Relevant BUGIDs:

Purpose of commit: new feature

Commit summary:
---------------

2006-06-04  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_nologin/Makefile.am: Include Make.xml.rules.
        * modules/pam_nologin/pam_nologin.8.xml: New.
        * modules/pam_nologin/pam_nologin.8: Regenerated from xml file.
        * modules/pam_nologin/README.xml: New.
        * modules/pam_nologin/README: Regenerated from xml file.

7 files changed, 354 insertions, 90 deletions

diff --git a/ChangeLog b/ChangeLog
index 3c93fa45..d3d05f77 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2006-06-04  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* modules/pam_nologin/Makefile.am: Include Make.xml.rules.
+	* modules/pam_nologin/pam_nologin.8.xml: New.
+	* modules/pam_nologin/pam_nologin.8: Regenerated from xml file.
+	* modules/pam_nologin/README.xml: New.
+	* modules/pam_nologin/README: Regenerated from xml file.
+
 2006-06-03  Thorsten Kukuk  <kukuk@thkukuk.de>
 
 	* modules/pam_motd/Makefile.am: Include Make.xml.rules.
diff --git a/NEWS b/NEWS
index fe45b04f..da5f8a75 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,7 @@ Linux-PAM NEWS -- history of user-visible changes.
 * Fixed all problems found by Coverity
 * Add manual page for pam_mkhomedir, pam_umask, pam_filter,
   pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
-  pam_localuser, pam_mail, pam_motd
+  pam_localuser, pam_mail, pam_motd, pam_nologin
 
 Release 0.99.4.0
 
diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am
index f65fb5e1..dc5fe58f 100644
--- a/modules/pam_nologin/Makefile.am
+++ b/modules/pam_nologin/Makefile.am
@@ -4,11 +4,12 @@
 
 CLEANFILES = *~
 
-EXTRA_DIST = README $(MANS) tst-pam_nologin
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin
 
 TESTS = tst-pam_nologin
 
 man_MANS = pam_nologin.8
+XMLS = README.xml pam_nologin.8.xml
 
 securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
@@ -21,3 +22,10 @@ if HAVE_VERSIONING
 endif
 
 securelib_LTLIBRARIES = pam_nologin.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_nologin.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
diff --git a/modules/pam_nologin/README b/modules/pam_nologin/README
index 11dc7635..3ffa591d 100644
--- a/modules/pam_nologin/README
+++ b/modules/pam_nologin/README
@@ -1,23 +1,41 @@
-# $Id$
-#
+pam_nologin — Prevent non-root users from login
 
-This module always lets root in; it lets other users in only if the file
-/etc/nologin doesn't exist.  In any case, if /etc/nologin exists, it's
-contents are displayed to the user.
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
-The default return value for this module is PAM_IGNORE, you can
-override this with the successok module argument.
+DESCRIPTION
 
-module services provided:
+pam_nologin is a PAM module that prevents users from logging into the system
+when /etc/nologin exists. The contents of the /etc/nologin file are displayed
+to the user. The pam_nologin module has no effect on the root user's ability to
+log in.
 
-	auth		_authenticate and _setcred
-	account		_acct_mgmt
+OPTIONS
 
-optional arguments:
+file=/path/nologin
 
-	file=<alternative-nologin-pathname>  - choose a different file
-	successok                            - return PAM_SUCCESS if no file
+    Use this file instead the default /etc/nologin.
 
-[Original README by Michael K. Johnson]
+successok
 
+    Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
+
+EXAMPLES
+
+The suggested usage for /etc/pam.d/login is:
+
+auth  required  pam_nologin.so
+
+
+NOTES
+
+In order to make this module effective, all login methods should be secured by
+it. It should be used as a required method listed before any sufficient methods
+in order to get standard Unix nologin semantics. Note, the use of successok
+module argument causes the module to return PAM_SUCCESS and as such would break
+such a configuration - failing sufficient modules would lead to a successful
+login because the nologin module succeeded.
+
+AUTHOR
+
+pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.
 
