New upstream version 0.99.10.0

294 files changed, 12964 insertions, 6003 deletions

diff --git a/Linux-PAM/ChangeLog b/Linux-PAM/ChangeLog
index ebef2ce3..fa01eac7 100644
--- a/Linux-PAM/ChangeLog
+++ b/Linux-PAM/ChangeLog
@@ -1,3 +1,496 @@
+2008-02-13  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* release version 0.99.10.0
+
+	* configure.in: set version number.
+
+	* modules/pam_rhosts/Makefile.am: Remove pam_rhosts_auth.
+	* modules/pam_rhosts/pam_rhosts_auth.c: Removed.
+	* modules/pam_rhosts/tst-pam_rhosts_auth: Removed.
+
+	* modules/pam_namespace/Makefile.am (noinst_HEADERS): Add
+	pam_namespace.h.
+
+2008-02-13  Tomas Mraz  <t8m@centrum.cz>
+
+	* modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d
+	dir.
+	* modules/pam_namespace/argv_parse.c: New file.
+	* modules/pam_namespace/argv_parse.h: New file.
+	* modules/pam_namespace/namespace.conf.5.xml: Document new features.
+	* modules/pam_namespace/pam_namespace.8.xml: Likewise.
+	* modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define.
+	Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags
+	and polydir flags.
+	(polydir_s): Add rdir, replace exclusive with flags, add init_script,
+	owner, group, and mode.
+	(instance_data): Add ruser, gid, and ruid.
+	* modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent().
+	(add_polydir_entry): Add the entry directly, no copy.
+	(del_polydir): New function.
+	(del_polydir_list): Call del_polydir().
+	(expand_variables, parse_create_params, parse_iscript_params,
+	parse_method): New functions.
+	(process_line): Call expand_variables() on polydir and instance prefix.
+	Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap.
+	(parse_config_file): Parse .conf files from namespace.d dir after
+	namespace.conf.
+	(form_context): Call getcon() or get_default_context_with_level() when
+	appropriate flags are set.
+	(poly_name): Handle shared polydir flag.
+	(inst_init): Execute non-default init script when specified.
+	(create_polydir): New function.
+	(create_dirs): Remove the code which checks the polydir. Do not call
+	inst_init() when noinit flag is set.
+	(ns_setup): Check the polydir and eventually create it if the create flag
+	is set.
+	(setup_namespace): Use ruser uid from idata. Set the namespace polydir
+	pam data only when namespace was set up correctly. Unmount polydir
+	based on ruser.
+	(get_user_data): New function.
+	(pam_sm_open_session): Check for use_current_context and
+	use_default_context options. Call get_user_data().
+	(pam_sm_close_session): Call get_user_data().
+
+2008-02-06  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* po/de.po: Translate some more strings.
+
+2008-02-05  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* modules/pam_unix/unix_update.c: Remove unused declarations.
+
+2008-02-04  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* libpam/pam_static_modules.h: Add _pam_sepermit_modstruct.
+	* modules/pam_sepermit/pam_sepermit.c: Fix typo.
+	* modules/pam_sepermit/Makefile.am: Install config file only
+	if we build the module.
+
+	* README: Add --disable-pie to configure options for static library.
+
+	* doc/man/Makefile.am: Fix building outside of src directory.
+
+	* libpam/Makefile.am: Bump version number of libpam.
+
+	* modules/Makefile.am: Add pam_sepermit.
+
+	* doc/Makefile.am: Fix build out of source directory.
+
+	* po/POTFILES.in: Add pam_sepermit.c.
+
+	* modules/pam_exec/pam_exec.c: Set PAM environment variables and
+	add 'quiet' option.
+	* modules/pam_exec/pam_exec.8.xml: Document new behavior.
+	Patch from Julien Lecomte <julien@lecomte.at>.
+
+2008-02-01  Tomas Mraz  <t8m@centrum.cz>
+
+	* modules/pam_namespace/namespace.conf.5.xml: Add documentation for
+	tmpfs and tmpdir polyinst and for ~ user list modifier.
+	* modules/pam_namespace/namespace.init: Add documentation for the
+	new init parameter. Add home directory initialization script.
+	* modules/pam_namespace/pam_namespace.8.xml: Document the new
+	init parameter of the namespace.init script.
+	* modules/pam_namespace/pam_namespace.c(copy_ent): Copy exclusive flag.
+	(cleanup_data): New function.
+	(process_line): Set exclusive flag. Add tmpfs and tmpdir methods.
+	(ns_override): Change behavior on the exclusive flag.
+	(poly_name): Process tmpfs and tmpdir methods.
+	(inst_init): Add flag for new directory initialization.
+	(create_dirs): Process the tmpdir method, add the new directory
+	flag.
+	(ns_setup): Remove unused code. Process the tmpfs method.
+	(cleanup_tmpdirs): New function.
+	(setup_namespace): Set data for proper cleanup. Cleanup the tmpdirs
+	on failures.
+	(pam_sm_close_session): Instead of parsing the config file again use
+	the previously set data for cleanup.
+	* modules/pam_namespace/pam_namespace.h: Add TMPFS and TMPDIR methods
+	and exclusive flag.
+
+2008-01-29  Tomas Mraz  <t8m@centrum.cz>
+
+	* configure.in: Test for setkeycreatecon needs libselinux.
+	Add new module pam_sepermit.
+	* modules/Makefile.am: Add new module pam_sepermit.
+	* modules/pam_sepermit/.cvsignore: New file.
+	* modules/pam_sepermit/Makefile.am: Likewise.
+	* modules/pam_sepermit/README.xml: Likewise.
+	* modules/pam_sepermit/pam_sepermit.8.xml: Likewise.
+	* modules/pam_sepermit/pam_sepermit.c: Likewise.
+	* modules/pam_sepermit/sepermit.conf: Likewise.
+	* modules/pam_sepermit/tst-pam_sepermit: Likewise.
+	* doc/sag/pam_sepermit.xml: Likewise.
+
+	* doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG.
+
+2008-01-29  Miloslav Trmac  <mitr@redhat.com>
+
+	* modules/pam_tty_audit/README.xml: Add notes section.
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns
+	support and open_only option. Add notes.
+	* modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add
+	support for pattern matching and the open_only option.
+
+2008-01-28  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* libpam/pam_audit.c: Include pam_modutil_private.h.
+
+	* libpam/pam_item.c (pam_set_item): Fix compiler warning.
+
+	* libpam/pam_end.c (pam_end): Cast to correct pointer type.
+	* libpam/include/security/_pam_macros.h (_pam_overwrite_n): Use
+	unsigned int.
+
+	* modules/pam_unix/passverify.c: Fix compiling without SELinux
+	support.
+
+2008-01-24  Tomas Mraz  <t8m@centrum.cz>
+
+	* modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when
+	available.
+	* modules/pam_unix/passverify.c (strip_hpux_aging): New function
+	to strip HP/UX aging info from password hash.
+	(verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when
+	available.
+
+2008-01-23  Tomas Mraz  <t8m@centrum.cz>
+
+	* configure.in: Add test for crypt_r(). Add setting/disabling random
+	device support.
+
+	* modules/pam_unix/Makefile.am: Add unix_update.8 manpage generated from
+	XML, generate also unix_chkpwd.8 from XML.
+	* modules/pam_unix/pam_unix_acct.c: Add rounds parameter to _set_ctrl().
+	* modules/pam_unix/pam_unix_auth.c: Likewise.
+	* modules/pam_unix/pam_unix_sess.c: Likewise.
+	* modules/pam_unix/pam_unix_passwd.c: Likewise.
+	* modules/pam_unix/support.c(_set_ctrl): Likewise.
+	* modules/pam_unix/support.h: Likewise. Add UNIX_SHA256_PASS,
+	UNIX_SHA512_PASS, and UNIX_ALGO_ROUNDS ctrls.
+	(pam_sm_chauthtok): Refactor out new password encryption.
+	* modules/pam_unix/passverify.c(crypt_make_salt): New function.
+	(crypt_md5_wrapper): Call crypt_make_salt().
+	(create_password_hash): New function refactored out of
+	pam_sm_chauthtok(). Support for new password hashes.
+	* modules/pam_unix/passverify.h: Drop ascii_to_bin() and bin_to_ascii()
+	macros. Add prototype for create_password_hash().
+	* modules/pam_unix/unix_update.8.xml: New file.
+	* modules/pam_unix/unix_chkpwd.8.xml: Likewise.
+
+	* modules/pam_unix/Makefile.am: Add unix_update helper.
+	* modules/pam_unix/pam_unix_passwd.c: Move functions i64c(),
+	crypt_md5_wrapper(), save_old_password(), _update_passwd() and
+	_update_shadow() to passverify.c file. Rename _unix_run_shadow_binary()
+	to _unix_run_update_binary(), which also verifies old password and
+	does all writing.
+	(_do_setpass, pam_sm_chauthtok): lckpwdf()->lock_pwdf(), the same for unlock.
+	Call _unix_run_update_binary() appropriately.
+	_update_passwd()->unix_update_passwd(), the same for shadow.
+	* modules/pam_unix/passverify.c: Add new functions moved from
+	pam_unix_passwd.c and unix_chkpwd.c.
+	* modules/pam_unix/passverify.h: Likewise.
+	* modules/pam_unix/unix_chkpwd.c: Remove SELinux checks. Move
+	su_sighandler(), setup_signals(), getuidname() to passverify.c.
+	(main): Remove 'shadow' option. Refactor out read_passwords() and
+	call it. More strict checking how the binary is called.
+	* modules/pam_unix/unix_update.c: New helper binary - non-setuid,
+	called from SELinux confined apps only.
+
+	* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Return
+	status and daysleft instead of fake shadow entry.
+	(pam_sm_acct_mgmt): Call _unix_run_verify_binary() appropriately.
+	* modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Call
+	get_account_info() and check_shadow_expiry().
+	* modules/pam_unix/support.h: Adjust _unix_run_verify_binary()
+	prototype.
+	* modules/pam_unix/support.c (_unix_run_helper_binary): Remove check
+	on selinux enabled/disabled.
+	* modules/pam_unix/unix_chkpwd.c (_verify_account): Rename to
+	_check_expiry(), now checks shadow expiry info.
+	(main): Remove check on selinux enabled/disabled. Check shadow
+	expiry through _check_expiry().
+
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Call
+	get_account_info() and check_shadow_expiry().
+	* modules/pam_unix/passverify.c: Add get_account_info() to
+	obtain shadow and passwd entry. Add check_shadow_expiry() to
+	for shadow password expiry check.
+	(get_pwd_hash): Call get_account_info().
+	* modules/pam_unix/passverify.h: Add prototypes for get_account_info()
+	and check_shadow_expiry().
+
+2008-01-08  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* doc/man/Makefile.am: Fix manual page dependencies,
+	add hack for bug in xsl stylestheets.
+
+2008-01-07  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* po/it.po: Fix typos.
+	* po/de.po: Few new translations.
+	* po/POTFILES.in: Add pam_tty_audit.c and passverify.c.
+	* doc/man/pam_xauth_data.3.xml: Added to CVS.
+	* doc/man/pam_xauth_data.3: Likewise.
+	* modules/pam_tty_audit/README: Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.8: Likewise.
+	* po/sv.po: Update swedish translation [#1857531].
+	* modules/pam_succeed_if/pam_succeed_if.8.xml: Fix
+	cut & paste error [#1863490].
+
+2008-01-02  Petteri Räty  <betelgeuse@gentoo.org>
+	* modules/pam_limits/limits.conf: document allowed values for
+	nice.
+	* modules/pam_limits/limits.conf.5.xml: Likewise.
+
+2007-12-18  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* README: Document how to run make check with static modules
+	(SF#1822779).
+
+2007-12-18  Peter Breitenlohner  <peb@mppmu.mpg.de>
+	* README: Document that "make check" requires a file
+	/etc/pam.d/other (SF#1822764).
+
+2007-12-12  Eamon Walsh  <ewalsh@tycho.nsa.gov>
+
+	* doc/man/pam_item_types_ext.inc.xml: More appropriate wording
+	for PAM_XDISPLAY doc.
+
+2007-12-07  Tomas Mraz  <t8m@centrum.cz>
+
+	* po/cs.po: Updated translations.
+
+	* libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version.
+	* libpam/pam_audit.c: Add _pam_audit_open() and
+	pam_modutil_audit_write().
+	(_pam_auditlog): Call _pam_audit_open().
+	* libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write().
+	* modules/pam_access/pam_access.8.xml: Add noaudit option.
+	Document auditing.
+	* modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and
+	only_new_group_syntax variables to struct login_info. Add noaudit
+	member.
+	(_parse_args): Adjust for the move of variables and add support for
+	noaudit option.
+	(group_match): Add debug parameter.
+	(string_match): Likewise.
+	(network_netmask_match): Likewise.
+	(login_access): Adjust for the move of variables. Add nonall_match.
+	Add call to pam_modutil_audit_write().
+	(list_match): Adjust for the move of variables.
+	(user_match): Likewise.
+	(from_match): Likewise.
+	(pam_sm_authenticate): Call _parse_args() earlier.
+	* modules/pam_limits/pam_limits.8.xml: Add noaudit option.
+	Document auditing.
+	* modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option.
+	(setup_limits): Call pam_modutil_audit_write().
+	* modules/pam_time/pam_time.8.xml: Add debug and noaudit options.
+	Document auditing.
+	* modules/pam_time/pam_time.c: Add option parsing (_pam_parse()).
+	(check_account): Call _pam_parse(). Call pam_modutil_audit_write()
+	and pam_syslog() on login denials.
+
+2007-12-07  Luca Bruno  <luca.br@uno.it>
+
+	* po/it.po: Updated translations.
+
+2007-12-06  Eamon Walsh  <ewalsh@tycho.nsa.gov>
+
+	* libpam/include/security/_pam_macros.h: Add _pam_overwrite_n()
+	macro.
+	* libpam/include/security/_pam_types.h: Add PAM_XDISPLAY,
+	PAM_XAUTHDATA items, pam_xauth_data struct.
+	* libpam/pam_item.c (pam_set_item, pam_get_item): Handle
+	PAM_XDISPLAY and PAM_XAUTHDATA items.
+	* libpam/pam_end.c (pam_end): Destroy the new items.
+	* libpam/pam_private.h (pam_handle): Add data members for new
+	items. Add prototype for _pam_memdup.
+	* libpam/pam_misc.c: Add _pam_memdup.
+	* doc/man/Makefile.am: Add pam_xauth_data.3. Replace
+	pam_item_types.inc.xml with pam_item_types_std.inc.xml and
+	pam_item_types_ext.inc.xml.
+	* doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml
+	with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml.
+	* doc/man/pam_set_item.3.xml: Likewise.
+	* doc/man/pam_item_types.inc.xml: Removed file.
+	* doc/man/pam_item_types_ext.inc.xml: New file.
+	* doc/man/pam_item_types_std.inc.xml: New file.
+
+2007-12-06  Tomas Mraz  <t8m@centrum.cz>
+
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example.
+
+2007-12-05  Miloslav Trmac  <mitr@redhat.com>
+
+	* configure.in: Add test for audit_tty_status struct. Add
+	pam_tty_audit module.
+	* libpam/pam_static_modules.h: Add pam_tty_audit module.
+	* modules/pam_tty_audit/Makefile.am: New file.
+	* modules/pam_tty_audit/README.xml: Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
+
+2007-12-05  Tomas Mraz  <t8m@centrum.cz>
+
+	* modules/pam_unix/Makefile.am: Add passverify.h and passverify.c
+	as first part of pam_unix refactorization.
+	* modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h.
+	* modules/pam_unix/pam_unix_passwd.c: Likewise.
+	* modules/pam_unix/passverify.c: New file with common functions.
+	* modules/pam_unix/passverify.h: Prototypes for the common functions.
+	* modules/pam_unix/support.c: Include passverify.h, move
+	_unix_shadowed() to passverify.c.
+	(_unix_verify_password): Refactor out verify_pwd_hash() function.
+	* modules/pam_unix/support.h: Move _unix_shadowed() prototype to
+	passverify.h
+	* modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and
+	verify_pwd_hash() from passverify.c.
+
+2007-11-20  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* modules/pam_unix/Makefile.am (unix_chkpwd_LDADD): Don't link
+	unix_chkpwd unnecessary against libpam (#1822779).
+
+	* modules/pam_tally/pam_tally.c (tally_log): Map
+	pam_modutil_getpwnam to getpwnam if we don't compile
+	as module.
+	* modules/pam_tally/Makefile.am: Don't link pam_tally_app
+	against libpam (#1822779).
+
+2007-11-06  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* xtests/tst-pam_group1.c: Include stdlib.h
+	* xtests/tst-pam_succeed_if1.c: Likewise.
+	* xtests/tst-pam_limits1.c: Likewise.
+	* xtests/tst-pam_access1.c: Likewise.
+	* xtests/tst-pam_access2.c: Likewise.
+	* xtests/tst-pam_access3.c: Likewise.
+	* xtests/tst-pam_access4.c: Likewise.
+	* xtests/tst-pam_unix1.c: Likewise.
+	* xtests/tst-pam_unix2.c: Likewise.
+	* xtests/tst-pam_unix3.c: Likewise.
+	* xtests/tst-pam_cracklib1.c: Likewise.
+	* xtests/tst-pam_cracklib2.c: Likewise.
+
+	* libpam/pam_static_modules.h: Fix name of pam_namespace variable.
+
+2007-11-01  Peter Breitenlohner <peb@mppmu.mpg.de>
+
+	* doc/man/pam_conv.3.xml: Correct typo.
+
+2007-10-30  Peter Breitenlohner <peb@mppmu.mpg.de>
+
+	* modules/pam_rhosts/pam_rhosts_auth.c (__icheckhost): Correct
+	misplaced parenthesis.
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Prevent use of
+	dngettext() when NLS is disabled.
+	* modules/pam_exec/pam_exec.c (call_exec): Avoid gcc warning.
+	* doc/specs/parse_y.y (set_label, new_counter): Break trigraphs to
+	avoid gcc warning.
+	* modules/pam_wheel/pam_wheel.c: Remove excessive initializer
+	elements.
+
+	* modules/pam_cracklib/pam_cracklib.8.xml: Correct typo.
+	* modules/pam_limits/limits.conf.5.xml: Likewise.
+	* modules/pam_listfile/pam_listfile.8.xml: Likewise.
+	* modules/pam_xauth/pam_xauth.8.xml: Likewise.
+
+	* modules/pam_deny/pam_deny.8.xml: Correct spelling.
+	* modules/pam_group/pam_group.8.xml: Likewise.
+	* modules/pam_permit/pam_permit.8.xml: Likewise.
+	* modules/pam_shells/pam_shells.8.xml: Likewise.
+	* modules/pam_time/pam_time.8.xml: Likewise.
+	* modules/pam_warn/pam_warn.8.xml: Likewise.
+
+	* tests/tst-dlopen.c: Return 77 in case of static modules, such that
+	all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL.
+	* libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead
+	of "`ls ...`", to allow for static modules.
+	* libpam/pam_static_modules.h: Make pam_keyinit module depend on
+	HAVE_KEY_MANAGEMENT; correct name of pam_faildelay pam_module struct.
+	* modules/pam_faildelay/pam_faildelay.c: Correct name of pam_module
+	struct.
+
+2007-10-25  Steve Langasek  <vorlon@debian.org>
+
+	* modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT
+	to be octal instead of decimal, so that it works properly in a
+	bit field instead of forcing the "even_deny_root_account" and
+	"no_reset" options to on.
+	Patch from Corey Wright <undefined@pobox.com>.
+
+2007-10-19  Tomas Mraz  <t8m@centrum.cz>
+
+	* xtests/tst-pam_access1.c: Use different name for user and group.
+	* xtests/tst-pam_access1.sh: Likewise.
+	* xtests/tst-pam_access2.c: Likewise.
+	* xtests/tst-pam_access2.sh: Likewise.
+	* xtests/tst-pam_access4.c: Likewise.
+	* xtests/tst-pam_access4.sh: Likewise.
+	* xtests/group.conf: Likewise.
+	* xtests/tst-pam_group1.c: Likewise.
+	* xtests/tst-pam_group1.sh: Likewise.
+
+	* libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks,
+	record substack level, skip over virtual substack modules, implement
+	evaluation of done, die, reset and jumps in substacks. Also fixes
+	too far jumps in substacks.
+	* libpam/pam_end.c (pam_end): Drop substack evaluation states.
+	* libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level
+	parameter, instead of must_fail use handler_type needed for virtual
+	substack modules.
+	(_pam_load_conf_file): Add substack level parameter.
+	(_pam_init_handlers): Substack level parameter added to
+	_pam_parse_conf_file() calls.
+	(_pam_load_module): New function.
+	(_pam_add_handler): Refactor code into the _pam_load_module(). Add
+	support for virtual substack modules.
+	* libpam/pam_private.h: Rename must_fail to handler_type, add stack_level
+	to struct handler. Define handler type constants. Add struct
+	for substack evaluation states. Define constant for maximum
+	substack level. Add substack states pointer to former state struct.
+	* libpam/pam_start.c (pam_start): Initialize pointer to substack states.
+	* doc/man/pam.conf-syntax.xml: Document substack control.
+	* xtests/Makefile.am: Add new tests for substack evaluation.
+	* xtests/run_xtests.sh: Support multiple .pamd files in a test.
+	* xtests/tst-pam_authfail.pamd: New tests for substack evaluation.
+	* xtests/tst-pam_authsucceed.pamd: Likewise.
+	* xtests/tst-pam_substack1.pamd: Likewise.
+	* xtests/tst-pam_substack1a.pamd: Likewise.
+	* xtests/tst-pam_substack1.sh: Likewise.
+	* xtests/tst-pam_substack2.pamd: Likewise.
+	* xtests/tst-pam_substack2a.pamd: Likewise.
+	* xtests/tst-pam_substack2.sh: Likewise.
+	* xtests/tst-pam_substack3.pamd: Likewise.
+	* xtests/tst-pam_substack3a.pamd: Likewise.
+	* xtests/tst-pam_substack3.sh: Likewise.
+	* xtests/tst-pam_substack4.pamd: Likewise.
+	* xtests/tst-pam_substack4a.pamd: Likewise.
+	* xtests/tst-pam_substack4.sh: Likewise.
+	* xtests/tst-pam_substack5.pamd: Likewise.
+	* xtests/tst-pam_substack5a.pamd: Likewise.
+	* xtests/tst-pam_substack5.sh: Likewise.
+
+2007-10-18  Tomas Mraz  <t8m@centrum.cz>
+
+	* xtests/tst-pam_dispatch4.c: Fix comment about the test.
+	* xtests/tst-pam_dispatch4.pamd: Improve the testcase.
+	* xtests/tst-pam_cracklib2.c: Make the testcase more robust.
+
+2007-10-12  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	* xtests/Makefile.am: Add tst-pam_dispatch5 sources
+	* xtests/tst-pam_dispatch5.c: New test for jump too far.
+	* xtests/tst-pam_dispatch5.pamd: New test configuration.
+
+2007-10-09  Tomas Mraz  <t8m@centrum.cz>
+
+	* modules/pam_tally/pam_tally.8.xml: Document audit option
+	correctly.
+
 2007-10-09  Thorsten Kukuk  <kukuk@thkukuk.de>
 
 	* release version 0.99.9.0
diff --git a/Linux-PAM/NEWS b/Linux-PAM/NEWS
index 2b14fec9..4cceb634 100644
--- a/Linux-PAM/NEWS
+++ b/Linux-PAM/NEWS
@@ -1,16 +1,36 @@
 Linux-PAM NEWS -- history of user-visible changes.
 
+Release 0.99.10.0
+
+* New substack directive in config file syntax.
+* New module pam_tty_audit.so for enabling and disabling tty
+  auditing.
+* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
+* Auditing login denials based by origin (pam_access), time (pam_time),
+  and number of sessions (pam_limits) to the Linux audit subsystem.
+* Support sha256 and sha512 algorithms in pam_unix when they are supported
+  by crypt().
+* New pam_sepermit.so module for allowing/rejecting access based on
+  SELinux mode.
+* Improved functionality of pam_namespace.so module (method flags,
+  namespace.d configuration directory, new options).
+* Finaly removed deprecated pam_rhosts_auth module.
+
 
 Release 0.99.9.0
+
 * misc_conv no longer blocks SIGINT; applications that don't want
   user-interruptable prompts should block SIGINT themselves
 * Merge fixes from Debian
 * Fix parser for pam_group and pam_time
 
+
 Release 0.99.8.1
+
 * Fix a regression in audit code introduced with last release
 * Fix compiling with --disable-nls
 
+
 Release 0.99.8.0
 
 * Add translations for ar, ca, da, ru, sv and zu.
diff --git a/Linux-PAM/README b/Linux-PAM/README
index 364890db..81159140 100644
--- a/Linux-PAM/README
+++ b/Linux-PAM/README
@@ -15,7 +15,16 @@ To make sure everything was compiled correct, run:
 
       make check
 
-If a test failes, you should not continue to install this build.
+If a test fails, you should not continue to install this build.
+These tests require a suitable file /etc/pam.d/other; if necessary,
+create such a file containing, e.g., these five lines (not indented)
+
+	#%PAM-1.0
+	auth	 required	pam_deny.so
+	account	 required	pam_deny.so
+	password required	pam_deny.so
+	session	 required	pam_deny.so
+
 
 Note, if you are worried - don't even think about doing the next line
 (most Linux distributions already support PAM out of the box, so if
@@ -37,15 +46,20 @@ WARNING: Running "make xtests" can overwrite configuration data
 or make the system insecure/unfunctional for a short time!
 Backup all important data before!
 
+
 If you do not wish to make the modules dynamically loadable, but
 build a static libpam including all PAM modules, you have to call:
 
-      ./configure --enable-static-modules
+      ./configure --enable-static-modules --disable-pie
 
 In this case you cannot use pam_unix in the PAM config files instead you
 have to use pam_unix_acct, pam_unix_auth, pam_unix_passwd and
 pam_unix_session.
 
+To run the build checks with static modules, you need to run the
+following command: make -C test check && make check
+
+
 To regenerate manual pages from the XML source files you need the
 docbook-xsl stylesheets in version 1.69.1 or newer, older versions had
 a bug which generates a broken layout.
diff --git a/Linux-PAM/configure.in b/Linux-PAM/configure.in
index db00a62b..d22c0aa2 100644
--- a/Linux-PAM/configure.in
+++ b/Linux-PAM/configure.in
@@ -1,6 +1,6 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_INIT(conf/pam_conv1/pam_conv_y.y)
-AM_INIT_AUTOMAKE("Linux-PAM", 0.99.9.0)
+AM_INIT_AUTOMAKE("Linux-PAM", 0.99.10.0)
 AC_PREREQ([2.60])
 AM_CONFIG_HEADER(config.h)
 AC_CANONICAL_HOST
@@ -45,6 +45,13 @@ dnl Add security to include directory
 	then
 		includedir="${prefix}/include/security"
 	fi
+
+dnl Add /var directory
+        if test ${localstatedir} = '${prefix}/var'
+        then
+                localstatedir="/var"
+        fi
+
 fi
 
 dnl
@@ -331,21 +338,41 @@ AC_ARG_ENABLE([audit],
         WITH_LIBAUDIT=$enableval, WITH_LIBAUDIT=yes)
 if test x"$WITH_LIBAUDIT" != xno ; then
         AC_CHECK_HEADER([libaudit.h],
-              [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")]
+              [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")
+	       AC_CHECK_TYPE([struct audit_tty_status],
+		             [HAVE_AUDIT_TTY_STATUS=yes],
+			     [HAVE_AUDIT_TTY_STATUS=""],
+			     [#include <libaudit.h>])]
         )
         if test ! -z "$LIBAUDIT" -a "ac_cv_header_libaudit_h" != "no" ; then
-            AC_DEFINE([HAVE_LIBAUDIT], 1, [Defined if audit support should be compiled in])
+            AC_DEFINE([HAVE_LIBAUDIT], 1, [Define to 1 if audit support should be compiled in.])
+        fi
+        if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
+            AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
         fi
 else
 	LIBAUDIT=""
 fi
 AC_SUBST(LIBAUDIT)
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
+	       [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
 
 BACKUP_LIBS=$LIBS
 AC_SEARCH_LIBS([crypt],[xcrypt crypt], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_CHECK_FUNCS(crypt_r)
 LIBS=$BACKUP_LIBS
 AC_SUBST(LIBCRYPT)
 
+AC_ARG_WITH([randomdev], AC_HELP_STRING([--with-randomdev=(<path>|yes|no)], [use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
+if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
+       opt_randomdev="/dev/urandom"
+elif test "$opt_randomdev" = no; then
+       opt_randomdev=
+fi
+if test -n "$opt_randomdev"; then
+       AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.])
+fi
+
 dnl check for libdb or libndbm as fallback. Some libndbm compat
 dnl libraries are unuseable, so try libdb first.
 AC_ARG_ENABLE([db],
@@ -373,6 +400,7 @@ AC_SUBST(LIBDB)
 AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
 
 AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="")
+BACKUP_LIBS=$LIBS
 LIBS="$LIBS $LIBNSL"
 AC_CHECK_FUNCS(yp_get_default_domain)
 LIBS=$BACKUP_LIBS
@@ -390,6 +418,10 @@ AC_SUBST(LIBSELINUX)
 AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
 if test ! -z "$LIBSELINUX" ; then
     AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+    BACKUP_LIBS=$LIBS
+    LIBS="$LIBS $LIBSELINUX"
+    AC_CHECK_FUNCS(setkeycreatecon)
+    LIBS=$BACKUP_LIBS
 fi
 
 dnl Checks for header files.
@@ -422,7 +454,7 @@ AC_CHECK_FUNCS(fseeko gethostname gettimeofday lckpwdf mkdir select)
 AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
 AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
 AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon)
+AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af)
 
 AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
 AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
@@ -511,9 +543,11 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
 	modules/pam_rhosts/Makefile \
 	modules/pam_rootok/Makefile modules/pam_exec/Makefile \
 	modules/pam_securetty/Makefile modules/pam_selinux/Makefile \
+	modules/pam_sepermit/Makefile \
 	modules/pam_shells/Makefile modules/pam_stress/Makefile \
 	modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \
-	modules/pam_time/Makefile modules/pam_umask/Makefile \
+	modules/pam_time/Makefile modules/pam_tty_audit/Makefile \
+	modules/pam_umask/Makefile \
 	modules/pam_unix/Makefile modules/pam_userdb/Makefile \
 	modules/pam_warn/Makefile modules/pam_wheel/Makefile \
 	modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
diff --git a/Linux-PAM/doc/Makefile.am b/Linux-PAM/doc/Makefile.am
index 3b893899..4a300e15 100644
--- a/Linux-PAM/doc/Makefile.am
+++ b/Linux-PAM/doc/Makefile.am
@@ -14,7 +14,7 @@ releasedocs: all
 	$(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs
 	cp -av specs/draft-morgan-pam-current.txt \
 		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
-	cp -av specs/rfc86.0.txt \
+	cp -av $(srcdir)/specs/rfc86.0.txt \
 		$(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/
 	make -C sag releasedocs
 	make -C adg releasedocs
diff --git a/Linux-PAM/doc/man/Makefile.am b/Linux-PAM/doc/man/Makefile.am
index 7d17a439..52e5caab 100644
--- a/Linux-PAM/doc/man/Makefile.am
+++ b/Linux-PAM/doc/man/Makefile.am
@@ -1,8 +1,9 @@
 #
-# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
 #
 
 CLEANFILES = *~
+MAINTAINERCLEANFILES = $(MANS)
 
 EXTRA_DIST = $(MANS) $(XMLS)
 
@@ -10,7 +11,7 @@ man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \
 	pam_acct_mgmt.3 pam_authenticate.3 \
 	pam_chauthtok.3 pam_close_session.3 pam_conv.3 \
 	pam_end.3 pam_error.3 \
-	pam_fail_delay.3 \
+	pam_fail_delay.3 pam_xauth_data.3 \
 	pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \
 	pam_getenvlist.3 \
 	pam_info.3 \
@@ -27,7 +28,7 @@ XMLS = pam.3.xml pam.8.xml \
 	pam_acct_mgmt.3.xml pam_authenticate.3.xml \
 	pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \
 	pam_end.3.xml pam_error.3.xml \
-	pam_fail_delay.3.xml \
+	pam_fail_delay.3.xml pam_xauth_data.3 \
 	pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \
 	pam_getenv.3.xml pam_getenvlist.3.xml \
         pam_info.3.xml \
@@ -38,14 +39,18 @@ XMLS = pam.3.xml pam.8.xml \
 	pam_sm_close_session.3.xml pam_sm_open_session.3.xml \
 	pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \
 	pam_sm_chauthtok.3.xml \
-	pam_item_types.inc.xml \
+	pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \
 	pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
 	misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
 	pam_misc_setenv.3.xml
 
 if ENABLE_REGENERATE_MAN
-pam_get_item.3: pam_item_types.inc.xml
-pam_set_data.3: pam_item_types.inc.xml
+PAM.8: pam.8
+pam.d.5: pam.conf.5
+	test -f $(srcdir)/pam\\.d.5 && mv $(srcdir)/pam\\.d.5 $(srcdir)/pam.d.5 ||:
+
+pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
+pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
 pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
 -include $(top_srcdir)/Make.xml.rules
 endif
diff --git a/Linux-PAM/doc/man/PAM.8 b/Linux-PAM/doc/man/PAM.8
index 112ea7d7..a385ea3e 100644
--- a/Linux-PAM/doc/man/PAM.8
+++ b/Linux-PAM/doc/man/PAM.8
@@ -1,48 +1,48 @@
 .\"     Title: pam
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM" "8" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-PAM, pam \- Pluggable Authentication Modules for Linux
+PAM, pam - Pluggable Authentication Modules for Linux
 .SH "DESCRIPTION"
 .PP
 This manual is intended to offer a quick introduction to
-\fBLinux\-PAM\fR. For more information the reader is directed to the
-\fBLinux\-PAM system administrators' guide\fR.
+\fBLinux\-PAM\fR\. For more information the reader is directed to the
+\fBLinux\-PAM system administrators\' guide\fR\.
 .PP
 
 \fBLinux\-PAM\fR
-is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+is a system of libraries that handle the authentication tasks of applications (services) on the system\. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
 \fBlogin\fR(1)
 and
-\fBsu\fR(1)) defer to to perform standard authentication tasks.
+\fBsu\fR(1)) defer to to perform standard authentication tasks\.
 .PP
-The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users. This dynamic configuration is set by the contents of the single
+The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable\. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users\. This dynamic configuration is set by the contents of the single
 \fBLinux\-PAM\fR
 configuration file
-\fI/etc/pam.conf\fR. Alternatively, the configuration can be set by individual configuration files located in the
-\fI/etc/pam.d/\fR
-directory. The presence of this directory will cause
+\fI/etc/pam\.conf\fR\. Alternatively, the configuration can be set by individual configuration files located in the
+\fI/etc/pam\.d/\fR
+directory\. The presence of this directory will cause
 \fBLinux\-PAM\fR
 to
 \fIignore\fR
-\fI/etc/pam.conf\fR.
+\fI/etc/pam\.conf\fR\.
 .PP
 From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the
 \fBLinux\-PAM\fR
-library. The important point to recognize is that the configuration file(s)
+library\. The important point to recognize is that the configuration file(s)
 \fIdefine\fR
 the connection between applications
 (\fBservices\fR) and the pluggable authentication modules
-(\fBPAM\fRs) that perform the actual authentication tasks.
+(\fBPAM\fRs) that perform the actual authentication tasks\.
 .PP
 \fBLinux\-PAM\fR
 separates the tasks of
@@ -54,45 +54,49 @@ management;
 \fBpassword\fR
 management; and
 \fBsession\fR
-management. (We highlight the abbreviations used for these groups in the configuration file.)
+management\. (We highlight the abbreviations used for these groups in the configuration file\.)
 .PP
-Simply put, these groups take care of different aspects of a typical user's request for a restricted service:
+Simply put, these groups take care of different aspects of a typical user\'s request for a restricted service:
 .PP
 \fBaccount\fR
-\- provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?
+\- provide account verification types of service: has the user\'s password expired?; is this user permitted access to the requested service?
 .PP
-\fBauth\fRentication \- authenticate a user and set up user credentials. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of
-\fBLinux\-PAM\fR.
+\fBauth\fRentication \- authenticate a user and set up user credentials\. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password\. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of
+\fBLinux\-PAM\fR\.
 .PP
 \fBpassword\fR
-\- this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the
+\- this group\'s responsibility is the task of updating authentication mechanisms\. Typically, such services are strongly coupled to those of the
 \fBauth\fR
-group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password\-based access is the obvious example: please enter a replacement password.
+group\. Some authentication mechanisms lend themselves well to being updated with such a function\. Standard UN*X password\-based access is the obvious example: please enter a replacement password\.
 .PP
 \fBsession\fR
-\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The
+\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn\. Such tasks include the maintenance of audit trails and the mounting of the user\'s home directory\. The
 \fBsession\fR
-management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.
+management group is important as it provides both an opening and closing hook for modules to affect the services available to a user\.
 .SH "FILES"
-.TP 3n
-\fI/etc/pam.conf\fR
+.PP
+\fI/etc/pam\.conf\fR
+.RS 4
 the configuration file
-.TP 3n
-\fI/etc/pam.d\fR
+.RE
+.PP
+\fI/etc/pam\.d\fR
+.RS 4
 the
 \fBLinux\-PAM\fR
-configuration directory. Generally, if this directory is present, the
-\fI/etc/pam.conf\fR
-file is ignored.
+configuration directory\. Generally, if this directory is present, the
+\fI/etc/pam\.conf\fR
+file is ignored\.
+.RE
 .SH "ERRORS"
 .PP
 Typically errors generated by the
 \fBLinux\-PAM\fR
 system of libraries, will be written to
-\fBsyslog\fR(3).
+\fBsyslog\fR(3)\.
 .SH "CONFORMING TO"
 .PP
-DCE\-RFC 86.0, October 1995. Contains additional features, but remains backwardly compatible with this RFC.
+DCE\-RFC 86\.0, October 1995\. Contains additional features, but remains backwardly compatible with this RFC\.
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/misc_conv.3 b/Linux-PAM/doc/man/misc_conv.3
index bb8cbd87..610348d4 100644
--- a/Linux-PAM/doc/man/misc_conv.3
+++ b/Linux-PAM/doc/man/misc_conv.3
@@ -1,22 +1,22 @@
 .\"     Title: misc_conv
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "MISC_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "MISC_CONV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-misc_conv \- text based conversation function
+misc_conv - text based conversation function
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_misc.h>
+#include <security/pam_misc\.h>
 .fi
 .ft
 .HP 15
@@ -29,60 +29,74 @@ function is part of
 \fBlibpam_misc\fR
 and not of the standard
 \fBlibpam\fR
-library. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules.
+library\. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules\.
 .PP
 In addition to simply slotting into the appropriate
-\fBpam_conv\fR(3), this function provides some time\-out facilities. The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something. The five variabls are as follows:
-.TP 3n
+\fBpam_conv\fR(3), this function provides some time\-out facilities\. The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something\. The five variabls are as follows:
+.PP
 \fBtime_t\fR \fIpam_misc_conv_warn_time\fR;
+.RS 4
 This variable contains the
 \fItime\fR
 (as returned by
-\fBtime\fR(2)) that the user should be first warned that the clock is ticking. By default it has the value
-0, which indicates that no such warning will be given. The application may set its value to sometime in the future, but this should be done prior to passing control to the
+\fBtime\fR(2)) that the user should be first warned that the clock is ticking\. By default it has the value
+0, which indicates that no such warning will be given\. The application may set its value to sometime in the future, but this should be done prior to passing control to the
 \fILinux\-PAM\fR
-library.
-.TP 3n
+library\.
+.RE
+.PP
 \fBconst char *\fR\fIpam_misc_conv_warn_line\fR;
+.RS 4
 Used in conjuction with
-\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching. Its default value is a translated version of
-\(lq...Time is running out...\(rq, but this can be changed by the application prior to passing control to
-\fILinux\-PAM\fR.
-.TP 3n
+\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching\. Its default value is a translated version of
+\(lq\.\.\.Time is running out\.\.\.\(rq, but this can be changed by the application prior to passing control to
+\fILinux\-PAM\fR\.
+.RE
+.PP
 \fBtime_t\fR \fIpam_misc_conv_die_time\fR;
+.RS 4
 This variable contains the
 \fItime\fR
 (as returned by
-\fBtime\fR(2)) that the will time out. By default it has the value
-0, which indicates that the conversation function will not timeout. The application may set its value to sometime in the future, but this should be done prior to passing control to the
+\fBtime\fR(2)) that the will time out\. By default it has the value
+0, which indicates that the conversation function will not timeout\. The application may set its value to sometime in the future, but this should be done prior to passing control to the
 \fILinux\-PAM\fR
-library.
-.TP 3n
+library\.
+.RE
+.PP
 \fBconst char *\fR\fIpam_misc_conv_die_line\fR;
+.RS 4
 Used in conjuction with
-\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out. Its default value is a translated version of
-\(lq...Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to
-\fILinux\-PAM\fR.
-.TP 3n
+\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out\. Its default value is a translated version of
+\(lq\.\.\.Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to
+\fILinux\-PAM\fR\.
+.RE
+.PP
 \fBint\fR \fIpam_misc_conv_died\fR;
+.RS 4
 Following a return from the
 \fILinux\-PAM\fR
-libraray, the value of this variable indicates whether the conversation has timed out. A value of
+libraray, the value of this variable indicates whether the conversation has timed out\. A value of
 1
-indicates the time\-out occurred.
+indicates the time\-out occurred\.
+.RE
 .PP
-The following two function pointers are available for supporting binary prompts in the conversation function. They are optimized for the current incarnation of the
+The following two function pointers are available for supporting binary prompts in the conversation function\. They are optimized for the current incarnation of the
 \fBlibpamc\fR
-library and are subject to change.
-.TP 3n
+library and are subject to change\.
+.PP
 \fBint\fR \fI(*pam_binary_handler_fn)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIprompt_p\fR);
+.RS 4
 This function pointer is initialized to
 NULL
-but can be filled with a function that provides machine\-machine (hidden) message exchange. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges. (This is still under development.)
-.TP 3n
+but can be filled with a function that provides machine\-machine (hidden) message exchange\. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges\. (This is still under development\.)
+.RE
+.PP
 \fBint\fR \fI(*pam_binary_handler_free)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIdelete_me\fR);
+.RS 4
 This function pointer is initialized to
-\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application.
+\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application\.
+.RE
 .SH "SEE ALSO"
 .PP
 
@@ -94,4 +108,4 @@ The
 \fBmisc_conv\fR
 function is part of the
 \fBlibpam_misc\fR
-Library and not defined in any standard.
+Library and not defined in any standard\.
diff --git a/Linux-PAM/doc/man/pam.3 b/Linux-PAM/doc/man/pam.3
index a3582242..0e80617d 100644
--- a/Linux-PAM/doc/man/pam.3
+++ b/Linux-PAM/doc/man/pam.3
@@ -1,104 +1,104 @@
 .\"     Title: pam
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/>
-.\"      Date: 10/26/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM" "3" "10/26/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam \- Pluggable Authentication Modules Library
+pam - Pluggable Authentication Modules Library
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .sp
 .ft B
 .nf
-#include <security/pam_ext.h>
+#include <security/pam_ext\.h>
 .fi
 .ft
 .SH "DESCRIPTION"
 .PP
 
 \fBPAM\fR
-is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+is a system of libraries that handle the authentication tasks of applications (services) on the system\. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
 \fBlogin\fR(1)
 and
-\fBsu\fR(1)) defer to to perform standard authentication tasks.
+\fBsu\fR(1)) defer to to perform standard authentication tasks\.
 .SS "Initialization and Cleanup"
 .PP
 The
 \fBpam_start\fR(3)
-function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context.
+function creates the PAM context and initiates the PAM transaction\. It is the first of the PAM functions that needs to be called by an application\. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel\. But it is not possible to use the same handle for different transactions, a new one is needed for every new context\.
 .PP
 The
 \fBpam_end\fR(3)
-function terminates the PAM transaction and is the last function an application should call in the PAM context. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid. It can be called at any time to terminate a PAM transaction.
+function terminates the PAM transaction and is the last function an application should call in the PAM context\. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid\. It can be called at any time to terminate a PAM transaction\.
 .SS "Authentication"
 .PP
 The
 \fBpam_authenticate\fR(3)
-function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print.
+function is used to authenticate the user\. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\.
 .PP
 The
 \fBpam_setcred\fR(3)
-function manages the userscredentials.
+function manages the userscredentials\.
 .SS "Account Management"
 .PP
 The
 \fBpam_acct_mgmt\fR(3)
-function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
+function is used to determine if the users account is valid\. It checks for authentication token and account expiration and verifies access restrictions\. It is typically called after the user has been authenticated\.
 .SS "Password Management"
 .PP
 The
 \fBpam_chauthtok\fR(3)
-function is used to change the authentication token for a given user on request or because the token has expired.
+function is used to change the authentication token for a given user on request or because the token has expired\.
 .SS "Session Management"
 .PP
 The
 \fBpam_open_session\fR(3)
-function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to
-\fBpam_close_session\fR(3).
+function sets up a user session for a previously successful authenticated user\. The session should later be terminated with a call to
+\fBpam_close_session\fR(3)\.
 .SS "Conversation"
 .PP
-The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the
+The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\. This callback is specified by the
 \fIstruct pam_conv\fR
 passed to
 \fBpam_start\fR(3)
-at the start of the transaction. See
+at the start of the transaction\. See
 \fBpam_conv\fR(3)
-for details.
+for details\.
 .SS "Data Objects"
 .PP
 The
 \fBpam_set_item\fR(3)
 and
 \fBpam_get_item\fR(3)
-functions allows applications and PAM service modules to set and retrieve PAM informations.
+functions allows applications and PAM service modules to set and retrieve PAM informations\.
 .PP
 The
 \fBpam_get_user\fR(3)
-function is the preferred method to obtain the username.
+function is the preferred method to obtain the username\.
 .PP
 The
 \fBpam_set_data\fR(3)
 and
 \fBpam_get_data\fR(3)
-functions allows PAM service modules to set and retrieve free\-form data from one invocation to another.
+functions allows PAM service modules to set and retrieve free\-form data from one invocation to another\.
 .SS "Environment and Error Management"
 .PP
 The
@@ -106,158 +106,158 @@ The
 \fBpam_getenv\fR(3)
 and
 \fBpam_getenvlist\fR(3)
-functions are for maintaining a set of private environment variables.
+functions are for maintaining a set of private environment variables\.
 .PP
 The
 \fBpam_strerror\fR(3)
-function returns a pointer to a string describing the given PAM error code.
+function returns a pointer to a string describing the given PAM error code\.
 .SH "RETURN VALUES"
 .PP
 The following return codes are known by PAM:
 .PP
 PAM_ABORT
-.RS 3n
-Critical error, immediate abort.
+.RS 4
+Critical error, immediate abort\.
 .RE
 .PP
 PAM_ACCT_EXPIRED
-.RS 3n
-User account has expired.
+.RS 4
+User account has expired\.
 .RE
 .PP
 PAM_AUTHINFO_UNAVAIL
-.RS 3n
-Authentication service cannot retrieve authentication info.
+.RS 4
+Authentication service cannot retrieve authentication info\.
 .RE
 .PP
 PAM_AUTHTOK_DISABLE_AGING
-.RS 3n
-Authentication token aging disabled.
+.RS 4
+Authentication token aging disabled\.
 .RE
 .PP
 PAM_AUTHTOK_ERR
-.RS 3n
-Authentication token manipulation error.
+.RS 4
+Authentication token manipulation error\.
 .RE
 .PP
 PAM_AUTHTOK_EXPIRED
-.RS 3n
-Authentication token expired.
+.RS 4
+Authentication token expired\.
 .RE
 .PP
 PAM_AUTHTOK_LOCK_BUSY
-.RS 3n
-Authentication token lock busy.
+.RS 4
+Authentication token lock busy\.
 .RE
 .PP
 PAM_AUTHTOK_RECOVERY_ERR
-.RS 3n
-Authentication information cannot be recovered.
+.RS 4
+Authentication information cannot be recovered\.
 .RE
 .PP
 PAM_AUTH_ERR
-.RS 3n
-Authentication failure.
+.RS 4
+Authentication failure\.
 .RE
 .PP
 PAM_BUF_ERR
-.RS 3n
-Memory buffer error.
+.RS 4
+Memory buffer error\.
 .RE
 .PP
 PAM_CONV_ERR
-.RS 3n
-Conversation failure.
+.RS 4
+Conversation failure\.
 .RE
 .PP
 PAM_CRED_ERR
-.RS 3n
-Failure setting user credentials.
+.RS 4
+Failure setting user credentials\.
 .RE
 .PP
 PAM_CRED_EXPIRED
-.RS 3n
-User credentials expired.
+.RS 4
+User credentials expired\.
 .RE
 .PP
 PAM_CRED_INSUFFICIENT
-.RS 3n
-Insufficient credentials to access authentication data.
+.RS 4
+Insufficient credentials to access authentication data\.
 .RE
 .PP
 PAM_CRED_UNAVAIL
-.RS 3n
-Authentication service cannot retrieve user credentials.
+.RS 4
+Authentication service cannot retrieve user credentials\.
 .RE
 .PP
 PAM_IGNORE
-.RS 3n
-The return value should be ignored by PAM dispatch.
+.RS 4
+The return value should be ignored by PAM dispatch\.
 .RE
 .PP
 PAM_MAXTRIES
-.RS 3n
-Have exhausted maximum number of retries for service.
+.RS 4
+Have exhausted maximum number of retries for service\.
 .RE
 .PP
 PAM_MODULE_UNKNOWN
-.RS 3n
-Module is unknown.
+.RS 4
+Module is unknown\.
 .RE
 .PP
 PAM_NEW_AUTHTOK_REQD
-.RS 3n
-Authentication token is no longer valid; new one required.
+.RS 4
+Authentication token is no longer valid; new one required\.
 .RE
 .PP
 PAM_NO_MODULE_DATA
-.RS 3n
-No module specific data is present.
+.RS 4
+No module specific data is present\.
 .RE
 .PP
 PAM_OPEN_ERR
-.RS 3n
-Failed to load module.
+.RS 4
+Failed to load module\.
 .RE
 .PP
 PAM_PERM_DENIED
-.RS 3n
-Permission denied.
+.RS 4
+Permission denied\.
 .RE
 .PP
 PAM_SERVICE_ERR
-.RS 3n
-Error in service module.
+.RS 4
+Error in service module\.
 .RE
 .PP
 PAM_SESSION_ERR
-.RS 3n
-Cannot make/remove an entry for the specified session.
+.RS 4
+Cannot make/remove an entry for the specified session\.
 .RE
 .PP
 PAM_SUCCESS
-.RS 3n
-Success.
+.RS 4
+Success\.
 .RE
 .PP
 PAM_SYMBOL_ERR
-.RS 3n
-Symbol not found.
+.RS 4
+Symbol not found\.
 .RE
 .PP
 PAM_SYSTEM_ERR
-.RS 3n
-System error.
+.RS 4
+System error\.
 .RE
 .PP
 PAM_TRY_AGAIN
-.RS 3n
-Failed preliminary check by password service.
+.RS 4
+Failed preliminary check by password service\.
 .RE
 .PP
 PAM_USER_UNKNOWN
-.RS 3n
-User not known to the underlying authentication module.
+.RS 4
+User not known to the underlying authentication module\.
 .RE
 .SH "SEE ALSO"
 .PP
diff --git a/Linux-PAM/doc/man/pam.conf-syntax.xml b/Linux-PAM/doc/man/pam.conf-syntax.xml
index f098a26a..1460c6f6 100644
--- a/Linux-PAM/doc/man/pam.conf-syntax.xml
+++ b/Linux-PAM/doc/man/pam.conf-syntax.xml
@@ -180,6 +180,24 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>substack</term>
+        <listitem>
+          <para>
+            include all lines of given type from the configuration
+            file specified as an argument to this control. This differs from
+            <emphasis>include</emphasis> in that evaluation of the
+            <emphasis>done</emphasis> and <emphasis>die</emphasis> actions
+            in a substack does not cause skipping the rest of the complete
+            module stack, but only of the substack. Jumps in a substack
+            also can not make evaluation jump out of it, and the whole substack
+            is counted as one module when the jump is done in a parent stack.
+            The <emphasis>reset</emphasis> action will reset the state of a
+            module stack to the state it was in as of beginning of the substack
+            evaluation.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
 
     <para>
diff --git a/Linux-PAM/doc/man/pam.conf.5 b/Linux-PAM/doc/man/pam.conf.5
index 850a8fa1..e9806bb7 100644
--- a/Linux-PAM/doc/man/pam.conf.5
+++ b/Linux-PAM/doc/man/pam.conf.5
@@ -1,34 +1,34 @@
 .\"     Title: pam.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 01/16/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM.CONF" "5" "01/16/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM\.CONF" "5" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam.conf, pam.d \- PAM configuration files
+pam.conf, pam.d - PAM configuration files
 .SH "DESCRIPTION"
 .PP
 When a
 \fIPAM\fR
-aware privilege granting application is started, it activates its attachment to the PAM\-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s):
-\fI/etc/pam.conf\fR. Alternatively, this may be the contents of the
-\fI/etc/pam.d/\fR
-directory. The presence of this directory will cause Linux\-PAM to ignore
-\fI/etc/pam.conf\fR.
+aware privilege granting application is started, it activates its attachment to the PAM\-API\. This activation performs a number of tasks, the most important being the reading of the configuration file(s):
+\fI/etc/pam\.conf\fR\. Alternatively, this may be the contents of the
+\fI/etc/pam\.d/\fR
+directory\. The presence of this directory will cause Linux\-PAM to ignore
+\fI/etc/pam\.conf\fR\.
 .PP
 These files list the
 \fIPAM\fRs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM\-API in the event that individual
-\fIPAM\fRs fail.
+\fIPAM\fRs fail\.
 .PP
 The syntax of the
-\fI/etc/pam.conf\fR
-configuration file is as follows. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\\<LF>'. Comments are preceded with `#' marks and extend to the next end of line.
+\fI/etc/pam\.conf\fR
+configuration file is as follows\. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\e<LF>\'\. Comments are preceded with `#\' marks and extend to the next end of line\.
 .PP
 The format of each rule is a space separated collection of tokens, the first three being case\-insensitive:
 .PP
@@ -36,19 +36,19 @@ The format of each rule is a space separated collection of tokens, the first thr
 \fB service type control module\-path module\-arguments\fR
 .PP
 The syntax of files contained in the
-\fI/etc/pam.d/\fR
+\fI/etc/pam\.d/\fR
 directory, are identical except for the absence of any
 \fIservice\fR
-field. In this case, the
+field\. In this case, the
 \fIservice\fR
 is the name of the file in the
-\fI/etc/pam.d/\fR
-directory. This filename must be in lower case.
+\fI/etc/pam\.d/\fR
+directory\. This filename must be in lower case\.
 .PP
 An important feature of
 \fIPAM\fR, is that a number of rules may be
 \fIstacked\fR
-to combine the services of a number of PAMs for a given authentication task.
+to combine the services of a number of PAMs for a given authentication task\.
 .PP
 The
 \fIservice\fR
@@ -56,42 +56,42 @@ is typically the familiar name of the corresponding application:
 \fIlogin\fR
 and
 \fIsu\fR
-are good examples. The
+are good examples\. The
 \fIservice\fR\-name,
 \fIother\fR, is reserved for giving
 \fIdefault\fR
-rules. Only lines that mention the current service (or in the absence of such, the
+rules\. Only lines that mention the current service (or in the absence of such, the
 \fIother\fR
-entries) will be associated with the given service\-application.
+entries) will be associated with the given service\-application\.
 .PP
 The
 \fItype\fR
-is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are:
+is the management group that the rule corresponds to\. It is used to specify which of the management groups the subsequent module is to be associated with\. Valid entries are:
 .PP
 account
 .RS 4
-this module type performs non\-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- 'root' login only on the console.
+this module type performs non\-authentication based account management\. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- \'root\' login only on the console\.
 .RE
 .PP
 auth
 .RS 4
-this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties.
+this module type provides two aspects of authenticating the user\. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification\. Secondly, the module can grant group membership or other privileges through its credential granting properties\.
 .RE
 .PP
 password
 .RS 4
-this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.
+this module type is required for updating the authentication token associated with the user\. Typically, there is one module for each \'challenge/response\' based authentication (auth) type\.
 .RE
 .PP
 session
 .RS 4
-this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.
+this module type is associated with doing things that need to be done for the user before/after they can be given service\. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc\.
 .RE
 .PP
 The third field,
-\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of
+\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task\. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of
 \fIvalue=action\fR
-pairs.
+pairs\.
 .PP
 For the simple (historical) syntax valid
 \fIcontrol\fR
@@ -104,13 +104,13 @@ failure of such a PAM will ultimately lead to the PAM\-API returning failure but
 modules (for this
 \fIservice\fR
 and
-\fItype\fR) have been invoked.
+\fItype\fR) have been invoked\.
 .RE
 .PP
 requisite
 .RS 4
 like
-\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
+\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application\. The return value is that associated with the first required or requisite module to fail\. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium\. It is conceivable that such behavior might inform an attacker of valid accounts on a system\. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment\.
 .RE
 .PP
 sufficient
@@ -118,18 +118,31 @@ sufficient
 success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior
 \fIrequired\fR
 module has failed the success of this one is
-\fIignored\fR). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.
+\fIignored\fR)\. A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded\. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules\.
 .RE
 .PP
 optional
 .RS 4
 the success or failure of this module is only important if it is the only module in the stack associated with this
-\fIservice\fR+\fItype\fR.
+\fIservice\fR+\fItype\fR\.
 .RE
 .PP
 include
 .RS 4
-include all lines of given type from the configuration file specified as an argument to this control.
+include all lines of given type from the configuration file specified as an argument to this control\.
+.RE
+.PP
+substack
+.RS 4
+include all lines of given type from the configuration file specified as an argument to this control\. This differs from
+\fIinclude\fR
+in that evaluation of the
+\fIdone\fR
+and
+\fIdie\fR
+actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack\. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack\. The
+\fIreset\fR
+action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation\.
 .RE
 .PP
 For the more complicated syntax valid
@@ -138,14 +151,14 @@ values have the following form:
 .sp
 .RS 4
 .nf
-      [value1=action1 value2=action2 ...]
+      [value1=action1 value2=action2 \.\.\.]
     
