pass_old); ++ if (retval == PAM_NO_MODULE_DATA) { ++ retval = PAM_SUCCESS; ++ pass_old = NULL; ++ } ++ } ++ D(("pass_old [%s]", pass_old)); ++ ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_NOTICE, "user not authenticated"); ++ return retval; ++ } ++ ++ D(("get new password now")); ++ ++ lctrl = ctrl; ++ ++ if (on(UNIX_USE_AUTHTOK, lctrl)) { ++ set(UNIX_USE_FIRST_PASS, lctrl); ++ } ++ retry = 0; ++ retval = PAM_AUTHTOK_ERR; ++ while ((retval != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) { ++ /* ++ * use_authtok is to force the use of a previously entered ++ * password -- needed for pluggable password strength checking ++ */ ++ ++ retval = _unix_read_password(pamh, lctrl ++ ,NULL ++ ,_("Enter new UNIX password: ") ++ ,_("Retype new UNIX password: ") ++ ,_UNIX_NEW_AUTHTOK ++ ,&pass_new); ++ ++ if (retval != PAM_SUCCESS) { ++ if (on(UNIX_DEBUG, ctrl)) { ++ pam_syslog(pamh, LOG_ALERT, ++ "password - new password not obtained"); ++ } ++ pass_old = NULL; /* tidy up */ ++ return retval; ++ } ++ D(("returned to _unix_chauthtok")); ++ ++ /* ++ * At this point we know who the user is and what they ++ * propose as their new password. Verify that the new ++ * password is acceptable. 
++ */ ++ ++ if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */ ++ pass_new = NULL; ++ } ++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, ++ pass_new, pass_min_len); ++ ++ if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) { ++ pam_set_item(pamh, PAM_AUTHTOK, NULL); ++ } ++ } ++ ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_NOTICE, ++ "new password not acceptable"); ++ pass_new = pass_old = NULL; /* tidy up */ ++ return retval; ++ } ++ if (lock_pwdf() != PAM_SUCCESS) { ++ return PAM_AUTHTOK_LOCK_BUSY; ++ } ++ ++ if (pass_old) { ++ retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_NOTICE, "user password changed by another process"); ++ unlock_pwdf(); ++ return retval; ++ } ++ } ++ ++ retval = _unix_verify_shadow(pamh, user, ctrl); ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_NOTICE, "user shadow entry expired"); ++ unlock_pwdf(); ++ return retval; ++ } ++ ++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new, ++ pass_min_len); ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_NOTICE, ++ "new password not acceptable 2"); ++ pass_new = pass_old = NULL; /* tidy up */ ++ unlock_pwdf(); ++ return retval; ++ } ++ ++ /* ++ * By reaching here we have approved the passwords and must now ++ * rebuild the password database file. ++ */ ++ ++ /* ++ * First we encrypt the new password. ++ */ ++ ++ tpass = create_password_hash(pamh, pass_new, ctrl, rounds); ++ if (tpass == NULL) { ++ pam_syslog(pamh, LOG_CRIT, ++ "crypt() failure or out of memory for password"); ++ pass_new = pass_old = NULL; /* tidy up */ ++ unlock_pwdf(); ++ return PAM_BUF_ERR; ++ } ++ ++ D(("password processed")); ++ ++ /* update the password database(s) -- race conditions..? 
*/ ++ ++ retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, ++ remember); ++ /* _do_setpass has called unlock_pwdf for us */ ++ ++ _pam_delete(tpass); ++ pass_old = pass_new = NULL; ++ } else { /* something has broken with the module */ ++ pam_syslog(pamh, LOG_ALERT, ++ "password received unknown request"); ++ retval = PAM_ABORT; ++ } ++ ++ D(("retval was %d", retval)); ++ ++ return retval; ++} +Index: pam-1.1.8/modules/pam_extrausers/pam_unix_sess.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_unix_sess.c +@@ -0,0 +1,133 @@ ++/* ++ * $Id$ ++ * ++ * Copyright Alexander O. Yuriev, 1996. All rights reserved. ++ * Copyright Jan R\EAkorajski, 1999. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) 
++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* indicate the following groups are defined */ ++ ++#ifdef PAM_STATIC ++# include "pam_unix_static.h" ++#else ++# define PAM_SM_SESSION ++#endif ++ ++#include ++#include ++#include ++#include ++ ++#include "support.h" ++ ++/* ++ * PAM framework looks for these entry-points to pass control to the ++ * session module. ++ */ ++ ++int ++pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ char *user_name, *service; ++ unsigned int ctrl; ++ int retval; ++ const char *login_name; ++ ++ D(("called.")); ++ ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); ++ ++ retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); ++ if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_CRIT, ++ "open_session - error recovering username"); ++ return PAM_SESSION_ERR; /* How did we get authenticated with ++ no username?! 
*/ ++ } ++ retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); ++ if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_CRIT, ++ "open_session - error recovering service"); ++ return PAM_SESSION_ERR; ++ } ++ login_name = pam_modutil_getlogin(pamh); ++ if (login_name == NULL) { ++ login_name = ""; ++ } ++ pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)", ++ user_name, login_name, (unsigned long)getuid()); ++ ++ return PAM_SUCCESS; ++} ++ ++int ++pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ char *user_name, *service; ++ unsigned int ctrl; ++ int retval; ++ ++ D(("called.")); ++ ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); ++ ++ retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); ++ if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_CRIT, ++ "close_session - error recovering username"); ++ return PAM_SESSION_ERR; /* How did we get authenticated with ++ no username?! 
*/ ++ } ++ retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); ++ if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_CRIT, ++ "close_session - error recovering service"); ++ return PAM_SESSION_ERR; ++ } ++ pam_syslog(pamh, LOG_INFO, "session closed for user %s", ++ user_name); ++ ++ return PAM_SUCCESS; ++} +Index: pam-1.1.8/modules/pam_extrausers/pam_unix_static.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_unix_static.c +@@ -0,0 +1,23 @@ ++#include "config.h" ++ ++#ifdef PAM_STATIC ++ ++#define static extern ++#define PAM_SM_ACCOUNT ++#define PAM_SM_AUTH ++#define PAM_SM_PASSWORD ++#define PAM_SM_SESSION ++#include "pam_unix_static.h" ++#include ++ ++struct pam_module _pam_extrausers_modstruct = { ++ "pam_extrausers", ++ pam_sm_authenticate, ++ pam_sm_setcred, ++ pam_sm_acct_mgmt, ++ pam_sm_open_session, ++ pam_sm_close_session, ++ pam_sm_chauthtok, ++}; ++ ++#endif +Index: pam-1.1.8/modules/pam_extrausers/pam_unix_static.h +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_unix_static.h +@@ -0,0 +1,6 @@ ++#define pam_sm_acct_mgmt _pam_unix_sm_acct_mgmt ++#define pam_sm_authenticate _pam_unix_sm_authenticate ++#define pam_sm_setcred _pam_unix_sm_setcred ++#define pam_sm_chauthtok _pam_unix_sm_chauthtok ++#define pam_sm_open_session _pam_unix_sm_open_session ++#define pam_sm_close_session _pam_unix_sm_close_session +Index: pam-1.1.8/modules/pam_extrausers/passverify.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/passverify.c +@@ -0,0 +1,1164 @@ ++/* ++ * Copyright information at end of file. 
++ */ ++#include "config.h" ++#include ++#include ++#include "support.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef HAVE_LIBXCRYPT ++#include ++#elif defined(HAVE_CRYPT_H) ++#include ++#endif ++ ++#include "md5.h" ++#include "bigcrypt.h" ++#include "passverify.h" ++ ++#ifdef WITH_SELINUX ++#include ++#define SELINUX_ENABLED is_selinux_enabled()>0 ++#else ++#define SELINUX_ENABLED 0 ++#endif ++ ++#ifdef HELPER_COMPILE ++#define pam_modutil_getpwnam(h,n) getpwnam(n) ++#define pam_modutil_getspnam(h,n) getspnam(n) ++#define pam_syslog(h,a,b,c) helper_log_err(a,b,c) ++#else ++#include ++#include ++#endif ++ ++#if defined(USE_LCKPWDF) ++# include "./lckpwdf.-c" ++#endif ++ ++static void ++strip_hpux_aging(char *hash) ++{ ++ static const char valid[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" ++ "abcdefghijklmnopqrstuvwxyz" ++ "0123456789./"; ++ if ((*hash != '$') && (strlen(hash) > 13)) { ++ for (hash += 13; *hash != '\0'; hash++) { ++ if (strchr(valid, *hash) == NULL) { ++ *hash = '\0'; ++ break; ++ } ++ } ++ } ++} ++ ++int ++verify_pwd_hash(const char *p, char *hash, unsigned int nullok) ++{ ++ size_t hash_len; ++ char *pp = NULL; ++ int retval; ++ D(("called")); ++ ++ strip_hpux_aging(hash); ++ hash_len = strlen(hash); ++ if (!hash_len) { ++ /* the stored password is NULL */ ++ if (nullok) { /* this means we've succeeded */ ++ D(("user has empty password - access granted")); ++ retval = PAM_SUCCESS; ++ } else { ++ D(("user has empty password - access denied")); ++ retval = PAM_AUTH_ERR; ++ } ++ } else if (!p || *hash == '*' || *hash == '!') { ++ retval = PAM_AUTH_ERR; ++ } else { ++ if (!strncmp(hash, "$1$", 3)) { ++ pp = Goodcrypt_md5(p, hash); ++ if (pp && strcmp(pp, hash) != 0) { ++ _pam_delete(pp); ++ pp = Brokencrypt_md5(p, hash); ++ } ++ } else if (*hash != '$' && hash_len >= 13) { ++ pp = bigcrypt(p, hash); ++ if (pp && hash_len == 13 && strlen(pp) > 
hash_len) { ++ _pam_overwrite(pp + hash_len); ++ } ++ } else { ++ /* ++ * Ok, we don't know the crypt algorithm, but maybe ++ * libcrypt knows about it? We should try it. ++ */ ++#ifdef HAVE_CRYPT_R ++ struct crypt_data *cdata; ++ cdata = malloc(sizeof(*cdata)); ++ if (cdata != NULL) { ++ cdata->initialized = 0; ++ pp = x_strdup(crypt_r(p, hash, cdata)); ++ memset(cdata, '\0', sizeof(*cdata)); ++ free(cdata); ++ } ++#else ++ pp = x_strdup(crypt(p, hash)); ++#endif ++ } ++ p = NULL; /* no longer needed here */ ++ ++ /* the moment of truth -- do we agree with the password? */ ++ D(("comparing state of pp[%s] and hash[%s]", pp, hash)); ++ ++ if (pp && strcmp(pp, hash) == 0) { ++ retval = PAM_SUCCESS; ++ } else { ++ retval = PAM_AUTH_ERR; ++ } ++ } ++ ++ if (pp) ++ _pam_delete(pp); ++ D(("done [%d].", retval)); ++ ++ return retval; ++} ++ ++int ++is_pwd_shadowed(const struct passwd *pwd) ++{ ++ if (pwd != NULL) { ++ if (strcmp(pwd->pw_passwd, "x") == 0) { ++ return 1; ++ } ++ if ((pwd->pw_passwd[0] == '#') && ++ (pwd->pw_passwd[1] == '#') && ++ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)) { ++ return 1; ++ } ++ } ++ return 0; ++} ++ ++PAMH_ARG_DECL(int get_account_info, ++ const char *name, struct passwd **pwd, struct spwd **spwdent) ++{ ++ /* UNIX passwords area */ ++ *pwd = pam_modutil_getpwnam(pamh, name); /* Get password file entry... 
*/ ++ *spwdent = NULL; ++ ++ if (*pwd != NULL) { ++ if (strcmp((*pwd)->pw_passwd, "*NP*") == 0) ++ { /* NIS+ */ ++#ifdef HELPER_COMPILE ++ uid_t save_euid, save_uid; ++ ++ save_euid = geteuid(); ++ save_uid = getuid(); ++ if (save_uid == (*pwd)->pw_uid) ++ setreuid(save_euid, save_uid); ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, (*pwd)->pw_uid) == -1) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if(setreuid(-1, (*pwd)->pw_uid) == -1) ++ return PAM_CRED_INSUFFICIENT; ++ } ++ } ++ ++ *spwdent = pam_modutil_getspnam(pamh, name); ++ if (save_uid == (*pwd)->pw_uid) ++ setreuid(save_uid, save_euid); ++ else { ++ setreuid(-1, 0); ++ setreuid(save_uid, -1); ++ setreuid(-1, save_euid); ++ } ++ ++ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) ++ return PAM_AUTHINFO_UNAVAIL; ++#else ++ /* we must run helper for NIS+ passwords */ ++ return PAM_UNIX_RUN_HELPER; ++#endif ++ } else if (is_pwd_shadowed(*pwd)) { ++ /* ++ * ...and shadow password file entry for this user, ++ * if shadowing is enabled ++ */ ++ *spwdent = pam_modutil_getspnam(pamh, name); ++#ifndef HELPER_COMPILE ++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED)) ++ return PAM_UNIX_RUN_HELPER; ++#endif ++ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) ++ return PAM_AUTHINFO_UNAVAIL; ++ } ++ } else { ++ return PAM_USER_UNKNOWN; ++ } ++ return PAM_SUCCESS; ++} ++ ++PAMH_ARG_DECL(int get_pwd_hash, ++ const char *name, struct passwd **pwd, char **hash) ++{ ++ int retval; ++ struct spwd *spwdent = NULL; ++ ++ retval = get_account_info(PAMH_ARG(name, pwd, &spwdent)); ++ if (retval != PAM_SUCCESS) { ++ return retval; ++ } ++ ++ if (spwdent) ++ *hash = x_strdup(spwdent->sp_pwdp); ++ else ++ *hash = x_strdup((*pwd)->pw_passwd); ++ if (*hash == NULL) ++ return PAM_BUF_ERR; ++ ++ return PAM_SUCCESS; ++} ++ ++PAMH_ARG_DECL(int check_shadow_expiry, ++ struct spwd *spent, int *daysleft) ++{ ++ long int curdays; ++ *daysleft = -1; ++ curdays = (long int)(time(NULL) / (60 * 60 * 24)); ++ D(("today is %d, 
last change %d", curdays, spent->sp_lstchg)); ++ if ((curdays >= spent->sp_expire) && (spent->sp_expire != -1)) { ++ D(("account expired")); ++ return PAM_ACCT_EXPIRED; ++ } ++ if (spent->sp_lstchg == 0) { ++ D(("need a new password")); ++ *daysleft = 0; ++ return PAM_NEW_AUTHTOK_REQD; ++ } ++ if (curdays < spent->sp_lstchg) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "account %s has password changed in future", ++ spent->sp_namp); ++ return PAM_SUCCESS; ++ } ++ if ((curdays - spent->sp_lstchg > spent->sp_max) ++ && (curdays - spent->sp_lstchg > spent->sp_inact) ++ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) ++ && (spent->sp_max != -1) && (spent->sp_inact != -1)) { ++ *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); ++ D(("authtok expired")); ++ return PAM_AUTHTOK_EXPIRED; ++ } ++ if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { ++ D(("need a new password 2")); ++ return PAM_NEW_AUTHTOK_REQD; ++ } ++ if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) ++ && (spent->sp_max != -1) && (spent->sp_warn != -1)) { ++ *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); ++ D(("warn before expiry")); ++ } ++ if ((curdays - spent->sp_lstchg < spent->sp_min) ++ && (spent->sp_min != -1)) { ++ /* ++ * The last password change was too recent. This error will be ignored ++ * if no password change is attempted. 
++ */ ++ D(("password change too recent")); ++ return PAM_AUTHTOK_ERR; ++ } ++ return PAM_SUCCESS; ++} ++ ++/* passwd/salt conversion macros */ ++ ++#define PW_TMPFILE "/var/lib/extrausers/npasswd" ++#define SH_TMPFILE "/var/lib/extrausers/nshadow" ++#define OPW_TMPFILE "/var/lib/extrausers/nopasswd" ++ ++/* ++ * i64c - convert an integer to a radix 64 character ++ */ ++static int ++i64c(int i) ++{ ++ if (i < 0) ++ return ('.'); ++ else if (i > 63) ++ return ('z'); ++ if (i == 0) ++ return ('.'); ++ if (i == 1) ++ return ('/'); ++ if (i >= 2 && i <= 11) ++ return ('0' - 2 + i); ++ if (i >= 12 && i <= 37) ++ return ('A' - 12 + i); ++ if (i >= 38 && i <= 63) ++ return ('a' - 38 + i); ++ return ('\0'); ++} ++ ++/* must point to a buffer of at least +1 length */ ++static void ++crypt_make_salt(char *where, int length) ++{ ++ struct timeval tv; ++ MD5_CTX ctx; ++ unsigned char tmp[16]; ++ unsigned char *src = (unsigned char *)where; ++ int i; ++#ifdef PAM_PATH_RANDOMDEV ++ int fd; ++ int rv; ++ ++ if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY)) != -1) { ++ while ((rv = read(fd, where, length)) != length && errno == EINTR); ++ close (fd); ++ } ++ if (rv != length) { ++#endif ++ /* ++ * Code lifted from Marek Michalkiewicz's shadow suite. 
(CG) ++ * removed use of static variables (AGM) ++ * ++ * will work correctly only for length <= 16 */ ++ src = tmp; ++ GoodMD5Init(&ctx); ++ gettimeofday(&tv, (struct timezone *) 0); ++ GoodMD5Update(&ctx, (void *) &tv, sizeof tv); ++ i = getpid(); ++ GoodMD5Update(&ctx, (void *) &i, sizeof i); ++ i = clock(); ++ GoodMD5Update(&ctx, (void *) &i, sizeof i); ++ GoodMD5Update(&ctx, src, length); ++ GoodMD5Final(tmp, &ctx); ++#ifdef PAM_PATH_RANDOMDEV ++ } ++#endif ++ for (i = 0; i < length; i++) ++ *where++ = i64c(src[i] & 077); ++ *where = '\0'; ++} ++ ++char * ++crypt_md5_wrapper(const char *pass_new) ++{ ++ unsigned char result[16]; ++ char *cp = (char *) result; ++ ++ cp = stpcpy(cp, "$1$"); /* magic for the MD5 */ ++ crypt_make_salt(cp, 8); ++ ++ /* no longer need cleartext */ ++ cp = Goodcrypt_md5(pass_new, (const char *) result); ++ pass_new = NULL; ++ ++ return cp; ++} ++ ++PAMH_ARG_DECL(char * create_password_hash, ++ const char *password, unsigned int ctrl, int rounds) ++{ ++ const char *algoid; ++ char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */ ++ char *sp; ++ ++ if (on(UNIX_MD5_PASS, ctrl)) { ++ /* algoid = "$1" */ ++ return crypt_md5_wrapper(password); ++ } else if (on(UNIX_BLOWFISH_PASS, ctrl)) { ++ algoid = "$2a$"; ++ } else if (on(UNIX_SHA256_PASS, ctrl)) { ++ algoid = "$5$"; ++ } else if (on(UNIX_SHA512_PASS, ctrl)) { ++ algoid = "$6$"; ++ } else { /* must be crypt/bigcrypt */ ++ char tmppass[9]; ++ char *crypted; ++ ++ crypt_make_salt(salt, 2); ++ if (off(UNIX_BIGCRYPT, ctrl) && strlen(password) > 8) { ++ strncpy(tmppass, password, sizeof(tmppass)-1); ++ tmppass[sizeof(tmppass)-1] = '\0'; ++ password = tmppass; ++ } ++ crypted = bigcrypt(password, salt); ++ memset(tmppass, '\0', sizeof(tmppass)); ++ password = NULL; ++ return crypted; ++ } ++ ++#ifdef HAVE_CRYPT_GENSALT_R ++ if (on(UNIX_BLOWFISH_PASS, ctrl)) { ++ char entropy[17]; ++ crypt_make_salt(entropy, sizeof(entropy) - 1); ++ sp = crypt_gensalt_r (algoid, rounds, 
++ entropy, sizeof(entropy), ++ salt, sizeof(salt)); ++ } else { ++#endif ++ sp = stpcpy(salt, algoid); ++ if (on(UNIX_ALGO_ROUNDS, ctrl)) { ++ sp += snprintf(sp, sizeof(salt) - 3, "rounds=%u$", rounds); ++ } ++ crypt_make_salt(sp, 8); ++ /* For now be conservative so the resulting hashes ++ * are not too long. 8 bytes of salt prevents dictionary ++ * attacks well enough. */ ++#ifdef HAVE_CRYPT_GENSALT_R ++ } ++#endif ++ sp = crypt(password, salt); ++ if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { ++ /* libxcrypt/libc doesn't know the algorithm, use MD5 */ ++ pam_syslog(pamh, LOG_ERR, ++ "Algo %s not supported by the crypto backend, " ++ "falling back to MD5\n", ++ on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : ++ on(UNIX_SHA256_PASS, ctrl) ? "sha256" : ++ on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); ++ if(sp) { ++ memset(sp, '\0', strlen(sp)); ++ } ++ return crypt_md5_wrapper(password); ++ } ++ ++ return x_strdup(sp); ++} ++ ++#ifdef WITH_SELINUX ++int ++unix_selinux_confined(void) ++{ ++ static int confined = -1; ++ int fd; ++ char tempfile[]="/var/lib/extrausers/.pwdXXXXXX"; ++ ++ if (confined != -1) ++ return confined; ++ ++ /* cannot be confined without SELinux enabled */ ++ if (!SELINUX_ENABLED){ ++ confined = 0; ++ return confined; ++ } ++ ++ /* let's try opening shadow read only */ ++ if ((fd=open("/var/lib/extrausers/shadow", O_RDONLY)) != -1) { ++ close(fd); ++ confined = 0; ++ return confined; ++ } ++ ++ if (errno == EACCES) { ++ confined = 1; ++ return confined; ++ } ++ ++ /* shadow opening failed because of other reasons let's try ++ creating a file in /var/lib/extrausers */ ++ if ((fd=mkstemp(tempfile)) != -1) { ++ unlink(tempfile); ++ close(fd); ++ confined = 0; ++ return confined; ++ } ++ ++ confined = 1; ++ return confined; ++} ++ ++#else ++int ++unix_selinux_confined(void) ++{ ++ return 0; ++} ++#endif ++ ++#ifdef USE_LCKPWDF ++int ++lock_pwdf(void) ++{ ++ int i; ++ int retval; ++ ++#ifndef HELPER_COMPILE ++ if (unix_selinux_confined()) { 
++ return PAM_SUCCESS; ++ } ++#endif ++ /* These values for the number of attempts and the sleep time ++ are, of course, completely arbitrary. ++ My reading of the PAM docs is that, once pam_chauthtok() has been ++ called with PAM_UPDATE_AUTHTOK, we are obliged to take any ++ reasonable steps to make sure the token is updated; so retrying ++ for 1/10 sec. isn't overdoing it. */ ++ i=0; ++ while((retval = extrausers_lckpwdf()) != 0 && i < 100) { ++ usleep(1000); ++ i++; ++ } ++ if(retval != 0) { ++ return PAM_AUTHTOK_LOCK_BUSY; ++ } ++ return PAM_SUCCESS; ++} ++ ++void ++unlock_pwdf(void) ++{ ++#ifndef HELPER_COMPILE ++ if (unix_selinux_confined()) { ++ return; ++ } ++#endif ++ extrausers_ulckpwdf(); ++} ++#else ++int ++lock_pwdf(void) ++{ ++ return PAM_SUCCESS; ++} ++ ++void ++unlock_pwdf(void) ++{ ++ return; ++} ++#endif ++ ++#ifdef HELPER_COMPILE ++int ++save_old_password(const char *forwho, const char *oldpass, ++ int howmany) ++#else ++int ++save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, ++ int howmany) ++#endif ++{ ++ static char buf[16384]; ++ static char nbuf[16384]; ++ char *s_luser, *s_uid, *s_npas, *s_pas, *pass; ++ int npas; ++ FILE *pwfile, *opwfile; ++ int err = 0; ++ int oldmask; ++ int found = 0; ++ struct passwd *pwd = NULL; ++ struct stat st; ++ size_t len = strlen(forwho); ++#ifdef WITH_SELINUX ++ security_context_t prev_context=NULL; ++#endif ++ ++ if (howmany < 0) { ++ return PAM_SUCCESS; ++ } ++ ++ if (oldpass == NULL) { ++ return PAM_SUCCESS; ++ } ++ ++ oldmask = umask(077); ++ ++#ifdef WITH_SELINUX ++ if (SELINUX_ENABLED) { ++ security_context_t passwd_context=NULL; ++ if (getfilecon("/var/lib/extrausers/passwd",&passwd_context)<0) { ++ return PAM_AUTHTOK_ERR; ++ }; ++ if (getfscreatecon(&prev_context)<0) { ++ freecon(passwd_context); ++ return PAM_AUTHTOK_ERR; ++ } ++ if (setfscreatecon(passwd_context)) { ++ freecon(passwd_context); ++ freecon(prev_context); ++ return PAM_AUTHTOK_ERR; ++ } ++ 
freecon(passwd_context); ++ } ++#endif ++ pwfile = fopen(OPW_TMPFILE, "w"); ++ umask(oldmask); ++ if (pwfile == NULL) { ++ err = 1; ++ goto done; ++ } ++ ++ opwfile = fopen(OLD_PASSWORDS_FILE, "r"); ++ if (opwfile == NULL) { ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ if (fstat(fileno(opwfile), &st) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ if (fchmod(fileno(pwfile), st.st_mode) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ while (fgets(buf, 16380, opwfile)) { ++ if (!strncmp(buf, forwho, len) && strchr(":,\n", buf[len]) != NULL) { ++ char *sptr = NULL; ++ found = 1; ++ if (howmany == 0) ++ continue; ++ buf[strlen(buf) - 1] = '\0'; ++ s_luser = strtok_r(buf, ":", &sptr); ++ s_uid = strtok_r(NULL, ":", &sptr); ++ s_npas = strtok_r(NULL, ":", &sptr); ++ s_pas = strtok_r(NULL, ":", &sptr); ++ npas = strtol(s_npas, NULL, 10) + 1; ++ while (npas > howmany) { ++ s_pas = strpbrk(s_pas, ","); ++ if (s_pas != NULL) ++ s_pas++; ++ npas--; ++ } ++ pass = crypt_md5_wrapper(oldpass); ++ if (s_pas == NULL) ++ snprintf(nbuf, sizeof(nbuf), "%s:%s:%d:%s\n", ++ s_luser, s_uid, npas, pass); ++ else ++ snprintf(nbuf, sizeof(nbuf),"%s:%s:%d:%s,%s\n", ++ s_luser, s_uid, npas, s_pas, pass); ++ _pam_delete(pass); ++ if (fputs(nbuf, pwfile) < 0) { ++ err = 1; ++ break; ++ } ++ } else if (fputs(buf, pwfile) < 0) { ++ err = 1; ++ break; ++ } ++ } ++ fclose(opwfile); ++ ++ if (!found) { ++ pwd = pam_modutil_getpwnam(pamh, forwho); ++ if (pwd == NULL) { ++ err = 1; ++ } else { ++ pass = crypt_md5_wrapper(oldpass); ++ snprintf(nbuf, sizeof(nbuf), "%s:%lu:1:%s\n", ++ forwho, (unsigned long)pwd->pw_uid, pass); ++ _pam_delete(pass); ++ if (fputs(nbuf, pwfile) < 0) { ++ err = 1; ++ } ++ } ++ } ++ ++ if (fflush(pwfile) || fsync(fileno(pwfile))) { ++ D(("fflush or fsync error 
writing entries to old passwords file: %m")); ++ err = 1; ++ } ++ ++ if (fclose(pwfile)) { ++ D(("fclose error writing entries to old passwords file: %m")); ++ err = 1; ++ } ++ ++done: ++ if (!err) { ++ if (rename(OPW_TMPFILE, OLD_PASSWORDS_FILE)) ++ err = 1; ++ } ++#ifdef WITH_SELINUX ++ if (SELINUX_ENABLED) { ++ if (setfscreatecon(prev_context)) { ++ err = 1; ++ } ++ if (prev_context) ++ freecon(prev_context); ++ prev_context=NULL; ++ } ++#endif ++ if (!err) { ++ return PAM_SUCCESS; ++ } else { ++ unlink(OPW_TMPFILE); ++ return PAM_AUTHTOK_ERR; ++ } ++} ++ ++PAMH_ARG_DECL(int unix_update_passwd, ++ const char *forwho, const char *towhat) ++{ ++ struct passwd *tmpent = NULL; ++ struct stat st; ++ FILE *pwfile, *opwfile; ++ int err = 1, found = 0; ++ int oldmask; ++#ifdef WITH_SELINUX ++ security_context_t prev_context=NULL; ++#endif ++ ++ oldmask = umask(077); ++#ifdef WITH_SELINUX ++ if (SELINUX_ENABLED) { ++ security_context_t passwd_context=NULL; ++ if (getfilecon("/var/lib/extrausers/passwd",&passwd_context)<0) { ++ return PAM_AUTHTOK_ERR; ++ }; ++ if (getfscreatecon(&prev_context)<0) { ++ freecon(passwd_context); ++ return PAM_AUTHTOK_ERR; ++ } ++ if (setfscreatecon(passwd_context)) { ++ freecon(passwd_context); ++ freecon(prev_context); ++ return PAM_AUTHTOK_ERR; ++ } ++ freecon(passwd_context); ++ } ++#endif ++ pwfile = fopen(PW_TMPFILE, "w"); ++ umask(oldmask); ++ if (pwfile == NULL) { ++ err = 1; ++ goto done; ++ } ++ ++ opwfile = fopen("/var/lib/extrausers/passwd", "r"); ++ if (opwfile == NULL) { ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ if (fstat(fileno(opwfile), &st) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ if (fchmod(fileno(pwfile), st.st_mode) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ tmpent = fgetpwent(opwfile); ++ while 
(tmpent) { ++ if (!strcmp(tmpent->pw_name, forwho)) { ++ /* To shut gcc up */ ++ union { ++ const char *const_charp; ++ char *charp; ++ } assigned_passwd; ++ assigned_passwd.const_charp = towhat; ++ ++ tmpent->pw_passwd = assigned_passwd.charp; ++ err = 0; ++ found = 1; ++ } ++ if (putpwent(tmpent, pwfile)) { ++ D(("error writing entry to password file: %m")); ++ err = 1; ++ break; ++ } ++ tmpent = fgetpwent(opwfile); ++ } ++ fclose(opwfile); ++ ++ if (fflush(pwfile) || fsync(fileno(pwfile))) { ++ D(("fflush or fsync error writing entries to password file: %m")); ++ err = 1; ++ } ++ ++ if (fclose(pwfile)) { ++ D(("fclose error writing entries to password file: %m")); ++ err = 1; ++ } ++ ++done: ++ if (!err) { ++ if (!rename(PW_TMPFILE, "/var/lib/extrausers/passwd")) ++ pam_syslog(pamh, ++ LOG_NOTICE, "password changed for %s", forwho); ++ else ++ err = 1; ++ } ++#ifdef WITH_SELINUX ++ if (SELINUX_ENABLED) { ++ if (setfscreatecon(prev_context)) { ++ err = 1; ++ } ++ if (prev_context) ++ freecon(prev_context); ++ prev_context=NULL; ++ } ++#endif ++ if (!err) { ++ return PAM_SUCCESS; ++ } else { ++ unlink(PW_TMPFILE); ++ return found ? 
PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; ++ } ++} ++ ++PAMH_ARG_DECL(int unix_update_shadow, ++ const char *forwho, char *towhat) ++{ ++ struct spwd spwdent, *stmpent = NULL; ++ struct stat st; ++ FILE *pwfile, *opwfile; ++ int err = 0; ++ int oldmask; ++ int wroteentry = 0; ++#ifdef WITH_SELINUX ++ security_context_t prev_context=NULL; ++#endif ++ ++ oldmask = umask(077); ++ ++#ifdef WITH_SELINUX ++ if (SELINUX_ENABLED) { ++ security_context_t shadow_context=NULL; ++ if (getfilecon("/var/lib/extrausers/shadow",&shadow_context)<0) { ++ return PAM_AUTHTOK_ERR; ++ }; ++ if (getfscreatecon(&prev_context)<0) { ++ freecon(shadow_context); ++ return PAM_AUTHTOK_ERR; ++ } ++ if (setfscreatecon(shadow_context)) { ++ freecon(shadow_context); ++ freecon(prev_context); ++ return PAM_AUTHTOK_ERR; ++ } ++ freecon(shadow_context); ++ } ++#endif ++ pwfile = fopen(SH_TMPFILE, "w"); ++ umask(oldmask); ++ if (pwfile == NULL) { ++ err = 1; ++ goto done; ++ } ++ ++ opwfile = fopen("/var/lib/extrausers/shadow", "r"); ++ if (opwfile == NULL) { ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ if (fstat(fileno(opwfile), &st) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ if (fchmod(fileno(pwfile), st.st_mode) == -1) { ++ fclose(opwfile); ++ fclose(pwfile); ++ err = 1; ++ goto done; ++ } ++ ++ stmpent = fgetspent(opwfile); ++ while (stmpent) { ++ ++ if (!strcmp(stmpent->sp_namp, forwho)) { ++ stmpent->sp_pwdp = towhat; ++ stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); ++ if (stmpent->sp_lstchg == 0) ++ stmpent->sp_lstchg = -1; /* Don't request passwort change ++ only because time isn't set yet. 
*/ ++ wroteentry = 1; ++ D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); ++ } ++ ++ if (putspent(stmpent, pwfile)) { ++ D(("error writing entry to shadow file: %m")); ++ err = 1; ++ break; ++ } ++ ++ stmpent = fgetspent(opwfile); ++ } ++ ++ fclose(opwfile); ++ ++ if (!wroteentry && !err) { ++ spwdent.sp_namp = forwho; ++ spwdent.sp_pwdp = towhat; ++ spwdent.sp_lstchg = time(NULL) / (60 * 60 * 24); ++ if (spwdent.sp_lstchg == 0) ++ spwdent.sp_lstchg = -1; /* Don't request passwort change ++ only because time isn't set yet. */ ++ spwdent.sp_min = spwdent.sp_max = spwdent.sp_warn = spwdent.sp_inact = ++ spwdent.sp_expire = -1; ++ spwdent.sp_flag = (unsigned long)-1l; ++ if (putspent(&spwdent, pwfile)) { ++ D(("error writing entry to shadow file: %m")); ++ err = 1; ++ } ++ } ++ ++ if (fflush(pwfile) || fsync(fileno(pwfile))) { ++ D(("fflush or fsync error writing entries to shadow file: %m")); ++ err = 1; ++ } ++ ++ if (fclose(pwfile)) { ++ D(("fclose error writing entries to shadow file: %m")); ++ err = 1; ++ } ++ ++ done: ++ if (!err) { ++ if (!rename(SH_TMPFILE, "/var/lib/extrausers/shadow")) ++ pam_syslog(pamh, ++ LOG_NOTICE, "password changed for %s", forwho); ++ else ++ err = 1; ++ } ++ ++#ifdef WITH_SELINUX ++ if (SELINUX_ENABLED) { ++ if (setfscreatecon(prev_context)) { ++ err = 1; ++ } ++ if (prev_context) ++ freecon(prev_context); ++ prev_context=NULL; ++ } ++#endif ++ ++ if (!err) { ++ return PAM_SUCCESS; ++ } else { ++ unlink(SH_TMPFILE); ++ return PAM_AUTHTOK_ERR; ++ } ++} ++ ++#ifdef HELPER_COMPILE ++ ++int ++helper_verify_password(const char *name, const char *p, int nullok) ++{ ++ struct passwd *pwd = NULL; ++ char *salt = NULL; ++ int retval; ++ ++ retval = get_pwd_hash(name, &pwd, &salt); ++ ++ if (pwd == NULL || salt == NULL) { ++ helper_log_err(LOG_WARNING, "check pass; user unknown"); ++ retval = PAM_USER_UNKNOWN; ++ } else { ++ retval = verify_pwd_hash(p, salt, nullok); ++ } ++ ++ if (salt) { ++ _pam_overwrite(salt); ++ _pam_drop(salt); 
++ } ++ ++ p = NULL; /* no longer needed here */ ++ ++ return retval; ++} ++ ++void ++helper_log_err(int err, const char *format, ...) ++{ ++ va_list args; ++ ++ va_start(args, format); ++ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); ++ vsyslog(err, format, args); ++ va_end(args); ++ closelog(); ++} ++ ++static void ++su_sighandler(int sig) ++{ ++#ifndef SA_RESETHAND ++ /* emulate the behaviour of the SA_RESETHAND flag */ ++ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) { ++ struct sigaction sa; ++ memset(&sa, '\0', sizeof(sa)); ++ sa.sa_handler = SIG_DFL; ++ sigaction(sig, &sa, NULL); ++ } ++#endif ++ if (sig > 0) { ++ _exit(sig); ++ } ++} ++ ++void ++setup_signals(void) ++{ ++ struct sigaction action; /* posix signal structure */ ++ ++ /* ++ * Setup signal handlers ++ */ ++ (void) memset((void *) &action, 0, sizeof(action)); ++ action.sa_handler = su_sighandler; ++#ifdef SA_RESETHAND ++ action.sa_flags = SA_RESETHAND; ++#endif ++ (void) sigaction(SIGILL, &action, NULL); ++ (void) sigaction(SIGTRAP, &action, NULL); ++ (void) sigaction(SIGBUS, &action, NULL); ++ (void) sigaction(SIGSEGV, &action, NULL); ++ action.sa_handler = SIG_IGN; ++ action.sa_flags = 0; ++ (void) sigaction(SIGTERM, &action, NULL); ++ (void) sigaction(SIGHUP, &action, NULL); ++ (void) sigaction(SIGINT, &action, NULL); ++ (void) sigaction(SIGQUIT, &action, NULL); ++} ++ ++char * ++getuidname(uid_t uid) ++{ ++ struct passwd *pw; ++ static char username[256]; ++ ++ pw = getpwuid(uid); ++ if (pw == NULL) ++ return NULL; ++ ++ strncpy(username, pw->pw_name, sizeof(username)); ++ username[sizeof(username) - 1] = '\0'; ++ ++ return username; ++} ++ ++int ++read_passwords(int fd, int npass, char **passwords) ++{ ++ int rbytes = 0; ++ int offset = 0; ++ int i = 0; ++ char *pptr; ++ while (npass > 0) { ++ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ ++ if (rbytes < 0) { ++ if (errno == EINTR) continue; ++ break; ++ } ++ if (rbytes == 0) ++ break; ++ 
++ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes)) ++ != NULL) { ++ rbytes -= pptr - (passwords[i]+offset) + 1; ++ i++; ++ offset = 0; ++ npass--; ++ if (rbytes > 0) { ++ if (npass > 0) ++ memcpy(passwords[i], pptr+1, rbytes); ++ memset(pptr+1, '\0', rbytes); ++ } ++ } ++ offset += rbytes; ++ } ++ ++ /* clear up */ ++ if (offset > 0 && npass > 0) { ++ memset(passwords[i], '\0', offset); ++ } ++ ++ return i; ++} ++ ++#endif ++/* ****************************************************************** * ++ * Copyright (c) Jan Rêkorajski 1999. ++ * Copyright (c) Andrew G. Morgan 1996-8. ++ * Copyright (c) Alex O. Yuriev, 1996. ++ * Copyright (c) Cristian Gafton 1996. ++ * Copyright (c) Red Hat, Inc. 1996, 2007, 2008. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) 
++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ +Index: pam-1.1.8/modules/pam_extrausers/passverify.h +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/passverify.h +@@ -0,0 +1,119 @@ ++/* ++ * Copyright information at end of file. 
++ */ ++ ++#include ++#include ++#include ++ ++#define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT ++ ++#define MAXPASS 200 /* the maximum length of a password */ ++ ++#define OLD_PASSWORDS_FILE "/var/lib/extrausers/opasswd" ++ ++int ++verify_pwd_hash(const char *p, char *hash, unsigned int nullok); ++ ++int ++is_pwd_shadowed(const struct passwd *pwd); ++ ++char * ++crypt_md5_wrapper(const char *pass_new); ++ ++int ++unix_selinux_confined(void); ++ ++int ++lock_pwdf(void); ++ ++void ++unlock_pwdf(void); ++ ++#ifdef HELPER_COMPILE ++int ++save_old_password(const char *forwho, const char *oldpass, ++ int howmany); ++#else ++int ++save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, ++ int howmany); ++#endif ++ ++#ifdef HELPER_COMPILE ++void ++helper_log_err(int err, const char *format,...); ++ ++int ++helper_verify_password(const char *name, const char *p, int nullok); ++ ++void ++setup_signals(void); ++ ++char * ++getuidname(uid_t uid); ++ ++int ++read_passwords(int fd, int npass, char **passwords); ++#endif ++ ++#ifdef HELPER_COMPILE ++#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__) ++#define PAMH_ARG(...) __VA_ARGS__ ++#else ++#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__) ++#define PAMH_ARG(...) pamh, __VA_ARGS__ ++#endif ++ ++PAMH_ARG_DECL(char * create_password_hash, ++ const char *password, unsigned int ctrl, int rounds); ++ ++PAMH_ARG_DECL(int get_account_info, ++ const char *name, struct passwd **pwd, struct spwd **spwdent); ++ ++PAMH_ARG_DECL(int get_pwd_hash, ++ const char *name, struct passwd **pwd, char **hash); ++ ++PAMH_ARG_DECL(int check_shadow_expiry, ++ struct spwd *spent, int *daysleft); ++ ++PAMH_ARG_DECL(int unix_update_passwd, ++ const char *forwho, const char *towhat); ++ ++PAMH_ARG_DECL(int unix_update_shadow, ++ const char *forwho, char *towhat); ++ ++/* ****************************************************************** * ++ * Copyright (c) Red Hat, Inc. 2007. 
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ +Index: pam-1.1.8/modules/pam_extrausers/support.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/support.c +@@ -0,0 +1,1083 @@ ++/* ++ * Copyright information at end of file. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef HAVE_RPCSVC_YPCLNT_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++ ++#include "support.h" ++#include "passverify.h" ++#ifdef WITH_SELINUX ++#include ++#define SELINUX_ENABLED is_selinux_enabled()>0 ++#else ++#define SELINUX_ENABLED 0 ++#endif ++ ++static char * ++search_key (const char *key, const char *filename) ++{ ++ FILE *fp; ++ char *buf = NULL; ++ size_t buflen = 0; ++ char *retval = NULL; ++ ++ fp = fopen (filename, "r"); ++ if (NULL == fp) ++ return NULL; ++ ++ while (!feof (fp)) ++ { ++ char *tmp, *cp; ++#if defined(HAVE_GETLINE) ++ ssize_t n = getline (&buf, &buflen, fp); ++#elif defined (HAVE_GETDELIM) ++ ssize_t n = getdelim (&buf, &buflen, '\n', fp); ++#else ++ ssize_t n; ++ ++ if (buf == NULL) ++ { ++ buflen = BUF_SIZE; ++ buf = malloc (buflen); ++ if (buf == NULL) { ++ fclose (fp); ++ return NULL; ++ } ++ } ++ buf[0] = '\0'; ++ if (fgets (buf, buflen - 1, fp) == NULL) ++ break; ++ else if (buf != NULL) ++ n = strlen (buf); ++ else ++ n = 0; ++#endif /* HAVE_GETLINE / HAVE_GETDELIM */ ++ cp = buf; ++ ++ if (n < 1) ++ break; ++ ++ tmp = strchr (cp, '#'); /* remove comments */ ++ if (tmp) ++ *tmp = '\0'; ++ while (isspace ((int)*cp)) /* remove spaces and tabs */ ++ ++cp; ++ if (*cp == '\0') /* ignore empty lines */ ++ continue; ++ ++ if (cp[strlen (cp) - 1] == '\n') ++ cp[strlen (cp) - 1] = '\0'; ++ ++ tmp = strsep (&cp, " \t="); ++ if (cp != NULL) ++ while (isspace ((int)*cp) || *cp == '=') ++ ++cp; ++ ++ if (strcasecmp (tmp, key) == 0) ++ { ++ retval = strdup (cp); ++ 
break; ++ } ++ } ++ fclose (fp); ++ ++ free (buf); ++ ++ return retval; ++} ++ ++ ++/* this is a front-end for module-application conversations */ ++ ++int _make_remark(pam_handle_t * pamh, unsigned int ctrl, ++ int type, const char *text) ++{ ++ int retval = PAM_SUCCESS; ++ ++ if (off(UNIX__QUIET, ctrl)) { ++ retval = pam_prompt(pamh, type, NULL, "%s", text); ++ } ++ return retval; ++} ++ ++/* ++ * set the control flags for the UNIX module. ++ */ ++ ++int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, ++ int *pass_min_len, int argc, const char **argv) ++{ ++ unsigned int ctrl; ++ char *val; ++ int j; ++ ++ D(("called.")); ++ ++ ctrl = UNIX_DEFAULTS; /* the default selection of options */ ++ ++ /* set some flags manually */ ++ ++ if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { ++ D(("IAMROOT")); ++ set(UNIX__IAMROOT, ctrl); ++ } ++ if (flags & PAM_UPDATE_AUTHTOK) { ++ D(("UPDATE_AUTHTOK")); ++ set(UNIX__UPDATE, ctrl); ++ } ++ if (flags & PAM_PRELIM_CHECK) { ++ D(("PRELIM_CHECK")); ++ set(UNIX__PRELIM, ctrl); ++ } ++ if (flags & PAM_SILENT) { ++ D(("SILENT")); ++ set(UNIX__QUIET, ctrl); ++ } ++ ++ /* preset encryption method with value from /etc/login.defs */ ++ val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS); ++ if (val) { ++ for (j = 0; j < UNIX_CTRLS_; ++j) { ++ if (unix_args[j].token && unix_args[j].is_hash_algo ++ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) { ++ break; ++ } ++ } ++ if (j >= UNIX_CTRLS_) { ++ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD value [%s]", val); ++ } else { ++ ctrl &= unix_args[j].mask; /* for turning things off */ ++ ctrl |= unix_args[j].flag; /* for turning things on */ ++ } ++ free (val); ++ ++ /* read number of rounds for crypt algo */ ++ if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) { ++ val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); ++ ++ if (val) { ++ *rounds = strtol(val, NULL, 10); ++ free (val); ++ } ++ } ++ } ++ ++ 
/* now parse the arguments to this module */ ++ ++ for (; argc-- > 0; ++argv) { ++ int sl; ++ ++ D(("pam_extrausers arg: %s", *argv)); ++ ++ for (j = 0; j < UNIX_CTRLS_; ++j) { ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } ++ } ++ } ++ ++ if (j >= UNIX_CTRLS_) { ++ pam_syslog(pamh, LOG_ERR, ++ "unrecognized option [%s]", *argv); ++ } else { ++ /* special cases */ ++ if (j == UNIX_REMEMBER_PASSWD) { ++ if (remember == NULL) { ++ pam_syslog(pamh, LOG_ERR, ++ "option remember not allowed for this module type"); ++ continue; ++ } ++ *remember = strtol(*argv + 9, NULL, 10); ++ if ((*remember == INT_MIN) || (*remember == INT_MAX)) ++ *remember = -1; ++ if (*remember > 400) ++ *remember = 400; ++ } else if (j == UNIX_MIN_PASS_LEN) { ++ if (pass_min_len == NULL) { ++ pam_syslog(pamh, LOG_ERR, ++ "option minlen not allowed for this module type"); ++ continue; ++ } ++ *pass_min_len = atoi(*argv + 7); ++ } else if (j == UNIX_ALGO_ROUNDS) { ++ if (rounds == NULL) { ++ pam_syslog(pamh, LOG_ERR, ++ "option rounds not allowed for this module type"); ++ continue; ++ } ++ *rounds = strtol(*argv + 7, NULL, 10); ++ } ++ ++ ctrl &= unix_args[j].mask; /* for turning things off */ ++ ctrl |= unix_args[j].flag; /* for turning things on */ ++ } ++ } ++ ++ if (UNIX_DES_CRYPT(ctrl) ++ && pass_min_len && *pass_min_len > 8) ++ { ++ pam_syslog (pamh, LOG_NOTICE, "Password minlen reset to 8 characters"); ++ *pass_min_len = 8; ++ } ++ ++ if (flags & PAM_DISALLOW_NULL_AUTHTOK) { ++ D(("DISALLOW_NULL_AUTHTOK")); ++ set(UNIX__NONULL, ctrl); ++ } ++ ++ /* Set default rounds for blowfish */ ++ if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { ++ *rounds = 5; ++ set(UNIX_ALGO_ROUNDS, ctrl); ++ } ++ ++ /* 
Enforce sane "rounds" values */ ++ if (on(UNIX_ALGO_ROUNDS, ctrl)) { ++ if (on(UNIX_BLOWFISH_PASS, ctrl)) { ++ if (*rounds < 4 || *rounds > 31) ++ *rounds = 5; ++ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { ++ if ((*rounds < 1000) || (*rounds == INT_MAX)) ++ /* don't care about bogus values */ ++ unset(UNIX_ALGO_ROUNDS, ctrl); ++ if (*rounds >= 10000000) ++ *rounds = 9999999; ++ } ++ } ++ ++ /* auditing is a more sensitive version of debug */ ++ ++ if (on(UNIX_AUDIT, ctrl)) { ++ set(UNIX_DEBUG, ctrl); ++ } ++ /* return the set of flags */ ++ ++ D(("done.")); ++ return ctrl; ++} ++ ++static void _cleanup(pam_handle_t * pamh UNUSED, void *x, int error_status UNUSED) ++{ ++ _pam_delete(x); ++} ++ ++/* ************************************************************** * ++ * Useful non-trivial functions * ++ * ************************************************************** */ ++ ++ /* ++ * the following is used to keep track of the number of times a user fails ++ * to authenticate themself. ++ */ ++ ++#define FAIL_PREFIX "-UN*X-FAIL-" ++#define UNIX_MAX_RETRIES 3 ++ ++struct _pam_failed_auth { ++ char *user; /* user that's failed to be authenticated */ ++ char *name; /* attempt from user with name */ ++ int uid; /* uid of calling user */ ++ int euid; /* euid of calling process */ ++ int count; /* number of failures so far */ ++}; ++ ++#ifndef PAM_DATA_REPLACE ++#error "Need to get an updated libpam 0.52 or better" ++#endif ++ ++static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) ++{ ++ int quiet; ++ const void *service = NULL; ++ const void *ruser = NULL; ++ const void *rhost = NULL; ++ const void *tty = NULL; ++ struct _pam_failed_auth *failure; ++ ++ D(("called")); ++ ++ quiet = err & PAM_DATA_SILENT; /* should we log something? */ ++ err &= PAM_DATA_REPLACE; /* are we just replacing data? 
*/ ++ failure = (struct _pam_failed_auth *) fl; ++ ++ if (failure != NULL) { ++ ++ if (!quiet && !err) { /* under advisement from Sun,may go away */ ++ ++ /* log the number of authentication failures */ ++ if (failure->count > 1) { ++ (void) pam_get_item(pamh, PAM_SERVICE, ++ &service); ++ (void) pam_get_item(pamh, PAM_RUSER, ++ &ruser); ++ (void) pam_get_item(pamh, PAM_RHOST, ++ &rhost); ++ (void) pam_get_item(pamh, PAM_TTY, ++ &tty); ++ pam_syslog(pamh, LOG_NOTICE, ++ "%d more authentication failure%s; " ++ "logname=%s uid=%d euid=%d " ++ "tty=%s ruser=%s rhost=%s " ++ "%s%s", ++ failure->count - 1, failure->count == 2 ? "" : "s", ++ failure->name, failure->uid, failure->euid, ++ tty ? (const char *)tty : "", ruser ? (const char *)ruser : "", ++ rhost ? (const char *)rhost : "", ++ (failure->user && failure->user[0] != '\0') ++ ? " user=" : "", failure->user ++ ); ++ ++ if (failure->count > UNIX_MAX_RETRIES) { ++ pam_syslog(pamh, LOG_ALERT, ++ "service(%s) ignoring max retries; %d > %d", ++ service == NULL ? 
"**unknown**" : (const char *)service, ++ failure->count, ++ UNIX_MAX_RETRIES); ++ } ++ } ++ } ++ _pam_delete(failure->user); /* tidy up */ ++ _pam_delete(failure->name); /* tidy up */ ++ free(failure); ++ } ++} ++ ++/* ++ * _unix_getpwnam() searches only /var/lib/extrausers/passwd and NIS to find user information ++ */ ++static void _unix_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED) ++{ ++ free(data); ++} ++ ++int _unix_getpwnam(pam_handle_t *pamh, const char *name, ++ int files, int nis, struct passwd **ret) ++{ ++ FILE *passwd; ++ char buf[16384]; ++ int matched = 0, buflen; ++ char *slogin, *spasswd, *suid, *sgid, *sgecos, *shome, *sshell, *p; ++ ++ memset(buf, 0, sizeof(buf)); ++ ++ if (!matched && files) { ++ int userlen = strlen(name); ++ passwd = fopen("/var/lib/extrausers/passwd", "r"); ++ if (passwd != NULL) { ++ while (fgets(buf, sizeof(buf), passwd) != NULL) { ++ if ((buf[userlen] == ':') && ++ (strncmp(name, buf, userlen) == 0)) { ++ p = buf + strlen(buf) - 1; ++ while (isspace(*p) && (p >= buf)) { ++ *p-- = '\0'; ++ } ++ matched = 1; ++ break; ++ } ++ } ++ fclose(passwd); ++ } ++ } ++ ++#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) ++ if (!matched && nis) { ++ char *userinfo = NULL, *domain = NULL; ++ int len = 0, i; ++ len = yp_get_default_domain(&domain); ++ if (len == YPERR_SUCCESS) { ++ len = yp_bind(domain); ++ } ++ if (len == YPERR_SUCCESS) { ++ i = yp_match(domain, "passwd.byname", name, ++ strlen(name), &userinfo, &len); ++ yp_unbind(domain); ++ if ((i == YPERR_SUCCESS) && ((size_t)len < sizeof(buf))) { ++ strncpy(buf, userinfo, sizeof(buf) - 1); ++ buf[sizeof(buf) - 1] = '\0'; ++ matched = 1; ++ } ++ } ++ } ++#else ++ /* we don't have NIS support, make compiler happy. 
*/ ++ nis = 0; ++#endif ++ ++ if (matched && (ret != NULL)) { ++ *ret = NULL; ++ ++ slogin = buf; ++ ++ spasswd = strchr(slogin, ':'); ++ if (spasswd == NULL) { ++ return matched; ++ } ++ *spasswd++ = '\0'; ++ ++ suid = strchr(spasswd, ':'); ++ if (suid == NULL) { ++ return matched; ++ } ++ *suid++ = '\0'; ++ ++ sgid = strchr(suid, ':'); ++ if (sgid == NULL) { ++ return matched; ++ } ++ *sgid++ = '\0'; ++ ++ sgecos = strchr(sgid, ':'); ++ if (sgecos == NULL) { ++ return matched; ++ } ++ *sgecos++ = '\0'; ++ ++ shome = strchr(sgecos, ':'); ++ if (shome == NULL) { ++ return matched; ++ } ++ *shome++ = '\0'; ++ ++ sshell = strchr(shome, ':'); ++ if (sshell == NULL) { ++ return matched; ++ } ++ *sshell++ = '\0'; ++ ++ buflen = sizeof(struct passwd) + ++ strlen(slogin) + 1 + ++ strlen(spasswd) + 1 + ++ strlen(sgecos) + 1 + ++ strlen(shome) + 1 + ++ strlen(sshell) + 1; ++ *ret = malloc(buflen); ++ if (*ret == NULL) { ++ return matched; ++ } ++ memset(*ret, '\0', buflen); ++ ++ (*ret)->pw_uid = strtol(suid, &p, 10); ++ if ((strlen(suid) == 0) || (*p != '\0')) { ++ free(*ret); ++ *ret = NULL; ++ return matched; ++ } ++ ++ (*ret)->pw_gid = strtol(sgid, &p, 10); ++ if ((strlen(sgid) == 0) || (*p != '\0')) { ++ free(*ret); ++ *ret = NULL; ++ return matched; ++ } ++ ++ p = ((char*)(*ret)) + sizeof(struct passwd); ++ (*ret)->pw_name = strcpy(p, slogin); ++ p += strlen(p) + 1; ++ (*ret)->pw_passwd = strcpy(p, spasswd); ++ p += strlen(p) + 1; ++ (*ret)->pw_gecos = strcpy(p, sgecos); ++ p += strlen(p) + 1; ++ (*ret)->pw_dir = strcpy(p, shome); ++ p += strlen(p) + 1; ++ (*ret)->pw_shell = strcpy(p, sshell); ++ ++ snprintf(buf, sizeof(buf), "_pam_unix_getpwnam_%s", name); ++ ++ if (pam_set_data(pamh, buf, ++ *ret, _unix_cleanup) != PAM_SUCCESS) { ++ free(*ret); ++ *ret = NULL; ++ } ++ } ++ ++ return matched; ++} ++ ++/* ++ * _unix_comsefromsource() is a quick check to see if information about a given ++ * user comes from a particular source (just files and nis for now) ++ * ++ */ 
++int _unix_comesfromsource(pam_handle_t *pamh, ++ const char *name, int files, int nis) ++{ ++ return _unix_getpwnam(pamh, name, files, nis, NULL); ++} ++ ++/* ++ * verify the password of a user ++ */ ++ ++#include ++#include ++ ++static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, ++ unsigned int ctrl, const char *user) ++{ ++ int retval, child, fds[2]; ++ struct sigaction newsa, oldsa; ++ ++ D(("called.")); ++ /* create a pipe for the password */ ++ if (pipe(fds) != 0) { ++ D(("could not make pipe")); ++ return PAM_AUTH_ERR; ++ } ++ ++ if (off(UNIX_NOREAP, ctrl)) { ++ /* ++ * This code arranges that the demise of the child does not cause ++ * the application to receive a signal it is not expecting - which ++ * may kill the application or worse. ++ * ++ * The "noreap" module argument is provided so that the admin can ++ * override this behavior. ++ */ ++ memset(&newsa, '\0', sizeof(newsa)); ++ newsa.sa_handler = SIG_DFL; ++ sigaction(SIGCHLD, &newsa, &oldsa); ++ } ++ ++ /* fork */ ++ child = fork(); ++ if (child == 0) { ++ int i=0; ++ int nullok = off(UNIX__NONULL, ctrl); ++ struct rlimit rlim; ++ static char *envp[] = { NULL }; ++ char *args[] = { NULL, NULL, NULL, NULL }; ++ ++ /* XXX - should really tidy up PAM here too */ ++ ++ /* reopen stdin as pipe */ ++ dup2(fds[0], STDIN_FILENO); ++ ++ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { ++ if (rlim.rlim_max >= MAX_FD_NO) ++ rlim.rlim_max = MAX_FD_NO; ++ for (i=0; i < (int)rlim.rlim_max; i++) { ++ if (i != STDIN_FILENO) ++ close(i); ++ } ++ } ++ ++ if (geteuid() == 0) { ++ /* must set the real uid to 0 so the helper will not error ++ out if pam is called from setuid binary (su, sudo...) 
*/ ++ if (setuid(0) == -1) { ++ D(("setuid failed")); ++ _exit(PAM_AUTHINFO_UNAVAIL); ++ } ++ } ++ ++ /* exec binary helper */ ++ args[0] = strdup(CHKPWD_HELPER); ++ args[1] = x_strdup(user); ++ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ const void *uttyname; ++ retval = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval != PAM_SUCCESS || uttyname == NULL ++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ { ++ nullok = 0; ++ } ++ } ++ ++ if (nullok) { ++ args[2]=strdup("nullok"); ++ } else { ++ args[2]=strdup("nonull"); ++ } ++ ++ execve(CHKPWD_HELPER, args, envp); ++ ++ /* should not get here: exit with error */ ++ D(("helper binary is not available")); ++ _exit(PAM_AUTHINFO_UNAVAIL); ++ } else if (child > 0) { ++ /* wait for child */ ++ /* if the stored password is NULL */ ++ int rc=0; ++ if (passwd != NULL) { /* send the password to the child */ ++ if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); ++ retval = PAM_AUTH_ERR; ++ } ++ passwd = NULL; ++ } else { /* blank password */ ++ if (write(fds[1], "", 1) == -1) { ++ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); ++ retval = PAM_AUTH_ERR; ++ } ++ } ++ close(fds[0]); /* close here to avoid possible SIGPIPE above */ ++ close(fds[1]); ++ /* wait for helper to complete: */ ++ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); ++ if (rc<0) { ++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd waitpid returned %d: %m", rc); ++ retval = PAM_AUTH_ERR; ++ } else if (!WIFEXITED(retval)) { ++ pam_syslog(pamh, LOG_ERR, "pam_extrausers_chkpwd abnormal exit: %d", retval); ++ retval = PAM_AUTH_ERR; ++ } else { ++ retval = WEXITSTATUS(retval); ++ } ++ } else { ++ D(("fork failed")); ++ close(fds[0]); ++ close(fds[1]); ++ retval = PAM_AUTH_ERR; ++ } ++ ++ if (off(UNIX_NOREAP, ctrl)) { ++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ ++ } ++ ++ D(("returning %d", retval)); ++ 
return retval; ++} ++ ++/* ++ * _unix_blankpasswd() is a quick check for a blank password ++ * ++ * returns TRUE if user does not have a password ++ * - to avoid prompting for one in such cases (CG) ++ */ ++ ++int ++_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) ++{ ++ struct passwd *pwd = NULL; ++ char *salt = NULL; ++ int retval; ++ ++ D(("called")); ++ ++ /* ++ * This function does not have to be too smart if something goes ++ * wrong, return FALSE and let this case to be treated somewhere ++ * else (CG) ++ */ ++ ++ if (on(UNIX__NONULL, ctrl)) ++ return 0; /* will fail but don't let on yet */ ++ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ ++ /* UNIX passwords area */ ++ ++ retval = get_pwd_hash(pamh, name, &pwd, &salt); ++ ++ if (retval == PAM_UNIX_RUN_HELPER) { ++ /* salt will not be set here so we can return immediately */ ++ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) ++ return 1; ++ else ++ return 0; ++ } ++ ++ /* Does this user have a password? 
*/ ++ if (salt == NULL) { ++ retval = 0; ++ } else { ++ if (strlen(salt) == 0) ++ retval = 1; ++ else ++ retval = 0; ++ } ++ ++ /* tidy up */ ++ ++ if (salt) ++ _pam_delete(salt); ++ ++ return retval; ++} ++ ++int _unix_verify_password(pam_handle_t * pamh, const char *name ++ ,const char *p, unsigned int ctrl) ++{ ++ struct passwd *pwd = NULL; ++ char *salt = NULL; ++ char *data_name; ++ int retval; ++ ++ ++ D(("called")); ++ ++#ifdef HAVE_PAM_FAIL_DELAY ++ if (off(UNIX_NODELAY, ctrl)) { ++ D(("setting delay")); ++ (void) pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ ++ } ++#endif ++ ++ /* locate the entry for this user */ ++ ++ D(("locating user's record")); ++ ++ retval = get_pwd_hash(pamh, name, &pwd, &salt); ++ ++ data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name)); ++ if (data_name == NULL) { ++ pam_syslog(pamh, LOG_CRIT, "no memory for data-name"); ++ } else { ++ strcpy(data_name, FAIL_PREFIX); ++ strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name); ++ } ++ ++ if (retval != PAM_SUCCESS) { ++ if (retval == PAM_UNIX_RUN_HELPER) { ++ D(("running helper binary")); ++ retval = _unix_run_helper_binary(pamh, p, ctrl, name); ++ } else { ++ D(("user's record unavailable")); ++ p = NULL; ++ if (on(UNIX_AUDIT, ctrl)) { ++ /* this might be a typo and the user has given a password ++ instead of a username. Careful with this. 
*/ ++ pam_syslog(pamh, LOG_WARNING, ++ "check pass; user (%s) unknown", name); ++ } else { ++ name = NULL; ++ if (on(UNIX_DEBUG, ctrl) || pwd == NULL) { ++ pam_syslog(pamh, LOG_WARNING, ++ "check pass; user unknown"); ++ } else { ++ /* don't log failure as another pam module can succeed */ ++ goto cleanup; ++ } ++ } ++ } ++ } else { ++ retval = verify_pwd_hash(p, salt, ++ _unix_blankpasswd(pamh, ctrl, name)); ++ } ++ ++ if (retval == PAM_SUCCESS) { ++ if (data_name) /* reset failures */ ++ pam_set_data(pamh, data_name, NULL, _cleanup_failures); ++ } else { ++ if (data_name != NULL) { ++ struct _pam_failed_auth *new = NULL; ++ const struct _pam_failed_auth *old = NULL; ++ ++ /* get a failure recorder */ ++ ++ new = (struct _pam_failed_auth *) ++ malloc(sizeof(struct _pam_failed_auth)); ++ ++ if (new != NULL) { ++ ++ const char *login_name; ++ const void *void_old; ++ ++ ++ login_name = pam_modutil_getlogin(pamh); ++ if (login_name == NULL) { ++ login_name = ""; ++ } ++ ++ new->user = x_strdup(name ? name : ""); ++ new->uid = getuid(); ++ new->euid = geteuid(); ++ new->name = x_strdup(login_name); ++ ++ /* any previous failures for this user ? */ ++ if (pam_get_data(pamh, data_name, &void_old) ++ == PAM_SUCCESS) ++ old = void_old; ++ else ++ old = NULL; ++ ++ if (old != NULL) { ++ new->count = old->count + 1; ++ if (new->count >= UNIX_MAX_RETRIES) { ++ retval = PAM_MAXTRIES; ++ } ++ } else { ++ const void *service=NULL; ++ const void *ruser=NULL; ++ const void *rhost=NULL; ++ const void *tty=NULL; ++ ++ (void) pam_get_item(pamh, PAM_SERVICE, ++ &service); ++ (void) pam_get_item(pamh, PAM_RUSER, ++ &ruser); ++ (void) pam_get_item(pamh, PAM_RHOST, ++ &rhost); ++ (void) pam_get_item(pamh, PAM_TTY, ++ &tty); ++ ++ pam_syslog(pamh, LOG_NOTICE, ++ "authentication failure; " ++ "logname=%s uid=%d euid=%d " ++ "tty=%s ruser=%s rhost=%s " ++ "%s%s", ++ new->name, new->uid, new->euid, ++ tty ? (const char *)tty : "", ++ ruser ? (const char *)ruser : "", ++ rhost ? 
(const char *)rhost : "", ++ (new->user && new->user[0] != '\0') ++ ? " user=" : "", ++ new->user ++ ); ++ new->count = 1; ++ } ++ ++ pam_set_data(pamh, data_name, new, _cleanup_failures); ++ ++ } else { ++ pam_syslog(pamh, LOG_CRIT, ++ "no memory for failure recorder"); ++ } ++ } ++ } ++ ++cleanup: ++ if (data_name) ++ _pam_delete(data_name); ++ if (salt) ++ _pam_delete(salt); ++ ++ D(("done [%d].", retval)); ++ ++ return retval; ++} ++ ++/* ++ * obtain a password from the user ++ */ ++ ++int _unix_read_password(pam_handle_t * pamh ++ ,unsigned int ctrl ++ ,const char *comment ++ ,const char *prompt1 ++ ,const char *prompt2 ++ ,const char *data_name ++ ,const void **pass) ++{ ++ int authtok_flag; ++ int retval = PAM_SUCCESS; ++ char *token; ++ ++ D(("called")); ++ ++ /* ++ * make sure nothing inappropriate gets returned ++ */ ++ ++ *pass = token = NULL; ++ ++ /* ++ * which authentication token are we getting? ++ */ ++ ++ authtok_flag = on(UNIX__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK; ++ ++ /* ++ * should we obtain the password from a PAM item ? ++ */ ++ ++ if (on(UNIX_TRY_FIRST_PASS, ctrl) || on(UNIX_USE_FIRST_PASS, ctrl)) { ++ retval = pam_get_item(pamh, authtok_flag, pass); ++ if (retval != PAM_SUCCESS) { ++ /* very strange. */ ++ pam_syslog(pamh, LOG_ALERT, ++ "pam_get_item returned error to unix-read-password" ++ ); ++ return retval; ++ } else if (*pass != NULL) { /* we have a password! */ ++ return PAM_SUCCESS; ++ } else if (on(UNIX_USE_AUTHTOK, ctrl) ++ && off(UNIX__OLD_PASSWD, ctrl)) { ++ return PAM_AUTHTOK_ERR; ++ } else if (on(UNIX_USE_FIRST_PASS, ctrl)) { ++ return PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */ ++ } ++ } ++ /* ++ * getting here implies we will have to get the password from the ++ * user directly. 
++ */ ++ ++ { ++ int replies=1; ++ char *resp[2] = { NULL, NULL }; ++ ++ if (comment != NULL && off(UNIX__QUIET, ctrl)) { ++ retval = pam_info(pamh, "%s", comment); ++ } ++ ++ if (retval == PAM_SUCCESS) { ++ retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, ++ &resp[0], "%s", prompt1); ++ ++ if (retval == PAM_SUCCESS && prompt2 != NULL) { ++ retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, ++ &resp[1], "%s", prompt2); ++ ++replies; ++ } ++ } ++ ++ if (resp[0] != NULL && resp[replies-1] != NULL) { ++ /* interpret the response */ ++ ++ if (retval == PAM_SUCCESS) { /* a good conversation */ ++ ++ token = resp[0]; ++ if (token != NULL) { ++ if (replies == 2) { ++ /* verify that password entered correctly */ ++ if (strcmp(token, resp[replies - 1])) { ++ /* mistyped */ ++ retval = PAM_AUTHTOK_RECOVERY_ERR; ++ _make_remark(pamh, ctrl, ++ PAM_ERROR_MSG, MISTYPED_PASS); ++ } ++ } ++ } else { ++ pam_syslog(pamh, LOG_NOTICE, ++ "could not recover authentication token"); ++ } ++ ++ } ++ ++ } else { ++ retval = (retval == PAM_SUCCESS) ++ ? PAM_AUTHTOK_RECOVERY_ERR : retval; ++ } ++ ++ resp[0] = NULL; ++ if (replies > 1) ++ _pam_delete(resp[1]); ++ } ++ ++ if (retval != PAM_SUCCESS) { ++ _pam_delete(token); ++ ++ if (on(UNIX_DEBUG, ctrl)) ++ pam_syslog(pamh, LOG_DEBUG, ++ "unable to obtain a password"); ++ return retval; ++ } ++ /* 'token' is the entered password */ ++ ++ if (off(UNIX_NOT_SET_PASS, ctrl)) { ++ ++ /* we store this password as an item */ ++ ++ retval = pam_set_item(pamh, authtok_flag, token); ++ _pam_delete(token); /* clean it up */ ++ if (retval != PAM_SUCCESS ++ || (retval = pam_get_item(pamh, authtok_flag, pass)) ++ != PAM_SUCCESS) { ++ ++ *pass = NULL; ++ pam_syslog(pamh, LOG_CRIT, "error manipulating password"); ++ return retval; ++ ++ } ++ } else { ++ /* ++ * then store it as data specific to this module. pam_end() ++ * will arrange to clean it up. 
++ */ ++ ++ retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); ++ if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_CRIT, ++ "error manipulating password data [%s]", ++ pam_strerror(pamh, retval)); ++ _pam_delete(token); ++ return retval; ++ } ++ *pass = token; ++ token = NULL; /* break link to password */ ++ } ++ ++ return PAM_SUCCESS; ++} ++ ++/* ****************************************************************** * ++ * Copyright (c) Jan Rêkorajski 1999. ++ * Copyright (c) Andrew G. Morgan 1996-8. ++ * Copyright (c) Alex O. Yuriev, 1996. ++ * Copyright (c) Cristian Gafton 1996. ++ * Copyright (c) Red Hat, Inc. 2007. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ +Index: pam-1.1.8/modules/pam_extrausers/support.h +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/support.h +@@ -0,0 +1,182 @@ ++/* ++ * $Id$ ++ */ ++ ++#ifndef _PAM_UNIX_SUPPORT_H ++#define _PAM_UNIX_SUPPORT_H ++ ++#include ++ ++/* ++ * File to read value of ENCRYPT_METHOD from. ++ */ ++#define LOGIN_DEFS "/etc/login.defs" ++ ++ ++/* ++ * here is the string to inform the user that the new passwords they ++ * typed were not the same. ++ */ ++ ++#define MISTYPED_PASS "Sorry, passwords do not match" ++ ++/* type definition for the control options */ ++ ++typedef struct { ++ const char *token; ++ unsigned int mask; /* shall assume 32 bits of flags */ ++ unsigned int flag; ++ unsigned int is_hash_algo; ++} UNIX_Ctrls; ++ ++/* ++ * macro to determine if a given flag is on ++ */ ++ ++#define on(x,ctrl) (unix_args[x].flag & ctrl) ++ ++/* ++ * macro to determine that a given flag is NOT on ++ */ ++ ++#define off(x,ctrl) (!on(x,ctrl)) ++ ++/* ++ * macro to turn on/off a ctrl flag manually ++ */ ++ ++#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag) ++#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag)) ++ ++/* the generic mask */ ++ ++#define _ALL_ON_ (~0U) ++ ++/* end of macro definitions definitions for the control flags */ ++ ++/* ****************************************************************** * ++ * ctrl flags proper.. 
++ */ ++ ++/* ++ * here are the various options recognized by the unix module. They ++ * are enumerated here and then defined below. Internal arguments are ++ * given NULL tokens. ++ */ ++ ++#define UNIX__OLD_PASSWD 0 /* internal */ ++#define UNIX__VERIFY_PASSWD 1 /* internal */ ++#define UNIX__IAMROOT 2 /* internal */ ++ ++#define UNIX_AUDIT 3 /* print more things than debug.. ++ some information may be sensitive */ ++#define UNIX_USE_FIRST_PASS 4 ++#define UNIX_TRY_FIRST_PASS 5 ++#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */ ++ ++#define UNIX__PRELIM 7 /* internal */ ++#define UNIX__UPDATE 8 /* internal */ ++#define UNIX__NONULL 9 /* internal */ ++#define UNIX__QUIET 10 /* internal */ ++#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */ ++#define UNIX_SHADOW 12 /* signal shadow on */ ++#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */ ++#define UNIX__NULLOK 14 /* Null token ok */ ++#define UNIX_DEBUG 15 /* send more info to syslog(3) */ ++#define UNIX_NODELAY 16 /* admin does not want a fail-delay */ ++#define UNIX_NIS 17 /* wish to use NIS for pwd */ ++#define UNIX_BIGCRYPT 18 /* use DEC-C2 crypt()^x function */ ++#define UNIX_LIKE_AUTH 19 /* need to auth for setcred to work */ ++#define UNIX_REMEMBER_PASSWD 20 /* Remember N previous passwords */ ++#define UNIX_NOREAP 21 /* don't reap child process */ ++#define UNIX_BROKEN_SHADOW 22 /* ignore errors reading password aging ++ * information during acct management */ ++#define UNIX_SHA256_PASS 23 /* new password hashes will use SHA256 */ ++#define UNIX_SHA512_PASS 24 /* new password hashes will use SHA512 */ ++#define UNIX_ALGO_ROUNDS 25 /* optional number of rounds for new ++ password hash algorithms */ ++#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ ++#define UNIX_MIN_PASS_LEN 27 /* min length for password */ ++#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ ++#define UNIX_NULLOK_SECURE 29 /* NULL passwords allowed only 
on secure ttys */ ++/* -------------- */ ++#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ ++ ++#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) ++ ++static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = ++{ ++/* symbol token name ctrl mask ctrl * ++ * ----------------------- ------------------- --------------------- -------- */ ++ ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20, 0}, ++/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x2C22000), 0x2000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2C22000), 0x20000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x2C22000), 0x400000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 
0x1000000, 0}, ++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0}, ++}; ++ ++#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) ++ ++#define MAX_FD_NO 2000000 ++ ++/* use this to free strings. ESPECIALLY password strings */ ++ ++#define _pam_delete(xx) \ ++{ \ ++ _pam_overwrite(xx); \ ++ _pam_drop(xx); \ ++} ++ ++extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl ++ ,int type, const char *text); ++extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds, ++ int *pass_min_len, int argc, const char **argv); ++extern int _unix_getpwnam (pam_handle_t *pamh, ++ const char *name, int files, int nis, ++ struct passwd **ret); ++extern int _unix_comesfromsource (pam_handle_t *pamh, ++ const char *name, int files, int nis); ++extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl, ++ const char *name); ++extern int _unix_verify_password(pam_handle_t * pamh, const char *name ++ ,const char *p, unsigned int ctrl); ++extern int _unix_read_password(pam_handle_t * pamh ++ ,unsigned int ctrl ++ ,const char *comment ++ ,const char *prompt1 ++ ,const char *prompt2 ++ ,const char *data_name ++ ,const void **pass); ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++extern int _unix_run_verify_binary(pam_handle_t *pamh, ++ unsigned int ctrl, const char *user, int *daysleft); ++#endif /* _PAM_UNIX_SUPPORT_H */ +Index: pam-1.1.8/modules/pam_extrausers/unix_chkpwd.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/unix_chkpwd.c +@@ -0,0 +1,239 @@ ++/* ++ * This program is designed to run setuid(root) or with sufficient ++ * privilege to read all of the unix password databases. 
It is designed ++ * to provide a mechanism for the current user (defined by this ++ * process' uid) to verify their own password. ++ * ++ * The password is read from the standard input. The exit status of ++ * this program indicates whether the user is authenticated or not. ++ * ++ * Copyright information is located at the end of the file. ++ * ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef HAVE_LIBAUDIT ++#include ++#endif ++ ++#include ++#include ++ ++#include "passverify.h" ++ ++static int _check_expiry(const char *uname) ++{ ++ struct spwd *spent; ++ struct passwd *pwent; ++ int retval; ++ int daysleft; ++ ++ retval = get_account_info(uname, &pwent, &spent); ++ if (retval != PAM_SUCCESS) { ++ helper_log_err(LOG_ALERT, "could not obtain user info (%s)", uname); ++ printf("-1\n"); ++ return retval; ++ } ++ ++ if (spent == NULL) { ++ printf("-1\n"); ++ return retval; ++ } ++ ++ retval = check_shadow_expiry(spent, &daysleft); ++ printf("%d\n", daysleft); ++ return retval; ++} ++ ++#ifdef HAVE_LIBAUDIT ++static int _audit_log(int type, const char *uname, int rc) ++{ ++ int audit_fd; ++ ++ audit_fd = audit_open(); ++ if (audit_fd < 0) { ++ /* You get these error codes only when the kernel doesn't have ++ * audit compiled in. */ ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return PAM_SUCCESS; ++ ++ helper_log_err(LOG_CRIT, "audit_open() failed: %m"); ++ return PAM_AUTH_ERR; ++ } ++ ++ rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:pam_extrausers_chkpwd", ++ uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS); ++ if (rc == -EPERM && geteuid() != 0) { ++ rc = 0; ++ } ++ ++ audit_close(audit_fd); ++ ++ return rc < 0 ? 
PAM_AUTH_ERR : PAM_SUCCESS; ++} ++#endif ++ ++int main(int argc, char *argv[]) ++{ ++ char pass[MAXPASS + 1]; ++ char *option; ++ int npass, nullok; ++ int blankpass = 0; ++ int retval = PAM_AUTH_ERR; ++ char *user; ++ char *passwords[] = { pass }; ++ ++ /* ++ * Catch or ignore as many signal as possible. ++ */ ++ setup_signals(); ++ ++ /* ++ * we establish that this program is running with non-tty stdin. ++ * this is to discourage casual use. It does *NOT* prevent an ++ * intruder from repeatadly running this program to determine the ++ * password of the current user (brute force attack, but one for ++ * which the attacker must already have gained access to the user's ++ * account). ++ */ ++ ++ if (isatty(STDIN_FILENO) || argc != 3 ) { ++ helper_log_err(LOG_NOTICE ++ ,"inappropriate use of Unix helper binary [UID=%d]" ++ ,getuid()); ++#ifdef HAVE_LIBAUDIT ++ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); ++#endif ++ fprintf(stderr ++ ,"This binary is not designed for running in this way\n" ++ "-- the system administrator has been informed\n"); ++ sleep(10); /* this should discourage/annoy the user */ ++ return PAM_SYSTEM_ERR; ++ } ++ ++ /* ++ * Determine what the current user's name is. ++ * We must thus skip the check if the real uid is 0. 
++ */ ++ if (getuid() == 0) { ++ user=argv[1]; ++ } ++ else { ++ user = getuidname(getuid()); ++ /* if the caller specifies the username, verify that user ++ matches it */ ++ if (strcmp(user, argv[1])) { ++ gid_t gid = getgid(); ++ user = argv[1]; ++ /* no match -> permanently change to the real user and proceed */ ++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) ++ return PAM_AUTH_ERR; ++ } ++ } ++ ++ option=argv[2]; ++ ++ if (strcmp(option, "chkexpiry") == 0) ++ /* Check account information from the shadow file */ ++ return _check_expiry(argv[1]); ++ /* read the nullok/nonull option */ ++ else if (strcmp(option, "nullok") == 0) ++ nullok = 1; ++ else if (strcmp(option, "nonull") == 0) ++ nullok = 0; ++ else { ++#ifdef HAVE_LIBAUDIT ++ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); ++#endif ++ return PAM_SYSTEM_ERR; ++ } ++ /* read the password from stdin (a pipe from the pam_unix module) */ ++ ++ npass = read_passwords(STDIN_FILENO, 1, passwords); ++ ++ if (npass != 1) { /* is it a valid password? */ ++ helper_log_err(LOG_DEBUG, "no password supplied"); ++ *pass = '\0'; ++ } ++ ++ if (*pass == '\0') { ++ blankpass = 1; ++ } ++ ++ retval = helper_verify_password(user, pass, nullok); ++ ++ memset(pass, '\0', MAXPASS); /* clear memory of the password */ ++ ++ /* return pass or fail */ ++ ++ if (retval != PAM_SUCCESS) { ++ if (!nullok || !blankpass) { ++ /* no need to log blank pass test */ ++#ifdef HAVE_LIBAUDIT ++ if (getuid() != 0) ++ _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR); ++#endif ++ helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user); ++ } ++ return PAM_AUTH_ERR; ++ } else { ++ if (getuid() != 0) { ++#ifdef HAVE_LIBAUDIT ++ return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS); ++#else ++ return PAM_SUCCESS; ++#endif ++ } ++ return PAM_SUCCESS; ++ } ++} ++ ++/* ++ * Copyright (c) Andrew G. Morgan, 1996. All rights reserved ++ * Copyright (c) Red Hat, Inc., 2007,2008. 
All rights reserved ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ +Index: pam-1.1.8/modules/pam_extrausers/unix_update.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/unix_update.c +@@ -0,0 +1,191 @@ ++/* ++ * This program is designed to run with sufficient privilege ++ * to read and write all of the unix password databases. ++ * Its purpose is to allow updating the databases when ++ * SELinux confinement of the caller domain prevents them to ++ * do that themselves. ++ * ++ * The password is read from the standard input. The exit status of ++ * this program indicates whether the password was updated or not. ++ * ++ * Copyright information is located at the end of the file. ++ * ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include "passverify.h" ++ ++static int ++set_password(const char *forwho, const char *shadow, const char *remember) ++{ ++ struct passwd *pwd = NULL; ++ int retval; ++ char pass[MAXPASS + 1]; ++ char towhat[MAXPASS + 1]; ++ int npass = 0; ++ /* we don't care about number format errors because the helper ++ should be called internally only */ ++ int doshadow = atoi(shadow); ++ int nremember = atoi(remember); ++ char *passwords[] = { pass, towhat }; ++ ++ /* read the password from stdin (a pipe from the pam_unix module) */ ++ ++ npass = read_passwords(STDIN_FILENO, 2, passwords); ++ ++ if (npass != 2) { /* is it a valid password? 
*/ ++ if (npass == 1) { ++ helper_log_err(LOG_DEBUG, "no new password supplied"); ++ memset(pass, '\0', MAXPASS); ++ } else { ++ helper_log_err(LOG_DEBUG, "no valid passwords supplied"); ++ } ++ return PAM_AUTHTOK_ERR; ++ } ++ ++ if (lock_pwdf() != PAM_SUCCESS) ++ return PAM_AUTHTOK_LOCK_BUSY; ++ ++ pwd = getpwnam(forwho); ++ ++ if (pwd == NULL) { ++ retval = PAM_USER_UNKNOWN; ++ goto done; ++ } ++ ++ /* If real caller uid is not root we must verify that ++ received old pass agrees with the current one. ++ We always allow change from null pass. */ ++ if (getuid()) { ++ retval = helper_verify_password(forwho, pass, 1); ++ if (retval != PAM_SUCCESS) { ++ goto done; ++ } ++ } ++ ++ /* first, save old password */ ++ if (save_old_password(forwho, pass, nremember)) { ++ retval = PAM_AUTHTOK_ERR; ++ goto done; ++ } ++ ++ if (doshadow || is_pwd_shadowed(pwd)) { ++ retval = unix_update_shadow(forwho, towhat); ++ if (retval == PAM_SUCCESS) ++ if (!is_pwd_shadowed(pwd)) ++ retval = unix_update_passwd(forwho, "x"); ++ } else { ++ retval = unix_update_passwd(forwho, towhat); ++ } ++ ++done: ++ memset(pass, '\0', MAXPASS); ++ memset(towhat, '\0', MAXPASS); ++ ++ unlock_pwdf(); ++ ++ if (retval == PAM_SUCCESS) { ++ return PAM_SUCCESS; ++ } else { ++ return PAM_AUTHTOK_ERR; ++ } ++} ++ ++int main(int argc, char *argv[]) ++{ ++ char *option; ++ ++ /* ++ * Catch or ignore as many signal as possible. ++ */ ++ setup_signals(); ++ ++ /* ++ * we establish that this program is running with non-tty stdin. ++ * this is to discourage casual use. It does *NOT* prevent an ++ * intruder from repeatadly running this program to determine the ++ * password of the current user (brute force attack, but one for ++ * which the attacker must already have gained access to the user's ++ * account). 
++ */ ++ ++ if (isatty(STDIN_FILENO) || argc != 5 ) { ++ helper_log_err(LOG_NOTICE ++ ,"inappropriate use of Unix helper binary [UID=%d]" ++ ,getuid()); ++ fprintf(stderr ++ ,"This binary is not designed for running in this way\n" ++ "-- the system administrator has been informed\n"); ++ sleep(10); /* this should discourage/annoy the user */ ++ return PAM_SYSTEM_ERR; ++ } ++ ++ /* We must be root to read/update shadow. ++ */ ++ if (geteuid() != 0) { ++ return PAM_CRED_INSUFFICIENT; ++ } ++ ++ option = argv[2]; ++ ++ if (strcmp(option, "update") == 0) { ++ /* Attempting to change the password */ ++ return set_password(argv[1], argv[3], argv[4]); ++ } ++ ++ return PAM_SYSTEM_ERR; ++} ++ ++/* ++ * Copyright (c) Andrew G. Morgan, 1996. All rights reserved ++ * Copyright (c) Red Hat, Inc., 2007, 2008. All rights reserved ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) 
++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ +Index: pam-1.1.8/modules/pam_extrausers/yppasswd.h +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/yppasswd.h +@@ -0,0 +1,51 @@ ++/* ++ * yppasswdd ++ * Copyright 1994, 1995, 1996 Olaf Kirch, ++ * ++ * This program is covered by the GNU General Public License, version 2 ++ * or later. It is provided in the hope that it is useful. However, the author ++ * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. ++ * ++ * This file was generated automatically by rpcgen from yppasswd.x, and ++ * editied manually. ++ */ ++ ++#ifndef _YPPASSWD_H_ ++#define _YPPASSWD_H_ ++ ++#define YPPASSWDPROG ((u_long)100009) ++#define YPPASSWDVERS ((u_long)1) ++#define YPPASSWDPROC_UPDATE ((u_long)1) ++ ++/* ++ * The password struct passed by the update call. I renamed it to ++ * xpasswd to avoid a type clash with the one defined in . ++ */ ++#ifndef __sgi ++typedef struct xpasswd { ++ char *pw_name; ++ char *pw_passwd; ++ int pw_uid; ++ int pw_gid; ++ char *pw_gecos; ++ char *pw_dir; ++ char *pw_shell; ++} xpasswd; ++ ++#else ++#include ++typedef struct xpasswd xpasswd; ++#endif ++ ++/* The updated password information, plus the old password. 
++ */ ++typedef struct yppasswd { ++ char *oldpass; ++ xpasswd newpw; ++} yppasswd; ++ ++/* XDR encoding/decoding routines */ ++bool_t xdr_xpasswd(XDR * xdrs, xpasswd * objp); ++bool_t xdr_yppasswd(XDR * xdrs, yppasswd * objp); ++ ++#endif /* _YPPASSWD_H_ */ +Index: pam-1.1.8/modules/pam_extrausers/yppasswd_xdr.c +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/yppasswd_xdr.c +@@ -0,0 +1,40 @@ ++/* ++ * yppasswdd ++ * Copyright 1994, 1995, 1996 Olaf Kirch, ++ * ++ * This program is covered by the GNU General Public License, version 2 ++ * or later. It is provided in the hope that it is useful. However, the author ++ * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. ++ * ++ * This file was generated automatically by rpcgen from yppasswd.x, and ++ * editied manually. ++ */ ++ ++#include "config.h" ++ ++#ifdef HAVE_RPC_RPC_H ++ ++#include ++#include "yppasswd.h" ++ ++bool_t ++xdr_xpasswd(XDR * xdrs, xpasswd * objp) ++{ ++ return xdr_string(xdrs, &objp->pw_name, ~0) ++ && xdr_string(xdrs, &objp->pw_passwd, ~0) ++ && xdr_int(xdrs, &objp->pw_uid) ++ && xdr_int(xdrs, &objp->pw_gid) ++ && xdr_string(xdrs, &objp->pw_gecos, ~0) ++ && xdr_string(xdrs, &objp->pw_dir, ~0) ++ && xdr_string(xdrs, &objp->pw_shell, ~0); ++} ++ ++ ++bool_t ++xdr_yppasswd(XDR * xdrs, yppasswd * objp) ++{ ++ return xdr_string(xdrs, &objp->oldpass, ~0) ++ && xdr_xpasswd(xdrs, &objp->newpw); ++} ++ ++#endif +Index: pam-1.1.8/modules/Makefile.am +=================================================================== +--- pam-1.1.8.orig/modules/Makefile.am ++++ pam-1.1.8/modules/Makefile.am +@@ -3,7 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ +- pam_env pam_exec pam_faildelay pam_filter pam_ftp \ ++ pam_env pam_exec pam_extrausers pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ + 
pam_mkhomedir pam_motd pam_namespace pam_nologin \ +Index: pam-1.1.8/configure.in +=================================================================== +--- pam-1.1.8.orig/configure.in ++++ pam-1.1.8/configure.in +@@ -607,6 +607,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + modules/pam_access/Makefile modules/pam_cracklib/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ ++ modules/pam_extrausers/Makefile \ + modules/pam_faildelay/Makefile \ + modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ + modules/pam_ftp/Makefile modules/pam_group/Makefile \ +Index: pam-1.1.8/modules/pam_extrausers/tst-pam_extrausers +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/tst-pam_extrausers +@@ -0,0 +1,2 @@ ++#!/bin/sh ++../../tests/tst-dlopen .libs/pam_extrausers.so +Index: pam-1.1.8/modules/pam_extrausers/pam_extrausers.8.xml +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_extrausers.8.xml +@@ -0,0 +1,488 @@ ++ ++ ++ ++ ++ ++ ++ pam_extrausers ++ 8 ++ Linux-PAM Manual ++ ++ ++ ++ pam_extrausers ++ Module for libnss-extrausers authentication ++ ++ ++ ++ ++ pam_extrausers.so ++ ++ ... ++ ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ ++ This is similar to the standard Unix authentication module pam_unix. ++ But instead of using /etc/passwd and /etc/shadow, it uses ++ /var/lib/extrausers/passwd and /var/lib/extrausers/shadow. ++ ++ ++ ++ The account component performs the task of establishing the status ++ of the user's account and password based on the following ++ shadow elements: expire, last_change, max_change, ++ min_change, warn_change. In the case of the latter, it may offer advice ++ to the user on changing their password or, through the ++ PAM_AUTHTOKEN_REQD return, delay ++ giving service to the user until they have established a new password. 
++ The entries listed above are documented in the ++ shadow5 ++ manual page. Should the user's record not contain ++ one or more of these entries, the corresponding ++ shadow check is not performed. ++ ++ ++ ++ The authentication component performs the task of checking the ++ users credentials (password). The default action of this module ++ is to not permit the user access to a service if their official ++ password is blank. ++ ++ ++ ++ The password component of this module performs the task of updating ++ the user's password. The default encryption hash is taken from the ++ ENCRYPT_METHOD variable from ++ /etc/login.defs ++ ++ ++ ++ The session component of this module logs when a user logins ++ or leave the system. ++ ++ ++ ++ Remaining arguments, supported by others functions of this ++ module, are silently ignored. Other arguments are logged as ++ errors through ++ syslog3 ++ . ++ ++ ++ ++ ++ ++ OPTIONS ++ ++ ++ ++ ++ ++ ++ ++ Turns on debugging via ++ ++ syslog3 ++ . ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ A little more extreme than debug. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Before prompting the user for their password, the module first ++ tries the previous stacked module's password in case that ++ satisfies this module as well. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The argument forces the module ++ to use a previous stacked modules password and will never prompt ++ the user - if no password is available or the password is not ++ appropriate, the user will be denied access. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ This argument can be used to discourage the authentication ++ component from requesting a delay should the authentication ++ as a whole fail. The default action is for the module to ++ request a delay-on-failure of the order of two second. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When password changing enforce the module to set the new ++ password to the one provided by a previously stacked ++ module (this is used in the ++ example of the stacking of the pam_cracklib ++ module documented below). ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ This argument is used to inform the module that it is not to ++ pay attention to/make available the old or new passwords from/to ++ other (stacked) password modules. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ NIS RPC is used for setting new passwords. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The last n passwords for each ++ user are saved in /etc/security/opasswd ++ in order to force password change history and keep the user ++ from alternating between the same password too frequently. ++ Instead of this option the pam_pwhistory ++ module should be used. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Try to maintain a shadow based system. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, encrypt ++ it with the MD5 algorithm. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, ++ encrypt it with the DEC C2 algorithm. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, ++ encrypt it with the SHA256 algorithm. If the ++ SHA256 algorithm is not known to the ++ crypt3 ++ function, ++ fall back to MD5. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, ++ encrypt it with the SHA512 algorithm. 
If the ++ SHA512 algorithm is not known to the ++ crypt3 ++ function, ++ fall back to MD5. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ When a user changes their password next, ++ encrypt it with the blowfish algorithm. If the ++ blowfish algorithm is not known to the ++ crypt3 ++ function, ++ fall back to MD5. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Set the optional number of rounds of the SHA256, SHA512 ++ and blowfish password hashing algorithms to ++ n. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Ignore errors reading shadow information for ++ users in the account management module. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Set a minimum password length of n ++ characters. The default value is 6. The maximum for DES ++ crypt-based passwords is 8 characters. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Enable some extra checks on password strength. These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't too much like ++ the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Invalid arguments are logged with ++ syslog3 ++ . ++ ++ ++ ++ ++ MODULE TYPES PROVIDED ++ ++ All module types (, , ++ and ) are provided. ++ ++ ++ ++ ++ RETURN VALUES ++ ++ ++ PAM_IGNORE ++ ++ ++ Ignore this module. 
++ ++ ++ ++ ++ ++ ++ ++ EXAMPLES ++ ++ An example usage for /etc/pam.d/common-password ++ might be: ++ ++password [success=2 default=ignore] pam_extrausers.so obscure sha512 ++password [success=1 default=ignore] pam_unix.so obscure sha512 ++# here's the fallback if no module succeeds ++password requisite pam_deny.so ++# prime the stack with a positive return value if there isn't one already; ++# this avoids us returning an error just because nothing sets a success code ++# since the modules above will each just jump around ++password required pam_permit.so ++# and here are more per-package modules (the "Additional" block) ++password optional pam_gnome_keyring.so ++password optional pam_ecryptfs.so ++ ++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ login.defs5 ++ , ++ ++ pam.conf5 ++ , ++ ++ pam.d5 ++ , ++ ++ pam7 ++ ++ ++ ++ ++ ++ AUTHOR ++ ++ pam_extrausers was written by various people. ++ ++ ++ ++ +Index: pam-1.1.8/modules/pam_extrausers/pam_extrausers.8 +=================================================================== +--- /dev/null ++++ pam-1.1.8/modules/pam_extrausers/pam_extrausers.8 +@@ -0,0 +1,269 @@ ++'\" t ++.\" Title: pam_extrausers ++.\" Author: [see the "AUTHOR" section] ++.\" Generator: DocBook XSL Stylesheets v1.78.1 ++.\" Date: 07/22/2014 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM Manual ++.\" Language: English ++.\" ++.TH "PAM_EXTRAUSERS" "8" "07/22/2014" "Linux-PAM Manual" "Linux\-PAM Manual" ++.\" ----------------------------------------------------------------- ++.\" * Define some portability stuff ++.\" ----------------------------------------------------------------- ++.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++.\" http://bugs.debian.org/507673 ++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html ++.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++.ie \n(.g .ds Aq \(aq ++.el .ds Aq ' ++.\" ----------------------------------------------------------------- ++.\" * set default 
formatting ++.\" ----------------------------------------------------------------- ++.\" disable hyphenation ++.nh ++.\" disable justification (adjust text to left margin only) ++.ad l ++.\" ----------------------------------------------------------------- ++.\" * MAIN CONTENT STARTS HERE * ++.\" ----------------------------------------------------------------- ++.SH "NAME" ++pam_extrausers \- Module for libnss\-extrausers authentication ++.SH "SYNOPSIS" ++.HP \w'\fBpam_extrausers\&.so\fR\ 'u ++\fBpam_extrausers\&.so\fR [\&.\&.\&.] ++.SH "DESCRIPTION" ++.PP ++This is similar to the standard Unix authentication module pam_unix\&. But instead of using /etc/passwd and /etc/shadow, it uses /var/lib/extrausers/passwd and /var/lib/extrausers/shadow\&. ++.PP ++The account component performs the task of establishing the status of the user\*(Aqs account and password based on the following ++\fIshadow\fR ++elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the ++\fBPAM_AUTHTOKEN_REQD\fR ++return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the ++\fBshadow\fR(5) ++manual page\&. Should the user\*(Aqs record not contain one or more of these entries, the corresponding ++\fIshadow\fR ++check is not performed\&. ++.PP ++The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&. ++.PP ++The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the ++\fBENCRYPT_METHOD\fR ++variable from ++\fI/etc/login\&.defs\fR ++.PP ++The session component of this module logs when a user logins or leave the system\&. 
++.PP ++Remaining arguments, supported by others functions of this module, are silently ignored\&. Other arguments are logged as errors through ++\fBsyslog\fR(3)\&. ++.SH "OPTIONS" ++.PP ++\fBdebug\fR ++.RS 4 ++Turns on debugging via ++\fBsyslog\fR(3)\&. ++.RE ++.PP ++\fBaudit\fR ++.RS 4 ++A little more extreme than debug\&. ++.RE ++.PP ++\fBnullok\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The ++\fBnullok\fR ++argument overrides this default and allows any user with a blank password to access the service\&. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. ++.RE ++.PP ++\fBtry_first_pass\fR ++.RS 4 ++Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&. ++.RE ++.PP ++\fBuse_first_pass\fR ++.RS 4 ++The argument ++\fBuse_first_pass\fR ++forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. ++.RE ++.PP ++\fBnodelay\fR ++.RS 4 ++This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. 
++.RE ++.PP ++\fBuse_authtok\fR ++.RS 4 ++When password changing enforce the module to set the new password to the one provided by a previously stacked ++\fBpassword\fR ++module (this is used in the example of the stacking of the ++\fBpam_cracklib\fR ++module documented below)\&. ++.RE ++.PP ++\fBnot_set_pass\fR ++.RS 4 ++This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\&. ++.RE ++.PP ++\fBnis\fR ++.RS 4 ++NIS RPC is used for setting new passwords\&. ++.RE ++.PP ++\fBremember=\fR\fB\fIn\fR\fR ++.RS 4 ++The last ++\fIn\fR ++passwords for each user are saved in ++/etc/security/opasswd ++in order to force password change history and keep the user from alternating between the same password too frequently\&. Instead of this option the ++\fBpam_pwhistory\fR ++module should be used\&. ++.RE ++.PP ++\fBshadow\fR ++.RS 4 ++Try to maintain a shadow based system\&. ++.RE ++.PP ++\fBmd5\fR ++.RS 4 ++When a user changes their password next, encrypt it with the MD5 algorithm\&. ++.RE ++.PP ++\fBbigcrypt\fR ++.RS 4 ++When a user changes their password next, encrypt it with the DEC C2 algorithm\&. ++.RE ++.PP ++\fBsha256\fR ++.RS 4 ++When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the ++\fBcrypt\fR(3) ++function, fall back to MD5\&. ++.RE ++.PP ++\fBsha512\fR ++.RS 4 ++When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the ++\fBcrypt\fR(3) ++function, fall back to MD5\&. ++.RE ++.PP ++\fBblowfish\fR ++.RS 4 ++When a user changes their password next, encrypt it with the blowfish algorithm\&. If the blowfish algorithm is not known to the ++\fBcrypt\fR(3) ++function, fall back to MD5\&. 
++.RE ++.PP ++\fBrounds=\fR\fB\fIn\fR\fR ++.RS 4 ++Set the optional number of rounds of the SHA256, SHA512 and blowfish password hashing algorithms to ++\fIn\fR\&. ++.RE ++.PP ++\fBbroken_shadow\fR ++.RS 4 ++Ignore errors reading shadow information for users in the account management module\&. ++.RE ++.PP ++\fBminlen=\fR\fB\fIn\fR\fR ++.RS 4 ++Set a minimum password length of ++\fIn\fR ++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. ++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. ++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. ++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt too much like the previous one\&. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") ++.RE ++.sp ++.RE ++.PP ++Invalid arguments are logged with ++\fBsyslog\fR(3)\&. ++.SH "MODULE TYPES PROVIDED" ++.PP ++All module types (\fBaccount\fR, ++\fBauth\fR, ++\fBpassword\fR ++and ++\fBsession\fR) are provided\&. ++.SH "RETURN VALUES" ++.PP ++PAM_IGNORE ++.RS 4 ++Ignore this module\&. 
++.RE ++.SH "EXAMPLES" ++.PP ++An example usage for ++/etc/pam\&.d/common\-password ++would be: ++.sp ++.if n \{\ ++.RS 4 ++.\} ++.nf ++password [success=2 default=ignore] pam_extrausers\&.so obscure sha512 ++password [success=1 default=ignore] pam_unix\&.so obscure sha512 ++# here\*(Aqs the fallback if no module succeeds ++password requisite pam_deny\&.so ++# prime the stack with a positive return value if there isn\*(Aqt one already; ++# this avoids us returning an error just because nothing sets a success code ++# since the modules above will each just jump around ++password required pam_permit\&.so ++# and here are more per\-package modules (the "Additional" block) ++password optional pam_gnome_keyring\&.so ++password optional pam_ecryptfs\&.so ++ ++.fi ++.if n \{\ ++.RE ++.\} ++.sp ++.SH "SEE ALSO" ++.PP ++\fBlogin.defs\fR(5), ++\fBpam.conf\fR(5), ++\fBpam.d\fR(5), ++\fBpam\fR(7) ++.SH "AUTHOR" ++.PP ++pam_extrausers was written by various people\&. --- pam-1.1.8.orig/debian/patches-applied/hurd_no_setfsuid +++ pam-1.1.8/debian/patches-applied/hurd_no_setfsuid 
@@ -0,0 +1,77 @@ +On systems without setfsuid(), use setreuid() instead. + +Authors: Steve Langasek + +Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv + are implemented + +Index: pam.debian/libpam/pam_modutil_priv.c +=================================================================== +--- pam.debian.orig/libpam/pam_modutil_priv.c ++++ pam.debian/libpam/pam_modutil_priv.c +@@ -14,7 +14,9 @@ + #include + #include + #include ++#ifdef HAVE_SYS_FSUID_H + #include ++#endif /* HAVE_SYS_FSUID_H */ + + /* + * Two setfsuid() calls in a row are necessary to check +@@ -22,17 +24,55 @@ + */ + static int change_uid(uid_t uid, uid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + uid_t tmp = setfsuid(uid); + if (save) + *save = tmp; + return (uid_t) setfsuid(uid) == uid ? 0 : -1; ++#else ++ uid_t euid = geteuid(); ++ uid_t ruid = getuid(); ++ if (save) ++ *save = ruid; ++ if (ruid == uid && uid != 0) ++ if (setreuid(euid, uid)) ++ return -1; ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) ++ return -1; ++ } ++ } ++#endif + } + static int change_gid(gid_t gid, gid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + gid_t tmp = setfsgid(gid); + if (save) + *save = tmp; + return (gid_t) setfsgid(gid) == gid ? 0 : -1; ++#else ++ gid_t egid = getegid(); ++ gid_t rgid = getgid(); ++ if (save) ++ *save = rgid; ++ if (rgid == gid) ++ if (setregid(egid, gid)) ++ return -1; ++ else { ++ setregid(0, -1); ++ if (setregid(-1, gid)) { ++ setregid(-1, 0); ++ setregid(0, -1); ++ if (setregid(-1, gid)) ++ return -1; ++ } ++ } ++#endif + } + + static int cleanup(struct pam_modutil_privs *p) --- pam-1.1.8.orig/debian/patches-applied/lib_security_multiarch_compat +++ pam-1.1.8/debian/patches-applied/lib_security_multiarch_compat 
@@ -0,0 +1,71 @@ +Unqualified module paths should always be looked up in *both* the default +module dir, *and* the ISA dir. That's what paths are for. + +This lets us have a soft transition to multiarch for modules without having +to rewrite /etc/pam.d/ files or add ugly symlinks. + +Authors: Steve Langasek + +Upstream status: not ready to be committed - this needs tweaked, we're +currently abusing the existing variables and inverting their meaning in +order to get everything installed where we want it and get absolute paths +the way we want them. + +Index: multiarch/libpam/pam_handlers.c +=================================================================== +--- multiarch.orig/libpam/pam_handlers.c ++++ multiarch/libpam/pam_handlers.c +@@ -705,7 +705,26 @@ + } + #else + D(("_pam_load_module: _pam_dlopen(%s)", mod_path)); +- mod->dl_handle = _pam_dlopen(mod_path); ++ if (mod_path[0] == '/') { ++ mod->dl_handle = _pam_dlopen(mod_path); ++ } else { ++ if (asprintf(&mod_full_isa_path, "%s%s", ++ DEFAULT_MODULE_PATH, mod_path) >= 0) { ++ mod->dl_handle = _pam_dlopen(mod_full_isa_path); ++ _pam_drop(mod_full_isa_path); ++ } else { ++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); ++ } ++ if (!mod->dl_handle) { ++ if (asprintf(&mod_full_isa_path, "%s/%s", ++ _PAM_ISA, mod_path) >= 0) { ++ mod->dl_handle = _pam_dlopen(mod_full_isa_path); ++ _pam_drop(mod_full_isa_path); ++ } else { ++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); ++ } ++ } ++ } + D(("_pam_load_module: _pam_dlopen'ed")); + D(("_pam_load_module: dlopen'ed")); + if (mod->dl_handle == NULL) { +@@ -775,7 +794,6 @@ + struct handler **handler_p2; + struct handlers *the_handlers; + const char *sym, *sym2; +- char *mod_full_path; + servicefn func, func2; + int mod_type = PAM_MT_FAULTY_MOD; + +@@ -787,16 +805,7 @@ + + if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) && + mod_path != NULL) { +- if (mod_path[0] == '/') { +- mod = _pam_load_module(pamh, mod_path, 
handler_type); +- } else if (asprintf(&mod_full_path, "%s%s", +- DEFAULT_MODULE_PATH, mod_path) >= 0) { +- mod = _pam_load_module(pamh, mod_full_path, handler_type); +- _pam_drop(mod_full_path); +- } else { +- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); +- return PAM_ABORT; +- } ++ mod = _pam_load_module(pamh, mod_path, handler_type); + + if (mod == NULL) { + /* if we get here with NULL it means allocation error */ --- pam-1.1.8.orig/debian/patches-applied/lp1666203-tty-audit-failed-fix +++ pam-1.1.8/debian/patches-applied/lp1666203-tty-audit-failed-fix @@ -0,0 +1,24 @@ +Description: When pam_tty_audit is included in /etc/pam.d/common-sessions, users are unable to login. This patch resolves the issue. +Bug: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1666203 +Origin: https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee +Index: pam-1.1.8/modules/pam_tty_audit/pam_tty_audit.c +=================================================================== +--- pam-1.1.8.orig/modules/pam_tty_audit/pam_tty_audit.c ++++ pam-1.1.8/modules/pam_tty_audit/pam_tty_audit.c +@@ -36,6 +36,7 @@ + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. */ + ++#include "config.h" + #include + #include + #include +@@ -275,6 +276,8 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + ++ memcpy(&new_status, old_status, sizeof(new_status)); ++ + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; --- pam-1.1.8.orig/debian/patches-applied/no_PATH_MAX_on_hurd +++ pam-1.1.8/debian/patches-applied/no_PATH_MAX_on_hurd 
@@ -0,0 +1,22 @@ +Description: define PATH_MAX for compatibility when it's not already set + Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable + default value in this case. +Author: Steve Langasek +Bug-Debian: http://bugs.debian.org/552043 + +Index: pam.deb/tests/tst-dlopen.c +=================================================================== +--- pam.deb.orig/tests/tst-dlopen.c ++++ pam.deb/tests/tst-dlopen.c +@@ -16,6 +16,11 @@ + #include + #include + ++/* Hurd compatibility */ ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif ++ + /* Simple program to see if dlopen() would succeed. */ + int main(int argc, char **argv) + { --- pam-1.1.8.orig/debian/patches-applied/pam-limits-nofile-fd-setsize-cap +++ pam-1.1.8/debian/patches-applied/pam-limits-nofile-fd-setsize-cap 
@@ -0,0 +1,58 @@ +From: Robie Basak +Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE + +Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since +larger values can cause problems with fd_set overflow and systemd sets +itself higher. + +See: +https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html +http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/ +https://sourceware.org/bugzilla/show_bug.cgi?id=10352 +https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0 + +pam_limits reads the default limits from /proc/1/limits. Previously, +using upstart, this resulted in a 1024 nofile soft limit on Ubuntu +systems by default. Using systemd, this results in a limit of 65536 +instead. This is not the intention of systemd upstream. See systemd +commit 4096d6f for an explanation of systemd's behaviour. + +If we want to make such a change to the default distribution soft limit +in PAM, we should do it deliberately and carefully, not accidentally. A +change should consider what uses select(2) and might inadvertently (and +incorrectly) assume that file descriptors will always fit into an +fd_set, what vulnerabilities or crashes the change could consequently +create, and whether the protection now present with FORTIFY_SOURCE is +suitably enabled in all relevant builds. + +So this keeps the soft limit at 1024 for now. The hard limit will rise +to 65536 along with systemd. Anything that knows that it will not be +buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or +epoll(7) instead of select(2), can always raise the soft limit itself +without issue. + +20:54 slangasek: [...] I'm also not sure how to go about +upstreaming this as pam_limits seems to be heavily patched already. 
+ +Forwarded: no +Reviewed-by: Adam Conrad +Reviewed-by: Martin Pitt +Last-Update: 2015-04-22 + +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -439,6 +439,14 @@ static void parse_kernel_limits(pam_hand + pl->limits[i].src_hard = LIMITS_DEF_KERNEL; + } + fclose(limitsfile); ++ ++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE ++ * since larger values can cause problems with fd_set overflow and ++ * systemd sets itself higher. */ ++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL && ++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) { ++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE; ++ } + } + + static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) --- pam-1.1.8.orig/debian/patches-applied/pam-loginuid-in-containers +++ pam-1.1.8/debian/patches-applied/pam-loginuid-in-containers 
@@ -0,0 +1,146 @@ +Author: Stéphane Graber +Description: pam_loginuid: Ignore failure in user namespaces + When running pam_loginuid in a container using the user namespaces, even + uid 0 isn't allowed to set the loginuid property. + . + This change catches the EACCES from opening loginuid, checks if the user + is in the host namespace (by comparing the uid_map with the host's one) + and only if that's the case, sets rc to 1. + . + Should uid_map not exist or be unreadable for some reason, it'll be + assumed that the process is running on the host's namespace. + . + The initial reason behind this change was failure to ssh into an + unprivileged container (using a 3.13 kernel and current LXC) when using + a standard pam profile for sshd (which requires success from + pam_loginuid). + . + I believe this solution doesn't have any drawback and will allow people + to use unprivileged containers normally. An alternative would be to have + all distros set pam_loginuid as optional but that'd be bad for any of + the other potential failure case which people may care about. + . + There has also been some discussions to get some of the audit features + tied with the user namespaces but currently none of that has been merged + upstream and the currently proposed implementation doesn't cover + loginuid (nor is it clear how this should even work when loginuid is set + as immutable after initial write). + . + Signed-off-by: Steve Langasek + 
Signed-off-by: Dmitry V. Levin + +Index: ubuntu/modules/pam_loginuid/pam_loginuid.c +=================================================================== +--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000 ++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000 +@@ -47,25 +47,56 @@ + + /* + * This function writes the loginuid to the /proc system. It returns +- * 0 on success and 1 on failure. ++ * PAM_SUCCESS on success, ++ * PAM_IGNORE when /proc/self/loginuid does not exist, ++ * PAM_SESSION_ERR in case of any other error. + */ + static int set_loginuid(pam_handle_t *pamh, uid_t uid) + { +- int fd, count, rc = 0; +- char loginuid[24]; ++ int fd, count, rc = PAM_SESSION_ERR; ++ char loginuid[24], buf[24]; ++ static const char host_uid_map[] = " 0 0 4294967295\n"; ++ char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). 
*/ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } + +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); ++ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); + if (fd < 0) { +- if (errno != ENOENT) { +- rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); ++ if (errno == ENOENT) { ++ rc = PAM_IGNORE; ++ } ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); + } + return rc; + } +- if (pam_modutil_write(fd, loginuid, count) != count) +- rc = 1; ++ ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); ++ if (pam_modutil_read(fd, buf, sizeof(buf)) == count && ++ memcmp(buf, loginuid, count) == 0) { ++ rc = PAM_SUCCESS; ++ goto done; /* already correct */ ++ } ++ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && ++ pam_modutil_write(fd, loginuid, count) == count) { ++ rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } ++ done: + close(fd); + return rc; + } +@@ -165,6 +196,7 @@ + { + const char *user = NULL; + struct passwd *pwd; ++ int ret; + #ifdef HAVE_LIBAUDIT + int require_auditd = 0; + #endif +@@ -183,9 +215,14 @@ + return PAM_SESSION_ERR; + } + +- if (set_loginuid(pamh, pwd->pw_uid)) { +- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n"); +- return PAM_SESSION_ERR; ++ ret = set_loginuid(pamh, pwd->pw_uid); ++ switch (ret) { ++ case PAM_SUCCESS: ++ case PAM_IGNORE: ++ break; ++ default: ++ pam_syslog(pamh, LOG_ERR, "set_loginuid failed"); ++ return ret; + } + + #ifdef HAVE_LIBAUDIT +@@ -195,11 +232,12 @@ + argv++; + } + +- if (require_auditd) +- return check_auditd(); +- else ++ if (require_auditd) { ++ int 
rc = check_auditd(); ++ return rc != PAM_SUCCESS ? rc : ret; ++ } else + #endif +- return PAM_SUCCESS; ++ return ret; + } + + /* --- pam-1.1.8.orig/debian/patches-applied/pam_motd-legal-notice +++ pam-1.1.8/debian/patches-applied/pam_motd-legal-notice 
@@ -0,0 +1,86 @@ +Patch for Ubuntu bug #399071 + +Display the contents of /etc/legal as part of the MOTD, the first time the +user logs in, and set a flag in the user's homedir if possible to prevent +repeat displays. + +Authors: Dustin Kirkland + +Upstream status: Ubuntu-specific, maybe submit to Debian + +Index: pam.ubuntu/modules/pam_motd/pam_motd.c +=================================================================== +--- pam.ubuntu.orig/modules/pam_motd/pam_motd.c ++++ pam.ubuntu/modules/pam_motd/pam_motd.c +@@ -73,6 +73,61 @@ + close(fd); + } + ++int display_legal(pam_handle_t *pamh) ++{ ++ int retval = PAM_IGNORE, rc; ++ char *user = NULL; ++ char *dir = NULL; ++ char *flag = NULL; ++ struct passwd *pwd = NULL; ++ struct stat s; ++ int f; ++ /* Get the user name to determine if we need to print the disclaimer */ ++ rc = pam_get_item(pamh, PAM_USER, &user); ++ if (rc == PAM_SUCCESS && user != NULL && *(const char *)user != '\0') ++ { ++ PAM_MODUTIL_DEF_PRIVS(privs); ++ ++ /* Get the password entry */ ++ pwd = pam_modutil_getpwnam (pamh, user); ++ if (pwd != NULL) ++ { ++ if (pam_modutil_drop_priv(pamh, &privs, pwd)) { ++ pam_syslog(pamh, LOG_ERR, ++ "Unable to change UID to %d temporarily\n", ++ pwd->pw_uid); ++ retval = PAM_SESSION_ERR; ++ goto finished; ++ } ++ ++ if (asprintf(&dir, "%s/.cache", pwd->pw_dir) == -1 || !dir) ++ goto finished; ++ if (asprintf(&flag, "%s/motd.legal-displayed", dir) == -1 || !flag) ++ goto finished; ++ ++ if (stat(flag, &s) != 0) ++ { ++ display_file(pamh, "/etc/legal"); ++ mkdir(dir, 0700); ++ f = open(flag, O_WRONLY|O_CREAT|O_EXCL, ++ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); ++ if (f>=0) close(f); ++ } ++ ++finished: ++ if (pam_modutil_regain_priv(pamh, &privs)) { ++ pam_syslog(pamh, LOG_ERR, ++ "Unable to change UID back to %d\n", privs.old_uid); ++ retval = PAM_SESSION_ERR; ++ } ++ ++ _pam_drop(flag); ++ _pam_drop(dir); ++ } ++ } ++ return retval; ++} ++ + PAM_EXTERN + int pam_sm_open_session(pam_handle_t *pamh, int flags, + int 
argc, const char **argv) +@@ -116,6 +171,9 @@ + /* Display the updated motd */ + display_file(pamh, motd_path); + ++ /* Display the legal disclaimer only if necessary */ ++ retval = display_legal(pamh); ++ + return retval; + } + --- pam-1.1.8.orig/debian/patches-applied/pam_umask_usergroups_from_login.defs.patch +++ pam-1.1.8/debian/patches-applied/pam_umask_usergroups_from_login.defs.patch 
@@ -0,0 +1,127 @@ +Description: Deprecate pam_unix' explicit "usergroups" option and instead read it from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there. This restores compatibility with the pre-PAM behaviour of login. See https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002. +Author: Martin Pitt +Bug-Debian: http://bugs.debian.org/583958 + +=== modified file 'modules/pam_umask/pam_umask.c' +Index: pam.ubuntu/modules/pam_umask/pam_umask.c +=================================================================== +--- pam.ubuntu.orig/modules/pam_umask/pam_umask.c ++++ pam.ubuntu/modules/pam_umask/pam_umask.c +@@ -87,7 +87,7 @@ + } + + static char * +-search_key (const char *filename) ++search_key (const char *filename, const char *key) + { + FILE *fp; + char *buf = NULL; +@@ -146,7 +146,7 @@ + while (isspace ((int)*cp) || *cp == '=') + ++cp; + +- if (strcasecmp (tmp, "UMASK") == 0) ++ if (strcasecmp (tmp, key) == 0) + { + retval = strdup (cp); + break; +@@ -163,15 +163,34 @@ + get_options (const pam_handle_t *pamh, options_t *options, + int argc, const char **argv) + { ++ char *result; ++ + memset (options, 0, sizeof (options_t)); + /* Parse parameters for module */ + for ( ; argc-- > 0; argv++) + parse_option (pamh, *argv, options); + + if (options->umask == NULL) +- options->umask = search_key (LOGIN_DEFS); ++ { ++ options->umask = search_key (LOGIN_DEFS, "UMASK"); ++ /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way ++ * of usergroups; but we don't want it to influence umask definitions ++ * from other places (like GECOS). This restores compatibility with ++ * shadow from the pre-PAM age. 
++ */ ++ if (options->umask != NULL) ++ { ++ result = search_key (LOGIN_DEFS, "USERGROUPS_ENAB"); ++ if (result != NULL) ++ { ++ options->usergroups = (strcasecmp (result, "yes") == 0); ++ free (result); ++ } ++ } ++ } ++ + if (options->umask == NULL) +- options->umask = search_key (LOGIN_CONF); ++ options->umask = search_key (LOGIN_CONF, "UMASK"); + + return 0; + } +Index: pam.ubuntu/modules/pam_umask/pam_umask.8.xml +=================================================================== +--- pam.ubuntu.orig/modules/pam_umask/pam_umask.8.xml ++++ pam.ubuntu/modules/pam_umask/pam_umask.8.xml +@@ -63,7 +63,8 @@ + + + +- UMASK entry from /etc/login.defs ++ UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB in ++ /etc/login.defs) + + + +@@ -115,6 +116,11 @@ + If the user is not root and the username is the same as + primary group name, the umask group bits are set to be the + same as owner bits (examples: 022 -> 002, 077 -> 007). ++ Note that using this option explicitly is discouraged. pam_umask ++ enables this functionality by default if /etc/login.defs enables ++ USERGROUPS_ENAB, and the umask is not set explicitly in other ++ places than /etc/login.defs (this is compatible with login's ++ behaviour without PAM). 
+ + + +Index: pam.ubuntu/modules/pam_umask/pam_umask.8 +=================================================================== +--- pam.ubuntu.orig/modules/pam_umask/pam_umask.8 ++++ pam.ubuntu/modules/pam_umask/pam_umask.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_umask + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 09/19/2013 ++.\" Date: 01/16/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_UMASK" "8" "09/19/2013" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_UMASK" "8" "01/16/2014" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -79,7 +79,7 @@ + .sp -1 + .IP \(bu 2.3 + .\} +-UMASK entry from /etc/login\&.defs ++UMASK entry from /etc/login\&.defs (influenced by USERGROUPS_ENAB in /etc/login\&.defs) + .RE + .PP + The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&. +@@ -98,7 +98,7 @@ + .PP + \fBusergroups\fR + .RS 4 +-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. ++If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if /etc/login\&.defs enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than /etc/login\&.defs (this is compatible with login\*(Aqs behaviour without PAM)\&. 
+ .RE + .PP + \fBumask=\fR\fB\fImask\fR\fR --- pam-1.1.8.orig/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch +++ pam-1.1.8/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch @@ -0,0 +1,25 @@ +Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd +helper could be sgid shadow instead of suid root, as it is in Debian and +Ubuntu by default. Drop any sgid bits as well. + +Authors: Steve Langasek , + Michael Spang + +Upstream status: to be submitted + +Index: pam-debian/modules/pam_unix/unix_chkpwd.c +=================================================================== +--- pam-debian.orig/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:22:06.270705822 -0700 ++++ pam-debian/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:24:06.080224301 -0700 +@@ -137,9 +137,10 @@ + /* if the caller specifies the username, verify that user + matches it */ + if (strcmp(user, argv[1])) { ++ gid_t gid = getgid(); + user = argv[1]; + /* no match -> permanently change to the real user and proceed */ +- if (setuid(getuid()) != 0) ++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) + return PAM_AUTH_ERR; + } + } --- pam-1.1.8.orig/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch +++ pam-1.1.8/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch 
@@ -0,0 +1,25 @@ +Revert upstream change that prevents pam_unix from working with sgid +shadow applications. + +Authors: Steve Langasek + +Upstream status: to be submitted (and debated...) + +Index: debian-pkg-pam/modules/pam_unix/passverify.c +=================================================================== +--- debian-pkg-pam.orig/modules/pam_unix/passverify.c 2009-04-17 12:46:39.000000000 -0700 ++++ debian-pkg-pam/modules/pam_unix/passverify.c 2009-04-17 12:46:40.000000000 -0700 +@@ -203,11 +203,11 @@ + * ...and shadow password file entry for this user, + * if shadowing is enabled + */ ++ *spwdent = pam_modutil_getspnam(pamh, name); + #ifndef HELPER_COMPILE +- if (geteuid() || SELINUX_ENABLED) ++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED)) + return PAM_UNIX_RUN_HELPER; + #endif +- *spwdent = pam_modutil_getspnam(pamh, name); + if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; + } --- pam-1.1.8.orig/debian/patches-applied/series +++ pam-1.1.8/debian/patches-applied/series 
@@ -0,0 +1,33 @@ +pam_unix_fix_sgid_shadow_auth.patch +pam_unix_dont_trust_chkpwd_caller.patch +007_modules_pam_unix +008_modules_pam_limits_chroot +021_nis_cleanup +022_pam_unix_group_time_miscfixes +026_pam_unix_passwd_unknown_user +do_not_check_nis_accidentally +027_pam_limits_better_init_allow_explicit_root +031_pam_include +032_pam_limits_EPERM_NOT_FATAL +036_pam_wheel_getlogin_considered_harmful +hurd_no_setfsuid +040_pam_limits_log_failure +045_pam_dispatch_jump_is_ignore +054_pam_security_abstract_securetty_handling +055_pam_unix_nullok_secure +cve-2011-4708.patch +PAM-manpage-section +update-motd +pam_motd-legal-notice +no_PATH_MAX_on_hurd +ubuntu-rlimit_nice_correction +update-motd-manpage-ref +lib_security_multiarch_compat +cve-2015-3238.patch +pam_umask_usergroups_from_login.defs.patch +pam-loginuid-in-containers +extrausers.patch +cve-2013-7041.patch +cve-2014-2583.patch +pam-limits-nofile-fd-setsize-cap +lp1666203-tty-audit-failed-fix --- pam-1.1.8.orig/debian/patches-applied/ubuntu-rlimit_nice_correction +++ pam-1.1.8/debian/patches-applied/ubuntu-rlimit_nice_correction @@ -0,0 +1,17 @@ +Index: pam.ubuntu/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.ubuntu.orig/modules/pam_limits/pam_limits.c ++++ pam.ubuntu/modules/pam_limits/pam_limits.c +@@ -362,6 +362,12 @@ + pl->limits[i].limit.rlim_cur = 8192*1024; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; ++#ifdef RLIMIT_NICE ++ case RLIMIT_NICE: ++ pl->limits[i].limit.rlim_cur = 20; ++ pl->limits[i].limit.rlim_max = 20; ++ break; ++#endif + case RLIMIT_NOFILE: + pl->limits[i].limit.rlim_cur = 1024; + pl->limits[i].limit.rlim_max = 1024; --- pam-1.1.8.orig/debian/patches-applied/update-motd +++ pam-1.1.8/debian/patches-applied/update-motd 
@@ -0,0 +1,168 @@ +Patch for Ubuntu bug #399071 + +Provide a more dynamic MOTD, based on the short-lived update-motd project. + +Authors: Dustin Kirkland + +Upstream status: not yet submitted + +Index: pam.debian/modules/pam_motd/pam_motd.c +=================================================================== +--- pam.debian.orig/modules/pam_motd/pam_motd.c ++++ pam.debian/modules/pam_motd/pam_motd.c +@@ -48,14 +48,39 @@ + + static char default_motd[] = DEFAULT_MOTD; + ++static void display_file(pam_handle_t *pamh, const char *motd_path) ++{ ++ int fd; ++ char *mtmp = NULL; ++ while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) { ++ struct stat st; ++ /* fill in message buffer with contents of motd */ ++ if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000) ++ break; ++ if (!(mtmp = malloc(st.st_size+1))) ++ break; ++ if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size) ++ break; ++ if (mtmp[st.st_size-1] == '\n') ++ mtmp[st.st_size-1] = '\0'; ++ else ++ mtmp[st.st_size] = '\0'; ++ pam_info (pamh, "%s", mtmp); ++ break; ++ } ++ _pam_drop (mtmp); ++ if (fd >= 0) ++ close(fd); ++} ++ + PAM_EXTERN + int pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { + int retval = PAM_IGNORE; +- int fd; ++ int do_update = 1; + const char *motd_path = NULL; +- char *mtmp = NULL; ++ struct stat st; + + if (flags & PAM_SILENT) { + return retval; +@@ -73,6 +98,9 @@ + "motd= specification missing argument - ignored"); + } + } ++ else if (!strcmp(*argv,"noupdate")) { ++ do_update = 0; ++ } + else + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } +@@ -80,34 +108,23 @@ + if (motd_path == NULL) + motd_path = default_motd; + +- while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) { +- struct stat st; +- +- /* fill in message buffer with contents of motd */ +- if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000) +- break; +- +- if (!(mtmp = malloc(st.st_size+1))) +- break; +- +- if (pam_modutil_read(fd, mtmp, st.st_size) != 
st.st_size) +- break; +- +- if (mtmp[st.st_size-1] == '\n') +- mtmp[st.st_size-1] = '\0'; +- else +- mtmp[st.st_size] = '\0'; +- +- pam_info (pamh, "%s", mtmp); +- break; ++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic. ++ This will be displayed only when calling pam_motd with ++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd ++ display both this file and /etc/motd. */ ++ if (do_update && (stat("/etc/update-motd.d", &st) == 0) ++ && S_ISDIR(st.st_mode)) ++ { ++ mode_t old_mask = umask(0022); ++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")) ++ rename("/run/motd.dynamic.new", "/run/motd.dynamic"); ++ umask(old_mask); + } + +- _pam_drop (mtmp); +- +- if (fd >= 0) +- close(fd); ++ /* Display the updated motd */ ++ display_file(pamh, motd_path); + +- return retval; ++ return retval; + } + + +Index: pam.debian/modules/pam_motd/pam_motd.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml ++++ pam.debian/modules/pam_motd/pam_motd.8.xml +@@ -52,6 +52,17 @@ + + + ++ ++ ++ ++ ++ ++ ++ Don't run the scripts in /etc/update-motd.d ++ to refresh the motd file. ++ ++ ++ + + + +Index: pam.debian/modules/pam_motd/pam_motd.8 +=================================================================== +--- pam.debian.orig/modules/pam_motd/pam_motd.8 ++++ pam.debian/modules/pam_motd/pam_motd.8 +@@ -45,6 +45,13 @@ + /path/filename + file is displayed as message of the day\&. + .RE ++.PP ++\fBnoupdate\fR ++.RS 4 ++Don\*(Aqt run the scripts in ++/etc/update\-motd\&.d ++to refresh the motd file\&. 
++.RE + .SH "MODULE TYPES PROVIDED" + .PP + Only the +Index: pam.debian/modules/pam_motd/README +=================================================================== +--- pam.debian.orig/modules/pam_motd/README ++++ pam.debian/modules/pam_motd/README +@@ -14,6 +14,10 @@ + + The /path/filename file is displayed as message of the day. + ++noupdate ++ ++ Don't run the scripts in /etc/update-motd.d to refresh the motd file. ++ + EXAMPLES + + The suggested usage for /etc/pam.d/login is: --- pam-1.1.8.orig/debian/patches-applied/update-motd-manpage-ref +++ pam-1.1.8/debian/patches-applied/update-motd-manpage-ref @@ -0,0 +1,28 @@ +Index: pam.ubuntu/modules/pam_motd/pam_motd.8.xml +=================================================================== +--- pam.ubuntu.orig/modules/pam_motd/pam_motd.8.xml ++++ pam.ubuntu/modules/pam_motd/pam_motd.8.xml +@@ -100,6 +100,9 @@ + , + + pam7 ++ , ++ ++ update-motd5 + + + +Index: pam.ubuntu/modules/pam_motd/pam_motd.8 +=================================================================== +--- pam.ubuntu.orig/modules/pam_motd/pam_motd.8 ++++ pam.ubuntu/modules/pam_motd/pam_motd.8 +@@ -79,7 +79,8 @@ + \fBmotd\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(7) ++\fBpam\fR(7), ++\fBupdate-motd\fR(5) + .SH "AUTHOR" + .PP + pam_motd was written by Ben Collins \&. --- pam-1.1.8.orig/debian/po/POTFILES.in +++ pam-1.1.8/debian/po/POTFILES.in @@ -0,0 +1,3 @@ +[type: gettext/rfc822deb] libpam0g.templates +[type: gettext/rfc822deb] libpam-runtime.templates +[type: gettext/rfc822deb] libpam-modules.templates --- pam-1.1.8.orig/debian/po/bg.po +++ pam-1.1.8/debian/po/bg.po 
@@ -0,0 +1,226 @@ +# translation of bg.po to Bulgarian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# Damyan Ivanov , 2007, 2009, 2012. +# +msgid "" +msgstr "" +"Project-Id-Version: bg\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-19 22:36+0200\n" +"Last-Translator: Damyan Ivanov \n" +"Language-Team: Български \n" +"Language: bg\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=2; plural=(n != 1)\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Рестартиране на услуги при обновяване на PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Повечето услуги, които използват PAM трябва да бъдат рестартирани за да " +"могат да използват модулите за новата версия на libpam. Прегледайте списъка " +"от init.d скриптове по-долу и го коригирайте ако е необходимо. Имената на " +"отделните скриптове трябва да са отделени с интервал." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Мениджъра на дисплеи трябва да бъде рестартиран ръчно" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Мениджърите на дисплеи wdm и xdm трябва да бъдат рестартирани, но това би прекъснало активните влизания и затова тази операция няма да бъде извършена автоматично. Преди " +"да може отново да се влезе в системата " +"чрез тези услуги, те трябва да бъдат рестартирани ръчно." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Грешка при рестартиране на някои услуги за обновяване на PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "Следните услуги не бяха рестартирани за обновяването на PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "Ще трябва сами да ги стартирате чрез „/etc/init.d/<услуга> start“." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Автоматично рестартиране на услугите при обновяване на пакета?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Системата има инсталирани услуги, които трябва да се рестартират при " +"обновяване на някои библиотеки като libpam, libc и libssl. 
Тъй като " +"рестартирането може да предизвика прекъсване на съответната услуга, " +"обикновено администраторите предпочитат да бъдат попитани кои услуги могат " +"да бъдат рестартиране при всяко обновяване на библиотеките. Ако потвърдите, " +"че не желаете да потвърждавате рестартирането, услугите ще бъдат " +"рестартирани автоматично без излишни въпроси при обновяване на някоя от " +"критичните библиотеки." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Настройване на PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Разрешаване на PAM профили:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Модулите за идентификация (PAM, Pluggable Authentication Modules) управляват " +"идентификацията, оторизацията и промяната на паролите. Те дават и възможност " +"за изпълняване на допълнителни действия при стартиране на нови потребителски " +"сесии." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Някои пакети с PAM модули предлагат „профили“, чрез които може да се промени " +"поведението на всички приложения, използващи PAM. Изберете кои от профилите " +"желаете да разрешите." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Избрани са несъвместими PAM профили." + +#. Type: error +#. Description +#. 
This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Следните PAM профили не могат да се използват едновременно:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Изберете друга група профили." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Отмяна на локалните промени в /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Някои от файловете /etc/pam.d/common-{auth,account,password,session} са " +"променени. Укажете дали желаете променените файлове да бъдат презаписани и " +"да се използват настройките доставени със системата. Ако откажете ще трябва " +"ръчно да настроите PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Не са избрани PAM профили." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Няма избрани PAM профили. Това ще разреши достъпа на всички потребители без " +"удостоверяване на самоличността и не е позволено. Изберете поне един профил " +"от списъка." + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver и xlockmore трябва да бъдат рестартирани" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Открити са работещи процеси xscreensaver или xlockmore. Поради несъвместими " +"промени в библиотеката, обновяването на пакета libpam-modules ще направи " +"невъзможно идентифицирането с тези програми. Трябва да осигурите " +"рестартирането или спирането на xscreensaver и xlockmore за да избегнете " +"проблеми с идентификацията при потребителите, които ги използват." --- pam-1.1.8.orig/debian/po/ca.po +++ pam-1.1.8/debian/po/ca.po 
@@ -0,0 +1,241 @@ +# pam po-debconf translation to Catalan +# Copyright (C) 2007 Software in the Public Interest, SPI Inc. +# This file is distributed under the same license as the pam package. +# +# Innocent De Marchi , 2011-2012 +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.3-6.1\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-21 08:33+0100\n" +"Last-Translator: Innocent De Marchi \n" +"Language-Team: Catalan \n" +"Language: ca\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Catalan\n" +"X-Poedit-Country: SPAIN\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" +"Serveis que cal reiniciar per a l'actualització de la biblioteca de PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"És necessari reiniciar la majoria dels serveis que fan servir PAM per a que " +"facin servir els mòduls d'aquesta versió de «libpam». Reviseu la següent " +"llista separada per espais dels scripts «init.d» que indica els serveis que " +"es reiniciaran ara i modificau-la si és necessari." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Cal reiniciar manualment el gestor de pantalla" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Entre els serveis que cal reiniciar degut a la nova versió de «libpam» hi ha " +"els gestors de pantalla «wdm» i «xdm». Malgrat tot, hi ha sessions d'«X» en " +"execució en el sistema que s'aturaran si es reinicien aquests serveis. Cal " +"reiniciar-los manualment si desitjau que sigui possible iniciar una sessió " +"«X» més endavant." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" +"S'ha produït un error en reiniciar algun dels serveis en l'actualització de " +"PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"No ha estat possible reiniciar els serveis indicats a continuació en el " +"procés d'actualització de la biblioteca de PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Caldrà engegar manualment aquests serveis executant «/etc/init.d/ " +"start»." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Voleu que es reiniciïn els serveis sense demanar confirmació durant les " +"actualitzacions del paquet?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. 
You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Hi ha serveis instal·lats en el seu sistema que necessiten ser reiniciats en " +"actualitzar certes biblioteques, com libpam, libc i libssl. Ja que el procés " +"de reinicii pot causar interrupcions en el sistema, normalment se vos " +"demanarà, a cada actualització, per a la llista de serveis que voleu " +"reiniciar. Podeu triar aquesta opció per evitar que se vos demani; en canvi, " +"es faran automàticament tots els reinicis necessaris sense demanar-vos " +"confirmació en cada actualització de biblioteques." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Configuració de PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Perfils PAM que cal habilitar:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Els «Pluggable Authentication Modules» (PAM, o Mòduls d'autenticació " +"inseribles) determinen com es gestionen en el sistema l'autenticació, " +"autorització i modificació de contrasenyes. També permet la definició " +"d'accions addicionals a realitzar quan s'inicia la sessió d'un usuari." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." 
+msgstr "" +"Alguns dels paquets de mòduls de PAM ofereixen perfils que poden utilitzar-" +"se per ajustar automàticament el comportament de totes les aplicacions que " +"fan servir PAM en el sistema. Indiqueu quin d'aquests comportaments desitjau " +"activar." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Heu seleccionat perfils PAM incompatibles." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" +"No és possible fer servir conjuntament els perfils de PAM indicats a " +"continuació:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Seleccioneu un conjunt distint de mòduls a activar." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" +"Desitjau descartar els canvis locals realitzats a «/etc/pam.d/common-*»?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"S'ha modificat localment algun dels fitxers «/etc/pam.d/common-{auth,account," +"password,session}». Indicau si desitjau que aquests canvis locals siguin " +"substituïts amb la configuració definida pel sistema. Caldrà gestionar la " +"configuració d'autenticació del sistema manualment si rebutjau aquesta opció." + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "No heu seleccionat cap perfil PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"No heu seleccionat cap perfil de PAM per a aquest sistema. Així és possible " +"que qualsevol usuari accedeixi sense autenticació, la qual cosa no és " +"permesa. Heu de seleccionar almenys un perfil de PAM de la llista." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "Cal reiniciar «xscreensaver» i «xlockmore» abans de l'actualització" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"S'han detectat una o més instàncies dels programes «xscreensaver» o " +"«xlockmore». L'actualització del paquet «libpam-modules» podria impedir " +"l'autenticació en aquests programes degut a canvis incompatibles en la " +"biblioteca. Heu de procurar que aquests programes es reinicien o s'aturin " +"abans de continuar amb l'actualització. Així evitareu que els usuaris quedin " +"bloquejats i no puguin continuar les seves sessions actuals." --- pam-1.1.8.orig/debian/po/cs.po +++ pam-1.1.8/debian/po/cs.po 
@@ -0,0 +1,226 @@ +# Czech translation of pam debconf mesages. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the pam package. +# Miroslav Kure , 2007-2012. +# +msgid "" +msgstr "" +"Project-Id-Version: pam\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-27 07:56+0100\n" +"Last-Translator: Miroslav Kure \n" +"Language-Team: Czech \n" +"Language: cs\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Služby, které se mají restartovat po aktualizaci knihovny PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Aby se začaly používat moduly z nové verze knihovny libpam, musí se většina " +"služeb používajících PAM restartovat. Zkontrolujte prosím následující seznam " +"služeb (init.d skriptů), které se mají nyní restartovat a v případě potřeby " +"seznam opravte." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Správce displeje se musí restartovat ručně" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." 
+msgstr "" +"Správcové displejů wdm a xdm musí být s novou verzí knihovny libpam " +"restartováni. Restart těchto služeb by však ukončil probíhající X sezení a " +"proto je ponechán restart zmíněných správců displejů na vás, až určíte, že " +"nastal vhodný okamžik. S restartem byste neměli otálet, protože do té doby " +"se pomocí nich nebudou moci uživatelé přihlásit." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Restartování některých služeb při aktualizaci PAMu selhalo" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Následující služby nemohly být při aktualizaci knihovny PAM restartovány:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Tyto služby budete muset spustit ručně příkazem '/etc/init.d/ start'." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Restartovat služby při aktualizaci balíku bez ptaní?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"V systému jsou nainstalovány služby, které je nutno při aktualizaci " +"určitých knihoven (libpam, libc nebo libssl) restartovat. 
Během restartu " +"služeb jsou tyto po nějakou dobu nedostupné. Abychom předešli nechtěné " +"nedostupnosti, je při každé aktualizaci nabídnut seznam služeb, které se " +"mají restartovat. Povolíte-li tuto možnost, budou se všechny potřebné " +"služby restartovat při aktualizaci knihoven automaticky bez ptaní." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Nastavení PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "PAM profily, které se mají povolit:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Moduly PAM (Pluggable Authentication Modules) určují, jakým způsobem je na " +"systému řešena autentizace, autorizace, změna hesel a také umožňují nastavit " +"dodatečné akce při spouštění uživatelských sezení." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Některé balíky s PAM moduly poskytují profily, které mohou automaticky " +"upravit chování všech aplikací používajících PAM. Vyberte si, která chování " +"chcete povolit." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Vybrány nekompatibilní PAM profily." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. 
+#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Následující PAM profily nelze používat současně:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Povolte prosím jinou sadu modulů." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Přepsat místní změny v /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Některé ze souborů /etc/pam.d/common-{auth,account,password,session} " +"obsahují místní úpravy. Vyberte si, zda se mají tyto změny přepsat verzí z " +"balíku. Zamítnete-li tuto možnost, budete muset spravovat tyto soubory ručně." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Nebyly vybrány žádné PAM profily." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Pro tento systém nebyly vybrány žádné PAM profily, což znamená, že všem " +"uživatelům umožňujete přístup bez autentizace. To není dovoleno. Vyberte " +"prosím ze seznamu alespoň jeden PAM profil." + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"Programy xscreensaver a xlockmore musí být před aktualizací restartovány" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Zdá se, že v systému běží jedna nebo více instancí programu xscreensaver " +"resp. xlockmore. Z důvodu nekompatibilních změn v knihovnách se po " +"aktualizaci balíku libpam-modules nebudete moci pomocí těchto programů " +"autentizovat. To jinými slovy znamená, že se uživatelé nedostanou ke svým " +"uzamčeným sezením. Abyste tomu předešli, měli byste před aktualizací zmíněné " +"programy zastavit, nebo je ve vhodný čas restartovat." --- pam-1.1.8.orig/debian/po/da.po +++ pam-1.1.8/debian/po/da.po 
@@ -0,0 +1,229 @@ +# Danish translation pam. +# Copyright (C) 2011 pam & nedenstående oversættere. +# This file is distributed under the same license as the pam package. +# Joe Hansen , 2010, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: pam\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-11-10 19:21+0100\n" +"Last-Translator: Joe Hansen \n" +"Language-Team: Danish \n" +"Language: da\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Tjenester at genstarte for PAM-biblioteksopgradering:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"De fleste tjenester, som bruger PAM, har brug for at blive genstartet for at " +"kunne bruge moduler bygget til denne nye version af libpam. Gennemgå " +"venligst den følgende mellemrumsadskilte liste af init.d-skripter for " +"tjenester som genstartes nu, og ret den hvis behovet er der." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Visningshåndtering skal genstartes manuelt" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." 
+msgstr "" +"wdm- og xdm-visningshåndteringerne kræver en genstart for den nye version af " +"libpam, men der er X-logindsessioner, som er aktive på dit system og som vil " +"blive afsluttet af denne genstart. Du skal derfor manuelt genstarte disse " +"tjenester, før yderligere X-logind'er vil være mulige." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" +"Der opstod en fejl under genstart af nogle tjenester til PAM-opgradering" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"De følgende tjenester kunne ikke genstartes for PAM-biblioteksopgraderingen:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Du skal starte disse manuelt ved at køre '/etc/init.d/ start'" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Genstart tjenester under pakkeopgradering uden at spørge?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Der er tjenester installeret på dit system som skal genstartes, når bestemte " +"biblioteker - såsom libpam, libc og libssl - opgraderes. 
Da disse genstarter " +"kan medføre afbrydelser af tjeneste for systemet, vil du normalt blive " +"spurgt ved hver opgradering for listen af tjenester, du ønsker at genstarte. " +"Du kan vælge denne indstilling for at undgå at blive spurgt; i stedet for " +"vil alle nødvendige genstarter automatisk blive udført, så du kan undgå at " +"få stillet spørgsmålene ved hver biblioteksopgradering." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "PAM-konfiguration" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "PAM-profiler at aktivere:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Pluggable Authentication Modules (PAM) afgør hvordan ændring af godkendelse, " +"autorisation og adgangskode håndteres på systemet, samt tillader " +"konfiguration af yderligere handlinger, der skal igangsættes ved opstart af " +"brugersessioner." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Nogle PAM-modulpakker tilbyder profiler som automatisk kan justere " +"opførelsen af alle PAM-brugende programmer på systemet. Indiker venligst " +"hvilke af disse profiler du ønsker at aktivere." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Inkompatible PAM-profiler valgt." + +#. Type: error +#. Description +#. 
This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "De følgende PAM-profiler kan ikke bruges sammen:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Vælg venligst et andet sæt af moduler at aktivere." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Overskriv lokale ændringer til /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"En eller flere af filerne /etc/pam.d/common-{auth,account,password,session} " +"er blevet overskrevet lokalt. Indiker venligst hvorvidt disse lokale " +"ændringer skal overskrives med den systemtilbudte konfiguration. Hvis du " +"afslår denne indstilling, skal du på egen hånd håndtere systemets " +"godkendelseskonfiguration." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Ingen PAM-profiler er blevet valgt." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Ingen PAM-profiler er blevet valgt til brug på dette system. Dette vil " +"tildele alle brugere adgang uden godkendelse, og er ikke tilladt. 
Vælg " +"venligst mindst en PAM-profil fra den tilgængelige liste." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver og xlockmore skal genstartes før opgradering" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"En eller flere kørende instanser af xscreensaver eller xlockmore er blevet " +"fundet på dette system. På grund af inkompatible biblioteksændringer vil " +"opgradering af pakken libpam-modules gøre, at du ikke kan bekræfte ægtheden " +"af disse programmer. Du skal sørge for at disse programmer bliver genstartet " +"eller stoppet, før du fortsætter med opgraderingen, for at undgå låsning af " +"dine brugere i deres aktuelle sessioner." --- pam-1.1.8.orig/debian/po/de.po +++ pam-1.1.8/debian/po/de.po 
@@ -0,0 +1,235 @@ +# German translation of pam debconf templates +# Copyright (C) 2007, 2009, 2011 Sven Joachim . +# Copyright (C) Helge Kreutzmann , 2011. +# This file is distributed under the same license as the pam package. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.3-6\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-12-26 19:53+0100\n" +"Last-Translator: Sven Joachim \n" +"Language-Team: German \n" +"Language: de\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Neu zu startende Dienste für das Upgrade der PAM-Bibliothek:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Die meisten Dienste, die PAM verwenden, müssen neu gestartet werden, um " +"Module dieser neuen Version von libpam verwenden zu können. Bitte überprüfen " +"Sie die folgende, Leerzeichen-getrennte Liste von init.d-Skripten für " +"Dienste, die jetzt neu zu starten sind, und korrigieren Sie diese Liste " +"falls notwendig." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Display-Manager müssen manuell neu gestartet werden" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Die Display-Manager wdm und xdm erfordern einen Neustart für die neue " +"Version von libpam, aber auf Ihrem System sind X-Login-Sitzungen aktiv, die " +"durch diesen Neustart beendet würden. Sie müssen diese Dienste daher von " +"Hand neu starten, bevor Logins unter X wieder möglich sind." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fehler beim Neustart einiger Dienste für das PAM-Upgrade" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Die folgenden Dienste konnten für das Upgrade der PAM-Bibliothek nicht neu " +"gestartet werden:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Sie müssen diese manuell neu starten, indem Sie »/etc/init.d/ start« " +"ausführen." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Dienste bei Paket-Upgrades ohne Rückfrage neu starten?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." 
+msgstr "" +"Auf Ihrem System sind Dienste installiert, die beim Upgrade bestimmter " +"Bibliotheken, wie Libpam, Libc und Libssl, neu gestartet werden müssen. Da " +"diese Neustarts zu Unterbrechungen der Dienste für dieses System führen " +"können, werden Sie normalerweise bei jedem Upgrade über die Liste der neu zu " +"startenden Dienste befragt. Sie können diese Option wählen, um diese Abfrage " +"zu vermeiden; stattdessen werden alle notwendigen Dienste-Neustarts für Sie " +"automatisch vorgenommen und die Beantwortung von Fragen bei jedem Upgrade " +"von Bibliotheken vermieden." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "PAM-Konfiguration" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Zu aktivierende PAM-Profile:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Pluggable Authentication Modules (PAM) bestimmen, wie Authentifizierung, " +"Berechtigung und Passwort-Änderung auf dem System gehandhabt werden. Ebenso " +"erlauben sie die Konfiguration zusätzlicher Maßnahmen, die beim Start von " +"Benutzersitzungen vorgenommen werden." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Einige Pakete mit PAM-Modulen stellen Profile bereit, die das Verhalten " +"aller Anwendungen, die PAM verwenden, automatisch anpassen können. 
Bitte " +"geben Sie an, welche dieser Verhaltensweisen Sie aktivieren möchten." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Inkompatible PAM-Profile ausgewählt." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Die folgenden PAM-Profile können nicht gemeinsam verwendet werden:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "" +"Bitte wählen Sie eine andere Zusammenstellung zu aktivierender Module aus." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Lokale Änderungen an /etc/pam.d/common-* außer Kraft setzen?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Eine oder mehrere der Dateien /etc/pam.d/common-{auth,account,password," +"session} sind lokal verändert worden. Bitte geben Sie an, ob diese " +"Änderungen durch die mitgelieferte Konfiguration außer Kraft gesetzt werden " +"sollen. Falls Sie diese Option ablehnen, müssen Sie die Authentifizierungs-" +"Konfiguration Ihres Systems von Hand verwalten." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Es wurden keine PAM-Profile ausgewählt." + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Es wurden keine PAM-Profile für die Verwendung auf diesem System ausgewählt. " +"Dies würde allen Benutzern Zugang ohne Authentifizierung gestatten und ist " +"nicht erlaubt. Bitte wählen Sie mindestens ein PAM-Profil aus der " +"verfügbaren Liste aus." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "Xscreensaver und xlockmore müssen vor dem Upgrade neu gestartet werden" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Eine oder mehrere laufende Instanzen von xscreensaver oder xlockmore sind " +"auf diesem System entdeckt worden. Aufgrund inkompatibler Änderungen in " +"Bibliotheken wird das Upgrade des libpam-modules-Paketes Sie außerstande " +"setzen, sich gegenüber diesen Programmen zu authentifizieren. Sie sollten " +"dafür sorgen, dass diese Programme neu gestartet oder beendet werden, bevor " +"Sie dieses Upgrade fortsetzen, damit Ihre Benutzer nicht aus ihren laufenden " +"Sitzungen ausgesperrt werden." --- pam-1.1.8.orig/debian/po/es.po +++ pam-1.1.8/debian/po/es.po 
@@ -0,0 +1,270 @@ +# pam po-debconf translation to Spanish +# Copyright (C) 2007 Software in the Public Interest, SPI Inc. +# This file is distributed under the same license as the pam package. +# +# Changes: +# - Initial translation +# Javier Fernández-Sanguino , 2007 +# - Updates: +# Steve Langasek, 2008 +# Javier Fernández-Sanguino, 2009, 2012 +# +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traducción al español, por favor lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish/ +# especialmente las notas y normas de traducción en +# http://www.debian.org/intl/spanish/notas +# +# - La guía de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Si tiene dudas o consultas sobre esta traducción consulte con el último +# traductor (campo Last-Translator) y ponga en copia a la lista de +# traducción de Debian al español () +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.79-4\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-02 01:41+0100\n" +"Last-Translator: Javier Fernandez-Sanguino \n" +"Language-Team: Debian Spanish \n" +"Language: Spanish\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-POFile-SpellExtra: kdm gnome xscreensaver xdm xlockmore wdm start init\n" +"X-POFile-SpellExtra: screensaver PAM libpam corríjala account vd runtime\n" +"X-POFile-SpellExtra: Authentication auth Pluggable session insertables\n" +"X-POFile-SpellExtra: password pam common libc sobreescribir sobreescriban\n" +"X-POFile-SpellExtra: reinicios libssl\n" + +#. 
Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Servicios a reiniciar para la actualización de la biblioteca de PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Es necesario reiniciar la mayoría de los servicios que utilizan PAM para que " +"usen los módulos de esta versión de libpam. Por favor, revise la lista " +"separada por espacios mostrada a continuación que indica los servicios a " +"reiniciar ahora y corríjala si es necesario." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Debe reiniciar manualmente los gestores de pantalla" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Entre los servicios que deben reiniciarse debido a la nueva versión de " +"libpam están los gestores de pantalla wdm y xdm. Sin embargo, hay sesiones " +"de X ejecutándose en el sistema que se terminarían si se reiniciaran estos " +"servicios. Debe reiniciarlos manualmente si desea que funcionen los accesos " +"a través de una sesión X más adelante." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fallo al reiniciar alguno de los servicios en la actualización de PAM" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"No fue posible reiniciar los servicios indicados a continuación dentro la " +"actualización de la biblioteca de PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Deberá arrancar manualmente estos servicios ejecutando «/etc/init.d/" +" start»." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"¿Reiniciar servicios durante la actualización de paquetes sin preguntar?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Su sistema tiene servicios instalados que deben reiniciarse cuando se " +"actualicen ciertas librerías, como «libpam», «libc» o «libssl». Generalmente " +"se le preguntará en cada actualización la lista de servicios que desea " +"reiniciar dado que estos reinicios generalmente provocarán una interrupción " +"del servicio. Puede seleccionar esta opción para que no se le pregunte. En " +"lugar de hacerse estas preguntas, se reiniciarán de forma automática los " +"servicios en cada actualización de librerías." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Configuración de PAM" + +#. 
Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Perfiles PAM a habilitar:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Los «Pluggable Authentication Modules» (PAM, o Módulos de autenticación " +"insertables, N. del T.) determinan cómo se gestiona dentro del sistema la " +"autenticación, autorización y modificación de contraseñas. También permiten " +"la definición de acciones adicionales a realizar cuando se inicia la sesión " +"de un usuario." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Algunos de los paquetes de módulos de PAM ofrecen perfiles que pueden " +"utilizarse para ajustar automáticamente el comportamiento de todas las " +"aplicaciones que utilicen PAM en el sistema. Indique qué comportamiento " +"desea activar." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Se han seleccionado perfiles PAM incompatibles." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" +"No pueden utilizarse conjuntamente los perfiles de PAM indicados a " +"continuación:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." 
+msgstr "Seleccione un conjunto distinto de módulos a activar." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" +"¿Desea sobreescribir los cambios locales realizados a «/etc/pam.d/common-*»?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Se ha modificado localmente alguno de los ficheros «/etc/pam.d/common-{auth," +"account,password,session}». Indique si desea que estos cambios locales se " +"sobreescriban con la configuración definida para el sistema. Deberá " +"gestionar la configuración de autenticación de su sistema manualmente si " +"rechaza esta opción." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "No ha seleccionado ningún perfil PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"No ha seleccionado ningún perfil de PAM para este sistema. Esto podría " +"permitir que cualquier usuario accediera sin autenticación, lo que no está " +"permitido. Debe seleccionar al menos un perfil de PAM de la lista." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "Debe reiniciar xscreensaver y xlockmore antes de la actualización" + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Se han detectado una o más instancias de los programas xscreensaver o " +"xlockmore. La actualización del paquete libpam-modules podría impedir que " +"pueda autenticarse en estos programas debido a cambios incompatibles en las " +"librerías. Debería procurar que estos programas se reinicien o se paren " +"antes de continuar con la actualización. Así evitará que los usuarios queden " +"bloqueados y no puedan reanudar sus sesiones actuales." --- pam-1.1.8.orig/debian/po/eu.po +++ pam-1.1.8/debian/po/eu.po 
@@ -0,0 +1,230 @@ +# translation of pam_1.0.1-5_eu.po to Basque +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# +# Piarres Beobide , 2007, 2008. +# Iñaki Larrañaga Murgoitio , 2009. +msgid "" +msgstr "" +"Project-Id-Version: pam_1.0.1-5_eu\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2009-01-02 12:30+0100\n" +"Last-Translator: Piarres Beobide \n" +"Language-Team: debian-eu \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" +"PAM liburutegia bertsio-berritzean berrabiarazi behar diren zerbitzuak:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"PAM erabiltzen duten zerbitzu gehienak berrabiarazi egin behar dira libpam " +"bertsio honetako moduluak erabiltzeko. Mesedez gainbegiratu berrabiaraziko " +"diren hurrengo zuriunez bereiziriko init.d script zerrenda hau eta zuzendu " +"behar izanez gero." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Pantaila kudeatzailea eskuz berrabiarazi behar da" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Kdm, wdm, eta xdm pantaila kudeatzaileek berrabiaraztea behar dute libpam " +"bertsio berria erabiltzeko. Baina berrabiarazteak eragin izan dezaken " +"abiarazitako X saioak daude sistema honetan. Zerbitzu hori beranduago eskuz " +"berrabiarazi beharko duzu X saioak hastea posible izateko." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Huts PAM bertsio-berritzeko zenbait zerbitzu berrabiaraztean" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Hurrengo zerbitzuak ezin izan dira berrabiarazi PAM liburutegia bertsio-" +"berritzean:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Hauek eskuz berrabiarazi beharko dituzu '/etc/init.d/ start' " +"exekutatuz." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. 
You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Gaitu behar diren PAM profilak:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Autentifikazio modulu txertagarriak (PAM) ezartzen du zein autentifikazio, " +"autorizazio eta psahitz aldaketa kudeatzen diren sisteman, baita " +"erabiltzaile saioak hastekoan ekintza gehigarrien konfigurazioaren onarpena " +"du." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Zenbait PAM modulu paketek sisteman PAM erbailtzen duten aplikazioak " +"automatikoki doitzeko erabili daitezkeen profilak ekartzen dituzte. Mesedez " +"profil hauetako zein gaitu nahi duzun." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "PAM profil bateraezinak hautatuak." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. 
+#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Hurrengo PAM profilak ezin dira elkarrekin erabili:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Mesedez hautatu gaitzeko beste modulu bilduma bat." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Gainidatzi aldaketa lokalak /etc/pam.d/common-* -era?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"/etc/pam.d/common-{auth,account,password,session} fitxategietako bat edo " +"gehiago lokalki eraldatua izan da. Mesedez zehaztu aldaketa horiek sistemak-" +"hornitutako konfigurazioaz gainidatzi behar diren ala ez. Aukera hau " +"baztertzea hautatzen baduzu sistemaren autentifikazio konfigurazioa eskuz " +"kudeatu behar duzu." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +#, fuzzy +msgid "No PAM profiles have been selected." +msgstr "PAM profil bateraezinak hautatuak." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"xscreensaver eta xlockmore berrabiarazi egin behar dira bertsio-berritu " +"aurretik" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"xscreensaver edo xlockmore-ren instantzia bat edo gehiago exekutatzen " +"dagoela detektatu da sisteman. Liburutegiaren aldaketaren " +"bateraezintasunagatik libpam-modules paketearen bertsio-berritzeak programa " +"horiekin ezin autentifikatzea eragingo dizu. Programa horiek berrabiarazi " +"edop gelditu egin beharko zenituzke bertsio-berritzearekin jarraitu " +"aurretik, sistemako erabiltzaileak beraien uneko saioan blokeatzea " +"saihesteko." --- pam-1.1.8.orig/debian/po/fi.po +++ pam-1.1.8/debian/po/fi.po 
@@ -0,0 +1,226 @@ +# Esko Arajärvi , 2010. +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-4\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2010-10-18 22:46+0300\n" +"Last-Translator: Esko Arajärvi \n" +"Language-Team: Finnish \n" +"Language: fi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Finnish\n" +"X-Poedit-Country: FINLAND\n" +"X-Generator: Lokalize 1.0\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Palvelut, jotka käynnistetään uudelleen PAM-kirjastoa päivitettäessä:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Useimmat PAMia käyttävät palvelut pitää käynnistää uudelleen libpamin uuden " +"version käyttöön ottamiseksi. Tarkista seuraava välilyönnein eroteltu lista " +"niiden palveluiden init.d-komentotiedostoista, jotka käynnistetään " +"uudelleen, ja muokkaa listaa tarvittaessa." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Näytönhallintaohjelma tulee käynnistää uudelleen käsin" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." 
+msgstr "" +"Näytönhallintaohjelma kdm, wdm tai xdm tulee käynnistää uudelleen, jotta " +"libpamin uusi versio tulee käyttöön. Järjestelmässä on kuitenkin aktiivisia " +"X-istuntoja, jotka lopetettaisiin uudelleenkäynnistyksen yhteydessä. Tästä " +"syystä palvelu tulee käynnistää uudelleen käsin ennen kuin uusia X-istuntoja " +"voidaan avata." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Virhe käynnistettäessä uudelleen palveluita PAMin päivitystä varten" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Seuraavia palveluita ei voitu käynnistää uudelleen PAM-kirjastoa " +"päivitettäessä:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Nämä palvelut tulee käynnistää uudelleen ajamalla ”/etc/init.d/ " +"start”." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. 
Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Käyttöön otettavat PAM-profiilit:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Pluggable Authentication Modules (PAM) määrittää kuinka tunnistautuminen, " +"oikeuksien hallinta ja salasanan vaihto tehdään järjestelmässä. Se " +"mahdollistaa myös käyttäjäistuntojen käynnistyksen yhdessä suoritettavien " +"lisätoimintojen asetusten muokkaamisen." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Eräiden PAMin moduulipakettien tarjoamien profiilien avulla voidaan " +"automaattisesti muokata järjestelmän kaikkien PAMia käyttävien ohjelmien " +"toimintaa. Valitse mitkä näistä toiminnoista otetaan käyttöön." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Epäyhteensopivia PAM-profiileita valittu" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Seuraavia PAM-profiileita ei voida käyttää yhdessä:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Valitse uusi käyttöön otettavien moduulien joukko." + +#. Type: boolean +#. 
Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" +"Kirjoitetaanko paikallisten muutosten päälle tiedostoissa /etc/pam.d/common-" +"*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Joitain tiedostoista /etc/pam.d/common-{auth,account,password,session} on " +"muokattu paikallisesti. Valitse tulisiko paikalliset muutokset korvata " +"järjestelmän tarjoamilla asetuksilla. Jos et valitse tätä vaihtoehtoa, " +"järjestelmän tunnistautumisasetuksia täytyy hallinnoida käsin." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Yhtään PAM-profiilia ei ole valittu." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Yhtään PAM-profiilia ei ole valittu käytettäväksi tässä järjestelmässä. Tämä " +"sallisi kaikille käyttäjille pääsyn ilman tunnistautumista, eikä siksi ole " +"sallittua. Valitse ainakin yksi PAM-profiili annetulta listalta." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver ja xlockmore täytyy käynnistää uudelleen ennen päivitystä" + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Järjestelmässä ajetaan parhaillaan yhtä tai useampaa xscreensaverin tai " +"xlockmoren instanssia. Paketin libpam-modules kirjastot ovat muuttuneet " +"niin, että päivityksen jälkeen näihin ohjelmiin ei voitaisi " +"yhteensopivuussyistä enää tunnistautua. Nämä ohjelmat tulisi pysäyttää tai " +"käynnistää uudelleen ennen päivityksen jatkamista, jotta käyttäjät eivät " +"lukitse itseään ulos nykyisistä istunnoistaan." --- pam-1.1.8.orig/debian/po/fr.po +++ pam-1.1.8/debian/po/fr.po 
@@ -0,0 +1,240 @@ +# Translation of pam to French +# Copyright (C) 2007 Cyril Brulebois +# Copyright (C) 2009, 2001 Jean-Baka Domelevo Entfellner +# This file is distributed under the same license as the pam package. +# Translators: +# Cyril Brulebois , 2007 +# Jean-Baka Domelevo Entfellner , 2009, 2011 +# +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.3-6\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-11-11 20:19+0100\n" +"Last-Translator: Jean-Baka Domelevo Entfellner \n" +"Language-Team: French \n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Country: FRANCE\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" +"Services à redémarrer lors de la mise à niveau de la bibliothèque PAM :" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"La plupart des services utilisant PAM doivent être redémarrés pour utiliser " +"les modules compilés pour cette nouvelle version de libpam. Veuillez " +"vérifier la liste suivante de scripts de démarrage à relancer maintenant, et " +"la corriger si nécessaire." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Pas de redémarrage automatique du gestionnaire graphique de sessions" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Les gestionnaires graphiques de session wdm et xdm nécessitent un " +"redémarrage lors de la mise à niveau de libpam, mais il existe des sessions " +"X actives sur ce système, qui seraient fermées par ce redémarrage. Vous " +"devez donc redémarrer ces services vous-même avant de pouvoir effectuer à " +"nouveau une connexion au serveur graphique." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" +"Erreur du redémarrage de certains services pour la mise à niveau de PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Les services suivants n'ont pas pu être redémarrés lors de la mise à niveau " +"de la bibliothèque PAM :" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Vous devez les démarrer vous-même avec la commande « /etc/init.d/ " +"start »." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Redémarrer les services automatiquement lors des mises à jour ?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." 
+msgstr "" +"Certains services installés sur le système demandent à être redémarrés " +"lors de la mise à jour de certaines bibliothèques (par exemple libpam, libc " +"ou encore libssl). Puisque de tels redémarrages peuvent causer des " +"interruptions de service, une confirmation est habituellement demandée lors " +"de chaque mise à jour, en présentant la liste des services à redémarrer. " +"Vous pouvez sélectionner cette option pour éviter ces demandes interactives " +"de confirmation. Tous les redémarrages nécessaires seront alors effectués " +"automatiquement lors de chaque mise à jour de bibliothèque." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Configuration de PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Profils PAM à activer :" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Les modules d'authentification PAM déterminent la façon dont le système gère " +"l'authentification, les autorisations et les changements de mots de passe. " +"PAM permet aussi de configurer des actions supplémentaires à effectuer au " +"démarrage des sessions utilisateur." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." 
+msgstr "" +"Certains paquets de modules PAM fournissent des profils qui peuvent " +"être utilisés pour ajuster automatiquement le comportement de toutes les " +"applications utilisant PAM qui sont présentes sur le système." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Profils PAM incompatibles" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Les profils PAM suivants sont en conflit :" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Veuillez choisir un autre jeu de modules à activer." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Écraser les modifications locales sur /etc/pam.d/common-* ?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Au moins un des fichiers /etc/pam.d/common-{auth,account,password,session} " +"a été modifié localement. Veuillez indiquer s'il faut abandonner ces " +"changements locaux et revenir à la configuration standard du système. Dans " +"le cas contraire, vous devrez configurer vous-même le système " +"d'authentification." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Aucun profil PAM n'a été choisi." + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Aucun profil PAM n'a été mis en place pour ce système. N'en utiliser aucun " +"donnerait à tous les utilisateurs un accès sans authentification, ce qui " +"n'est pas autorisé. Merci de bien vouloir choisir au moins un profil PAM " +"dans la liste proposée." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"Redémarrage indispensable de xscreensaver et xlockmore avant la mise à niveau" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Une ou plusieurs instances de xscreensaver et/ou de xlockmore ont été " +"détectées sur le système. À cause de la modification de certaines " +"bibliothèques, la mise à niveau du paquet libpam-modules entrainera " +"l'impossibilité de s'authentifier. Avant de poursuivre la mise à niveau, ces " +"programmes doivent être redémarrés ou arrêtés pour éviter que des " +"utilisateurs ne puissent plus accéder à leur session." --- pam-1.1.8.orig/debian/po/gl.po +++ pam-1.1.8/debian/po/gl.po 
@@ -0,0 +1,225 @@ +# translation of pam_1.1.1-3_gl.po to Galician +# Galician translation of pam's debconf templates +# This file is distributed under the same license as the pam package. +# +# Jacobo Tarrio , 2007. +# Marce Villarino , 2009. +# Jorge Barreiro , 2010. +msgid "" +msgstr "" +"Project-Id-Version: pam_1.1.1-3_gl\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-03-29 13:01-0700\n" +"Last-Translator: Jorge Barreiro \n" +"Language-Team: Galician \n" +"Language: gl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=2; plural=n != 1;\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Servizos a reiniciar para a actualización da biblioteca PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"A maioría dos servizos que empregan PAM deben reiniciarse para empregar os " +"módulos compilados para esta versión de libpam. Revise a seguinte lista de " +"scripts de init.d que se han reiniciar agora, e corríxaa se é preciso." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Débese reiniciar manualmente o xestor de pantallas" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"É necesario reiniciar os xestores de pantallas wdm e xdm para a nova versión " +"de libpam, pero hai sesións de X activas no sistema que se pecharían co " +"reinicio. Polo tanto, ha ter que reiniciar eses servizos manualmente para " +"poder iniciar novas sesións mediante X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fallou o reinicio de algúns servizos para a actualización de PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Non foi posíbel reiniciar os seguintes servizos para a actualización da " +"biblioteca PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Ha ter que reinicialos manualmente executando «/etc/init.d/ start»." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. 
Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Perfís de PAM a activar:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Os Pluggable Authentication Modules (PAM) determinan como se xestiona a " +"autenticación, autorización e mudanza do contrasinal no sistema, e tamén " +"permiten configurar accións adicionais a realizar cando se inician sesións " +"de usuario." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Algúns paquetes de módulos de PAM fornecen perfís que poden empregarse para " +"axustar automaticamente o comportamento de todos os programas do sistema que " +"empregan PAM. Indique cais destes comportamentos desexa activar." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Escolléronse perfís de PAM incompatíbeis." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Non se poden empregar xuntos os seguintes perfís de PAM:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Escolla un conxunto diferente de módulos para activalos." + +#. Type: boolean +#. 
Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Desexa sobrepor as mudanzas locais a /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Modificouse localmente un ou varios dos ficheiros /etc/pam.d/common-{auth," +"account,password,session}. Indique se estas modificacións locais deben " +"sobrescribirse empregando a configuración fornecida polo sistema. Se rexeita " +"esta opción deberá xestionar manualmente a configuración da autenticación do " +"sistema." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Non se escolleu ningún perfil PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Non se escolleu ningún perfil PAM para este sistema. Esto daría acceso a " +"todos os usuarios sen necesidade de autenticarse, e isto non está permitido. " +"Escolla polo menos un perfil PAM desde a lista de perfís dispoñibeis." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver e xlockmore deben ser reiniciados antes da actualización" + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Detectouse que se están a executar unha ou máis instancias de xscreensaver " +"ou xlockmore no sistema. Por mor de modificacións incompatíbeis en " +"bibliotecas, a actualización do paquete libpam-modules ha facer que non sexa " +"quen de autenticarse nestes programas. Deber reiniciar ou deter estes " +"programas antes de continuar coa actualización, para evitar deixar trancados " +"os usuarios fora das súas sesións de traballo actuais." --- pam-1.1.8.orig/debian/po/it.po +++ pam-1.1.8/debian/po/it.po 
@@ -0,0 +1,229 @@ +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# +# David Paleino , 2008, 2010. +# Nicole B. , 2010. +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2010-10-23 21:21+0200\n" +"Last-Translator: Nicole B. \n" +"Language-Team: Italiano \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.0\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Servizi da riavviare per l'aggiornamento della libreria PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"La maggior parte dei servizi che usano PAM hanno bisogno di essere riavviati " +"per utilizzare i moduli compilati per questa nuova versione di libpam. " +"Controllare e correggere, se necessario, il seguente elenco di script di " +"init.d, separati da spazi, inerente i servizi da riavviare." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Il display manager deve essere riavviato manualmente" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"I display manager wdm e xdm richiedono di essere riavviati per la nuova " +"versione di libpam, ma ci sono sessioni di login X attive sul sistema che " +"verrebbero terminate da questo riavvio. Bisognerà riavviare questi servizi " +"manualmente prima che sia possibile ogni altro login al server X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fallito il riavvio di alcuni servizi per l'aggiornamento di PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Non è stato possibile il riavvio dei seguenti servizi per l'aggiornamento " +"della libreria PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Bisognerà avviarli manualmente eseguendo '/etc/init.d/ start'." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. 
Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Profili PAM abilitabili:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"PAM (Pluggable Authentication Modules) determina come le autenticazioni, le " +"autorizzazioni e i cambiamenti di password siano gestite dal sistema. Allo " +"stesso modo permette la configurazione di azioni addizionali da effettuarsi " +"all'inizio di una sessione utente." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Alcuni pacchetti di moduli PAM forniscono profili che possono essere usati " +"per modificare il comportamento di tutte le applicazioni presenti sul " +"sistema che sfruttano PAM. Indicare quali di questi comportamenti devono " +"essere abilitati." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Sono stati scelti dei profili PAM incompatibili." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "I seguenti profili PAM non possono essere usati contemporaneamente:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Selezionare una serie differente di moduli da abilitare." + +#. Type: boolean +#. 
Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Ignorare i cambiamenti in /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Uno o più dei file /etc/pam.d/common-{auth,account,password,session} sono " +"stati modificati. Indicare se questi cambiamenti locali debbono essere " +"annullati usando le configurazioni fornite dal sistema. Se questa opzione " +"verrà annullata, sarà necessario gestire manualmente la configurazione di " +"autenticazione del sistema." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Non è stato selezionato alcun profilo PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Non è stato selezonato alcun profilo PAM da usare su questo sistema. Questo " +"non è permesso, in quanto si consentirebbe l'acceso a qualunque utente senza " +"effettuare l'autenticazione. Selezionare come minimo un profilo PAM tra " +"quelli disponibili nell'elenco." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"xscreensaver e xlockmore devono essere riavviati prima dell'aggiornamento" + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Su questo sistema una o più istanze in esecuzione di xscreensaver o " +"xlockmore sono state rilevate. A causa di cambiamenti incompatibili nelle " +"librerie, l'aggiornamento del pacchetto libpam-modules renderà impossibile " +"l'autenticazione a questi programmi. Si dovrebbe procedere con il riavvio o " +"l'arresto di questi programmi prima di continuare con l'aggiornamento, al " +"fine di evitare che gli utenti siano bloccati al di fuori delle proprie " +"sessioni." --- pam-1.1.8.orig/debian/po/ja.po +++ pam-1.1.8/debian/po/ja.po 
@@ -0,0 +1,224 @@ +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# FIRST AUTHOR , YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 1.3.6-1\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-22 10:47+0900\n" +"Last-Translator: Kenshi Muto \n" +"Language-Team: Japanese \n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "PAM ライブラリの更新のために再起動するサービス:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"PAM を利用するほとんどのサービスは、この libpam の新しいバージョンでビルドさ" +"れたモジュールを使うために再起動を必要とします。以下の、スペースで区切られた" +"今再起動するサービスの init.d スクリプトのリストを見て、必要なら修正してくだ" +"さい。" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "ディスプレイマネージャは手動で再起動されなければなりません" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"wdm および xdm ディスプレイマネージャは libpam の新しいバージョンのために再起" +"動が必要ですが、あなたのシステムには、この再起動で強制終了してしまう実行中の " +"X ログインセッションが存在します。そのため、以降の X のログインが可能な状態の" +"うちに、これらのサービスを手動で再起動する必要があります。" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "PAM 更新のためのいくつかのサービスの再起動で失敗" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "PAM ライブラリ更新のための、以下のサービスの再起動ができませんでした:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"/etc/init.d/<サービス> start' を実行することで、これらを手動で起動する必要が" +"あります。" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "パッケージの更新中、質問なしにサービスを再起動しますか?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"あなたのシステムには、libpam、libc、libssl のようなごく一部のライブラリが更新" +"される際に、再起動を必要とするサービスがインストールされています。これらの再" +"起動はシステムのサービスの停止を引き起こす可能性があるので、通常、更新のたび" +"に再起動したいサービスの一覧が提示されます。この選択肢に「はい」を選ぶと、そ" +"の質問をしません。すべての必要な再起動が自動で行われるので、ライブラリ更新の" +"たびに質問されることから解放されます。" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "PAM の設定" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "有効化する PAM プロファイル:" + +#. Type: multiselect +#. 
Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"PAM (Pluggable Authentication Modules) は、ユーザのセッションが開始したときに" +"起こす追加のアクション設定の許可と共に、どのように認証、認可、パスワード変更" +"がシステムで扱われるかを決定します。" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"いくつかの PAM モジュールパッケージは、システム上のすべての PAM 利用アプリ" +"ケーションの挙動を自動で調整するのに利用できるプロファイルを提供しています。" +"これらの挙動の中から有効化したいものを指定してください。" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "矛盾する PAM プロファイルが選択されました。" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "次の PAM プロファイルは一緒に利用することはできません:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "有効化するために違うモジュールセットを選択してください。" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "/etc/pam.d/common-* にローカルの変更を上書きしますか?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. 
If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"/etc/pam.d/common-{auth,account,password,session} のファイルのうちの 1 つ以上" +"がローカルで変更されています。これらのローカルの変更をシステムで提供される設" +"定を使って上書きすべきかどうかを指示してください。この選択肢で「いいえ」と答" +"える場合、あなたのシステムの認証設定を手動で管理する必要があります。" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "PAM プロファイルが何も選択されていません。" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"このシステムで利用する PAM プロファイルが何も選択されていません。これは、すべ" +"てのユーザが認証なしにアクセスできてしまうことになるので、認められません。利" +"用可能な一覧から少なくとも 1 つの PAM プロファイルを選んでください。" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver と xlockmore を更新前に再起動する必要があります" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"このシステムで 1 つ以上の xscreensaver あるいは xlockmore の動作が検出されま" +"した。非互換のライブラリ変更のため、libpam-modules パッケージの更新はこれらの" +"プログラムでの認証ができなくなるという事態にあなたを追いやります。ユーザが現" +"在のセッションの外に締め出されるのを避けるため、このパッケージの更新を継続す" +"る前に、これらのプログラムを再起動するか停止するように手配すべきです。" --- pam-1.1.8.orig/debian/po/nl.po +++ pam-1.1.8/debian/po/nl.po 
@@ -0,0 +1,235 @@ +# Dutch translation of pam debconf templates. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# Bart Cornelis , 2007. +# Eric Spreen , 2010. +# Jeroen Schot , 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.3-6\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-11-25 16:33+0100\n" +"Last-Translator: Jeroen Schot \n" +"Language-Team: Debian l10n Dutch \n" +"Language: nl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Bij de opwaardering van de PAM-bibliotheek te herstarten diensten:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"De meeste PAM-gebruikende diensten moeten herstart worden voor ze gebruik " +"kunnen maken van modules die gebouwd zijn voor de nieuwe libpam-versie. De " +"volgende, met spaties gescheiden, lijst van init.d scripts wordt herstart. " +"Gelieve deze lijst te controleren en indien nodig aan te passen." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "De beeldschermbeheerder dient handmatig herstart te worden" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"De beelschermbeheerders wdm en xdm vereisen een herstart vanwege de nieuwe " +"libpam-versie. Er zijn echter X-login-sessies actief op uw systeem die " +"hierdoor afgesloten zouden worden. Nieuwe X-sessies starten via deze " +"diensten is pas mogelijk eens u ze handmatig herstart heeft." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Herstarten van sommige diensten bij de PAM-opwaardering is mislukt" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"De volgende diensten konden niet herstart worden bij de opwaardering van de " +"PAM-bibliotheek:." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"U dient deze diensten handmatig op te starten via het commando '/etc/init.d/" +" start'." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Diensten zonder vragen herstarten bij het opwaarderen van pakketten?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." 
+msgstr "" +"Er zijn diensten op uw systeem geïnstalleerd die moeten worden herstart " +"wanneer bepaalde bibliotheken, zoals libpam, libc en libssl, worden " +"opgewaardeerd. Omdat deze herstarts dienstonderbrekingen op uw systeem " +"kunnen veroorzaken wordt u normaal gesproken bij elke opwaardering gevraagd " +"welke diensten u wilt herstarten. Als u voor deze optie kiest wordt dit niet " +"meer aan u gevraagd. In plaats daarvan worden alle noodzakelijke herstarts " +"automatisch gedaan zodat u geen vragen krijgt bij elke opwaardering van een " +"bibliotheek." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "PAM-configuratie" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "PAM-profielen die ingeschakeld moeten worden:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Pluggable Authentication Modules (PAM) bepalen hoe authenticatie, " +"autorisatie en wachtwoordverandering worden behandeld op het systeem. Ook " +"staat het het instellen van overige acties die moeten worden ondernomen bij " +"het starten van gebruikerssessies toe." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Sommige PAM-modulepakketten leveren profielen die kunnen worden gebruikt om " +"automatisch het gedrag van alle programma's die PAM gebruiken aan te passen. 
" +"Geeft u alstublieft aan welk van deze instellingen u wilt gebruiken." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Strijdige PAM-profielen geselecteerd." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "De volgende PAM-profielen kunnen niet samen worden gebruikt:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Selecteer een andere set modules om in te schakelen." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Wilt u de locale veranderingen aan /etc/pam.d/common-* overschrijven?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Een of meer van de bestanden /etc/pam.d/common-{auth,account,password," +"session} zijn lokaal aangepast. Geef aan of deze lokale veranderingen moeten " +"worden overschreven, door de door het systeem geleverde configuratie te " +"gebruiken. Als u dit weigert, zult u de configuratie van de authenticatie " +"van uw systeem met de hand moeten onderhouden." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Er zijn geen PAM-profielen geselecteerd." + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Er zijn geen PAM-profielen geselecteerd om gebruikt te worden op dit " +"systeem. Dit zou alle gebruikers toegang geven zonder authenticatie, hetgeen " +"niet is toegestaan. Selecteer minstens een PAM-profiel van de beschikbare " +"lijst." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver en xlockmore moeten worden herstart voor u kunt upgraden" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Er zijn een of meer draaiende instanties van xscreensaver of xlockmore " +"gedetecteerd op dit systeem. Wegens strijdige veranderingen in bibliotheken " +"zal de upgrade van het pakket libpam-modules een systeem veroorzaken waarin " +"u zich niet zult kunnen authenticeren tegenover deze programma's. U dient " +"ervoor te zorgen dat deze programma's worden herstart of gestopt voordat u " +"verder gaat met deze upgrade, om te voorkomen dat gebruikers worden " +"uitgesloten van hun huidige sessies." --- pam-1.1.8.orig/debian/po/pl.po +++ pam-1.1.8/debian/po/pl.po 
@@ -0,0 +1,231 @@ +# Copyright (C) 2011 +# This file is distributed under the same license as the pam package. +# +# Michał Kułach , 2012. +msgid "" +msgstr "" +"Project-Id-Version: \n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-26 12:07+0100\n" +"Last-Translator: Michał Kułach \n" +"Language-Team: Polish \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.2\n" +"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " +"|| n%100>=20) ? 1 : 2);\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" +"Usługi które mają być zrestartowane, w związku z aktualizacją biblioteki PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Większość usług używających PAM musi być zrestartowana, aby używać modułów " +"zbudowanych do tej nowej wersji libpam. Proszę przeglądnąć poniższą listę " +"skryptów init.d (oddzieloną spacjami), pod kątem usług które mają być teraz " +"zrestartowane, i poprawić ją jeśli zachodzi taka potrzeba." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Menedżer logowania musi być zrestartowany ręcznie" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Menedżery logowania wdm i xdm wymagają restartu z powodu nowej wersji " +"libpam, ale występują aktywne sesje logowania X, które mogą być przerwane " +"przez ten restart. Będzie istniała potrzeba ręcznego restartu tych usług, " +"aby kolejne logowania X stały się możliwe." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Nie udało się zrestartować niektórych usług w celu aktualizacji PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Następujące usługi nie mogły zostać zrestartowane z celu aktualizacji PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Należy zrestartować te usługi ręcznie, przez wykonanie \"/etc/init.d/" +" start\"" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Zrestartować usługi podczas aktualizacji pakietu bez pytania?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Niektóre z zainstalowanych usług wymagają restartu, gdy są aktualizowane " +"określone biblioteki (np. 
libpam, libc i libss1). Ponieważ restarty mogą " +"spowodować przerwanie tych usług, użytkownik jest zwykle pytany podczas " +"każdej aktualizacji o listę usług, które chce zrestartować. Można wybrać tę " +"opcję, aby zapobiec takim pytaniom; wtedy wszystkie potrzebne restarty " +"odbędą się automatycznie, a użytkownik uniknie pytania przy każdej " +"aktualizacji biblioteki." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Konfiguracja PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Profile PAM do włączenia:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Pluggable Authentication Modules (PAM) określa, jak obsługiwane jest przez " +"system uwierzytelnienie, autoryzacja i zmiana hasła, jak również pozwala na " +"konfigurację dodatkowych akcji do podjęcia podczas uruchamiania sesji " +"użytkownika." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Niektóre moduły PAM dostarczają profile, które mogą być użyte do " +"automatycznego dostosowania zachowania wszystkich aplikacji używających PAM " +"w systemie. Proszę określić, które z tych zachowań mają być włączone." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Wybrano niezgodne profile PAM." + +#. Type: error +#. Description +#. 
This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Następujące profile PAM nie mogą być używane razem:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Proszę wybrać inny zestaw modułów do włączenia." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Nadpisać lokalne zmiany w /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Jeden lub więcej plików /etc/pam.d/common-{auth,account,password,session}, " +"zostało lokalnie zmodyfikowanych. Proszę określić, czy zmiany te powinny " +"zostać nadpisane przez konfigurację dostarczaną z systemem. W przypadku " +"braku zgody użytkownika, konieczne będzie ręczne zarządzanie systemową " +"konfiguracją uwierzytelniania." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Nie wybrano żadnych profili PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Nie wybrano żadnych profili PAM, które mają być używane przez system. 
Dałoby " +"to dostęp wszystkim użytkownikom bez uwierzytelniania, co nie jest " +"dozwolone. Proszę wybrać przynajmniej jeden profil PAM z dostępnej listy." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver i xlockmore muszą zostać zrestartowane przed aktualizacją" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Wykryto jedną lub więcej działających kopii programu xscreensaver lub " +"xlockmore. Z powodu niekompatybilnych zmian biblioteki, aktualizacja pakietu " +"libpam-modules uniemożliwiła by autoryzację użytkownika do tych programów. " +"Należy zrestartować lub zatrzymać te programy przed aktualizacją, aby " +"zapobiec utknięciu użytkowników poza ich aktualnymi sesjami." --- pam-1.1.8.orig/debian/po/pt.po +++ pam-1.1.8/debian/po/pt.po 
@@ -0,0 +1,235 @@ +# translation of pam debconf to Portuguese +# Copyright (C) 2007 Américo Monteiro +# This file is distributed under the same license as the pam package. +# +# Américo Monteiro , 2007, 2009. +# Pedro Ribeiro , 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.3-6\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-12-17 18:46+0000\n" +"Last-Translator: Pedro Ribeiro \n" +"Language-Team: Portuguese \n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.0\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Serviços a reiniciar para a actualização da biblioteca PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"A maioria dos serviços que usam PAM necessitam ser reiniciados para usarem " +"os módulos construídos para esta nova versão do libpam. Por favor, reveja a " +"seguinte lista de scripts init.d de serviços, separados por espaços, para " +"serem reiniciados agora e corrija-a se for necessário." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "O gestor de sessão gráfica deverá ser reiniciado manualmente" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Os gestores de sessão gráfica wdm e xdm necessitam de reiniciar para a nova " +"versão de libpam, mas existem sessões de login X activas no seu sistema que " +"seriam terminadas por esta operação. Deverá reiniciar estes serviços " +"manualmente para permitir novos logins X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Falha ao reiniciar alguns serviços para a actualização PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Os seguintes serviços não puderam ser reiniciados para a actualização da " +"biblioteca PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Você precisa iniciar manualmente estes serviços fazendo '/etc/init.d/" +" start'." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Reiniciar os serviços durante actualizações do pacote sem perguntar?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." 
+msgstr "" +"Há serviços instalados no seu sistema que necessitam de ser reiniciados " +"quando certas bibliotecas, tais como libpam, libc e libssl, são " +"actualizadas. Uma vez que estes reinícios podem causar interrupções de " +"serviço do sistema, será normalmente questionado em cada actualização sobre " +"a lista de serviços que deseja reiniciar. Pode escolher esta opção para " +"evitar as questões; neste caso, todos os reinicios serão efectuados " +"automaticamente e não será questionado em cada actualização das bibliotecas." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Configuração PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Perfis PAM para activar:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"O PAM (Pluggable Authentication Modules) determina como a autenticação, a " +"autorização, e a mudança de palavras-chave são manuseadas no sistema, assim " +"como permitir a configuração de acções adicionais a tomar quando arrancam " +"sessões de utilizador." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Alguns pacotes de módulos do PAM disponibilizam perfis que podem ser usados " +"para ajustar automaticamente o comportamento de todas as aplicações no " +"sistema que usam o PAM. Por favor indique quais destes comportamentos deseja " +"activar." + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Seleccionados perfis PAM incompatíveis." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Os seguintes perfis do PAM não podem ser usados juntamente:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Por favor seleccione um conjunto diferente de módulos para activar." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Sobre-escrever as alterações locais em /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Um ou mais dos ficheiros /etc/pam.d/common-{auth,account,password,session} " +"foi modificado localmente. Por favor indique se estas alterações locais " +"deverão ser sobre-escritas usando a configuração disponibilizada pelo " +"sistema. Se você recusar esta opção, terá que gerir a configuração de " +"autenticação do sistema manualmente." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Nenhum perfil do PAM foi seleccionado." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. 
This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Não foram seleccionados perfis do PAM para utilização neste sistema. Isto " +"irá permitir acesso sem autenticação ao todos os utilizadores, e não é " +"permitido. Por favor seleccione pelo menos um perfil PAM a partir da lista " +"disponível." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver e xlockmore têm que ser reiniciados antes da actualização" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Uma ou mais instâncias do xscreensaver ou xlockmore foram detectadas a " +"funcionar neste sistema. Devido a alterações incompatíveis em bibliotecas, a " +"actualização do pacote libpam-modules irá deixá-lo incapaz de se autenticar " +"nestes programas. Você deve fazer com que estes programas sejam reiniciados " +"ou parados antes de continuar com esta actualização, para evitar trancar os " +"seus utilizadores fora das suas sessões actuais." --- pam-1.1.8.orig/debian/po/pt_BR.po +++ pam-1.1.8/debian/po/pt_BR.po 
@@ -0,0 +1,226 @@ +# pam Brazilian Portuguese translation +# Copyright (c) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# Eder L. Marques , 2007-2009. +# +msgid "" +msgstr "" +"Project-Id-Version: pam_0.99.7.1-5\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-03-29 13:01-0700\n" +"Last-Translator: Eder L. Marques \n" +"Language-Team: Brazilian Portuguese \n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Serviços a serem reiniciados para a atualização de bibliotecas PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"A maioria dos serviços que utilizam PAM precisam ser reiniciados para usar " +"os módulos construídos para esta nova versão da libpam. Por favor, revise a " +"seguinte lista separada por espaços de seus scripts init.d para os serviços " +"a serem reiniciados agora, e a corrija se necessário." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Gerenciadores de display devem ser reiniciados manualmente" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Os gerenciadores de display wdm e xdm precisam ser reiniciados para a nova " +"versão da libpam, mas existem sessões de login X ativas em seu sistema que " +"podem ser terminadas por este reinicio. Você consequentemente necessitará " +"reiniciar estes serviços manualmente antes que logins X adicionais sejam " +"possíveis." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Falha ao reiniciar alguns serviços para a atualização da PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Os seguintes serviços não puderam ser reiniciados para a atualização da " +"biblioteca PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Você deverá iniciá-los manualmente executando '/etc/init.d/ start'." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. 
Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Perfis PAM para habilitar:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"O PAM (\"Pluggable Authentication Modules\") determina como a autenticação, " +"autorização e alteração de senha são tratados no sistema, assim como permite " +"a configuração de ações adicionais a serem tomadas quando sessões de usuário " +"são iniciadas." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Alguns pacotes de módulos PAM fornecem perfis que podem ser usados para " +"ajustar automaticamente o comportamento de todas as aplicações que usam PAM " +"no sistema. Por favor, indique quais destes comportamentos você deseja " +"habilitar." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Perfis PAM incompatíveis foram selecionados." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Os seguintes perfis PAM não podem ser usados em conjunto:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Por favor, selecione um conjunto diferente de módulos para habilitar." + +#. Type: boolean +#. 
Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Sobrescrever as modificações locais de /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Um ou mais dos arquivos /etc/pam.d/common-{auth,account,password,session} " +"foram modificados localmente. Por favor, indique quais destas modificações " +"locais devem ser sobrescritas usando a configuração fornecida pelo sistema. " +"Se você recusar esta opção, você precisará gerenciar a configuração de " +"autenticação do seu sistema manualmente." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Nenhum perfil PAM foi selecionado." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Nenhum perfil PAM foi selecionado para uso neste sistema. Isto irá garantir " +"a todos os usuários acesso sem autenticação, e isto não é permitido. Por " +"favor, selecione no mínimo um perfil PAM da lista disponível." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "O xscreensaver e xlockmore precisam ser reiniciados antes de atualizar" + +#. Type: error +#. 
Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Uma ou mais instâncias do xscreensaver ou do xlockmore foram detectadas em " +"execução neste sistema. Por causa de modificações incompatíveis de " +"biblioteca a atualização do pacote libpam-modules impossibilitará você de se " +"autenticar nestes programas. Você deve providenciar que estes programas " +"sejam reiniciados ou parados antes de continuar com esta atualização, para " +"evitar bloquear seus usuários fora de suas sessões atuais." --- pam-1.1.8.orig/debian/po/ro.po +++ pam-1.1.8/debian/po/ro.po 
@@ -0,0 +1,226 @@ +# Romanian translation of pam debconf templates +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# +# Igor Stirbu , 2008. +# Eddy Petrișor , 2009. +msgid "" +msgstr "" +"Project-Id-Version: pam 1.0.1-7\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-03-29 13:01-0700\n" +"Last-Translator: Eddy Petrișor \n" +"Language-Team: Romanian \n" +"Language: ro\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < " +"20)) ? 1 : 2;\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Serviciile repornite la actualizarea bibliotecii PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Majoritatea serviciilor ce folosesc PAM trebuie repornite pentru a folosi " +"modulele pentru noua versiune de libpam. Următoarea listă folosește ca " +"separator spațiul și conține script-uri init.d care urmează să fie repornite " +"acum; verificați-o și corectați-o, dacă este necesar." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Administratorul de ecran trebuie repornit manual" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Administratorii de ecran wdm și xdm trebuie reporniți pentru ca să " +"folosească noua versiune de libpam, dar sunt sesiuni active de X pe sistemul " +"dumneavoastră care ar fi oprite odată cu această repornire. Drept urmare, " +"trebuie să reporniți manual aceste servicii înainte ca autentificările X " +"ulterioare să fie posibile." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Eșec la repornirea unor servicii la actualizarea PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Următoarele servicii nu au putut fi repornite la actualizarea bibliotecii " +"PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Trebuie să reporniți manual aceste servicii rulând „/etc/init.d/ " +"start”" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. 
You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Profile PAM de activat:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Modulele de autentificare conectabile (PAM) definesc cum se manevrează în " +"sistem autentificările, autorizațiile și schimbările de parole, dar permite " +"și adăugarea de diverse acțiuni ce se vor efectua la pornirea sesiunilor " +"utilizatorilor." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Unele pachete de module PAM furnizează profile care pot fi folosite pentru " +"ajustarea automată a comportamentului aplicațiilor din sistem care folosesc " +"PAM. Indicați pe care dintre aceste comportamente le doriți activate." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Selecție de profile PAM incompatibile." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. 
+#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Următoarele profile PAM nu pot fi folosite împreună:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Selectați un alt set de module de activat." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Se ignoră schimbările locale făcute în /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Există modificari locale într-unul sau mai multe dintre fișierele /etc/pam.d/" +"common-{auth,account,password,session}. Precizați dacă aceste schimbări " +"locale trebuie suprascrise cu configurația oferită de sistem. Dacă refuzați, " +"va trebui să administrați manual configurația de autentificare a sistemului." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +#, fuzzy +msgid "No PAM profiles have been selected." +msgstr "Selecție de profile PAM incompatibile." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver și xlockmore trebuie repornite înainte de înnoire" + +#. 
Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"în sistem s-a detectat cel puțin o instanță activa de xscreensaver sau " +"xlockmore. Datorită unor schimbări de compatibilitate în biblioteci, " +"înnoirea pachetului libpam-modules nu vă va mai permite să vă autentificați " +"în aceste programe. Va trebui să aranjați lucrurile în așa fel încât aceste " +"programe să fie repornite sau oprite înainte de a continua înnoirea pentru a " +"evita blocarea utilizatorilor în afara sesiunilor lor curente." --- pam-1.1.8.orig/debian/po/ru.po +++ pam-1.1.8/debian/po/ru.po 
@@ -0,0 +1,230 @@ +# translation of ru.po to Russian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the pam package. +# +# Yuri Kozlov , 2007. +# Max Kosmach , 2009. +# Yuri Kozlov , 2009, 2011. +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.3-6\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-12-04 09:00+0400\n" +"Last-Translator: Yuri Kozlov \n" +"Language-Team: Russian \n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.0\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Службы, которые будут перезапущены после обновления библиотеки PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Чтобы задействовать новые версии модулей из libpam нужно перезапустить " +"большинство служб, использующих PAM. Внимательно просмотрите и, при " +"необходимости, отредактируйте список сценариев из init.d для служб, которые " +"будут перезапущены. Элементы списка разделяются пробелом." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Программу входа в систему нужно перезапустить вручную" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Для работы с новой версией libpam программам для входа в систему wdm и xdm " +"требуется перезапуск, но это прервёт все запущенные X-сеансы. Поэтому вам " +"нужно перезапустить эти службы вручную для того, чтобы можно было снова " +"входить в систему через X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "При обновлении PAM перезапуск некоторых служб завершился неудачно" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"При обновлении библиотеки PAM не удалось перезапустить следующие службы:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "Вам нужно запустить их вручную, выполнив '/etc/init.d/<служба> start'." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Перезапускать службы при обновлении пакета не задавая вопрос?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. 
You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"В системе установлены службы, которые требуют перезапуска после обновления " +"определённых библиотек (например, libpam, libc и libssl). Так как это может " +"вызвать перерыв в работе службы, обычно, при каждом обновлении выдаётся " +"список служб, которые нужно перезапустить. Чтобы этот вопрос не задавался, " +"вы можете ответить утвердительно; в этом случае все необходимые службы будут " +"перезапущены автоматически." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Настройка PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Активируемые профили PAM:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Через подключаемые модули аутентификации (PAM) указывается как нужно " +"проводить аутентификацию, авторизацию и смену пароля в системе, а также " +"можно назначать запуск дополнительных действий при старте пользовательского " +"сеанса." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Некоторые пакеты модулей PAM предоставляют профили, которые можно " +"использовать для автоматического регулирования поведения всех использующих " +"PAM программ в системе. 
Выберите профили, которые нужно применить." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Выбраны несовместимые профили PAM." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Следующие профили PAM нельзя использовать одновременно:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Выберите другой набор активируемых модулей." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Переопределить локальные изменения в /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Один или более файлов в /etc/pam.d/common-{auth,account,password,session} " +"был изменён вручную. Заметьте, что данные локальные изменения должны быть " +"переопределены через системные настройки. Если вы ответите отрицательно, то " +"вам придётся управлять настройками аутентификации системы вручную." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Профили PAM не выбраны." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. 
Please select " +"at least one PAM profile from the available list." +msgstr "" +"В системе для работы не выбрано ни одного профиля PAM. Это предоставит " +"полный доступ всем пользователям без аутентификации, что нежелательно. " +"Выберите, по крайней мере, один профиль PAM из доступных." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "Перед обновлением требуется перезапустить xscreensaver и xlockmore" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Обнаружено, что в системе запущен один или несколько процессов xscreensaver " +"или xlockmore. Из-за изменений в библиотеке, обновление пакета libpam-" +"modules приведёт к невозможности выполнения аутентификации из этих программ. " +"Перед тем как продолжить обновление вам нужно перезапустить или остановить " +"работу этих программ, чтобы избежать блокировки пользователей в их активных " +"сеансах." --- pam-1.1.8.orig/debian/po/sk.po +++ pam-1.1.8/debian/po/sk.po 
@@ -0,0 +1,227 @@ +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the pam package. +# Ivan Masár , 2008, 2009, 2010, 2012. +# +msgid "" +msgstr "" +"Project-Id-Version: pam\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2012-01-19 22:37+0100\n" +"Last-Translator: Ivan Masár \n" +"Language-Team: Slovak \n" +"Language: sk\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Pri aktualizácii knižnice PAM reštartovať nasledovné služby:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Väčšinu služieb využívajúcich PAM je potrebné reštartovať, aby začali " +"používať moduly zostavené pre túto novú verziu libpam. Prosím, skontrolujte " +"nasledovný zoznam init.d skriptov (oddelené čiarkami), ktoré sa majú teraz " +"reštartovať a ak je to potrebné, opravte ho." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Správcu obrazovky je potrebné reštartovať ručne" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." 
+msgstr "" +"Správcovia obrazovky wdm a xdm vyžadujú reštart kvôli novej verzii libpam, " +"ale na vašom systéme sú aktívne prihlasovacie relácie X, ktoré by tento " +"reštart ukončil. Preto tieto služby budete musieť reštartovať ručne predtým, " +"než bude možné uskutočniť ďalšie prihlásenie k X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Zlyhal reštart niektorých služieb pri aktualizácii PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Nasledovné služby nebolo možné reštartovať pri aktualizácii knižnice PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Budete ich musieť reštartovať ručne spustením „/etc/init.d/ start”." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "Reštartovať služby počas aktualizácií balíka bez pýtania?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Na vašom systéme bežia služby, ktoré ne potrebné reštartovať pri " +"aktualizácii určitých knižníc ako libpam, libc a libssl. 
Pretože tieto " +"reštarty môžu spôsobiť prerušenia služby systému, za bežných okolností " +"budete vyzvaní pri každej aktualizácie so zoznamom služieb, ktoré chcete " +"reštartovať. Túto voľbu môžete vybrať, ak nechcete byť vyzývaný, ale " +"namiesto toho chcete, aby sa všetky potrebné reštarty vykonali automaticky " +"za vás a tak sa vyhnúť kladeniu otázok pri každej aktualizácii knižnice." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "Konfigurácia PAM" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Zapnúř nasledovné profily PAM:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Zásuvné autentifikačné moduly (PAM) určujú ako systém pracuje s " +"autentifikáciou, autorizáciou, zmenou hesiel a umožňuje tiež nastavenie " +"ďalších operácií, ktoré sa majú vykonať pri prihlásení používateľa." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Niektoré balíky modulov PAM poskytujú profily, ktorými možno automaticky " +"prisôpsobiť správanie všetkých aplikácií v systéme, ktoré používajú PAM. " +"Prosím označte tie z nich, ktoré chcete zapnúť." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Boli vybrané nekompatibilné profily PAM." + +#. Type: error +#. Description +#. 
This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Nasledovné profily PAM nemožno použiť súčasne:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Prosím, zmeňte množinu modulov, ktoré sa majú zapnúť." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Prepísať lokálne zmeny v /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Jeden alebo viac zo súborov /etc/pam.d/common-{auth,account,password," +"session} bolo na lokálnom systéme zmenených. Uveďte prosím, či sa majú tieto " +"lokálne zmeny prepísať štandardnými konfiguračnými voľbami. Ak túto možnosť " +"zamietnete, budete musieť spravovať nastavenia autentifikácie tohto systému " +"ručne." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Neboli vybrané žiadne profily PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Pre tento systém neboli vybrané žiadne profily PAM. To by udelilo všetkým " +"používateľom prístup bez overovania a to nie je povolené. 
Prosím, vyberte " +"aspoň jeden profil PAM zo zoznamu dostupných profilov." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "Pred aktualizáciou je potrebné reštartovať xscreensaver a xlockmore" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Na tomto systéme bola zistená jedna alebo viacero bežiacich inštancií " +"programov xscreensaver alebo xlockmore. Z dôvodu nekomaptibilných zmien v " +"knižniciach balíka libpam-modules by ste po aktualizácii neboli schopní " +"overiť sa týmto programom. Mali by ste zariadiť, aby sa tieto programy " +"reštartovali alebo zastavili predtým, než budete v tejto aktualizácii " +"pokračovať, aby ste predišli tomu, že používatelia sa nebudú môcť prihlásiť " +"zo svojich súčasných relácií." --- pam-1.1.8.orig/debian/po/sv.po +++ pam-1.1.8/debian/po/sv.po 
@@ -0,0 +1,269 @@ +# Debconf questions for the pam package translated to Swedish. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# +# Martin Bagge , 2009, 2010, 2011 +# Christer Andersson , 2007. +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2011-12-06 21:31+0100\n" +"Last-Translator: Martin Bagge / brother \n" +"Language-Team: Swedish \n" +"Language: sv\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Swedish\n" +"X-Poedit-Country: Sweden\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Tjänster att starta om efter uppgradering av PAM-biblioteket:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"De flesta tjänster som använder PAM behöver startas om för att använda " +"moduler som byggts för denna nya libpam-version. Gå igenom följande lista av " +"init.d-skript (separerade med mellanslag) för tjänster som nu kommer att " +"startas om och korrigera den om nödvändigt." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Skärmhanterare måste startas om manuellt" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Skärmhanterarna wdm och xdm måste startas om för den nya versionen av libpam " +"men det finns X-inloggningssessioner som skulle avslutas av en sådan " +"omstart. Du behöver därför starta om dessa tjänster manuellt innan " +"ytterligare X-inloggningar är möjliga." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Misslyckades med att starta om vissa tjänster för PAM-uppgradering" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Följande tjänster kunde inte startas om efter uppgraderingen av PAM-" +"biblioteket:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Du behöver starta om dessa manuellt genom att köra \"/etc/init.d/ " +"start\"." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Ska tjänster startas om vid paketuppgraderingar utan att först fråga om det?" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." 
+msgstr "" +"Det finns tjänster installerade på systemet som behöver startas om när vissa " +"bibliotek (ex. libpam, libc och libssl) uppdateras. Eftersom dessa omstarter " +"kan innebära avbrott i tjänsterna på systemet kommer du vanligen att få en " +"fråga för varje uppgradering med en lista över tjänster som ska startas om. " +"Du kan välja detta alternativ för att undvika att frågan ställs. Istället " +"kommer alla nödvändiga omstarter att skötas automatiskt och du undviker " +"frågor vid varje biblioteksuppgradering." + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "PAM-inställningar" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Aktivera följande PAM-profiler:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Pluggable Authentication Modules (PAM) hanterar hur autentisering, " +"identifiering och byte av lösenord ska utföras på systemet. Dessutom " +"hanteras särskilda åtgärder som ska vidtas vid uppstarta av " +"användarsessioner." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Vissa paket med PAM-moduler tillhandahåller profiler som kan användas för " +"att automatiskt justera hur applikationer som använder PAM fungerar på " +"systemet. Ange vilka av dessa funktioner du önskar aktivera." + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Inkompatibla PAM-profiler valdes." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Följande PAM-profiler kan inte användas tillsammans:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Ange en annan uppsättning med moduler som ska aktiveras." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "Skriv över lokala förändringar i /etc/pam.d/common-*?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"En eller flera av filerna /etc/pam.d/common-{auth,account.password,session} " +"har förändrats. Ange om dessa lokala förändringar ska skrivas över med " +"standardinställningarna. Om du avböjer detta alternativ kommer du behöva " +"hantera inställningarna för systemets autentisering manuellt." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Inga PAM-profiler valdes." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." 
+msgstr "" +"Inga PAM-profiler används på detta system. Detta skulle ge alla användare " +"tillgång till systemet utan att behöva ange lösenord och det kan inte " +"tillåtas. välj åtminstone en PAM-profil från listan med tillgängliga " +"profiler." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"xscreensaver och xlockmore måste startas om innan uppgraderingen kan " +"genomföras" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"En eller flera instanser av xscreensaver eller xlockmore körs på det här " +"systemet. På grund av förändringar i biblioteket kan uppgraderingen av " +"paketet libpam-modules innebära att du inte kan identifiera dig i dessa " +"program. Programmen behöver startas om eller allra helst stängas av helt " +"före uppgraderingen, resultatet kan annars innebära att du inte kan komma åt " +"dina aktiva sessioner på systemet." + +#~ msgid "Your system allowed access without a password!" +#~ msgstr "Ditt system tillät anslutningar utan lösenord!" + +#~ msgid "" +#~ "A bug in a previous version of libpam-runtime resulted in no PAM profiles " +#~ "being selected for use on this system. As a result, access was allowed " +#~ "for a time to all accounts on your system, with or without a correct " +#~ "password. Especially if this system can be accessed from the Internet, it " +#~ "is likely that it has been compromised. 
Unless you are familiar with " +#~ "recovering from security failures, viruses, and malicious software, you " +#~ "should re-install this system from scratch or obtain the services of a " +#~ "skilled system administrator. For more information, see:" +#~ msgstr "" +#~ "Ett fel i en tidigare version av libpam-runtime innebar att inga PAM-" +#~ "profiler användes på systemet. Detta betydde i sin tur att alla konton på " +#~ "systemet kunde använda skal, med eller utan ett korrekt lösenord. Om " +#~ "detta system är åtkomligt via nätet är det mycket troligt att det kan ha " +#~ "infiltrerats. Om du inte är säker på hur du ska återställa eventuella fel " +#~ "på grund av intrång, virus eller skadlig programvara bör du installera om " +#~ "systemet från grunden eller inhämta hjälp av en erfaren " +#~ "systemadministratör. Läs mer om detta på:" + +#~ msgid "" +#~ "The bug that allowed this wrong configuration is fixed in the current " +#~ "version of libpam-runtime, and your configuration has now been corrected. " +#~ "We apologize that previous versions of libpam-runtime did not detect and " +#~ "prevent this situation." +#~ msgstr "" +#~ "Felet som orsakade dessa problem är åtgärdat i och med den aktuella " +#~ "versionen av libpam-runtime och dina inställningar ha korrigerats. Vi ber " +#~ "om ursäkt för att tidigare versioner av libpam-runtime inte upptäckte och " +#~ "förhindrade att dessa fel uppstod." --- pam-1.1.8.orig/debian/po/templates.pot +++ pam-1.1.8/debian/po/templates.pot 
@@ -0,0 +1,191 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "" + +#. Type: error +#. Description +#. 
This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." 
+msgstr "" --- pam-1.1.8.orig/debian/po/tr.po +++ pam-1.1.8/debian/po/tr.po 
@@ -0,0 +1,212 @@ +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# Mert Dirik , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2009-01-01 19:20+0200\n" +"Last-Translator: Mert Dirik \n" +"Language-Team: Debian L10n Turkish \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Turkish\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" +"PAM kitaplığının yükseltilmesi için yeniden başlatılacak olan hizmetler:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"PAM kullanan çoğu hizmet, libpam'ın bu yeni sürümü için derlenmiş " +"modüllerden yararlanabilmek için yeniden başlatılmak zorunda. Lütfen " +"yeniden başlatılacak hizmetlere ilişkin init.d betiklerinin boşluklarla " +"ayrılmış aşağıdaki listesini inceleyin ve gerekliyse listeyi düzeltin." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Görüntü yöneticisinin elle yeniden başlatılması gerekli" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"kdm, wdm ve xdm görüntü yöneticileri, libpam'ın yeni sürümünden " +"yararlanabilmek için yeniden başlatılmalı; fakat sisteminizde etkin X " +"oturumları var. Görüntü yöneticisi yeniden başlatılırsa bu oturumlar da " +"kapatılır. Bu yüzden ileride yeni X oturumları açabilmek için bu hizmetleri " +"elle yeniden başlatmanız gerekecek. " + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Bazı hizmetler PAM yükseltmesi için yeniden başlatılamadı" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Aşağıdaki hizmetler PAM kitaplığının yükseltmesi için yeniden başlatılamadı:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Bu hizmetleri '/etc/init.d/ start' komutunu kullanarak elinizle " +"başlatmanız gerekecek." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. 
Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" + +#. Type: error +#. 
Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"Yükseltme işleminden önce xscreensaver ve xlockmore yeniden başlatılmalı" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Sisteminizde çalışmakta olan birden fazla xscreensaver ya da xlockmore " +"örneğine rastlandı. Uyumsuz kitaplık değişiklikleri yüzünden, libpam-modules " +"paketinin yükseltilmesi bu programlarda kimlik doğrulamasını olanaksız hale " +"getirecek. Mevcut oturumların kilitlenmesi önlemek için, yükseltme işlemine " +"devam etmeden önce bu programları durdurmalı ya da yeniden başlatmalısınız." --- pam-1.1.8.orig/debian/po/vi.po +++ pam-1.1.8/debian/po/vi.po 
@@ -0,0 +1,257 @@ +# Vietnamese translation for PAM. +# Copyright © 2010 Free Software Foundation, Inc. +# Clytie Siddall , 2007-2010. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 1.1.1-6.1\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2010-10-24 20:46+1030\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"Language: vi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: LocFactoryEditor 1.8\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Dịch vụ cần khởi chạy lại để nâng cấp thư viện PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Phần lớn dịch vụ sử dụng PAM thì cũng cần phải được khởi chạy lại để sử dụng " +"những mô-đun được xây dựng cho phiên bản libpam mới này. Hãy xem lại danh " +"sách định giới bằng dấu cách theo đây hiển thị những văn lệnh khởi động " +"(init.d) cho dịch vụ cần khởi chạy lại ngay bây giờ, và sửa chữa nếu cần " +"thiết." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Trình quản lý trình bày phải được khởi chạy bằng tay" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. 
You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Trình quản lý trình bày kdm, wdm, hay xdm cần thiết được khởi chạy lại để sử " +"dụng phiên bản mới của thư viện libpam, nhưng việc khởi chạy lại sẽ cũng " +"chấm dứt một số buổi hợp đang nhập X đang chạy. Sau đó thì bạn cần phải tự " +"khởi chạy lại những dịch vụ này để đăng nhập lại vào X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Lỗi khởi chạy lại một số dịch vụ để nâng cấp PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Những dịch vụ theo đây không thể được khởi chạy lại để nâng cấp thư viện PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Bạn cần phải tự khởi chạy lại chúng bằng cách chạy câu lệnh « /etc/init.d/" +" start »." + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. 
Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "Các hồ sơ PAM cần bật:" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" +"Mô-đun Xác thực Dễ kết hợp (PAM) quyết định quá trình xác thực, cho phép và " +"thay đổi mật khẩu được quản lý như thế nào trên hệ thống, cũng như cho phép " +"cấu hình các hành vi bổ sung cần làm khi khởi chạy buổi hợp người dùng." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" +"Một số mô-đun PAM nào đó cũng cung cấp các hồ sơ có thể được dùng để tự động " +"điều chỉnh ứng xử của tất cả các ứng dụng dùng PAM trên hệ thống. Hãy ngụ ý " +"những ứng xử nào bạn muốn hiệu lực." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "Bạn đã chọn một số hồ sơ PAM không tương thích với nhau." + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "Không thể sử dụng với nhau những hồ sơ PAM theo đây:" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "Hãy chọn một tập hợp mô-đun khác để hiệu lực." + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" 
+msgstr "Có quyền cao hơn thay đổi cục bộ trong « /etc/pam.d/common-* » không?" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" +"Một hay nhiều tập tin « /etc/pam.d/common-{auth,account,password,session} » " +"đã bị sửa đổi cục bộ. Hãy ngụ ý có nên ghi đè lên các thay đổi cục bộ này " +"dùng cấu hình được hệ thống cung cấp, hay không. Không bật tuỳ chọn này thì " +"bạn cần phải tự quản lý cấu hình xác thực của hệ thống này." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "Chưa chọn hồ sơ PAM." + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" +"Chưa chọn hồ sơ PAM nào để sử dụng trên hệ thống này. Trường hợp này cho " +"phép mọi người dùng truy cập đến hệ thống mà không xác thực: không tốt ! Xin " +"hãy chọn ít nhất một hồ sơ PAM trong danh sách sẵn sàng." + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "xscreensaver và xlockmore phải được khởi chạy lại trước khi nâng cấp" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. 
Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Một hai nhiều tiến trình xscreensaver hay xlockmore được phát hiện trên hệ " +"thống này. Do thay đổi thư viện không tương thích, việc nâng cấp gói libpam-" +"modules sẽ để lại trường hợp người dùng không thể xác thực với những chương " +"trình này. Vì thế bạn nên khởi chạy lại hoặc ngừng chạy những chương trình " +"này trước khi tiếp tục tiến trình nâng cấp, để tránh chặn người dùng đăng " +"nhập vào buổi hợp đang chạy." + +#~ msgid "Your system allowed access without a password!" +#~ msgstr "Hệ thống này cho phép truy cập mà không nhập mật khẩu !" + +#~ msgid "" +#~ "A bug in a previous version of libpam-runtime resulted in no PAM profiles " +#~ "being selected for use on this system. As a result, access was allowed " +#~ "for a time to all accounts on your system, with or without a correct " +#~ "password. Especially if this system can be accessed from the Internet, it " +#~ "is likely that it has been compromised. Unless you are familiar with " +#~ "recovering from security failures, viruses, and malicious software, you " +#~ "should re-install this system from scratch or obtain the services of a " +#~ "skilled system administrator. For more information, see:" +#~ msgstr "" +#~ "Một phiên bản libpam-runtime trước chứa một lỗi dẫn đến không có hồ sơ " +#~ "PAM nào được lựa chọn để sử dụng trên hệ thống này. Kết quả là trong một " +#~ "thời gian nào đó truy cập được phép đến mọi tài khoản trên hệ thống này, " +#~ "bất chấp nhập mật khẩu đúng hay không. Đặc biệt nếu hệ thống này cho phép " +#~ "truy cập từ Internet, rất có thể là hệ thống này bị hại thậm. 
Nếu bạn " +#~ "không quen với tiến trình phục hồi sau sự thất bại bảo mật, vi-rút và " +#~ "phần mềm hiểm độc, bạn nên cài đặt lại hệ thống này từ số không, hoặc yêu " +#~ "cầu dịch vụ của một quản trị hệ thống thành thạo. Để tìm thêm thông tin, " +#~ "xem:" + +#~ msgid "" +#~ "The bug that allowed this wrong configuration is fixed in the current " +#~ "version of libpam-runtime, and your configuration has now been corrected. " +#~ "We apologize that previous versions of libpam-runtime did not detect and " +#~ "prevent this situation." +#~ msgstr "" +#~ "Lỗi cho phép cấu hình sai này đã được sửa chữa trong phiên bản libpam-" +#~ "runtime hiện thời, và cấu hình của bạn giờ được sửa chữa. Chúng tôi xin " +#~ "lỗi vì phiên bản libpam-runtime trước không phát hiện và ngăn cản trường " +#~ "hợp này." --- pam-1.1.8.orig/debian/po/zh_CN.po +++ pam-1.1.8/debian/po/zh_CN.po 
@@ -0,0 +1,206 @@ +# Simplified Chinese translation for debconf templates of the pam package +# +# The original English strings (msgid) are: +# Copyright (C) 2007 Steve Langasek +# The translations (msgstr) are: +# Copyright (C) 2007 Ming Hua +# Copyright (C) 2009 Deng Xiyue +# +# This file is distributed under the same license as the pam package. +# +msgid "" +msgstr "" +"Project-Id-Version: pam\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2011-10-30 15:05-0400\n" +"PO-Revision-Date: 2009-01-01 12:30+0800\n" +"Last-Translator: Deng Xiyue \n" +"Language-Team: Debian Chinese [GB] \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "因 PAM 库升级而需要重新启动的服务:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"为了使用基于这个新版本 libpam 编译的模块,绝大部分使用 PAM 的服务都需要被重新" +"启动。请复查下面这个需要重新启动的服务所对应的 init.d script 列表,script 名" +"称之间以半角空格分隔。如列表有误,请直接更正。" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "必须手动重新启动显示管理器" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The wdm and xdm display managers require a restart for the new version of " +"libpam, but there are X login sessions active on your system that would be " +"terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." 
+msgstr "" +"由于 lipam 更新到新版本,显示管理器 kdm、wdm 和 xdm 需要被重新启动。但是您的" +"系统上有正在运行的 X 登录会话,而如果重新启动显示管理器服务,这些 X 会话就会" +"被强行结束。因此,您需要手动重新启动这些服务,否则您将无法再登录进 X 窗口系" +"统。" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "为 PAM 升级重新启动某些服务失败" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "升级 PAM 库时,下列服务无法被重新启动:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "您需要运行“/etc/init.d/<服务> start”来手动启动这些服务。" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam0g.templates:4001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + +#. Type: title +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM configuration" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "PAM profiles to enable:" +msgstr "" + +#. Type: multiselect +#. 
Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:2001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Incompatible PAM profiles selected." +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:3001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Please select a different set of modules to enable." +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:4001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "No PAM profiles have been selected." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:5001 +msgid "" +"No PAM profiles have been selected for use on this system. 
This would grant " +"all users access without authenticating, and is not allowed. Please select " +"at least one PAM profile from the available list." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "在升级前必须重新启动 xscreensaver 和 xlockmore" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"检测到一个或多个 xscreensaver 或 xlockmore 运行实例。因为不兼容的库的变化," +"libpam-module 软件包的升级将使您无法向这些程序认证。您需要在继续此升级前安排" +"这些程序重新启动或者停止运行,以避免将您的用户锁在他们的当前会话之外。" --- pam-1.1.8.orig/debian/rules +++ pam-1.1.8/debian/rules 
@@ -0,0 +1,67 @@ +#!/usr/bin/make -f + +DEB_LDFLAGS_MAINT_APPEND := -Wl,-z,defs +DEB_CFLAGS_MAINT_APPEND := $(shell getconf LFS_CFLAGS) +export DEB_LDFLAGS_MAINT_APPEND DEB_CFLAGS_MAINT_APPEND +ifeq ($(shell dpkg-architecture -qDEB_BUILD_ARCH_OS),hurd) +DEB_LDFLAGS_MAINT_APPEND += -lpthread +endif + +DEB_HOST_MULTIARCH := $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +LC_COLLATE=C +export LC_COLLATE + +export QUILT_PATCH_DIR = debian/patches-applied + +d = $(CURDIR)/debian +dl = $(d)/local + +%: + dh $@ --with quilt,autoreconf + +# avoid libaudit-dev when bootstrapping +ifneq (,$(filter $(DEB_BUILD_PROFILE),stage1)) + CONFIGURE_OPTS += --disable-audit +endif + +override_dh_auto_configure: + dh_auto_configure -- --enable-static --enable-shared \ + --libdir=/lib/$(DEB_HOST_MULTIARCH) \ + --enable-isadir=/lib/security \ + $(CONFIGURE_OPTS) + +# .install files don't have "except for" handling, so we need to exclude +# our module that doesn't match right here +override_dh_install: + sed -e"s/@DEB_HOST_MULTIARCH@/$(DEB_HOST_MULTIARCH)/g" $(d)/libpam0g-dev.install.in > $(d)/libpam0g-dev.install +ifneq (,$(findstring libpam-modules, $(shell dh_listpackages))) + dh_install -plibpam-modules -Xpam_cracklib +endif + dh_install -Nlibpam-modules + +# again, excluding files by hand; also, build our local manpage for pam_getenv +# from the XML +override_dh_installman: + pod2man --section 8 --release="Debian GNU/Linux" $(dl)/pam_getenv >$(dl)/pam_getenv.8 + dh_installman + rm -f $(d)/libpam-modules/usr/share/man/man5/pam.conf.5 + rm -f $(d)/libpam-modules/usr/share/man/man8/pam_cracklib.8 + rm -f $(d)/libpam-modules/usr/share/man/man8/pam_timestamp_check.8 + +# dh_link doesn't do wildcards, so we can't auto-link to the right per-arch +# directory +override_dh_link: + sed -e"s/@DEB_HOST_MULTIARCH@/$(DEB_HOST_MULTIARCH)/g" $(d)/libpam0g-dev.links.in > $(d)/libpam0g-dev.links + dh_link + +# using perms that differ from upstream (sgid instead of suid) /and/ that +# dh_fixperms 
doesn't want +override_dh_fixperms: + dh_fixperms +ifneq (,$(findstring libpam-modules, $(shell dh_listpackages))) + chgrp shadow $(d)/libpam-modules-bin/sbin/unix_chkpwd + chmod 02755 $(d)/libpam-modules-bin/sbin/unix_chkpwd + chgrp shadow $(d)/libpam-modules-bin/sbin/pam_extrausers_chkpwd + chmod 02755 $(d)/libpam-modules-bin/sbin/pam_extrausers_chkpwd +endif --- pam-1.1.8.orig/debian/source.lintian-overrides +++ pam-1.1.8/debian/source.lintian-overrides @@ -0,0 +1,3 @@ +pam source: quilt-build-dep-but-no-series-file +pam source: build-depends-on-1-revision build-depends: quilt (>= 0.48-1) + --- pam-1.1.8.orig/debian/update-motd.5 +++ pam-1.1.8/debian/update-motd.5 
@@ -0,0 +1,67 @@ +.TH update-motd 5 "13 April 2010" "update-motd" + +.SH NAME +update-motd \- dynamic MOTD generation + +.SH SYNOPSIS +.B /etc/update-motd.d/* + +.SH DESCRIPTION +UNIX/Linux system adminstrators often communicate important information to console and remote users by maintaining text in the file \fI/etc/motd\fP, which is displayed by the \fBpam_motd\fP(8) module on interactive shell logins. + +Traditionally, this file is static text, typically installed by the distribution and only updated on release upgrades, or overwritten by the local administrator with pertinent information. + +Ubuntu introduced the \fBupdate-motd\fP framework, by which the \fBmotd\fP(5) is dynamically assembled from a collection of scripts at login. + +Executable scripts in \fI/etc/update-motd.d/*\fP are executed by \fBpam_motd\fP(8) as the root user at each login, and this information is concatenated in \fI/var/run/motd\fP. The order of script execution is determined by the \fBrun-parts\fP(8) --lsbsysinit option (basically alphabetical order, with a few caveats). + +On Ubuntu systems, \fI/etc/motd\fP is typically a symbolic link to \fI/var/run/motd\fP. + +.SH BEST PRACTICES +MOTD fragments must be scripts in \fI/etc/update-motd.d\fP, must be executable, and must emit information on standard out. + +Scripts should be named named NN-xxxxxx where NN is a two digit number indicating their position in the MOTD, and xxxxxx is an appropriate name for the script. + +Scripts must not have filename extensions, per \fBrun-parts\fP(8) --lsbsysinit instructions. + +Packages should add scripts directly into \fI/etc/update-motd.d\fP, rather than symlinks to other scripts, such that administrators can modify or remove these scripts and upgrades will not wipe the local changes. Consider using a simple shell script that simply calls \fBexec\fP on the external utility. 
+ +Long running operations (such as network calls) or resource intensive scripts should cache output, and only update that output if it is deemed expired. For instance: + + /etc/update-motd.d/50-news + #!/bin/sh + out=/var/run/foo + script="w3m -dump http://news.google.com/" + if [ -f "$out" ]; then + # Output exists, print it + echo + cat "$out" + # See if it's expired, and background update + lastrun=$(stat -c %Y "$out") || lastrun=0 + expiration=$(expr $lastrun + 86400) + if [ $(date +%s) -ge $expiration ]; then + $script > "$out" & + fi + else + # No cache at all, so update in the background + $script > "$out" & + fi + +Scripts should emit a blank line before output, and end with a newline character. For instance: + + /etc/update-motd/05-lsb-release + #!/bin/sh + echo + lsb-release -a + +.SH FILES +\fI/etc/motd\fP, \fI/var/run/motd\fP, \fI/etc/update-motd.d\fP + + +.SH SEE ALSO +\fBmotd\fP(5), \fBpam_motd\fP(8), \fBrun-parts\fP(8) + +.SH AUTHOR +This manpage and the update-motd framework was written by Dustin Kirkland for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3 published by the Free Software Foundation. + +On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL. --- pam-1.1.8.orig/debian/watch +++ pam-1.1.8/debian/watch @@ -0,0 +1,3 @@ +version=3 +opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz +
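Review bot: in debian/po/vi.po the libpam0g.templates:2001 entry is marked "#, fuzzy" and its msgstr still names kdm, wdm and xdm while the msgid now names only wdm and xdm. Update the translation to match the msgid and drop the fuzzy flag; fuzzy entries are normally skipped when the templates are built, so as submitted this string falls back to English. The libpam0g.templates:4001 and libpam-runtime.templates:1001 entries have empty msgstr, and the three "#~" obsolete entries at the end of the file (starting with "Your system allowed access without a password!") can be dropped if that template is not coming back.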
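Review bot: in debian/po/zh_CN.po the header has an empty "Language: \n" field, which should carry the language code as vi.po does with "Language: vi\n". The fuzzy libpam0g.templates:2001 msgstr still lists kdm alongside wdm and xdm and misspells libpam as "lipam", and the final libpam-modules.templates:1001 msgstr says "libpam-module" where the msgid says "libpam-modules". Every libpam-runtime.templates entry is untranslated, including the 5001 error that explains why selecting no PAM profile is refused; that one is worth translating first, since it is the message a user sees when a selection would leave the system without authentication.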
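Review bot: in debian/rules, override_dh_fixperms guards on "$(findstring libpam-modules, $(shell dh_listpackages))" but the chgrp and chmod lines act on $(d)/libpam-modules-bin. findstring is a substring match, so the condition fires for either package name, and a build that produces libpam-modules without libpam-modules-bin would fail on the missing path. Test for the package whose files are changed, for example "$(filter libpam-modules-bin,$(shell dh_listpackages))". This is the place where unix_chkpwd and pam_extrausers_chkpwd get group shadow and mode 02755 instead of upstream's setuid bit, so the guard should be exact. Separately, the hurd conditional at the top checks DEB_BUILD_ARCH_OS; the extra -lpthread depends on the system the binaries are built for, so DEB_HOST_ARCH_OS is the variable to test.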
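Review bot: in debian/update-motd.5 the 50-news example under BEST PRACTICES runs "w3m -dump http://news.google.com/" from a script that, per the DESCRIPTION section, pam_motd executes as root at each login, and it writes the result straight into /var/run/foo with "$script > "$out" &". A manpage example gets copied, so it should not model a root-run fetch of remote content over plain http: have the example drop to an unprivileged user for the fetch (or read a local source), use https, and write to a temporary file in the same directory and rename it into place so a concurrent login never cats a half-written cache. Smaller fixes in the same file: "adminstrators" should be "administrators", "named named" is doubled, the second example's path "/etc/update-motd/05-lsb-release" is missing the ".d", and the command in it is lsb_release, not "lsb-release".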
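Review bot: debian/watch fetches the upstream tarball over plain ftp with only "opts=pasv", so uscan has nothing to authenticate the download against. If upstream publishes detached signatures, add a pgpsigurlmangle option and ship the upstream signing key in the source package; failing that, point the watch line at an https location.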