diff --git a/modules/pam_nologin/README.xml b/modules/pam_nologin/README.xml
new file mode 100644
index 00000000..bc0808e7
--- /dev/null
+++ b/modules/pam_nologin/README.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_nologin.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_nologin.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_nologin-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-note"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/>
+  </section>
+
+</article>
diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8
index e68a6a15..5e502266 100644
--- a/modules/pam_nologin/pam_nologin.8
+++ b/modules/pam_nologin/pam_nologin.8
@@ -1,86 +1,96 @@
-.\" Copyright (C) 2003 International Business Machines Corp.
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.\" 
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "PAM_NOLOGIN" 8 "2003-03-21" "Linux 2.4" "System Administrator's Manual"
-.SH NAME
-pam_nologin \- Disables login for all except root when 
-\fI/etc/nologin\fR exists
-.SH "SYNOPSIS"
+.\"     Title: pam_nologin
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/04/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_NOLOGIN" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
 .ad l
-.hy 0
-
-/lib/security/pam_nologin
-.sp
-.ad
-.hy
-
+.SH "NAME"
+pam_nologin \- Prevent non\-root users from login
+.SH "SYNOPSIS"
+.HP 15
+\fBpam_nologin.so\fR [file=\fI/path/nologin\fR] [successok]
 .SH "DESCRIPTION"
-
 .PP
-\fBpam_nologin\fR is a PAM module that prevents users from logging 
-into the system when \fI/etc/nologin\fR exists. 
-The contents of the \fI/etc/nologin\fR file are displayed to the user. 
-The \fBpam_nologin\fR module has no effect on the root user's ability to log in.
-
+pam_nologin is a PAM module that prevents users from logging into the system when
+\fI/etc/nologin\fR
+exists. The contents of the
+\fI/etc/nologin\fR
+file are displayed to the user. The pam_nologin module has no effect on the root user's ability to log in.
 .SH "OPTIONS"
-
-.PP
-\fBpam_login\fR has no options.
-
+.TP 3n
+\fBfile=\fR\fB\fI/path/nologin\fR\fR
+Use this file instead the default
+\fI/etc/nologin\fR.
+.TP 3n
+\fBsuccessok\fR
+Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
 .SH "MODULE SERVICES PROVIDED"
-
-.TP
-auth
-_authentication and _setcred (blank)
-
-.SH "RETURN CODES"
 .PP
-\fBpam_nologin\fR has the following return codes:
-.TP
+The
+\fBauth\fR
+and
+\fBacct\fR
+services are supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+The user is not root and
+\fI/etc/nologin\fR
+exists, so the user is not permitted to log in.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_IGNORE
+This is the default return value.
+.TP 3n
 PAM_SUCCESS
-Success: either the user is root or the \fI/etc/nologin\fR file does not exist.
-
-.TP
-PAM_SERVICE_ERR
-The module was unable to get the user name.
-
-.TP
+Success: either the user is root or the
+\fI/etc/nologin\fR
+file does not exist.
+.TP 3n
 PAM_USER_UNKNOWN
-The module cannot get the UID associated with this user.
-
-.TP
-PAM_AUTH_ERR
-The user is not root and \fI/etc/nologin\fR exists, so the user is 
-not permitted to log in.
-
-.SH "HISTORY"
-
+User not known to the underlying authentication module.
+.SH "EXAMPLES"
 .PP
-\fBpam_nologin\fR was written by Michael K. Johnson.
-
+The suggested usage for
+\fI/etc/pam.d/login\fR
+is:
+.sp
+.RS 3n
+.nf
+auth  required  pam_nologin.so
+      
+.fi
+.RE
+.sp
+.SH "NOTES"
+.PP
+In order to make this module effective, all login methods should be secured by it. It should be used as a
+\fIrequired\fR
+method listed before any
+\fIsufficient\fR
+methods in order to get standard Unix nologin semantics. Note, the use of
+\fBsuccessok\fR
+module argument causes the module to return
+\fIPAM_SUCCESS\fR
+and as such would break such a configuration \- failing
+\fIsufficient\fR
+modules would lead to a successful login because the nologin module
+\fIsucceeded\fR.
 .SH "SEE ALSO"
-
 .PP
-\fBpam.conf\fR(8), \fBpam.d\fR(8), \fBpam\fR(8), \fBnologin\fR(8).
 
-.SH AUTHOR
-Emily Ratliff.
+\fBnologin\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.
diff --git a/modules/pam_nologin/pam_nologin.8.xml b/modules/pam_nologin/pam_nologin.8.xml
new file mode 100644
index 00000000..9710df9d
--- /dev/null
+++ b/modules/pam_nologin/pam_nologin.8.xml
@@ -0,0 +1,174 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_nologin">
+
+  <refmeta>
+    <refentrytitle>pam_nologin</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_nologin-name">
+    <refname>pam_nologin</refname>
+    <refpurpose>Prevent non-root users from login</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_nologin-cmdsynopsis">
+      <command>pam_nologin.so</command>
+      <arg choice="opt">
+        file=<replaceable>/path/nologin</replaceable>
+      </arg>
+      <arg choice="opt">
+        successok
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_nologin-description">
+
+    <title>DESCRIPTION</title>
+
+    <para>
+      pam_nologin is a PAM module that prevents users from logging into
+      the system when <filename>/etc/nologin</filename> exists. The contents
+      of the <filename>/etc/nologin</filename> file are displayed to the
+      user. The pam_nologin module has no effect on the root user's ability
+      to log in.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_nologin-options">
+
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>file=<replaceable>/path/nologin</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Use this file instead the default
+            <filename>/etc/nologin</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>successok</option>
+        </term>
+        <listitem>
+          <para>
+            Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_nologin-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      The <option>auth</option> and <option>acct</option> services are
+      supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_nologin-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            The user is not root and <filename>/etc/nologin</filename>
+            exists, so the user is not permitted to log in.
+          </para>
+        </listitem>
+      </varlistentry>
+     <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+          <para>Memory buffer error.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+          <para>
+            This is the default return value.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>
+            Success:  either  the user is root or the
+            <filename>/etc/nologin</filename> file does not exist.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User not known to the underlying authentication module.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_nologin-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      The suggested usage for <filename>/etc/pam.d/login</filename> is:
+      <programlisting>
+auth  required  pam_nologin.so
+      </programlisting>
+    </para>
+  </refsect1>
+  <refsect1 id='pam_nologin-note'>
+    <title>NOTES</title>
+    <para>
+      In order to make this module effective, all login methods should be
+      secured by it. It should be used as a <emphasis>required</emphasis>
+      method listed before any <emphasis>sufficient</emphasis> methods in
+      order to get standard Unix nologin semantics. Note, the use of
+      <option>successok</option> module argument causes the module to
+      return <emphasis>PAM_SUCCESS</emphasis> and as such would break
+      such a configuration - failing <emphasis>sufficient</emphasis> modules
+      would lead to a successful login because the nologin module
+      <emphasis>succeeded</emphasis>.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_nologin-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+	<refentrytitle>nologin</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_nologin-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_nologin was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;.
+      </para>
+  </refsect1>
+
+</refentry>