 .fi
 .RE
 .PP
 Where
 \fIvalueN\fR
-corresponds to the return code from the function invoked in the module for which the line is defined. It is selected from one of these:
+corresponds to the return code from the function invoked in the module for which the line is defined\. It is selected from one of these:
 \fIsuccess\fR,
 \fIopen_err\fR,
 \fIsymbol_err\fR,
@@ -177,52 +190,51 @@ corresponds to the return code from the function invoked in the module for which
 \fImodule_unknown\fR,
 \fIbad_item\fR,
 \fIconv_again\fR,
-\fIincomplete\fR,
-and
-\fIdefault\fR.
+\fIincomplete\fR, and
+\fIdefault\fR\.
 .PP
 The last of these,
-\fIdefault\fR, implies 'all
-\fIvalueN\fR's not mentioned explicitly. Note, the full list of PAM errors is available in
-\fI/usr/include/security/_pam_types.h\fR. The
+\fIdefault\fR, implies \'all
+\fIvalueN\fR\'s not mentioned explicitly\. Note, the full list of PAM errors is available in
+\fI/usr/include/security/_pam_types\.h\fR\. The
 \fIactionN\fR
 can be: an unsigned integer,
-\fIn\fR, signifying an action of 'jump over the next
+\fIn\fR, signifying an action of \'jump over the next
 \fIn\fR
-modules in the stack', or take one of the following forms:
+modules in the stack\'; or take one of the following forms:
 .PP
 ignore
 .RS 4
-when used with a stack of modules, the module's return status will not contribute to the return code the application obtains.
+when used with a stack of modules, the module\'s return status will not contribute to the return code the application obtains\.
 .RE
 .PP
 bad
 .RS 4
-this action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack.
+this action indicates that the return code should be thought of as indicative of the module failing\. If this module is the first in the stack to fail, its status value will be used for that of the whole stack\.
 .RE
 .PP
 die
 .RS 4
-equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application.
+equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application\.
 .RE
 .PP
 ok
 .RS 4
-this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules. In other words, if the former state of the stack would lead to a return of
-\fIPAM_SUCCESS\fR, the module's return code will override this value. Note, if the former state of the stack holds some value that is indicative of a modules failure, this 'ok' value will not be used to override that value.
+this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules\. In other words, if the former state of the stack would lead to a return of
+\fIPAM_SUCCESS\fR, the module\'s return code will override this value\. Note, if the former state of the stack holds some value that is indicative of a modules failure, this \'ok\' value will not be used to override that value\.
 .RE
 .PP
 done
 .RS 4
-equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application.
+equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application\.
 .RE
 .PP
 reset
 .RS 4
-clear all memory of the state of the module stack and start again with the next stacked module.
+clear all memory of the state of the module stack and start again with the next stacked module\.
 .RE
 .PP
-Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows:
+Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [\.\.\.] syntax\. They are as follows:
 .PP
 required
 .RS 4
@@ -246,43 +258,43 @@ optional
 .PP
 
 \fImodule\-path\fR
-is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location:
+is either the full filename of the PAM to be used by the application (it begins with a \'/\'), or a relative pathname from the default module location:
 \fI/lib/security/\fR
 or
-\fI/lib64/security/\fR, depending on the architecture.
+\fI/lib64/security/\fR, depending on the architecture\.
 .PP
 
 \fImodule\-arguments\fR
-are a space separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets.
+are a space separated list of tokens that can be used to modify the specific behavior of the given PAM\. Such arguments will be documented for each individual module\. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets\.
 .sp
 .RS 4
 .nf
-    squid auth required pam_mysql.so user=passwd_query passwd=mada \\
-          db=eminence [query=select user_name from internet_service \\
-          where user_name='%u' and password=PASSWORD('%p') and \\
-        service='web_proxy']
+    squid auth required pam_mysql\.so user=passwd_query passwd=mada \e
+          db=eminence [query=select user_name from internet_service \e
+          where user_name=\'%u\' and password=PASSWORD(\'%p\') and \e
+        service=\'web_proxy\']
     
 .fi
 .RE
 .PP
-When using this convention, you can include `[' characters inside the string, and if you wish to include a `]' character inside the string that will survive the argument parsing, you should use `\\['. In other words:
+When using this convention, you can include `[\' characters inside the string, and if you wish to include a `]\' character inside the string that will survive the argument parsing, you should use `\e]\'\. In other words:
 .sp
 .RS 4
 .nf
-    [..[..\\]..]    \-\->   ..[..]..
+    [\.\.[\.\.\e]\.\.]    \-\->   \.\.[\.\.]\.\.
     
 .fi
 .RE
 .PP
-Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail. A corresponding error is written to the system log files with a call to
-\fBsyslog\fR(3).
+Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail\. A corresponding error is written to the system log files with a call to
+\fBsyslog\fR(3)\.
 .PP
 More flexible than the single configuration file is it to configure libpam via the contents of the
-\fI/etc/pam.d/\fR
-directory. In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service.
+\fI/etc/pam\.d/\fR
+directory\. In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service\.
 .PP
-The syntax of each file in /etc/pam.d/ is similar to that of the
-\fI/etc/pam.conf\fR
+The syntax of each file in /etc/pam\.d/ is similar to that of the
+\fI/etc/pam\.conf\fR
 file and is made up of lines of the following form:
 .sp
 .RS 4
@@ -292,11 +304,11 @@ type  control  module\-path  module\-arguments
 .fi
 .RE
 .PP
-The only difference being that the service\-name is not present. The service\-name is of course the name of the given configuration file. For example,
-\fI/etc/pam.d/login\fR
+The only difference being that the service\-name is not present\. The service\-name is of course the name of the given configuration file\. For example,
+\fI/etc/pam\.d/login\fR
 contains the configuration for the
 \fBlogin\fR
-service.
+service\.
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_acct_mgmt.3 b/Linux-PAM/doc/man/pam_acct_mgmt.3
index 352df7d1..b7b2160f 100644
--- a/Linux-PAM/doc/man/pam_acct_mgmt.3
+++ b/Linux-PAM/doc/man/pam_acct_mgmt.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_acct_mgmt
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ACCT_MGMT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ACCT_MGMT" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_acct_mgmt \- PAM account validation management
+pam_acct_mgmt - PAM account validation management
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 18
@@ -25,39 +25,55 @@ pam_acct_mgmt \- PAM account validation management
 .PP
 The
 \fBpam_acct_mgmt\fR
-function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
+function is used to determine if the users account is valid\. It checks for authentication token and account expiration and verifies access restrictions\. It is typically called after the user has been authenticated\.
 .PP
 The
 \fIpamh\fR
-argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values:
-.TP 3n
+argument is an authentication handle obtained by a prior call to pam_start()\. The flags argument is the binary or of zero or more of the following values:
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_DISALLOW_NULL_AUTHTOK
-The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token.
+.RS 4
+The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ACCT_EXPIRED
-User account has expired.
-.TP 3n
+.RS 4
+User account has expired\.
+.RE
+.PP
 PAM_AUTH_ERR
-Authentication failure.
-.TP 3n
+.RS 4
+Authentication failure\.
+.RE
+.PP
 PAM_NEW_AUTHTOK_REQD
+.RS 4
 The user account is valid but their authentication token is
-\fIexpired\fR. The correct response to this return\-value is to require that the user satisfies the
+\fIexpired\fR\. The correct response to this return\-value is to require that the user satisfies the
 \fBpam_chauthtok()\fR
-function before obtaining service. It may not be possible for some applications to do this. In such cases, the user should be denied access until such time as they can update their password.
-.TP 3n
+function before obtaining service\. It may not be possible for some applications to do this\. In such cases, the user should be denied access until such time as they can update their password\.
+.RE
+.PP
 PAM_PERM_DENIED
-Permission denied.
-.TP 3n
+.RS 4
+Permission denied\.
+.RE
+.PP
 PAM_SUCCESS
-The authentication token was successfully updated.
-.TP 3n
+.RS 4
+The authentication token was successfully updated\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User unknown to password service.
+.RS 4
+User unknown to password service\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_authenticate.3 b/Linux-PAM/doc/man/pam_authenticate.3
index 576a7a2c..13c60f0a 100644
--- a/Linux-PAM/doc/man/pam_authenticate.3
+++ b/Linux-PAM/doc/man/pam_authenticate.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_authenticate
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_AUTHENTICATE" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_AUTHENTICATE" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_authenticate \- account authentication
+pam_authenticate - account authentication
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 21
@@ -25,47 +25,65 @@ pam_authenticate \- account authentication
 .PP
 The
 \fBpam_authenticate\fR
-function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print.
+function is used to authenticate the user\. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\.
 .PP
 The PAM service module may request that the user enter their username vio the the conversation mechanism (see
 \fBpam_start\fR(3)
 and
-\fBpam_conv\fR(3)). The name of the authenticated user will be present in the PAM item PAM_USER. This item may be recovered with a call to
-\fBpam_get_item\fR(3).
+\fBpam_conv\fR(3))\. The name of the authenticated user will be present in the PAM item PAM_USER\. This item may be recovered with a call to
+\fBpam_get_item\fR(3)\.
 .PP
 The
 \fIpamh\fR
-argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values:
-.TP 3n
+argument is an authentication handle obtained by a prior call to pam_start()\. The flags argument is the binary or of zero or more of the following values:
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_DISALLOW_NULL_AUTHTOK
-The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token.
+.RS 4
+The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ABORT
+.RS 4
 The application should exit immediately after calling
 \fBpam_end\fR(3)
-first.
-.TP 3n
+first\.
+.RE
+.PP
 PAM_AUTH_ERR
-The user was not authenticated.
-.TP 3n
+.RS 4
+The user was not authenticated\.
+.RE
+.PP
 PAM_CRED_INSUFFICIENT
-For some reason the application does not have sufficient credentials to authenticate the user.
-.TP 3n
+.RS 4
+For some reason the application does not have sufficient credentials to authenticate the user\.
+.RE
+.PP
 PAM_AUTHINFO_UNVAIL
-The modules were not able to access the authentication information. This might be due to a network or hardware failure etc.
-.TP 3n
+.RS 4
+The modules were not able to access the authentication information\. This might be due to a network or hardware failure etc\.
+.RE
+.PP
 PAM_MAXTRIES
-One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again.
-.TP 3n
+.RS 4
+One or more of the authentication modules has reached its limit of tries authenticating the user\. Do not try again\.
+.RE
+.PP
 PAM_SUCCESS
-The user was successfully authenticated.
-.TP 3n
+.RS 4
+The user was successfully authenticated\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User unknown to authentication service.
+.RS 4
+User unknown to authentication service\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_chauthtok.3 b/Linux-PAM/doc/man/pam_chauthtok.3
index 16c673b5..2c6b379e 100644
--- a/Linux-PAM/doc/man/pam_chauthtok.3
+++ b/Linux-PAM/doc/man/pam_chauthtok.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_chauthtok
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_CHAUTHTOK" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CHAUTHTOK" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_chauthtok \- updating authentication tokens
+pam_chauthtok - updating authentication tokens
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 18
@@ -26,42 +26,62 @@ pam_chauthtok \- updating authentication tokens
 The
 \fBpam_chauthtok\fR
 function is used to change the authentication token for a given user (as indicated by the state associated with the handle
-\fIpamh\fR).
+\fIpamh\fR)\.
 .PP
 The
 \fIpamh\fR
-argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values:
-.TP 3n
+argument is an authentication handle obtained by a prior call to pam_start()\. The flags argument is the binary or of zero or more of the following values:
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_CHANGE_EXPIRED_AUTHTOK
-This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired. If this argument is not passed, the application requires that all authentication tokens are to be changed.
+.RS 4
+This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired\. If this argument is not passed, the application requires that all authentication tokens are to be changed\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_AUTHTOK_ERR
-A module was unable to obtain the new authentication token.
-.TP 3n
+.RS 4
+A module was unable to obtain the new authentication token\.
+.RE
+.PP
 PAM_AUTHTOK_RECOVERY_ERR
-A module was unable to obtain the old authentication token.
-.TP 3n
+.RS 4
+A module was unable to obtain the old authentication token\.
+.RE
+.PP
 PAM_AUTHTOK_LOCK_BUSY
-One or more of the modules was unable to change the authentication token since it is currently locked.
-.TP 3n
+.RS 4
+One or more of the modules was unable to change the authentication token since it is currently locked\.
+.RE
+.PP
 PAM_AUTHTOK_DISABLE_AGING
-Authentication token aging has been disabled for at least one of the modules.
-.TP 3n
+.RS 4
+Authentication token aging has been disabled for at least one of the modules\.
+.RE
+.PP
 PAM_PERM_DENIED
-Permission denied.
-.TP 3n
+.RS 4
+Permission denied\.
+.RE
+.PP
 PAM_SUCCESS
-The authentication token was successfully updated.
-.TP 3n
+.RS 4
+The authentication token was successfully updated\.
+.RE
+.PP
 PAM_TRY_AGAIN
-Not all of the modules were in a position to update the authentication token(s). In such a case none of the user's authentication tokens are updated.
-.TP 3n
+.RS 4
+Not all of the modules were in a position to update the authentication token(s)\. In such a case none of the user\'s authentication tokens are updated\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User unknown to password service.
+.RS 4
+User unknown to password service\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_close_session.3 b/Linux-PAM/doc/man/pam_close_session.3
index 622c10e9..5e25f755 100644
--- a/Linux-PAM/doc/man/pam_close_session.3
+++ b/Linux-PAM/doc/man/pam_close_session.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_close_session
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_CLOSE_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CLOSE_SESSION" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_close_session \- terminate PAM session management
+pam_close_session - terminate PAM session management
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 22
@@ -25,29 +25,39 @@ pam_close_session \- terminate PAM session management
 .PP
 The
 \fBpam_close_session\fR
-function is used to indicate that an authenticated session has ended. The session should have been created with a call to
-\fBpam_open_session\fR(3).
+function is used to indicate that an authenticated session has ended\. The session should have been created with a call to
+\fBpam_open_session\fR(3)\.
 .PP
 It should be noted that the effective uid,
-\fBgeteuid\fR(2). of the application should be of sufficient privilege to perform such tasks as unmounting the user's home directory for example.
+\fBgeteuid\fR(2)\. of the application should be of sufficient privilege to perform such tasks as unmounting the user\'s home directory for example\.
 .PP
 The flags argument is the binary or of zero or more of the following values:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
+.RS 4
+Do not emit any messages\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ABORT
-General failure.
-.TP 3n
+.RS 4
+General failure\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SESSION_ERR
-Session failure.
-.TP 3n
+.RS 4
+Session failure\.
+.RE
+.PP
 PAM_SUCCESS
-Session was successful terminated.
+.RS 4
+Session was successful terminated\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_conv.3 b/Linux-PAM/doc/man/pam_conv.3
index 34b61fb3..cdf329da 100644
--- a/Linux-PAM/doc/man/pam_conv.3
+++ b/Linux-PAM/doc/man/pam_conv.3
@@ -1,26 +1,26 @@
 .\"     Title: pam_conv
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CONV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_conv \- PAM conversation function
+pam_conv - PAM conversation function
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .sp
-.RS 3n
+.RS 4
 .nf
 struct pam_message {
     int msg_style;
@@ -42,83 +42,99 @@ struct pam_conv {
 .RE
 .SH "DESCRIPTION"
 .PP
-The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the
+The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\. This callback is specified by the
 \fIstruct pam_conv\fR
 passed to
 \fBpam_start\fR(3)
-at the start of the transaction.
+at the start of the transaction\.
 .PP
 When a module calls the referenced conv() function, the argument
 \fIappdata_ptr\fR
-is set to the second element of this structure.
+is set to the second element of this structure\.
 .PP
-The other arguments of a call to conv() concern the information exchanged by module and application. That is to say,
+The other arguments of a call to conv() concern the information exchanged by module and application\. That is to say,
 \fInum_msg\fR
 holds the length of the array of pointers,
-\fImsg\fR. After a successful return, the pointer
+\fImsg\fR\. After a successful return, the pointer
 \fIresp\fR
-points to an array of pam_response structures, holding the application supplied text. The
+points to an array of pam_response structures, holding the application supplied text\. The
 \fIresp_retcode\fR
-member of this struct is unused and should be set to zero. It is the caller's responsibility to release both, this array and the responses themselves, using
-\fBfree\fR(3). Note,
+member of this struct is unused and should be set to zero\. It is the caller\'s responsibility to release both, this array and the responses themselves, using
+\fBfree\fR(3)\. Note,
 \fI*resp\fR
 is a
 \fIstruct pam_response\fR
-array and not an array of pointers.
+array and not an array of pointers\.
 .PP
 The number of responses is always equal to the
 \fInum_msg\fR
-conversation function argument. This does require that the response array is
-\fBfree\fR(3)'d after every call to the conversation function. The index of the responses corresponds directly to the prompt index in the pam_message array.
+conversation function argument\. This does require that the response array is
+\fBfree\fR(3)\'d after every call to the conversation function\. The index of the responses corresponds directly to the prompt index in the pam_message array\.
 .PP
-On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes.
+On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\.
 .PP
 Each message can have one of four types, specified by the
 \fImsg_style\fR
 member of
 \fIstruct pam_message\fR:
-.TP 3n
+.PP
 PAM_PROMPT_ECHO_OFF
-Obtain a string without echoing any text.
-.TP 3n
+.RS 4
+Obtain a string without echoing any text\.
+.RE
+.PP
 PAM_PROMPT_ECHO_ON
-Obtain a string whilst echoing text.
-.TP 3n
+.RS 4
+Obtain a string whilst echoing text\.
+.RE
+.PP
 PAM_ERROR_MSG
-Display an error message.
-.TP 3n
+.RS 4
+Display an error message\.
+.RE
+.PP
 PAM_TEXT_INFO
-Display some text.
+.RS 4
+Display some text\.
+.RE
 .PP
-The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once.
+The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\.
 .PP
-In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris' PAM (and derivitives, known to include HP/UX, are there others?) does. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[]). Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_meg read only 'struct pam_message' pointers. Solaris' PAM implementation interprets this argument as a pointer to a pointer to an array of num_meg pam_message structures. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems.
+In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) does\. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\.
 .PP
 For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are:
-.TP 3n
-\(bu
-never call the conversation function with num_msg greater than one.
-.TP 3n
-\(bu
-set up msg as doubly referenced so both types of conversation function can find the messages. That is, make
 .sp
-.RS 3n
+.RS 4
+\h'-04'\(bu\h'+03'never call the conversation function with num_msg greater than one\.
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'set up msg as doubly referenced so both types of conversation function can find the messages\. That is, make
+.sp
+.RS 4
 .nf
        msg[n] = & (( *msg )[n])
        
 .fi
 .RE
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CONV_ERR
-Conversation failure. The application should not set
-\fI*resp\fR.
-.TP 3n
+.RS 4
+Conversation failure\. The application should not set
+\fI*resp\fR\.
+.RE
+.PP
 PAM_SUCCESS
-Success.
+.RS 4
+Success\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_conv.3.xml b/Linux-PAM/doc/man/pam_conv.3.xml
index 73bb37cc..0098ff94 100644
--- a/Linux-PAM/doc/man/pam_conv.3.xml
+++ b/Linux-PAM/doc/man/pam_conv.3.xml
@@ -142,10 +142,10 @@ struct pam_conv {
   const struct pam_message *msg[] (which, in spirit, is consistent with
   the commonly used prototypes for argv argument to the familiar main()
   function: char **argv; and char *argv[]). Said another way Linux-PAM
-  interprets the msg argument as a pointer to an array of num_meg read
+  interprets the msg argument as a pointer to an array of num_msg read
   only 'struct pam_message' pointers.  Solaris' PAM implementation
   interprets this argument as a pointer to a pointer to an array of
-  num_meg pam_message structures.  Fortunately, perhaps, for most
+  num_msg pam_message structures.  Fortunately, perhaps, for most
   module/application developers when num_msg has a value of one these
   two definitions are entirely equivalent. Unfortunately, casually
   raising this number to two has led to unanticipated compatibility
diff --git a/Linux-PAM/doc/man/pam_end.3 b/Linux-PAM/doc/man/pam_end.3
index 3b28a265..85bd11ea 100644
--- a/Linux-PAM/doc/man/pam_end.3
+++ b/Linux-PAM/doc/man/pam_end.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_end
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_END" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_END" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_end \- termination of PAM transaction
+pam_end - termination of PAM transaction
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 12
@@ -25,13 +25,13 @@ pam_end \- termination of PAM transaction
 .PP
 The
 \fBpam_end\fR
-function terminates the PAM transaction and is the last function an application should call in the PAM context. Upon return the handle
+function terminates the PAM transaction and is the last function an application should call in the PAM context\. Upon return the handle
 \fIpamh\fR
-is no longer valid and all memory associated with it will be invalid.
+is no longer valid and all memory associated with it will be invalid\.
 .PP
 The
 \fIpam_status\fR
-argument should be set to the value returned to the application by the last PAM library call.
+argument should be set to the value returned to the application by the last PAM library call\.
 .PP
 The value taken by
 \fIpam_status\fR
@@ -40,26 +40,30 @@ is used as an argument to the module specific callback function,
 (See
 \fBpam_set_data\fR(3)
 and
-\fBpam_get_data\fR(3)). In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked. This argument can be logically OR'd with
+\fBpam_get_data\fR(3))\. In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked\. This argument can be logically OR\'d with
 \fIPAM_DATA_SILENT\fR
-to indicate to indicate that the module should not treat the call too seriously. It is generally used to indicate that the current closing of the library is in a
-\fBfork\fR(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc.).
+to indicate to indicate that the module should not treat the call too seriously\. It is generally used to indicate that the current closing of the library is in a
+\fBfork\fR(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc\.)\.
 .PP
 This function
-\fIfree\fR's all memory for items associated with the
+\fIfree\fR\'s all memory for items associated with the
 \fBpam_set_item\fR(3)
 and
 \fBpam_get_item\fR(3)
-functions. Pointers associated with such objects are not valid anymore after
+functions\. Pointers associated with such objects are not valid anymore after
 \fBpam_end\fR
-was called.
+was called\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-Transaction was successful terminated.
-.TP 3n
+.RS 4
+Transaction was successful terminated\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-System error, for example a NULL pointer was submitted as PAM handle or the function was called by a module.
+.RS 4
+System error, for example a NULL pointer was submitted as PAM handle or the function was called by a module\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_error.3 b/Linux-PAM/doc/man/pam_error.3
index f295f98b..6962d329 100644
--- a/Linux-PAM/doc/man/pam_error.3
+++ b/Linux-PAM/doc/man/pam_error.3
@@ -1,33 +1,33 @@
 .\"     Title: pam_error
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ERROR" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ERROR" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_error, pam_verror \- display error messages to the user
+pam_error, pam_verror - display error messages to the user
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_ext.h>
+#include <security/pam_ext\.h>
 .fi
 .ft
 .HP 14
-.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "..." ");"
+.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\.\.\." ");"
 .HP 15
 .BI "int pam_verror(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
 .SH "DESCRIPTION"
 .PP
 The
 \fBpam_error\fR
-function prints error messages through the conversation function to the user.
+function prints error messages through the conversation function to the user\.
 .PP
 The
 \fBpam_verror\fR
@@ -35,20 +35,28 @@ function performs the same task as
 \fBpam_error()\fR
 with the difference that it takes a set of arguments which have been obtained using the
 \fBstdarg\fR(3)
-variable argument list macros.
+variable argument list macros\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CONV_ERR
-Conversation failure.
-.TP 3n
+.RS 4
+Conversation failure\.
+.RE
+.PP
 PAM_SUCCESS
-Error message was displayed.
-.TP 3n
+.RS 4
+Error message was displayed\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-System error.
+.RS 4
+System error\.
+.RE
 .SH "SEE ALSO"
 .PP
 
@@ -63,4 +71,4 @@ The
 \fBpam_error\fR
 and
 \fBpam_verror\fR
-functions are Linux\-PAM extensions.
+functions are Linux\-PAM extensions\.
diff --git a/Linux-PAM/doc/man/pam_fail_delay.3 b/Linux-PAM/doc/man/pam_fail_delay.3
index 000276ed..942ff382 100644
--- a/Linux-PAM/doc/man/pam_fail_delay.3
+++ b/Linux-PAM/doc/man/pam_fail_delay.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_fail_delay
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 08/01/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_FAIL_DELAY" "3" "08/01/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FAIL_DELAY" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_fail_delay \- request a delay on failure
+pam_fail_delay - request a delay on failure
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 19
@@ -27,36 +27,36 @@ The
 \fBpam_fail_delay\fR
 function provides a mechanism by which an application or module can suggest a minimum delay of
 \fIusec\fR
-micro\-seconds. The function keeps a record of the longest time requested with this function. Should
+micro\-seconds\. The function keeps a record of the longest time requested with this function\. Should
 \fBpam_authenticate\fR(3)
-fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 25%) about this longest value.
+fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 25%) about this longest value\.
 .PP
-Independent of success, the delay time is reset to its zero default value when the PAM service module returns control to the application. The delay occurs
+Independent of success, the delay time is reset to its zero default value when the PAM service module returns control to the application\. The delay occurs
 \fIafter\fR
 all authentication modules have been called, but
 \fIbefore\fR
-control is returned to the service application.
+control is returned to the service application\.
 .PP
 When using this function the programmer should check if it is available with:
 .sp
-.RS 3n
+.RS 4
 .nf
 #ifdef HAVE_PAM_FAIL_DELAY
-    ....
+    \.\.\.\.
 #endif /* HAVE_PAM_FAIL_DELAY */
       
 .fi
 .RE
 .PP
-For applications written with a single thread that are event driven in nature, generating this delay may be undesirable. Instead, the application may want to register the delay in some other way. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires. For this reason the delay function can be changed with the
+For applications written with a single thread that are event driven in nature, generating this delay may be undesirable\. Instead, the application may want to register the delay in some other way\. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires\. For this reason the delay function can be changed with the
 \fIPAM_FAIL_DELAY\fR
-item. It can be queried and set with
+item\. It can be queried and set with
 \fBpam_get_item\fR(3)
 and
 \fBpam_set_item \fR(3)
-respectively. The value used to set it should be a function pointer of the following prototype:
+respectively\. The value used to set it should be a function pointer of the following prototype:
 .sp
-.RS 3n
+.RS 4
 .nf
 void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
       
@@ -70,26 +70,26 @@ return code of the module stack, the
 micro\-second delay that libpam is requesting and the
 \fIappdata_ptr\fR
 that the application has associated with the current
-\fIpamh\fR. This last value was set by the application when it called
+\fIpamh\fR\. This last value was set by the application when it called
 \fBpam_start\fR(3)
 or explicitly with
-\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed.
+\fBpam_set_item\fR(3)\. Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed\.
 .SH "RATIONALE"
 .PP
-It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of
+It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user\. In cases of
 \fIshort\fR
 timeouts, it may prove possible to attempt a
 \fIbrute force\fR
-dictionary attack \-\- with an automated process, the attacker tries all possible passwords to gain access to the system. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process. These latter attacks make use of procedural delays that constitute a
+dictionary attack \-\- with an automated process, the attacker tries all possible passwords to gain access to the system\. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process\. These latter attacks make use of procedural delays that constitute a
 \fIcovert channel\fR
-of useful information.
+of useful information\.
 .PP
-To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferable this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditional.
+To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process\. Preferable this value should be set by the application or a special PAM module\. Standard PAM modules should not modify the delay unconditional\.
 .SH "EXAMPLE"
 .PP
-For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:
+For example, a login application may require a failure delay of roughly 3 seconds\. It will contain the following code:
 .sp
-.RS 3n
+.RS 4
 .nf
     pam_fail_delay (pamh, 3000000 /* micro\-seconds */ );
     pam_authenticate (pamh, 0);
@@ -97,11 +97,11 @@ For example, a login application may require a failure delay of roughly 3 second
 .fi
 .RE
 .PP
-if the modules do not request a delay, the failure delay will be between 2.25 and 3.75 seconds.
+if the modules do not request a delay, the failure delay will be between 2\.25 and 3\.75 seconds\.
 .PP
 However, the modules, invoked in the authentication process, may also request delays:
 .sp
-.RS 3n
+.RS 4
 .nf
 module #1:    pam_fail_delay (pamh, 2000000);
 module #2:    pam_fail_delay (pamh, 4000000);
@@ -109,14 +109,18 @@ module #2:    pam_fail_delay (pamh, 4000000);
 .fi
 .RE
 .PP
-in this case, it is the largest requested value that is used to compute the actual failed delay: here between 3 and 5 seconds.
+in this case, it is the largest requested value that is used to compute the actual failed delay: here between 3 and 5 seconds\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-Delay was successful adjusted.
-.TP 3n
+.RS 4
+Delay was successful adjusted\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-A NULL pointer was submitted as PAM handle.
+.RS 4
+A NULL pointer was submitted as PAM handle\.
+.RE
 .SH "SEE ALSO"
 .PP
 
@@ -127,4 +131,4 @@ A NULL pointer was submitted as PAM handle.
 .PP
 The
 \fBpam_fail_delay\fR
-function is an Linux\-PAM extension.
+function is an Linux\-PAM extension\.
diff --git a/Linux-PAM/doc/man/pam_get_data.3 b/Linux-PAM/doc/man/pam_get_data.3
index cacec733..ae4da784 100644
--- a/Linux-PAM/doc/man/pam_get_data.3
+++ b/Linux-PAM/doc/man/pam_get_data.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_get_data
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_GET_DATA" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GET_DATA" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_get_data \- get module internal data
+pam_get_data - get module internal data
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 17
@@ -25,7 +25,7 @@ pam_get_data \- get module internal data
 .PP
 This function together with the
 \fBpam_set_data\fR(3)
-function is useful to manage module\-specific data meaningful only to the calling PAM module.
+function is useful to manage module\-specific data meaningful only to the calling PAM module\.
 .PP
 The
 \fBpam_get_data\fR
@@ -33,25 +33,31 @@ function looks up the object associated with the (hopefully) unique string
 \fImodule_data_name\fR
 in the PAM context specified by the
 \fIpamh\fR
-argument. A successful call to
+argument\. A successful call to
 \fBpam_get_data\fR
 will result in
 \fIdata\fR
-pointing to the object. Note, this data is
+pointing to the object\. Note, this data is
 \fInot\fR
 a copy and should be treated as
 \fIconstant\fR
-by the module.
+by the module\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-Data was successful retrieved.
-.TP 3n
+.RS 4
+Data was successful retrieved\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-A NULL pointer was submitted as PAM handle or the function was called by an application.
-.TP 3n
+.RS 4
+A NULL pointer was submitted as PAM handle or the function was called by an application\.
+.RE
+.PP
 PAM_NO_MODULE_DATA
-Module data not found or there is an entry, but it has the value NULL.
+.RS 4
+Module data not found or there is an entry, but it has the value NULL\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_get_item.3 b/Linux-PAM/doc/man/pam_get_item.3
index ae63d298..a02edc64 100644
--- a/Linux-PAM/doc/man/pam_get_item.3
+++ b/Linux-PAM/doc/man/pam_get_item.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_get_item
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_GET_ITEM" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GET_ITEM" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_get_item \- getting PAM informations
+pam_get_item - getting PAM informations
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 17
@@ -26,98 +26,146 @@ pam_get_item \- getting PAM informations
 The
 \fBpam_get_item\fR
 function allows applications and PAM service modules to access and retrieve PAM informations of
-\fIitem_type\fR. Upon successful return,
+\fIitem_type\fR\. Upon successful return,
 \fIitem\fR
-contains a pointer to the value of the corresponding item. Note, this is a pointer to the
+contains a pointer to the value of the corresponding item\. Note, this is a pointer to the
 \fIactual\fR
 data and should
 \fBnot\fR
 be
-\fIfree()\fR'ed or over\-written! The following values are supported for
+\fIfree()\fR\'ed or over\-written! The following values are supported for
 \fIitem_type\fR:
-.TP 3n
+.PP
 PAM_SERVICE
-The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program).
-.TP 3n
+.RS 4
+The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\.
+.RE
+.PP
 PAM_USER
-The username of the entity under whose identity service will be given. That is, following authentication,
+.RS 4
+The username of the entity under whose identity service will be given\. That is, following authentication,
 \fIPAM_USER\fR
-identifies the local entity that gets to use the service. Note, this value can be mapped from something (eg., "anonymous") to something else (eg. "guest119") by any module in the PAM stack. As such an application should consult the value of
+identifies the local entity that gets to use the service\. Note, this value can be mapped from something (eg\., "anonymous") to something else (eg\. "guest119") by any module in the PAM stack\. As such an application should consult the value of
 \fIPAM_USER\fR
-after each call to a PAM function.
-.TP 3n
+after each call to a PAM function\.
+.RE
+.PP
 PAM_USER_PROMPT
-The string used when prompting for a user's name. The default value for this string is a localized version of "login: ".
-.TP 3n
+.RS 4
+The string used when prompting for a user\'s name\. The default value for this string is a localized version of "login: "\.
+.RE
+.PP
 PAM_TTY
+.RS 4
 The terminal name: prefixed by
 \fI/dev/\fR
 if it is a device file; for graphical, X\-based, applications the value for this item should be the
 \fI$DISPLAY\fR
-variable.
-.TP 3n
+variable\.
+.RE
+.PP
 PAM_RUSER
-The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user.
+.RS 4
+The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\.
 .sp
-Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator.
+Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\.
 .sp
 
 \fIPAM_RUSER@PAM_RHOST\fR
-should always identify the requesting user. In some cases,
+should always identify the requesting user\. In some cases,
 \fIPAM_RUSER\fR
-may be NULL. In such situations, it is unclear who the requesting entity is.
-.TP 3n
+may be NULL\. In such situations, it is unclear who the requesting entity is\.
+.RE
+.PP
 PAM_RHOST
+.RS 4
 The requesting hostname (the hostname of the machine from which the
 \fIPAM_RUSER\fR
-entity is requesting service). That is
+entity is requesting service)\. That is
 \fIPAM_RUSER@PAM_RHOST\fR
-does identify the requesting user. In some applications,
+does identify the requesting user\. In some applications,
 \fIPAM_RHOST\fR
-may be NULL. In such situations, it is unclear where the authentication request is originating from.
-.TP 3n
+may be NULL\. In such situations, it is unclear where the authentication request is originating from\.
+.RE
+.PP
 PAM_AUTHTOK
-The authentication token (often a password). This token should be ignored by all module functions besides
+.RS 4
+The authentication token (often a password)\. This token should be ignored by all module functions besides
 \fBpam_sm_authenticate\fR(3)
 and
-\fBpam_sm_chauthtok\fR(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.
-.TP 3n
+\fBpam_sm_chauthtok\fR(3)\. In the former function it is used to pass the most recent authentication token from one stacked module to another\. In the latter function the token is used for another purpose\. It contains the currently active authentication token\.
+.RE
+.PP
 PAM_OLDAUTHTOK
-The old authentication token. This token should be ignored by all module functions except
-\fBpam_sm_chauthtok\fR(3).
-.TP 3n
+.RS 4
+The old authentication token\. This token should be ignored by all module functions except
+\fBpam_sm_chauthtok\fR(3)\.
+.RE
+.PP
 PAM_CONV
-The pam_conv structure. See
-\fBpam_conv\fR(3).
-.TP 3n
+.RS 4
+The pam_conv structure\. See
+\fBpam_conv\fR(3)\.
+.RE
+.PP
+The following additional items are specific to Linux\-PAM and should not be used in portable applications:
+.PP
 PAM_FAIL_DELAY
-A function pointer to redirect centrally managed failure delays. See
-\fBpam_fail_delay\fR(3).
+.RS 4
+A function pointer to redirect centrally managed failure delays\. See
+\fBpam_fail_delay\fR(3)\.
+.RE
+.PP
+PAM_XDISPLAY
+.RS 4
+The name of the X display\. For graphical, X\-based applications the value for this item should be the
+\fI$DISPLAY\fR
+variable\. This value may be used independently of
+\fIPAM_TTY\fR
+for passing the name of the display\.
+.RE
+.PP
+PAM_XAUTHDATA
+.RS 4
+A pointer to a structure containing the X authentication data required to make a connection to the display specified by
+\fIPAM_XDISPLAY\fR, if such information is necessary\. See
+\fBpam_xauth_data\fR(3)\.
+.RE
 .PP
 If a service module wishes to obtain the name of the user, it should not use this function, but instead perform a call to
-\fBpam_get_user\fR(3).
+\fBpam_get_user\fR(3)\.
 .PP
-Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK.
+Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BAD_ITEM
-The application attempted to set an undefined or inaccessible item.
-.TP 3n
+.RS 4
+The application attempted to set an undefined or inaccessible item\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_PERM_DENIED
+.RS 4
 The value of
 \fIitem\fR
-was NULL.
-.TP 3n
+was NULL\.
+.RE
+.PP
 PAM_SUCCESS
-Data was successful updated.
-.TP 3n
+.RS 4
+Data was successful updated\.
+.RE
+.PP
 PAM_SYSTEM_ERR
+.RS 4
 The
 \fIpam_handle_t\fR
-passed as first argument was invalid.
+passed as first argument was invalid\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_get_item.3.xml b/Linux-PAM/doc/man/pam_get_item.3.xml
index e5806d11..d07862e0 100644
--- a/Linux-PAM/doc/man/pam_get_item.3.xml
+++ b/Linux-PAM/doc/man/pam_get_item.3.xml
@@ -3,7 +3,8 @@
                    "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
 [
 <!--
-<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml">
 -->
 ]>
 
@@ -55,7 +56,15 @@
    </para>
 
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_item_types.inc.xml"/>
+      href="pam_item_types_std.inc.xml"/>
+
+   <para>
+     The following additional items are specific to Linux-PAM and should not be used in
+     portable applications:
+   </para>
+
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_item_types_ext.inc.xml"/>
 
     <para>
       If a service module wishes to obtain the name of the user,
diff --git a/Linux-PAM/doc/man/pam_get_user.3 b/Linux-PAM/doc/man/pam_get_user.3
index f4ab776b..e4817865 100644
--- a/Linux-PAM/doc/man/pam_get_user.3
+++ b/Linux-PAM/doc/man/pam_get_user.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_get_user
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_GET_USER" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GET_USER" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_get_user \- get user name
+pam_get_user - get user name
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 17
@@ -26,32 +26,33 @@ pam_get_user \- get user name
 The
 \fBpam_get_user\fR
 function returns the name of the user specified by
-\fBpam_start\fR(3). If no user was specified it what
-\fBpam_get_item (pamh, PAM_USER, ... );\fR
-would have returned. If this is NULL it obtains the username via the
+\fBpam_start\fR(3)\. If no user was specified it what
+\fBpam_get_item (pamh, PAM_USER, \.\.\. );\fR
+would have returned\. If this is NULL it obtains the username via the
 \fBpam_conv\fR(3)
 mechanism, it prompts the user with the first non\-NULL string in the following list:
-.TP 3n
-\(bu
-The
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'The
 \fIprompt\fR
-argument passed to the function.
-.TP 3n
-\(bu
-What is returned by pam_get_item (pamh, PAM_USER_PROMPT, ... );
-.TP 3n
-\(bu
-The default prompt: "login: "
+argument passed to the function\.
+.RE
 .sp
+.RS 4
+\h'-04'\(bu\h'+03'What is returned by pam_get_item (pamh, PAM_USER_PROMPT, \.\.\. );
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'The default prompt: "login: "
 .RE
 .PP
 By whatever means the username is obtained, a pointer to it is returned as the contents of
-\fI*user\fR. Note, this memory should
+\fI*user\fR\. Note, this memory should
 \fBnot\fR
 be
-\fIfree()\fR'd or
+\fIfree()\fR\'d or
 \fImodified\fR
-by the module.
+by the module\.
 .PP
 This function sets the
 \fIPAM_USER\fR
@@ -59,17 +60,23 @@ item associated with the
 \fBpam_set_item\fR(3)
 and
 \fBpam_get_item\fR(3)
-functions.
+functions\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-User name was successful retrieved.
-.TP 3n
+.RS 4
+User name was successful retrieved\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-A NULL pointer was submitted.
-.TP 3n
+.RS 4
+A NULL pointer was submitted\.
+.RE
+.PP
 PAM_CONV_ERR
-The conversation method supplied by the application failed to obtain the username.
+.RS 4
+The conversation method supplied by the application failed to obtain the username\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_getenv.3 b/Linux-PAM/doc/man/pam_getenv.3
index 3882d080..7ad6db67 100644
--- a/Linux-PAM/doc/man/pam_getenv.3
+++ b/Linux-PAM/doc/man/pam_getenv.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_getenv
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_GETENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GETENV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_getenv \- get a PAM environment variable
+pam_getenv - get a PAM environment variable
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 23
@@ -28,12 +28,12 @@ The
 function searches the PAM environment list as associated with the handle
 \fIpamh\fR
 for a string that matches the string pointed to by
-\fIname\fR. The return values are of the form: "\fIname=value\fR".
+\fIname\fR\. The return values are of the form: "\fIname=value\fR"\.
 .SH "RETURN VALUES"
 .PP
 The
 \fBpam_getenv\fR
-function returns NULL on failure.
+function returns NULL on failure\.
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_getenvlist.3 b/Linux-PAM/doc/man/pam_getenvlist.3
index 57c1d70e..66dec1c6 100644
--- a/Linux-PAM/doc/man/pam_getenvlist.3
+++ b/Linux-PAM/doc/man/pam_getenvlist.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_getenvlist
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_GETENVLIST" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GETENVLIST" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_getenvlist \- getting the PAM environment
+pam_getenvlist - getting the PAM environment
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 22
@@ -26,21 +26,21 @@ pam_getenvlist \- getting the PAM environment
 The
 \fBpam_getenvlist\fR
 function returns a complete copy of the PAM environment as associated with the handle
-\fIpamh\fR. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted.
+\fIpamh\fR\. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted\.
 .PP
-The format of the memory is a malloc()'d array of char pointers, the last element of which is set to NULL. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()'d char string of the form: "\fIname=value\fR".
+The format of the memory is a malloc()\'d array of char pointers, the last element of which is set to NULL\. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()\'d char string of the form: "\fIname=value\fR"\.
 .PP
-It should be noted that this memory will never be free()'d by libpam. Once obtained by a call to
-\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory.
+It should be noted that this memory will never be free()\'d by libpam\. Once obtained by a call to
+\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory\.
 .PP
 It is by design, and not a coincidence, that the format and contents of the returned array matches that required for the third argument of the
 \fBexecle\fR(3)
-function call.
+function call\.
 .SH "RETURN VALUES"
 .PP
 The
 \fBpam_getenvlist\fR
-function returns NULL on failure.
+function returns NULL on failure\.
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_info.3 b/Linux-PAM/doc/man/pam_info.3
index fabb5aa7..39f3be3c 100644
--- a/Linux-PAM/doc/man/pam_info.3
+++ b/Linux-PAM/doc/man/pam_info.3
@@ -1,33 +1,33 @@
 .\"     Title: pam_info
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_INFO" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_INFO" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_info, pam_vinfo \- display messages to the user
+pam_info, pam_vinfo - display messages to the user
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_ext.h>
+#include <security/pam_ext\.h>
 .fi
 .ft
 .HP 13
-.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "..." ");"
+.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\.\.\." ");"
 .HP 14
 .BI "int pam_vinfo(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
 .SH "DESCRIPTION"
 .PP
 The
 \fBpam_info\fR
-function prints messages through the conversation function to the user.
+function prints messages through the conversation function to the user\.
 .PP
 The
 \fBpam_vinfo\fR
@@ -35,20 +35,28 @@ function performs the same task as
 \fBpam_info()\fR
 with the difference that it takes a set of arguments which have been obtained using the
 \fBstdarg\fR(3)
-variable argument list macros.
+variable argument list macros\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CONV_ERR
-Conversation failure.
-.TP 3n
+.RS 4
+Conversation failure\.
+.RE
+.PP
 PAM_SUCCESS
-Transaction was successful created.
-.TP 3n
+.RS 4
+Transaction was successful created\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-System error.
+.RS 4
+System error\.
+.RE
 .SH "SEE ALSO"
 .PP
 
@@ -59,4 +67,4 @@ The
 \fBpam_info\fR
 and
 \fBpam_vinfo\fR
-functions are Linux\-PAM extensions.
+functions are Linux\-PAM extensions\.
diff --git a/Linux-PAM/doc/man/pam_item_types_ext.inc.xml b/Linux-PAM/doc/man/pam_item_types_ext.inc.xml
new file mode 100644
index 00000000..89f19875
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_item_types_ext.inc.xml
@@ -0,0 +1,45 @@
+<!-- this file is included by pam_set_item and pam_get_item -->
+
+    <variablelist>
+      <varlistentry>
+        <term>PAM_FAIL_DELAY</term>
+        <listitem>
+          <para>
+            A function pointer to redirect centrally managed
+            failure delays. See
+            <citerefentry>
+              <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_XDISPLAY</term>
+        <listitem>
+          <para>
+            The name of the X display.  For graphical, X-based applications the
+	    value for this item should be the <emphasis>$DISPLAY</emphasis>
+	    variable.  This value may be used independently of
+	    <emphasis>PAM_TTY</emphasis> for passing the
+	    name of the display.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_XAUTHDATA</term>
+        <listitem>
+          <para>
+            A pointer to a structure containing the X authentication data
+	    required to make a connection to the display specified by
+	    <emphasis>PAM_XDISPLAY</emphasis>, if such information is
+	    necessary.  See
+            <citerefentry>
+              <refentrytitle>pam_xauth_data</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
diff --git a/Linux-PAM/doc/man/pam_item_types_std.inc.xml b/Linux-PAM/doc/man/pam_item_types_std.inc.xml
new file mode 100644
index 00000000..81f240b0
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_item_types_std.inc.xml
@@ -0,0 +1,138 @@
+<!-- this file is included by pam_set_item and pam_get_item -->
+
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SERVICE</term>
+        <listitem>
+          <para>
+            The service name (which identifies that PAM stack that
+            the PAM functions will use to authenticate the program).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER</term>
+        <listitem>
+          <para>
+            The username of the entity under whose identity service
+            will be given. That is, following authentication,
+            <emphasis>PAM_USER</emphasis> identifies the local entity
+            that gets to use the service. Note, this value can be mapped
+            from something (eg., "anonymous") to something else (eg.
+            "guest119") by any module in the PAM stack. As such an
+            application should consult the value of
+            <emphasis>PAM_USER</emphasis> after each call to a PAM function.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER_PROMPT</term>
+        <listitem>
+          <para>
+            The string used when prompting for a user's name. The default
+            value for this string is a localized version of "login: ".
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_TTY</term>
+        <listitem>
+          <para>
+            The terminal name: prefixed by <filename>/dev/</filename> if
+            it is a device file; for graphical, X-based, applications the
+            value for this item should be the
+            <emphasis>$DISPLAY</emphasis> variable.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_RUSER</term>
+        <listitem>
+          <para>
+            The requesting user name: local name for a locally
+            requesting user or a remote user name for a remote
+            requesting user.
+          </para>
+          <para>
+            Generally an application or module will attempt to supply
+            the value that is most strongly authenticated (a local account
+            before a remote one. The level of trust in this value is
+            embodied in the actual authentication stack associated with
+            the application, so it is ultimately at the discretion of the
+            system administrator.
+          </para>
+          <para>
+            <emphasis>PAM_RUSER@PAM_RHOST</emphasis> should always identify
+             the requesting user. In some cases,
+             <emphasis>PAM_RUSER</emphasis> may be NULL. In such situations,
+             it is unclear who the requesting entity is.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_RHOST</term>
+        <listitem>
+          <para>
+            The requesting hostname (the hostname of the machine from
+            which the <emphasis>PAM_RUSER</emphasis> entity is requesting
+            service). That is <emphasis>PAM_RUSER@PAM_RHOST</emphasis>
+            does identify the requesting user. In some applications,
+            <emphasis>PAM_RHOST</emphasis> may be NULL. In such situations,
+            it is unclear where the authentication request is originating
+            from.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_AUTHTOK</term>
+        <listitem>
+          <para>
+            The authentication token (often a password). This token
+            should be ignored by all module functions besides
+            <citerefentry>
+              <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry> and
+            <citerefentry>
+              <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+            In the former function it is used to pass the most recent
+            authentication token from one stacked module to another. In
+            the latter function the token is used for another purpose.
+            It contains the currently active authentication token.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_OLDAUTHTOK</term>
+        <listitem>
+          <para>
+            The old authentication token. This token should be ignored
+            by all module functions except
+            <citerefentry>
+              <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+
+      <varlistentry>
+        <term>PAM_CONV</term>
+        <listitem>
+          <para>
+            The pam_conv structure. See
+            <citerefentry>
+              <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
diff --git a/Linux-PAM/doc/man/pam_misc_drop_env.3 b/Linux-PAM/doc/man/pam_misc_drop_env.3
index 5708d5bc..03c0529c 100644
--- a/Linux-PAM/doc/man/pam_misc_drop_env.3
+++ b/Linux-PAM/doc/man/pam_misc_drop_env.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_misc_drop_env
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_MISC_DROP_ENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MISC_DROP_ENV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_misc_drop_env \- liberating a locally saved environment
+pam_misc_drop_env - liberating a locally saved environment
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_misc.h>
+#include <security/pam_misc\.h>
 .fi
 .ft
 .HP 22
@@ -25,13 +25,13 @@ pam_misc_drop_env \- liberating a locally saved environment
 .PP
 This function is defined to complement the
 \fBpam_getenvlist\fR(3)
-function. It liberates the memory associated with
+function\. It liberates the memory associated with
 \fIenv\fR,
 \fIoverwriting\fR
 with
 \fI0\fR
 all memory before
-\fBfree()\fRing it.
+\fBfree()\fRing it\.
 .SH "SEE ALSO"
 .PP
 
@@ -43,4 +43,4 @@ The
 \fBpam_misc_drop_env\fR
 function is part of the
 \fBlibpam_misc\fR
-Library and not defined in any standard.
+Library and not defined in any standard\.
diff --git a/Linux-PAM/doc/man/pam_misc_paste_env.3 b/Linux-PAM/doc/man/pam_misc_paste_env.3
index 9ba1e8fe..9b00912c 100644
--- a/Linux-PAM/doc/man/pam_misc_paste_env.3
+++ b/Linux-PAM/doc/man/pam_misc_paste_env.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_misc_paste_env
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_MISC_PASTE_ENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MISC_PASTE_ENV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_misc_paste_env \- transcribing an environment to that of PAM
+pam_misc_paste_env - transcribing an environment to that of PAM
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_misc.h>
+#include <security/pam_misc\.h>
 .fi
 .ft
 .HP 23
@@ -25,8 +25,8 @@ pam_misc_paste_env \- transcribing an environment to that of PAM
 .PP
 This function takes the supplied list of environment pointers and
 \fIuploads\fR
-its contents to the PAM environment. Success is indicated by
-PAM_SUCCESS.
+its contents to the PAM environment\. Success is indicated by
+PAM_SUCCESS\.
 .SH "SEE ALSO"
 .PP
 
@@ -38,4 +38,4 @@ The
 \fBpam_misc_paste_env\fR
 function is part of the
 \fBlibpam_misc\fR
-Library and not defined in any standard.
+Library and not defined in any standard\.
diff --git a/Linux-PAM/doc/man/pam_misc_setenv.3 b/Linux-PAM/doc/man/pam_misc_setenv.3
index 49e8138c..47521367 100644
--- a/Linux-PAM/doc/man/pam_misc_setenv.3
+++ b/Linux-PAM/doc/man/pam_misc_setenv.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_misc_setenv
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_MISC_SETENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MISC_SETENV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_misc_setenv \- BSD like PAM environment variable setting
+pam_misc_setenv - BSD like PAM environment variable setting
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_misc.h>
+#include <security/pam_misc\.h>
 .fi
 .ft
 .HP 20
@@ -25,13 +25,13 @@ pam_misc_setenv \- BSD like PAM environment variable setting
 .PP
 This function performs a task equivalent to
 \fBpam_putenv\fR(3), its syntax is, however, more like the BSD style function;
-\fBsetenv()\fR. The
+\fBsetenv()\fR\. The
 \fIname\fR
 and
 \fIvalue\fR
-are concatenated with an '=' to form a name=value and passed to
-\fBpam_putenv()\fR. If, however, the PAM variable is already set, the replacement will only be applied if the last argument,
-\fIreadonly\fR, is zero.
+are concatenated with an \'=\' to form a name=value and passed to
+\fBpam_putenv()\fR\. If, however, the PAM variable is already set, the replacement will only be applied if the last argument,
+\fIreadonly\fR, is zero\.
 .SH "SEE ALSO"
 .PP
 
@@ -43,4 +43,4 @@ The
 \fBpam_misc_setenv\fR
 function is part of the
 \fBlibpam_misc\fR
-Library and not defined in any standard.
+Library and not defined in any standard\.
diff --git a/Linux-PAM/doc/man/pam_open_session.3 b/Linux-PAM/doc/man/pam_open_session.3
index e61b5ed8..194de310 100644
--- a/Linux-PAM/doc/man/pam_open_session.3
+++ b/Linux-PAM/doc/man/pam_open_session.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_open_session
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_OPEN_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_OPEN_SESSION" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_open_session \- start PAM session management
+pam_open_session - start PAM session management
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 21
@@ -25,29 +25,39 @@ pam_open_session \- start PAM session management
 .PP
 The
 \fBpam_open_session\fR
-function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to
-\fBpam_close_session\fR(3).
+function sets up a user session for a previously successful authenticated user\. The session should later be terminated with a call to
+\fBpam_close_session\fR(3)\.
 .PP
 It should be noted that the effective uid,
-\fBgeteuid\fR(2). of the application should be of sufficient privilege to perform such tasks as creating or mounting the user's home directory for example.
+\fBgeteuid\fR(2)\. of the application should be of sufficient privilege to perform such tasks as creating or mounting the user\'s home directory for example\.
 .PP
 The flags argument is the binary or of zero or more of the following values:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
+.RS 4
+Do not emit any messages\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ABORT
-General failure.
-.TP 3n
+.RS 4
+General failure\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SESSION_ERR
-Session failure.
-.TP 3n
+.RS 4
+Session failure\.
+.RE
+.PP
 PAM_SUCCESS
-Session was successful created.
+.RS 4
+Session was successful created\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_prompt.3 b/Linux-PAM/doc/man/pam_prompt.3
index ce3b2a96..f89683dd 100644
--- a/Linux-PAM/doc/man/pam_prompt.3
+++ b/Linux-PAM/doc/man/pam_prompt.3
@@ -1,26 +1,26 @@
 .\"     Title: pam_prompt
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_PROMPT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_PROMPT" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_prompt, pam_vprompt \- interface to conversation function
+pam_prompt, pam_vprompt - interface to conversation function
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_ext.h>
+#include <security/pam_ext\.h>
 .fi
 .ft
 .HP 16
-.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "..." ");"
+.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "\.\.\." ");"
 .HP 17
 .BI "void pam_vprompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
 .SH "DESCRIPTION"
@@ -29,18 +29,26 @@ The
 \fBpam_prompt\fR
 function constructs a message from the specified format string and arguments and passes it to
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CONV_ERR
-Conversation failure.
-.TP 3n
+.RS 4
+Conversation failure\.
+.RE
+.PP
 PAM_SUCCESS
-Transaction was successful created.
-.TP 3n
+.RS 4
+Transaction was successful created\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-System error.
+.RS 4
+System error\.
+.RE
 .SH "SEE ALSO"
 .PP
 
@@ -52,4 +60,4 @@ The
 \fBpam_prompt\fR
 and
 \fBpam_vprompt\fR
-functions are Linux\-PAM extensions.
+functions are Linux\-PAM extensions\.
diff --git a/Linux-PAM/doc/man/pam_putenv.3 b/Linux-PAM/doc/man/pam_putenv.3
index b0edc103..00b1678e 100644
--- a/Linux-PAM/doc/man/pam_putenv.3
+++ b/Linux-PAM/doc/man/pam_putenv.3
@@ -1,11 +1,11 @@
 .\"     Title: pam_putenv
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
-.\"      Date: 09/28/2007
+.\"      Date: 02/04/2008
 .\"    Manual: Linux-PAM Manual
 .\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_PUTENV" "3" "09/28/2007" "Linux-PAM Manual" "Linux-PAM Manual"
+.TH "PAM_PUTENV" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
diff --git a/Linux-PAM/doc/man/pam_set_data.3 b/Linux-PAM/doc/man/pam_set_data.3
index c3a2a689..e3c1cc84 100644
--- a/Linux-PAM/doc/man/pam_set_data.3
+++ b/Linux-PAM/doc/man/pam_set_data.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_set_data
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SET_DATA" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SET_DATA" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_set_data \- set module internal data
+pam_set_data - set module internal data
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 17
@@ -29,30 +29,30 @@ function associates a pointer to an object with the (hopefully) unique string
 \fImodule_data_name\fR
 in the PAM context specified by the
 \fIpamh\fR
-argument.
+argument\.
 .PP
-PAM modules may be dynamically loadable objects. In general such files should not contain
+PAM modules may be dynamically loadable objects\. In general such files should not contain
 \fIstatic\fR
-variables. This function and its counterpart
+variables\. This function and its counterpart
 \fBpam_get_data\fR(3), provide a mechanism for a module to associate some data with the handle
-\fIpamh\fR. Typically a module will call the
+\fIpamh\fR\. Typically a module will call the
 \fBpam_set_data\fR
 function to register some data under a (hopefully) unique
-\fImodule_data_name\fR. The data is available for use by other modules too but
+\fImodule_data_name\fR\. The data is available for use by other modules too but
 \fInot\fR
-by an application. Since this functions stores only a pointer to the
-\fIdata\fR, the module should not modify or free the content of it.
+by an application\. Since this functions stores only a pointer to the
+\fIdata\fR, the module should not modify or free the content of it\.
 .PP
 The function
 \fBcleanup()\fR
 is associated with the
 \fIdata\fR
 and, if non\-NULL, it is called when this data is over\-written or following a call to
-\fBpam_end\fR(3).
+\fBpam_end\fR(3)\.
 .PP
 The
 \fIerror_status\fR
-argument is used to indicate to the module the sort of action it is to take in cleaning this data item. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item. When
+argument is used to indicate to the module the sort of action it is to take in cleaning this data item\. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item\. When
 \fBpam_end\fR(3)
 is called by the module, the
 \fIerror_status\fR
@@ -60,31 +60,41 @@ carries the return value of the
 \fBpam_authenticate\fR(3)
 or other
 \fIlibpam\fR
-function as appropriate. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place.
+function as appropriate\. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place\.
 .PP
 The
 \fIerror_status\fR
-may have been logically OR'd with either of the following two values:
-.TP 3n
+may have been logically OR\'d with either of the following two values:
+.PP
 PAM_DATA_REPLACE
+.RS 4
 When a data item is being replaced (through a second call to
-\fBpam_set_data\fR) this mask is used. Otherwise, the call is assumed to be from
-\fBpam_end\fR(3).
-.TP 3n
+\fBpam_set_data\fR) this mask is used\. Otherwise, the call is assumed to be from
+\fBpam_end\fR(3)\.
+.RE
+.PP
 PAM_DATA_SILENT
+.RS 4
 Which indicates that the process would prefer to perform the
 \fBcleanup()\fR
-quietly. That is, discourages logging/messages to the user.
+quietly\. That is, discourages logging/messages to the user\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SUCCESS
-Data was successful stored.
-.TP 3n
+.RS 4
+Data was successful stored\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-A NULL pointer was submitted as PAM handle or the function was called by an application.
+.RS 4
+A NULL pointer was submitted as PAM handle or the function was called by an application\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_set_item.3 b/Linux-PAM/doc/man/pam_set_item.3
index fa802747..bfb7c0ff 100644
--- a/Linux-PAM/doc/man/pam_set_item.3
+++ b/Linux-PAM/doc/man/pam_set_item.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_set_item
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SET_ITEM" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SET_ITEM" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_set_item \- set and update PAM informations
+pam_set_item - set and update PAM informations
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 17
@@ -26,97 +26,143 @@ pam_set_item \- set and update PAM informations
 The
 \fBpam_set_item\fR
 function allows applications and PAM service modules to access and to update PAM informations of
-\fIitem_type\fR. For this a copy of the object pointed to by the
+\fIitem_type\fR\. For this a copy of the object pointed to by the
 \fIitem\fR
-argument is created. The following
+argument is created\. The following
 \fIitem_type\fRs are supported:
-.TP 3n
+.PP
 PAM_SERVICE
-The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program).
-.TP 3n
+.RS 4
+The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\.
+.RE
+.PP
 PAM_USER
-The username of the entity under whose identity service will be given. That is, following authentication,
+.RS 4
+The username of the entity under whose identity service will be given\. That is, following authentication,
 \fIPAM_USER\fR
-identifies the local entity that gets to use the service. Note, this value can be mapped from something (eg., "anonymous") to something else (eg. "guest119") by any module in the PAM stack. As such an application should consult the value of
+identifies the local entity that gets to use the service\. Note, this value can be mapped from something (eg\., "anonymous") to something else (eg\. "guest119") by any module in the PAM stack\. As such an application should consult the value of
 \fIPAM_USER\fR
-after each call to a PAM function.
-.TP 3n
+after each call to a PAM function\.
+.RE
+.PP
 PAM_USER_PROMPT
-The string used when prompting for a user's name. The default value for this string is a localized version of "login: ".
-.TP 3n
+.RS 4
+The string used when prompting for a user\'s name\. The default value for this string is a localized version of "login: "\.
+.RE
+.PP
 PAM_TTY
+.RS 4
 The terminal name: prefixed by
 \fI/dev/\fR
 if it is a device file; for graphical, X\-based, applications the value for this item should be the
 \fI$DISPLAY\fR
-variable.
-.TP 3n
+variable\.
+.RE
+.PP
 PAM_RUSER
-The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user.
+.RS 4
+The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\.
 .sp
-Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator.
+Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\.
 .sp
 
 \fIPAM_RUSER@PAM_RHOST\fR
-should always identify the requesting user. In some cases,
+should always identify the requesting user\. In some cases,
 \fIPAM_RUSER\fR
-may be NULL. In such situations, it is unclear who the requesting entity is.
-.TP 3n
+may be NULL\. In such situations, it is unclear who the requesting entity is\.
+.RE
+.PP
 PAM_RHOST
+.RS 4
 The requesting hostname (the hostname of the machine from which the
 \fIPAM_RUSER\fR
-entity is requesting service). That is
+entity is requesting service)\. That is
 \fIPAM_RUSER@PAM_RHOST\fR
-does identify the requesting user. In some applications,
+does identify the requesting user\. In some applications,
 \fIPAM_RHOST\fR
-may be NULL. In such situations, it is unclear where the authentication request is originating from.
-.TP 3n
+may be NULL\. In such situations, it is unclear where the authentication request is originating from\.
+.RE
+.PP
 PAM_AUTHTOK
-The authentication token (often a password). This token should be ignored by all module functions besides
+.RS 4
+The authentication token (often a password)\. This token should be ignored by all module functions besides
 \fBpam_sm_authenticate\fR(3)
 and
-\fBpam_sm_chauthtok\fR(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.
-.TP 3n
+\fBpam_sm_chauthtok\fR(3)\. In the former function it is used to pass the most recent authentication token from one stacked module to another\. In the latter function the token is used for another purpose\. It contains the currently active authentication token\.
+.RE
+.PP
 PAM_OLDAUTHTOK
-The old authentication token. This token should be ignored by all module functions except
-\fBpam_sm_chauthtok\fR(3).
-.TP 3n
+.RS 4
+The old authentication token\. This token should be ignored by all module functions except
+\fBpam_sm_chauthtok\fR(3)\.
+.RE
+.PP
 PAM_CONV
-The pam_conv structure. See
-\fBpam_conv\fR(3).
-.TP 3n
+.RS 4
+The pam_conv structure\. See
+\fBpam_conv\fR(3)\.
+.RE
+.PP
+The following additional items are specific to Linux\-PAM and should not be used in portable applications:
+.PP
 PAM_FAIL_DELAY
-A function pointer to redirect centrally managed failure delays. See
-\fBpam_fail_delay\fR(3).
+.RS 4
+A function pointer to redirect centrally managed failure delays\. See
+\fBpam_fail_delay\fR(3)\.
+.RE
+.PP
+PAM_XDISPLAY
+.RS 4
+The name of the X display\. For graphical, X\-based applications the value for this item should be the
+\fI$DISPLAY\fR
+variable\. This value may be used independently of
+\fIPAM_TTY\fR
+for passing the name of the display\.
+.RE
+.PP
+PAM_XAUTHDATA
+.RS 4
+A pointer to a structure containing the X authentication data required to make a connection to the display specified by
+\fIPAM_XDISPLAY\fR, if such information is necessary\. See
+\fBpam_xauth_data\fR(3)\.
+.RE
 .PP
 For all
 \fIitem_type\fRs, other than PAM_CONV and PAM_FAIL_DELAY,
 \fIitem\fR
-is a pointer to a <NUL> terminated character string. In the case of PAM_CONV,
+is a pointer to a <NUL> terminated character string\. In the case of PAM_CONV,
 \fIitem\fR
 points to an initialized
 \fIpam_conv\fR
-structure. In the case of PAM_FAIL_DELAY,
+structure\. In the case of PAM_FAIL_DELAY,
 \fIitem\fR
 is a function pointer:
 \fBvoid (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)\fR
 .PP
-Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before returning to the application. Which means an application is not able to access the authentication tokens.
+Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before returning to the application\. Which means an application is not able to access the authentication tokens\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BAD_ITEM
-The application attempted to set an undefined or inaccessible item.
-.TP 3n
+.RS 4
+The application attempted to set an undefined or inaccessible item\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SUCCESS
-Data was successful updated.
-.TP 3n
+.RS 4
+Data was successful updated\.
+.RE
+.PP
 PAM_SYSTEM_ERR
+.RS 4
 The
 \fIpam_handle_t\fR
-passed as first argument was invalid.
+passed as first argument was invalid\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_set_item.3.xml b/Linux-PAM/doc/man/pam_set_item.3.xml
index cbac8413..39758313 100644
--- a/Linux-PAM/doc/man/pam_set_item.3.xml
+++ b/Linux-PAM/doc/man/pam_set_item.3.xml
@@ -3,7 +3,8 @@
                    "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
 [
 <!--
-<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml">
 -->
 ]>
 
@@ -52,7 +53,15 @@
    </para>
 
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-      href="pam_item_types.inc.xml"/>
+      href="pam_item_types_std.inc.xml"/>
+
+   <para>
+     The following additional items are specific to Linux-PAM and should not be used in
+     portable applications:
+   </para>
+
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_item_types_ext.inc.xml"/>
 
     <para>
       For all <emphasis>item_type</emphasis>s, other than PAM_CONV and
diff --git a/Linux-PAM/doc/man/pam_setcred.3 b/Linux-PAM/doc/man/pam_setcred.3
index 055ee56e..67f06e62 100644
--- a/Linux-PAM/doc/man/pam_setcred.3
+++ b/Linux-PAM/doc/man/pam_setcred.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_setcred
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SETCRED" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SETCRED" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_setcred \- establish / delete user credentials
+pam_setcred - establish / delete user credentials
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 16
@@ -25,55 +25,77 @@ pam_setcred \- establish / delete user credentials
 .PP
 The
 \fBpam_setcred\fR
-function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been authenticated and before a session is opened for the user (with
-\fBpam_open_session\fR(3)).
+function is used to establish, maintain and delete the credentials of a user\. It should be called after a user has been authenticated and before a session is opened for the user (with
+\fBpam_open_session\fR(3))\.
 .PP
-A credential is something that the user possesses. It is some property, such as a
+A credential is something that the user possesses\. It is some property, such as a
 \fIKerberos\fR
-ticket, or a supplementary group membership that make up the uniqueness of a given user. On a Linux system the user's
+ticket, or a supplementary group membership that make up the uniqueness of a given user\. On a Linux system the user\'s
 \fIUID\fR
 and
-\fIGID\fR's are credentials too. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM. Such credentials should be established, by the application, prior to a call to this function. For example,
+\fIGID\fR\'s are credentials too\. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM\. Such credentials should be established, by the application, prior to a call to this function\. For example,
 \fBinitgroups\fR(2)
-(or equivalent) should have been performed.
+(or equivalent) should have been performed\.
 .PP
 Valid
-\fIflags\fR, any one of which, may be logically OR'd with
+\fIflags\fR, any one of which, may be logically OR\'d with
 \fBPAM_SILENT\fR, are:
-.TP 3n
+.PP
 PAM_ESTABLISH_CRED
-Initialize the credentials for the user.
-.TP 3n
+.RS 4
+Initialize the credentials for the user\.
+.RE
+.PP
 PAM_DELETE_CRED
-Delete the user's credentials.
-.TP 3n
+.RS 4
+Delete the user\'s credentials\.
+.RE
+.PP
 PAM_REINITIALIZE_CRED
-Fully reinitialize the user's credentials.
-.TP 3n
+.RS 4
+Fully reinitialize the user\'s credentials\.
+.RE
+.PP
 PAM_REFRESH_CRED
-Extend the lifetime of the existing credentials.
+.RS 4
+Extend the lifetime of the existing credentials\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CRED_ERR
-Failed to set user credentials.
-.TP 3n
+.RS 4
+Failed to set user credentials\.
+.RE
+.PP
 PAM_CRED_EXPIRED
-User credentials are expired.
-.TP 3n
+.RS 4
+User credentials are expired\.
+.RE
+.PP
 PAM_CRED_UNAVAIL
-Failed to retrieve user credentials.
-.TP 3n
+.RS 4
+Failed to retrieve user credentials\.
+.RE
+.PP
 PAM_SUCCESS
-Data was successful stored.
-.TP 3n
+.RS 4
+Data was successful stored\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-A NULL pointer was submitted as PAM handle, the function was called by a module or another system error occured.
-.TP 3n
+.RS 4
+A NULL pointer was submitted as PAM handle, the function was called by a module or another system error occured\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User is not known to an authentication module.
+.RS 4
+User is not known to an authentication module\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_sm_acct_mgmt.3 b/Linux-PAM/doc/man/pam_sm_acct_mgmt.3
index b720e3af..a3ddf2f7 100644
--- a/Linux-PAM/doc/man/pam_sm_acct_mgmt.3
+++ b/Linux-PAM/doc/man/pam_sm_acct_mgmt.3
@@ -1,17 +1,17 @@
 .\"     Title: pam_sm_acct_mgmt
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SM_ACCT_MGMT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SM_ACCT_MGMT" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_sm_acct_mgmt \- PAM service function for account management
+pam_sm_acct_mgmt - PAM service function for account management
 .SH "SYNOPSIS"
 .sp
 .ft B
@@ -22,7 +22,7 @@ pam_sm_acct_mgmt \- PAM service function for account management
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 32
@@ -31,44 +31,60 @@ pam_sm_acct_mgmt \- PAM service function for account management
 .PP
 The
 \fBpam_sm_acct_mgmt\fR
-function is the service module's implementation of the
+function is the service module\'s implementation of the
 \fBpam_acct_mgmt\fR(3)
-interface.
+interface\.
 .PP
-This function performs the task of establishing whether the user is permitted to gain access at this time. It should be understood that the user has previously been validated by an authentication module. This function checks for other things. Such things might be: the time of day or the date, the terminal line, remote hostname, etc. This function may also determine things like the expiration on passwords, and respond that the user change it before continuing.
+This function performs the task of establishing whether the user is permitted to gain access at this time\. It should be understood that the user has previously been validated by an authentication module\. This function checks for other things\. Such things might be: the time of day or the date, the terminal line, remote hostname, etc\. This function may also determine things like the expiration on passwords, and respond that the user change it before continuing\.
 .PP
-Valid flags, which may be logically OR'd with
+Valid flags, which may be logically OR\'d with
 \fIPAM_SILENT\fR, are:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_DISALLOW_NULL_AUTHTOK
+.RS 4
 Return
 \fBPAM_AUTH_ERR\fR
 if the database of authentication tokens for this authentication mechanism has a
 \fINULL\fR
-entry for the user.
+entry for the user\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ACCT_EXPIRED
-User account has expired.
-.TP 3n
+.RS 4
+User account has expired\.
+.RE
+.PP
 PAM_AUTH_ERR
-Authentication failure.
-.TP 3n
+.RS 4
+Authentication failure\.
+.RE
+.PP
 PAM_NEW_AUTHTOK_REQD
-The user's authentication token has expired. Before calling this function again the application will arrange for a new one to be given. This will likely result in a call to
-\fBpam_sm_chauthtok()\fR.
-.TP 3n
+.RS 4
+The user\'s authentication token has expired\. Before calling this function again the application will arrange for a new one to be given\. This will likely result in a call to
+\fBpam_sm_chauthtok()\fR\.
+.RE
+.PP
 PAM_PERM_DENIED
-Permission denied.
-.TP 3n
+.RS 4
+Permission denied\.
+.RE
+.PP
 PAM_SUCCESS
-The authentication token was successfully updated.
-.TP 3n
+.RS 4
+The authentication token was successfully updated\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User unknown to password service.
+.RS 4
+User unknown to password service\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_sm_authenticate.3 b/Linux-PAM/doc/man/pam_sm_authenticate.3
index 7487f6af..a61e9a2c 100644
--- a/Linux-PAM/doc/man/pam_sm_authenticate.3
+++ b/Linux-PAM/doc/man/pam_sm_authenticate.3
@@ -1,17 +1,17 @@
 .\"     Title: pam_sm_authenticate
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SM_AUTHENTICATE" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SM_AUTHENTICATE" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_sm_authenticate \- PAM service function for user authentication
+pam_sm_authenticate - PAM service function for user authentication
 .SH "SYNOPSIS"
 .sp
 .ft B
@@ -22,7 +22,7 @@ pam_sm_authenticate \- PAM service function for user authentication
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 35
@@ -31,45 +31,61 @@ pam_sm_authenticate \- PAM service function for user authentication
 .PP
 The
 \fBpam_sm_authenticate\fR
-function is the service module's implementation of the
+function is the service module\'s implementation of the
 \fBpam_authenticate\fR(3)
-interface.
+interface\.
 .PP
-This function performs the task of authenticating the user.
+This function performs the task of authenticating the user\.
 .PP
-Valid flags, which may be logically OR'd with
+Valid flags, which may be logically OR\'d with
 \fIPAM_SILENT\fR, are:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_DISALLOW_NULL_AUTHTOK
+.RS 4
 Return
 \fBPAM_AUTH_ERR\fR
 if the database of authentication tokens for this authentication mechanism has a
 \fINULL\fR
-entry for the user. Without this flag, such a
+entry for the user\. Without this flag, such a
 \fINULL\fR
-token will lead to a success without the user being prompted.
+token will lead to a success without the user being prompted\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_AUTH_ERR
-Authentication failure.
-.TP 3n
+.RS 4
+Authentication failure\.
+.RE
+.PP
 PAM_CRED_INSUFFICIENT
-For some reason the application does not have sufficient credentials to authenticate the user.
-.TP 3n
+.RS 4
+For some reason the application does not have sufficient credentials to authenticate the user\.
+.RE
+.PP
 PAM_AUTHINFO_UNAVAIL
-The modules were not able to access the authentication information. This might be due to a network or hardware failure etc.
-.TP 3n
+.RS 4
+The modules were not able to access the authentication information\. This might be due to a network or hardware failure etc\.
+.RE
+.PP
 PAM_SUCCESS
-The authentication token was successfully updated.
-.TP 3n
+.RS 4
+The authentication token was successfully updated\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-The supplied username is not known to the authentication service.
-.TP 3n
+.RS 4
+The supplied username is not known to the authentication service\.
+.RE
+.PP
 PAM_MAXTRIES
-One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again.
+.RS 4
+One or more of the authentication modules has reached its limit of tries authenticating the user\. Do not try again\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_sm_chauthtok.3 b/Linux-PAM/doc/man/pam_sm_chauthtok.3
index c247f68f..00655692 100644
--- a/Linux-PAM/doc/man/pam_sm_chauthtok.3
+++ b/Linux-PAM/doc/man/pam_sm_chauthtok.3
@@ -1,17 +1,17 @@
 .\"     Title: pam_sm_chauthtok
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SM_CHAUTHTOK" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SM_CHAUTHTOK" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_sm_chauthtok \- PAM service function for authentication token management
+pam_sm_chauthtok - PAM service function for authentication token management
 .SH "SYNOPSIS"
 .sp
 .ft B
@@ -22,7 +22,7 @@ pam_sm_chauthtok \- PAM service function for authentication token management
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 32
@@ -31,62 +31,86 @@ pam_sm_chauthtok \- PAM service function for authentication token management
 .PP
 The
 \fBpam_sm_chauthtok\fR
-function is the service module's implementation of the
+function is the service module\'s implementation of the
 \fBpam_chauthtok\fR(3)
-interface.
+interface\.
 .PP
-This function is used to (re\-)set the authentication token of the user.
+This function is used to (re\-)set the authentication token of the user\.
 .PP
-Valid flags, which may be logically OR'd with
+Valid flags, which may be logically OR\'d with
 \fIPAM_SILENT\fR, are:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_CHANGE_EXPIRED_AUTHTOK
-This argument indicates to the module that the users authentication token (password) should only be changed if it has expired. This flag is optional and
+.RS 4
+This argument indicates to the module that the users authentication token (password) should only be changed if it has expired\. This flag is optional and
 \fImust\fR
-be combined with one of the following two flags. Note, however, the following two options are
-\fImutually exclusive\fR.
-.TP 3n
+be combined with one of the following two flags\. Note, however, the following two options are
+\fImutually exclusive\fR\.
+.RE
+.PP
 PAM_PRELIM_CHECK
-This indicates that the modules are being probed as to their ready status for altering the user's authentication token. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag. If a module cannot establish it is ready to update the user's authentication token it should return
-\fBPAM_TRY_AGAIN\fR, this information will be passed back to the application.
-.TP 3n
+.RS 4
+This indicates that the modules are being probed as to their ready status for altering the user\'s authentication token\. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag\. If a module cannot establish it is ready to update the user\'s authentication token it should return
+\fBPAM_TRY_AGAIN\fR, this information will be passed back to the application\.
+.RE
+.PP
 PAM_UPDATE_AUTHTOK
-This informs the module that this is the call it should change the authorization tokens. If the flag is logically OR'd with
-\fBPAM_CHANGE_EXPIRED_AUTHTOK\fR, the token is only changed if it has actually expired.
+.RS 4
+This informs the module that this is the call it should change the authorization tokens\. If the flag is logically OR\'d with
+\fBPAM_CHANGE_EXPIRED_AUTHTOK\fR, the token is only changed if it has actually expired\.
+.RE
 .PP
-The PAM library calls this function twice in succession. The first time with
+The PAM library calls this function twice in succession\. The first time with
 \fBPAM_PRELIM_CHECK\fR
 and then, if the module does not return
 \fBPAM_TRY_AGAIN\fR, subsequently with
-\fBPAM_UPDATE_AUTHTOK\fR. It is only on the second call that the authorization token is (possibly) changed.
+\fBPAM_UPDATE_AUTHTOK\fR\. It is only on the second call that the authorization token is (possibly) changed\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_AUTHTOK_ERR
-The module was unable to obtain the new authentication token.
-.TP 3n
+.RS 4
+The module was unable to obtain the new authentication token\.
+.RE
+.PP
 PAM_AUTHTOK_RECOVERY_ERR
-The module was unable to obtain the old authentication token.
-.TP 3n
+.RS 4
+The module was unable to obtain the old authentication token\.
+.RE
+.PP
 PAM_AUTHTOK_LOCK_BUSY
-Cannot change the authentication token since it is currently locked.
-.TP 3n
+.RS 4
+Cannot change the authentication token since it is currently locked\.
+.RE
+.PP
 PAM_AUTHTOK_DISABLE_AGING
-Authentication token aging has been disabled.
-.TP 3n
+.RS 4
+Authentication token aging has been disabled\.
+.RE
+.PP
 PAM_PERM_DENIED
-Permission denied.
-.TP 3n
+.RS 4
+Permission denied\.
+.RE
+.PP
 PAM_TRY_AGAIN
-Preliminary check was unsuccessful. Signals an immediate return to the application is desired.
-.TP 3n
+.RS 4
+Preliminary check was unsuccessful\. Signals an immediate return to the application is desired\.
+.RE
+.PP
 PAM_SUCCESS
-The authentication token was successfully updated.
-.TP 3n
+.RS 4
+The authentication token was successfully updated\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User unknown to password service.
+.RS 4
+User unknown to password service\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_sm_close_session.3 b/Linux-PAM/doc/man/pam_sm_close_session.3
index 4d0f081b..dec0650b 100644
--- a/Linux-PAM/doc/man/pam_sm_close_session.3
+++ b/Linux-PAM/doc/man/pam_sm_close_session.3
@@ -1,17 +1,17 @@
 .\"     Title: pam_sm_close_session
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SM_CLOSE_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SM_CLOSE_SESSION" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_sm_close_session \- PAM service function to terminate session management
+pam_sm_close_session - PAM service function to terminate session management
 .SH "SYNOPSIS"
 .sp
 .ft B
@@ -22,7 +22,7 @@ pam_sm_close_session \- PAM service function to terminate session management
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 36
@@ -31,23 +31,29 @@ pam_sm_close_session \- PAM service function to terminate session management
 .PP
 The
 \fBpam_sm_close_session\fR
-function is the service module's implementation of the
+function is the service module\'s implementation of the
 \fBpam_close_session\fR(3)
-interface.
+interface\.
 .PP
-This function is called to terminate a session. The only valid value for
+This function is called to terminate a session\. The only valid value for
 \fIflags\fR
 is zero or:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
+.RS 4
+Do not emit any messages\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SESSION_ERR
-Cannot make/remove an entry for the specified session.
-.TP 3n
+.RS 4
+Cannot make/remove an entry for the specified session\.
+.RE
+.PP
 PAM_SUCCESS
-The session was successfully terminated.
+.RS 4
+The session was successfully terminated\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_sm_open_session.3 b/Linux-PAM/doc/man/pam_sm_open_session.3
index b97f6005..ec9aebf9 100644
--- a/Linux-PAM/doc/man/pam_sm_open_session.3
+++ b/Linux-PAM/doc/man/pam_sm_open_session.3
@@ -1,17 +1,17 @@
 .\"     Title: pam_sm_open_session
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SM_OPEN_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SM_OPEN_SESSION" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_sm_open_session \- PAM service function to start session management
+pam_sm_open_session - PAM service function to start session management
 .SH "SYNOPSIS"
 .sp
 .ft B
@@ -22,7 +22,7 @@ pam_sm_open_session \- PAM service function to start session management
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 35
@@ -31,23 +31,29 @@ pam_sm_open_session \- PAM service function to start session management
 .PP
 The
 \fBpam_sm_open_session\fR
-function is the service module's implementation of the
+function is the service module\'s implementation of the
 \fBpam_open_session\fR(3)
-interface.
+interface\.
 .PP
-This function is called to commence a session. The only valid value for
+This function is called to commence a session\. The only valid value for
 \fIflags\fR
 is zero or:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
+.RS 4
+Do not emit any messages\.
+.RE
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SESSION_ERR
-Cannot make/remove an entry for the specified session.
-.TP 3n
+.RS 4
+Cannot make/remove an entry for the specified session\.
+.RE
+.PP
 PAM_SUCCESS
-The session was successfully started.
+.RS 4
+The session was successfully started\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_sm_setcred.3 b/Linux-PAM/doc/man/pam_sm_setcred.3
index b4cb70e8..078fdd59 100644
--- a/Linux-PAM/doc/man/pam_sm_setcred.3
+++ b/Linux-PAM/doc/man/pam_sm_setcred.3
@@ -1,17 +1,17 @@
 .\"     Title: pam_sm_setcred
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SM_SETCRED" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SM_SETCRED" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_sm_setcred \- PAM service function to alter credentials
+pam_sm_setcred - PAM service function to alter credentials
 .SH "SYNOPSIS"
 .sp
 .ft B
@@ -22,7 +22,7 @@ pam_sm_setcred \- PAM service function to alter credentials
 .sp
 .ft B
 .nf
-#include <security/pam_modules.h>
+#include <security/pam_modules\.h>
 .fi
 .ft
 .HP 30
@@ -31,59 +31,77 @@ pam_sm_setcred \- PAM service function to alter credentials
 .PP
 The
 \fBpam_sm_setcred\fR
-function is the service module's implementation of the
+function is the service module\'s implementation of the
 \fBpam_setcred\fR(3)
-interface.
+interface\.
 .PP
-This function performs the task of altering the credentials of the user with respect to the corresponding authorization scheme. Generally, an authentication module may have access to more information about a user than their authentication token. This function is used to make such information available to the application. It should only be called
+This function performs the task of altering the credentials of the user with respect to the corresponding authorization scheme\. Generally, an authentication module may have access to more information about a user than their authentication token\. This function is used to make such information available to the application\. It should only be called
 \fIafter\fR
-the user has been authenticated but before a session has been established.
+the user has been authenticated but before a session has been established\.
 .PP
-Valid flags, which may be logically OR'd with
+Valid flags, which may be logically OR\'d with
 \fIPAM_SILENT\fR, are:
-.TP 3n
+.PP
 PAM_SILENT
-Do not emit any messages.
-.TP 3n
+.RS 4
+Do not emit any messages\.
+.RE
+.PP
 PAM_DELETE_CRED
-Delete the credentials associated with the authentication service.
-.TP 3n
+.RS 4
+Delete the credentials associated with the authentication service\.
+.RE
+.PP
 PAM_REINITIALIZE_CRED
-Reinitialize the user credentials.
-.TP 3n
+.RS 4
+Reinitialize the user credentials\.
+.RE
+.PP
 PAM_REFRESH_CRED
-Extend the lifetime of the user credentials.
+.RS 4
+Extend the lifetime of the user credentials\.
+.RE
 .PP
 The way the
 \fBauth\fR
 stack is navigated in order to evaluate the
 \fBpam_setcred\fR() function call, independent of the
 \fBpam_sm_setcred\fR() return codes, is exactly the same way that it was navigated when evaluating the
-\fBpam_authenticate\fR() library call. Typically, if a stack entry was ignored in evaluating
+\fBpam_authenticate\fR() library call\. Typically, if a stack entry was ignored in evaluating
 \fBpam_authenticate\fR(), it will be ignored when libpam evaluates the
-\fBpam_setcred\fR() function call. Otherwise, the return codes from each module specific
+\fBpam_setcred\fR() function call\. Otherwise, the return codes from each module specific
 \fBpam_sm_setcred\fR() call are treated as
-\fBrequired\fR.
+\fBrequired\fR\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_CRED_UNAVAIL
-This module cannot retrieve the user's credentials.
-.TP 3n
+.RS 4
+This module cannot retrieve the user\'s credentials\.
+.RE
+.PP
 PAM_CRED_EXPIRED
-The user's credentials have expired.
-.TP 3n
+.RS 4
+The user\'s credentials have expired\.
+.RE
+.PP
 PAM_CRED_ERR
-This module was unable to set the credentials of the user.
-.TP 3n
+.RS 4
+This module was unable to set the credentials of the user\.
+.RE
+.PP
 PAM_SUCCESS
-The user credential was successfully set.
-.TP 3n
+.RS 4
+The user credential was successfully set\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-The user is not known to this authentication module.
+.RS 4
+The user is not known to this authentication module\.
+.RE
 .PP
 These, non\-\fIPAM_SUCCESS\fR, return values will typically lead to the credential stack
-\fIfailing\fR. The first such error will dominate in the return value of
-\fBpam_setcred\fR().
+\fIfailing\fR\. The first such error will dominate in the return value of
+\fBpam_setcred\fR()\.
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_start.3 b/Linux-PAM/doc/man/pam_start.3
index 22521213..bc46400b 100644
--- a/Linux-PAM/doc/man/pam_start.3
+++ b/Linux-PAM/doc/man/pam_start.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_start
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_START" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_START" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_start \- initialization of PAM transaction
+pam_start - initialization of PAM transaction
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 14
@@ -25,52 +25,60 @@ pam_start \- initialization of PAM transaction
 .PP
 The
 \fBpam_start\fR
-function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context.
+function creates the PAM context and initiates the PAM transaction\. It is the first of the PAM functions that needs to be called by an application\. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel\. But it is not possible to use the same handle for different transactions, a new one is needed for every new context\.
 .PP
 The
 \fIservice_name\fR
-argument specifies the name of the service to apply and will be stored as PAM_SERVICE item in the new context. The policy for the service will be read from the file
-\fI/etc/pam.d/service_name\fR
+argument specifies the name of the service to apply and will be stored as PAM_SERVICE item in the new context\. The policy for the service will be read from the file
+\fI/etc/pam\.d/service_name\fR
 or, if that file does not exist, from
-\fI/etc/pam.conf\fR.
+\fI/etc/pam\.conf\fR\.
 .PP
 The
 \fIuser\fR
-argument can specify the name of the target user and will be stored as PAM_USER item. If the argument is NULL, the module has to ask for this item if necessary.
+argument can specify the name of the target user and will be stored as PAM_USER item\. If the argument is NULL, the module has to ask for this item if necessary\.
 .PP
 The
 \fIpam_conversation\fR
 argument points to a
 \fIstruct pam_conv\fR
-describing the conversation function to use. An application must provide this for direct communication between a loaded module and the application.
+describing the conversation function to use\. An application must provide this for direct communication between a loaded module and the application\.
 .PP
 Following a successful return (PAM_SUCCESS) the contents of
 \fIpamh\fR
-is a handle that contains the PAM context for successive calls to the PAM functions. In an error case is the content of
+is a handle that contains the PAM context for successive calls to the PAM functions\. In an error case is the content of
 \fIpamh\fR
-undefined.
+undefined\.
 .PP
 The
 \fIpam_handle_t\fR
-is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions
+is a blind structure and the application should not attempt to probe it directly for information\. Instead the PAM library provides the functions
 \fBpam_set_item\fR(3)
 and
-\fBpam_get_item\fR(3). The PAM handle cannot be used for mulitiple authentications at the same time as long as
+\fBpam_get_item\fR(3)\. The PAM handle cannot be used for mulitiple authentications at the same time as long as
 \fBpam_end\fR
-was not called on it before.
+was not called on it before\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ABORT
-General failure.
-.TP 3n
+.RS 4
+General failure\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SUCCESS
-Transaction was successful created.
-.TP 3n
+.RS 4
+Transaction was successful created\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-System error, for example a NULL pointer was submitted instead of a pointer to data.
+.RS 4
+System error, for example a NULL pointer was submitted instead of a pointer to data\.
+.RE
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_strerror.3 b/Linux-PAM/doc/man/pam_strerror.3
index 2d1e8849..504e2bfa 100644
--- a/Linux-PAM/doc/man/pam_strerror.3
+++ b/Linux-PAM/doc/man/pam_strerror.3
@@ -1,22 +1,22 @@
 .\"     Title: pam_strerror
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_STRERROR" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_STRERROR" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_strerror \- return string describing PAM error code
+pam_strerror - return string describing PAM error code
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
 .fi
 .ft
 .HP 25
@@ -26,10 +26,10 @@ pam_strerror \- return string describing PAM error code
 The
 \fBpam_strerror\fR
 function returns a pointer to a string describing the error code passed in the argument
-\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language. This string must not be modified by the application. No library function will modify this string.
+\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language\. This string must not be modified by the application\. No library function will modify this string\.
 .SH "RETURN VALUES"
 .PP
-This function returns always a pointer to a string.
+This function returns always a pointer to a string\.
 .SH "SEE ALSO"
 .PP
 
diff --git a/Linux-PAM/doc/man/pam_syslog.3 b/Linux-PAM/doc/man/pam_syslog.3
index 112066d9..908c9229 100644
--- a/Linux-PAM/doc/man/pam_syslog.3
+++ b/Linux-PAM/doc/man/pam_syslog.3
@@ -1,32 +1,32 @@
 .\"     Title: pam_syslog
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SYSLOG" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SYSLOG" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_syslog, pam_vsyslog \- send messages to the system logger
+pam_syslog, pam_vsyslog - send messages to the system logger
 .SH "SYNOPSIS"
 .sp
 .ft B
 .nf
-#include <syslog.h>
+#include <syslog\.h>
 .fi
 .ft
 .sp
 .ft B
 .nf
-#include <security/pam_ext.h>
+#include <security/pam_ext\.h>
 .fi
 .ft
 .HP 16
-.BI "void pam_syslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "..." ");"
+.BI "void pam_syslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "\.\.\." ");"
 .HP 17
 .BI "void pam_vsyslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", va_list\ " "args" ");"
 .SH "DESCRIPTION"
@@ -35,11 +35,11 @@ The
 \fBpam_syslog\fR
 function logs messages using
 \fBsyslog\fR(3)
-and is intended for internal use by Linux\-PAM and PAM service modules. The
+and is intended for internal use by Linux\-PAM and PAM service modules\. The
 \fIpriority\fR
 argument is formed by ORing the facility and the level values as documented in the
 \fBsyslog\fR(3)
-manual page.
+manual page\.
 .PP
 The
 \fBpam_vsyslog\fR
@@ -47,7 +47,7 @@ function performs the same task as
 \fBpam_syslog()\fR
 with the difference that it takes a set of arguments which have been obtained using the
 \fBstdarg\fR(3)
-variable argument list macros.
+variable argument list macros\.
 .SH "SEE ALSO"
 .PP
 
@@ -58,4 +58,4 @@ The
 \fBpam_syslog\fR
 and
 \fBpam_vsyslog\fR
-functions are Linux\-PAM extensions.
+functions are Linux\-PAM extensions\.
diff --git a/Linux-PAM/doc/man/pam_xauth_data.3 b/Linux-PAM/doc/man/pam_xauth_data.3
new file mode 100644
index 00000000..ed43e598
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_xauth_data.3
@@ -0,0 +1,70 @@
+.\"     Title: pam_xauth_data
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
+.\"
+.TH "PAM_XAUTH_DATA" "3" "02/04/2008" "Linux-PAM Manual" "Linux-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_xauth_data - structure containing X authentication data
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <security/pam_appl\.h>
+.fi
+.ft
+.sp
+.RS 4
+.nf
+struct pam_xauth_data {
+    int namelen;
+    char *name;
+    int datalen;
+    char *data;
+};
+    
+.fi
+.RE
+.SH "DESCRIPTION"
+.PP
+The
+\fBpam_xauth_data\fR
+structure contains X authentication data used to make a connection to an X display\. Using this mechanism, an application can communicate X authentication data to PAM service modules\. This allows modules to make a connection to the user\'s X display in order to label the user\'s session on login, display visual feedback or for other purposes\.
+.PP
+The
+\fIname\fR
+field contains the name of the authentication method, such as "MIT\-MAGIC\-COOKIE\-1"\. The
+\fInamelen\fR
+field contains the length of this string, not including the trailing NUL character\.
+.PP
+The
+\fIdata\fR
+field contains the authentication method\-specific data corresponding to the specified name\. The
+\fIdatalen\fR
+field contains its length in bytes\.
+.PP
+The X authentication data can be changed with the
+\fIPAM_XAUTH_DATA\fR
+item\. It can be queried and set with
+\fBpam_get_item\fR(3)
+and
+\fBpam_set_item \fR(3)
+respectively\. The value used to set it should be a pointer to a pam_xauth_data structure\. An internal copy of both the structure itself and its fields is made by PAM when setting the item\.
+.SH "SEE ALSO"
+.PP
+
+\fBpam_start\fR(3),
+\fBpam_get_item\fR(3),
+.SH "STANDARDS"
+.PP
+The
+\fBpam_xauth_data\fR
+structure and
+\fIPAM_XAUTH_DATA\fR
+item are Linux\-PAM extensions\.
diff --git a/Linux-PAM/doc/man/pam_xauth_data.3.xml b/Linux-PAM/doc/man/pam_xauth_data.3.xml
new file mode 100644
index 00000000..0cd6730b
--- /dev/null
+++ b/Linux-PAM/doc/man/pam_xauth_data.3.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_xauth_data">
+
+  <refmeta>
+    <refentrytitle>pam_xauth_data</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_xauth_data-name">
+    <refname>pam_xauth_data</refname>
+    <refpurpose>structure containing X authentication data</refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <funcsynopsis id="pam_xauth_data-synopsis">
+      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+    </funcsynopsis>
+    <programlisting>
+struct pam_xauth_data {
+    int namelen;
+    char *name;
+    int datalen;
+    char *data;
+};
+    </programlisting>
+  </refsynopsisdiv>
+
+  <refsect1 id='pam_xauth_data-description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <function>pam_xauth_data</function> structure contains X
+      authentication data used to make a connection to an X display.  
+      Using this mechanism, an application can communicate X
+      authentication data to PAM service modules.  This allows modules to
+      make a connection to the user's X display in order to label the
+      user's session on login, display visual feedback or for other
+      purposes.
+    </para>
+    <para>
+      The <emphasis>name</emphasis> field contains the name of the
+      authentication method, such as "MIT-MAGIC-COOKIE-1".  The
+      <emphasis>namelen</emphasis> field contains the length of this string,
+      not including the trailing NUL character.
+    </para>
+    <para>
+      The <emphasis>data</emphasis> field contains the authentication
+      method-specific data corresponding to the specified name.  The
+      <emphasis>datalen</emphasis> field contains its length in bytes.
+    </para>
+    <para>
+      The X authentication data can be changed with the
+      <emphasis>PAM_XAUTH_DATA</emphasis> item. It can be queried and
+      set with
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      and
+      <citerefentry>
+        <refentrytitle>pam_set_item </refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>  respectively.  The value used to set it should be
+      a pointer to a pam_xauth_data structure.  An internal copy of both
+      the structure itself and its fields is made by PAM when setting the
+      item.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_xauth_data-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_xauth_data-standards'>
+    <title>STANDARDS</title>
+    <para>
+      The <function>pam_xauth_data</function> structure and
+      <emphasis>PAM_XAUTH_DATA</emphasis> item are
+      Linux-PAM extensions.
+    </para>
+  </refsect1>
+
+</refentry>
diff --git a/Linux-PAM/doc/sag/pam_sepermit.xml b/Linux-PAM/doc/sag/pam_sepermit.xml
new file mode 100644
index 00000000..6ef9e0f8
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_sepermit.xml
@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_sepermit'>
+  <title>pam_sepermit - allow/reject access based on SELinux mode</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_sepermit-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_sepermit-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/>
+  </section>
+  <section id='sag-pam_sepermit-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/>
+  </section>
+  <section id='sag-pam_sepermit-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-services"]/*)'/>
+  </section>
+  <section id='sag-pam_sepermit-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_sepermit-files'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-files"]/*)'/>
+  </section>
+  <section id='sag-pam_sepermit-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_sepermit-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/sag/pam_tty_audit.xml b/Linux-PAM/doc/sag/pam_tty_audit.xml
new file mode 100644
index 00000000..55e73862
--- /dev/null
+++ b/Linux-PAM/doc/sag/pam_tty_audit.xml
@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_tty_audit'>
+  <title>pam_tty_audit - enable/disable tty auditing</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tty_audit-cmdsynopsis"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_tty_audit-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-description"]/*)'/>
+  </section>
+  <section id='sag-pam_tty_audit-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-options"]/*)'/>
+  </section>
+  <section id='sag-pam_tty_audit-services'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-services"]/*)'/>
+  </section>
+  <section id='sag-pam_tty_audit-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_tty_audit-notes'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
+  </section>
+  <section id='sag-pam_tty_audit-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_tty_audit-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-author"]/*)'/>
+  </section>
+</section>
diff --git a/Linux-PAM/doc/specs/parse_y.y b/Linux-PAM/doc/specs/parse_y.y
index 9ea51654..87fc54ea 100644
--- a/Linux-PAM/doc/specs/parse_y.y
+++ b/Linux-PAM/doc/specs/parse_y.y
@@ -229,7 +229,7 @@ void set_label(const char *label, const char *target)
 {
     if (target == NULL) {
 	yyerror("no hanging value for label");
-	target = "<??>";
+	target = "<??" ">";	/* avoid trigraph warning */
     }
     label_root = set_key(label_root, label, target);
 }
@@ -242,7 +242,7 @@ char *new_counter(const char *key)
 
     if (key[i++] != '#') {
 	yyerror("bad index");
-	return strdup("<???>");
+	return strdup("<???" ">");	/* avoid trigraph warning */
     }
 
     while (key[i] == '$') {
diff --git a/Linux-PAM/libpam/Makefile.am b/Linux-PAM/libpam/Makefile.am
index a0955441..0daca423 100644
--- a/Linux-PAM/libpam/Makefile.am
+++ b/Linux-PAM/libpam/Makefile.am
@@ -20,11 +20,11 @@ include_HEADERS = include/security/_pam_compat.h \
 noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
 		pam_modutil_private.h pam_static_modules.h
 
-libpam_la_LDFLAGS = -no-undefined -version-info 81:9:81
+libpam_la_LDFLAGS = -no-undefined -version-info 81:10:81
 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
 
 if STATIC_MODULES
-  libpam_la_LIBADD += `ls ../modules/pam_*/*.lo` \
+  libpam_la_LIBADD += $(shell ls ../modules/pam_*/*.lo) \
 	@LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil
 endif
 if HAVE_VERSIONING
diff --git a/Linux-PAM/libpam/include/security/_pam_macros.h b/Linux-PAM/libpam/include/security/_pam_macros.h
index f7da10a7..bd107cfb 100644
--- a/Linux-PAM/libpam/include/security/_pam_macros.h
+++ b/Linux-PAM/libpam/include/security/_pam_macros.h
@@ -25,6 +25,15 @@ do {                             \
                *__xx__++ = '\0'; \
 } while (0)
 
+#define _pam_overwrite_n(x,n)   \
+do {                             \
+     register char *__xx__;      \
+     register unsigned int __i__ = 0;    \
+     if ((__xx__=(x)))           \
+        for (;__i__<n; __i__++) \
+            __xx__[__i__] = 0; \
+} while (0)
+
 /*
  * Don't just free it, forget it too.
  */
@@ -85,7 +94,7 @@ static void _pam_output_debug_info(const char *file, const char *fn
 {
     FILE *logfile;
     int must_close = 1, fd;
-   
+
 #ifdef O_NOFOLLOW
     if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) {
 #else
@@ -111,7 +120,7 @@ static void _pam_output_debug(const char *format, ...)
     va_list args;
     FILE *logfile;
     int must_close = 1, fd;
-    
+
     va_start(args, format);
 
 #ifdef O_NOFOLLOW
diff --git a/Linux-PAM/libpam/include/security/_pam_types.h b/Linux-PAM/libpam/include/security/_pam_types.h
index 45bae97b..2f7e807f 100644
--- a/Linux-PAM/libpam/include/security/_pam_types.h
+++ b/Linux-PAM/libpam/include/security/_pam_types.h
@@ -138,8 +138,11 @@ typedef struct pam_handle pam_handle_t;
 #define PAM_OLDAUTHTOK     7	/* The old authentication token */
 #define PAM_RUSER          8	/* The remote user name */
 #define PAM_USER_PROMPT    9    /* the prompt for getting a username */
+/* Linux-PAM extensions */
 #define PAM_FAIL_DELAY     10   /* app supplied function to override failure
 				   delays */
+#define PAM_XDISPLAY       11   /* X display name */
+#define PAM_XAUTHDATA      12   /* X server authentication data */
 
 /* -------------- Special defines used by Linux-PAM -------------- */
 
@@ -279,6 +282,17 @@ struct pam_conv {
     void *appdata_ptr;
 };
 
+/* Used by the PAM_XAUTHDATA pam item.  Contains X authentication
+   data used by modules to connect to the user's X display.  Note:
+   this structure is intentionally compatible with xcb_auth_info_t. */
+
+struct pam_xauth_data {
+    int namelen;
+    char *name;
+    int datalen;
+    char *data;
+};
+
 /* ... adapted from the pam_appl.h file created by Theodore Ts'o and
  *
  * Copyright Theodore Ts'o, 1996.  All rights reserved.
diff --git a/Linux-PAM/libpam/include/security/pam_modutil.h b/Linux-PAM/libpam/include/security/pam_modutil.h
index efb72436..ffdf5ad0 100644
--- a/Linux-PAM/libpam/include/security/pam_modutil.h
+++ b/Linux-PAM/libpam/include/security/pam_modutil.h
@@ -97,6 +97,9 @@ pam_modutil_read(int fd, char *buffer, int count);
 extern int
 pam_modutil_write(int fd, const char *buffer, int count);
 
+extern int PAM_NONNULL((1,3))
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+			const char *message, int retval);
 #ifdef __cplusplus
 }
 #endif
diff --git a/Linux-PAM/libpam/libpam.map b/Linux-PAM/libpam/libpam.map
index 1c2c4480..e37fc356 100644
--- a/Linux-PAM/libpam/libpam.map
+++ b/Linux-PAM/libpam/libpam.map
@@ -45,3 +45,8 @@ LIBPAM_MODUTIL_1.0 {
     pam_modutil_read;
     pam_modutil_write;
 };
+
+LIBPAM_MODUTIL_1.1 {
+  global:
+    pam_modutil_audit_write;
+} LIBPAM_MODUTIL_1.0;
diff --git a/Linux-PAM/libpam/pam_audit.c b/Linux-PAM/libpam/pam_audit.c
index 240d4a89..6fd6a0c1 100644
--- a/Linux-PAM/libpam/pam_audit.c
+++ b/Linux-PAM/libpam/pam_audit.c
@@ -6,9 +6,10 @@
    Authors:
    Steve Grubb <sgrubb@redhat.com> */
 
-#include "pam_private.h"
 #include <stdio.h>
 #include <syslog.h>
+#include "pam_private.h"
+#include "pam_modutil_private.h"
 
 #ifdef HAVE_LIBAUDIT
 #include <libaudit.h>
@@ -56,26 +57,39 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
     return rc;
 }
 
-int
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+static int
+_pam_audit_open(pam_handle_t *pamh)
 {
-  const char *message;
-  int type;
   int audit_fd;
-
   audit_fd = audit_open();
   if (audit_fd < 0) {
     /* You get these error codes only when the kernel doesn't have
      * audit compiled in. */
     if (errno == EINVAL || errno == EPROTONOSUPPORT ||
         errno == EAFNOSUPPORT)
-        return retval;
+        return -2;
 
     /* this should only fail in case of extreme resource shortage,
      * need to prevent login in that case for CAPP compliance.
      */
     pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m");
+    return -1;
+  }
+
+  return audit_fd;
+}
+
+int
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+{
+  const char *message;
+  int type;
+  int audit_fd;
+
+  if ((audit_fd=_pam_audit_open(pamh)) == -1) {
     return PAM_SYSTEM_ERR;
+  } else if (audit_fd == -2) {
+    return retval;
   }
 
   switch (action) {
@@ -142,4 +156,30 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
   return 0;
 }
 
+int
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+    const char *message, int retval)
+{
+  int audit_fd;
+  int rc;
+	
+  if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+    return PAM_SYSTEM_ERR;
+  } else if (audit_fd == -2) {
+    return retval;
+  }
+
+  rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
+
+  audit_close(audit_fd);
+  
+  return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS;
+}
+
+#else
+int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED,
+    const char *message UNUSED, int retval UNUSED)
+{
+  return PAM_SUCCESS;
+}
 #endif /* HAVE_LIBAUDIT */
diff --git a/Linux-PAM/libpam/pam_dispatch.c b/Linux-PAM/libpam/pam_dispatch.c
index ab032d74..fa4e5ed4 100644
--- a/Linux-PAM/libpam/pam_dispatch.c
+++ b/Linux-PAM/libpam/pam_dispatch.c
@@ -34,7 +34,8 @@
 static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 			     _pam_boolean resumed, int use_cached_chain)
 {
-    int depth, impression, status, skip_depth;
+    int depth, impression, status, skip_depth, prev_level, stack_level;
+    struct _pam_substack_state *substates = NULL;
 
     IF_NO_PAMH("_pam_dispatch_aux", pamh, PAM_SYSTEM_ERR);
 
@@ -54,27 +55,51 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 	skip_depth = pamh->former.depth;
 	status = pamh->former.status;
 	impression = pamh->former.impression;
+	substates = pamh->former.substates;
 	/* forget all that */
 	pamh->former.impression = _PAM_UNDEF;
 	pamh->former.status = PAM_MUST_FAIL_CODE;
 	pamh->former.depth = 0;
+	pamh->former.substates = NULL;
     } else {
 	skip_depth = 0;
-	impression = _PAM_UNDEF;
-	status = PAM_MUST_FAIL_CODE;
+	substates = malloc(PAM_SUBSTACK_MAX_LEVEL * sizeof(*substates));
+	if (substates == NULL) {
+	    pam_syslog(pamh, LOG_CRIT,
+		       "_pam_dispatch_aux: no memory for substack states");
+	    return PAM_BUF_ERR;
+	}
+	substates[0].impression = impression = _PAM_UNDEF;
+	substates[0].status = status = PAM_MUST_FAIL_CODE;
     }
 
+    prev_level = 0;
+
     /* Loop through module logic stack */
-    for (depth=0 ; h != NULL ; h = h->next, ++depth) {
+    for (depth=0 ; h != NULL ; prev_level = stack_level, h = h->next, ++depth) {
 	int retval, cached_retval, action;
 
+        stack_level = h->stack_level;
+
 	/* skip leading modules if they have already returned */
 	if (depth < skip_depth) {
 	    continue;
 	}
 
+	/* remember state if we are entering a substack */
+	if (prev_level < stack_level) { 
+	    substates[stack_level].impression = impression;
+	    substates[stack_level].status = status;
+	}
+
 	/* attempt to call the module */
-	if (h->func == NULL) {
+	if (h->handler_type == PAM_HT_MUST_FAIL) {
+	    D(("module poorly listed in PAM config; forcing failure"));
+	    retval = PAM_MUST_FAIL_CODE;
+	} else if (h->handler_type == PAM_HT_SUBSTACK) {
+	    D(("skipping substack handler"));
+	    continue;
+	} else if (h->func == NULL) {
 	    D(("module function is not defined, indicating failure"));
 	    retval = PAM_MODULE_UNKNOWN;
 	} else {
@@ -83,10 +108,6 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 	    retval = h->func(pamh, flags, h->argc, h->argv);
 	    pamh->mod_name=NULL;
 	    D(("module returned: %s", pam_strerror(pamh, retval)));
-	    if (h->must_fail) {
-		D(("module poorly listed in PAM config; forcing failure"));
-		retval = PAM_MUST_FAIL_CODE;
-	    }
 	}
 
 	/*
@@ -100,6 +121,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 	    pamh->former.impression = impression;
 	    pamh->former.status = status;
 	    pamh->former.depth = depth;
+	    pamh->former.substates = substates;
 
 	    D(("module %d returned PAM_INCOMPLETE", depth));
 	    return retval;
@@ -176,8 +198,8 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 	switch (action) {
 	case _PAM_ACTION_RESET:
 
-	    impression = _PAM_UNDEF;
-	    status = PAM_MUST_FAIL_CODE;
+	    impression = substates[stack_level].impression;
+	    status = substates[stack_level].status;
 	    break;
 
 	case _PAM_ACTION_OK:
@@ -244,9 +266,13 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 		}
 
 		/* this means that we need to skip #action stacked modules */
-		do {
- 		    h = h->next;
-		} while ( --action > 0 && h != NULL );
+		while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
+ 		    do {
+			h = h->next;
+			++depth;
+		    } while (h->next != NULL && h->next->stack_level > stack_level);
+		    --action;
+		}
 
 		/* note if we try to skip too many modules action is
                    still non-zero and we snag the next if. */
@@ -254,14 +280,19 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 
 	    /* this case is a syntax error: we can't succeed */
 	    if (action) {
-		D(("action syntax error"));
+		pam_syslog(pamh, LOG_ERR, "bad jump in stack");
 		impression = _PAM_NEGATIVE;
 		status = PAM_MUST_FAIL_CODE;
 	    }
 	}
-    }
-
+	continue;
+	
 decision_made:     /* by getting  here we have made a decision */
+	while (h->next != NULL && h->next->stack_level >= stack_level) {
+	    h = h->next;
+	    ++depth;
+	}
+    }
 
     /* Sanity check */
     if ( status == PAM_SUCCESS && impression != _PAM_POSITIVE ) {
@@ -269,6 +300,7 @@ decision_made:     /* by getting  here we have made a decision */
 	status = PAM_MUST_FAIL_CODE;
     }
 
+    free(substates);
     /* We have made a decision about the modules executed */
     return status;
 }
diff --git a/Linux-PAM/libpam/pam_end.c b/Linux-PAM/libpam/pam_end.c
index 23a9dd5d..a2d94085 100644
--- a/Linux-PAM/libpam/pam_end.c
+++ b/Linux-PAM/libpam/pam_end.c
@@ -1,7 +1,7 @@
 /* pam_end.c */
 
 /*
- * $Id: pam_end.c,v 1.4 2006/01/12 10:06:49 t8m Exp $
+ * $Id: pam_end.c,v 1.7 2008/01/28 14:50:21 kukuk Exp $
  */
 
 #include "pam_private.h"
@@ -71,6 +71,17 @@ int pam_end(pam_handle_t *pamh, int pam_status)
     _pam_drop(pamh->pam_conversation);
     pamh->fail_delay.delay_fn_ptr = NULL;
 
+    _pam_drop(pamh->former.substates);
+
+    _pam_overwrite(pamh->xdisplay);
+    _pam_drop(pamh->xdisplay);
+
+    _pam_overwrite(pamh->xauth.name);
+    _pam_drop(pamh->xauth.name);
+    _pam_overwrite_n(pamh->xauth.data, (unsigned int)pamh->xauth.datalen);
+    _pam_drop(pamh->xauth.data);
+    _pam_overwrite_n((char *)&pamh->xauth, sizeof(pamh->xauth));
+
     /* and finally liberate the memory for the pam_handle structure */
 
     _pam_drop(pamh);
diff --git a/Linux-PAM/libpam/pam_handlers.c b/Linux-PAM/libpam/pam_handlers.c
index 87d781d2..11508145 100644
--- a/Linux-PAM/libpam/pam_handlers.c
+++ b/Linux-PAM/libpam/pam_handlers.c
@@ -18,7 +18,7 @@
 
 #define BUF_SIZE                  1024
 #define MODULE_CHUNK              4
-#define UNKNOWN_MODULE_PATH       "<*unknown module path*>"
+#define UNKNOWN_MODULE       "<*unknown module*>"
 #ifndef _PAM_ISA
 #define _PAM_ISA "."
 #endif
@@ -28,7 +28,7 @@ static int _pam_assemble_line(FILE *f, char *buf, int buf_len);
 static void _pam_free_handlers_aux(struct handler **hp);
 
 static int _pam_add_handler(pam_handle_t *pamh
-		     , int must_fail, int other, int type
+		     , int must_fail, int other, int stack_level, int type
 		     , int *actions, const char *mod_path
 		     , int argc, char **argv, int argvlen);
 
@@ -43,6 +43,7 @@ static int _pam_add_handler(pam_handle_t *pamh
 static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
 				, const char *service /* specific file */
 				, int module_type /* specific type */
+				, int stack_level /* level of substack */
 #ifdef PAM_READ_BOTH_CONFS
 				, int not_other
 #endif /* PAM_READ_BOTH_CONFS */
@@ -51,6 +52,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
 static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 				, const char *known_service /* specific file */
 				, int requested_module_type /* specific type */
+				, int stack_level /* level of substack */
 #ifdef PAM_READ_BOTH_CONFS
 				, int not_other
 #endif /* PAM_READ_BOTH_CONFS */
@@ -68,7 +70,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 	int module_type, actions[_PAM_RETURN_VALUES];
 	int other;            /* set if module is for PAM_DEFAULT_SERVICE */
 	int res;              /* module added successfully? */
-	int must_fail=0;      /* a badly formatted line must fail when used */
+	int handler_type = PAM_HT_MODULE; /* regular handler from a module */
 	int argc;
 	char **argv;
 	int argvlen;
@@ -92,6 +94,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 	/* accept "service name" or PAM_DEFAULT_SERVICE modules */
 	if (!strcasecmp(this_service, pamh->service_name) || other) {
 	    int pam_include = 0;
+	    int substack = 0;
 
 	    /* This is a service we are looking for */
 	    D(("_pam_init_handlers: Found PAM config entry for: %s"
@@ -105,7 +108,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 			   "(%s) empty module type", this_service);
 	        module_type = (requested_module_type != PAM_T_ANY) ?
 		  requested_module_type : PAM_T_AUTH;	/* most sensitive */
-	        must_fail = 1; /* install as normal but fail when dispatched */
+	        handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
 	    } else if (!strcasecmp("auth", tok)) {
 		module_type = PAM_T_AUTH;
 	    } else if (!strcasecmp("session", tok)) {
@@ -121,9 +124,9 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 			   this_service, tok);
 		module_type = (requested_module_type != PAM_T_ANY) ?
 			      requested_module_type : PAM_T_AUTH;	/* most sensitive */
-		must_fail = 1; /* install as normal but fail when dispatched */
+		handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
 	    }
-	    D(("Using %s config entry: %s", must_fail?"BAD ":"", tok));
+	    D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));
 	    if (requested_module_type != PAM_T_ANY &&
 	        module_type != requested_module_type) {
 		D(("Skipping config entry: %s (requested=%d, found=%d)",
@@ -145,7 +148,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 		pam_syslog(pamh, LOG_ERR,
 			   "(%s) no control flag supplied", this_service);
 		_pam_set_default_control(actions, _PAM_ACTION_BAD);
-		must_fail = 1;
+		handler_type = PAM_HT_MUST_FAIL;
 	    } else if (!strcasecmp("required", tok)) {
 		D(("*PAM_F_REQUIRED*"));
 		actions[PAM_SUCCESS] = _PAM_ACTION_OK;
@@ -171,6 +174,11 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 	    } else if (!strcasecmp("include", tok)) {
 		D(("*PAM_F_INCLUDE*"));
 		pam_include = 1;
+		substack = 0;
+	    } else if (!strcasecmp("substack", tok)) {
+		D(("*PAM_F_SUBSTACK*"));
+		pam_include = 1;
+		substack = 1;
 	    } else {
 		D(("will need to parse %s", tok));
 		_pam_parse_control(actions, tok);
@@ -180,7 +188,18 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 
 	    tok = _pam_StrTok(NULL, " \n\t", &nexttok);
 	    if (pam_include) {
-		if (_pam_load_conf_file(pamh, tok, this_service, module_type
+	    	if (substack) {
+		    res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+		    		stack_level, module_type, actions, tok,
+		    		0, NULL, 0);
+		    if (res != PAM_SUCCESS) {
+			pam_syslog(pamh, LOG_ERR, "error adding substack %s", tok);
+			D(("failed to load module - aborting"));
+			return PAM_ABORT;
+		    }  	    
+	    	}
+		if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+		    stack_level + substack
 #ifdef PAM_READ_BOTH_CONFS
 					      , !other
 #endif /* PAM_READ_BOTH_CONFS */
@@ -188,7 +207,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 		    continue;
 		_pam_set_default_control(actions, _PAM_ACTION_BAD);
 		mod_path = NULL;
-		must_fail = 1;
+		handler_type = PAM_HT_MUST_FAIL;
 		nexttok = NULL;
 	    } else if (tok != NULL) {
 		mod_path = tok;
@@ -199,7 +218,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 		pam_syslog(pamh, LOG_ERR,
 		           "(%s) no module name supplied", this_service);
 		mod_path = NULL;
-		must_fail = 1;
+		handler_type = PAM_HT_MUST_FAIL;
 	    }
 
 	    /* nexttok points to remaining arguments... */
@@ -219,7 +238,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 		int y;
 
 		D(("CONF%s: %s%s %d %s %d"
-		   , must_fail?"<*will fail*>":""
+		   , handler_type==PAM_HT_MUST_FAIL?"<*will fail*>":""
 		   , this_service, other ? "(backup)":""
 		   , module_type
 		   , mod_path, argc));
@@ -235,7 +254,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 	    }
 #endif
 
-	    res = _pam_add_handler(pamh, must_fail, other
+	    res = _pam_add_handler(pamh, handler_type, other, stack_level
 				   , module_type, actions, mod_path
 				   , argc, argv, argvlen);
 	    if (res != PAM_SUCCESS) {
@@ -252,6 +271,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
 static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
 				, const char *service /* specific file */
 				, int module_type /* specific type */
+				, int stack_level /* level of substack */
 #ifdef PAM_READ_BOTH_CONFS
 				, int not_other
 #endif /* PAM_READ_BOTH_CONFS */
@@ -263,6 +283,12 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
 
     D(("_pam_load_conf_file called"));
 
+    if (stack_level >= PAM_SUBSTACK_MAX_LEVEL) {
+	D(("maximum level of substacks reached"));
+	pam_syslog(pamh, LOG_ERR, "maximum level of substacks reached");
+	return PAM_ABORT;
+    }
+
     if (config_name == NULL) {
 	D(("no config file supplied"));
 	pam_syslog(pamh, LOG_ERR, "(%s) no config file supplied", service);
@@ -280,7 +306,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name
     D(("opening %s", config_name));
     f = fopen(config_name, "r");
     if (f != NULL) {
-	retval = _pam_parse_conf_file(pamh, f, service, module_type
+	retval = _pam_parse_conf_file(pamh, f, service, module_type, stack_level
 #ifdef PAM_READ_BOTH_CONFS
 					      , not_other
 #endif /* PAM_READ_BOTH_CONFS */
@@ -379,7 +405,8 @@ int _pam_init_handlers(pam_handle_t *pamh)
 	    f = fopen(filename, "r");
 	    if (f != NULL) {
 		/* would test magic here? */
-		retval = _pam_parse_conf_file(pamh, f, pamh->service_name, PAM_T_ANY
+		retval = _pam_parse_conf_file(pamh, f, pamh->service_name,
+		    PAM_T_ANY, 0
 #ifdef PAM_READ_BOTH_CONFS
 					      , 0
 #endif /* PAM_READ_BOTH_CONFS */
@@ -400,7 +427,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
 		D(("checking %s", PAM_CONFIG));
 
 		if ((f = fopen(PAM_CONFIG,"r")) != NULL) {
-		    retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 1);
+		    retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1);
 		    fclose(f);
 		} else
 #endif /* PAM_READ_BOTH_CONFS */
@@ -419,9 +446,8 @@ int _pam_init_handlers(pam_handle_t *pamh)
 		f = fopen(PAM_DEFAULT_SERVICE_FILE, "r");
 		if (f != NULL) {
 		    /* would test magic here? */
-		    retval = _pam_parse_conf_file(pamh, f
-						  , PAM_DEFAULT_SERVICE
-						  , PAM_T_ANY
+		    retval = _pam_parse_conf_file(pamh, f, PAM_DEFAULT_SERVICE,
+			PAM_T_ANY, 0
 #ifdef PAM_READ_BOTH_CONFS
 						  , 0
 #endif /* PAM_READ_BOTH_CONFS */
@@ -454,7 +480,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
 		return PAM_ABORT;
 	    }
 
-	    retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY
+	    retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0
 #ifdef PAM_READ_BOTH_CONFS
 					  , 0
 #endif /* PAM_READ_BOTH_CONFS */
@@ -581,46 +607,19 @@ extract_modulename(const char *mod_path)
   return retval;
 }
 
-int _pam_add_handler(pam_handle_t *pamh
-		     , int must_fail, int other, int type
-		     , int *actions, const char *mod_path
-		     , int argc, char **argv, int argvlen)
+static struct loaded_module *
+_pam_load_module(pam_handle_t *pamh, const char *mod_path)
 {
-    struct loaded_module *mod;
     int x = 0;
-    struct handler **handler_p;
-    struct handler **handler_p2;
-    struct handlers *the_handlers;
-    const char *sym, *sym2;
-    char *mod_full_path=NULL;
+    int success;
 #ifndef PAM_STATIC
     char *mod_full_isa_path=NULL, *isa=NULL;
 #endif
-    servicefn func, func2;
-    int success;
-
-    D(("called."));
-    IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR);
-
-    /* if NULL set to something that can be searched for */
-    switch (mod_path != NULL) {
-    default:
-	if (mod_path[0] == '/') {
-	    break;
-	}
-	if (asprintf(&mod_full_path, "%s%s",
-		     DEFAULT_MODULE_PATH, mod_path) >= 0) {
-	    mod_path = mod_full_path;
-	    break;
-	}
-	mod_full_path = NULL;
-	pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
-    case 0:
-	mod_path = UNKNOWN_MODULE_PATH;
-    }
+    struct loaded_module *mod;
 
-    D(("_pam_add_handler: adding type %d, module `%s'",type,mod_path));
-    mod  = pamh->handlers.module;
+    D(("_pam_load_module: loading module `%s'", mod_path));
+    
+    mod = pamh->handlers.module;
 
     /* First, ensure the module is loaded */
     while (x < pamh->handlers.modules_used) {
@@ -639,9 +638,8 @@ int _pam_add_handler(pam_handle_t *pamh
 	    if (tmp == NULL) {
 		D(("cannot enlarge module pointer memory"));
 		pam_syslog(pamh, LOG_ERR,
-				"realloc returned NULL in _pam_add_handler");
-		_pam_drop(mod_full_path);
-		return PAM_ABORT;
+				"realloc returned NULL in _pam_load_module");
+		return NULL;
 	    }
 	    pamh->handlers.module = tmp;
 	    pamh->handlers.modules_allocated += MODULE_CHUNK;
@@ -654,10 +652,10 @@ int _pam_add_handler(pam_handle_t *pamh
 	/* Only load static function if function was not found dynamically.
 	 * This code should work even if no dynamic loading is available. */
 	if (success != PAM_SUCCESS) {
-	    D(("_pam_add_handler: open static handler %s", mod_path));
+	    D(("_pam_load_module: open static handler %s", mod_path));
 	    mod->dl_handle = _pam_open_static_handler(pamh, mod_path);
 	    if (mod->dl_handle == NULL) {
-	        D(("_pam_add_handler: unable to find static handler %s",
+	        D(("_pam_load_module: unable to find static handler %s",
 		   mod_path));
 		pam_syslog(pamh, LOG_ERR,
 				"unable to open static handler %s", mod_path);
@@ -670,15 +668,15 @@ int _pam_add_handler(pam_handle_t *pamh
 	    }
 	}
 #else
-	D(("_pam_add_handler: _pam_dlopen(%s)", mod_path));
+	D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
 	mod->dl_handle = _pam_dlopen(mod_path);
-	D(("_pam_add_handler: _pam_dlopen'ed"));
-	D(("_pam_add_handler: dlopen'ed"));
+	D(("_pam_load_module: _pam_dlopen'ed"));
+	D(("_pam_load_module: dlopen'ed"));
 	if (mod->dl_handle == NULL) {
 	    if (strstr(mod_path, "$ISA")) {
 		mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1);
 		if (mod_full_isa_path == NULL) {
-		    D(("_pam_handler: couldn't get memory for mod_path"));
+		    D(("_pam_load_module: couldn't get memory for mod_path"));
 		    pam_syslog(pamh, LOG_ERR, "no memory for module path");
 		    success = PAM_ABORT;
 		} else {
@@ -694,9 +692,9 @@ int _pam_add_handler(pam_handle_t *pamh
 	    }
 	}
 	if (mod->dl_handle == NULL) {
-	    D(("_pam_add_handler: _pam_dlopen(%s) failed", mod_path));
-	    pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s)", mod_path);
-	    pam_syslog(pamh, LOG_ERR, "[error: %s]", _pam_dlerror());
+	    D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path));
+	    pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
+	        _pam_dlerror());
 	    /* Don't abort yet; static code may be able to find function.
 	     * But defaults to abort if nothing found below... */
 	} else {
@@ -717,7 +715,7 @@ int _pam_add_handler(pam_handle_t *pamh
 
 	/* indicate its name - later we will search for it by this */
 	if ((mod->name = _pam_strdup(mod_path)) == NULL) {
-	    D(("_pam_handler: couldn't get memory for mod_path"));
+	    D(("_pam_load_module: couldn't get memory for mod_path"));
 	    pam_syslog(pamh, LOG_ERR, "no memory for module path");
 	    success = PAM_ABORT;
 	}
@@ -726,18 +724,54 @@ int _pam_add_handler(pam_handle_t *pamh
 	mod += x;                                    /* the located module */
 	success = PAM_SUCCESS;
     }
+    return success == PAM_SUCCESS ? mod : NULL;
+}
+
+int _pam_add_handler(pam_handle_t *pamh
+		     , int handler_type, int other, int stack_level, int type
+		     , int *actions, const char *mod_path
+		     , int argc, char **argv, int argvlen)
+{
+    struct loaded_module *mod = NULL;
+    struct handler **handler_p;
+    struct handler **handler_p2;
+    struct handlers *the_handlers;
+    const char *sym, *sym2;
+    char *mod_full_path;
+    servicefn func, func2;
+    int mod_type = PAM_MT_FAULTY_MOD;
+
+    D(("called."));
+    IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR);
 
-    _pam_drop(mod_full_path);
-    mod_path = NULL;                        /* no longer needed or trusted */
+    D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'",
+	type, handler_type, mod_path));
 
-    /* Now return error if necessary after trying all possible ways... */
-    if (success != PAM_SUCCESS)
-	return(success);
+    if (handler_type == PAM_HT_MODULE && mod_path != NULL) {
+	if (mod_path[0] == '/') {
+	    mod = _pam_load_module(pamh, mod_path);
+	} else if (asprintf(&mod_full_path, "%s%s",
+			     DEFAULT_MODULE_PATH, mod_path) >= 0) {
+	    mod = _pam_load_module(pamh, mod_full_path);
+	    _pam_drop(mod_full_path);
+	} else {
+	    pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+	    return PAM_ABORT;
+	}
+
+	if (mod == NULL) {
+	    /* if we get here with NULL it means allocation error */
+	    return PAM_ABORT;
+	}
+	
+	mod_type = mod->type;
+    }
+    
+    if (mod_path == NULL)
+    	mod_path = UNKNOWN_MODULE;
 
     /*
-     * At this point 'mod' points to the stored/loaded module. If its
-     * dl_handle is unknown, then we must be able to indicate dispatch
-     * failure with 'must_fail'
+     * At this point 'mod' points to the stored/loaded module.
      */
 
     /* Now define the handler(s) based on mod->dlhandle and type */
@@ -780,43 +814,43 @@ int _pam_add_handler(pam_handle_t *pamh
     /* are the modules reliable? */
     if (
 #ifdef PAM_STATIC
-	 mod->type != PAM_MT_STATIC_MOD
+	 mod_type != PAM_MT_STATIC_MOD
 	 &&
 #else
-	 mod->type != PAM_MT_DYNAMIC_MOD
+	 mod_type != PAM_MT_DYNAMIC_MOD
 	 &&
 #endif
-	 mod->type != PAM_MT_FAULTY_MOD
+	 mod_type != PAM_MT_FAULTY_MOD
 	) {
-	D(("_pam_add_handlers: illegal module library type; %d", mod->type));
+	D(("_pam_add_handlers: illegal module library type; %d", mod_type));
 	pam_syslog(pamh, LOG_ERR,
 			"internal error: module library type not known: %s;%d",
-			sym, mod->type);
+			sym, mod_type);
 	return PAM_ABORT;
     }
 
     /* now identify this module's functions - for non-faulty modules */
 
 #ifdef PAM_STATIC
-    if ((mod->type == PAM_MT_STATIC_MOD) &&
+    if ((mod_type == PAM_MT_STATIC_MOD) &&
         (func = (servicefn)_pam_get_static_sym(mod->dl_handle, sym)) == NULL) {
 	pam_syslog(pamh, LOG_ERR, "unable to resolve static symbol: %s", sym);
     }
 #else
-    if ((mod->type == PAM_MT_DYNAMIC_MOD) &&
+    if ((mod_type == PAM_MT_DYNAMIC_MOD) &&
         !(func = _pam_dlsym(mod->dl_handle, sym)) ) {
 	pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym);
     }
 #endif
     if (sym2) {
 #ifdef PAM_STATIC
-	if ((mod->type == PAM_MT_STATIC_MOD) &&
+	if ((mod_type == PAM_MT_STATIC_MOD) &&
 	    (func2 = (servicefn)_pam_get_static_sym(mod->dl_handle, sym2))
 	    == NULL) {
 	    pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2);
 	}
 #else
-	if ((mod->type == PAM_MT_DYNAMIC_MOD) &&
+	if ((mod_type == PAM_MT_DYNAMIC_MOD) &&
 	    !(func2 = _pam_dlsym(mod->dl_handle, sym2)) ) {
 	    pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2);
 	}
@@ -835,14 +869,15 @@ int _pam_add_handler(pam_handle_t *pamh
 	return (PAM_ABORT);
     }
 
-    (*handler_p)->must_fail = must_fail;        /* failure forced? */
+    (*handler_p)->handler_type = handler_type;
+    (*handler_p)->stack_level = stack_level;
     (*handler_p)->func = func;
     memcpy((*handler_p)->actions,actions,sizeof((*handler_p)->actions));
     (*handler_p)->cached_retval = _PAM_INVALID_RETVAL;
     (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
     (*handler_p)->argc = argc;
     (*handler_p)->argv = argv;                       /* not a copy */
-    (*handler_p)->mod_name = extract_modulename(mod->name);
+    (*handler_p)->mod_name = extract_modulename(mod_path);
     (*handler_p)->next = NULL;
 
     /* some of the modules have a second calling function */
@@ -857,7 +892,8 @@ int _pam_add_handler(pam_handle_t *pamh
 	    return (PAM_ABORT);
 	}
 
-	(*handler_p2)->must_fail = must_fail;        /* failure forced? */
+	(*handler_p2)->handler_type = handler_type;
+	(*handler_p2)->stack_level = stack_level;
 	(*handler_p2)->func = func2;
 	memcpy((*handler_p2)->actions,actions,sizeof((*handler_p2)->actions));
 	(*handler_p2)->cached_retval =  _PAM_INVALID_RETVAL;     /* ignored */
@@ -873,7 +909,7 @@ int _pam_add_handler(pam_handle_t *pamh
 	} else {
 	    (*handler_p2)->argv = NULL;              /* no arguments */
 	}
-	(*handler_p2)->mod_name = extract_modulename(mod->name);
+	(*handler_p2)->mod_name = extract_modulename(mod_path);
 	(*handler_p2)->next = NULL;
     }
 
diff --git a/Linux-PAM/libpam/pam_item.c b/Linux-PAM/libpam/pam_item.c
index 41d5b816..2d7985c8 100644
--- a/Linux-PAM/libpam/pam_item.c
+++ b/Linux-PAM/libpam/pam_item.c
@@ -1,7 +1,7 @@
 /* pam_item.c */
 
 /*
- * $Id: pam_item.c,v 1.13 2006/03/12 10:26:30 kukuk Exp $
+ * $Id: pam_item.c,v 1.15 2008/01/28 14:50:21 kukuk Exp $
  */
 
 #include "pam_private.h"
@@ -138,6 +138,25 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
 	pamh->fail_delay.delay_fn_ptr = item;
 	break;
 
+    case PAM_XDISPLAY:
+	RESET(pamh->xdisplay, item);
+	break;
+
+    case PAM_XAUTHDATA:
+	if (pamh->xauth.namelen) {
+	    _pam_overwrite(pamh->xauth.name);
+	    free(pamh->xauth.name);
+	}
+	if (pamh->xauth.datalen) {
+	  _pam_overwrite_n(pamh->xauth.data,
+			   (unsigned int) pamh->xauth.datalen);
+	    free(pamh->xauth.data);
+	}
+	pamh->xauth = *((const struct pam_xauth_data *) item);
+	pamh->xauth.name = _pam_strdup(pamh->xauth.name);
+	pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen);
+	break;
+
     default:
 	retval = PAM_BAD_ITEM;
     }
@@ -220,6 +239,14 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item)
 	*item = pamh->fail_delay.delay_fn_ptr;
 	break;
 
+    case PAM_XDISPLAY:
+	*item = pamh->xdisplay;
+	break;
+
+    case PAM_XAUTHDATA:
+	*item = &pamh->xauth;
+	break;
+
     default:
 	retval = PAM_BAD_ITEM;
     }
diff --git a/Linux-PAM/libpam/pam_misc.c b/Linux-PAM/libpam/pam_misc.c
index 770c9cce..574a570e 100644
--- a/Linux-PAM/libpam/pam_misc.c
+++ b/Linux-PAM/libpam/pam_misc.c
@@ -137,6 +137,28 @@ char *_pam_strdup(const char *x)
      return new;                 /* return the duplicate or NULL on error */
 }
 
+/*
+ * Safe duplication of memory buffers. "Paranoid"; don't leave
+ * evidence of old token around for later stack analysis.
+ */
+
+char *_pam_memdup(const char *x, int len)
+{
+     register char *new=NULL;
+
+     if (x != NULL) {
+         if ((new = malloc(len)) == NULL) {
+             len = 0;
+             pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory");
+         } else {
+             memcpy (new, x, len);
+         }
+         x = NULL;
+     }
+
+     return new;                 /* return the duplicate or NULL on error */
+}
+
 /* Generate argv, argc from s */
 /* caller must free(argv)     */
 
diff --git a/Linux-PAM/libpam/pam_modutil_getgrgid.c b/Linux-PAM/libpam/pam_modutil_getgrgid.c
index 420068f7..5b862872 100644
--- a/Linux-PAM/libpam/pam_modutil_getgrgid.c
+++ b/Linux-PAM/libpam/pam_modutil_getgrgid.c
@@ -1,5 +1,5 @@
 /*
- * $Id: pam_modutil_getgrgid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getgrgid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
  *
  * This function provides a thread safer version of getgrgid() for use
  * with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getgrnam.c b/Linux-PAM/libpam/pam_modutil_getgrnam.c
index 908f816d..99c90800 100644
--- a/Linux-PAM/libpam/pam_modutil_getgrnam.c
+++ b/Linux-PAM/libpam/pam_modutil_getgrnam.c
@@ -1,5 +1,5 @@
 /*
- * $Id: pam_modutil_getgrnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getgrnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
  *
  * This function provides a thread safer version of getgrnam() for use
  * with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getpwnam.c b/Linux-PAM/libpam/pam_modutil_getpwnam.c
index 6bb7d195..b81617d5 100644
--- a/Linux-PAM/libpam/pam_modutil_getpwnam.c
+++ b/Linux-PAM/libpam/pam_modutil_getpwnam.c
@@ -1,5 +1,5 @@
 /*
- * $Id: pam_modutil_getpwnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getpwnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
  *
  * This function provides a thread safer version of getpwnam() for use
  * with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getpwuid.c b/Linux-PAM/libpam/pam_modutil_getpwuid.c
index 15fe077c..3ea02488 100644
--- a/Linux-PAM/libpam/pam_modutil_getpwuid.c
+++ b/Linux-PAM/libpam/pam_modutil_getpwuid.c
@@ -1,5 +1,5 @@
 /*
- * $Id: pam_modutil_getpwuid.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getpwuid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
  *
  * This function provides a thread safer version of getpwuid() for use
  * with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_modutil_getspnam.c b/Linux-PAM/libpam/pam_modutil_getspnam.c
index 1c926063..6c02e9c2 100644
--- a/Linux-PAM/libpam/pam_modutil_getspnam.c
+++ b/Linux-PAM/libpam/pam_modutil_getspnam.c
@@ -1,5 +1,5 @@
 /*
- * $Id: pam_modutil_getspnam.c,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_getspnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
  *
  * This function provides a thread safer version of getspnam() for use
  * with PAM modules that care about this sort of thing.
diff --git a/Linux-PAM/libpam/pam_private.h b/Linux-PAM/libpam/pam_private.h
index 8b7d9146..333f4d0f 100644
--- a/Linux-PAM/libpam/pam_private.h
+++ b/Linux-PAM/libpam/pam_private.h
@@ -44,7 +44,7 @@
 #define _PAM_INVALID_RETVAL  -1    /* default value for cached_retval */
 
 struct handler {
-    int must_fail;
+    int handler_type;
     int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv);
     int actions[_PAM_RETURN_VALUES];
     /* set by authenticate, open_session, chauthtok(1st)
@@ -54,8 +54,13 @@ struct handler {
     char **argv;
     struct handler *next;
     char *mod_name;
+    int stack_level;
 };
 
+#define PAM_HT_MODULE       0
+#define PAM_HT_MUST_FAIL    1
+#define PAM_HT_SUBSTACK     2
+
 struct loaded_module {
     char *name;
     int type; /* PAM_STATIC_MOD or PAM_DYNAMIC_MOD */
@@ -76,7 +81,7 @@ struct handlers {
 };
 
 struct service {
-    struct loaded_module *module; /* Only used for dynamic loading */
+    struct loaded_module *module; /* Array of modules */
     int modules_allocated;
     int modules_used;
     int handlers_loaded;
@@ -111,6 +116,12 @@ struct _pam_fail_delay {
     const void *delay_fn_ptr;
 };
 
+/* initial state in substack */
+struct _pam_substack_state {
+    int impression;
+    int status;
+};
+
 struct _pam_former_state {
 /* this is known and set by _pam_dispatch() */
     int choice;            /* which flavor of module function did we call? */
@@ -119,6 +130,7 @@ struct _pam_former_state {
     int depth;             /* how deep in the stack were we? */
     int impression;        /* the impression at that time */
     int status;            /* the status before returning incomplete */
+    struct _pam_substack_state *substates; /* array of initial substack states */
 
 /* state info used by pam_get_user() function */
     int fail_user;
@@ -140,9 +152,11 @@ struct pam_handle {
     char *rhost;
     char *ruser;
     char *tty;
+    char *xdisplay;
     struct pam_data *data;
     struct pam_environ *env;      /* structure to maintain environment list */
     struct _pam_fail_delay fail_delay;   /* helper function for easy delays */
+    struct pam_xauth_data xauth;        /* auth info for X display */
     struct service handlers;
     struct _pam_former_state former;  /* library state - support for
 					 event driven applications */
@@ -175,6 +189,8 @@ struct pam_handle {
 #define _PAM_ACTION_UNDEF      -6   /* this is treated as an error
 				       ( = _PAM_ACTION_BAD) */
 
+#define PAM_SUBSTACK_MAX_LEVEL 16   /* maximum level of substacks */
+
 /* character tables for parsing config files */
 extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF];
 extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1];
@@ -253,6 +269,8 @@ char *_pam_StrTok(char *from, const char *format, char **next);
 
 char *_pam_strdup(const char *s);
 
+char *_pam_memdup(const char *s, int len);
+
 int _pam_mkargv(char *s, char ***argv, int *argc);
 
 void _pam_sanitize(pam_handle_t *pamh);
diff --git a/Linux-PAM/libpam/pam_start.c b/Linux-PAM/libpam/pam_start.c
index b2c62e54..d7198323 100644
--- a/Linux-PAM/libpam/pam_start.c
+++ b/Linux-PAM/libpam/pam_start.c
@@ -3,7 +3,7 @@
 /* Creator Marc Ewing
  * Maintained by AGM
  *
- * $Id: pam_start.c,v 1.9 2006/07/24 15:47:40 kukuk Exp $
+ * $Id: pam_start.c,v 1.10 2007/10/19 17:06:30 t8m Exp $
  *
  */
 
@@ -88,6 +88,7 @@ int pam_start (
     (*pamh)->oldauthtok = NULL;
     (*pamh)->fail_delay.delay_fn_ptr = NULL;
     (*pamh)->former.choice = PAM_NOT_STACKED;
+    (*pamh)->former.substates = NULL;
 #ifdef HAVE_LIBAUDIT
     (*pamh)->audit_state = 0;
 #endif
diff --git a/Linux-PAM/libpam/pam_static_modules.h b/Linux-PAM/libpam/pam_static_modules.h
index 27b70826..a66b486d 100644
--- a/Linux-PAM/libpam/pam_static_modules.h
+++ b/Linux-PAM/libpam/pam_static_modules.h
@@ -45,7 +45,9 @@ extern struct pam_module _pam_filter_modstruct;
 extern struct pam_module _pam_ftp_modstruct;
 extern struct pam_module _pam_group_modstruct;
 extern struct pam_module _pam_issue_modstruct;
+#ifdef HAVE_KEY_MANAGEMENT
 extern struct pam_module _pam_keyinit_modstruct;
+#endif
 extern struct pam_module _pam_lastlog_modstruct;
 extern struct pam_module _pam_limits_modstruct;
 extern struct pam_module _pam_listfile_modstruct;
@@ -55,7 +57,7 @@ extern struct pam_module _pam_mail_modstruct;
 extern struct pam_module _pam_mkhomedir_modstruct;
 extern struct pam_module _pam_motd_modstruct;
 #ifdef HAVE_UNSHARE
-extern struct pam_module _pam_namespace;
+extern struct pam_module _pam_namespace_modstruct;
 #endif
 extern struct pam_module _pam_nologin_modstruct;
 extern struct pam_module _pam_permit_modstruct;
@@ -65,12 +67,16 @@ extern struct pam_module _pam_rootok_modstruct;
 extern struct pam_module _pam_securetty_modstruct;
 #ifdef WITH_SELINUX
 extern struct pam_module _pam_selinux_modstruct;
+extern struct pam_module _pam_sepermit_modstruct;
 #endif
 extern struct pam_module _pam_shells_modstruct;
 extern struct pam_module _pam_stress_modstruct;
 extern struct pam_module _pam_succeed_if_modstruct;
 extern struct pam_module _pam_tally_modstruct;
 extern struct pam_module _pam_time_modstruct;
+#ifdef HAVE_AUDIT_TTY_STATUS
+extern struct pam_module _pam_tty_audit_modstruct;
+#endif
 extern struct pam_module _pam_umask_modstruct;
 extern struct pam_module _pam_unix_acct_modstruct;
 extern struct pam_module _pam_unix_auth_modstruct;
@@ -92,12 +98,14 @@ static struct pam_module *static_modules[] = {
   &_pam_echo_modstruct,
   &_pam_env_modstruct,
   &_pam_exec_modstruct,
-  &_pam_faildelay,
+  &_pam_faildelay_modstruct,
   &_pam_filter_modstruct,
   &_pam_ftp_modstruct,
   &_pam_group_modstruct,
   &_pam_issue_modstruct,
+#ifdef HAVE_KEY_MANAGEMENT
   &_pam_keyinit_modstruct,
+#endif
   &_pam_lastlog_modstruct,
   &_pam_limits_modstruct,
   &_pam_listfile_modstruct,
@@ -107,7 +115,7 @@ static struct pam_module *static_modules[] = {
   &_pam_mkhomedir_modstruct,
   &_pam_motd_modstruct,
 #ifdef HAVE_UNSHARE
-  &_pam_namespace,
+  &_pam_namespace_modstruct,
 #endif
   &_pam_nologin_modstruct,
   &_pam_permit_modstruct,
@@ -117,12 +125,16 @@ static struct pam_module *static_modules[] = {
   &_pam_securetty_modstruct,
 #ifdef WITH_SELINUX
   &_pam_selinux_modstruct,
+  &_pam_sepermit_modstruct,
 #endif
   &_pam_shells_modstruct,
   &_pam_stress_modstruct,
   &_pam_succeed_if_modstruct,
   &_pam_tally_modstruct,
   &_pam_time_modstruct,
+#ifdef HAVE_AUDIT_TTY_STATUS
+  &_pam_tty_audit_modstruct,
+#endif
   &_pam_umask_modstruct,
   &_pam_unix_acct_modstruct,
   &_pam_unix_auth_modstruct,
diff --git a/Linux-PAM/modules/Makefile.am b/Linux-PAM/modules/Makefile.am
index 1272b0e8..c79f5957 100644
--- a/Linux-PAM/modules/Makefile.am
+++ b/Linux-PAM/modules/Makefile.am
@@ -6,10 +6,10 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
 	pam_env pam_filter pam_ftp pam_group pam_issue pam_keyinit \
 	pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \
 	pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \
-	pam_securetty pam_selinux pam_shells pam_stress pam_succeed_if \
-	pam_tally pam_time pam_umask pam_unix pam_userdb pam_warn \
-	pam_wheel pam_xauth pam_exec pam_namespace pam_loginuid \
-	pam_faildelay
+	pam_securetty pam_selinux pam_sepermit pam_shells pam_stress \
+	pam_succeed_if pam_tally pam_time pam_tty_audit pam_umask \
+	pam_unix pam_userdb pam_warn pam_wheel pam_xauth pam_exec \
+	pam_namespace pam_loginuid pam_faildelay
 
 CLEANFILES = *~
 
diff --git a/Linux-PAM/modules/pam_access/README b/Linux-PAM/modules/pam_access/README
index a3adcc8f..ec0d67e0 100644
--- a/Linux-PAM/modules/pam_access/README
+++ b/Linux-PAM/modules/pam_access/README
@@ -12,6 +12,9 @@ of non-networked logins.
 By default rules for access management are taken from config file /etc/security
 /access.conf if you don't specify another file.
 
+If Linux PAM is compiled with audit support the module will report when it
+denies access based on origin (host or tty).
+
 OPTIONS
 
 accessfile=/path/to/access.conf
@@ -24,6 +27,10 @@ debug
 
     A lot of debug informations are printed with syslog(3).
 
+noaudit
+
+    Do not report logins from disallowed hosts and ttys to the audit subsystem.
+
 fieldsep=separators
 
     This option modifies the field separator character that pam_access will
diff --git a/Linux-PAM/modules/pam_access/access.conf.5 b/Linux-PAM/modules/pam_access/access.conf.5
index fcd33bb4..9b8fb70b 100644
--- a/Linux-PAM/modules/pam_access/access.conf.5
+++ b/Linux-PAM/modules/pam_access/access.conf.5
@@ -1,32 +1,32 @@
 .\"     Title: access.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 06/22/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "ACCESS.CONF" "5" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "ACCESS\.CONF" "5" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-access.conf \- the login access control table file
+access.conf - the login access control table file
 .SH "DESCRIPTION"
 .PP
 The
-\fI/etc/security/access.conf\fR
+\fI/etc/security/access\.conf\fR
 file specifies (\fIuser/group\fR,
 \fIhost\fR), (\fIuser/group\fR,
 \fInetwork/netmask\fR) or (\fIuser/group\fR,
-\fItty\fR) combinations for which a login will be either accepted or refused.
+\fItty\fR) combinations for which a login will be either accepted or refused\.
 .PP
 When someone logs in, the file
-\fIaccess.conf\fR
+\fIaccess\.conf\fR
 is scanned for the first entry that matches the (\fIuser/group\fR,
 \fIhost\fR) or (\fIuser/group\fR,
 \fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR,
-\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused.
+\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\.
 .PP
 Each line of the login access control table has three fields separated by a ":" character (colon):
 .PP
@@ -35,92 +35,92 @@ Each line of the login access control table has three fields separated by a ":"
 .PP
 The first field, the
 \fIpermission\fR
-field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied.
+field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\.
 .PP
 The second field, the
 \fIusers\fR/\fIgroup\fR
 field, should be a list of one or more login names, group names, or
 \fIALL\fR
-(which always matches). To differentiate user entries from group entries, group entries should be written with brackets, e.g.
-\fI(group)\fR.
+(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\.
+\fI(group)\fR\.
 .PP
 The third field, the
 \fIorigins\fR
-field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
+field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
 \fIALL\fR
 (which always matches) or
 \fILOCAL\fR
-(which matches any string that does not contain a "." character). If supported by the system you can use
+(which matches any string that does not contain a "\." character)\. If supported by the system you can use
 \fI@netgroupname\fR
-in host or user patterns.
+in host or user patterns\.
 .PP
 The
 \fIEXCEPT\fR
-operator makes it possible to write very compact rules.
+operator makes it possible to write very compact rules\.
 .PP
 If the
 \fBnodefgroup\fR
-is not set, the group file is searched when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user.
+is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\.
 .PP
-The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line.
+The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\.
 .SH "EXAMPLES"
 .PP
 These are some example lines which might be specified in
-\fI/etc/security/access.conf\fR.
+\fI/etc/security/access\.conf\fR\.
 .PP
 User
 \fIroot\fR
 should be allowed to get access via
 \fIcron\fR, X11 terminal
 \fI:0\fR,
-\fItty1\fR, ...,
+\fItty1\fR, \.\.\.,
 \fItty5\fR,
-\fItty6\fR.
+\fItty6\fR\.
 .PP
 + : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
 .PP
 User
 \fIroot\fR
-should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too.
+should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\.
 .PP
-+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
++ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9
 .PP
-+ : root : 127.0.0.1
++ : root : 127\.0\.0\.1
 .PP
 User
 \fIroot\fR
 should get access from network
-192.168.201.
-where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of
-192.168.201.
+192\.168\.201\.
+where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. The same meaning of
+192\.168\.201\.
 is
-\fI192.168.201.0/24\fR
+\fI192\.168\.201\.0/24\fR
 or
-\fI192.168.201.0/255.255.255.0\fR.
+\fI192\.168\.201\.0/255\.255\.255\.0\fR\.
 .PP
-+ : root : 192.168.201.
++ : root : 192\.168\.201\.
 .PP
 User
 \fIroot\fR
 should be able to have access from hosts
-\fIfoo1.bar.org\fR
+\fIfoo1\.bar\.org\fR
 and
-\fIfoo2.bar.org\fR
-(uses string matching also).
+\fIfoo2\.bar\.org\fR
+(uses string matching also)\.
 .PP
-+ : root : foo1.bar.org foo2.bar.org
++ : root : foo1\.bar\.org foo2\.bar\.org
 .PP
 User
 \fIroot\fR
 should be able to have access from domain
-\fIfoo.bar.org\fR
-(uses string matching also).
+\fIfoo\.bar\.org\fR
+(uses string matching also)\.
 .PP
-+ : root : .foo.bar.org
++ : root : \.foo\.bar\.org
 .PP
 User
 \fIroot\fR
-should be denied to get access from all other sources.
+should be denied to get access from all other sources\.
 .PP
 \- : root : ALL
 .PP
@@ -128,7 +128,7 @@ User
 \fIfoo\fR
 and members of netgroup
 \fIadmins\fR
-should be allowed to get access from all sources. This will only work if netgroup service is available.
+should be allowed to get access from all sources\. This will only work if netgroup service is available\.
 .PP
 + : @admins foo : ALL
 .PP
@@ -136,21 +136,21 @@ User
 \fIjohn\fR
 and
 \fIfoo\fR
-should get access from IPv6 host address.
+should get access from IPv6 host address\.
 .PP
 + : john foo : 2001:4ca0:0:101::1
 .PP
 User
 \fIjohn\fR
-should get access from IPv6 net/mask.
+should get access from IPv6 net/mask\.
 .PP
 + : john : 2001:4ca0:0:101::/64
 .PP
-Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group.
+Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\.
 .PP
 \-:ALL EXCEPT (wheel) shutdown sync:LOCAL
 .PP
-All other users should be denied to get access from all sources.
+All other users should be denied to get access from all sources\.
 .PP
 \- : ALL : ALL
 .SH "SEE ALSO"
@@ -165,6 +165,6 @@ Original
 \fBlogin.access\fR(5)
 manual was provided by Guido van Rooij which was renamed to
 \fBaccess.conf\fR(5)
-to reflect relation to default config file.
+to reflect relation to default config file\.
 .PP
-Network address / netmask description and example text was introduced by Mike Becher <mike.becher@lrz\-muenchen.de>.
+Network address / netmask description and example text was introduced by Mike Becher <mike\.becher@lrz\-muenchen\.de>\.
diff --git a/Linux-PAM/modules/pam_access/pam_access.8 b/Linux-PAM/modules/pam_access/pam_access.8
index ca8cc5b0..415df624 100644
--- a/Linux-PAM/modules/pam_access/pam_access.8
+++ b/Linux-PAM/modules/pam_access/pam_access.8
@@ -1,96 +1,103 @@
 .\"     Title: pam_access
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 06/22/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ACCESS" "8" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ACCESS" "8" "01/08/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_access \- PAM module for logdaemon style login access control
+pam_access - PAM module for logdaemon style login access control
 .SH "SYNOPSIS"
 .HP 14
-\fBpam_access.so\fR [debug] [nodefgroup] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR]
+\fBpam_access\.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR]
 .SH "DESCRIPTION"
 .PP
-The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins.
+The pam_access PAM module is mainly for access management\. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\.
 .PP
 By default rules for access management are taken from config file
-\fI/etc/security/access.conf\fR
-if you don't specify another file.
+\fI/etc/security/access\.conf\fR
+if you don\'t specify another file\.
+.PP
+If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\.
 .SH "OPTIONS"
 .PP
-\fBaccessfile=\fR\fB\fI/path/to/access.conf\fR\fR
+\fBaccessfile=\fR\fB\fI/path/to/access\.conf\fR\fR
 .RS 4
 Indicate an alternative
-\fIaccess.conf\fR
-style configuration file to override the default. This can be useful when different services need different access lists.
+\fIaccess\.conf\fR
+style configuration file to override the default\. This can be useful when different services need different access lists\.
 .RE
 .PP
 \fBdebug\fR
 .RS 4
 A lot of debug informations are printed with
-\fBsyslog\fR(3).
+\fBsyslog\fR(3)\.
+.RE
+.PP
+\fBnoaudit\fR
+.RS 4
+Do not report logins from disallowed hosts and ttys to the audit subsystem\.
 .RE
 .PP
 \fBfieldsep=\fR\fB\fIseparators\fR\fR
 .RS 4
-This option modifies the field separator character that pam_access will recognize when parsing the access configuration file. For example:
+This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\. For example:
 \fBfieldsep=|\fR
-will cause the default `:' character to be treated as part of a field value and `|' becomes the field separator. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the
+will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the
 \fBPAM_TTY\fR
-item is likely to be of the form "hostname:0" which includes a `:' character in its value. But you should not need this.
+item is likely to be of the form "hostname:0" which includes a `:\' character in its value\. But you should not need this\.
 .RE
 .PP
 \fBlistsep=\fR\fB\fIseparators\fR\fR
 .RS 4
-This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. For example:
+This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\. For example:
 \fBlistsep=,\fR
-will cause the default ` ' (space) and `\\t' (tab) characters to be treated as part of a list element value and `,' becomes the only list element separator. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space.
+will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\.
 .RE
 .PP
 \fBnodefgroup\fR
 .RS 4
-The group database will not be used for tokens not identified as account name.
+The group database will not be used for tokens not identified as account name\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
-All services are supported.
+All services are supported\.
 .SH "RETURN VALUES"
 .PP
 PAM_SUCCESS
 .RS 4
-Access was granted.
+Access was granted\.
 .RE
 .PP
 PAM_PERM_DENIED
 .RS 4
-Access was not granted.
+Access was not granted\.
 .RE
 .PP
 PAM_IGNORE
 .RS 4
 
 \fBpam_setcred\fR
-was called which does nothing.
+was called which does nothing\.
 .RE
 .PP
 PAM_ABORT
 .RS 4
-Not all relevant data or options could be gotten.
+Not all relevant data or options could be gotten\.
 .RE
 .PP
 PAM_USER_UNKNOWN
 .RS 4
-The user is not known to the system.
+The user is not known to the system\.
 .RE
 .SH "FILES"
 .PP
-\fI/etc/security/access.conf\fR
+\fI/etc/security/access\.conf\fR
 .RS 4
 Default configuration file
 .RE
@@ -99,7 +106,7 @@ Default configuration file
 
 \fBaccess.conf\fR(5),
 \fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
 .SH "AUTHORS"
 .PP
-The logdaemon style login access control scheme was designed and implemented by Wietse Venema. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin.dnttm.ru>. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike.becher@lrz\-muenchen.de>.
+The logdaemon style login access control scheme was designed and implemented by Wietse Venema\. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\.dnttm\.ru>\. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\.becher@lrz\-muenchen\.de>\.
diff --git a/Linux-PAM/modules/pam_access/pam_access.8.xml b/Linux-PAM/modules/pam_access/pam_access.8.xml
index 1d814e88..21970d49 100644
--- a/Linux-PAM/modules/pam_access/pam_access.8.xml
+++ b/Linux-PAM/modules/pam_access/pam_access.8.xml
@@ -29,6 +29,9 @@
         nodefgroup
       </arg>
       <arg choice="opt">
+        noaudit
+      </arg>
+      <arg choice="opt">
         accessfile=<replaceable>file</replaceable>
       </arg>
       <arg choice="opt">
@@ -54,6 +57,10 @@
       <filename>/etc/security/access.conf</filename> if you don't specify
       another file.
     </para>
+    <para>
+      If Linux PAM is compiled with audit support the module will report
+      when it denies access based on origin (host or tty). 
+    </para>
   </refsect1>
 
   <refsect1 id="pam_access-options">
@@ -87,6 +94,17 @@
 
       <varlistentry>
         <term>
+          <option>noaudit</option>
+        </term>
+        <listitem>
+          <para>
+            Do not report logins from disallowed hosts and ttys to the audit subsystem.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
           <option>fieldsep=<replaceable>separators</replaceable></option>
         </term>
         <listitem>
diff --git a/Linux-PAM/modules/pam_access/pam_access.c b/Linux-PAM/modules/pam_access/pam_access.c
index e12bc721..edb8fb0a 100644
--- a/Linux-PAM/modules/pam_access/pam_access.c
+++ b/Linux-PAM/modules/pam_access/pam_access.c
@@ -46,6 +46,10 @@
 #include <netdb.h>
 #include <sys/socket.h>
 
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif                                                                                                                                         
+
 /*
  * here, we make definitions for the externally accessible functions
  * in this file (these definitions are required for static modules
@@ -81,17 +85,11 @@
 
  /* Delimiters for fields and for lists of users, ttys or hosts. */
 
-static const char *fs = ":";			/* field separator */
-static const char *sep = ", \t";		/* list-element separator */
-
- /* Constants to be used in assignments only, not in comparisons... */
 
+#define ALL             2
 #define YES             1
 #define NO              0
 
-/* Only allow group entries of the form "(xyz)" */
-static int only_new_group_syntax = NO;
-
  /*
   * A structure to bundle up all login-related information to keep the
   * functional interfaces as generic as possible.
@@ -100,12 +98,13 @@ struct login_info {
     const struct passwd *user;
     const char *from;
     const char *config_file;
+    int debug;              		/* Print debugging messages. */
+    int only_new_group_syntax;		/* Only allow group entries of the form "(xyz)" */
+    int noaudit;			/* Do not audit denials */
+    const char *fs;			/* field separator */
+    const char *sep;			/* list-element separator */
 };
 
-/* Print debugging messages.
-   Default is NO which means don't print debugging messages.  */
-static char pam_access_debug = NO;
-
 /* Parse module config arguments */
 
 static int
@@ -113,17 +112,22 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
            int argc, const char **argv)
 {
     int i;
-
+    
+    loginfo->noaudit = NO;
+    loginfo->debug = NO;
+    loginfo->only_new_group_syntax = NO;
+    loginfo->fs = ":";
+    loginfo->sep = ", \t";
     for (i=0; i<argc; ++i) {
 	if (!strncmp("fieldsep=", argv[i], 9)) {
 
 	    /* the admin wants to override the default field separators */
-	    fs = argv[i]+9;
+	    loginfo->fs = argv[i]+9;
 
 	} else if (!strncmp("listsep=", argv[i], 8)) {
 
 	    /* the admin wants to override the default list separators */
-	    sep = argv[i]+8;
+	    loginfo->sep = argv[i]+8;
 
 	} else if (!strncmp("accessfile=", argv[i], 11)) {
 	    FILE *fp = fopen(11 + argv[i], "r");
@@ -138,9 +142,11 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
 	    }
 
 	} else if (strcmp (argv[i], "debug") == 0) {
-	    pam_access_debug = YES;
+	    loginfo->debug = YES;
 	} else if (strcmp (argv[i], "nodefgroup") == 0) {
-	    only_new_group_syntax = YES;
+	    loginfo->only_new_group_syntax = YES;
+	} else if (strcmp (argv[i], "noaudit") == 0) {
+	    loginfo->noaudit = YES;
 	} else {
 	    pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
 	}
@@ -156,10 +162,10 @@ typedef int match_func (pam_handle_t *, char *, struct login_info *);
 static int list_match (pam_handle_t *, char *, char *, struct login_info *,
 		       match_func *);
 static int user_match (pam_handle_t *, char *, struct login_info *);
-static int group_match (pam_handle_t *, const char *, const char *);
+static int group_match (pam_handle_t *, const char *, const char *, int);
 static int from_match (pam_handle_t *, char *, struct login_info *);
-static int string_match (pam_handle_t *, const char *, const char *);
-static int network_netmask_match (pam_handle_t *, const char *, const char *);
+static int string_match (pam_handle_t *, const char *, const char *, int);
+static int network_netmask_match (pam_handle_t *, const char *, const char *, int);
 
 
 /* isipaddr - find out if string provided is an IP address or not */
@@ -325,11 +331,12 @@ login_access (pam_handle_t *pamh, struct login_info *item)
     char   *users;		/* becomes list of login names */
     char   *froms;		/* becomes list of terminals or hosts */
     int     match = NO;
+    int     nonall_match = NO;
     int     end;
     int     lineno = 0;		/* for diagnostics */
     char   *sptr;
 
-    if (pam_access_debug)
+    if (item->debug)
       pam_syslog (pamh, LOG_DEBUG,
 		  "login_access: user=%s, from=%s, file=%s",
 		  item->user->pw_name,
@@ -361,8 +368,8 @@ login_access (pam_handle_t *pamh, struct login_info *item)
 		continue;
 
 	    /* Allow field seperator in last field of froms */
-	    if (!(perm = strtok_r(line, fs, &sptr))
-		|| !(users = strtok_r(NULL, fs, &sptr))
+	    if (!(perm = strtok_r(line, item->fs, &sptr))
+		|| !(users = strtok_r(NULL, item->fs, &sptr))
   	        || !(froms = strtok_r(NULL, "\n", &sptr))) {
 		pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count",
 			   item->config_file, lineno);
@@ -373,17 +380,22 @@ login_access (pam_handle_t *pamh, struct login_info *item)
 			   item->config_file, lineno);
 		continue;
 	    }
-	    if (pam_access_debug)
+	    if (item->debug)
 	      pam_syslog (pamh, LOG_DEBUG,
 			  "line %d: %s : %s : %s", lineno, perm, users, froms);
-	    match = list_match(pamh, froms, NULL, item, from_match);
-	    if (pam_access_debug)
-	      pam_syslog (pamh, LOG_DEBUG,
-			  "from_match=%d, \"%s\"", match, item->from);
-	    match = match && list_match (pamh, users, NULL, item, user_match);
-	    if (pam_access_debug)
+	    match = list_match(pamh, users, NULL, item, user_match);
+	    if (item->debug)
 	      pam_syslog (pamh, LOG_DEBUG, "user_match=%d, \"%s\"",
 			  match, item->user->pw_name);
+	    if (match) {
+		match = list_match(pamh, froms, NULL, item, from_match);
+		if (!match && perm[0] == '+') {
+		    nonall_match = YES;
+		}
+		if (item->debug)
+	    	    pam_syslog (pamh, LOG_DEBUG,
+			  "from_match=%d, \"%s\"", match, item->from);
+	    }
 	}
 	(void) fclose(fp);
     } else if (errno == ENOENT) {
@@ -394,6 +406,13 @@ login_access (pam_handle_t *pamh, struct login_info *item)
         pam_syslog(pamh, LOG_ERR, "cannot open %s: %m", item->config_file);
 	return NO;
     }
+#ifdef HAVE_LIBAUDIT
+    if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL &&
+	nonall_match == YES))) {
+	pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION,
+	    "pam_access", 0);
+    }
+#endif
     return (match == NO || (line[0] == '+'));
 }
 
@@ -407,7 +426,7 @@ list_match(pam_handle_t *pamh, char *list, char *sptr,
     char   *tok;
     int     match = NO;
 
-    if (pam_access_debug && list != NULL)
+    if (item->debug && list != NULL)
       pam_syslog (pamh, LOG_DEBUG,
 		  "list_match: list=%s, item=%s", list, item->user->pw_name);
 
@@ -418,8 +437,8 @@ list_match(pam_handle_t *pamh, char *list, char *sptr,
      * the match is affected by any exceptions.
      */
 
-    for (tok = strtok_r(list, sep, &sptr); tok != 0;
-	 tok = strtok_r(NULL, sep, &sptr)) {
+    for (tok = strtok_r(list, item->sep, &sptr); tok != 0;
+	 tok = strtok_r(NULL, item->sep, &sptr)) {
 	if (strcasecmp(tok, "EXCEPT") == 0)	/* EXCEPT: give up */
 	    break;
 	if ((match = (*match_fn) (pamh, tok, item)))	/* YES */
@@ -428,10 +447,12 @@ list_match(pam_handle_t *pamh, char *list, char *sptr,
     /* Process exceptions to matches. */
 
     if (match != NO) {
-	while ((tok = strtok_r(NULL, sep, &sptr)) && strcasecmp(tok, "EXCEPT"))
+	while ((tok = strtok_r(NULL, item->sep, &sptr)) && strcasecmp(tok, "EXCEPT"))
 	     /* VOID */ ;
-	if (tok == 0 || list_match(pamh, NULL, sptr, item, match_fn) == NO)
-	    return (match);
+	if (tok == 0)
+	    return match;
+	if (list_match(pamh, NULL, sptr, item, match_fn) == NO)
+	    return YES; /* drop special meaning of ALL */
     }
     return (NO);
 }
@@ -453,7 +474,7 @@ static char *myhostname(void)
 
 static int
 netgroup_match (pam_handle_t *pamh, const char *netgroup,
-		const char *machine, const char *user)
+		const char *machine, const char *user, int debug)
 {
   char *mydomain = NULL;
   int retval;
@@ -462,7 +483,7 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup,
 
 
   retval = innetgr (netgroup, machine, user, mydomain);
-  if (pam_access_debug == YES)
+  if (debug == YES)
     pam_syslog (pamh, LOG_DEBUG,
 		"netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)",
 		retval, netgroup ? netgroup : "NULL",
@@ -480,8 +501,9 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
     char   *string = item->user->pw_name;
     struct login_info fake_item;
     char   *at;
+    int    rv;
 
-    if (pam_access_debug)
+    if (item->debug)
       pam_syslog (pamh, LOG_DEBUG,
 		  "user_match: tok=%s, item=%s", tok, string);
 
@@ -500,12 +522,12 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
 	return (user_match (pamh, tok, item) &&
 		from_match (pamh, at + 1, &fake_item));
     } else if (tok[0] == '@') /* netgroup */
-      return (netgroup_match (pamh, tok + 1, (char *) 0, string));
+      return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug));
     else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
-      return (group_match (pamh, tok, string));
-    else if (string_match (pamh, tok, string)) /* ALL or exact match */
-      return YES;
-    else if (only_new_group_syntax == NO &&
+      return (group_match (pamh, tok, string, item->debug));
+    else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+      return rv;
+    else if (item->only_new_group_syntax == NO &&
 	     pam_modutil_user_in_group_nam_nam (pamh,
 						item->user->pw_name, tok))
       /* try group membership */
@@ -518,11 +540,12 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
 /* group_match - match a username against token named group */
 
 static int
-group_match (pam_handle_t *pamh, const char *tok, const char* usr)
+group_match (pam_handle_t *pamh, const char *tok, const char* usr,
+    int debug)
 {
     char grptok[BUFSIZ];
 
-    if (pam_access_debug)
+    if (debug)
         pam_syslog (pamh, LOG_DEBUG,
 		    "group_match: grp=%s, user=%s", grptok, usr);
 
@@ -548,8 +571,9 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
     const char *string = item->from;
     int        tok_len;
     int        str_len;
+    int        rv;
 
-    if (pam_access_debug)
+    if (item->debug)
       pam_syslog (pamh, LOG_DEBUG,
 		  "from_match: tok=%s, item=%s", tok, string);
 
@@ -565,10 +589,10 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
     if (string == NULL) {
 	return NO;
     } else if (tok[0] == '@') {			/* netgroup */
-        return (netgroup_match (pamh, tok + 1, string, (char *) 0));
-    } else if (string_match(pamh, tok, string)) {
+        return (netgroup_match (pamh, tok + 1, string, (char *) 0, item->debug));
+    } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
         /* ALL or exact match */
-	return (YES);
+	return rv;
     } else if (tok[0] == '.') {			/* domain: match last fields */
 	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
 	    && strcasecmp(tok, string + str_len - tok_len) == 0)
@@ -614,7 +638,7 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 	}
     } else  if (isipaddr(string, NULL, NULL) == YES) {
       /* Assume network/netmask with a IP of a host.  */
-      if (network_netmask_match(pamh, tok, string))
+      if (network_netmask_match(pamh, tok, string, item->debug))
 	return YES;
     } else {
       /* Assume network/netmask with a name of a host.  */
@@ -641,7 +665,7 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 			 : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
 			 buf, sizeof (buf));
 
-	      if (network_netmask_match(pamh, tok, buf))
+	      if (network_netmask_match(pamh, tok, buf, item->debug))
 		{
 		  freeaddrinfo (res);
 		  return YES;
@@ -658,10 +682,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
 /* string_match - match a string against one token */
 
 static int
-string_match (pam_handle_t *pamh, const char *tok, const char *string)
+string_match (pam_handle_t *pamh, const char *tok, const char *string,
+    int debug)
 {
 
-    if (pam_access_debug)
+    if (debug)
         pam_syslog (pamh, LOG_DEBUG,
 		    "string_match: tok=%s, item=%s", tok, string);
 
@@ -672,7 +697,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string)
      */
 
     if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
-	return (YES);
+	return (ALL);
     } else if (string != NULL) {
 	if (strcasecmp(tok, string) == 0) {	/* try exact match */
 	    return (YES);
@@ -690,9 +715,9 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string)
  */
 static int
 network_netmask_match (pam_handle_t *pamh,
-		       const char *tok, const char *string)
+		       const char *tok, const char *string, int debug)
 {
-  if (pam_access_debug)
+  if (debug)
     pam_syslog (pamh, LOG_DEBUG,
 		"network_netmask_match: tok=%s, item=%s", tok, string);
 
@@ -771,6 +796,22 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 	return PAM_USER_UNKNOWN;
     }
 
+    if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL)
+      return (PAM_USER_UNKNOWN);
+
+    /*
+     * Bundle up the arguments to avoid unnecessary clumsiness later on.
+     */
+    loginfo.user = user_pw;
+    loginfo.config_file = PAM_ACCESS_CONFIG;
+
+    /* parse the argument list */
+
+    if (!parse_args(pamh, &loginfo, argc, argv)) {
+	pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments");
+	return PAM_ABORT;
+    }
+
     /* remote host name */
 
     if (pam_get_item(pamh, PAM_RHOST, &void_from)
@@ -799,7 +840,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 		return PAM_ABORT;
 	      }
 	      from = void_from;
-	      if (pam_access_debug)
+	      if (loginfo.debug)
 		pam_syslog (pamh, LOG_DEBUG,
 			    "cannot determine tty or remote hostname, using service %s",
 			    from);
@@ -817,22 +858,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 	}
     }
 
-    if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL)
-      return (PAM_USER_UNKNOWN);
-
-    /*
-     * Bundle up the arguments to avoid unnecessary clumsiness later on.
-     */
-    loginfo.user = user_pw;
     loginfo.from = from;
-    loginfo.config_file = PAM_ACCESS_CONFIG;
-
-    /* parse the argument list */
-
-    if (!parse_args(pamh, &loginfo, argc, argv)) {
-	pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments");
-	return PAM_ABORT;
-    }
 
     if (login_access(pamh, &loginfo)) {
 	return (PAM_SUCCESS);
diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8
index 8ccf8059..7796b419 100644
--- a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8
+++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8
@@ -1,33 +1,33 @@
 .\"     Title: pam_cracklib
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 06/20/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_CRACKLIB" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CRACKLIB" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_cracklib \- PAM module to check the password against dictionary words
+pam_cracklib - PAM module to check the password against dictionary words
 .SH "SYNOPSIS"
 .HP 16
-\fBpam_cracklib.so\fR [\fI...\fR]
+\fBpam_cracklib\.so\fR [\fI\.\.\.\fR]
 .SH "DESCRIPTION"
 .PP
 This module can be plugged into the
 \fIpassword\fR
-stack of a given application to provide some plug\-in strength\-checking for passwords.
+stack of a given application to provide some plug\-in strength\-checking for passwords\.
 .PP
-The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.
+The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\.
 .PP
-The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.
+The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\.
 .PP
 The strength checks works in the following manner: at first the
 \fBCracklib\fR
-routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are:
+routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\. These checks are:
 .PP
 Palindrome
 .RS 4
@@ -43,15 +43,15 @@ Similar
 .RS 4
 Is the new password too much like the old one? This is primarily controlled by one argument,
 \fBdifok\fR
-which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller.
+which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\.
 .sp
 To avoid the lockup associated with trying to change a long and complicated password,
 \fBdifignore\fR
-is available. This argument can be used to specify the minimum length a new password needs to be before the
+is available\. This argument can be used to specify the minimum length a new password needs to be before the
 \fBdifok\fR
-value is ignored. The default value for
+value is ignored\. The default value for
 \fBdifignore\fR
-is 23.
+is 23\.
 .RE
 .PP
 Simple
@@ -61,7 +61,7 @@ Is the new password too small? This is controlled by 5 arguments
 \fBdcredit\fR,
 \fBucredit\fR,
 \fBlcredit\fR, and
-\fBocredit\fR. See the section on the arguments for the details of how these work and there defaults.
+\fBocredit\fR\. See the section on the arguments for the details of how these work and there defaults\.
 .RE
 .PP
 Rotated
@@ -72,10 +72,10 @@ Is the new password a rotated version of the old password?
 Already used
 .RS 4
 Was the password used in the past? Previously used passwords are to be found in
-\fI/etc/security/opasswd\fR.
+\fI/etc/security/opasswd\fR\.
 .RE
 .PP
-This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password.
+This module with no arguments will work well for standard unix password encryption\. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\.\.\. In addition, the default action is to allow passwords as small as 5 characters in length\. For a md5 systems it can be a good idea to increase the required minimum size of a password\. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\.
 .SH "OPTIONS"
 .PP
 .PP
@@ -83,21 +83,21 @@ This module with no arguments will work well for standard unix password encrypti
 .RS 4
 This option makes the module write information to
 \fBsyslog\fR(3)
-indicating the behavior of the module (this option does not write password information to the log file).
+indicating the behavior of the module (this option does not write password information to the log file)\.
 .RE
 .PP
 \fBtype=\fR\fB\fIXXX\fR\fR
 .RS 4
-The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word
+The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\. The default word
 \fIUNIX\fR
-can be replaced with this option.
+can be replaced with this option\.
 .RE
 .PP
 \fBretry=\fR\fB\fIN\fR\fR
 .RS 4
 Prompt user at most
 \fIN\fR
-times before returning with error. The default is
+times before returning with error\. The default is
 \fI1\fR
 .RE
 .PP
@@ -105,98 +105,98 @@ times before returning with error. The default is
 .RS 4
 This argument will change the default of
 \fI5\fR
-for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
+for the number of characters in the new password that must not be present in the old password\. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\.
 .RE
 .PP
 \fBdifignore=\fR\fB\fIN\fR\fR
 .RS 4
-How many characters should the password have before difok will be ignored. The default is
-\fI23\fR.
+How many characters should the password have before difok will be ignored\. The default is
+\fI23\fR\.
 .RE
 .PP
 \fBminlen=\fR\fB\fIN\fR\fR
 .RS 4
-The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR,
+The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR,
 \fIupper\fR,
 \fIlower\fR
 and
-\fIdigit\fR). The default for this parameter is
+\fIdigit\fR)\. The default for this parameter is
 \fI9\fR
-which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in
+which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\. Note that there is a pair of length limits in
 \fICracklib\fR
 itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to
-\fBminlen\fR. If you want to allow passwords as short as 5 characters you should not use this module.
+\fBminlen\fR\. If you want to allow passwords as short as 5 characters you should not use this module\.
 .RE
 .PP
 \fBdcredit=\fR\fB\fIN\fR\fR
 .RS 4
-(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having digits in the new password\. If you have less than or
 \fIN\fR
 digits, each digit will count +1 towards meeting the current
 \fBminlen\fR
-value. The default for
+value\. The default for
 \fBdcredit\fR
 is 1 which is the recommended value for
 \fBminlen\fR
-less than 10.
+less than 10\.
 .sp
-(N < 0) This is the minimum number of digits that must be met for a new password.
+(N < 0) This is the minimum number of digits that must be met for a new password\.
 .RE
 .PP
 \fBucredit=\fR\fB\fIN\fR\fR
 .RS 4
-(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having upper case letters in the new password\. If you have less than or
 \fIN\fR
 upper case letters each letter will count +1 towards meeting the current
 \fBminlen\fR
-value. The default for
+value\. The default for
 \fBucredit\fR
 is
 \fI1\fR
 which is the recommended value for
 \fBminlen\fR
-less than 10.
+less than 10\.
 .sp
-(N > 0) This is the minimum number of upper case letters that must be met for a new password.
+(N > 0) This is the minimum number of upper case letters that must be met for a new password\.
 .RE
 .PP
 \fBlcredit=\fR\fB\fIN\fR\fR
 .RS 4
-(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having lower case letters in the new password\. If you have less than or
 \fIN\fR
 lower case letters, each letter will count +1 towards meeting the current
 \fBminlen\fR
-value. The default for
+value\. The default for
 \fBlcredit\fR
 is 1 which is the recommended value for
 \fBminlen\fR
-less than 10.
+less than 10\.
 .sp
-(N < 0) This is the minimum number of lower case letters that must be met for a new password.
+(N < 0) This is the minimum number of lower case letters that must be met for a new password\.
 .RE
 .PP
 \fBocredit=\fR\fB\fIN\fR\fR
 .RS 4
-(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having other characters in the new password\. If you have less than or
 \fIN\fR
 other characters, each character will count +1 towards meeting the current
 \fBminlen\fR
-value. The default for
+value\. The default for
 \fBocredit\fR
 is 1 which is the recommended value for
 \fBminlen\fR
-less than 10.
+less than 10\.
 .sp
-(N < 0) This is the minimum number of other characters that must be met for a new password.
+(N < 0) This is the minimum number of other characters that must be met for a new password\.
 .RE
 .PP
 \fBminclass=\fR\fB\fIN\fR\fR
 .RS 4
-The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the
+The minimum number of required classes of characters for the new password\. The default number is zero\. The four classes are digits, upper and lower letters and other characters\. The difference to the
 \fBcredit\fR
-check is that a specific class if of characters is not required. Instead
+check is that a specific class if of characters is not required\. Instead
 \fIN\fR
-out of four of the classes are required.
+out of four of the classes are required\.
 .RE
 .PP
 \fBuse_authtok\fR
@@ -205,41 +205,41 @@ This argument is used to
 \fIforce\fR
 the module to not prompt the user for a new password but use the one provided by the previously stacked
 \fIpassword\fR
-module.
+module\.
 .RE
 .PP
 \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR
 .RS 4
-Path to the cracklib dictionaries.
+Path to the cracklib dictionaries\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only he
 \fBpassword\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
 .PP
 PAM_SUCCESS
 .RS 4
-The new password passes all checks.
+The new password passes all checks\.
 .RE
 .PP
 PAM_AUTHTOK_ERR
 .RS 4
-No new password was entered, the username could not be determined or the new password fails the strength checks.
+No new password was entered, the username could not be determined or the new password fails the strength checks\.
 .RE
 .PP
 PAM_AUTHTOK_RECOVERY_ERR
 .RS 4
-The old password was not supplied by a previous stackked module or got not requested from the user. The first error can happen if
+The old password was not supplied by a previous stacked module or got not requested from the user\. The first error can happen if
 \fBuse_authtok\fR
-is specified.
+is specified\.
 .RE
 .PP
 PAM_SERVICE_ERR
 .RS 4
-A internal error occured.
+A internal error occured\.
 .RE
 .SH "EXAMPLES"
 .PP
@@ -249,53 +249,51 @@ For an example of the use of this module, we show how it may be stacked with the
 .RS 4
 .nf
 #
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
+# These lines stack two password type modules\. In this example the
+# user is given 3 opportunities to enter a strong password\. The
 # "use_authtok" argument ensures that the pam_unix module does not
 # prompt for a password, but instead uses the one provided by
-# pam_cracklib.
+# pam_cracklib\.
 #
-passwd  password required       pam_cracklib.so retry=3
-passwd  password required       pam_unix.so use_authtok
+passwd  password required       pam_cracklib\.so retry=3
+passwd  password required       pam_unix\.so use_authtok
       
 .fi
 .RE
-.sp
 .PP
 Another example (in the
-\fI/etc/pam.d/passwd\fR
+\fI/etc/pam\.d/passwd\fR
 format) is for the case that you want to use md5 password encryption:
 .sp
 .RS 4
 .nf
-#%PAM\-1.0
+#%PAM\-1\.0
 #
 # These lines allow a md5 systems to support passwords of at least 14
 # bytes with extra credit of 2 for digits and 2 for others the new
 # password must have at least three bytes that are not present in the
 # old password
 #
-password  required pam_cracklib.so \\
+password  required pam_cracklib\.so \e
                difok=3 minlen=15 dcredit= 2 ocredit=2
-password  required pam_unix.so use_authtok nullok md5
+password  required pam_unix\.so use_authtok nullok md5
       
 .fi
 .RE
-.sp
 .PP
-And here is another example in case you don't want to use credits:
+And here is another example in case you don\'t want to use credits:
 .sp
 .RS 4
 .nf
-#%PAM\-1.0
+#%PAM\-1\.0
 #
 # These lines require the user to select a password with a minimum
 # length of 8 and with at least 1 digit number, 1 upper case letter,
 # and 1 other character
 #
-password  required pam_cracklib.so \\
+password  required pam_cracklib\.so \e
                dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8
-password  required pam_unix.so use_authtok nullok md5
+password  required pam_unix\.so use_authtok nullok md5
       
 .fi
 .RE
@@ -308,4 +306,4 @@ password  required pam_unix.so use_authtok nullok md5
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
+pam_cracklib was written by Cristian Gafton <gafton@redhat\.com>
diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml
index f97ad8fb..589e7b44 100644
--- a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml
@@ -412,7 +412,7 @@
           <term>PAM_AUTHTOK_RECOVERY_ERR</term>
           <listitem>
             <para>
-              The old password was not supplied by a previous stackked
+              The old password was not supplied by a previous stacked
               module or got not requested from the user.
               The first error can happen if <option>use_authtok</option>
               is specified.
diff --git a/Linux-PAM/modules/pam_debug/pam_debug.8 b/Linux-PAM/modules/pam_debug/pam_debug.8
index ae4a1407..a50b9bfe 100644
--- a/Linux-PAM/modules/pam_debug/pam_debug.8
+++ b/Linux-PAM/modules/pam_debug/pam_debug.8
@@ -1,53 +1,62 @@
 .\"     Title: pam_debug
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/23/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_DEBUG" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DEBUG" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_debug \- PAM module to debug the PAM stack
+pam_debug - PAM module to debug the PAM stack
 .SH "SYNOPSIS"
 .HP 13
-\fBpam_debug.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR]
+\fBpam_debug\.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR]
 .SH "DESCRIPTION"
 .PP
-The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating. This module returns what its module arguments tell it to return.
+The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\. This module returns what its module arguments tell it to return\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBauth=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_authenticate\fR(3)
 function will return
-\fIvalue\fR.
-.TP 3n
+\fIvalue\fR\.
+.RE
+.PP
 \fBcred=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_setcred\fR(3)
 function will return
-\fIvalue\fR.
-.TP 3n
+\fIvalue\fR\.
+.RE
+.PP
 \fBacct=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_acct_mgmt\fR(3)
 function will return
-\fIvalue\fR.
-.TP 3n
+\fIvalue\fR\.
+.RE
+.PP
 \fBprechauthtok=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_chauthtok\fR(3)
 function will return
 \fIvalue\fR
 if the
 \fIPAM_PRELIM_CHECK\fR
-flag is set.
-.TP 3n
+flag is set\.
+.RE
+.PP
 \fBchauthtok=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_chauthtok\fR(3)
 function will return
@@ -56,23 +65,28 @@ if the
 \fIPAM_PRELIM_CHECK\fR
 flag is
 \fBnot\fR
-set.
-.TP 3n
+set\.
+.RE
+.PP
 \fBopen_session=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_open_session\fR(3)
 function will return
-\fIvalue\fR.
-.TP 3n
+\fIvalue\fR\.
+.RE
+.PP
 \fBclose_session=\fR\fB\fIvalue\fR\fR
+.RS 4
 The
 \fBpam_sm_close_session\fR(3)
 function will return
-\fIvalue\fR.
+\fIvalue\fR\.
+.RE
 .PP
 Where
 \fIvalue\fR
-can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete.
+can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete\.
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The services
@@ -81,21 +95,23 @@ The services
 \fBpassword\fR
 and
 \fBsession\fR
-are supported.
+are supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-Default return code if no other value was specified, else specified return value.
+.RS 4
+Default return code if no other value was specified, else specified return value\.
+.RE
 .SH "EXAMPLES"
 .sp
-.RS 3n
+.RS 4
 .nf
-auth    requisite       pam_permit.so
-auth    [success=2 default=ok]  pam_debug.so auth=perm_denied cred=success
-auth    [default=reset]         pam_debug.so auth=success cred=perm_denied
-auth    [success=done default=die] pam_debug.so
-auth    optional        pam_debug.so auth=perm_denied cred=perm_denied
-auth    sufficient      pam_debug.so auth=success cred=success
+auth    requisite       pam_permit\.so
+auth    [success=2 default=ok]  pam_debug\.so auth=perm_denied cred=success
+auth    [default=reset]         pam_debug\.so auth=success cred=perm_denied
+auth    [success=done default=die] pam_debug\.so
+auth    optional        pam_debug\.so auth=perm_denied cred=perm_denied
+auth    sufficient      pam_debug\.so auth=success cred=success
     
 .fi
 .RE
@@ -107,4 +123,4 @@ auth    sufficient      pam_debug.so auth=success cred=success
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_debug was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_debug was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_deny/pam_deny.8 b/Linux-PAM/modules/pam_deny/pam_deny.8
index f9f2d439..7e078d34 100644
--- a/Linux-PAM/modules/pam_deny/pam_deny.8
+++ b/Linux-PAM/modules/pam_deny/pam_deny.8
@@ -1,65 +1,73 @@
 .\"     Title: pam_deny
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/21/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_DENY" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DENY" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_deny \- The locking\-out PAM module
+pam_deny - The locking-out PAM module
 .SH "SYNOPSIS"
 .HP 12
-\fBpam_deny.so\fR
+\fBpam_deny\.so\fR
 .SH "DESCRIPTION"
 .PP
-This module can be used to deny access. It always indicates a failure to the application through the PAM framework. It might be suitable for using for default (the
-\fIOTHER\fR) entries.
+This module can be used to deny access\. It always indicates a failure to the application through the PAM framework\. It might be suitable for using for default (the
+\fIOTHER\fR) entries\.
 .SH "OPTIONS"
 .PP
-This module does not recognice any options.
+This module does not recognise any options\.
 .SH "MODULE SERVICES PROVIDED"
 .PP
 All services (\fBaccount\fR,
 \fBauth\fR,
 \fBpassword\fR
 and
-\fBsession\fR) are supported.
+\fBsession\fR) are supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_AUTH_ERR
-This is returned by the account and auth services.
-.TP 3n
+.RS 4
+This is returned by the account and auth services\.
+.RE
+.PP
 PAM_CRED_ERR
-This is returned by the setcred function.
-.TP 3n
+.RS 4
+This is returned by the setcred function\.
+.RE
+.PP
 PAM_AUTHTOK_ERR
-This is returned by the password service.
-.TP 3n
+.RS 4
+This is returned by the password service\.
+.RE
+.PP
 PAM_SESSION_ERR
-This is returned by the session service.
+.RS 4
+This is returned by the session service\.
+.RE
 .SH "EXAMPLES"
 .sp
-.RS 3n
+.RS 4
 .nf
-#%PAM\-1.0
+#%PAM\-1\.0
 #
-# If we don't have config entries for a service, the
-# OTHER entries are used. To be secure, warn and deny
-# access to everything.
-other auth     required       pam_warn.so
-other auth     required       pam_deny.so
-other account  required       pam_warn.so
-other account  required       pam_deny.so
-other password required       pam_warn.so
-other password required       pam_deny.so
-other session  required       pam_warn.so
-other session  required       pam_deny.so
+# If we don\'t have config entries for a service, the
+# OTHER entries are used\. To be secure, warn and deny
+# access to everything\.
+other auth     required       pam_warn\.so
+other auth     required       pam_deny\.so
+other account  required       pam_warn\.so
+other account  required       pam_deny\.so
+other password required       pam_warn\.so
+other password required       pam_deny\.so
+other session  required       pam_warn\.so
+other session  required       pam_deny\.so
     
 .fi
 .RE
@@ -71,4 +79,4 @@ other session  required       pam_deny.so
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_deny was written by Andrew G. Morgan <morgan@kernel.org>
+pam_deny was written by Andrew G\. Morgan <morgan@kernel\.org>
diff --git a/Linux-PAM/modules/pam_deny/pam_deny.8.xml b/Linux-PAM/modules/pam_deny/pam_deny.8.xml
index 91916003..e50beb2d 100644
--- a/Linux-PAM/modules/pam_deny/pam_deny.8.xml
+++ b/Linux-PAM/modules/pam_deny/pam_deny.8.xml
@@ -35,7 +35,7 @@
 
   <refsect1 id="pam_deny-options">
     <title>OPTIONS</title>
-    <para>This module does not recognice any options.</para>
+    <para>This module does not recognise any options.</para>
   </refsect1>
 
   <refsect1 id="pam_deny-services">
diff --git a/Linux-PAM/modules/pam_echo/pam_echo.8 b/Linux-PAM/modules/pam_echo/pam_echo.8
index 423a8e1b..7c996d89 100644
--- a/Linux-PAM/modules/pam_echo/pam_echo.8
+++ b/Linux-PAM/modules/pam_echo/pam_echo.8
@@ -1,78 +1,98 @@
 .\"     Title: pam_echo
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/21/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ECHO" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ECHO" "8" "01/08/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_echo \- PAM module for printing text messages
+pam_echo - PAM module for printing text messages
 .SH "SYNOPSIS"
 .HP 12
-\fBpam_echo.so\fR [file=\fI/path/message\fR]
+\fBpam_echo\.so\fR [file=\fI/path/message\fR]
 .SH "DESCRIPTION"
 .PP
 The
 \fIpam_echo\fR
-PAM module is for printing text messages to inform user about special things. Sequences starting with the
+PAM module is for printing text messages to inform user about special things\. Sequences starting with the
 \fI%\fR
 character are interpreted in the following way:
-.TP 3n
+.PP
 \fI%H\fR
-The name of the remote host (PAM_RHOST).
-.TP 3n
+.RS 4
+The name of the remote host (PAM_RHOST)\.
+.RE
+.PP
 \fB%h\fR
-The name of the local host.
-.TP 3n
+.RS 4
+The name of the local host\.
+.RE
+.PP
 \fI%s\fR
-The service name (PAM_SERVICE).
-.TP 3n
+.RS 4
+The service name (PAM_SERVICE)\.
+.RE
+.PP
 \fI%t\fR
-The name of the controlling terminal (PAM_TTY).
-.TP 3n
+.RS 4
+The name of the controlling terminal (PAM_TTY)\.
+.RE
+.PP
 \fI%U\fR
-The remote user name (PAM_RUSER).
-.TP 3n
+.RS 4
+The remote user name (PAM_RUSER)\.
+.RE
+.PP
 \fI%u\fR
-The local user name (PAM_USER).
+.RS 4
+The local user name (PAM_USER)\.
+.RE
 .PP
 All other sequences beginning with
 \fI%\fR
 expands to the characters following the
 \fI%\fR
-character.
+character\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBfile=\fR\fB\fI/path/message\fR\fR
+.RS 4
 The content of the file
 \fI/path/message\fR
-will be printed with the PAM conversion function as PAM_TEXT_INFO.
+will be printed with the PAM conversion function as PAM_TEXT_INFO\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
-All services are supported.
+All services are supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SUCCESS
-Message was successful printed.
-.TP 3n
+.RS 4
+Message was successful printed\.
+.RE
+.PP
 PAM_IGNORE
-PAM_SILENT flag was given or message file does not exist, no message printed.
+.RS 4
+PAM_SILENT flag was given or message file does not exist, no message printed\.
+.RE
 .SH "EXAMPLES"
 .PP
 For an example of the use of this module, we show how it may be used to print informations about good passwords:
 .sp
-.RS 3n
+.RS 4
 .nf
-password optional pam_echo.so file=/usr/share/doc/good\-password.txt
-password required pam_unix.so
+password optional pam_echo\.so file=/usr/share/doc/good\-password\.txt
+password required pam_unix\.so
       
 .fi
 .RE
@@ -85,4 +105,4 @@ password required pam_unix.so
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-Thorsten Kukuk <kukuk@thkukuk.de>
+Thorsten Kukuk <kukuk@thkukuk\.de>
diff --git a/Linux-PAM/modules/pam_env/pam_env.8 b/Linux-PAM/modules/pam_env/pam_env.8
index e7746de3..9d3a9d59 100644
--- a/Linux-PAM/modules/pam_env/pam_env.8
+++ b/Linux-PAM/modules/pam_env/pam_env.8
@@ -1,89 +1,109 @@
 .\"     Title: pam_env
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/21/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ENV" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ENV" "8" "01/08/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_env \- PAM module to set/unset environment variables
+pam_env - PAM module to set/unset environment variables
 .SH "SYNOPSIS"
 .HP 11
-\fBpam_env.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR]
+\fBpam_env\.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR]
 .SH "DESCRIPTION"
 .PP
-The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as
+The pam_env PAM module allows the (un)setting of environment variables\. Supported is the use of previously set environment variables as well as
 \fIPAM_ITEM\fRs such as
-\fIPAM_RHOST\fR.
+\fIPAM_RHOST\fR\.
 .PP
 By default rules for (un)setting of variables is taken from the config file
-\fI/etc/security/pam_env.conf\fR
-if no other file is specified.
+\fI/etc/security/pam_env\.conf\fR
+if no other file is specified\.
 .PP
 This module can also parse a file with simple
 \fIKEY=VAL\fR
 pairs on seperate lines (\fI/etc/environment\fR
-by default). You can change the default file to parse, with the
+by default)\. You can change the default file to parse, with the
 \fIenvfile\fR
 flag and turn it on or off by setting the
 \fIreadenv\fR
-flag to 1 or 0 respectively.
+flag to 1 or 0 respectively\.
 .SH "OPTIONS"
-.TP 3n
-\fBconffile=\fR\fB\fI/path/to/pam_env.conf\fR\fR
+.PP
+\fBconffile=\fR\fB\fI/path/to/pam_env\.conf\fR\fR
+.RS 4
 Indicate an alternative
-\fIpam_env.conf\fR
-style configuration file to override the default. This can be useful when different services need different environments.
-.TP 3n
+\fIpam_env\.conf\fR
+style configuration file to override the default\. This can be useful when different services need different environments\.
+.RE
+.PP
 \fBdebug\fR
+.RS 4
 A lot of debug informations are printed with
-\fBsyslog\fR(3).
-.TP 3n
+\fBsyslog\fR(3)\.
+.RE
+.PP
 \fBenvfile=\fR\fB\fI/path/to/environment\fR\fR
+.RS 4
 Indicate an alternative
 \fIenvironment\fR
-file to override the default. This can be useful when different services need different environments.
-.TP 3n
+file to override the default\. This can be useful when different services need different environments\.
+.RE
+.PP
 \fBreadenv=\fR\fB\fI0|1\fR\fR
-Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on.
+.RS 4
+Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\. By default this option is on\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The
 \fBauth\fR
 and
 \fBsession\fR
-services are supported.
+services are supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_ABORT
-Not all relevant data or options could be gotten.
-.TP 3n
+.RS 4
+Not all relevant data or options could be gotten\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_IGNORE
-No pam_env.conf and environment file was found.
-.TP 3n
+.RS 4
+No pam_env\.conf and environment file was found\.
+.RE
+.PP
 PAM_SUCCESS
-Environment variables were set.
+.RS 4
+Environment variables were set\.
+.RE
 .SH "FILES"
-.TP 3n
-\fI/etc/security/pam_env.conf\fR
+.PP
+\fI/etc/security/pam_env\.conf\fR
+.RS 4
 Default configuration file
-.TP 3n
+.RE
+.PP
 \fI/etc/environment\fR
+.RS 4
 Default environment file
+.RE
 .SH "SEE ALSO"
 .PP
 
 \fBpam_env.conf\fR(5),
 \fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
 .SH "AUTHOR"
 .PP
-pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.
+pam_env was written by Dave Kinchlea <kinch@kinch\.ark\.com>\.
diff --git a/Linux-PAM/modules/pam_env/pam_env.conf.5 b/Linux-PAM/modules/pam_env/pam_env.conf.5
index 17c1a19d..3840407f 100644
--- a/Linux-PAM/modules/pam_env/pam_env.conf.5
+++ b/Linux-PAM/modules/pam_env/pam_env.conf.5
@@ -1,41 +1,41 @@
 .\"     Title: pam_env.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/21/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ENV.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ENV\.CONF" "5" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_env.conf \- the environment variables config file
+pam_env.conf - the environment variables config file
 .SH "DESCRIPTION"
 .PP
 The
-\fI/etc/security/pam_env.conf\fR
+\fI/etc/security/pam_env\.conf\fR
 file specifies the environment variables to be set, unset or modified by
-\fBpam_env\fR(8). When someone logs in, this file is read and the environment variables are set according.
+\fBpam_env\fR(8)\. When someone logs in, this file is read and the environment variables are set according\.
 .PP
-Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use. OVERRIDE is not used, "" is assumed and no override will be done.
+Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\. OVERRIDE is not used, "" is assumed and no override will be done\.
 .PP
 
 \fIVARIABLE\fR
 [\fIDEFAULT=[value]\fR] [\fIOVERRIDE=[value]\fR]
 .PP
-(Possibly non\-existent) environment variables may be used in values using the ${string} syntax and (possibly non\-existent) PAM_ITEMs may be used in values using the @{string} syntax. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. For example, HOME is used below several times, but many PAM applications don't make it available by the time you need it.
+(Possibly non\-existent) environment variables may be used in values using the ${string} syntax and (possibly non\-existent) PAM_ITEMs may be used in values using the @{string} syntax\. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported\. Note that many environment variables that you would like to use may not be set by the time the module is called\. For example, HOME is used below several times, but many PAM applications don\'t make it available by the time you need it\.
 .PP
-The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line.
+The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\.
 .SH "EXAMPLES"
 .PP
 These are some example lines which might be specified in
-\fI/etc/security/pam_env.conf\fR.
+\fI/etc/security/pam_env\.conf\fR\.
 .PP
 Set the REMOTEHOST variable for any hosts that are remote, default to "localhost" rather than not being set at all
 .sp
-.RS 3n
+.RS 4
 .nf
       REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
     
@@ -44,35 +44,35 @@ Set the REMOTEHOST variable for any hosts that are remote, default to "localhost
 .PP
 Set the DISPLAY variable if it seems reasonable
 .sp
-.RS 3n
+.RS 4
 .nf
-      DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
+      DISPLAY        DEFAULT=${REMOTEHOST}:0\.0 OVERRIDE=${DISPLAY}
     
 .fi
 .RE
 .PP
 Now some simple variables
 .sp
-.RS 3n
+.RS 4
 .nf
       PAGER          DEFAULT=less
       MANPAGER       DEFAULT=less
       LESS           DEFAULT="M q e h15 z23 b80"
       NNTPSERVER     DEFAULT=localhost
-      PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\\
+      PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\e
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
     
 .fi
 .RE
 .PP
-Silly examples of escaped variables, just to show how they work.
+Silly examples of escaped variables, just to show how they work\.
 .sp
-.RS 3n
+.RS 4
 .nf
-      DOLLAR         DEFAULT=\\$
-      DOLLARDOLLAR   DEFAULT=        OVERRIDE=\\$${DOLLAR}
-      DOLLARPLUS     DEFAULT=\\${REMOTEHOST}${REMOTEHOST}
-      ATSIGN         DEFAULT=""      OVERRIDE=\\@
+      DOLLAR         DEFAULT=\e$
+      DOLLARDOLLAR   DEFAULT=        OVERRIDE=\e$${DOLLAR}
+      DOLLARPLUS     DEFAULT=\e${REMOTEHOST}${REMOTEHOST}
+      ATSIGN         DEFAULT=""      OVERRIDE=\e@
     
 .fi
 .RE
@@ -84,4 +84,4 @@ Silly examples of escaped variables, just to show how they work.
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.
+pam_env was written by Dave Kinchlea <kinch@kinch\.ark\.com>\.
diff --git a/Linux-PAM/modules/pam_exec/README b/Linux-PAM/modules/pam_exec/README
index 8ff9a742..f0845205 100644
--- a/Linux-PAM/modules/pam_exec/README
+++ b/Linux-PAM/modules/pam_exec/README
@@ -6,6 +6,11 @@ DESCRIPTION
 
 pam_exec is a PAM module that can be used to run an external command.
 
+The child's environment is set to the current PAM environment list, as returned
+by pam_getenvlist(3) In addition, the following PAM items are exported as
+environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, and PAM_USER
+.
+
 OPTIONS
 
 debug
@@ -16,6 +21,11 @@ log=file
 
     The output of the command is appended to file
 
+quiet
+
+    Per default pam_exec.so will echo the exit status of the external command
+    if it fails. Specifying this option will suppress the message.
+
 seteuid
 
     Per default pam_exec.so will execute the external command with the real
diff --git a/Linux-PAM/modules/pam_exec/pam_exec.8 b/Linux-PAM/modules/pam_exec/pam_exec.8
index ae8f8a46..9ac2ccbb 100644
--- a/Linux-PAM/modules/pam_exec/pam_exec.8
+++ b/Linux-PAM/modules/pam_exec/pam_exec.8
@@ -1,35 +1,55 @@
 .\"     Title: pam_exec
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/09/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/04/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_EXEC" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_EXEC" "8" "02/04/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_exec \- PAM module which calls an external command
+pam_exec - PAM module which calls an external command
 .SH "SYNOPSIS"
 .HP 12
-\fBpam_exec.so\fR [debug] [seteuid] [log=\fIfile\fR] \fIcommand\fR [\fI...\fR]
+\fBpam_exec\.so\fR [debug] [seteuid] [quiet] [log=\fIfile\fR] \fIcommand\fR [\fI\.\.\.\fR]
 .SH "DESCRIPTION"
 .PP
-pam_exec is a PAM module that can be used to run an external command.
+pam_exec is a PAM module that can be used to run an external command\.
+.PP
+The child\'s environment is set to the current PAM environment list, as returned by
+\fBpam_getenvlist\fR(3)
+In addition, the following PAM items are exported as environment variables:
+\fIPAM_RHOST\fR,
+\fIPAM_RUSER\fR,
+\fIPAM_SERVICE\fR,
+\fIPAM_TTY\fR, and
+\fIPAM_USER\fR\.
 .SH "OPTIONS"
 .PP
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
 \fBlog=\fR\fB\fIfile\fR\fR
+.RS 4
 The output of the command is appended to
 \fIfile\fR
-.TP 3n
+.RE
+.PP
+\fBquiet\fR
+.RS 4
+Per default pam_exec\.so will echo the exit status of the external command if it fails\. Specifying this option will suppress the message\.
+.RE
+.PP
 \fBseteuid\fR
-Per default pam_exec.so will execute the external command with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID.
+.RS 4
+Per default pam_exec\.so will execute the external command with the real user ID of the calling process\. Specifying this option means the command is run with the effective user ID\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The services
@@ -38,45 +58,53 @@ The services
 \fBpassword\fR
 and
 \fBsession\fR
-are supported.
+are supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_SUCCESS
-The external command runs successfull.
-.TP 3n
+.RS 4
+The external command runs successfull\.
+.RE
+.PP
 PAM_SERVICE_ERR
-No argument or a wrong number of arguments were given.
-.TP 3n
+.RS 4
+No argument or a wrong number of arguments were given\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-A system error occured or the command to execute failed.
-.TP 3n
+.RS 4
+A system error occured or the command to execute failed\.
+.RE
+.PP
 PAM_IGNORE
+.RS 4
 
 \fBpam_setcred\fR
-was called, which does not execute the command.
+was called, which does not execute the command\.
+.RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/passwd\fR
+\fI/etc/pam\.d/passwd\fR
 to rebuild the NIS database after each local password change:
 .sp
-.RS 3n
+.RS 4
 .nf
-        passwd optional pam_exec.so seteuid make \-C /var/yp
+        passwd optional pam_exec\.so seteuid make \-C /var/yp
       
 .fi
 .RE
 .sp
 This will execute the command
 .sp
-.RS 3n
+.RS 4
 .nf
 make \-C /var/yp
 .fi
 .RE
 .sp
-with effective user ID.
+with effective user ID\.
 .SH "SEE ALSO"
 .PP
 
@@ -85,4 +113,4 @@ with effective user ID.
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>.
+pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\.de>\.
diff --git a/Linux-PAM/modules/pam_exec/pam_exec.8.xml b/Linux-PAM/modules/pam_exec/pam_exec.8.xml
index 1e8bb0ba..f4dc1e15 100644
--- a/Linux-PAM/modules/pam_exec/pam_exec.8.xml
+++ b/Linux-PAM/modules/pam_exec/pam_exec.8.xml
@@ -25,6 +25,9 @@
         seteuid
       </arg>
       <arg choice="opt">
+        quiet
+      </arg>
+      <arg choice="opt">
         log=<replaceable>file</replaceable>
       </arg>
       <arg choice="plain">
@@ -45,6 +48,18 @@
       an external command.
     </para>
 
+    <para>
+     The child's environment is set to the current PAM environment list, as
+     returned by
+     <citerefentry>
+        <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+     </citerefentry>
+     In addition, the following PAM items are
+     exported as environment variables: <emphasis>PAM_RHOST</emphasis>,
+     <emphasis>PAM_RUSER</emphasis>, <emphasis>PAM_SERVICE</emphasis>,
+     <emphasis>PAM_TTY</emphasis>, and <emphasis>PAM_USER</emphasis>.
+    </para>
+
   </refsect1>
 
   <refsect1 id="pam_exec-options">
@@ -78,6 +93,19 @@
 
         <varlistentry>
           <term>
+            <option>quiet</option>
+          </term>
+          <listitem>
+            <para>
+  	      Per default pam_exec.so will echo the exit status of the
+     	      external command if it fails.
+              Specifying this option will suppress the message.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
             <option>seteuid</option>
           </term>
           <listitem>
diff --git a/Linux-PAM/modules/pam_exec/pam_exec.c b/Linux-PAM/modules/pam_exec/pam_exec.c
index 34ba7404..766c0a06 100644
--- a/Linux-PAM/modules/pam_exec/pam_exec.c
+++ b/Linux-PAM/modules/pam_exec/pam_exec.c
@@ -59,11 +59,24 @@
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
 
+#define ENV_ITEM(n) { (n), #n }
+static struct {
+  int item;
+  const char *name;
+} env_items[] = {
+  ENV_ITEM(PAM_SERVICE),
+  ENV_ITEM(PAM_USER),
+  ENV_ITEM(PAM_TTY),
+  ENV_ITEM(PAM_RHOST),
+  ENV_ITEM(PAM_RUSER),
+};
+
 static int
 call_exec (pam_handle_t *pamh, int argc, const char **argv)
 {
   int debug = 0;
   int call_setuid = 0;
+  int quiet = 0;
   int optargc;
   const char *logfile = NULL;
   pid_t pid;
@@ -85,6 +98,8 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv)
 	logfile = &argv[optargc][4];
       else if (strcasecmp (argv[optargc], "seteuid") == 0)
 	call_setuid = 1;
+      else if (strcasecmp (argv[optargc], "quiet") == 0)
+	quiet = 1;
       else
 	break; /* Unknown option, assume program to execute. */
     }
@@ -115,6 +130,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv)
 	    {
 	      pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d",
 			  argv[optargc], WEXITSTATUS(status));
+		if (!quiet)
 	      pam_error (pamh, _("%s failed: exit code %d"),
 			 argv[optargc], WEXITSTATUS(status));
 	    }
@@ -123,6 +139,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv)
 	      pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s",
 			  argv[optargc], WTERMSIG(status),
 			  WCOREDUMP(status) ? " (core dumped)" : "");
+		if (!quiet)
 	      pam_error (pamh, _("%s failed: caught signal %d%s"),
 			 argv[optargc], WTERMSIG(status),
 			 WCOREDUMP(status) ? " (core dumped)" : "");
@@ -131,6 +148,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv)
 	    {
 	      pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x",
 			  argv[optargc], status);
+		if (!quiet)
 	      pam_error (pamh, _("%s failed: unknown status 0x%x"),
 			 argv[optargc], status);
 	    }
@@ -208,22 +226,61 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv)
 	exit (ENOMEM);
 
       for (i = 0; i < (argc - optargc); i++)
-	arggv[i] = argv[i+optargc];
+	arggv[i] = strdup(argv[i+optargc]);
       arggv[i] = NULL;
 
+      char **envlist, **tmp;
+      int envlen, nitems;
+
+      /*
+       * Set up the child's environment list.  It consists of the PAM
+       * environment, plus a few hand-picked PAM items.
+       */
+      envlist = pam_getenvlist(pamh);
+      for (envlen = 0; envlist[envlen] != NULL; ++envlen)
+        /* nothing */ ;
+      nitems = sizeof(env_items) / sizeof(*env_items);
+      tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
+      if (tmp == NULL)
+      {
+        free(envlist);
+        pam_syslog (pamh, LOG_ERR, "realloc environment failed : %m");
+        exit (ENOMEM); 
+      }
+      envlist = tmp;
+      for (i = 0; i < nitems; ++i)
+      {
+        const void *item;
+        char *envstr;
+
+        if (pam_get_item(pamh, env_items[i].item, &item) != PAM_SUCCESS || item == NULL)
+          continue;
+        asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item);
+        if (envstr == NULL)
+        {
+          free(envlist);
+          pam_syslog (pamh, LOG_ERR, "prepare environment failed : %m");
+          exit (ENOMEM);
+        }
+        envlist[envlen++] = envstr;
+        envlist[envlen] = NULL;
+      }
+
       if (debug)
 	pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]);
 
-      if (execv (arggv[0], arggv) == -1)
+      if (execve (arggv[0], arggv, envlist) == -1)
 	{
 	  int err = errno;
-	  pam_syslog (pamh, LOG_ERR, "execv(%s,...) failed: %m",
+	  pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m",
 		      arggv[0]);
+          free(envlist);
 	  exit (err);
 	}
+      free(envlist);
       exit (1); /* should never be reached. */
     }
-  return PAM_SYSTEM_ERR;
+  return PAM_SYSTEM_ERR; /* will never be reached. */
 }
 
 PAM_EXTERN int
diff --git a/Linux-PAM/modules/pam_faildelay/pam_faildelay.8 b/Linux-PAM/modules/pam_faildelay/pam_faildelay.8
index 86eb031a..7e5312a4 100644
--- a/Linux-PAM/modules/pam_faildelay/pam_faildelay.8
+++ b/Linux-PAM/modules/pam_faildelay/pam_faildelay.8
@@ -1,54 +1,62 @@
 .\"     Title: pam_faildelay
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 12/06/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_FAILDELAY" "8" "12/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FAILDELAY" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_faildelay \- Change the delay on failure per\-application
+pam_faildelay - Change the delay on failure per-application
 .SH "SYNOPSIS"
 .HP 17
-\fBpam_faildelay.so\fR [debug] [delay=\fImicroseconds\fR]
+\fBpam_faildelay\.so\fR [debug] [delay=\fImicroseconds\fR]
 .SH "DESCRIPTION"
 .PP
-pam_faildelay is a PAM module that can be used to set the delay on failure per\-application.
+pam_faildelay is a PAM module that can be used to set the delay on failure per\-application\.
 .PP
 If no
 \fBdelay\fR
 is given, pam_faildelay will use the value of FAIL_DELAY from
-\fI/etc/login.defs\fR.
+\fI/etc/login\.defs\fR\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBdebug\fR
-Turns on debugging messages sent to syslog.
-.TP 3n
+.RS 4
+Turns on debugging messages sent to syslog\.
+.RE
+.PP
 \fBdelay=\fR\fB\fIN\fR\fR
-Set the delay on failure to N microseconds.
+.RS 4
+Set the delay on failure to N microseconds\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_IGNORE
-Delay was successful adjusted.
-.TP 3n
+.RS 4
+Delay was successful adjusted\.
+.RE
+.PP
 PAM_SYSTEM_ERR
-The specified delay was not valid.
+.RS 4
+The specified delay was not valid\.
+.RE
 .SH "EXAMPLES"
 .PP
 The following example will set the delay on failure to 10 seconds:
 .sp
-.RS 3n
+.RS 4
 .nf
-auth  optional  pam_faildelay.so  delay=10000000
+auth  optional  pam_faildelay\.so  delay=10000000
       
 .fi
 .RE
@@ -62,4 +70,4 @@ auth  optional  pam_faildelay.so  delay=10000000
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>.
+pam_faildelay was written by Darren Tucker <dtucker@zip\.com\.au>\.
diff --git a/Linux-PAM/modules/pam_faildelay/pam_faildelay.c b/Linux-PAM/modules/pam_faildelay/pam_faildelay.c
index 16cb7458..072b7dd3 100644
--- a/Linux-PAM/modules/pam_faildelay/pam_faildelay.c
+++ b/Linux-PAM/modules/pam_faildelay/pam_faildelay.c
@@ -216,7 +216,7 @@ int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
 
 /* static module data */
 
-struct pam_module _pam_rootok_modstruct = {
+struct pam_module _pam_faildelay_modstruct = {
     "pam_faildelay",
     pam_sm_authenticate,
     pam_sm_setcred,
diff --git a/Linux-PAM/modules/pam_filter/pam_filter.8 b/Linux-PAM/modules/pam_filter/pam_filter.8
index 7def7fe9..5b91a4be 100644
--- a/Linux-PAM/modules/pam_filter/pam_filter.8
+++ b/Linux-PAM/modules/pam_filter/pam_filter.8
@@ -1,66 +1,73 @@
 .\"     Title: pam_filter
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/09/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_FILTER" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FILTER" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_filter \- PAM filter module
+pam_filter - PAM filter module
 .SH "SYNOPSIS"
 .HP 14
-\fBpam_filter.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI...\fR]
+\fBpam_filter\.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI\.\.\.\fR]
 .SH "DESCRIPTION"
 .PP
-This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application. It is only suitable for tty\-based and (stdin/stdout) applications.
+This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application\. It is only suitable for tty\-based and (stdin/stdout) applications\.
 .PP
 To function this module requires
 \fIfilters\fR
-to be installed on the system. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams. (This can be very annoying and is not kind to termcap based editors).
+to be installed on the system\. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams\. (This can be very annoying and is not kind to termcap based editors)\.
 .PP
-Each component of the module has the potential to invoke the desired filter. The filter is always
+Each component of the module has the potential to invoke the desired filter\. The filter is always
 \fBexecv\fR(2)
 with the privilege of the calling application and
 \fInot\fR
-that of the user. For this reason it cannot usually be killed by the user without closing their session.
+that of the user\. For this reason it cannot usually be killed by the user without closing their session\.
 .SH "OPTIONS"
 .PP
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
 \fBnew_term\fR
+.RS 4
 The default action of the filter is to set the
 \fIPAM_TTY\fR
-item to indicate the terminal that the user is using to connect to the application. This argument indicates that the filter should set
+item to indicate the terminal that the user is using to connect to the application\. This argument indicates that the filter should set
 \fIPAM_TTY\fR
-to the filtered pseudo\-terminal.
-.TP 3n
+to the filtered pseudo\-terminal\.
+.RE
+.PP
 \fBnon_term\fR
-don't try to set the
+.RS 4
+don\'t try to set the
 \fIPAM_TTY\fR
-item.
-.TP 3n
+item\.
+.RE
+.PP
 \fBrunX\fR
-In order that the module can invoke a filter it should know when to invoke it. This argument is required to tell the filter when to do this.
+.RS 4
+In order that the module can invoke a filter it should know when to invoke it\. This argument is required to tell the filter when to do this\.
 .sp
 Permitted values for
 \fIX\fR
 are
 \fI1\fR
 and
-\fI2\fR. These indicate the precise time that the filter is to be run. To understand this concept it will be useful to have read the
+\fI2\fR\. These indicate the precise time that the filter is to be run\. To understand this concept it will be useful to have read the
 \fBpam\fR(3)
-manual page. Basically, for each management group there are up to two ways of calling the module's functions. In the case of the
+manual page\. Basically, for each management group there are up to two ways of calling the module\'s functions\. In the case of the
 \fIauthentication\fR
 and
 \fIsession\fR
-components there are actually two separate functions. For the case of authentication, these functions are
+components there are actually two separate functions\. For the case of authentication, these functions are
 \fBpam_authenticate\fR(3)
 and
 \fBpam_setcred\fR(3), here
@@ -70,20 +77,20 @@ means run the filter from the
 function and
 \fBrun2\fR
 means run the filter from
-\fBpam_setcred\fR. In the case of the session modules,
+\fBpam_setcred\fR\. In the case of the session modules,
 \fIrun1\fR
 implies that the filter is invoked at the
 \fBpam_open_session\fR(3)
 stage, and
 \fIrun2\fR
 for
-\fBpam_close_session\fR(3).
+\fBpam_close_session\fR(3)\.
 .sp
-For the case of the account component. Either
+For the case of the account component\. Either
 \fIrun1\fR
 or
 \fIrun2\fR
-may be used.
+may be used\.
 .sp
 For the case of the password component,
 \fIrun1\fR
@@ -95,10 +102,13 @@ phase) and
 \fIrun2\fR
 is used to indicate that the filter is run on the second occasion (the
 \fIPAM_UPDATE_AUTHTOK\fR
-phase).
-.TP 3n
+phase)\.
+.RE
+.PP
 \fBfilter\fR
-The full pathname of the filter to be run and any command line arguments that the filter might expect.
+.RS 4
+The full pathname of the filter to be run and any command line arguments that the filter might expect\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The services
@@ -107,24 +117,28 @@ The services
 \fBpassword\fR
 and
 \fBsession\fR
-are supported.
+are supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_SUCCESS
-The new filter was set successfull.
-.TP 3n
+.RS 4
+The new filter was set successfull\.
+.RE
+.PP
 PAM_ABORT
-Critical error, immediate abort.
+.RS 4
+Critical error, immediate abort\.
+.RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 to see how to configure login to transpose upper and lower case letters once the user has logged in:
 .sp
-.RS 3n
+.RS 4
 .nf
-        session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER
+        session required pam_filter\.so run1 /lib/security/pam_filter/upperLOWER
       
 .fi
 .RE
@@ -137,4 +151,4 @@ to see how to configure login to transpose upper and lower case letters once the
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_filter was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_filter was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c b/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c
index c0fc5b17..0ede4a0d 100644
--- a/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c
+++ b/Linux-PAM/modules/pam_filter/upperLOWER/upperLOWER.c
@@ -7,6 +7,7 @@
 
 #include "config.h"
 
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <syslog.h>
@@ -15,14 +16,10 @@
 #include <unistd.h>
 
 #include "pam_filter.h"
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
 #include <security/pam_modutil.h>
 
 /* ---------------------------------------------------------------- */
 
-#include <ctype.h>
-
 static void do_transpose(char *buffer,int len)
 {
      int i;
diff --git a/Linux-PAM/modules/pam_ftp/pam_ftp.8 b/Linux-PAM/modules/pam_ftp/pam_ftp.8
index 0c730267..e07c9885 100644
--- a/Linux-PAM/modules/pam_ftp/pam_ftp.8
+++ b/Linux-PAM/modules/pam_ftp/pam_ftp.8
@@ -1,84 +1,94 @@
 .\"     Title: pam_ftp
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/09/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_FTP" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FTP" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_ftp \- PAM module for anonymous access module
+pam_ftp - PAM module for anonymous access module
 .SH "SYNOPSIS"
 .HP 11
-\fBpam_ftp.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...]
+\fBpam_ftp\.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...]
 .SH "DESCRIPTION"
 .PP
-pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access.
+pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access\.
 .PP
-This module intercepts the user's name and password. If the name is
+This module intercepts the user\'s name and password\. If the name is
 \fIftp\fR
 or
-\fIanonymous\fR, the user's password is broken up at the
+\fIanonymous\fR, the user\'s password is broken up at the
 \fI@\fR
 delimiter into a
 \fIPAM_RUSER\fR
 and a
 \fIPAM_RHOST\fR
-part; these pam\-items being set accordingly. The username (\fIPAM_USER\fR) is set to
-\fIftp\fR. In this case the module succeeds. Alternatively, the module sets the
+part; these pam\-items being set accordingly\. The username (\fIPAM_USER\fR) is set to
+\fIftp\fR\. In this case the module succeeds\. Alternatively, the module sets the
 \fIPAM_AUTHTOK\fR
-item with the entered password and fails.
+item with the entered password and fails\.
 .PP
-This module is not safe and easily spoofable.
+This module is not safe and easily spoofable\.
 .SH "OPTIONS"
 .PP
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
 \fBignore\fR
-Pay no attention to the email address of the user (if supplied).
-.TP 3n
-\fBftp=\fR\fB\fIXXX,YYY,...\fR\fR
+.RS 4
+Pay no attention to the email address of the user (if supplied)\.
+.RE
+.PP
+\fBftp=\fR\fB\fIXXX,YYY,\.\.\.\fR\fR
+.RS 4
 Instead of
 \fIftp\fR
 or
 \fIanonymous\fR, provide anonymous login to the comma separated list of users:
-\fB\fIXXX,YYY,...\fR\fR. Should the applicant enter one of these usernames the returned username is set to the first in the list:
-\fIXXX\fR.
+\fB\fIXXX,YYY,\.\.\.\fR\fR\. Should the applicant enter one of these usernames the returned username is set to the first in the list:
+\fIXXX\fR\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_SUCCESS
-The authentication was successfull.
-.TP 3n
+.RS 4
+The authentication was successfull\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User not known.
+.RS 4
+User not known\.
+.RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/ftpd\fR
+\fI/etc/pam\.d/ftpd\fR
 to handle ftp style anonymous login:
 .sp
-.RS 3n
+.RS 4
 .nf
 #
-# ftpd; add ftp\-specifics. These lines enable anonymous ftp over
+# ftpd; add ftp\-specifics\. These lines enable anonymous ftp over
 #       standard UN*X access (the listfile entry blocks access to
 #       users listed in /etc/ftpusers)
 #
-auth    sufficient  pam_ftp.so
-auth    required    pam_unix.so use_first_pass
-auth    required    pam_listfile.so \\
+auth    sufficient  pam_ftp\.so
+auth    required    pam_unix\.so use_first_pass
+auth    required    pam_listfile\.so \e
            onerr=succeed item=user sense=deny file=/etc/ftpusers
       
 .fi
@@ -92,4 +102,4 @@ auth    required    pam_listfile.so \\
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_ftp was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_group/group.conf.5 b/Linux-PAM/modules/pam_group/group.conf.5
index 0e36ebf4..8a0cc9f0 100644
--- a/Linux-PAM/modules/pam_group/group.conf.5
+++ b/Linux-PAM/modules/pam_group/group.conf.5
@@ -1,24 +1,24 @@
 .\"     Title: group.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/21/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "GROUP.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "GROUP\.CONF" "5" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-group.conf \- configuration file for the pam_group module
+group.conf - configuration file for the pam_group module
 .SH "DESCRIPTION"
 .PP
-The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for.
+The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\.
 .PP
 For this module to function correctly there must be a correctly formatted
-\fI/etc/security/group.conf\fR
-file present. White spaces are ignored and lines maybe extended with '\\' (escaped newlines). Text following a '#' is ignored to the end of the line.
+\fI/etc/security/group\.conf\fR
+file present\. White spaces are ignored and lines maybe extended with \'\e\' (escaped newlines)\. Text following a \'#\' is ignored to the end of the line\.
 .PP
 The syntax of the lines is as follows:
 .PP
@@ -27,45 +27,45 @@ The syntax of the lines is as follows:
 .PP
 The first field, the
 \fIservices\fR
-field, is a logic list of PAM service names that the rule applies to.
+field, is a logic list of PAM service names that the rule applies to\.
 .PP
 The second field, the
 \fItty\fR
-field, is a logic list of terminal names that this rule applies to.
+field, is a logic list of terminal names that this rule applies to\.
 .PP
 The third field, the
 \fIusers\fR
-field, is a logic list of users or a netgroup of users to whom this rule applies.
+field, is a logic list of users or a netgroup of users to whom this rule applies\.
 .PP
-For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed.
+For these items the simple wildcard \'*\' may be used only once\. With netgroups no wildcards or logic operators are allowed\.
 .PP
 The
 \fItimes\fR
-field is used to indicate "when" these groups are to be given to the user. The format here is a logic list of day/time\-range entries. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively. As a final example, AlFr means all days except Friday.
+field is used to indicate "when" these groups are to be given to the user\. The format here is a logic list of day/time\-range entries\. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\. As a final example, AlFr means all days except Friday\.
 .PP
-Each day/time\-range can be prefixed with a '!' to indicate "anything but". The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day).
+Each day/time\-range can be prefixed with a \'!\' to indicate "anything but"\. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\.
 .PP
 The
 \fIgroups\fR
-field is a comma or space separated list of groups that the user inherits membership of. These groups are added if the previous fields are satisfied by the user's request.
+field is a comma or space separated list of groups that the user inherits membership of\. These groups are added if the previous fields are satisfied by the user\'s request\.
 .PP
-For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process.
+For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\.
 .SH "EXAMPLES"
 .PP
 These are some example lines which might be specified in
-\fI/etc/security/group.conf\fR.
+\fI/etc/security/group\.conf\fR\.
 .PP
-Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the floppy (through membership of the floppy group)
+Running \'xsh\' on tty* (any ttyXXX device), the user \'us\' is given access to the floppy (through membership of the floppy group)
 .sp
-.RS 3n
+.RS 4
 .nf
 xsh;tty*&!ttyp*;us;Al0000\-2400;floppy
 .fi
 .RE
 .PP
-Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to games (through membership of the floppy group) after work hours.
+Running \'xsh\' on tty* (any ttyXXX device), the user \'sword\' is given access to games (through membership of the floppy group) after work hours\.
 .sp
-.RS 3n
+.RS 4
 .nf
 xsh; tty* ;sword;!Wk0900\-1800;games, sound
 xsh; tty* ;*;Al0900\-1800;floppy
@@ -80,4 +80,4 @@ xsh; tty* ;*;Al0900\-1800;floppy
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_group was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_group was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_group/pam_group.8 b/Linux-PAM/modules/pam_group/pam_group.8
index 7058f1aa..5d40198a 100644
--- a/Linux-PAM/modules/pam_group/pam_group.8
+++ b/Linux-PAM/modules/pam_group/pam_group.8
@@ -1,80 +1,94 @@
 .\"     Title: pam_group
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/22/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_GROUP" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GROUP" "8" "01/08/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_group \- PAM module for group access
+pam_group - PAM module for group access
 .SH "SYNOPSIS"
 .HP 13
-\fBpam_group.so\fR
+\fBpam_group\.so\fR
 .SH "DESCRIPTION"
 .PP
-The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for.
+The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\.
 .PP
 By default rules for group memberships are taken from config file
-\fI/etc/security/group.conf\fR.
+\fI/etc/security/group\.conf\fR\.
 .PP
-This module's usefulness relies on the file\-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a
+This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a
 \fBsetgid\fR
-binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted
+binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted
 \fInosuid\fR
-the user is unable to create or execute such a binary file. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted
-\fInosuid\fR.
+the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted
+\fInosuid\fR\.
 .PP
 The pam_group module fuctions in parallel with the
 \fI/etc/group\fR
-file. If the user is granted any groups based on the behavior of this module, they are granted
+file\. If the user is granted any groups based on the behavior of this module, they are granted
 \fIin addition\fR
 to those entries
 \fI/etc/group\fR
-(or equivalent).
+(or equivalent)\.
 .SH "OPTIONS"
 .PP
-This module does not recognice any options.
+This module does not recognise any options\.
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-group membership was granted.
-.TP 3n
+.RS 4
+group membership was granted\.
+.RE
+.PP
 PAM_ABORT
-Not all relevant data could be gotten.
-.TP 3n
+.RS 4
+Not all relevant data could be gotten\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CRED_ERR
-Group membership was not granted.
-.TP 3n
+.RS 4
+Group membership was not granted\.
+.RE
+.PP
 PAM_IGNORE
+.RS 4
 
 \fBpam_sm_authenticate\fR
-was called which does nothing.
-.TP 3n
+was called which does nothing\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-The user is not known to the system.
+.RS 4
+The user is not known to the system\.
+.RE
 .SH "FILES"
-.TP 3n
-\fI/etc/security/group.conf\fR
+.PP
+\fI/etc/security/group\.conf\fR
+.RS 4
 Default configuration file
+.RE
 .SH "SEE ALSO"
 .PP
 
 \fBgroup.conf\fR(5),
 \fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
 .SH "AUTHORS"
 .PP
-pam_group was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_group was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_group/pam_group.8.xml b/Linux-PAM/modules/pam_group/pam_group.8.xml
index 61c7eef1..f7488fb3 100644
--- a/Linux-PAM/modules/pam_group/pam_group.8.xml
+++ b/Linux-PAM/modules/pam_group/pam_group.8.xml
@@ -62,7 +62,7 @@
 
   <refsect1 id="pam_group-options">
     <title>OPTIONS</title>
-    <para>This module does not recognice any options.</para>
+    <para>This module does not recognise any options.</para>
   </refsect1>
 
   <refsect1 id="pam_group-services">
diff --git a/Linux-PAM/modules/pam_issue/pam_issue.8 b/Linux-PAM/modules/pam_issue/pam_issue.8
index 011a5e91..dd94c246 100644
--- a/Linux-PAM/modules/pam_issue/pam_issue.8
+++ b/Linux-PAM/modules/pam_issue/pam_issue.8
@@ -1,94 +1,128 @@
 .\"     Title: pam_issue
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/17/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ISSUE" "8" "06/17/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ISSUE" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_issue \- PAM module to add issue file to user prompt
+pam_issue - PAM module to add issue file to user prompt
 .SH "SYNOPSIS"
 .HP 13
-\fBpam_issue.so\fR [noesc] [issue=\fIissue\-file\-name\fR]
+\fBpam_issue\.so\fR [noesc] [issue=\fIissue\-file\-name\fR]
 .SH "DESCRIPTION"
 .PP
-pam_issue is a PAM module to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file similar to some common getty's (using \\x format).
+pam_issue is a PAM module to prepend an issue file to the username prompt\. It also by default parses escape codes in the issue file similar to some common getty\'s (using \ex format)\.
 .PP
 Recognized escapes:
-.TP 3n
-\fB\\d\fR
+.PP
+\fB\ed\fR
+.RS 4
 current day
-.TP 3n
-\fB\\l\fR
+.RE
+.PP
+\fB\el\fR
+.RS 4
 name of this tty
-.TP 3n
-\fB\\m\fR
+.RE
+.PP
+\fB\em\fR
+.RS 4
 machine architecture (uname \-m)
-.TP 3n
-\fB\\n\fR
-machine's network node hostname (uname \-n)
-.TP 3n
-\fB\\o\fR
+.RE
+.PP
+\fB\en\fR
+.RS 4
+machine\'s network node hostname (uname \-n)
+.RE
+.PP
+\fB\eo\fR
+.RS 4
 domain name of this system
-.TP 3n
-\fB\\r\fR
+.RE
+.PP
+\fB\er\fR
+.RS 4
 release number of operating system (uname \-r)
-.TP 3n
-\fB\\t\fR
+.RE
+.PP
+\fB\et\fR
+.RS 4
 current time
-.TP 3n
-\fB\\s\fR
+.RE
+.PP
+\fB\es\fR
+.RS 4
 operating system name (uname \-s)
-.TP 3n
-\fB\\u\fR
+.RE
+.PP
+\fB\eu\fR
+.RS 4
 number of users currently logged in
-.TP 3n
-\fB\\U\fR
-same as \\u except it is suffixed with "user" or "users" (eg. "1 user" or "10 users")
-.TP 3n
-\fB\\v\fR
+.RE
+.PP
+\fB\eU\fR
+.RS 4
+same as \eu except it is suffixed with "user" or "users" (eg\. "1 user" or "10 users")
+.RE
+.PP
+\fB\ev\fR
+.RS 4
 operating system version and build date (uname \-v)
+.RE
 .SH "OPTIONS"
 .PP
-.TP 3n
+.PP
 \fBnoesc\fR
-Turns off escape code parsing.
-.TP 3n
+.RS 4
+Turns off escape code parsing\.
+.RE
+.PP
 \fBissue=\fR\fB\fIissue\-file\-name\fR\fR
-The file to output if not using the default.
+.RS 4
+The file to output if not using the default\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_IGNORE
-The prompt was already changed.
-.TP 3n
+.RS 4
+The prompt was already changed\.
+.RE
+.PP
 PAM_SERVICE_ERR
-A service module error occured.
-.TP 3n
+.RS 4
+A service module error occured\.
+.RE
+.PP
 PAM_SUCCESS
-The new prompt was set successfull.
+.RS 4
+The new prompt was set successfull\.
+.RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 to set the user specific issue at login:
 .sp
-.RS 3n
+.RS 4
 .nf
-        auth optional pam_issue.so issue=/etc/issue
+        auth optional pam_issue\.so issue=/etc/issue
       
 .fi
 .RE
@@ -101,4 +135,4 @@ to set the user specific issue at login:
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_issue was written by Ben Collins <bcollins@debian.org>.
+pam_issue was written by Ben Collins <bcollins@debian\.org>\.
diff --git a/Linux-PAM/modules/pam_keyinit/README b/Linux-PAM/modules/pam_keyinit/README
index da22a535..38344d9a 100644
--- a/Linux-PAM/modules/pam_keyinit/README
+++ b/Linux-PAM/modules/pam_keyinit/README
@@ -1,24 +1,68 @@
-# $Id: README,v 1.1 2006/06/27 12:34:07 t8m Exp $ -*- text -*-
-#
+pam_keyinit — Kernel session keyring initialiser module
 
-This module makes sure the calling process has its own session keyring rather
-than using the default per-user session keyring.
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
-The following words may be supplied as arguments to the module through the PAM
-configuration scripts:
+DESCRIPTION
 
- (*) "force"
+The pam_keyinit PAM module ensures that the invoking process has a session
+keyring other than the user default session keyring.
 
-     This will cause the process's current session keyring to be replaced with
-     a new one. If this isn't supplied, a session keyring will only be created
-     if the process doesn't already have its own.
+The session component of the module checks to see if the process's session
+keyring is the user default, and, if it is, creates a new anonymous session
+keyring with which to replace it.
 
- (*) "revoke"
+If a new session keyring is created, it will install a link to the user common
+keyring in the session keyring so that keys common to the user will be
+automatically accessible through it.
 
-     If the module actually created a keyring, this will cause that keyring to
-     be revoked on session closure.
+The session keyring of the invoking process will thenceforth be inherited by
+all its children unless they override it.
 
- (*) "debug"
+This module is intended primarily for use by login processes. Be aware that
+after the session keyring has been replaced, the old session keyring and the
+keys it contains will no longer be accessible.
+
+This module should not, generally, be invoked by programs like su, since it is
+usually desirable for the key set to percolate through to the alternate
+context. The keys have their own permissions system to manage this.
+
+This module should be included as early as possible in a PAM configuration, so
+that other PAM modules can attach tokens to the keyring.
+
+The keyutils package is used to manipulate keys more directly. This can be
+obtained from:
+
+Keyutils
+
+OPTIONS
+
+debug
+
+    Log debug information with syslog(3).
+
+force
+
+    Causes the session keyring of the invoking process to be replaced
+    unconditionally.
+
+revoke
+
+    Causes the session keyring of the invoking process to be revoked when the
+    invoking process exits if the session keyring was created for this process
+    in the first place.
+
+EXAMPLES
+
+Add this line to your login entries to start each login session with its own
+session keyring:
+
+session  required  pam_keyinit.so
+
+
+This will prevent keys from one session leaking into another session for the
+same user.
+
+AUTHOR
+
+pam_keyinit was written by David Howells, <dhowells@redhat.com>.
 
-     This will cause the module to write some debugging information to the
-     syslog.
diff --git a/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8
index 40b1e125..b833cfee 100644
--- a/Linux-PAM/modules/pam_keyinit/pam_keyinit.8
+++ b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8
@@ -1,133 +1,124 @@
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "PAM_KEYINIT" 8 "" "" ""
-.SH NAME
-pam_keyinit \- Kernel session keyring initialiser module
-.SH "SYNOPSIS"
+.\"     Title: pam_keyinit
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
+.\"
+.TH "PAM_KEYINIT" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
 .ad l
-.hy 0
+.SH "NAME"
+pam_keyinit - Kernel session keyring initialiser module
+.SH "SYNOPSIS"
 .HP 15
-\fBpam_keyinit\&.so\fR [debug] [force] [revoke]
-.ad
-.hy
-
+\fBpam_keyinit\.so\fR [debug] [force] [revoke]
 .SH "DESCRIPTION"
-
 .PP
-The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&.
-
+The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\.
 .PP
-The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&.
-
+The session component of the module checks to see if the process\'s session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\.
 .PP
-If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&.
-
+If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\.
 .PP
-The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&.
-
+The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\.
 .PP
-This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&.
-
+This module is intended primarily for use by login processes\. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\.
 .PP
-This module should not, generally, be invoked by programs like \fIsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&.
-
+This module should not, generally, be invoked by programs like
+\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\. The keys have their own permissions system to manage this\.
 .PP
-This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&.
-
+This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\.
 .PP
-The keyutils package is used to manipulate keys more directly\&. This included in the Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and can also be obtained from:
-
+The keyutils package is used to manipulate keys more directly\. This can be obtained from:
 .PP
- Keyutils : \fIhttp://people.redhat.com/~dhowells/keyutils/\fR 
 
+\fI Keyutils \fR\&[1]
 .SH "OPTIONS"
-
-.TP
+.PP
 \fBdebug\fR
-Log debug information with \fBsyslog\fR(3)\&.
-
-.TP
+.RS 4
+Log debug information with
+\fBsyslog\fR(3)\.
+.RE
+.PP
 \fBforce\fR
-Causes the session keyring of the invoking process to be replaced unconditionally\&.
-
-.TP
+.RS 4
+Causes the session keyring of the invoking process to be replaced unconditionally\.
+.RE
+.PP
 \fBrevoke\fR
-Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&.
-
+.RS 4
+Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
-
 .PP
-Only the \fIsession\fR service is supported\&.
-
+Only the
+\fBsession\fR
+service is supported\.
 .SH "RETURN VALUES"
-
-.TP
+.PP
 PAM_SUCCESS
+.RS 4
 This module will usually return this value
-
-.TP
+.RE
+.PP
 PAM_AUTH_ERR
-Authentication failure\&.
-
-.TP
+.RS 4
+Authentication failure\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error\&.
-
-.TP
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_IGNORE
-The return value should be ignored by PAM dispatch\&.
-
-.TP
+.RS 4
+The return value should be ignored by PAM dispatch\.
+.RE
+.PP
 PAM_SERVICE_ERR
-Cannot determine the user name\&.
-
-.TP
+.RS 4
+Cannot determine the user name\.
+.RE
+.PP
 PAM_SESSION_ERR
-This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&.
-
-.TP
+.RS 4
+This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User not known\&.
-
+.RS 4
+User not known\.
+.RE
 .SH "EXAMPLES"
-
 .PP
-Add this line to your login entries to start each login session with its own session keyring: 
-
+Add this line to your login entries to start each login session with its own session keyring:
+.sp
+.RS 4
 .nf
-
-session  required  pam_keyinit\&.so
+session  required  pam_keyinit\.so
       
 .fi
- 
-
+.RE
 .PP
-This will prevent keys from one session leaking into another session for the same user\&.
-
+This will prevent keys from one session leaking into another session for the same user\.
 .SH "SEE ALSO"
-
 .PP
- \fBpam\&.conf\fR(5), \fBpam\&.d\fR(8), \fBpam\fR(8)  \fBkeyctl\fR(1) 
 
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+\fBkeyctl\fR(1)
 .SH "AUTHOR"
-
 .PP
-pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
-
+pam_keyinit was written by David Howells, <dhowells@redhat\.com>\.
+.SH "NOTES"
+.IP " 1." 4
+Keyutils
+.RS 4
+\%http://people.redhat.com/~dhowells/keyutils/
+.RE
diff --git a/Linux-PAM/modules/pam_lastlog/pam_lastlog.8 b/Linux-PAM/modules/pam_lastlog/pam_lastlog.8
index 81b04470..95cb99df 100644
--- a/Linux-PAM/modules/pam_lastlog/pam_lastlog.8
+++ b/Linux-PAM/modules/pam_lastlog/pam_lastlog.8
@@ -1,85 +1,107 @@
 .\"     Title: pam_lastlog
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/09/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_LASTLOG" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LASTLOG" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_lastlog \- PAM module to display date of last login
+pam_lastlog - PAM module to display date of last login
 .SH "SYNOPSIS"
 .HP 15
-\fBpam_lastlog.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp]
+\fBpam_lastlog\.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp]
 .SH "DESCRIPTION"
 .PP
-pam_lastlog is a PAM module to display a line of information about the last login of the user. In addition, the module maintains the
+pam_lastlog is a PAM module to display a line of information about the last login of the user\. In addition, the module maintains the
 \fI/var/log/lastlog\fR
-file.
+file\.
 .PP
-Some applications may perform this function themselves. In such cases, this module is not necessary.
+Some applications may perform this function themselves\. In such cases, this module is not necessary\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
 \fBsilent\fR
-Don't inform the user about any previous login, just upate the
+.RS 4
+Don\'t inform the user about any previous login, just upate the
 \fI/var/log/lastlog\fR
-file.
-.TP 3n
+file\.
+.RE
+.PP
 \fBnever\fR
+.RS 4
 If the
 \fI/var/log/lastlog\fR
-file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message.
-.TP 3n
+file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\.
+.RE
+.PP
 \fBnodate\fR
-Don't display the date of the last login.
-.TP 3n
+.RS 4
+Don\'t display the date of the last login\.
+.RE
+.PP
 \fBnoterm\fR
-Don't display the terminal name on which the last login was attempted.
-.TP 3n
+.RS 4
+Don\'t display the terminal name on which the last login was attempted\.
+.RE
+.PP
 \fBnohost\fR
-Don't indicate from which host the last login was attempted.
-.TP 3n
+.RS 4
+Don\'t indicate from which host the last login was attempted\.
+.RE
+.PP
 \fBnowtmp\fR
-Don't update the wtmp entry.
+.RS 4
+Don\'t update the wtmp entry\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBsession\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_SUCCESS
-Everything was successfull.
-.TP 3n
+.RS 4
+Everything was successfull\.
+.RE
+.PP
 PAM_SERVICE_ERR
-Internal service module error.
-.TP 3n
+.RS 4
+Internal service module error\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User not known.
+.RS 4
+User not known\.
+.RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 to display the last login time of an user:
 .sp
-.RS 3n
+.RS 4
 .nf
-    session  required  pam_lastlog.so nowtmp
+    session  required  pam_lastlog\.so nowtmp
       
 .fi
 .RE
 .SH "FILES"
-.TP 3n
+.PP
 \fI/var/log/lastlog\fR
+.RS 4
 Lastlog logging file
+.RE
 .SH "SEE ALSO"
 .PP
 
@@ -88,4 +110,4 @@ Lastlog logging file
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_lastlog was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_limits/README b/Linux-PAM/modules/pam_limits/README
index 26336711..3c59052a 100644
--- a/Linux-PAM/modules/pam_limits/README
+++ b/Linux-PAM/modules/pam_limits/README
@@ -16,6 +16,9 @@ module option then the files in the above directory are not parsed.
 
 The module must not be called by a multithreaded application.
 
+If Linux PAM is compiled with audit support the module will report when it
+denies access based on limit of maximum number of concurrent login sessions.
+
 OPTIONS
 
 change_uid
@@ -41,6 +44,10 @@ utmp_early
     to compensate for this behavior and at the same time maintain system-wide
     consistency with a single limits.conf file.
 
+noaudit
+
+    Do not report exceeded maximum logins count to the audit subsystem.
+
 EXAMPLES
 
 These are some example lines which might be specified in /etc/security/
diff --git a/Linux-PAM/modules/pam_limits/limits.conf b/Linux-PAM/modules/pam_limits/limits.conf
index d3463638..5d5c3f70 100644
--- a/Linux-PAM/modules/pam_limits/limits.conf
+++ b/Linux-PAM/modules/pam_limits/limits.conf
@@ -33,7 +33,7 @@
 #        - locks - max number of file locks the user can hold
 #        - sigpending - max number of pending signals
 #        - msgqueue - max memory used by POSIX message queues (bytes)
-#        - nice - max nice priority allowed to raise to
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
 #        - rtprio - max realtime priority
 #
 #<domain>      <type>  <item>         <value>
diff --git a/Linux-PAM/modules/pam_limits/limits.conf.5 b/Linux-PAM/modules/pam_limits/limits.conf.5
index 9fef98d7..134dc741 100644
--- a/Linux-PAM/modules/pam_limits/limits.conf.5
+++ b/Linux-PAM/modules/pam_limits/limits.conf.5
@@ -1,17 +1,17 @@
 .\"     Title: limits.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
-.\"      Date: 08/30/2007
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
 .\"    Manual: Linux-PAM Manual
 .\"    Source: Linux-PAM Manual
 .\"
-.TH "LIMITS.CONF" "5" "08/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "LIMITS\.CONF" "5" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-limits.conf \- configuration file for the pam_limits module
+limits.conf - configuration file for the pam_limits module
 .SH "DESCRIPTION"
 .PP
 The syntax of the lines is as follows:
@@ -26,46 +26,49 @@ The fields listed above should be filled as follows:
 .PP
 \fB<domain>\fR
 .RS 4
+.sp
 .RS 4
 \h'-04'\(bu\h'+03'a username
 .RE
+.sp
 .RS 4
 \h'-04'\(bu\h'+03'a groupname, with
 \fB@group\fR
-syntax. This should not be confused with netgroups.
+syntax\. This should not be confused with netgroups\.
 .RE
+.sp
 .RS 4
 \h'-04'\(bu\h'+03'the wildcard
-\fB*\fR, for default entry.
+\fB*\fR, for default entry\.
 .RE
+.sp
 .RS 4
 \h'-04'\(bu\h'+03'the wildcard
 \fB%\fR, for maxlogins limit only, can also be used with
 \fI%group\fR
-syntax.
+syntax\.
 .RE
 .RE
 .PP
 \fB<type>\fR
 .RS 4
-.RS 4
 .PP
 \fBhard\fR
 .RS 4
 for enforcing
 \fBhard\fR
-resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
+resource limits\. These limits are set by the superuser and enforced by the Kernel\. The user cannot raise his requirement of system resources above such values\.
 .RE
 .PP
 \fBsoft\fR
 .RS 4
 for enforcing
 \fBsoft\fR
-resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting
+resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-existing
 \fBhard\fR
-limits. The values specified with this token can be thought of as
+limits\. The values specified with this token can be thought of as
 \fIdefault\fR
-values, for normal system usage.
+values, for normal system usage\.
 .RE
 .PP
 \fB\-\fR
@@ -74,16 +77,14 @@ for enforcing both
 \fBsoft\fR
 and
 \fBhard\fR
-resource limits together.
+resource limits together\.
 .sp
-Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
-.RE
+Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \.
 .RE
 .RE
 .PP
 \fB<item>\fR
 .RS 4
-.RS 4
 .PP
 \fBcore\fR
 .RS 4
@@ -153,48 +154,47 @@ the priority to run user process with (negative values boost process priority)
 .PP
 \fBlocks\fR
 .RS 4
-maximum locked files (Linux 2.4 and higher)
+maximum locked files (Linux 2\.4 and higher)
 .RE
 .PP
 \fBsigpending\fR
 .RS 4
-maximum number of pending signals (Linux 2.6 and higher)
+maximum number of pending signals (Linux 2\.6 and higher)
 .RE
 .PP
 \fBmsqqueue\fR
 .RS 4
-maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
+maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher)
 .RE
 .PP
 \fBnice\fR
 .RS 4
-maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
+maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher) values: [\-20,19]
 .RE
 .PP
 \fBrtprio\fR
 .RS 4
-maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher)
-.RE
+maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher)
 .RE
 .RE
 .PP
 In general, individual limits have priority over group limits, so if you impose no limits for
 \fIadmin\fR
-group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
+group, but one of the members in this group have a limits line, the user will have its limits set according to this line\.
 .PP
 Also, please note that all limit settings are set
-\fIper login\fR. They are not global, nor are they permanent; existing only for the duration of the session.
+\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\.
 .PP
 In the
 \fIlimits\fR
-configuration file, the '\fB#\fR' character introduces a comment \- after which the rest of the line is ignored.
+configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\.
 .PP
 The pam_limits module does its best to report configuration problems found in its configuration file via
-\fBsyslog\fR(3).
+\fBsyslog\fR(3)\.
 .SH "EXAMPLES"
 .PP
 These are some example lines which might be specified in
-\fI/etc/security/limits.conf\fR.
+\fI/etc/security/limits\.conf\fR\.
 .sp
 .RS 4
 .nf
@@ -216,4 +216,4 @@ ftp             hard    nproc           0
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_limits was initially written by Cristian Gafton <gafton@redhat.com>
+pam_limits was initially written by Cristian Gafton <gafton@redhat\.com>
diff --git a/Linux-PAM/modules/pam_limits/limits.conf.5.xml b/Linux-PAM/modules/pam_limits/limits.conf.5.xml
index 48798470..fb1fad27 100644
--- a/Linux-PAM/modules/pam_limits/limits.conf.5.xml
+++ b/Linux-PAM/modules/pam_limits/limits.conf.5.xml
@@ -82,7 +82,7 @@
                 <para>
                   for enforcing <emphasis remap='B'>soft</emphasis> resource limits.
                   These limits are ones that the user can move up or down within the
-                  permitted range by any pre-exisiting <emphasis remap='B'>hard</emphasis>
+                  permitted range by any pre-existing <emphasis remap='B'>hard</emphasis>
                   limits. The values specified with this token can be thought of as
                   <emphasis>default</emphasis> values, for normal system usage.
                 </para>
@@ -214,7 +214,7 @@
             <varlistentry>
               <term><option>nice</option></term>
               <listitem>
-                <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher)</para>
+                <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]</para>
               </listitem>
             </varlistentry>
             <varlistentry>
diff --git a/Linux-PAM/modules/pam_limits/pam_limits.8 b/Linux-PAM/modules/pam_limits/pam_limits.8
index 4f01e4cf..dffb5c81 100644
--- a/Linux-PAM/modules/pam_limits/pam_limits.8
+++ b/Linux-PAM/modules/pam_limits/pam_limits.8
@@ -1,125 +1,132 @@
 .\"     Title: pam_limits
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 04/30/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_LIMITS" "8" "04/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LIMITS" "8" "01/08/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_limits \- PAM module to limit resources
+pam_limits - PAM module to limit resources
 .SH "SYNOPSIS"
 .HP 14
-\fBpam_limits.so\fR [change_uid] [conf=\fI/path/to/limits.conf\fR] [debug] [utmp_early]
+\fBpam_limits\.so\fR [change_uid] [conf=\fI/path/to/limits\.conf\fR] [debug] [utmp_early] [noaudit]
 .SH "DESCRIPTION"
 .PP
-The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session. Users of
+The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\. Users of
 \fIuid=0\fR
-are affected by this limits, too.
+are affected by this limits, too\.
 .PP
 By default limits are taken from the
-\fI/etc/security/limits.conf\fR
-config file. Then individual files from the
-\fI/etc/security/limits.d/\fR
-directory are read. The files are parsed one after another in the order of "C" locale. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing. If a config file is explicitely specified with a module option then the files in the above directory are not parsed.
+\fI/etc/security/limits\.conf\fR
+config file\. Then individual files from the
+\fI/etc/security/limits\.d/\fR
+directory are read\. The files are parsed one after another in the order of "C" locale\. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\.
 .PP
-The module must not be called by a multithreaded application.
+The module must not be called by a multithreaded application\.
+.PP
+If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\.
 .SH "OPTIONS"
 .PP
 \fBchange_uid\fR
 .RS 4
-Change real uid to the user for who the limits are set up. Use this option if you have problems like login not forking a shell for user who has no processes. Be warned that something else may break when you do this.
+Change real uid to the user for who the limits are set up\. Use this option if you have problems like login not forking a shell for user who has no processes\. Be warned that something else may break when you do this\.
 .RE
 .PP
-\fBconf=\fR\fB\fI/path/to/limits.conf\fR\fR
+\fBconf=\fR\fB\fI/path/to/limits\.conf\fR\fR
 .RS 4
-Indicate an alternative limits.conf style configuration file to override the default.
+Indicate an alternative limits\.conf style configuration file to override the default\.
 .RE
 .PP
 \fBdebug\fR
 .RS 4
-Print debug information.
+Print debug information\.
 .RE
 .PP
 \fButmp_early\fR
 .RS 4
-Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits.conf file.
+Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\.conf file\.
+.RE
+.PP
+\fBnoaudit\fR
+.RS 4
+Do not report exceeded maximum logins count to the audit subsystem\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBsession\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
 PAM_ABORT
 .RS 4
-Cannot get current limits.
+Cannot get current limits\.
 .RE
 .PP
 PAM_IGNORE
 .RS 4
-No limits found for this user.
+No limits found for this user\.
 .RE
 .PP
 PAM_PERM_DENIED
 .RS 4
-New limits could not be set.
+New limits could not be set\.
 .RE
 .PP
 PAM_SERVICE_ERR
 .RS 4
-Cannot read config file.
+Cannot read config file\.
 .RE
 .PP
 PAM_SESSEION_ERR
 .RS 4
-Error recovering account name.
+Error recovering account name\.
 .RE
 .PP
 PAM_SUCCESS
 .RS 4
-Limits were changed.
+Limits were changed\.
 .RE
 .PP
 PAM_USER_UNKNOWN
 .RS 4
-The user is not known to the system.
+The user is not known to the system\.
 .RE
 .SH "FILES"
 .PP
-\fI/etc/security/limits.conf\fR
+\fI/etc/security/limits\.conf\fR
 .RS 4
 Default configuration file
 .RE
 .SH "EXAMPLES"
 .PP
 For the services you need resources limits (login for example) put a the following line in
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 as the last line for that service (usually after the pam_unix session line):
 .sp
 .RS 4
 .nf
-#%PAM\-1.0
+#%PAM\-1\.0
 #
 # Resource limits imposed on login sessions via pam_limits
 #
-session  required  pam_limits.so
+session  required  pam_limits\.so
     
 .fi
 .RE
 .PP
-Replace "login" for each service you are using this module.
+Replace "login" for each service you are using this module\.
 .SH "SEE ALSO"
 .PP
 
 \fBlimits.conf\fR(5),
 \fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
 .SH "AUTHORS"
 .PP
-pam_limits was initially written by Cristian Gafton <gafton@redhat.com>
+pam_limits was initially written by Cristian Gafton <gafton@redhat\.com>
diff --git a/Linux-PAM/modules/pam_limits/pam_limits.8.xml b/Linux-PAM/modules/pam_limits/pam_limits.8.xml
index 9f13bb68..98afdcd4 100644
--- a/Linux-PAM/modules/pam_limits/pam_limits.8.xml
+++ b/Linux-PAM/modules/pam_limits/pam_limits.8.xml
@@ -34,6 +34,9 @@
       <arg choice="opt">
         utmp_early
       </arg>
+      <arg choice="opt">
+        noaudit
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -57,6 +60,11 @@
     <para>
       The module must not be called by a multithreaded application.
     </para>
+    <para>
+      If Linux PAM is compiled with audit support the module will report
+      when it denies access based on limit of maximum number of concurrent
+      login sessions.
+    </para>
   </refsect1>
 
   <refsect1 id="pam_limits-options">
@@ -111,6 +119,16 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>
+          <option>noaudit</option>
+        </term>
+        <listitem>
+          <para>
+            Do not report exceeded maximum logins count to the audit subsystem.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
diff --git a/Linux-PAM/modules/pam_limits/pam_limits.c b/Linux-PAM/modules/pam_limits/pam_limits.c
index d65e64bf..f1e29b85 100644
--- a/Linux-PAM/modules/pam_limits/pam_limits.c
+++ b/Linux-PAM/modules/pam_limits/pam_limits.c
@@ -41,6 +41,10 @@
 #include <pwd.h>
 #include <locale.h>
 
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>                                                                                                                                            
+#endif
+
 /* Module defines */
 #define LINE_LENGTH 1024
 
@@ -101,6 +105,7 @@ struct pam_limit_s {
 #define PAM_DEBUG_ARG       0x0001
 #define PAM_DO_SETREUID     0x0002
 #define PAM_UTMP_EARLY      0x0004
+#define PAM_NO_AUDIT        0x0008
 
 /* Limits from globbed files. */
 #define LIMITS_CONF_GLOB LIMITS_FILE_DIR
@@ -126,6 +131,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
 	    ctrl |= PAM_DO_SETREUID;
 	} else if (!strcmp(*argv,"utmp_early")) {
 	    ctrl |= PAM_UTMP_EARLY;
+	} else if (!strcmp(*argv,"noaudit")) {
+	    ctrl |= PAM_NO_AUDIT;
 	} else {
 	    pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
 	}
@@ -595,6 +602,13 @@ static int setup_limits(pam_handle_t *pamh,
 	D(("skip login limit check for uid=0"));
     } else if (pl->login_limit > 0) {
         if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
+#ifdef HAVE_LIBAUDIT
+	    if (!(ctrl & PAM_NO_AUDIT)) {
+        	pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
+            	    "pam_limits", PAM_PERM_DENIED);
+		/* ignore return value as we fail anyway */
+            }
+#endif
             retval |= LOGIN_ERR;
 	}
     } else if (pl->login_limit == 0) {
diff --git a/Linux-PAM/modules/pam_listfile/README b/Linux-PAM/modules/pam_listfile/README
index 51bb13d2..7fe7051b 100644
--- a/Linux-PAM/modules/pam_listfile/README
+++ b/Linux-PAM/modules/pam_listfile/README
@@ -55,7 +55,7 @@ onerr=[succeed|fail]
 apply=[user|@group]
 
     Restrict the user class for which the restriction apply. Note that with
-    item=[user|ruser|group] this oes not make sense, but for item=[tty|rhost|
+    item=[user|ruser|group] this does not make sense, but for item=[tty|rhost|
     shell] it have a meaning.
 
 quiet
diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.8 b/Linux-PAM/modules/pam_listfile/pam_listfile.8
index 0103aa5e..e14525d8 100644
--- a/Linux-PAM/modules/pam_listfile/pam_listfile.8
+++ b/Linux-PAM/modules/pam_listfile/pam_listfile.8
@@ -1,23 +1,23 @@
 .\"     Title: pam_listfile
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
-.\"      Date: 08/25/2007
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
 .\"    Manual: Linux-PAM Manual
 .\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_LISTFILE" "8" "08/25/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LISTFILE" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_listfile \- deny or allow services based on an arbitrary file
+pam_listfile - deny or allow services based on an arbitrary file
 .SH "SYNOPSIS"
 .HP 16
-\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet]
+\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet]
 .SH "DESCRIPTION"
 .PP
-pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file.
+pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\.
 .PP
 The module gets the
 \fBitem\fR
@@ -29,15 +29,15 @@ specifies the username,
 \fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request,
 \fIPAM_RUSER\fR
 \-\- and looks for an instance of that item in the
-\fBfile=\fR\fB\fIfilename\fR\fR.
+\fBfile=\fR\fB\fIfilename\fR\fR\.
 \fIfilename\fR
-contains one line per item listed. If the item is found, then if
+contains one line per item listed\. If the item is found, then if
 \fBsense=\fR\fB\fIallow\fR\fR,
 \fIPAM_SUCCESS\fR
 is returned, causing the authorization request to succeed; else if
 \fBsense=\fR\fB\fIdeny\fR\fR,
 \fIPAM_AUTH_ERR\fR
-is returned, causing the authorization request to fail.
+is returned, causing the authorization request to fail\.
 .PP
 If an error is encountered (for instance, if
 \fIfilename\fR
@@ -49,54 +49,54 @@ is returned, otherwise if
 \fIPAM_AUTH_ERR\fR
 or
 \fIPAM_SERVICE_ERR\fR
-(as appropriate) will be returned.
+(as appropriate) will be returned\.
 .PP
 An additional argument,
-\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR). This added restriction is only meaningful when used with the
+\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the
 \fItty\fR,
 \fIrhost\fR
 and
 \fIshell\fR
-items.
+items\.
 .PP
-Besides this last one, all arguments should be specified; do not count on any default behavior.
+Besides this last one, all arguments should be specified; do not count on any default behavior\.
 .PP
-No credentials are awarded by this module.
+No credentials are awarded by this module\.
 .SH "OPTIONS"
 .PP
 .PP
 \fBitem=[tty|user|rhost|ruser|group|shell]\fR
 .RS 4
-What is listed in the file and should be checked for.
+What is listed in the file and should be checked for\.
 .RE
 .PP
 \fBsense=[allow|deny]\fR
 .RS 4
-Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.
+Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\.
 .RE
 .PP
 \fBfile=\fR\fB\fI/path/filename\fR\fR
 .RS 4
-File containing one item per line. The file needs to be a plain file and not world writeable.
+File containing one item per line\. The file needs to be a plain file and not world writeable\.
 .RE
 .PP
 \fBonerr=[succeed|fail]\fR
 .RS 4
-What to do if something weird happens like being unable to open the file.
+What to do if something weird happens like being unable to open the file\.
 .RE
 .PP
 \fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR
 .RS 4
-Restrict the user class for which the restriction apply. Note that with
+Restrict the user class for which the restriction apply\. Note that with
 \fBitem=[user|ruser|group]\fR
-this oes not make sense, but for
+this does not make sense, but for
 \fBitem=[tty|rhost|shell]\fR
-it have a meaning.
+it have a meaning\.
 .RE
 .PP
 \fBquiet\fR
 .RS 4
-Do not treat service refusals or missing list files as errors that need to be logged.
+Do not treat service refusals or missing list files as errors that need to be logged\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
@@ -106,47 +106,47 @@ The services
 \fBpassword\fR
 and
 \fBsession\fR
-are supported.
+are supported\.
 .SH "RETURN VALUES"
 .PP
 .PP
 PAM_AUTH_ERR
 .RS 4
-Authentication failure.
+Authentication failure\.
 .RE
 .PP
 PAM_BUF_ERR
 .RS 4
-Memory buffer error.
+Memory buffer error\.
 .RE
 .PP
 PAM_IGNORE
 .RS 4
 The rule does not apply to the
 \fBapply\fR
-option.
+option\.
 .RE
 .PP
 PAM_SERVICE_ERR
 .RS 4
-Error in service module.
+Error in service module\.
 .RE
 .PP
 PAM_SUCCESS
 .RS 4
-Success.
+Success\.
 .RE
 .SH "EXAMPLES"
 .PP
-Classic 'ftpusers' authentication can be implemented with this entry in
-\fI/etc/pam.d/ftpd\fR:
+Classic \'ftpusers\' authentication can be implemented with this entry in
+\fI/etc/pam\.d/ftpd\fR:
 .sp
 .RS 4
 .nf
 #
 # deny ftp\-access to users listed in the /etc/ftpusers file
 #
-auth    required       pam_listfile.so \e
+auth    required       pam_listfile\.so \e
         onerr=succeed item=user sense=deny file=/etc/ftpusers
       
 .fi
@@ -156,10 +156,10 @@ Note, users listed in
 \fI/etc/ftpusers\fR
 file are (counterintuitively)
 \fInot\fR
-allowed access to the ftp service.
+allowed access to the ftp service\.
 .PP
 To allow login access only for certain users, you can use a
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 entry like this:
 .sp
 .RS 4
@@ -167,17 +167,17 @@ entry like this:
 #
 # permit login to users listed in /etc/loginusers
 #
-auth    required       pam_listfile.so \e
+auth    required       pam_listfile\.so \e
         onerr=fail item=user sense=allow file=/etc/loginusers
       
 .fi
 .RE
 .sp
 For this example to work, all users who are allowed to use the login service should be listed in the file
-\fI/etc/loginusers\fR. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
+\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
 \fI/etc/loginusers\fR, or by listing a user who is able to
 \fIsu\fR
-to the root account.
+to the root account\.
 .SH "SEE ALSO"
 .PP
 
@@ -186,4 +186,4 @@ to the root account.
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot Lee <sopwith@cuc.edu>.
+pam_listfile was written by Michael K\. Johnson <johnsonm@redhat\.com> and Elliot Lee <sopwith@cuc\.edu>\.
diff --git a/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml b/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml
index 2aab4962..e54e80a4 100644
--- a/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml
+++ b/Linux-PAM/modules/pam_listfile/pam_listfile.8.xml
@@ -153,7 +153,7 @@
           <listitem>
             <para>
               Restrict the user class for which the restriction apply. Note that
-              with <option>item=[user|ruser|group]</option> this oes not make sense,
+              with <option>item=[user|ruser|group]</option> this does not make sense,
               but for <option>item=[tty|rhost|shell]</option> it have a meaning.
             </para>
           </listitem>
diff --git a/Linux-PAM/modules/pam_localuser/pam_localuser.8 b/Linux-PAM/modules/pam_localuser/pam_localuser.8
index e88f0b57..24709bf1 100644
--- a/Linux-PAM/modules/pam_localuser/pam_localuser.8
+++ b/Linux-PAM/modules/pam_localuser/pam_localuser.8
@@ -1,37 +1,37 @@
 .\"     Title: pam_localuser
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/>
-.\"      Date: 12/13/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_LOCALUSER" "8" "12/13/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LOCALUSER" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_localuser \- require users to be listed in /etc/passwd
+pam_localuser - require users to be listed in /etc/passwd
 .SH "SYNOPSIS"
 .HP 17
-\fBpam_localuser.so\fR [debug] [file=\fI/path/passwd\fR]
+\fBpam_localuser\.so\fR [debug] [file=\fI/path/passwd\fR]
 .SH "DESCRIPTION"
 .PP
-pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network's users and a few accounts that are local to a particular workstation. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network's users.
+pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network\'s users and a few accounts that are local to a particular workstation\. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network\'s users\.
 .PP
-This could also be implemented using pam_listfile.so and a very short awk script invoked by cron, but it's common enough to have been separated out.
+This could also be implemented using pam_listfile\.so and a very short awk script invoked by cron, but it\'s common enough to have been separated out\.
 .SH "OPTIONS"
 .PP
 .PP
 \fBdebug\fR
-.RS 3n
-Print debug information.
+.RS 4
+Print debug information\.
 .RE
 .PP
 \fBfile=\fR\fB\fI/path/passwd\fR\fR
-.RS 3n
+.RS 4
 Use a file other than
-\fI/etc/passwd\fR.
+\fI/etc/passwd\fR\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
@@ -39,34 +39,34 @@ All services (\fBaccount\fR,
 \fBauth\fR,
 \fBpassword\fR
 and
-\fBsession\fR) are supported.
+\fBsession\fR) are supported\.
 .SH "RETURN VALUES"
 .PP
 .PP
 PAM_SUCCESS
-.RS 3n
-The new localuser was set successfull.
+.RS 4
+The new localuser was set successfull\.
 .RE
 .PP
 PAM_SERVICE_ERR
-.RS 3n
-No username was given.
+.RS 4
+No username was given\.
 .RE
 .PP
 PAM_USER_UNKNOWN
-.RS 3n
-User not known.
+.RS 4
+User not known\.
 .RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/su\fR
-to allow only local users in group wheel to use su.
+\fI/etc/pam\.d/su\fR
+to allow only local users in group wheel to use su\.
 .sp
-.RS 3n
+.RS 4
 .nf
-account sufficient pam_localuser.so
-account required pam_wheel.so
+account sufficient pam_localuser\.so
+account required pam_wheel\.so
       
 .fi
 .RE
@@ -74,8 +74,8 @@ account required pam_wheel.so
 .SH "FILES"
 .PP
 \fI/etc/passwd\fR
-.RS 3n
-Local user account information.
+.RS 4
+Local user account information\.
 .RE
 .SH "SEE ALSO"
 .PP
@@ -85,4 +85,4 @@ Local user account information.
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>.
+pam_localuser was written by Nalin Dahyabhai <nalin@redhat\.com>\.
diff --git a/Linux-PAM/modules/pam_loginuid/pam_loginuid.8 b/Linux-PAM/modules/pam_loginuid/pam_loginuid.8
index ef0f95f1..f914c41d 100644
--- a/Linux-PAM/modules/pam_loginuid/pam_loginuid.8
+++ b/Linux-PAM/modules/pam_loginuid/pam_loginuid.8
@@ -1,48 +1,52 @@
 .\"     Title: pam_loginuid
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 <http://docbook.sf.net/>
-.\"      Date: 09/06/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_LOGINUID" "8" "09/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LOGINUID" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_loginuid \- Record user's login uid to the process attribute
+pam_loginuid - Record user's login uid to the process attribute
 .SH "SYNOPSIS"
 .HP 16
-\fBpam_loginuid.so\fR [require_auditd]
+\fBpam_loginuid\.so\fR [require_auditd]
 .SH "DESCRIPTION"
 .PP
-The pam_loginuid module sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to be correctly audited. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to.
+The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\. This is necessary for applications to be correctly audited\. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\. There are probably other entry point applications besides these\. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBrequire_auditd\fR
-This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running.
+.RS 4
+This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The
 \fBsession\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_SESSION_ERR
-An error occured during session management.
+.RS 4
+An error occured during session management\.
+.RE
 .SH "EXAMPLES"
 .sp
-.RS 3n
+.RS 4
 .nf
-#%PAM\-1.0
-auth       required     pam_unix.so
-auth       required     pam_nologin.so
-account    required     pam_unix.so
-password   required     pam_unix.so
-session    required     pam_unix.so
-session    required     pam_loginuid.so
+#%PAM\-1\.0
+auth       required     pam_unix\.so
+auth       required     pam_nologin\.so
+account    required     pam_unix\.so
+password   required     pam_unix\.so
+session    required     pam_unix\.so
+session    required     pam_loginuid\.so
     
 .fi
 .RE
@@ -56,4 +60,4 @@ session    required     pam_loginuid.so
 \fBauditd\fR(8)
 .SH "AUTHOR"
 .PP
-pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>
+pam_loginuid was written by Steve Grubb <sgrubb@redhat\.com>
diff --git a/Linux-PAM/modules/pam_mail/pam_mail.8 b/Linux-PAM/modules/pam_mail/pam_mail.8
index 6d8a69a8..4c575a90 100644
--- a/Linux-PAM/modules/pam_mail/pam_mail.8
+++ b/Linux-PAM/modules/pam_mail/pam_mail.8
@@ -1,26 +1,26 @@
 .\"     Title: pam_mail
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/09/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_MAIL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MAIL" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_mail \- Inform about available mail
+pam_mail - Inform about available mail
 .SH "SYNOPSIS"
 .HP 12
-\fBpam_mail.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard]
+\fBpam_mail\.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard]
 .SH "DESCRIPTION"
 .PP
-The pam_mail PAM module provides the "you have new mail" service to the user. It can be plugged into any application that has credential or session hooks. It gives a single message indicating the
+The pam_mail PAM module provides the "you have new mail" service to the user\. It can be plugged into any application that has credential or session hooks\. It gives a single message indicating the
 \fInewness\fR
-of any mail it finds in the user's mail folder. This module also sets the PAM environment variable,
-\fBMAIL\fR, to the user's mail directory.
+of any mail it finds in the user\'s mail folder\. This module also sets the PAM environment variable,
+\fBMAIL\fR, to the user\'s mail directory\.
 .PP
 If the mail spool file (be it
 \fI/var/mail/$USER\fR
@@ -28,76 +28,102 @@ or a pathname given with the
 \fBdir=\fR
 parameter) is a directory then pam_mail assumes it is in the
 \fIMaildir\fR
-format.
+format\.
 .SH "OPTIONS"
 .PP
-.TP 3n
+.PP
 \fBclose\fR
-Indicate if the user has any mail also on logout.
-.TP 3n
+.RS 4
+Indicate if the user has any mail also on logout\.
+.RE
+.PP
 \fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
 \fBdir=\fR\fB\fImaildir\fR\fR
-Look for the users' mail in an alternative location defined by
-\fImaildir/<login>\fR. The default location for mail is
-\fI/var/mail/<login>\fR. Note, if the supplied
+.RS 4
+Look for the users\' mail in an alternative location defined by
+\fImaildir/<login>\fR\. The default location for mail is
+\fI/var/mail/<login>\fR\. Note, if the supplied
 \fImaildir\fR
-is prefixed by a '~', the directory is interpreted as indicating a file in the user's home directory.
-.TP 3n
+is prefixed by a \'~\', the directory is interpreted as indicating a file in the user\'s home directory\.
+.RE
+.PP
 \fBempty\fR
-Also print message if user has no mail.
-.TP 3n
+.RS 4
+Also print message if user has no mail\.
+.RE
+.PP
 \fBhash=\fR\fB\fIcount\fR\fR
-Mail directory hash depth. For example, a
+.RS 4
+Mail directory hash depth\. For example, a
 \fIhashcount\fR
 of 2 would make the mail file be
-\fI/var/spool/mail/u/s/user\fR.
-.TP 3n
+\fI/var/spool/mail/u/s/user\fR\.
+.RE
+.PP
 \fBnoenv\fR
+.RS 4
 Do not set the
 \fBMAIL\fR
-environment variable.
-.TP 3n
+environment variable\.
+.RE
+.PP
 \fBnopen\fR
-Don't print any mail information on login. This flag is useful to get the
+.RS 4
+Don\'t print any mail information on login\. This flag is useful to get the
 \fBMAIL\fR
-environment variable set, but to not display any information about it.
-.TP 3n
+environment variable set, but to not display any information about it\.
+.RE
+.PP
 \fBquiet\fR
-Only report when there is new mail.
-.TP 3n
+.RS 4
+Only report when there is new mail\.
+.RE
+.PP
 \fBstandard\fR
-Old style "You have..." format which doesn't show the mail spool being used. This also implies "empty".
+.RS 4
+Old style "You have\.\.\." format which doesn\'t show the mail spool being used\. This also implies "empty"\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The
 \fBauth\fR
 and
 \fBaccount\fR
-services are supported.
+services are supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_SERVICE_ERR
-Badly formed arguments.
-.TP 3n
+.RS 4
+Badly formed arguments\.
+.RE
+.PP
 PAM_SUCCESS
-Success.
-.TP 3n
+.RS 4
+Success\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User not known.
+.RS 4
+User not known\.
+.RE
 .SH "EXAMPLES"
 .PP
 Add the following line to
-\fI/etc/pam.d/login\fR
-to indicate that the user has new mail when they login to the system.
+\fI/etc/pam\.d/login\fR
+to indicate that the user has new mail when they login to the system\.
 .sp
-.RS 3n
+.RS 4
 .nf
-session  optional  pam_mail.so standard
+session  optional  pam_mail\.so standard
       
 .fi
 .RE
@@ -110,4 +136,4 @@ session  optional  pam_mail.so standard
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_mail was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_mail was written by Andrew G\. Morgan <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8 b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8
index 1364e01f..a6a096d0 100644
--- a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8
+++ b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8
@@ -1,82 +1,100 @@
 .\"     Title: pam_mkhomedir
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_MKHOMEDIR" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MKHOMEDIR" "8" "01/08/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_mkhomedir \- PAM module to create users home directory
+pam_mkhomedir - PAM module to create users home directory
 .SH "SYNOPSIS"
 .HP 17
-\fBpam_mkhomedir.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR]
+\fBpam_mkhomedir\.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR]
 .SH "DESCRIPTION"
 .PP
-The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories. The skeleton directory (usually
-\fI/etc/skel/\fR) is used to copy default files and also set's a umask for the creation.
+The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins\. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories\. The skeleton directory (usually
+\fI/etc/skel/\fR) is used to copy default files and also set\'s a umask for the creation\.
 .PP
-The new users home directory will not be removed after logout of the user.
+The new users home directory will not be removed after logout of the user\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBsilent\fR
-Don't print informative messages.
-.TP 3n
+.RS 4
+Don\'t print informative messages\.
+.RE
+.PP
 \fBumask=\fR\fB\fImask\fR\fR
+.RS 4
 The user file\-creation mask is set to
-\fImask\fR. The default value of mask is 0022.
-.TP 3n
+\fImask\fR\. The default value of mask is 0022\.
+.RE
+.PP
 \fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR
+.RS 4
 Indicate an alternative
 \fIskel\fR
 directory to override the default
-\fI/etc/skel\fR.
+\fI/etc/skel\fR\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBsession\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_CRED_INSUFFICIENT
-Insufficient credentials to access authentication data.
-.TP 3n
+.RS 4
+Insufficient credentials to access authentication data\.
+.RE
+.PP
 PAM_PERM_DENIED
-Not enough permissions to create the new directory or read the skel directory.
-.TP 3n
+.RS 4
+Not enough permissions to create the new directory or read the skel directory\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User not known to the underlying authentication module.
-.TP 3n
+.RS 4
+User not known to the underlying authentication module\.
+.RE
+.PP
 PAM_SUCCESS
-Environment variables were set.
+.RS 4
+Environment variables were set\.
+.RE
 .SH "FILES"
-.TP 3n
+.PP
 \fI/etc/skel\fR
+.RS 4
 Default skel directory
+.RE
 .SH "EXAMPLES"
 .PP
-A sample /etc/pam.d/login file:
+A sample /etc/pam\.d/login file:
 .sp
-.RS 3n
+.RS 4
 .nf
-  auth       requisite   pam_securetty.so
-  auth       sufficient  pam_ldap.so
-  auth       required    pam_unix.so
-  auth       required    pam_nologin.so
-  account    sufficient  pam_ldap.so
-  account    required    pam_unix.so
-  password   required    pam_unix.so
-  session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
-  session    required    pam_unix.so
-  session    optional    pam_lastlog.so
-  session    optional    pam_mail.so standard
+  auth       requisite   pam_securetty\.so
+  auth       sufficient  pam_ldap\.so
+  auth       required    pam_unix\.so
+  auth       required    pam_nologin\.so
+  account    sufficient  pam_ldap\.so
+  account    required    pam_unix\.so
+  password   required    pam_unix\.so
+  session    required    pam_mkhomedir\.so skel=/etc/skel/ umask=0022
+  session    required    pam_unix\.so
+  session    optional    pam_lastlog\.so
+  session    optional    pam_mail\.so standard
       
 .fi
 .RE
@@ -85,7 +103,7 @@ A sample /etc/pam.d/login file:
 .PP
 
 \fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
 .SH "AUTHOR"
 .PP
-pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>.
+pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\.org>\.
diff --git a/Linux-PAM/modules/pam_motd/pam_motd.8 b/Linux-PAM/modules/pam_motd/pam_motd.8
index 74bfb586..0368be06 100644
--- a/Linux-PAM/modules/pam_motd/pam_motd.8
+++ b/Linux-PAM/modules/pam_motd/pam_motd.8
@@ -1,53 +1,53 @@
 .\"     Title: pam_motd
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/>
-.\"      Date: 10/26/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_MOTD" "8" "10/26/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MOTD" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_motd \- Display the motd file
+pam_motd - Display the motd file
 .SH "SYNOPSIS"
 .HP 12
-\fBpam_motd.so\fR [motd=\fI/path/filename\fR]
+\fBpam_motd\.so\fR [motd=\fI/path/filename\fR]
 .SH "DESCRIPTION"
 .PP
-pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login. By default the
+pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login\. By default the
 \fI/etc/motd\fR
-file is shown. The message size is limited to 64KB.
+file is shown\. The message size is limited to 64KB\.
 .SH "OPTIONS"
 .PP
 \fBmotd=\fR\fB\fI/path/filename\fR\fR
-.RS 3n
+.RS 4
 The
 \fI/path/filename\fR
-file is displayed as message of the day.
+file is displayed as message of the day\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBsession\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
 .PP
 PAM_IGNORE
-.RS 3n
-This is the only return value of this module.
+.RS 4
+This is the only return value of this module\.
 .RE
 .SH "EXAMPLES"
 .PP
 The suggested usage for
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 is:
 .sp
-.RS 3n
+.RS 4
 .nf
-session  optional  pam_motd.so  motd=/etc/motd
+session  optional  pam_motd\.so  motd=/etc/motd
       
 .fi
 .RE
@@ -61,4 +61,4 @@ session  optional  pam_motd.so  motd=/etc/motd
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_motd was written by Ben Collins <bcollins@debian.org>.
+pam_motd was written by Ben Collins <bcollins@debian\.org>\.
diff --git a/Linux-PAM/modules/pam_namespace/Makefile.am b/Linux-PAM/modules/pam_namespace/Makefile.am
index 002678ba..05d47cf3 100644
--- a/Linux-PAM/modules/pam_namespace/Makefile.am
+++ b/Linux-PAM/modules/pam_namespace/Makefile.am
@@ -15,13 +15,14 @@ endif
 
 EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace
 
-noinst_HEADERS = md5.h
+noinst_HEADERS = md5.h pam_namespace.h argv_parse.h
 
 securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
+namespaceddir = $(SCONFIGDIR)/namespace.d
 
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-        -DPAM_NAMESPACE_CONFIG=\"$(SCONFIGDIR)/namespace.conf\"
+        -DSECURECONF_DIR=\"$(SCONFIGDIR)/\"
 AM_LDFLAGS =  -no-undefined -avoid-version -module
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
@@ -29,11 +30,13 @@ endif
 
 if HAVE_UNSHARE
 securelib_LTLIBRARIES = pam_namespace.la
-pam_namespace_la_SOURCES = pam_namespace.c pam_namespace.h md5.c md5.h
+pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c
 pam_namespace_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@
 
 secureconf_DATA = namespace.conf
 secureconf_SCRIPTS = namespace.init
+namespaced_DATA =
+
 TESTS = tst-pam_namespace
 man_MANS = $(MAN5) $(MAN8)
 endif
diff --git a/Linux-PAM/modules/pam_namespace/argv_parse.c b/Linux-PAM/modules/pam_namespace/argv_parse.c
new file mode 100644
index 00000000..acc76d74
--- /dev/null
+++ b/Linux-PAM/modules/pam_namespace/argv_parse.c
@@ -0,0 +1,165 @@
+/*
+ * argv_parse.c --- utility function for parsing a string into a
+ * 	argc, argv array.
+ *
+ * This file defines a function argv_parse() which parsing a
+ * passed-in string, handling double quotes and backslashes, and
+ * creates an allocated argv vector which can be freed using the
+ * argv_free() function.
+ *
+ * See argv_parse.h for the formal definition of the functions.
+ *
+ * Copyright 1999 by Theodore Ts'o.
+ *
+ * Permission to use, copy, modify, and distribute this software for
+ * any purpose with or without fee is hereby granted, provided that
+ * the above copyright notice and this permission notice appear in all
+ * copies.  THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE
+ * AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.  (Isn't
+ * it sick that the U.S. culture of lawsuit-happy lawyers requires
+ * this kind of disclaimer?)
+ *
+ * Version 1.1, modified 2/27/1999
+ */
+
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include "argv_parse.h"
+
+#define STATE_WHITESPACE	1
+#define STATE_TOKEN		2
+#define STATE_QUOTED		3
+
+/*
+ * Returns 0 on success, -1 on failure.
+ */
+int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv)
+{
+	int	argc = 0, max_argc = 0;
+	char 	**argv, **new_argv, *buf, ch;
+	const char *cp = 0;
+	char    *outcp = 0;
+	int	state = STATE_WHITESPACE;
+
+	buf = malloc(strlen(in_buf)+1);
+	if (!buf)
+		return -1;
+
+	max_argc = 0; argc = 0; argv = 0;
+	outcp = buf;
+	for (cp = in_buf; (ch = *cp); cp++) {
+		if (state == STATE_WHITESPACE) {
+			if (isspace((int) ch))
+				continue;
+			/* Not whitespace, so start a new token */
+			state = STATE_TOKEN;
+			if (argc >= max_argc) {
+				max_argc += 3;
+				new_argv = realloc(argv,
+						  (max_argc+1)*sizeof(char *));
+				if (!new_argv) {
+					if (argv) free(argv);
+					free(buf);
+					return -1;
+				}
+				argv = new_argv;
+			}
+			argv[argc++] = outcp;
+		}
+		if (state == STATE_QUOTED) {
+			if (ch == '"')
+				state = STATE_TOKEN;
+			else
+				*outcp++ = ch;
+			continue;
+		}
+		/* Must be processing characters in a word */
+		if (isspace((int) ch)) {
+			/*
+			 * Terminate the current word and start
+			 * looking for the beginning of the next word.
+			 */
+			*outcp++ = 0;
+			state = STATE_WHITESPACE;
+			continue;
+		}
+		if (ch == '"') {
+			state = STATE_QUOTED;
+			continue;
+		}
+		if (ch == '\\') {
+			ch = *++cp;
+			switch (ch) {
+			case '\0':
+				ch = '\\'; cp--; break;
+			case 'n':
+				ch = '\n'; break;
+			case 't':
+				ch = '\t'; break;
+			case 'b':
+				ch = '\b'; break;
+			}
+		}
+		*outcp++ = ch;
+	}
+	if (state != STATE_WHITESPACE)
+		*outcp++ = '\0';
+	if (argv == 0) {
+		argv = malloc(sizeof(char *));
+		free(buf);
+	}
+	argv[argc] = 0;
+	if (ret_argc)
+		*ret_argc = argc;
+	if (ret_argv)
+		*ret_argv = argv;
+	return 0;
+}
+
+void argv_free(char **argv)
+{
+	if (*argv)
+		free(*argv);
+	free(argv);
+}
+
+#ifdef DEBUG_ARGV_PARSE
+/*
+ * For debugging
+ */
+
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+	int	ac, ret;
+	char	**av, **cpp;
+	char	buf[256];
+
+	while (!feof(stdin)) {
+		if (fgets(buf, sizeof(buf), stdin) == NULL)
+			break;
+		ret = argv_parse(buf, &ac, &av);
+		if (ret != 0) {
+			printf("Argv_parse returned %d!\n", ret);
+			continue;
+		}
+		printf("Argv_parse returned %d arguments...\n", ac);
+		for (cpp = av; *cpp; cpp++) {
+			if (cpp != av)
+				printf(", ");
+			printf("'%s'", *cpp);
+		}
+		printf("\n");
+		argv_free(av);
+	}
+	exit(0);
+}
+#endif
diff --git a/Linux-PAM/modules/pam_namespace/argv_parse.h b/Linux-PAM/modules/pam_namespace/argv_parse.h
new file mode 100644
index 00000000..c7878fc1
--- /dev/null
+++ b/Linux-PAM/modules/pam_namespace/argv_parse.h
@@ -0,0 +1,43 @@
+/*
+ * argv_parse.h --- header file for the argv parser.
+ *
+ * This file defines the interface for the functions argv_parse() and
+ * argv_free().
+ *
+ ***********************************************************************
+ * int argv_parse(char *in_buf, int *ret_argc, char ***ret_argv)
+ *
+ * This function takes as its first argument a string which it will
+ * parse into an argv argument vector, with each white-space separated
+ * word placed into its own slot in the argv.  This function handles
+ * double quotes and backslashes so that the parsed words can contain
+ * special characters.   The count of the number words found in the
+ * parsed string, as well as the argument vector, are returned into
+ * ret_argc and ret_argv, respectively.
+ ***********************************************************************
+ * extern void argv_free(char **argv);
+ *
+ * This function frees the argument vector created by argv_parse().
+ ***********************************************************************
+ *
+ * Copyright 1999 by Theodore Ts'o.
+ *
+ * Permission to use, copy, modify, and distribute this software for
+ * any purpose with or without fee is hereby granted, provided that
+ * the above copyright notice and this permission notice appear in all
+ * copies.  THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE
+ * AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.  (Isn't
+ * it sick that the U.S. culture of lawsuit-happy lawyers requires
+ * this kind of disclaimer?)
+ *
+ * Version 1.1, modified 2/27/1999
+ */
+
+extern int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv);
+extern void argv_free(char **argv);
diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5 b/Linux-PAM/modules/pam_namespace/namespace.conf.5
index 0a4d98e4..6a3cc9e3 100644
--- a/Linux-PAM/modules/pam_namespace/namespace.conf.5
+++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5
@@ -1,95 +1,133 @@
 .\"     Title: namespace.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 06/20/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/13/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "NAMESPACE.CONF" "5" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "NAMESPACE\.CONF" "5" "02/13/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-namespace.conf \- the namespace configuration file
+namespace.conf - the namespace configuration file
 .SH "DESCRIPTION"
 .PP
-This module allows setup of private namespaces with polyinstantiated directories. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script
-\fI/etc/security/namespace.init\fR
-exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments.
+The
+\fIpam_namespace\.so\fR
+module allows setup of private namespaces with polyinstantiated directories\. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\. If an executable script
+\fI/etc/security/namespace\.init\fR
+exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path and the instance directory path as its arguments\.
 .PP
 The
-\fI/etc/security/namespace.conf\fR
-file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed.
+\fI/etc/security/namespace\.conf\fR
+file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\.
 .PP
 When someone logs in, the file
-\fInamespace.conf\fR
-is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows:
+\fInamespace\.conf\fR
+is scanned\. Comments are marked by
+\fI#\fR
+characters\. Each non comment line represents one polyinstantiated directory\. The fields are separated by spaces but can be quoted by
+\fI"\fR
+characters also escape sequences
+\fI\eb\fR,
+\fI\en\fR, and
+\fI\et\fR
+are recognized\. The fields are as follows:
 .PP
-
 \fIpolydir\fR
-\fI instance_prefix\fR
-\fI method\fR
-\fI list_of_uids\fR
+\fIinstance_prefix\fR
+\fImethod\fR
+\fIlist_of_uids\fR
 .PP
 The first field,
-\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate. Special entry $HOME is supported to designate user's home directory. This field cannot be blank.
+\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\. The special string
+\fI$HOME\fR
+is replaced with the user\'s home directory, and
+\fI$USER\fR
+with the username\. This field cannot be blank\.
 .PP
 The second field,
 \fIinstance_prefix\fR
-is the string prefix used to build the pathname for the instantiation of <polydir>. Depending on the polyinstantiation
+is the string prefix used to build the pathname for the instantiation of <polydir>\. Depending on the polyinstantiation
 \fImethod\fR
-it is then appended with "instance differentiation string" to generate the final instance directory path. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column. The special string $HOME is replaced with the user's home directory, and $USER with the username. This field cannot be blank. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000. The requirement that the instance parent be of mode 000 can be overridden with the command line option
-\fIignore_instance_parent_mode\fR
+it is then appended with "instance differentiation string" to generate the final instance directory path\. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\. The special string
+\fI$HOME\fR
+is replaced with the user\'s home directory, and
+\fI$USER\fR
+with the username\. This field cannot be blank\.
 .PP
 The third field,
-\fImethod\fR, is the method used for polyinstantiation. It can take 3 different values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, and "context" for polyinstantiation based on process security context and user name Methods "context" and "level" are only available with SELinux. This field cannot be blank.
+\fImethod\fR, is the method used for polyinstantiation\. It can take these values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating temporary directory as an instance dir which is removed when the user\'s session is closed\. Methods "context" and "level" are only available with SELinux\. This field cannot be blank\.
 .PP
 The fourth field,
-\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed. If left blank, polyinstantiation will be performed for all users.
+\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\. If left blank, polyinstantiation will be performed for all users\. If the list is preceded with a single "~" character, polyinstantiation is performed only for users in the list\.
+.PP
+The
+\fImethod\fR
+field can contain also following optional flags separated by
+\fI:\fR
+characters\.
+.PP
+\fIcreate\fR=\fImode\fR,\fIowner\fR,\fIgroup\fR
+\- create the polyinstantiated directory\. The mode, owner and group parameters are optional\. The default for mode is determined by umask, the default owner is the user whose session is opened, the default group is the primary group of the user\.
+.PP
+\fIiscript\fR=\fIpath\fR
+\- path to the instance directory init script\. The base directory for relative paths is
+\fI/etc/security/namespace\.d\fR\.
+.PP
+\fInoinit\fR
+\- instance directory init script will not be executed\.
+.PP
+\fIshared\fR
+\- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\.
+.PP
+The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\. The requirement that the instance parent be of mode 0000 can be overridden with the command line option
+\fIignore_instance_parent_mode\fR
 .PP
-In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon. This context must be set by the calling application or
-\fIpam_selinux.so\fR
-module. If this context is not set the polyinstatiation will be based just on user name.
+In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon\. This context must be set by the calling application or
+\fIpam_selinux\.so\fR
+module\. If this context is not set the polyinstatiation will be based just on user name\.
 .PP
-The "instance differentiation string" is <user name> for "user" method and <user name>_<raw directory context> for "context" and "level" methods. If the whole string is too long the end of it is replaced with md5sum of itself. Also when command line option
+The "instance differentiation string" is <user name> for "user" method and <user name>_<raw directory context> for "context" and "level" methods\. If the whole string is too long the end of it is replaced with md5sum of itself\. Also when command line option
 \fIgen_hash\fR
-is used the whole string is replaced with md5sum of itself.
+is used the whole string is replaced with md5sum of itself\.
 .SH "EXAMPLES"
 .PP
 These are some example lines which might be specified in
-\fI/etc/security/namespace.conf\fR.
+\fI/etc/security/namespace\.conf\fR\.
 .sp
 .RS 4
 .nf
       # The following three lines will polyinstantiate /tmp,
-      # /var/tmp and user's home directories. /tmp and /var/tmp
+      # /var/tmp and user\'s home directories\. /tmp and /var/tmp
       # will be polyinstantiated based on the security level
       # as well as user name, whereas home directory will be
-      # polyinstantiated based on the full security context and user name.
+      # polyinstantiated based on the full security context and user name\.
       # Polyinstantiation will not be performed for user root
       # and adm for directories /tmp and /var/tmp, whereas home
-      # directories will be polyinstantiated for all users.
+      # directories will be polyinstantiated for all users\.
       #
       # Note that instance directories do not have to reside inside
-      # the polyinstantiated directory. In the examples below,
+      # the polyinstantiated directory\. In the examples below,
       # instances of /tmp will be created in /tmp\-inst directory,
       # where as instances of /var/tmp and users home directories
       # will reside within the directories that are being
-      # polyinstantiated.
+      # polyinstantiated\.
       #
       /tmp     /tmp\-inst/               level      root,adm
       /var/tmp /var/tmp/tmp\-inst/   	level      root,adm
-      $HOME    $HOME/$USER.inst/inst\- context
+      $HOME    $HOME/$USER\.inst/inst\- context
     
 .fi
 .RE
 .PP
-For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:
+For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\.d/<service> as the last line for session group:
 .PP
-session required pam_namespace.so [arguments]
+session required pam_namespace\.so [arguments]
 .PP
-This module also depends on pam_selinux.so setting the context.
+This module also depends on pam_selinux\.so setting the context\.
 .SH "SEE ALSO"
 .PP
 
@@ -98,4 +136,4 @@ This module also depends on pam_selinux.so setting the context.
 \fBpam\fR(8)
 .SH "AUTHORS"
 .PP
-The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>.
+The namespace\.conf manual page was written by Janak Desai <janak@us\.ibm\.com>\. More features added by Tomas Mraz <tmraz@redhat\.com>\.
diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml b/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml
index db48cdcb..a1769600 100644
--- a/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml
+++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml
@@ -20,8 +20,9 @@
     <title>DESCRIPTION</title>
 
     <para>
-      This module allows setup of private namespaces with polyinstantiated
-      directories. Directories can be polyinstantiated based on user name
+      The <emphasis>pam_namespace.so</emphasis> module allows setup of
+      private namespaces with polyinstantiated directories.
+      Directories can be polyinstantiated based on user name
       or, in the case of SELinux, user name, sensitivity level or complete security context.  If an
       executable script <filename>/etc/security/namespace.init</filename>
       exists, it is used to initialize the namespace every time a new instance
@@ -38,19 +39,23 @@
 
     <para>
       When someone logs in, the file <filename>namespace.conf</filename> is
-      scanned where each non comment line represents one polyinstantiated
-      directory with space separated fields as follows:
+      scanned. Comments are marked by <emphasis>#</emphasis> characters.
+      Each non comment line represents one polyinstantiated
+      directory. The fields are separated by spaces but can be quoted by
+      <emphasis>"</emphasis> characters also escape
+      sequences <emphasis>\b</emphasis>, <emphasis>\n</emphasis>, and
+      <emphasis>\t</emphasis> are recognized. The fields are as follows:
    </para>
 
-    <para>
-      <replaceable>polydir</replaceable> <replaceable> instance_prefix</replaceable> <replaceable> method</replaceable> <replaceable> list_of_uids</replaceable>
+    <para><replaceable>polydir</replaceable> <replaceable>instance_prefix</replaceable> <replaceable>method</replaceable> <replaceable>list_of_uids</replaceable>
     </para>
 
     <para>
       The first field, <replaceable>polydir</replaceable>, is the absolute
-      pathname of the directory to polyinstantiate. Special entry $HOME is
-      supported to designate user's home directory. This field cannot be
-      blank.
+      pathname of the directory to polyinstantiate. The special string
+      <emphasis>$HOME</emphasis> is replaced with the user's home directory,
+      and <emphasis>$USER</emphasis> with the username. This field cannot
+      be blank.
     </para>
 
     <para>
@@ -62,20 +67,20 @@
       instance directory path. This directory is created if it did not exist
       already, and is then bind mounted on the &lt;polydir&gt; to provide an
       instance of &lt;polydir&gt; based on the &lt;method&gt; column.
-      The special string $HOME is replaced with the user's home directory,
-      and $USER with the username. This field cannot be blank. 
-      The directory where polyinstantiated instances are to be
-      created, must exist and must have, by default, the mode of 000.  The
-      requirement that the instance parent be of mode 000 can be overridden
-      with the command line option <replaceable>ignore_instance_parent_mode</replaceable>
+      The special string <emphasis>$HOME</emphasis> is replaced with the
+      user's home directory, and <emphasis>$USER</emphasis> with the username.
+      This field cannot be blank.
     </para>
 
     <para>
       The third field, <replaceable>method</replaceable>, is the method
-      used for polyinstantiation. It can take 3 different values; "user"
+      used for polyinstantiation. It can take these values; "user"
       for polyinstantiation based on user name, "level" for 
-      polyinstantiation based on process MLS level and user name, and "context" for
-      polyinstantiation based on process security context and user name
+      polyinstantiation based on process MLS level and user name, "context" for
+      polyinstantiation based on process security context and user name,
+      "tmpfs" for mounting tmpfs filesystem as an instance dir, and
+      "tmpdir" for creating temporary directory as an instance dir which is
+      removed when the user's session is closed.
       Methods "context" and "level" are only available with SELinux. This
       field cannot be blank.
     </para>
@@ -84,7 +89,41 @@
       The fourth field, <replaceable>list_of_uids</replaceable>, is
       a comma separated list of user names for whom the polyinstantiation
       is not performed. If left blank, polyinstantiation will be performed
-      for all users.
+      for all users. If the list is preceded with a single "~" character,
+      polyinstantiation is performed only for users in the list.
+    </para>
+
+    <para>
+      The <replaceable>method</replaceable> field can contain also following
+      optional flags separated by <emphasis>:</emphasis> characters.
+    </para>
+    
+    <para><emphasis>create</emphasis>=<replaceable>mode</replaceable>,<replaceable>owner</replaceable>,<replaceable>group</replaceable>
+      - create the polyinstantiated directory. The mode, owner and group parameters
+      are optional. The default for mode is determined by umask, the default
+      owner is the user whose session is opened, the default group is the
+      primary group of the user.
+    </para>
+
+    <para><emphasis>iscript</emphasis>=<replaceable>path</replaceable>
+      - path to the instance directory init script. The base directory for relative
+      paths is <filename>/etc/security/namespace.d</filename>.
+    </para>
+
+    <para><emphasis>noinit</emphasis>
+      - instance directory init script will not be executed.
+    </para>
+
+    <para><emphasis>shared</emphasis>
+      - the instance directories for "context" and "level" methods will not
+      contain the user name and will be shared among all users.
+    </para>
+
+    <para>
+      The directory where polyinstantiated instances are to be
+      created, must exist and must have, by default, the mode of 0000.  The
+      requirement that the instance parent be of mode 0000 can be overridden
+      with the command line option <emphasis>ignore_instance_parent_mode</emphasis>
     </para>
 
     <para>
@@ -101,7 +140,7 @@
       method and &lt;user name&gt;_&lt;raw directory context&gt; for "context"
       and "level" methods. If the whole string is too long the end of it is
       replaced with md5sum of itself. Also when command line option
-      <replaceable>gen_hash</replaceable> is used the whole string is replaced
+      <emphasis>gen_hash</emphasis> is used the whole string is replaced
       with md5sum of itself.
     </para>
 
@@ -165,6 +204,7 @@
     <title>AUTHORS</title>
     <para>
       The namespace.conf manual page was written by Janak Desai &lt;janak@us.ibm.com&gt;.
+      More features added by Tomas Mraz &lt;tmraz@redhat.com&gt;.
     </para>
   </refsect1>
 </refentry>
diff --git a/Linux-PAM/modules/pam_namespace/namespace.init b/Linux-PAM/modules/pam_namespace/namespace.init
index 0e9be68f..424c6d0c 100755
--- a/Linux-PAM/modules/pam_namespace/namespace.init
+++ b/Linux-PAM/modules/pam_namespace/namespace.init
@@ -1,24 +1,24 @@
 #!/bin/sh -p
-# This is only a boilerplate for the instance initialization script.
-# It receives polydir path as $1 and the instance path as $2.
+# It receives polydir path as $1, the instance path as $2, 
+# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+# and user name in $4.
 #
-# If you intend to polyinstantiate /tmp and you also want to use the X windows
-# environment, you will have to use this script to bind mount the socket that
-# is used by the X server to communicate with its clients. X server places
-# this socket in /tmp/.X11-unix directory, which will get obscured by
-# polyinstantiation. Uncommenting the following lines will bind mount
-# the relevant directory at an alternative location (/.tmp/.X11-unix) such
-# that the X server, window manager and X clients, can still find the
-# socket X0 at the polyinstanted /tmp/.X11-unix.
-#
-#if [ $1 = /tmp ]; then
-#	if [ ! -f /.tmp/.X11-unix ]; then
-#		mkdir -p /.tmp/.X11-unix
-#	fi
-#	mount --bind /tmp/.X11-unix /.tmp/.X11-unix
-#	cp -fp -- /tmp/.X0-lock "$2/.X0-lock"
-#	mkdir -- "$2/.X11-unix"
-#	ln -fs -- /.tmp/.X11-unix/X0 "$2/.X11-unix/X0"
-#fi
+# The following section will copy the contents of /etc/skel if this is a
+# newly created home directory.
+if [ "$3" = 1 ]; then
+        # This line will fix the labeling on all newly created directories
+        [ -x /sbin/restorecon ] && /sbin/restorecon "$1"
+        user="$4"
+        passwd=$(getent passwd "$user")
+        homedir=$(echo "$passwd" | cut -f6 -d":")
+        if [ "$1" = "$homedir" ]; then
+                gid=$(echo "$passwd" | cut -f4 -d":")
+                cp -rT /etc/skel "$homedir"
+                chown -R "$user":"$gid" "$homedir"
+                mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs)
+                chmod ${mode:-700} "$homedir"
+                [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+        fi
+fi
 
 exit 0
diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.8 b/Linux-PAM/modules/pam_namespace/pam_namespace.8
index 8d136c99..a318c57f 100644
--- a/Linux-PAM/modules/pam_namespace/pam_namespace.8
+++ b/Linux-PAM/modules/pam_namespace/pam_namespace.8
@@ -1,27 +1,27 @@
 .\"     Title: pam_namespace
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 06/20/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 02/13/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_NAMESPACE" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_NAMESPACE" "8" "02/13/2008" "Linux-PAM Manual" "Linux-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_namespace \- PAM module for configuring namespace for a session
+pam_namespace - PAM module for configuring namespace for a session
 .SH "SYNOPSIS"
 .HP 17
-\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close]
+\fBpam_namespace\.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context]
 .SH "DESCRIPTION"
 .PP
-The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. If an executable script
-\fI/etc/security/namespace.init\fR
-exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments.
+The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\. If an executable script
+\fI/etc/security/namespace\.init\fR
+exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\.
 .PP
-The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
+The pam_namespace module disassociates the session namespace from the parent namespace\. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\.net/Articles/159077 and http://lwn\.net/Articles/159092\.
 .SH "OPTIONS"
 .PP
 \fBdebug\fR
@@ -31,7 +31,7 @@ A lot of debug information is logged using syslog
 .PP
 \fBunmnt_remnt\fR
 .RS 4
-For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context
+For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context
 .RE
 .PP
 \fBunmnt_only\fR
@@ -46,81 +46,101 @@ If selinux is not enabled, return failure
 .PP
 \fBgen_hash\fR
 .RS 4
-Instead of using the security context string for the instance name, generate and use its md5 hash.
+Instead of using the security context string for the instance name, generate and use its md5 hash\.
 .RE
 .PP
 \fBignore_config_error\fR
 .RS 4
-If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session.
+If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\. Without this option, pam will return an error to the calling program resulting in termination of the session\.
 .RE
 .PP
 \fBignore_instance_parent_mode\fR
 .RS 4
-Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism.
+Instance parent directories by default are expected to have the restrictive mode of 000\. Using this option, an administrator can choose to ignore the mode of the instance parent\. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\.
 .RE
 .PP
 \fBno_unmount_on_close\fR
 .RS 4
-For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent.
+For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions\. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent\.
+.RE
+.PP
+\fBuse_current_context\fR
+.RS 4
+Useful for services which do not change the SELinux context with setexeccon call\. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\.
+.RE
+.PP
+\fBuse_default_context\fR
+.RS 4
+Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\. The module will use the default SELinux context of the user for the level and context polyinstantiation\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The
 \fBsession\fR
-service is supported.
+service is supported\. The module must not be called from multithreaded processes\.
 .SH "RETURN VALUES"
 .PP
 PAM_SUCCESS
 .RS 4
-Namespace setup was successful.
+Namespace setup was successful\.
 .RE
 .PP
 PAM_SERVICE_ERR
 .RS 4
-Unexpected system error occurred while setting up namespace.
+Unexpected system error occurred while setting up namespace\.
 .RE
 .PP
 PAM_SESSION_ERR
 .RS 4
-Unexpected namespace configuration error occurred.
+Unexpected namespace configuration error occurred\.
 .RE
 .SH "FILES"
 .PP
-\fI/etc/security/namespace.conf\fR
+\fI/etc/security/namespace\.conf\fR
+.RS 4
+Main configuration file
+.RE
+.PP
+\fI/etc/security/namespace\.d\fR
+.RS 4
+Directory for additional configuration files
+.RE
+.PP
+\fI/etc/security/namespace\.init\fR
 .RS 4
-Configuration file
+Init script for instance directories
 .RE
 .SH "EXAMPLES"
 .PP
-For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:
+For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\.d/<service> as the last line for session group:
 .PP
-session required pam_namespace.so [arguments]
+session required pam_namespace\.so [arguments]
 .PP
 To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:
 .PP
 /usr/sbin/gdm\-safe\-restart
 .PP
-This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the initialization script
-\fI/etc/security/namespace.init\fR
-to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided in the comment section of the instance initialization script
-\fI/etc/security/namespace.init\fR. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:
+This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\. Please use the initialization script
+\fI/etc/security/namespace\.init\fR
+to ensure that the X server and its clients can appropriately access the communication socket X0\. Please refer to the sample instructions provided in the comment section of the instance initialization script
+\fI/etc/security/namespace\.init\fR\. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:
 .PP
 
 .sp
 .RS 4
 .nf
-      1. Disable the use of font server by commenting out "FontPath"
-         line in /etc/X11/xorg.conf. If you do want to use the font server
+      1\. Disable the use of font server by commenting out "FontPath"
+         line in /etc/X11/xorg\.conf\. If you do want to use the font server
          then you will have to augment the instance initialization
-         script to appropriately provide /tmp/.font\-unix from the
-         polyinstantiated /tmp.
-      2. Ensure that the gdm service is setup to use pam_namespace,
-         as described above, by modifying /etc/pam.d/gdm.
-      3. Ensure that the display manager is configured to restart X server
-         with each new session. This default setup can be verified by
-         making sure that /usr/share/gdm/defaults.conf contains
+         script to appropriately provide /tmp/\.font\-unix from the
+         polyinstantiated /tmp\.
+      2\. Ensure that the gdm service is setup to use pam_namespace,
+         as described above, by modifying /etc/pam\.d/gdm\.
+      3\. Ensure that the display manager is configured to restart X server
+         with each new session\. This default setup can be verified by
+         making sure that /usr/share/gdm/defaults\.conf contains
          "AlwaysRestartServer=true", and it is not overridden by
-         /etc/gdm/custom.conf.
+         /etc/gdm/custom\.conf\.
     
 .fi
 .RE
@@ -131,7 +151,7 @@ to ensure that the X server and its clients can appropriately access the communi
 \fBnamespace.conf\fR(5),
 \fBpam.d\fR(8),
 \fBmount\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
 .SH "AUTHORS"
 .PP
-The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>.
+The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\. The pam_namespace PAM module was developed by Janak Desai <janak@us\.ibm\.com>, Chad Sellers <csellers@tresys\.com> and Steve Grubb <sgrubb@redhat\.com>\. Additional improvements by Xavier Toth <txtoth@gmail\.com> and Tomas Mraz <tmraz@redhat\.com>\.
diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml b/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml
index e1b307ae..32c5359d 100644
--- a/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml
+++ b/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml
@@ -46,6 +46,12 @@
       <arg choice="opt">
         no_unmount_on_close
       </arg>
+      <arg choice="opt">
+        use_current_context
+      </arg>
+      <arg choice="opt">
+        use_default_context
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -60,7 +66,9 @@
       script <filename>/etc/security/namespace.init</filename> exists, it
       is used to initialize the namespace every time a new instance
       directory is setup. The script receives the polyinstantiated
-      directory path and the instance directory path as its arguments.
+      directory path, the instance directory path, flag whether the instance
+      directory was newly created (0 for no, 1 for yes), and the user name
+      as its arguments.
     </para>
 
     <para>
@@ -198,13 +206,42 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>use_current_context</option>
+        </term>
+        <listitem>
+          <para>
+	    Useful for services which do not change the SELinux context
+	    with setexeccon call. The module will use the current SELinux
+	    context of the calling process for the level and context
+	    polyinstantiation.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
+          <option>use_default_context</option>
+        </term>
+        <listitem>
+          <para>
+	    Useful for services which do not use pam_selinux for changing
+	    the SELinux context with setexeccon call. The module will use
+	    the default SELinux context of the user for the level and context
+	    polyinstantiation.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
   <refsect1 id="pam_namespace-services">
     <title>MODULE SERVICES PROVIDED</title>
     <para>
-      The <option>session</option> service is supported.
+      The <option>session</option> service is supported. The module must not
+      be called from multithreaded processes.
     </para>
   </refsect1>
 
@@ -244,7 +281,21 @@
       <varlistentry>
         <term><filename>/etc/security/namespace.conf</filename></term>
         <listitem>
-          <para>Configuration file</para>
+          <para>Main configuration file</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><filename>/etc/security/namespace.d</filename></term>
+        <listitem>
+          <para>Directory for additional configuration files</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><filename>/etc/security/namespace.init</filename></term>
+        <listitem>
+          <para>Init script for instance directories</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -330,7 +381,10 @@
     <para>
       The namespace setup scheme was designed by Stephen Smalley, Janak Desai
       and Chad Sellers.
-      The pam_namespace PAM module was developed by Janak Desai &lt;janak@us.ibm.com&gt;, Chad Sellers &lt;csellers@tresys.com&gt; and Steve Grubb &lt;sgrubb@redhat.com&gt;.
+      The pam_namespace PAM module was developed by Janak Desai &lt;janak@us.ibm.com&gt;,
+      Chad Sellers &lt;csellers@tresys.com&gt; and Steve Grubb &lt;sgrubb@redhat.com&gt;.
+      Additional improvements by Xavier Toth &lt;txtoth@gmail.com&gt; and Tomas Mraz
+      &lt;tmraz@redhat.com&gt;.
     </para>
   </refsect1>
 </refentry>
diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.c b/Linux-PAM/modules/pam_namespace/pam_namespace.c
index d3612f59..d0741fd2 100644
--- a/Linux-PAM/modules/pam_namespace/pam_namespace.c
+++ b/Linux-PAM/modules/pam_namespace/pam_namespace.c
@@ -3,11 +3,13 @@
  * establishing a session via PAM.
  *
  * (C) Copyright IBM Corporation 2005
- * (C) Copyright Red Hat 2006
+ * (C) Copyright Red Hat, Inc. 2006, 2008
  * All Rights Reserved.
  *
  * Written by: Janak Desai <janak@us.ibm.com>
  * With Revisions by: Steve Grubb <sgrubb@redhat.com>
+ * Contributions by: Xavier Toth <txtoth@gmail.com>,
+ *                   Tomas Mraz <tmraz@redhat.com>
  * Derived from a namespace setup patch by Chad Sellers <cdselle@tycho.nsa.gov>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
@@ -31,79 +33,36 @@
  */
 
 #include "pam_namespace.h"
-
-/*
- * Copies the contents of ent into pent
- */
-static int copy_ent(const struct polydir_s *ent, struct polydir_s *pent)
-{
-	unsigned int i;
-
-	strcpy(pent->dir, ent->dir);
-	strcpy(pent->instance_prefix, ent->instance_prefix);
-	pent->method = ent->method;
-	pent->num_uids = ent->num_uids;
-	if (ent->num_uids) {
-		uid_t *pptr, *eptr;
-
-		pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t));
-		if (!(pent->uid)) {
-			return -1;
-		}
-		for (i = 0, pptr = pent->uid, eptr = ent->uid; i < ent->num_uids;
-				i++, eptr++, pptr++)
-			*pptr = *eptr;
-	} else
-		pent->uid = NULL;
-	return 0;
-}
+#include "argv_parse.h"
 
 /*
  * Adds an entry for a polyinstantiated directory to the linked list of
  * polyinstantiated directories. It is called from process_line() while
  * parsing the namespace configuration file.
  */
-static int add_polydir_entry(struct instance_data *idata,
-	const struct polydir_s *ent)
+static void add_polydir_entry(struct instance_data *idata,
+	struct polydir_s *ent)
 {
-    struct polydir_s *pent;
-    int rc = 0;
-
-    /*
-     * Allocate an entry to hold information about a directory to
-     * polyinstantiate, populate it with information from 2nd argument
-     * and add the entry to the linked list of polyinstantiated
-     * directories.
-     */
-    pent = (struct polydir_s *) malloc(sizeof(struct polydir_s));
-	if (!pent) {
-		rc = -1;
-		goto out;
-	}
-    /* Make copy */
-	rc = copy_ent(ent,pent);
-	if(rc < 0)
-		goto out_clean;
-
     /* Now attach to linked list */
-    pent->next = NULL;
+    ent->next = NULL;
     if (idata->polydirs_ptr == NULL)
-        idata->polydirs_ptr = pent;
+        idata->polydirs_ptr = ent;
     else {
         struct polydir_s *tail;
 
         tail = idata->polydirs_ptr;
         while (tail->next)
             tail = tail->next;
-        tail->next = pent;
+        tail->next = ent;
     }
-    goto out;
-out_clean:
-	free(pent);
-out:
-	return rc;
 }
 
+static void del_polydir(struct polydir_s *poly)
+{
+	free(poly->uid);
+	free(poly->init_script);
+	free(poly);
+}
 
 /*
  * Deletes all the entries in the linked list.
@@ -115,11 +74,184 @@ static void del_polydir_list(struct polydir_s *polydirs_ptr)
 	while (dptr) {
         	struct polydir_s *tptr = dptr;
 		dptr = dptr->next;
-            	free(tptr->uid);
-		free(tptr);
+		del_polydir(tptr);
+	}
+}
+
+static void cleanup_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED)
+{
+	del_polydir_list(data);
+}
+
+static char *expand_variables(const char *orig, const char *var_names[], const char *var_values[])
+{
+	const char *src = orig;
+	char *dst;
+	char *expanded;
+	char c;
+	size_t dstlen = 0;
+	while (*src) {
+		if (*src == '$') {
+			int i;
+			for (i = 0; var_names[i]; i++) {
+				int namelen = strlen(var_names[i]);
+				if (strncmp(var_names[i], src+1, namelen) == 0) {
+					dstlen += strlen(var_values[i]) - 1; /* $ */
+					src += namelen;
+					break;
+				}
+			}
+		}
+		++dstlen;
+		++src;
+	}
+	if ((dst=expanded=malloc(dstlen + 1)) == NULL)
+		return NULL;
+	src = orig;
+	while ((c=*src) != '\0') {
+		if (c == '$') {
+			int i;
+			for (i = 0; var_names[i]; i++) {
+				int namelen = strlen(var_names[i]);
+				if (strncmp(var_names[i], src+1, namelen) == 0) {
+					dst = stpcpy(dst, var_values[i]);
+					--dst;
+					c = *dst; /* replace $ */
+					src += namelen;
+					break;
+				}
+			}
+		}
+		*dst = c;
+		++dst;
+		++src;
+	}
+	*dst = '\0';
+	return expanded;
+}
+
+static int parse_create_params(char *params, struct polydir_s *poly)
+{
+    char *sptr;
+    struct passwd *pwd;
+    struct group *grp;
+
+    poly->mode = (mode_t)ULONG_MAX;
+    poly->owner = (uid_t)ULONG_MAX;
+    poly->group = (gid_t)ULONG_MAX;
+
+    if (*params != '=')
+    	return 0;
+    params++;
+    
+    params = strtok_r(params, ",", &sptr);
+    if (params == NULL)
+    	return 0;
+
+    errno = 0;
+    poly->mode = (mode_t)strtoul(params, NULL, 0);
+    if (errno != 0) {
+    	poly->mode = (mode_t)ULONG_MAX;
+    }
+
+    params = strtok_r(NULL, ",", &sptr);
+    if (params == NULL)
+    	return 0;
+
+    pwd = getpwnam(params); /* session modules are not reentrant */
+    if (pwd == NULL)
+    	return -1;
+    poly->owner = pwd->pw_uid;
+    
+    params = strtok_r(NULL, ",", &sptr);
+    if (params == NULL) {
+    	poly->group = pwd->pw_gid;
+    	return 0;
+    }
+    grp = getgrnam(params);
+    if (grp == NULL)
+    	return -1;
+    poly->group = grp->gr_gid;
+    
+    return 0;
+}
+
+static int parse_iscript_params(char *params, struct polydir_s *poly)
+{
+    if (*params != '=')
+    	return 0;
+    params++;
+    
+    if (*params != '\0') {
+	if (*params != '/') { /* path is relative to NAMESPACE_D_DIR */
+		if (asprintf(&poly->init_script, "%s%s", NAMESPACE_D_DIR, params) == -1)
+			return -1;
+	} else {
+		poly->init_script = strdup(params);
 	}
+	if (poly->init_script == NULL)
+		return -1;
+    }
+    return 0;
 }
 
+static int parse_method(char *method, struct polydir_s *poly,
+		struct instance_data *idata)
+{
+    enum polymethod pm;
+    char *sptr;
+    static const char *method_names[] = { "user", "context", "level", "tmpdir",
+    	"tmpfs", NULL };
+    static const char *flag_names[] = { "create", "noinit", "iscript",
+    	"shared", NULL };
+    static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT,
+    	POLYDIR_ISCRIPT, POLYDIR_SHARED };
+    int i;
+    char *flag;
+
+    method = strtok_r(method, ":", &sptr);
+    pm = NONE;
+
+    for (i = 0; method_names[i]; i++) {
+    	if (strcmp(method, method_names[i]) == 0) {
+    		pm = i + 1; /* 0 = NONE */
+    	}
+    }
+
+    if (pm == NONE) {
+        pam_syslog(idata->pamh, LOG_NOTICE, "Unknown method");
+        return -1;
+    }
+    
+    poly->method = pm;
+    
+    while ((flag=strtok_r(NULL, ":", &sptr)) != NULL) {
+    	for (i = 0; flag_names[i]; i++) {
+    		int namelen = strlen(flag_names[i]);
+
+    		if (strncmp(flag, flag_names[i], namelen) == 0) {
+    			poly->flags |= flag_values[i];
+    			switch (flag_values[i]) {
+    			    case POLYDIR_CREATE:
+    			    	if (parse_create_params(flag+namelen, poly) != 0) {
+				        pam_syslog(idata->pamh, LOG_CRIT, "Invalid create parameters");
+    			    		return -1;
+    			    	}
+    			    	break;
+
+    			    case POLYDIR_ISCRIPT:
+    			    	if (parse_iscript_params(flag+namelen, poly) != 0) {
+				        pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
+    			    		return -1;
+    			    	};
+    			    	break;
+    			}
+    		}
+    	}
+    }
+
+    return 0;
+}
 
 /*
  * Called from parse_config_file, this function processes a single line
@@ -129,17 +261,23 @@ static void del_polydir_list(struct polydir_s *polydirs_ptr)
  * polyinstatiated directory structure and then calling add_polydir_entry to
  * add that entry to the linked list of polyinstantiated directories.
  */
-static int process_line(char *line, const char *home,
+static int process_line(char *line, const char *home, const char *rhome,
 			struct instance_data *idata)
 {
-    const char *dir, *instance_prefix;
-    const char *method, *uids;
+    char *dir = NULL, *instance_prefix = NULL, *rdir = NULL;
+    char *method, *uids;
     char *tptr;
-    struct polydir_s poly;
+    struct polydir_s *poly;
     int retval = 0;
+    char **config_options = NULL;
+    static const char *var_names[] = {"HOME", "USER", NULL};
+    const char *var_values[] = {home, idata->user};
+    const char *rvar_values[] = {rhome, idata->ruser};
+    int len;
 
-    poly.uid = NULL;
-    poly.num_uids = 0;
+    poly = calloc(1, sizeof(*poly));
+    if (poly == NULL)
+    	goto erralloc;
 
     /*
      * skip the leading white space
@@ -171,19 +309,27 @@ static int process_line(char *line, const char *home,
      * Initialize and scan the five strings from the line from the
      * namespace configuration file.
      */
-    dir = strtok_r(line, " \t", &tptr);
+    retval = argv_parse(line, NULL, &config_options);
+    if (retval != 0) {
+        goto erralloc;
+    }
+
+    dir = config_options[0];
     if (dir == NULL) {
         pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir");
         goto skipping;
     }
-    instance_prefix = strtok_r(NULL, " \t", &tptr);
+    instance_prefix = config_options[1];
     if (instance_prefix == NULL) {
         pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing instance_prefix");
+        instance_prefix = NULL;
         goto skipping;
     }
-    method = strtok_r(NULL, " \t", &tptr);
+    method = config_options[2];
     if (method == NULL) {
         pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing method");
+        instance_prefix = NULL;
+        dir = NULL;
         goto skipping;
     }
 
@@ -193,81 +339,83 @@ static int process_line(char *line, const char *home,
      * any of the other fields are blank, the line is incomplete so
      * skip it.
      */
-    uids = strtok_r(NULL, " \t", &tptr);
+    uids = config_options[3];
 
     /*
-     * If the directory being polyinstantiated is the home directory
-     * of the user who is establishing a session, we have to swap
-     * the "$HOME" string with the user's home directory that is
-     * passed in as an argument.
+     * Expand $HOME and $USER in poly dir and instance dir prefix
      */
-    if (strcmp(dir, "$HOME") == 0) {
-	dir = home;
+    if ((rdir=expand_variables(dir, var_names, rvar_values)) == NULL) {
+	    instance_prefix = NULL;
+	    dir = NULL;
+	    goto erralloc;
     }
-
-    /*
-     * Expand $HOME and $USER in instance dir prefix
-     */
-    if ((tptr = strstr(instance_prefix, "$USER")) != 0) {
-	/* FIXME: should only support this if method is USER or BOTH */
-	char *expanded = alloca(strlen(idata->user) + strlen(instance_prefix)-5+1);
-	*tptr = 0;
-	sprintf(expanded, "%s%s%s", instance_prefix, idata->user, tptr+5);
-	instance_prefix = expanded;
+    
+    if ((dir=expand_variables(dir, var_names, var_values)) == NULL) {
+	    instance_prefix = NULL;
+	    goto erralloc;
     }
-    if ((tptr = strstr(instance_prefix, "$HOME")) != 0) {
-	char *expanded = alloca(strlen(home)+strlen(instance_prefix)-5+1);
-	*tptr = 0;
-	sprintf(expanded, "%s%s%s", instance_prefix, home, tptr+5);
-	instance_prefix = expanded;
+    
+    if ((instance_prefix=expand_variables(instance_prefix, var_names, var_values))
+	    == NULL) {
+	    goto erralloc;
     }
 
-    /*
-     * Ensure that all pathnames are absolute path names.
-     */
-    if ((dir[0] != '/') || (instance_prefix[0] != '/')) {
-        pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must start with '/'");
-        goto skipping;
+    if (idata->flags & PAMNS_DEBUG) {
+	    pam_syslog(idata->pamh, LOG_DEBUG, "Expanded polydir: '%s'", dir);
+	    pam_syslog(idata->pamh, LOG_DEBUG, "Expanded ruser polydir: '%s'", rdir);
+	    pam_syslog(idata->pamh, LOG_DEBUG, "Expanded instance prefix: '%s'", instance_prefix);
     }
-    if (strstr(dir, "..") || strstr(instance_prefix, "..")) {
-        pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must not contain '..'");
-        goto skipping;
+
+    len = strlen(dir);
+    if (len > 0 && dir[len-1] == '/') {
+	    dir[len-1] = '\0';
     }
 
+    len = strlen(rdir);
+    if (len > 0 && rdir[len-1] == '/') {
+	    rdir[len-1] = '\0';
+    }
+    
+    if (dir[0] == '\0' || rdir[0] == '\0') {
+    	    pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir");
+    	    goto skipping;
+    }
+    
     /*
      * Populate polyinstantiated directory structure with appropriate
      * pathnames and the method with which to polyinstantiate.
      */
-    if (strlen(dir) >= sizeof(poly.dir)
-	|| strlen(instance_prefix) >= sizeof(poly.instance_prefix)) {
+    if (strlen(dir) >= sizeof(poly->dir)
+        || strlen(rdir) >= sizeof(poly->rdir)
+	|| strlen(instance_prefix) >= sizeof(poly->instance_prefix)) {
 	pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
+	goto skipping;
     }
-    strcpy(poly.dir, dir);
-    strcpy(poly.instance_prefix, instance_prefix);
-
-    poly.method = NONE;
-    if (strcmp(method, "user") == 0) 
-	    poly.method = USER;
+    strcpy(poly->dir, dir);
+    strcpy(poly->rdir, rdir);
+    strcpy(poly->instance_prefix, instance_prefix);
 
-#ifdef WITH_SELINUX
-    if (strcmp(method, "level") == 0) {
-        if (idata->flags & PAMNS_CTXT_BASED_INST)
-            poly.method = LEVEL;
-	else
-            poly.method = USER;
+    if (parse_method(method, poly, idata) != 0) {
+    	    goto skipping;
     }
 
-    if (strcmp(method, "context") == 0) {
-        if (idata->flags & PAMNS_CTXT_BASED_INST)
-            poly.method = CONTEXT;
-	else
-            poly.method = USER;
+    if (poly->method == TMPDIR) {
+    	if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) {
+    		pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
+    		goto skipping;
+    	}
+	strcat(poly->instance_prefix, "XXXXXX");
     }
 
-#endif
-
-    if ( poly.method == NONE) {
-        pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
+    /*
+     * Ensure that all pathnames are absolute path names.
+     */
+    if ((poly->dir[0] != '/') || (poly->method != TMPFS && poly->instance_prefix[0] != '/')) {
+        pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must start with '/'");
+        goto skipping;
+    }
+    if (strstr(dir, "..") || strstr(poly->instance_prefix, "..")) {
+        pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must not contain '..'");
         goto skipping;
     }
 
@@ -281,16 +429,19 @@ static int process_line(char *line, const char *home,
         uid_t *uidptr;
         const char *ustr, *sstr;
         int count, i;
-
+	
+	if (*uids == '~') {
+		poly->flags |= POLYDIR_EXCLUSIVE;
+		uids++;
+	}
         for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++)
            sstr = strchr(ustr, ',');
 
-        poly.num_uids = count;
-        poly.uid = (uid_t *) malloc(count * sizeof (uid_t));
-        uidptr = poly.uid;
+        poly->num_uids = count;
+        poly->uid = (uid_t *) malloc(count * sizeof (uid_t));
+        uidptr = poly->uid;
         if (uidptr == NULL) {
-            pam_syslog(idata->pamh, LOG_NOTICE, "out of memory");
-            goto skipping;
+            goto erralloc;
         }
 
         ustr = uids;
@@ -304,7 +455,7 @@ static int process_line(char *line, const char *home,
             pwd = pam_modutil_getpwnam(idata->pamh, ustr);
             if (pwd == NULL) {
         	pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
-        	poly.num_uids--;	
+        	poly->num_uids--;
             } else {
                 *uidptr = pwd->pw_uid;
                 uidptr++;
@@ -317,20 +468,24 @@ static int process_line(char *line, const char *home,
      * Add polyinstantiated directory structure to the linked list
      * of all polyinstantiated directory structures.
      */
-    if (add_polydir_entry(idata, &poly) < 0) {
-        pam_syslog(idata->pamh, LOG_ERR, "Allocation Error");
-        retval = PAM_SERVICE_ERR;
-    }
-    free(poly.uid);
+    add_polydir_entry(idata, poly);
 
     goto out;
 
+erralloc:
+    pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
+    
 skipping:
     if (idata->flags & PAMNS_IGN_CONFIG_ERR)
         retval = 0;
     else
         retval = PAM_SERVICE_ERR;
+    del_polydir(poly);
 out:
+    free(rdir);
+    free(dir);
+    free(instance_prefix);
+    argv_free(config_options);
     return retval;
 }
 
@@ -344,15 +499,15 @@ out:
 static int parse_config_file(struct instance_data *idata)
 {
     FILE *fil;
-    char *home;
+    char *home, *rhome;
+    const char *confname;
     struct passwd *cpwd;
-    char *line = NULL;
+    char *line;
     int retval;
     size_t len = 0;
-
-    if (idata->flags & PAMNS_DEBUG)
-        pam_syslog(idata->pamh, LOG_DEBUG, "Parsing config file %s",
-		PAM_NAMESPACE_CONFIG);
+    glob_t globbuf;
+    const char *oldlocale;
+    size_t n;
 
     /*
      * Extract the user's home directory to resolve $HOME entries
@@ -364,35 +519,86 @@ static int parse_config_file(struct instance_data *idata)
                "Error getting home dir for '%s'", idata->user);
         return PAM_SESSION_ERR;
     }
-    home = strdupa(cpwd->pw_dir);
+    if ((home=strdup(cpwd->pw_dir)) == NULL) {
+    	pam_syslog(idata->pamh, LOG_CRIT,
+    		"Memory allocation error");
+    	return PAM_SESSION_ERR;
+    }
+
+    cpwd = pam_modutil_getpwnam(idata->pamh, idata->ruser);
+    if (!cpwd) {
+	pam_syslog(idata->pamh, LOG_ERR,
+	        "Error getting home dir for '%s'", idata->ruser);
+	free(home);
+	return PAM_SESSION_ERR;
+    }
+
+    if ((rhome=strdup(cpwd->pw_dir)) == NULL) {
+    	pam_syslog(idata->pamh, LOG_CRIT,
+    		"Memory allocation error");
+    	free(home);
+    	return PAM_SESSION_ERR;
+    }
 
     /*
      * Open configuration file, read one line at a time and call
      * process_line to process each line.
      */
-    fil = fopen(PAM_NAMESPACE_CONFIG, "r");
-    if (fil == NULL) {
-        pam_syslog(idata->pamh, LOG_ERR, "Error opening config file");
-        return PAM_SERVICE_ERR;
-    }
 
-    /* Use unlocked IO */
-    __fsetlocking(fil, FSETLOCKING_BYCALLER);
+    memset(&globbuf, '\0', sizeof(globbuf));
+    oldlocale = setlocale(LC_COLLATE, "C");
+    glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf);
+    if (oldlocale != NULL)
+	setlocale(LC_COLLATE, oldlocale);
 
-    /* loop reading the file */
-    while (getline(&line, &len, fil) > 0) {
-        retval = process_line(line, home, idata);
-        if (retval) {
-            pam_syslog(idata->pamh, LOG_ERR,
-		"Error processing conf file line %s", line);
-            fclose(fil);
-            free(line);
-            return PAM_SERVICE_ERR;
-        }
-    }
-    fclose(fil);
-    free(line);
+    confname = PAM_NAMESPACE_CONFIG;
+    n = 0;
+    for (;;) {
+	if (idata->flags & PAMNS_DEBUG)
+		pam_syslog(idata->pamh, LOG_DEBUG, "Parsing config file %s",
+			confname);
+	fil = fopen(confname, "r");
+	if (fil == NULL) {
+	    pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s",
+		confname);	    
+            globfree(&globbuf);
+	    free(rhome);
+	    free(home);
+	    return PAM_SERVICE_ERR;
+	}
+
+	/* Use unlocked IO */
+	__fsetlocking(fil, FSETLOCKING_BYCALLER);
+
+	line = NULL;
+	/* loop reading the file */
+	while (getline(&line, &len, fil) > 0) {
+	    retval = process_line(line, home, rhome, idata);
+	    if (retval) {
+		pam_syslog(idata->pamh, LOG_ERR,
+		"Error processing conf file %s line %s", confname, line);
+	        fclose(fil);
+	        free(line);
+	        globfree(&globbuf);
+	        free(rhome);
+	        free(home);
+	        return PAM_SERVICE_ERR;
+	    }
+	}
+	fclose(fil);
+	free(line);
+
+	if (n >= globbuf.gl_pathc)
+	    break;
 
+	confname = globbuf.gl_pathv[n];	
+	n++;
+    }
+    
+    globfree(&globbuf);
+    free(rhome);
+    free(home);
+    
     /* All done...just some debug stuff */
     if (idata->flags & PAMNS_DEBUG) {
         struct polydir_s *dptr = idata->polydirs_ptr;
@@ -419,6 +625,7 @@ static int parse_config_file(struct instance_data *idata)
  * directory's list of override uids. If the uid is one of the override
  * uids for the polyinstantiated directory, polyinstantiation is not
  * performed for that user for that directory.
+ * If exclusive is set the returned values are opposite.
  */
 static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
 		uid_t uid)
@@ -432,11 +639,11 @@ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
 
     for (i = 0; i < polyptr->num_uids; i++) {
         if (uid == polyptr->uid[i]) {
-            return 1;
+            return !(polyptr->flags & POLYDIR_EXCLUSIVE);
         }
     }
 
-    return 0;
+    return !!(polyptr->flags & POLYDIR_EXCLUSIVE);
 }
 
 /*
@@ -490,7 +697,19 @@ static int form_context(const struct polydir_s *polyptr,
 
 	if (polyptr->method == USER) return PAM_SUCCESS;
 
-	rc = getexeccon(&scon);
+	if (idata->flags & PAMNS_USE_CURRENT_CONTEXT) {
+		rc = getcon(&scon);
+	} else if (idata->flags & PAMNS_USE_DEFAULT_CONTEXT) {
+		char *seuser = NULL, *level = NULL;
+
+		if ((rc=getseuserbyname(idata->user, &seuser, &level)) == 0) {
+			rc = get_default_context_with_level(seuser, level, NULL, &scon);
+			free(seuser);
+			free(level);
+		}
+	} else {
+		rc = getexeccon(&scon);
+	}
 	if (rc < 0 || scon == NULL) {
 		pam_syslog(idata->pamh, LOG_ERR, 
 			   "Error getting exec context, %m");
@@ -565,7 +784,7 @@ static int form_context(const struct polydir_s *polyptr,
 
 /*
  * poly_name returns the name of the polyinstantiated instance directory
- * based on the method used for polyinstantiation (user, context or both)
+ * based on the method used for polyinstantiation (user, context or level)
  * In addition, the function also returns the security contexts of the
  * original directory to polyinstantiate and the polyinstantiated instance
  * directory.
@@ -581,6 +800,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name,
 {
     int rc;
     char *hash = NULL;
+    enum polymethod pm;
 #ifdef WITH_SELINUX
     security_context_t rawcon = NULL;
 #endif
@@ -600,7 +820,23 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name,
      * Set the name of the polyinstantiated instance dir based on the
      * polyinstantiation method.
      */
-    switch (polyptr->method) {
+
+    pm = polyptr->method;
+    if (pm == LEVEL || pm == USER) {
+#ifdef WITH_SELINUX
+        if (!(idata->flags & PAMNS_CTXT_BASED_INST))
+#else
+	pam_syslog(idata->pamh, LOG_NOTICE,
+		"Context and level methods not available, using user method");
+#endif
+	if (polyptr->flags & POLYDIR_SHARED) {
+		rc = PAM_IGNORE;
+		goto fail;
+	}
+        pm = USER;
+    }
+    
+    switch (pm) {
         case USER:
 	    if (asprintf(i_name, "%s", idata->user) < 0) {
 		*i_name = NULL;
@@ -614,15 +850,28 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name,
 	    if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
 		pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
 		goto fail;
-	    }    	     
-	    if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
-		*i_name = NULL;
-		goto fail;
+	    }
+	    if (polyptr->flags & POLYDIR_SHARED) {
+		if (asprintf(i_name, "%s", rawcon) < 0) {
+			*i_name = NULL;
+			goto fail;
+	   	}
+	    } else {
+		if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
+			*i_name = NULL;
+			goto fail;
+	   	}
 	    }
     	    break;
 
 #endif /* WITH_SELINUX */
 
+	case TMPDIR:
+	case TMPFS:
+	    if ((*i_name=strdup("")) == NULL)
+	    	goto fail;
+	    return PAM_SUCCESS;
+
     	default:
     	    if (idata->flags & PAMNS_DEBUG)
     	        pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
@@ -643,7 +892,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name,
 	    hash = NULL;
         } else {
     	    char *newname;
-    	    if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
+    	    if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash),
     		*i_name, hash) < 0) {
     		goto fail;
     	    }
@@ -726,12 +975,13 @@ static int check_inst_parent(char *ipath, struct instance_data *idata)
 * execute it and pass directory to polyinstantiate and instance
 * directory as arguments.
 */
-static int inst_init(const struct polydir_s *polyptr, char *ipath,
-	   struct instance_data *idata)
+static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+	   struct instance_data *idata, int newdir)
 {
 	pid_t rc, pid;
 	sighandler_t osighand = NULL;
 	int status;
+	const char *init_script = NAMESPACE_INIT_SCRIPT;
 
 	osighand = signal(SIGCHLD, SIG_DFL);
 	if (osighand == SIG_ERR) {
@@ -740,8 +990,11 @@ static int inst_init(const struct polydir_s *polyptr, char *ipath,
 		goto out;
 	}
 
-	if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) {
-		if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) {
+	if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script)
+		init_script = polyptr->init_script;
+
+	if (access(init_script, F_OK) == 0) {
+		if (access(init_script, X_OK) < 0) {
 			if (idata->flags & PAMNS_DEBUG)
 				pam_syslog(idata->pamh, LOG_ERR,
 						"Namespace init script not executable");
@@ -756,8 +1009,8 @@ static int inst_init(const struct polydir_s *polyptr, char *ipath,
 						exit(1);
 				}
 #endif
-				if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
-							polyptr->dir, ipath, (char *)NULL) < 0)
+				if (execl(init_script, init_script,
+					polyptr->dir, ipath, newdir?"1":"0", idata->user, (char *)NULL) < 0)
 					exit(1);
 			} else if (pid > 0) {
 				while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
@@ -788,46 +1041,116 @@ out:
    return rc;
 }
 
+static int create_polydir(struct polydir_s *polyptr,
+	struct instance_data *idata)
+{
+    mode_t mode;
+    int rc;
+#ifdef WITH_SELINUX
+    security_context_t dircon, oldcon = NULL;
+#endif
+    const char *dir = polyptr->dir;
+
+    if (polyptr->mode != (mode_t)ULONG_MAX)
+            mode = polyptr->mode;
+    else
+            mode = 0777;
+
+#ifdef WITH_SELINUX
+    if (idata->flags & PAMNS_SELINUX_ENABLED) {
+	getfscreatecon(&oldcon);
+        rc = matchpathcon(dir, S_IFDIR, &dircon);
+        if (rc) {
+            pam_syslog(idata->pamh, LOG_NOTICE,
+                       "Unable to get default context for directory %s, check your policy: %m", dir);
+        } else {
+	    if (idata->flags & PAMNS_DEBUG)
+		pam_syslog(idata->pamh, LOG_DEBUG,
+                       "Polydir %s context: %s", dir, (char *)dircon);
+	    if (setfscreatecon(dircon) != 0)
+            	pam_syslog(idata->pamh, LOG_NOTICE,
+                       "Error setting context for directory %s: %m", dir);
+	    freecon(dircon);
+        }
+        matchpathcon_fini();
+    }
+#endif
+
+    rc = mkdir(dir, mode);
+    if (rc != 0) {
+            pam_syslog(idata->pamh, LOG_ERR,
+                       "Error creating directory %s: %m", dir);
+            return PAM_SESSION_ERR;
+    }
+
+#ifdef WITH_SELINUX
+    if (idata->flags & PAMNS_SELINUX_ENABLED) {
+        if (setfscreatecon(oldcon) != 0)
+		pam_syslog(idata->pamh, LOG_NOTICE,
+                       "Error resetting fs create context: %m");
+        freecon(oldcon);
+    }
+#endif
+
+    if (idata->flags & PAMNS_DEBUG)
+            pam_syslog(idata->pamh, LOG_DEBUG, "Created polydir %s", dir);
+
+    if (polyptr->mode != (mode_t)ULONG_MAX) {
+    	/* explicit mode requested */
+    	if (chmod(dir, mode) != 0) {
+		pam_syslog(idata->pamh, LOG_ERR,
+                    	"Error changing mode of directory %s: %m", dir);
+    		rmdir(dir);
+        	return PAM_SESSION_ERR;
+    	}
+    }
+
+    if (polyptr->owner != (uid_t)ULONG_MAX) {
+            if (chown(dir, polyptr->owner, polyptr->group) != 0) {
+                    pam_syslog(idata->pamh, LOG_ERR,
+                               "Unable to change owner on directory %s: %m", dir);
+		    rmdir(dir);
+                    return PAM_SESSION_ERR;
+            }
+            if (idata->flags & PAMNS_DEBUG)
+                    pam_syslog(idata->pamh, LOG_DEBUG,
+                               "Polydir owner %u group %u from configuration", polyptr->owner, polyptr->group);
+    } else {
+            if (chown(dir, idata->uid, idata->gid) != 0) {
+                    pam_syslog(idata->pamh, LOG_ERR,
+                               "Unable to change owner on directory %s: %m", dir);
+		    rmdir(dir);
+                    return PAM_SESSION_ERR;
+            }
+            if (idata->flags & PAMNS_DEBUG)
+                    pam_syslog(idata->pamh, LOG_DEBUG,
+                               "Polydir owner %u group %u", idata->uid, idata->gid);
+    }
+
+    return PAM_SUCCESS;
+}
+
 /*
  * Create polyinstantiated instance directory (ipath).
  */
 #ifdef WITH_SELINUX
-static int create_dirs(const struct polydir_s *polyptr, char *ipath,
+static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf,
         security_context_t icontext, security_context_t ocontext,
 	struct instance_data *idata)
 #else
-static int create_dirs(const struct polydir_s *polyptr, char *ipath,
+static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf,
 	struct instance_data *idata)
 #endif
 {
-	struct stat statbuf, newstatbuf;
-	int rc, fd;
+    struct stat newstatbuf;
+    int fd;
+    int newdir = 0;
 
     /*
-     * stat the directory to polyinstantiate, so its owner-group-mode
-     * can be propagated to instance directory
+     * Check to make sure instance parent is valid.
      */
-	rc = PAM_SUCCESS;
-    if (stat(polyptr->dir, &statbuf) < 0) {
-        pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
-		polyptr->dir);
-        return PAM_SESSION_ERR;
-    }
-
-    /*
-     * Make sure we are dealing with a directory
-     */
-    if (!S_ISDIR(statbuf.st_mode)) {
-	pam_syslog(idata->pamh, LOG_ERR, "poly dir %s is not a dir",
-		polyptr->dir);
-        return PAM_SESSION_ERR;
-    }
-
-	/*
-	 * Check to make sure instance parent is valid.
-	 */
-	if (check_inst_parent(ipath, idata))
-		return PAM_SESSION_ERR;
+    if (check_inst_parent(ipath, idata))
+	return PAM_SESSION_ERR;
 
     /*
      * Create instance directory and set its security context to the context
@@ -835,7 +1158,17 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath,
      * attributes to match that of the original directory that is being
      * polyinstantiated.
      */
-    if (mkdir(ipath, S_IRUSR) < 0) {
+    
+    if (polyptr->method == TMPDIR) {
+    	if (mkdtemp(polyptr->instance_prefix) == NULL) {
+            pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m",
+			polyptr->instance_prefix);
+	    polyptr->method = NONE; /* do not clean up! */
+	    return PAM_SESSION_ERR;
+    	}
+	/* copy the actual directory name to ipath */
+	strcpy(ipath, polyptr->instance_prefix);
+    } else if (mkdir(ipath, S_IRUSR) < 0) {
         if (errno == EEXIST)
             goto inst_init;
         else {
@@ -845,6 +1178,7 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath,
         }
     }
 
+    newdir = 1;
     /* Open a descriptor to it to prevent races */
     fd = open(ipath, O_DIRECTORY | O_RDONLY);
     if (fd < 0) {
@@ -881,9 +1215,9 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath,
 	rmdir(ipath);
         return PAM_SESSION_ERR;
     }
-    if (newstatbuf.st_uid != statbuf.st_uid ||
-			 newstatbuf.st_gid != statbuf.st_gid) {
-        if (fchown(fd, statbuf.st_uid, statbuf.st_gid) < 0) {
+    if (newstatbuf.st_uid != statbuf->st_uid ||
+			 newstatbuf.st_gid != statbuf->st_gid) {
+        if (fchown(fd, statbuf->st_uid, statbuf->st_gid) < 0) {
             pam_syslog(idata->pamh, LOG_ERR,
 			"Error changing owner for %s, %m",
 			ipath);
@@ -892,7 +1226,7 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath,
             return PAM_SESSION_ERR;
         }
     }
-    if (fchmod(fd, statbuf.st_mode & 07777) < 0) {
+    if (fchmod(fd, statbuf->st_mode & 07777) < 0) {
         pam_syslog(idata->pamh, LOG_ERR, "Error changing mode for %s, %m",
 			ipath);
 	close(fd);
@@ -909,8 +1243,10 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath,
      */
 
 inst_init:
-	rc = inst_init(polyptr, ipath, idata);
-    return rc;
+    if (polyptr->flags & POLYDIR_NOINIT)
+    	return PAM_SUCCESS;
+
+    return inst_init(polyptr, ipath, idata, newdir);
 }
 
 
@@ -921,13 +1257,13 @@ inst_init:
  * security attributes, and performs bind mount to setup the process
  * namespace.
  */
-static int ns_setup(const struct polydir_s *polyptr,
+static int ns_setup(struct polydir_s *polyptr,
 	struct instance_data *idata)
 {
     int retval = 0;
     char *inst_dir = NULL;
     char *instname = NULL;
-    char *dir;
+    struct stat statbuf;
 #ifdef WITH_SELINUX
     security_context_t instcontext = NULL, origcontext = NULL;
 #endif
@@ -936,9 +1272,36 @@ static int ns_setup(const struct polydir_s *polyptr,
         pam_syslog(idata->pamh, LOG_DEBUG,
                "Set namespace for directory %s", polyptr->dir);
 
-    dir = strrchr(polyptr->dir, '/');
-    if (dir && strlen(dir) > 1)
-        dir++;
+    while (stat(polyptr->dir, &statbuf) < 0) {
+    	if (retval || !(polyptr->flags & POLYDIR_CREATE)) {
+        	pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
+			polyptr->dir);
+        	return PAM_SESSION_ERR;
+    	} else {
+    		if (create_polydir(polyptr, idata) != PAM_SUCCESS)
+    			return PAM_SESSION_ERR;
+    		retval = PAM_SESSION_ERR; /* bail out on next failed stat */
+    	}
+    }
+
+    /*
+     * Make sure we are dealing with a directory
+     */
+    if (!S_ISDIR(statbuf.st_mode)) {
+	pam_syslog(idata->pamh, LOG_ERR, "Polydir %s is not a dir",
+		polyptr->dir);
+        return PAM_SESSION_ERR;
+    }
+
+    if (polyptr->method == TMPFS) {
+	if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) {
+	    pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
+        	polyptr->dir);
+            return PAM_SESSION_ERR;
+	}
+	/* we must call inst_init after the mount in this case */
+	return inst_init(polyptr, "tmpfs", idata, 1);
+    }
 
     /*
      * Obtain the name of instance pathname based on the
@@ -952,9 +1315,10 @@ static int ns_setup(const struct polydir_s *polyptr,
     retval = poly_name(polyptr, &instname, idata);
 #endif
 
-    if (retval) {
-        pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name");
-        goto error_out;
+    if (retval != PAM_SUCCESS) {
+    	if (retval != PAM_IGNORE)
+        	pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name");
+        goto cleanup;
     } else {
 #ifdef WITH_SELINUX
         if ((idata->flags & PAMNS_DEBUG) &&
@@ -976,10 +1340,10 @@ static int ns_setup(const struct polydir_s *polyptr,
      * contexts, owner, group and mode bits.
      */
 #ifdef WITH_SELINUX
-    retval = create_dirs(polyptr, inst_dir, instcontext,
+    retval = create_dirs(polyptr, inst_dir, &statbuf, instcontext,
 			 origcontext, idata);
 #else
-    retval = create_dirs(polyptr, inst_dir, idata);
+    retval = create_dirs(polyptr, inst_dir, &statbuf, idata);
 #endif
 
     if (retval < 0) {
@@ -1044,6 +1408,58 @@ static int cwd_in(char *dir, struct instance_data *idata)
     return retval;
 }
 
+static int cleanup_tmpdirs(struct instance_data *idata)
+{
+    struct polydir_s *pptr;
+    pid_t rc, pid;
+    sighandler_t osighand = NULL;
+    int status;
+
+    osighand = signal(SIGCHLD, SIG_DFL);
+    if (osighand == SIG_ERR) {
+	pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
+	rc = PAM_SESSION_ERR;
+	goto out;
+    }
+
+    for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+	if (pptr->method == TMPDIR && access(pptr->instance_prefix, F_OK) == 0) {
+	    pid = fork();
+	    if (pid == 0) {
+#ifdef WITH_SELINUX
+		if (idata->flags & PAMNS_SELINUX_ENABLED) {
+		    if (setexeccon(NULL) < 0)
+			exit(1);
+		}
+#endif
+		if (execl("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, (char *)NULL) < 0)
+			exit(1);
+	    } else if (pid > 0) {
+		while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
+		    (errno == EINTR));
+		if (rc == (pid_t)-1) {
+		    pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m");
+		    rc = PAM_SESSION_ERR;
+		    goto out;
+		}
+		if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
+		    pam_syslog(idata->pamh, LOG_ERR,
+		    	"Error removing %s", pptr->instance_prefix);
+		}
+	    } else if (pid < 0) {
+		pam_syslog(idata->pamh, LOG_ERR,
+			"Cannot fork to run namespace init script, %m");
+		rc = PAM_SESSION_ERR;
+		goto out;
+	    }
+        }
+    }
+
+    rc = PAM_SUCCESS;
+out:
+    signal(SIGCHLD, osighand);
+    return rc;
+}
 
 /*
  * This function checks to see if polyinstantiation is needed for any
@@ -1056,34 +1472,18 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
     int retval = 0, need_poly = 0, changing_dir = 0;
     char *cptr, *fptr, poly_parent[PATH_MAX];
     struct polydir_s *pptr;
-    uid_t req_uid;
-    const void *ruser_name;
-    struct passwd *pwd;
 
     if (idata->flags & PAMNS_DEBUG)
         pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
 		getpid());
 
-    retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
-    if (ruser_name == NULL || retval != PAM_SUCCESS) {
-	retval = PAM_SUCCESS;
-	req_uid = getuid();
-    } else {
-        pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
-        if (pwd != NULL) {
-    	    req_uid = pwd->pw_uid;
-        } else {
-	    req_uid = getuid();
-        }
-    }
-
     /*
      * Cycle through all polyinstantiated directory entries to see if
      * polyinstantiation is needed at all.
      */
     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
         if (ns_override(pptr, idata, idata->uid)) {
-    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
+    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
         	if (idata->flags & PAMNS_DEBUG)
         	    pam_syslog(idata->pamh, LOG_DEBUG,
 			"Overriding poly for user %d for dir %s",
@@ -1092,7 +1492,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
         	if (idata->flags & PAMNS_DEBUG)
             	    pam_syslog(idata->pamh, LOG_DEBUG,
 			"Need unmount ns for user %d for dir %s",
-			idata->uid, pptr->dir);
+			idata->ruid, pptr->dir);
 		need_poly = 1;
 		break;
 	    }
@@ -1108,17 +1508,19 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
     }
 
     /*
-     * If polyinstnatiation is needed, call the unshare system call to
+     * If polyinstantiation is needed, call the unshare system call to
      * disassociate from the parent namespace.
      */
     if (need_poly) {
         if (unshare(CLONE_NEWNS) < 0) {
-            pam_syslog(idata->pamh, LOG_ERR,
+		pam_syslog(idata->pamh, LOG_ERR,
 		"Unable to unshare from parent namespace, %m");
             return PAM_SESSION_ERR;
         }
-    } else
+    } else {
+    	del_polydir_list(idata->polydirs_ptr);
         return PAM_SUCCESS;
+    }
 
     /*
      * Again cycle through all polyinstantiated directories, this time,
@@ -1127,7 +1529,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
 	enum unmnt_op dir_unmnt = unmnt;
         if (ns_override(pptr, idata, idata->uid)) {
-    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
+    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
     		continue;
 	    } else {
 		dir_unmnt = UNMNT_ONLY;
@@ -1144,8 +1546,9 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
                  * bind mounted instance_parent directory that we are trying to
                  * umount
                  */
-                if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) {
-                    return PAM_SESSION_ERR;
+                if ((changing_dir = cwd_in(pptr->rdir, idata)) < 0) {
+                    retval = PAM_SESSION_ERR;
+                    goto out;
                 } else if (changing_dir) {
                     if (idata->flags & PAMNS_DEBUG)
                         pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd");
@@ -1156,7 +1559,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
                      * directory where original contents of the polydir
                      * are available from
                      */
-                    strcpy(poly_parent, pptr->dir);
+                    strcpy(poly_parent, pptr->rdir);
     	            fptr = strchr(poly_parent, '/');
         	    cptr = strrchr(poly_parent, '/');
         	    if (fptr && cptr && (fptr == cptr))
@@ -1169,24 +1572,36 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
                     }
                 }
 
-                if (umount(pptr->dir) < 0) {
+                if (umount(pptr->rdir) < 0) {
             	    int saved_errno = errno;
             	    pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
-                    	pptr->dir);
-            	    if (saved_errno != EINVAL)
-                	return PAM_SESSION_ERR;
+                    	pptr->rdir);
+            	    if (saved_errno != EINVAL) {
+                	retval = PAM_SESSION_ERR;
+                	goto out;
+                    }
                 } else if (idata->flags & PAMNS_DEBUG)
                     pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
-				pptr->dir);
+				pptr->rdir);
 	}
 
 	if (dir_unmnt != UNMNT_ONLY) {
                 retval = ns_setup(pptr, idata);
+                if (retval == PAM_IGNORE)
+                     retval = PAM_SUCCESS;
                 if (retval != PAM_SUCCESS)
                      break;
         }
     }
-
+out:
+    if (retval != PAM_SUCCESS)
+    	cleanup_tmpdirs(idata);
+    else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr,
+    		cleanup_data) != PAM_SUCCESS) {
+	pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace data");
+    	cleanup_tmpdirs(idata);
+	return PAM_SYSTEM_ERR;
+    }
     return retval;
 }
 
@@ -1225,8 +1640,10 @@ static int orig_namespace(struct instance_data *idata)
             } else if (idata->flags & PAMNS_DEBUG)
                 pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded",
 			pptr->dir);
-        }
+	}
     }
+
+    cleanup_tmpdirs(idata);
     return 0;
 }
 
@@ -1239,7 +1656,7 @@ static int orig_namespace(struct instance_data *idata)
  * The return value from this function is used when selecting the
  * polyinstantiation method. If context change is not requested then
  * the polyinstantiation method is set to USER, even if the configuration
- * file lists the method as "context" or "both".
+ * file lists the method as "context" or "level".
  */
 static int ctxt_based_inst_needed(void)
 {
@@ -1257,6 +1674,55 @@ static int ctxt_based_inst_needed(void)
 #endif
 
 
+static int get_user_data(struct instance_data *idata)
+{
+    int retval;
+    char *user_name;
+    struct passwd *pwd;
+    /* 
+     * Lookup user and fill struct items
+     */
+    retval = pam_get_item(idata->pamh, PAM_USER, (void*) &user_name );
+    if ( user_name == NULL || retval != PAM_SUCCESS ) {
+        pam_syslog(idata->pamh, LOG_ERR, "Error recovering pam user name");
+        return PAM_SESSION_ERR;
+    }
+
+    pwd = pam_modutil_getpwnam(idata->pamh, user_name);
+    if (!pwd) {
+        pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name);
+        return PAM_USER_UNKNOWN;
+    }
+
+    /*
+     * Add the user info to the instance data so we can refer to them later.
+     */
+    idata->user[0] = 0;
+    strncat(idata->user, user_name, sizeof(idata->user) - 1);
+    idata->uid = pwd->pw_uid;
+    idata->gid = pwd->pw_gid;
+
+    /* Fill in RUSER too */
+    retval = pam_get_item(idata->pamh, PAM_RUSER, (void*) &user_name );
+    if ( user_name != NULL && retval == PAM_SUCCESS && user_name[0] != '\0' ) {
+    	strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1);
+    	pwd = pam_modutil_getpwnam(idata->pamh, user_name);
+    } else {
+    	pwd = pam_modutil_getpwuid(idata->pamh, getuid());
+    }
+    if (!pwd) {
+	pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name);
+	return PAM_USER_UNKNOWN;
+    }
+    user_name = pwd->pw_name;
+
+    idata->ruser[0] = 0;
+    strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1);
+    idata->ruid = pwd->pw_uid;
+
+    return PAM_SUCCESS;
+}
+
 /*
  * Entry point from pam_open_session call.
  */
@@ -1265,8 +1731,6 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
 {
     int i, retval;
     struct instance_data idata;
-    char *user_name;
-    struct passwd *pwd;
     enum unmnt_op unmnt = NO_UNMNT;
 
     /* init instance data */
@@ -1290,6 +1754,14 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
             idata.flags |= PAMNS_IGN_CONFIG_ERR;
         if (strcmp(argv[i], "ignore_instance_parent_mode") == 0)
             idata.flags |= PAMNS_IGN_INST_PARENT_MODE;
+        if (strcmp(argv[i], "use_current_context") == 0) {
+            idata.flags |= PAMNS_USE_CURRENT_CONTEXT;
+            idata.flags |= PAMNS_CTXT_BASED_INST;
+        }
+        if (strcmp(argv[i], "use_default_context") == 0) {
+            idata.flags |= PAMNS_USE_DEFAULT_CONTEXT;
+            idata.flags |= PAMNS_CTXT_BASED_INST;
+        }
         if (strcmp(argv[i], "unmnt_remnt") == 0)
             unmnt = UNMNT_REMNT;
         if (strcmp(argv[i], "unmnt_only") == 0)
@@ -1305,27 +1777,9 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
     if (idata.flags & PAMNS_DEBUG)
         pam_syslog(idata.pamh, LOG_DEBUG, "open_session - start");
 
-    /*
-     * Lookup user and fill struct items
-     */
-    retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
-    if ( user_name == NULL || retval != PAM_SUCCESS ) {
-        pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name");
-        return PAM_SESSION_ERR;
-    }
-
-    pwd = pam_modutil_getpwnam(idata.pamh, user_name);
-    if (!pwd) {
-        pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name);
-        return PAM_SESSION_ERR;
-    }
-
-    /*
-     * Add the user info to the instance data so we can refer to them later.
-     */
-    idata.user[0] = 0;
-    strncat(idata.user, user_name, sizeof(idata.user) - 1);
-    idata.uid = pwd->pw_uid;
+    retval = get_user_data(&idata);
+    if (retval != PAM_SUCCESS)
+    	return retval;
 
     /*
      * Parse namespace configuration file which lists directories to
@@ -1351,7 +1805,8 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
     } else if (idata.flags & PAMNS_DEBUG)
         pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate");
 
-    del_polydir_list(idata.polydirs_ptr);
+    if (retval != PAM_SUCCESS)
+	del_polydir_list(idata.polydirs_ptr);
     return retval;
 }
 
@@ -1364,8 +1819,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
 {
     int i, retval;
     struct instance_data idata;
-    char *user_name;
-    struct passwd *pwd;
+    void *polyptr;
 
     /* init instance data */
     idata.flags = 0;
@@ -1407,38 +1861,16 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
         return PAM_SUCCESS;
     }
 
-    /* 
-     * Lookup user and fill struct items
-     */
-    retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
-    if ( user_name == NULL || retval != PAM_SUCCESS ) {
-        pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name");
-        return PAM_SESSION_ERR;
-    }
-
-    pwd = pam_modutil_getpwnam(idata.pamh, user_name);
-    if (!pwd) {
-        pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name);
-        return PAM_SESSION_ERR;
-    }
-
-    /*
-     * Add the user info to the instance data so we can refer to them later.
-     */
-    idata.user[0] = 0;
-    strncat(idata.user, user_name, sizeof(idata.user) - 1);
-    idata.uid = pwd->pw_uid;
+    retval = get_user_data(&idata);
+    if (retval != PAM_SUCCESS)
+    	return retval;
 
-    /*
-     * Parse namespace configuration file which lists directories that
-     * are polyinstantiated, directories where instance directories are
-     * created and the method used for polyinstantiation.
-     */
-    retval = parse_config_file(&idata);
-    if ((retval != PAM_SUCCESS) || !idata.polydirs_ptr) {
-	del_polydir_list(idata.polydirs_ptr);
-        return PAM_SESSION_ERR;
-    }
+    retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr);
+    if (retval != PAM_SUCCESS || polyptr == NULL)
+    	/* nothing to reset */
+    	return PAM_SUCCESS;
+    	
+    idata.polydirs_ptr = polyptr;
 
     if (idata.flags & PAMNS_DEBUG)
         pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d",
@@ -1453,7 +1885,9 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
             pam_syslog(idata.pamh, LOG_DEBUG,
 		"resetting namespace ok for pid %d", getpid());
     }
-    del_polydir_list(idata.polydirs_ptr);
+
+    pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
+    
     return PAM_SUCCESS;
 }
 
diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.h b/Linux-PAM/modules/pam_namespace/pam_namespace.h
index 0847ec08..bfc0da17 100644
--- a/Linux-PAM/modules/pam_namespace/pam_namespace.h
+++ b/Linux-PAM/modules/pam_namespace/pam_namespace.h
@@ -47,6 +47,7 @@
 #include <dlfcn.h>
 #include <stdarg.h>
 #include <pwd.h>
+#include <grp.h>
 #include <limits.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -56,6 +57,8 @@
 #include <libgen.h>
 #include <fcntl.h>
 #include <sched.h>
+#include <glob.h>
+#include <locale.h>
 #include "security/pam_modules.h"
 #include "security/pam_modutil.h"
 #include "security/pam_ext.h"
@@ -63,6 +66,7 @@
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
 #include <selinux/context.h>
 #endif
 
@@ -73,14 +77,16 @@
 /*
  * Module defines
  */
-#ifndef PAM_NAMESPACE_CONFIG
-#define PAM_NAMESPACE_CONFIG "/etc/security/namespace.conf"
+#ifndef SECURECONF_DIR
+#define SECURECONF_DIR "/etc/security/"
 #endif
 
-#ifndef NAMESPACE_INIT_SCRIPT
-#define NAMESPACE_INIT_SCRIPT "/etc/security/namespace.init"
-#endif
+#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf")
+#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init")
+#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/")
+#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf")
 
+/* module flags */
 #define PAMNS_DEBUG           0x00000100 /* Running in debug mode */
 #define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */
 #define PAMNS_CTXT_BASED_INST 0x00000800 /* Context based instance needed */
@@ -88,8 +94,19 @@
 #define PAMNS_IGN_CONFIG_ERR  0x00004000 /* Ignore format error in conf file */
 #define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
 #define PAMNS_NO_UNMOUNT_ON_CLOSE  0x00010000 /* no unmount at session close */
+#define PAMNS_USE_CURRENT_CONTEXT  0x00020000 /* use getcon instead of getexeccon */
+#define PAMNS_USE_DEFAULT_CONTEXT  0x00040000 /* use get_default_context instead of getexeccon */
+
+/* polydir flags */
+#define POLYDIR_EXCLUSIVE     0x00000001 /* polyinstatiate exclusively for override uids */
+#define POLYDIR_CREATE        0x00000002 /* create the polydir */
+#define POLYDIR_NOINIT        0x00000004 /* no init script */
+#define POLYDIR_SHARED        0x00000008 /* share context/level instances among users */
+#define POLYDIR_ISCRIPT       0x00000010 /* non default init script */
+
 
 #define NAMESPACE_MAX_DIR_LEN 80
+#define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data"
 
 /*
  * Polyinstantiation method options, based on user, security context
@@ -100,6 +117,8 @@ enum polymethod {
     USER,
     CONTEXT,
     LEVEL,
+    TMPDIR,
+    TMPFS
 };
 
 /*
@@ -124,10 +143,16 @@ enum unmnt_op {
  */
 struct polydir_s {
     char dir[PATH_MAX];    	       	/* directory to polyinstantiate */
+    char rdir[PATH_MAX];    	       	/* directory to unmount (based on RUSER) */
     char instance_prefix[PATH_MAX];	/* prefix for instance dir path name */
     enum polymethod method;		/* method used to polyinstantiate */
     unsigned int num_uids;		/* number of override uids */
     uid_t *uid;				/* list of override uids */
+    unsigned int flags;			/* polydir flags */
+    char *init_script;			/* path to init script */
+    uid_t owner;			/* user which should own the polydir */
+    gid_t group;			/* group which should own the polydir */
+    mode_t mode;			/* mode of the polydir */
     struct polydir_s *next;		/* pointer to the next polydir entry */
 };
 
@@ -135,6 +160,9 @@ struct instance_data {
     pam_handle_t *pamh;		/* The pam handle for this instance */
     struct polydir_s *polydirs_ptr; /* The linked list pointer */
     char user[LOGIN_NAME_MAX];	/* User name */
+    char ruser[LOGIN_NAME_MAX];	/* Requesting user name */
     uid_t uid;			/* The uid of the user */
-    unsigned long flags;		/* Flags for debug, selinux etc */
+    gid_t gid;			/* The gid of the user's primary group */
+    uid_t ruid;			/* The uid of the requesting user */
+    unsigned long flags;	/* Flags for debug, selinux etc */
 };
diff --git a/Linux-PAM/modules/pam_nologin/pam_nologin.8 b/Linux-PAM/modules/pam_nologin/pam_nologin.8
index 5e502266..8d5d1742 100644
--- a/Linux-PAM/modules/pam_nologin/pam_nologin.8
+++ b/Linux-PAM/modules/pam_nologin/pam_nologin.8
@@ -1,89 +1,103 @@
 .\"     Title: pam_nologin
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/04/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_NOLOGIN" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_NOLOGIN" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_nologin \- Prevent non\-root users from login
+pam_nologin - Prevent non-root users from login
 .SH "SYNOPSIS"
 .HP 15
-\fBpam_nologin.so\fR [file=\fI/path/nologin\fR] [successok]
+\fBpam_nologin\.so\fR [file=\fI/path/nologin\fR] [successok]
 .SH "DESCRIPTION"
 .PP
 pam_nologin is a PAM module that prevents users from logging into the system when
 \fI/etc/nologin\fR
-exists. The contents of the
+exists\. The contents of the
 \fI/etc/nologin\fR
-file are displayed to the user. The pam_nologin module has no effect on the root user's ability to log in.
+file are displayed to the user\. The pam_nologin module has no effect on the root user\'s ability to log in\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBfile=\fR\fB\fI/path/nologin\fR\fR
+.RS 4
 Use this file instead the default
-\fI/etc/nologin\fR.
-.TP 3n
+\fI/etc/nologin\fR\.
+.RE
+.PP
 \fBsuccessok\fR
-Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
+.RS 4
+Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The
 \fBauth\fR
 and
 \fBacct\fR
-services are supported.
+services are supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_AUTH_ERR
+.RS 4
 The user is not root and
 \fI/etc/nologin\fR
-exists, so the user is not permitted to log in.
-.TP 3n
+exists, so the user is not permitted to log in\.
+.RE
+.PP
 PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
 PAM_IGNORE
-This is the default return value.
-.TP 3n
+.RS 4
+This is the default return value\.
+.RE
+.PP
 PAM_SUCCESS
+.RS 4
 Success: either the user is root or the
 \fI/etc/nologin\fR
-file does not exist.
-.TP 3n
+file does not exist\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User not known to the underlying authentication module.
+.RS 4
+User not known to the underlying authentication module\.
+.RE
 .SH "EXAMPLES"
 .PP
 The suggested usage for
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
 is:
 .sp
-.RS 3n
+.RS 4
 .nf
-auth  required  pam_nologin.so
+auth  required  pam_nologin\.so
       
 .fi
 .RE
 .sp
 .SH "NOTES"
 .PP
-In order to make this module effective, all login methods should be secured by it. It should be used as a
+In order to make this module effective, all login methods should be secured by it\. It should be used as a
 \fIrequired\fR
 method listed before any
 \fIsufficient\fR
-methods in order to get standard Unix nologin semantics. Note, the use of
+methods in order to get standard Unix nologin semantics\. Note, the use of
 \fBsuccessok\fR
 module argument causes the module to return
 \fIPAM_SUCCESS\fR
 and as such would break such a configuration \- failing
 \fIsufficient\fR
 modules would lead to a successful login because the nologin module
-\fIsucceeded\fR.
+\fIsucceeded\fR\.
 .SH "SEE ALSO"
 .PP
 
@@ -93,4 +107,4 @@ modules would lead to a successful login because the nologin module
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.
+pam_nologin was written by Michael K\. Johnson <johnsonm@redhat\.com>\.
diff --git a/Linux-PAM/modules/pam_permit/README b/Linux-PAM/modules/pam_permit/README
index e09ec9cf..d479dccd 100644
--- a/Linux-PAM/modules/pam_permit/README
+++ b/Linux-PAM/modules/pam_permit/README
@@ -14,7 +14,7 @@ This module is very dangerous. It should be used with extreme caution.
 
 OPTIONS
 
-This module does not recognice any options.
+This module does not recognise any options.
 
 EXAMPLES
 
diff --git a/Linux-PAM/modules/pam_permit/pam_permit.8 b/Linux-PAM/modules/pam_permit/pam_permit.8
index ce3c3290..720ba32b 100644
--- a/Linux-PAM/modules/pam_permit/pam_permit.8
+++ b/Linux-PAM/modules/pam_permit/pam_permit.8
@@ -1,32 +1,32 @@
 .\"     Title: pam_permit
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/04/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_PERMIT" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_PERMIT" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_permit \- The promiscuous module
+pam_permit - The promiscuous module
 .SH "SYNOPSIS"
 .HP 14
-\fBpam_permit.so\fR
+\fBpam_permit\.so\fR
 .SH "DESCRIPTION"
 .PP
-pam_permit is a PAM module that always permit access. It does nothing else.
+pam_permit is a PAM module that always permit access\. It does nothing else\.
 .PP
-In the case of authentication, the user's name will be set to
+In the case of authentication, the user\'s name will be set to
 \fInobody\fR
-if the application didn't set one. Many applications and PAM modules become confused if this name is unknown.
+if the application didn\'t set one\. Many applications and PAM modules become confused if this name is unknown\.
 .PP
-This module is very dangerous. It should be used with extreme caution.
+This module is very dangerous\. It should be used with extreme caution\.
 .SH "OPTIONS"
 .PP
-This module does not recognice any options.
+This module does not recognise any options\.
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The services
@@ -35,18 +35,20 @@ The services
 \fBpassword\fR
 and
 \fBsession\fR
-are supported.
+are supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-This module always returns this value.
+.RS 4
+This module always returns this value\.
+.RE
 .SH "EXAMPLES"
 .PP
-Add this line to your other login entries to disable account management, but continue to permit users to log in.
+Add this line to your other login entries to disable account management, but continue to permit users to log in\.
 .sp
-.RS 3n
+.RS 4
 .nf
-account  required  pam_permit.so
+account  required  pam_permit\.so
       
 .fi
 .RE
@@ -59,4 +61,4 @@ account  required  pam_permit.so
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>.
+pam_permit was written by Andrew G\. Morgan, <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_permit/pam_permit.8.xml b/Linux-PAM/modules/pam_permit/pam_permit.8.xml
index 3992f43f..4db7a963 100644
--- a/Linux-PAM/modules/pam_permit/pam_permit.8.xml
+++ b/Linux-PAM/modules/pam_permit/pam_permit.8.xml
@@ -44,7 +44,7 @@
   <refsect1 id="pam_permit-options">
 
     <title>OPTIONS</title>
-    <para> This module does not recognice any options.</para>
+    <para> This module does not recognise any options.</para>
   </refsect1>
 
   <refsect1 id="pam_permit-services">
diff --git a/Linux-PAM/modules/pam_rhosts/Makefile.am b/Linux-PAM/modules/pam_rhosts/Makefile.am
index 26fdf9c6..547ad621 100644
--- a/Linux-PAM/modules/pam_rhosts/Makefile.am
+++ b/Linux-PAM/modules/pam_rhosts/Makefile.am
@@ -1,12 +1,12 @@
 #
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@suse.de>
 #
 
 CLEANFILES = *~
 
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts
 
-TESTS = tst-pam_rhosts_auth tst-pam_rhosts
+TESTS = tst-pam_rhosts
 
 man_MANS = pam_rhosts.8
 
@@ -21,8 +21,7 @@ if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
 
-securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la
-pam_rhosts_auth_la_LIBADD = -L$(top_builddir)/libpam -lpam
+securelib_LTLIBRARIES = pam_rhosts.la
 pam_rhosts_la_LIBADD = -L$(top_builddir)/libpam -lpam
 
 if ENABLE_REGENERATE_MAN
diff --git a/Linux-PAM/modules/pam_rhosts/pam_rhosts.8 b/Linux-PAM/modules/pam_rhosts/pam_rhosts.8
index 0d7f4a16..23f03112 100644
--- a/Linux-PAM/modules/pam_rhosts/pam_rhosts.8
+++ b/Linux-PAM/modules/pam_rhosts/pam_rhosts.8
@@ -1,85 +1,95 @@
 .\"     Title: pam_rhosts
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/28/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_RHOSTS" "8" "06/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_RHOSTS" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_rhosts \- The rhosts PAM module
+pam_rhosts - The rhosts PAM module
 .SH "SYNOPSIS"
 .HP 14
-\fBpam_rhosts.so\fR
+\fBpam_rhosts\.so\fR
 .SH "DESCRIPTION"
 .PP
 This module performs the standard network authentication for services, as used by traditional implementations of
 \fBrlogin\fR
 and
 \fBrsh\fR
-etc.
+etc\.
 .PP
 The authentication mechanism of this module is based on the contents of two files;
-\fI/etc/hosts.equiv\fR
+\fI/etc/hosts\.equiv\fR
 (or and
-\fI~/.rhosts\fR. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user's account on the current host. Access is granted to the user if their host is present in
-\fI/etc/hosts.equiv\fR
-and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file.
+\fI~/\.rhosts\fR\. Firstly, hosts listed in the former file are treated as equivalent to the localhost\. Secondly, entries in the user\'s own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user\'s account on the current host\. Access is granted to the user if their host is present in
+\fI/etc/hosts\.equiv\fR
+and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file\.
 .PP
 The module authenticates a remote user (internally specified by the item
 \fIPAM_RUSER\fR
 connecting from the remote host (internally specified by the item
-\fBPAM_RHOST\fR). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling
-\fBpam_authenticate()\fR. The module is not capable of independently probing the network connection for such information.
+\fBPAM_RHOST\fR)\. Accordingly, for applications to be compatible this authentication module they must set these items prior to calling
+\fBpam_authenticate()\fR\. The module is not capable of independently probing the network connection for such information\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
 \fBsilent\fR
-Don't print informative messages.
-.TP 3n
+.RS 4
+Don\'t print informative messages\.
+.RE
+.PP
 \fBsuperuser=\fR\fB\fIaccount\fR\fR
+.RS 4
 Handle
 \fIaccount\fR
-as root.
+as root\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_AUTH_ERR
-The remote host, remote user name or the local user name couldn't be determined or access was denied by
-\fI.rhosts\fR
-file.
-.TP 3n
+.RS 4
+The remote host, remote user name or the local user name couldn\'t be determined or access was denied by
+\fI\.rhosts\fR
+file\.
+.RE
+.PP
 PAM_USER_UNKNOWN
-User is not known to system.
+.RS 4
+User is not known to system\.
+.RE
 .SH "EXAMPLES"
 .PP
 To grant a remote user access by
-\fI/etc/hosts.equiv\fR
+\fI/etc/hosts\.equiv\fR
 or
-\fI.rhosts\fR
+\fI\.rhosts\fR
 for
 \fBrsh\fR
 add the following lines to
-\fI/etc/pam.d/rsh\fR:
+\fI/etc/pam\.d/rsh\fR:
 .sp
-.RS 3n
+.RS 4
 .nf
-#%PAM\-1.0
+#%PAM\-1\.0
 #
-auth     required       pam_rhosts.so
-auth     required       pam_nologin.so
-auth     required       pam_env.so
-auth     required       pam_unix.so
+auth     required       pam_rhosts\.so
+auth     required       pam_nologin\.so
+auth     required       pam_env\.so
+auth     required       pam_unix\.so
       
 .fi
 .RE
@@ -95,4 +105,4 @@ auth     required       pam_unix.so
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>
+pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\.de>
diff --git a/Linux-PAM/modules/pam_rootok/pam_rootok.8 b/Linux-PAM/modules/pam_rootok/pam_rootok.8
index 79618050..ba86ea77 100644
--- a/Linux-PAM/modules/pam_rootok/pam_rootok.8
+++ b/Linux-PAM/modules/pam_rootok/pam_rootok.8
@@ -1,66 +1,72 @@
 .\"     Title: pam_rootok
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/23/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_ROOTOK" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ROOTOK" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_rootok \- Gain only root access
+pam_rootok - Gain only root access
 .SH "SYNOPSIS"
 .HP 14
-\fBpam_rootok.so\fR [debug]
+\fBpam_rootok\.so\fR [debug]
 .SH "DESCRIPTION"
 .PP
 pam_rootok is a PAM module that authenticates the user if their
 \fIUID\fR
 is
-\fI0\fR. Applications that are created setuid\-root generally retain the
+\fI0\fR\. Applications that are created setuid\-root generally retain the
 \fIUID\fR
-of the user but run with the authority of an enhanced effective\-UID. It is the real
+of the user but run with the authority of an enhanced effective\-UID\. It is the real
 \fIUID\fR
-that is checked.
+that is checked\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
+.RS 4
+Print debug information\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
+.RS 4
 The
 \fIUID\fR
 is
-\fI0\fR.
-.TP 3n
+\fI0\fR\.
+.RE
+.PP
 PAM_AUTH_ERR
+.RS 4
 The
 \fIUID\fR
 is
 \fBnot\fR
-\fI0\fR.
+\fI0\fR\.
+.RE
 .SH "EXAMPLES"
 .PP
 In the case of the
 \fBsu\fR(1)
-application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the
-\fI/etc/pam.d/su\fR
+application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password\. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the
+\fI/etc/pam\.d/su\fR
 configuration file:
 .sp
-.RS 3n
+.RS 4
 .nf
-# su authentication. Root is granted access by default.
-auth  sufficient   pam_rootok.so
-auth  required     pam_unix.so
+# su authentication\. Root is granted access by default\.
+auth  sufficient   pam_rootok\.so
+auth  required     pam_unix\.so
       
 .fi
 .RE
@@ -74,4 +80,4 @@ auth  required     pam_unix.so
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
+pam_rootok was written by Andrew G\. Morgan, <morgan@kernel\.org>\.
diff --git a/Linux-PAM/modules/pam_securetty/pam_securetty.8 b/Linux-PAM/modules/pam_securetty/pam_securetty.8
index f72e611f..f37c5710 100644
--- a/Linux-PAM/modules/pam_securetty/pam_securetty.8
+++ b/Linux-PAM/modules/pam_securetty/pam_securetty.8
@@ -1,74 +1,86 @@
 .\"     Title: pam_securetty
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/04/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SECURETTY" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SECURETTY" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_securetty \- Limit root login to special devices
+pam_securetty - Limit root login to special devices
 .SH "SYNOPSIS"
 .HP 17
-\fBpam_securetty.so\fR [debug]
+\fBpam_securetty\.so\fR [debug]
 .SH "DESCRIPTION"
 .PP
 pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in
-\fI/etc/securetty\fR. pam_securetty also checks to make sure that
+\fI/etc/securetty\fR\. pam_securetty also checks to make sure that
 \fI/etc/securetty\fR
-is a plain file and not world writable.
+is a plain file and not world writable\.
 .PP
 This module has no effect on non\-root users and requires that the application fills in the
 \fBPAM_TTY\fR
-item correctly.
+item correctly\.
 .PP
 For canonical usage, should be listed as a
 \fBrequired\fR
 authentication method before any
 \fBsufficient\fR
-authentication methods.
+authentication methods\.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBdebug\fR
-Print debug information.
+.RS 4
+Print debug information\.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBauth\fR
-service is supported.
+service is supported\.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
-The user is allowed to continue authentication. Either the user is not root, or the root user is trying to log in on an acceptable device.
-.TP 3n
+.RS 4
+The user is allowed to continue authentication\. Either the user is not root, or the root user is trying to log in on an acceptable device\.
+.RE
+.PP
 PAM_AUTH_ERR
-Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the
+.RS 4
+Authentication is rejected\. Either root is attempting to log in via an unacceptable device, or the
 \fI/etc/securetty\fR
-file is world writable or not a normal file.
-.TP 3n
+file is world writable or not a normal file\.
+.RE
+.PP
 PAM_INCOMPLETE
-An application error occurred. pam_securetty was not able to get information it required from the application that called it.
-.TP 3n
+.RS 4
+An application error occurred\. pam_securetty was not able to get information it required from the application that called it\.
+.RE
+.PP
 PAM_SERVICE_ERR
-An error occurred while the module was determining the user's name or tty, or the module could not open
-\fI/etc/securetty\fR.
-.TP 3n
+.RS 4
+An error occurred while the module was determining the user\'s name or tty, or the module could not open
+\fI/etc/securetty\fR\.
+.RE
+.PP
 PAM_IGNORE
+.RS 4
 The module could not find the user name in the
 \fI/etc/passwd\fR
-file to verify whether the user had a UID of 0. Therefore, the results of running this module are ignored.
+file to verify whether the user had a UID of 0\. Therefore, the results of running this module are ignored\.
+.RE
 .SH "EXAMPLES"
 .PP
 
 .sp
-.RS 3n
+.RS 4
 .nf
-auth  required  pam_securetty.so
-auth  required  pam_unix.so
+auth  required  pam_securetty\.so
+auth  required  pam_unix\.so
       
 .fi
 .RE
@@ -82,4 +94,4 @@ auth  required  pam_unix.so
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_securetty was written by Elliot Lee <sopwith@cuc.edu>.
+pam_securetty was written by Elliot Lee <sopwith@cuc\.edu>\.
diff --git a/Linux-PAM/modules/pam_selinux/Makefile.am b/Linux-PAM/modules/pam_selinux/Makefile.am
index d11b507c..baf782a8 100644
--- a/Linux-PAM/modules/pam_selinux/Makefile.am
+++ b/Linux-PAM/modules/pam_selinux/Makefile.am
@@ -1,8 +1,9 @@
 #
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
 #
 
 CLEANFILES = *~
+MAINTAINERCLEANFILES = $(MANS) README
 
 EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \
 		tst-pam_selinux
diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.8 b/Linux-PAM/modules/pam_selinux/pam_selinux.8
index 6709ac9c..ec26025d 100644
--- a/Linux-PAM/modules/pam_selinux/pam_selinux.8
+++ b/Linux-PAM/modules/pam_selinux/pam_selinux.8
@@ -1,92 +1,92 @@
 .\"     Title: pam_selinux
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: 06/20/2007
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\"      Date: 01/08/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_SELINUX" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SELINUX" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_selinux \- PAM module to set the default security context
+pam_selinux - PAM module to set the default security context
 .SH "SYNOPSIS"
 .HP 15
-\fBpam_selinux.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range]
+\fBpam_selinux\.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range]
 .SH "DESCRIPTION"
 .PP
-In a nutshell, pam_selinux sets up the default security context for the next execed shell.
+In a nutshell, pam_selinux sets up the default security context for the next execed shell\.
 .PP
-When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context. Also the controlling tty will have it's security context modified to match the users.
+When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\. Also the controlling tty will have it\'s security context modified to match the users\.
 .PP
-Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application. The close and open option help mitigate this problem. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run. You can add pam_selinux to the config file twice. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last. When PAM executes the close pass through the modules pam_selinux close_session will happen first.
+Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\. The close and open option help mitigate this problem\. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\. You can add pam_selinux to the config file twice\. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\. When PAM executes the close pass through the modules pam_selinux close_session will happen first\.
 .SH "OPTIONS"
 .PP
 \fBclose\fR
 .RS 4
-Only execute the close_session portion of the module.
+Only execute the close_session portion of the module\.
 .RE
 .PP
 \fBdebug\fR
 .RS 4
 Turns on debugging via
-\fBsyslog\fR(3).
+\fBsyslog\fR(3)\.
 .RE
 .PP
 \fBopen\fR
 .RS 4
-Only execute the open_session portion of the module.
+Only execute the open_session portion of the module\.
 .RE
 .PP
 \fBnottys\fR
 .RS 4
-Do not try to setup the ttys security context.
+Do not try to setup the ttys security context\.
 .RE
 .PP
 \fBverbose\fR
 .RS 4
-attempt to inform the user when security context is set.
+attempt to inform the user when security context is set\.
 .RE
 .PP
 \fBselect_context\fR
 .RS 4
-Attempt to ask the user for a custom security context role. If MLS is on ask also for sensitivity level.
+Attempt to ask the user for a custom security context role\. If MLS is on ask also for sensitivity level\.
 .RE
 .PP
 \fBuse_current_range\fR
 .RS 4
-Use the sensitivity range of the process for the user context. This option and the select_context option are mutually exclusive.
+Use the sensitivity range of the process for the user context\. This option and the select_context option are mutually exclusive\.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP