summaryrefslogtreecommitdiff
path: root/debian/patches-applied
diff options
context:
space:
mode:
authorNiels Thykier <niels@thykier.net>2018-08-11 15:31:24 +0000
committerNiels Thykier <niels@thykier.net>2018-08-11 15:31:24 +0000
commit8d540fb940a9b4213f19c523c490642356d03edb (patch)
treee0565860842e57ceb47ab30e36c0b4325f1ff346 /debian/patches-applied
parent60fe4501b4194949d3117a937abdfa90d3f138e9 (diff)
pam (1.1.8-3.8) unstable; urgency=medium
* Non-maintainer upload. * Set Rules-Requires-Root to binary-targets as pam relies on chgrp in debian/rules. * Update pam-auth-update to detect write errors and properly fail when that happens. (Closes: #880501) * Remove Roger Leigh from uploaders as he has restired from Debian. (Closes: #869348) * Reduce priority of libpam0g to optional. * Rebuild with a recent version of dpkg-source, which ensures that the Build-Depends are correct in the .dsc file. (Closes: #890602) * Apply patch from Felix Lechner to make pam-auth-update ignore editor backup files. (Closes: #519361) * Apply update to Brazilian Portuguese translations of the debconf templates. Thanks to Adriano Rafael Gomes. (Closes: #799417) [dgit import package pam 1.1.8-3.8]
Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/007_modules_pam_unix462
-rw-r--r--debian/patches-applied/008_modules_pam_limits_chroot132
-rw-r--r--debian/patches-applied/021_nis_cleanup44
-rw-r--r--debian/patches-applied/022_pam_unix_group_time_miscfixes22
-rw-r--r--debian/patches-applied/026_pam_unix_passwd_unknown_user33
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root253
-rw-r--r--debian/patches-applied/031_pam_include72
-rw-r--r--debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL22
-rw-r--r--debian/patches-applied/036_pam_wheel_getlogin_considered_harmful145
-rw-r--r--debian/patches-applied/040_pam_limits_log_failure36
-rw-r--r--debian/patches-applied/045_pam_dispatch_jump_is_ignore31
-rw-r--r--debian/patches-applied/054_pam_security_abstract_securetty_handling199
-rw-r--r--debian/patches-applied/055_pam_unix_nullok_secure223
-rw-r--r--debian/patches-applied/PAM-manpage-section1637
-rw-r--r--debian/patches-applied/cve-2010-4708.patch64
-rw-r--r--debian/patches-applied/cve-2013-7041.patch44
-rw-r--r--debian/patches-applied/cve-2014-2583.patch47
-rw-r--r--debian/patches-applied/cve-2015-3238.patch180
-rw-r--r--debian/patches-applied/do_not_check_nis_accidentally22
-rw-r--r--debian/patches-applied/hurd_no_setfsuid77
-rw-r--r--debian/patches-applied/lib_security_multiarch_compat71
-rw-r--r--debian/patches-applied/make_documentation_reproducible.patch28
-rw-r--r--debian/patches-applied/no_PATH_MAX_on_hurd22
-rw-r--r--debian/patches-applied/pam-limits-nofile-fd-setsize-cap58
-rw-r--r--debian/patches-applied/pam-loginuid-in-containers146
-rw-r--r--debian/patches-applied/pam_namespace_fix_bashism.patch61
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch25
-rw-r--r--debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch25
-rw-r--r--debian/patches-applied/series29
-rw-r--r--debian/patches-applied/update-motd168
30 files changed, 4378 insertions, 0 deletions
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
new file mode 100644
index 00000000..5dae4064
--- /dev/null
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -0,0 +1,462 @@
+Index: pam.debian/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.debian/modules/pam_unix/pam_unix_passwd.c
+@@ -102,6 +102,9 @@
+ # endif /* GNU libc 2.1 */
+ #endif
+
++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
++ unsigned int);
++
+ /*
+ How it works:
+ Gets in username (has to be done) from the calling program
+@@ -521,6 +524,11 @@
+ return retval;
+ }
+ }
++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
++ struct passwd *pwd;
++ pwd = pam_modutil_getpwnam(pamh, user);
++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
++ }
+ }
+ if (remark) {
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+@@ -536,7 +544,7 @@
+ int retval;
+ int remember = -1;
+ int rounds = -1;
+- int pass_min_len = 0;
++ int pass_min_len = 6;
+
+ /* <DO NOT free() THESE> */
+ const char *user;
+Index: pam.debian/modules/pam_unix/support.h
+===================================================================
+--- pam.debian.orig/modules/pam_unix/support.h
++++ pam.debian/modules/pam_unix/support.h
+@@ -97,8 +97,9 @@
+ password hash algorithms */
+ #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN 27 /* min length for password */
++#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */
+ /* -------------- */
+-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -107,34 +108,35 @@
+ /* symbol token name ctrl mask ctrl *
+ * ----------------------- ------------------- --------------------- -------- */
+
+-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
+-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
+-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},
+-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
+-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
+-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
+-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
+-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
+-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
+-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
+-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0},
++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0},
++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0},
++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0},
++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10, 0},
++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20, 0},
++/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0},
++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0},
++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0},
++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x2C22000), 0x2000, 1},
++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0, 0},
++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0},
++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0},
++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0},
++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2C22000), 0x20000, 1},
++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0},
++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0},
++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0},
++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0},
++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x2C22000), 0x400000, 1},
++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000, 1},
++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0},
++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1},
++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0},
++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -337,8 +337,81 @@
+ <listitem>
+ <para>
+ Set a minimum password length of <replaceable>n</replaceable>
+- characters. The max. for DES crypt based passwords are 8
+- characters.
++ characters. The default value is 6. The maximum for DES
++ crypt-based passwords is 8 characters.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>obscure</option>
++ </term>
++ <listitem>
++ <para>
++ Enable some extra checks on password strength. These checks
++ are based on the "obscure" checks in the original shadow
++ package. The behavior is similar to the pam_cracklib
++ module, but for non-dictionary-based checks. The following
++ checks are implemented:
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>Palindrome</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password is not a palindrome
++ of (i.e., the reverse of) the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Case Change Only</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't the same as the
++ old one with a change of case.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Similar</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't too much like
++ the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Simple</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password too simple? This is based on
++ the length of the password and the number of
++ different types of characters (alpha, numeric, etc.)
++ used.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Rotated</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password a rotated version of the old
++ password? (E.g., "billy" and "illyb")
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
+ </para>
+ </listitem>
+ </varlistentry>
+Index: pam.debian/modules/pam_unix/obscure.c
+===================================================================
+--- /dev/null
++++ pam.debian/modules/pam_unix/obscure.c
+@@ -0,0 +1,198 @@
++/*
++ * Copyright 1989 - 1994, Julianne Frances Haugh
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <ctype.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdlib.h>
++#include <pwd.h>
++#include <security/pam_modules.h>
++#include <security/_pam_macros.h>
++
++
++#include "support.h"
++
++/* can't be a palindrome - like `R A D A R' or `M A D A M' */
++static int palindrome(const char *old, const char *new) {
++ int i, j;
++
++ i = strlen (new);
++
++ for (j = 0;j < i;j++)
++ if (new[i - j - 1] != new[j])
++ return 0;
++
++ return 1;
++}
++
++/* more than half of the characters are different ones. */
++static int similar(const char *old, const char *new) {
++ int i, j;
++
++ /*
++ * XXX - sometimes this fails when changing from a simple password
++ * to a really long one (MD5). For now, I just return success if
++ * the new password is long enough. Please feel free to suggest
++ * something better... --marekm
++ */
++ if (strlen(new) >= 8)
++ return 0;
++
++ for (i = j = 0; new[i] && old[i]; i++)
++ if (strchr(new, old[i]))
++ j++;
++
++ if (i >= j * 2)
++ return 0;
++
++ return 1;
++}
++
++/* a nice mix of characters. */
++static int simple(const char *old, const char *new) {
++ int digits = 0;
++ int uppers = 0;
++ int lowers = 0;
++ int others = 0;
++ int size;
++ int i;
++
++ for (i = 0;new[i];i++) {
++ if (isdigit (new[i]))
++ digits++;
++ else if (isupper (new[i]))
++ uppers++;
++ else if (islower (new[i]))
++ lowers++;
++ else
++ others++;
++ }
++
++ /*
++ * The scam is this - a password of only one character type
++ * must be 8 letters long. Two types, 7, and so on.
++ */
++
++ size = 9;
++ if (digits) size--;
++ if (uppers) size--;
++ if (lowers) size--;
++ if (others) size--;
++
++ if (size <= i)
++ return 0;
++
++ return 1;
++}
++
++static char *str_lower(char *string) {
++ char *cp;
++
++ for (cp = string; *cp; cp++)
++ *cp = tolower(*cp);
++ return string;
++}
++
++static const char * password_check(const char *old, const char *new,
++ const struct passwd *pwdp) {
++ const char *msg = NULL;
++ char *oldmono, *newmono, *wrapped;
++
++ if (strcmp(new, old) == 0)
++ return _("Bad: new password must be different than the old one");
++
++ newmono = str_lower(strdup(new));
++ oldmono = str_lower(strdup(old));
++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
++ strcpy (wrapped, oldmono);
++ strcat (wrapped, oldmono);
++
++ if (palindrome(oldmono, newmono)) {
++ msg = _("Bad: new password cannot be a palindrome");
++ } else if (strcmp(oldmono, newmono) == 0) {
++ msg = _("Bad: new and old password must differ by more than just case");
++ } else if (similar(oldmono, newmono)) {
++ msg = _("Bad: new and old password are too similar");
++ } else if (simple(old, new)) {
++ msg = _("Bad: new password is too simple");
++ } else if (strstr(wrapped, newmono)) {
++ msg = _("Bad: new password is just a wrapped version of the old one");
++ }
++
++ _pam_delete(newmono);
++ _pam_delete(oldmono);
++ _pam_delete(wrapped);
++
++ return msg;
++}
++
++const char *obscure_msg(const char *old, const char *new,
++ const struct passwd *pwdp, unsigned int ctrl) {
++ int oldlen, newlen;
++ char *new1, *old1;
++ const char *msg;
++
++ if (old == NULL)
++ return NULL; /* no check if old is NULL */
++
++ oldlen = strlen(old);
++ newlen = strlen(new);
++
++ /* Remaining checks are optional. */
++ if (off(UNIX_OBSCURE_CHECKS,ctrl))
++ return NULL;
++
++ if ((msg = password_check(old, new, pwdp)) != NULL)
++ return msg;
++
++ /* The traditional crypt() truncates passwords to 8 chars. It is
++ possible to circumvent the above checks by choosing an easy
++ 8-char password and adding some random characters to it...
++ Example: "password$%^&*123". So check it again, this time
++ truncated to the maximum length. Idea from npasswd. --marekm */
++
++ if (!UNIX_DES_CRYPT(ctrl))
++ return NULL; /* unlimited password length */
++
++ if (oldlen <= 8 && newlen <= 8)
++ return NULL;
++
++ new1 = strndup(new,8);
++ old1 = strndup(old,8);
++
++ msg = password_check(old1, new1, pwdp);
++
++ _pam_delete(new1);
++ _pam_delete(old1);
++
++ return msg;
++}
+Index: pam.debian/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.debian.orig/modules/pam_unix/Makefile.am
++++ pam.debian/modules/pam_unix/Makefile.am
+@@ -43,7 +43,7 @@
+
+ pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+ if STATIC_MODULES
+ pam_unix_la_SOURCES += pam_unix_static.c
+ endif
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -183,7 +183,38 @@
+ .RS 4
+ Set a minimum password length of
+ \fIn\fR
+-characters\&. The max\&. for DES crypt based passwords are 8 characters\&.
++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&.
++.RE
++.PP
++\fBobscure\fR
++.RS 4
++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented:
++.PP
++\fBPalindrome\fR
++.RS 4
++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&.
++.RE
++.PP
++\fBCase Change Only\fR
++.RS 4
++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&.
++.RE
++.PP
++\fBSimilar\fR
++.RS 4
++Verifies that the new password isn\*(Aqt too much like the previous one\&.
++.RE
++.PP
++\fBSimple\fR
++.RS 4
++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&.
++.RE
++.PP
++\fBRotated\fR
++.RS 4
++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb")
++.RE
++.sp
+ .RE
+ .PP
+ Invalid arguments are logged with
diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot
new file mode 100644
index 00000000..fd4fc3a8
--- /dev/null
+++ b/debian/patches-applied/008_modules_pam_limits_chroot
@@ -0,0 +1,132 @@
+Index: pam.debian/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.c
++++ pam.debian/modules/pam_limits/pam_limits.c
+@@ -87,6 +87,7 @@
+ int flag_numsyslogins; /* whether to limit logins only for a
+ specific user or to count all logins */
+ int priority; /* the priority to run user process with */
++ char chroot_dir[8092]; /* directory to chroot into */
+ struct user_limits_struct limits[RLIM_NLIMITS];
+ const char *conf_file;
+ int utmp_after_pam_call;
+@@ -97,6 +98,7 @@
+ #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
+
+ #define LIMIT_PRI RLIM_NLIMITS+3
++#define LIMIT_CHROOT RLIM_NLIMITS+4
+
+ #define LIMIT_SOFT 1
+ #define LIMIT_HARD 2
+@@ -472,6 +474,8 @@
+ pl->login_limit = -2;
+ pl->login_limit_def = LIMITS_DEF_NONE;
+
++ pl->chroot_dir[0] = '\0';
++
+ return retval;
+ }
+
+@@ -542,6 +546,8 @@
+ pl->flag_numsyslogins = 1;
+ } else if (strcmp(lim_item, "priority") == 0) {
+ limit_item = LIMIT_PRI;
++ } else if (strcmp(lim_item, "chroot") == 0) {
++ limit_item = LIMIT_CHROOT;
+ } else {
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
+ return;
+@@ -579,9 +585,9 @@
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong limit value '%s' for limit type '%s'",
+ lim_value, lim_type);
+- return;
++ return;
+ }
+- } else {
++ } else if (limit_item != LIMIT_CHROOT) {
+ #ifdef __USE_FILE_OFFSET64
+ rlimit_value = strtoull (lim_value, &endptr, 10);
+ #else
+@@ -642,7 +648,11 @@
+ #endif
+ }
+
+- if ( (limit_item != LIMIT_LOGIN)
++ if (limit_item == LIMIT_CHROOT) {
++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1);
++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0';
++ }
++ else if ( (limit_item != LIMIT_LOGIN)
+ && (limit_item != LIMIT_NUMSYSLOGINS)
+ && (limit_item != LIMIT_PRI) ) {
+ if (limit_type & LIMIT_SOFT) {
+@@ -986,6 +996,15 @@
+ retval |= LOGIN_ERR;
+ }
+
++ if (!retval && pl->chroot_dir[0]) {
++ i = chdir(pl->chroot_dir);
++ if (i == 0)
++ i = chroot(pl->chroot_dir);
++ if (i == 0)
++ i = chdir("/");
++ if (i != 0)
++ retval = LIMIT_ERR;
++ }
+ return retval;
+ }
+
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -255,6 +255,12 @@
+ (Linux 2.6.12 and higher)</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term><option>chroot</option></term>
++ <listitem>
++ <para>the directory to chroot the user to</para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+Index: pam.debian/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -260,6 +260,11 @@
+ .RS 4
+ maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
+ .RE
++.PP
++\fBchroot\fR
++.RS 4
++the directory to chroot the user to
++.RE
+ .RE
+ .PP
+ All items support the values
+Index: pam.debian/modules/pam_limits/limits.conf
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf
++++ pam.debian/modules/pam_limits/limits.conf
+@@ -35,6 +35,7 @@
+ # - msgqueue - max memory used by POSIX message queues (bytes)
+ # - nice - max nice priority allowed to raise to values: [-20, 19]
+ # - rtprio - max realtime priority
++# - chroot - change root to directory (Debian-specific)
+ #
+ #<domain> <type> <item> <value>
+ #
+@@ -45,6 +46,7 @@
+ #@faculty soft nproc 20
+ #@faculty hard nproc 50
+ #ftp hard nproc 0
++#ftp - chroot /ftp
+ #@student - maxlogins 4
+
+ # End of file
diff --git a/debian/patches-applied/021_nis_cleanup b/debian/patches-applied/021_nis_cleanup
new file mode 100644
index 00000000..6b62bb7a
--- /dev/null
+++ b/debian/patches-applied/021_nis_cleanup
@@ -0,0 +1,44 @@
+Patch from Philippe Troin <phil@fifi.org>
+
+Originally this included a bunch of changes to locking, but the more
+recent code pulled from Linux_pam CVS seems to fix that issue.
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -577,7 +577,7 @@
+
+ if (_unix_blankpasswd(pamh, ctrl, user)) {
+ return PAM_SUCCESS;
+- } else if (off(UNIX__IAMROOT, ctrl)) {
++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
+ /* instruct user what is happening */
+ if (asprintf(&Announce, _("Changing password for %s."),
+ user) < 0) {
+@@ -590,7 +590,9 @@
+ set(UNIX__OLD_PASSWD, lctrl);
+ retval = _unix_read_password(pamh, lctrl
+ ,Announce
+- ,_("(current) UNIX password: ")
++ ,(on(UNIX__IAMROOT, ctrl)
++ ? _("NIS server root password: ")
++ : _("(current) UNIX password: "))
+ ,NULL
+ ,_UNIX_OLD_AUTHTOK
+ ,&pass_old);
+@@ -601,9 +603,12 @@
+ "password - (old) token not obtained");
+ return retval;
+ }
+- /* verify that this is the password for this user */
++ /* verify that this is the password for this user
++ * if we're not using NIS */
+
+- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ if (off(UNIX_NIS, ctrl)) {
++ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ }
+ } else {
+ D(("process run by root so do nothing this time around"));
+ pass_old = NULL;
diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes
new file mode 100644
index 00000000..73cba7a2
--- /dev/null
+++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes
@@ -0,0 +1,22 @@
+Description: handle the case of flags being empty or only PAM_SILENT, which is
+ documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
+ http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
+
+Index: pam.deb/modules/pam_group/pam_group.c
+===================================================================
+--- pam.deb.orig/modules/pam_group/pam_group.c
++++ pam.deb/modules/pam_group/pam_group.c
+@@ -765,9 +765,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user
new file mode 100644
index 00000000..1b1aade2
--- /dev/null
+++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user
@@ -0,0 +1,33 @@
+Description: distinguish between password manipulation failure and missing user.
+Author: Martin Schwenke <martin@meltin.net>
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -719,7 +719,7 @@
+ struct passwd *tmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ security_context_t prev_context=NULL;
+@@ -790,6 +790,7 @@
+
+ tmpent->pw_passwd = assigned_passwd.charp;
+ err = 0;
++ found = 1;
+ }
+ if (putpwent(tmpent, pwfile)) {
+ D(("error writing entry to password file: %m"));
+@@ -832,7 +833,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(PW_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
new file mode 100644
index 00000000..717fdd5c
--- /dev/null
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -0,0 +1,253 @@
+Description: Allow explicit limits for root and reset limits on each session
+ When crossing session boundaries (such as when su'ing from one user to
+ another), if the target account has no limit specified in limits.conf we
+ want to use the default, not the current value configured for the
+ source account.
+ .
+ If /proc/1/limits is unavailable, fall back to a set of hard-coded values
+ that shadow the currently known defaults on Linux.
+ .
+ Also, don't apply wildcard limits to the root account; only apply limits to
+ root that reference root by name.
+Author: Peter Paluch <peterp@frcatel.fri.utc.sk>,
+ Ben Collins <bcollins@debian.org>,
+ Steve Langasek <vorlon@debian.org>,
+Bug-Debian: http://bugs.debian.org/63230
+Index: pam.debian/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.c
++++ pam.debian/modules/pam_limits/pam_limits.c
+@@ -45,6 +45,14 @@
+ #include <libaudit.h>
+ #endif
+
++#ifndef MLOCK_LIMIT
++#ifdef __FreeBSD_kernel__
++#define MLOCK_LIMIT RLIM_INFINITY
++#else
++#define MLOCK_LIMIT (64*1024)
++#endif
++#endif
++
+ /* Module defines */
+ #define LINE_LENGTH 1024
+
+@@ -82,6 +90,7 @@
+
+ /* internal data */
+ struct pam_limit_s {
++ int root; /* running as root? */
+ int login_limit; /* the max logins limit */
+ int login_limit_def; /* which entry set the login limit */
+ int flag_numsyslogins; /* whether to limit logins only for a
+@@ -436,9 +445,18 @@
+ {
+ int i;
+ int retval = PAM_SUCCESS;
++ static int mlock_limit = 0;
+
+ D(("called."));
+
++ pl->root = 0;
++
++ if (mlock_limit == 0) {
++ mlock_limit = sysconf(_SC_PAGESIZE);
++ if (mlock_limit < MLOCK_LIMIT)
++ mlock_limit = MLOCK_LIMIT;
++ }
++
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ int r = getrlimit(i, &pl->limits[i].limit);
+ if (r == -1) {
+@@ -454,18 +472,68 @@
+ }
+
+ #ifdef __linux__
+- if (ctrl & PAM_SET_ALL) {
+- parse_kernel_limits(pamh, pl, ctrl);
++ parse_kernel_limits(pamh, pl, ctrl);
++#endif
+
+- for(i = 0; i < RLIM_NLIMITS; i++) {
++ for(i = 0; i < RLIM_NLIMITS; i++) {
+ if (pl->limits[i].supported &&
+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#ifdef __linux__
++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#endif
++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT;
++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT;
++ switch(i) {
++ case RLIMIT_CPU:
++ case RLIMIT_FSIZE:
++ case RLIMIT_DATA:
++ case RLIMIT_RSS:
++ case RLIMIT_NPROC:
++#ifdef RLIMIT_AS
++ case RLIMIT_AS:
++#endif
++#ifdef RLIMIT_LOCKS
++ case RLIMIT_LOCKS:
++#endif
++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_MEMLOCK:
++ pl->limits[i].limit.rlim_cur = mlock_limit;
++ pl->limits[i].limit.rlim_max = mlock_limit;
++ break;
++#ifdef RLIMIT_SIGPENDING
++ case RLIMIT_SIGPENDING:
++ pl->limits[i].limit.rlim_cur = 16382;
++ pl->limits[i].limit.rlim_max = 16382;
++ break;
++#endif
++#ifdef RLIMIT_MSGQUEUE
++ case RLIMIT_MSGQUEUE:
++ pl->limits[i].limit.rlim_cur = 819200;
++ pl->limits[i].limit.rlim_max = 819200;
++ break;
++#endif
++ case RLIMIT_CORE:
++ pl->limits[i].limit.rlim_cur = 0;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_STACK:
++ pl->limits[i].limit.rlim_cur = 8192*1024;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_NOFILE:
++ pl->limits[i].limit.rlim_cur = 1024;
++ pl->limits[i].limit.rlim_max = 1024;
++ break;
++ default:
++ pl->limits[i].src_soft = LIMITS_DEF_NONE;
++ pl->limits[i].src_hard = LIMITS_DEF_NONE;
++ break;
++ }
+ }
+- }
+ }
+-#endif
+
+ errno = 0;
+ pl->priority = getpriority (PRIO_PROCESS, 0);
+@@ -804,7 +872,7 @@
+
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+- else if (domain[0]=='@') {
++ else if (domain[0]=='@' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -830,7 +898,7 @@
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+ }
+- } else if (domain[0]=='%') {
++ } else if (domain[0]=='%' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -864,7 +932,7 @@
+ } else {
+ switch(rngtype) {
+ case LIMIT_RANGE_NONE:
+- if (strcmp(domain, "*") == 0)
++ if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ pl);
+ break;
+@@ -1050,6 +1118,8 @@
+ return PAM_ABORT;
+ }
+
++ if (pwd->pw_uid == 0)
++ pl->root = 1;
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
+ if (retval == PAM_IGNORE) {
+ D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
+Index: pam.debian/modules/pam_limits/limits.conf
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf
++++ pam.debian/modules/pam_limits/limits.conf
+@@ -11,6 +11,9 @@
+ # - the wildcard *, for default entry
+ # - the wildcard %, can be also used with %group syntax,
+ # for maxlogin limit
++# - NOTE: group and wildcard limits are not applied to root.
++# To apply a limit to the root user, <domain> must be
++# the literal username root.
+ #
+ #<type> can have the two values:
+ # - "soft" for enforcing the soft limits
+@@ -41,6 +44,7 @@
+ #
+
+ #* soft core 0
++#root hard core 100000
+ #* hard rss 10000
+ #@student hard nproc 20
+ #@faculty soft nproc 20
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -88,6 +88,11 @@
+ </para>
+ </listitem>
+ </itemizedlist>
++ <para>
++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
++ applied to the root user. To set a limit for the root user, this field
++ must contain the literal username <emphasis remap='B'>root</emphasis>.
++ </para>
+ </listitem>
+ </varlistentry>
+
+@@ -309,6 +314,7 @@
+ </para>
+ <programlisting>
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam.debian/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -132,6 +132,10 @@
+ \fB%:\fR\fI<gid>\fR
+ applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&.
+ .RE
++.sp
++\fBNOTE:\fR
++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username
++\fBroot\fR\&.
+ .RE
+ .PP
+ \fB<type>\fR
+@@ -304,6 +308,7 @@
+ .\}
+ .nf
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam.debian/modules/pam_limits/README
+===================================================================
+--- pam.debian.orig/modules/pam_limits/README
++++ pam.debian/modules/pam_limits/README
+@@ -54,6 +54,7 @@
+ limits.conf.
+
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include
new file mode 100644
index 00000000..da689047
--- /dev/null
+++ b/debian/patches-applied/031_pam_include
@@ -0,0 +1,72 @@
+Patch to implement an @include directive for use in pam.d config files.
+
+Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
+
+Upstream status: not yet submitted
+
+Index: pam.debian/libpam/pam_handlers.c
+===================================================================
+--- pam.debian.orig/libpam/pam_handlers.c
++++ pam.debian/libpam/pam_handlers.c
+@@ -122,6 +122,10 @@
+ module_type = PAM_T_ACCT;
+ } else if (!strcasecmp("password", tok)) {
+ module_type = PAM_T_PASS;
++ } else if (!strcasecmp("@include", tok)) {
++ pam_include = 1;
++ module_type = requested_module_type;
++ goto parsing_done;
+ } else {
+ /* Illegal module type */
+ D(("_pam_init_handlers: bad module type: %s", tok));
+@@ -192,8 +196,10 @@
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ }
+
++parsing_done:
+ tok = _pam_StrTok(NULL, " \n\t", &nexttok);
+ if (pam_include) {
++ struct stat include_dir;
+ if (substack) {
+ res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+ stack_level, module_type, actions, tok,
+@@ -204,13 +210,35 @@
+ return PAM_ABORT;
+ }
+ }
+- if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+- stack_level + substack
++ if (tok[0] == '/') {
++ if (_pam_load_conf_file(pamh, tok, this_service,
++ module_type, stack_level + substack
++#ifdef PAM_READ_BOTH_CONFS
++ , !other
++#endif /* PAM_READ_BOTH_CONFS */
++ ) == PAM_SUCCESS)
++ continue;
++ }
++ else if (!stat(PAM_CONFIG_D, &include_dir)
++ && S_ISDIR(include_dir.st_mode))
++ {
++ char *include_file;
++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) {
++ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
++ return PAM_ABORT;
++ }
++ if (_pam_load_conf_file(pamh, include_file, this_service,
++ module_type, stack_level + substack
+ #ifdef PAM_READ_BOTH_CONFS
+ , !other
+ #endif /* PAM_READ_BOTH_CONFS */
+- ) == PAM_SUCCESS)
+- continue;
++ ) == PAM_SUCCESS)
++ {
++ free(include_file);
++ continue;
++ }
++ free(include_file);
++ }
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ mod_path = NULL;
+ handler_type = PAM_HT_MUST_FAIL;
diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
new file mode 100644
index 00000000..58fab0ee
--- /dev/null
+++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
@@ -0,0 +1,22 @@
+setrlimit will sometimes return EPERM for example if you try to increase the
+number of open files too much. This is not something we want to consider
+fatal. This also happens if you use non-root and try to decrease a limit.
+Running PAM as non-root is not so great.
+
+Authors: ?
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam.deb/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.deb.orig/modules/pam_limits/pam_limits.c
++++ pam.deb/modules/pam_limits/pam_limits.c
+@@ -735,6 +735,8 @@
+ if (res != 0)
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+ rlimit2str(i));
++ if (res == -1 && errno == EPERM)
++ continue;
+ status |= res;
+ }
+
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
new file mode 100644
index 00000000..146d3e0a
--- /dev/null
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,145 @@
+Patch for Debian bug #163787 et al
+
+Always use the process uid, not getlogin(), to identify an applicant in
+pam_wheel; utmp may be wrong or may have no entry at all in the case of
+an xterm
+
+Authors: Ben Collins <bcollins@debian.org>
+
+Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
+
+Index: pam.debian/modules/pam_wheel/pam_wheel.c
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.c
++++ pam.debian/modules/pam_wheel/pam_wheel.c
+@@ -60,9 +60,8 @@
+ /* argument parsing */
+
+ #define PAM_DEBUG_ARG 0x0001
+-#define PAM_USE_UID_ARG 0x0002
+-#define PAM_TRUST_ARG 0x0004
+-#define PAM_DENY_ARG 0x0010
++#define PAM_TRUST_ARG 0x0002
++#define PAM_DENY_ARG 0x0004
+ #define PAM_ROOT_ONLY_ARG 0x0020
+
+ static int
+@@ -80,8 +79,7 @@
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+- else if (!strcmp(*argv,"use_uid"))
+- ctrl |= PAM_USE_UID_ARG;
++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
+ else if (!strcmp(*argv,"trust"))
+ ctrl |= PAM_TRUST_ARG;
+ else if (!strcmp(*argv,"deny"))
+@@ -129,27 +127,14 @@
+ }
+ }
+
+- if (ctrl & PAM_USE_UID_ARG) {
+- tpwd = pam_modutil_getpwuid (pamh, getuid());
+- if (!tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
+- fromsu = tpwd->pw_name;
+- } else {
+- fromsu = pam_modutil_getlogin(pamh);
+- if (fromsu) {
+- tpwd = pam_modutil_getpwnam (pamh, fromsu);
+- }
+- if (!fromsu || !tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
++ tpwd = pam_modutil_getpwuid (pamh, getuid());
++ if (!tpwd) {
++ if (ctrl & PAM_DEBUG_ARG) {
++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
++ return PAM_SERVICE_ERR;
+ }
++ fromsu = tpwd->pw_name;
+
+ /*
+ * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
+Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml
+@@ -33,9 +33,6 @@
+ <arg choice="opt">
+ trust
+ </arg>
+- <arg choice="opt">
+- use_uid
+- </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -115,18 +112,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>
+- <option>use_uid</option>
+- </term>
+- <listitem>
+- <para>
+- The check for wheel membership will be done against
+- the current uid instead of the original one (useful when
+- jumping with su from one account to another for example).
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: pam.debian/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8
++++ pam.debian/modules/pam_wheel/pam_wheel.8
+@@ -31,7 +31,7 @@
+ pam_wheel \- Only permit root access to members of group wheel
+ .SH "SYNOPSIS"
+ .HP \w'\fBpam_wheel\&.so\fR\ 'u
+-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
+ .SH "DESCRIPTION"
+ .PP
+ The pam_wheel PAM module is used to enforce the so\-called
+@@ -72,11 +72,6 @@
+ .RS 4
+ The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
+ .RE
+-.PP
+-\fBuse_uid\fR
+-.RS 4
+-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&.
+-.RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+ The
+Index: pam.debian/modules/pam_wheel/README
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/README
++++ pam.debian/modules/pam_wheel/README
+@@ -39,12 +39,6 @@
+ modules the wheel members may be able to su to root without being prompted
+ for a passwd).
+
+-use_uid
+-
+- The check for wheel membership will be done against the current uid instead
+- of the original one (useful when jumping with su from one account to
+- another for example).
+-
+ EXAMPLES
+
+ The root account gains access by default (rootok), only wheel members can
diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure
new file mode 100644
index 00000000..f80273e7
--- /dev/null
+++ b/debian/patches-applied/040_pam_limits_log_failure
@@ -0,0 +1,36 @@
+Patch for Debian bug #180310
+
+Generate some (low-severity) log information whenever setrlimit() fails,
+for debugging purposes.
+
+Authors: Sam Hartman <hartmans@debian.org>
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam.deb/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.deb.orig/modules/pam_limits/pam_limits.c
++++ pam.deb/modules/pam_limits/pam_limits.c
+@@ -732,9 +732,19 @@
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
+ res = setrlimit(i, &pl->limits[i].limit);
+- if (res != 0)
+- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+- rlimit2str(i));
++ if (res != 0 && (i != RLIMIT_NOFILE
++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY))
++ {
++ int save_errno = errno;
++ pam_syslog(pamh, LOG_DEBUG,
++ "Could not set limit for '%s' to soft=%d, hard=%d:"
++ " %m; uid=%lu,euid=%lu", rlimit2str(i),
++ pl->limits[i].limit.rlim_cur,
++ pl->limits[i].limit.rlim_max,
++ (unsigned long) getuid(),
++ (unsigned long) geteuid());
++ errno = save_errno;
++ }
+ if (res == -1 && errno == EPERM)
+ continue;
+ status |= res;
diff --git a/debian/patches-applied/045_pam_dispatch_jump_is_ignore b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
new file mode 100644
index 00000000..0e3491d3
--- /dev/null
+++ b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
@@ -0,0 +1,31 @@
+
+Previously jumps were treated as PAM_IGNORE in the freezing part of
+the chain and PAM_OK (aka required) in the frozen part of the chain.
+No one on pam-list was able to explain this behavior, so I changed it
+to be consistent.
+
+Index: pam.debian/libpam/pam_dispatch.c
+===================================================================
+--- pam.debian.orig/libpam/pam_dispatch.c
++++ pam.debian/libpam/pam_dispatch.c
+@@ -254,19 +254,7 @@
+ if ( _PAM_ACTION_IS_JUMP(action) ) {
+
+ /* If we are evaluating a cached chain, we treat this
+- module as required (aka _PAM_ACTION_OK) as well as
+- executing the jump. */
+-
+- if (use_cached_chain) {
+- if (impression == _PAM_UNDEF
+- || (impression == _PAM_POSITIVE
+- && status == PAM_SUCCESS) ) {
+- if ( retval != PAM_IGNORE || cached_retval == retval ) {
+- impression = _PAM_POSITIVE;
+- status = retval;
+- }
+- }
+- }
++ module as ignored as well as executing the jump. */
+
+ /* this means that we need to skip #action stacked modules */
+ while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
diff --git a/debian/patches-applied/054_pam_security_abstract_securetty_handling b/debian/patches-applied/054_pam_security_abstract_securetty_handling
new file mode 100644
index 00000000..91d6809f
--- /dev/null
+++ b/debian/patches-applied/054_pam_security_abstract_securetty_handling
@@ -0,0 +1,199 @@
+Description: extract the securetty logic for use with the "nullok_secure" option
+ introduced in the "055_pam_unix_nullok_secure" patch.
+
+Index: pam.debian/modules/pam_securetty/pam_securetty.c
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.c
++++ pam.debian/modules/pam_securetty/pam_securetty.c
+@@ -1,7 +1,5 @@
+ /* pam_securetty module */
+
+-#define SECURETTY_FILE "/etc/securetty"
+-#define TTY_PREFIX "/dev/"
+ #define CMDLINE_FILE "/proc/cmdline"
+ #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
+
+@@ -40,6 +38,9 @@
+ #include <security/pam_modutil.h>
+ #include <security/pam_ext.h>
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ #define PAM_DEBUG_ARG 0x0001
+ #define PAM_NOCONSOLE_ARG 0x0002
+
+@@ -73,11 +74,7 @@
+ const char *username;
+ const char *uttyname;
+ const void *void_uttyname;
+- char ttyfileline[256];
+- char ptname[256];
+- struct stat ttyfileinfo;
+ struct passwd *user_pwd;
+- FILE *ttyfile;
+
+ /* log a trail for debugging */
+ if (ctrl & PAM_DEBUG_ARG) {
+@@ -105,50 +102,7 @@
+ return PAM_SERVICE_ERR;
+ }
+
+- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
+- uttyname += sizeof(TTY_PREFIX)-1;
+- }
+-
+- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+- return PAM_SUCCESS; /* for compatibility with old securetty handling,
+- this needs to succeed. But we still log the
+- error. */
+- }
+-
+- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+- /* If the file is world writable or is not a
+- normal file, return error */
+- pam_syslog(pamh, LOG_ERR,
+- "%s is either world writable or not a normal file",
+- SECURETTY_FILE);
+- return PAM_AUTH_ERR;
+- }
+-
+- ttyfile = fopen(SECURETTY_FILE,"r");
+- if (ttyfile == NULL) { /* Check that we opened it successfully */
+- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+- return PAM_SERVICE_ERR;
+- }
+-
+- if (isdigit(uttyname[0])) {
+- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+- } else {
+- ptname[0] = '\0';
+- }
+-
+- retval = 1;
+-
+- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+- && retval) {
+- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+- ttyfileline[strlen(ttyfileline) - 1] = '\0';
+-
+- retval = ( strcmp(ttyfileline, uttyname)
+- && (!ptname[0] || strcmp(ptname, uttyname)) );
+- }
+- fclose(ttyfile);
++ retval = _pammodutil_tty_secure(pamh, uttyname);
+
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *cmdlinefile;
+Index: pam.debian/modules/pam_securetty/tty_secure.c
+===================================================================
+--- /dev/null
++++ pam.debian/modules/pam_securetty/tty_secure.c
+@@ -0,0 +1,90 @@
++/*
++ * A function to determine if a particular line is in /etc/securetty
++ */
++
++
++#define SECURETTY_FILE "/etc/securetty"
++#define TTY_PREFIX "/dev/"
++
++/* This function taken out of pam_securetty by Sam Hartman
++ * <hartmans@debian.org>*/
++/*
++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
++ * July 25, 1996.
++ * Slight modifications AGM. 1996/12/3
++ */
++
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <security/pam_modules.h>
++#include <stdarg.h>
++#include <syslog.h>
++#include <sys/syslog.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <ctype.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
++{
++ int retval = PAM_AUTH_ERR;
++ char ttyfileline[256];
++ char ptname[256];
++ struct stat ttyfileinfo;
++ FILE *ttyfile;
++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
++ uttyname += sizeof(TTY_PREFIX)-1;
++
++ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
++ SECURETTY_FILE);
++ return PAM_SUCCESS; /* for compatibility with old securetty handling,
++ this needs to succeed. But we still log the
++ error. */
++ }
++
++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
++ /* If the file is world writable or is not a
++ normal file, return error */
++ pam_syslog(pamh, LOG_ERR,
++ "%s is either world writable or not a normal file",
++ SECURETTY_FILE);
++ return PAM_AUTH_ERR;
++ }
++
++ ttyfile = fopen(SECURETTY_FILE,"r");
++ if(ttyfile == NULL) { /* Check that we opened it successfully */
++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
++ return PAM_SERVICE_ERR;
++ }
++
++ if (isdigit(uttyname[0])) {
++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
++ } else {
++ ptname[0] = '\0';
++ }
++
++ retval = 1;
++
++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
++ && retval) {
++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
++ ttyfileline[strlen(ttyfileline) - 1] = '\0';
++ retval = ( strcmp(ttyfileline,uttyname)
++ && (!ptname[0] || strcmp(ptname, uttyname)) );
++ }
++ fclose(ttyfile);
++
++ if(retval) {
++ retval = PAM_AUTH_ERR;
++ }
++
++ return retval;
++}
+Index: pam.debian/modules/pam_securetty/Makefile.am
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/Makefile.am
++++ pam.debian/modules/pam_securetty/Makefile.am
+@@ -24,6 +24,10 @@
+ securelib_LTLIBRARIES = pam_securetty.la
+ pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam
+
++pam_securetty_la_SOURCES = \
++ pam_securetty.c \
++ tty_secure.c
++
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_securetty.8.xml
diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure
new file mode 100644
index 00000000..8c1b84c7
--- /dev/null
+++ b/debian/patches-applied/055_pam_unix_nullok_secure
@@ -0,0 +1,223 @@
+Debian patch to add a new 'nullok_secure' option to pam_unix, which
+accepts users with null passwords only when the applicant is connected
+from a tty listed in /etc/securetty.
+
+Authors: Sam Hartman <hartmans@debian.org>,
+ Steve Langasek <vorlon@debian.org>
+
+Upstream status: not yet submitted
+
+Index: pam.debian/modules/pam_unix/support.c
+===================================================================
+--- pam.debian.orig/modules/pam_unix/support.c
++++ pam.debian/modules/pam_unix/support.c
+@@ -189,13 +189,22 @@
+ /* now parse the arguments to this module */
+
+ for (; argc-- > 0; ++argv) {
++ int sl;
+
+ D(("pam_unix arg: %s", *argv));
+
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+- if (unix_args[j].token
+- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
+- break;
++ if (unix_args[j].token) {
++ sl = strlen(unix_args[j].token);
++ if (unix_args[j].token[sl-1] == '=') {
++ /* exclude argument from comparison */
++ if (!strncmp(*argv, unix_args[j].token, sl))
++ break;
++ } else {
++ /* compare full strings */
++ if (!strcmp(*argv, unix_args[j].token))
++ break;
++ }
+ }
+ }
+
+@@ -565,6 +574,7 @@
+ child = fork();
+ if (child == 0) {
+ int i=0;
++ int nullok = off(UNIX__NONULL, ctrl);
+ struct rlimit rlim;
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL };
+@@ -595,7 +605,18 @@
+ /* exec binary helper */
+ args[0] = strdup(CHKPWD_HELPER);
+ args[1] = x_strdup(user);
+- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
++
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ const void *uttyname;
++ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval != PAM_SUCCESS || uttyname == NULL
++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ {
++ nullok = 0;
++ }
++ }
++
++ if (nullok) {
+ args[2]=strdup("nullok");
+ } else {
+ args[2]=strdup("nonull");
+@@ -675,6 +696,17 @@
+ if (on(UNIX__NONULL, ctrl))
+ return 0; /* will fail but don't let on yet */
+
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ int retval2;
++ const void *uttyname;
++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval2 != PAM_SUCCESS || uttyname == NULL)
++ return 0;
++
++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ return 0;
++ }
++
+ /* UNIX passwords area */
+
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
+@@ -761,7 +793,8 @@
+ }
+ }
+ } else {
+- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
++ retval = verify_pwd_hash(p, salt,
++ _unix_blankpasswd(pamh, ctrl, name));
+ }
+
+ if (retval == PAM_SUCCESS) {
+Index: pam.debian/modules/pam_unix/support.h
+===================================================================
+--- pam.debian.orig/modules/pam_unix/support.h
++++ pam.debian/modules/pam_unix/support.h
+@@ -98,8 +98,9 @@
+ #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN 27 /* min length for password */
+ #define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 29 /* NULL passwords allowed only on secure ttys */
+ /* -------------- */
+-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -117,7 +118,7 @@
+ /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0},
+ /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0},
+ /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200, 0},
+ /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
+ /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
+ /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
+@@ -137,6 +138,7 @@
+ /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1},
+ /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+@@ -172,6 +174,9 @@
+ ,const char *data_name
+ ,const void **pass);
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ extern int _unix_run_verify_binary(pam_handle_t *pamh,
+ unsigned int ctrl, const char *user, int *daysleft);
+ #endif /* _PAM_UNIX_SUPPORT_H */
+Index: pam.debian/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.debian.orig/modules/pam_unix/Makefile.am
++++ pam.debian/modules/pam_unix/Makefile.am
+@@ -30,7 +30,8 @@
+ pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
+- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)
++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
++ ../pam_securetty/tty_secure.lo
+
+ securelib_LTLIBRARIES = pam_unix.la
+
+Index: pam.debian/modules/pam_unix/README
+===================================================================
+--- pam.debian.orig/modules/pam_unix/README
++++ pam.debian/modules/pam_unix/README
+@@ -58,7 +58,16 @@
+
+ The default action of this module is to not permit the user access to a
+ service if their official password is blank. The nullok argument overrides
+- this default.
++ this default and allows any user with a blank password to access the
++ service.
++
++nullok_secure
++
++ The default action of this module is to not permit the user access to a
++ service if their official password is blank. The nullok_secure argument
++ overrides this default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of the values
++ found in /etc/securetty.
+
+ try_first_pass
+
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -82,7 +82,14 @@
+ .RS 4
+ The default action of this module is to not permit the user access to a service if their official password is blank\&. The
+ \fBnullok\fR
+-argument overrides this default\&.
++argument overrides this default and allows any user with a blank password to access the service\&.
++.RE
++.PP
++\fBnullok_secure\fR
++.RS 4
++The default action of this module is to not permit the user access to a service if their official password is blank\&. The
++\fBnullok_secure\fR
++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&.
+ .RE
+ .PP
+ \fBtry_first_pass\fR
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -137,7 +137,24 @@
+ <para>
+ The default action of this module is to not permit the
+ user access to a service if their official password is blank.
+- The <option>nullok</option> argument overrides this default.
++ The <option>nullok</option> argument overrides this default
++ and allows any user with a blank password to access the
++ service.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>nullok_secure</option>
++ </term>
++ <listitem>
++ <para>
++ The default action of this module is to not permit the
++ user access to a service if their official password is blank.
++ The <option>nullok_secure</option> argument overrides this
++ default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of
++ the values found in /etc/securetty.
+ </para>
+ </listitem>
+ </varlistentry>
diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section
new file mode 100644
index 00000000..fc0dcab4
--- /dev/null
+++ b/debian/patches-applied/PAM-manpage-section
@@ -0,0 +1,1637 @@
+Patch to put the PAM manpage in section 7 (general topics) instead of 8
+(system administration commands)
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: maybe provide a backwards-compatibility link first?
+
+Index: pam.debian/doc/man/pam.8.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam.8.xml
++++ pam.debian/doc/man/pam.8.xml
+@@ -6,7 +6,7 @@
+
+ <refmeta>
+ <refentrytitle>pam</refentrytitle>
+- <manvolnum>8</manvolnum>
++ <manvolnum>7</manvolnum>
+ <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+@@ -179,7 +179,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>PAM</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/PAM.8
+===================================================================
+--- pam.debian.orig/doc/man/PAM.8
++++ pam.debian/doc/man/PAM.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam
+ .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\" Date: 09/19/2013
++.\" Date: 01/16/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM" "8" "09/19/2013" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM" "7" "01/16/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -118,4 +118,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_sm_setcred\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBPAM\fR(8)
++\fBPAM\fR(7)
+Index: pam.debian/modules/pam_access/access.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_access/access.conf.5.xml
++++ pam.debian/modules/pam_access/access.conf.5.xml
+@@ -191,7 +191,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_access/access.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_access/access.conf.5
++++ pam.debian/modules/pam_access/access.conf.5
+@@ -181,7 +181,7 @@
+ .PP
+ \fBpam_access\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ Original
+Index: pam.debian/modules/pam_env/pam_env.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.conf.5.xml
++++ pam.debian/modules/pam_env/pam_env.conf.5.xml
+@@ -110,7 +110,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_env/pam_env.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.conf.5
++++ pam.debian/modules/pam_env/pam_env.conf.5
+@@ -112,7 +112,7 @@
+ .PP
+ \fBpam_env\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&.
+Index: pam.debian/modules/pam_group/group.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_group/group.conf.5.xml
++++ pam.debian/modules/pam_group/group.conf.5.xml
+@@ -128,7 +128,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_group/group.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_group/group.conf.5
++++ pam.debian/modules/pam_group/group.conf.5
+@@ -113,7 +113,7 @@
+ .PP
+ \fBpam_group\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -343,7 +343,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
+ </para>
+Index: pam.debian/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -339,7 +339,7 @@
+ .PP
+ \fBpam_limits\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBgetrlimit\fR(2)\fBgetrlimit\fR(3p)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/modules/pam_namespace/namespace.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/namespace.conf.5.xml
++++ pam.debian/modules/pam_namespace/namespace.conf.5.xml
+@@ -204,7 +204,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_namespace/namespace.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/namespace.conf.5
++++ pam.debian/modules/pam_namespace/namespace.conf.5
+@@ -155,7 +155,7 @@
+ .PP
+ \fBpam_namespace\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam.debian/modules/pam_time/time.conf.5.xml
+===================================================================
+--- pam.debian.orig/modules/pam_time/time.conf.5.xml
++++ pam.debian/modules/pam_time/time.conf.5.xml
+@@ -130,7 +130,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_time/time.conf.5
+===================================================================
+--- pam.debian.orig/modules/pam_time/time.conf.5
++++ pam.debian/modules/pam_time/time.conf.5
+@@ -107,7 +107,7 @@
+ .PP
+ \fBpam_time\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_access/pam_access.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_access/pam_access.8.xml
++++ pam.debian/modules/pam_access/pam_access.8.xml
+@@ -237,7 +237,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_access/pam_access.8
+===================================================================
+--- pam.debian.orig/modules/pam_access/pam_access.8
++++ pam.debian/modules/pam_access/pam_access.8
+@@ -125,7 +125,7 @@
+ .PP
+ \fBaccess.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&.
+Index: pam.debian/modules/pam_cracklib/pam_cracklib.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8.xml
++++ pam.debian/modules/pam_cracklib/pam_cracklib.8.xml
+@@ -577,7 +577,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_cracklib/pam_cracklib.8
+===================================================================
+--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8
++++ pam.debian/modules/pam_cracklib/pam_cracklib.8
+@@ -357,7 +357,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_cracklib was written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam.debian/modules/pam_debug/pam_debug.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_debug/pam_debug.8.xml
++++ pam.debian/modules/pam_debug/pam_debug.8.xml
+@@ -216,7 +216,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_debug/pam_debug.8
+===================================================================
+--- pam.debian.orig/modules/pam_debug/pam_debug.8
++++ pam.debian/modules/pam_debug/pam_debug.8
+@@ -138,7 +138,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_deny/pam_deny.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_deny/pam_deny.8.xml
++++ pam.debian/modules/pam_deny/pam_deny.8.xml
+@@ -120,7 +120,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_deny/pam_deny.8
+===================================================================
+--- pam.debian.orig/modules/pam_deny/pam_deny.8
++++ pam.debian/modules/pam_deny/pam_deny.8
+@@ -96,7 +96,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org>
+Index: pam.debian/modules/pam_echo/pam_echo.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_echo/pam_echo.8.xml
++++ pam.debian/modules/pam_echo/pam_echo.8.xml
+@@ -159,7 +159,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry></para>
+ </refsect1>
+
+Index: pam.debian/modules/pam_echo/pam_echo.8
+===================================================================
+--- pam.debian.orig/modules/pam_echo/pam_echo.8
++++ pam.debian/modules/pam_echo/pam_echo.8
+@@ -126,7 +126,7 @@
+ .PP
+ \fBpam.conf\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam.debian/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8.xml
++++ pam.debian/modules/pam_env/pam_env.8.xml
+@@ -235,7 +235,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_exec/pam_exec.8.xml
++++ pam.debian/modules/pam_exec/pam_exec.8.xml
+@@ -257,7 +257,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.debian.orig/modules/pam_exec/pam_exec.8
++++ pam.debian/modules/pam_exec/pam_exec.8
+@@ -160,7 +160,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&.
+Index: pam.debian/modules/pam_faildelay/pam_faildelay.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8.xml
++++ pam.debian/modules/pam_faildelay/pam_faildelay.8.xml
+@@ -121,7 +121,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_faildelay/pam_faildelay.8
+===================================================================
+--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8
++++ pam.debian/modules/pam_faildelay/pam_faildelay.8
+@@ -87,7 +87,7 @@
+ \fBpam_fail_delay\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&.
+Index: pam.debian/modules/pam_filter/pam_filter.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_filter/pam_filter.8.xml
++++ pam.debian/modules/pam_filter/pam_filter.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_filter/pam_filter.8
+===================================================================
+--- pam.debian.orig/modules/pam_filter/pam_filter.8
++++ pam.debian/modules/pam_filter/pam_filter.8
+@@ -166,7 +166,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_ftp/pam_ftp.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_ftp/pam_ftp.8.xml
++++ pam.debian/modules/pam_ftp/pam_ftp.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_ftp/pam_ftp.8
+===================================================================
+--- pam.debian.orig/modules/pam_ftp/pam_ftp.8
++++ pam.debian/modules/pam_ftp/pam_ftp.8
+@@ -119,7 +119,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_group/pam_group.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_group/pam_group.8.xml
++++ pam.debian/modules/pam_group/pam_group.8.xml
+@@ -148,7 +148,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_group/pam_group.8
+===================================================================
+--- pam.debian.orig/modules/pam_group/pam_group.8
++++ pam.debian/modules/pam_group/pam_group.8
+@@ -103,7 +103,7 @@
+ .PP
+ \fBgroup.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_issue/pam_issue.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_issue/pam_issue.8.xml
++++ pam.debian/modules/pam_issue/pam_issue.8.xml
+@@ -219,7 +219,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_issue/pam_issue.8
+===================================================================
+--- pam.debian.orig/modules/pam_issue/pam_issue.8
++++ pam.debian/modules/pam_issue/pam_issue.8
+@@ -152,7 +152,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_issue was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam.debian/modules/pam_keyinit/pam_keyinit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8.xml
++++ pam.debian/modules/pam_keyinit/pam_keyinit.8.xml
+@@ -223,7 +223,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
+Index: pam.debian/modules/pam_keyinit/pam_keyinit.8
+===================================================================
+--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8
++++ pam.debian/modules/pam_keyinit/pam_keyinit.8
+@@ -130,7 +130,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBkeyctl\fR(1)
++\fBpam\fR(7)\fBkeyctl\fR(1)
+ .SH "AUTHOR"
+ .PP
+ pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8.xml
++++ pam.debian/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -298,7 +298,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8
+===================================================================
+--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8
++++ pam.debian/modules/pam_lastlog/pam_lastlog.8
+@@ -173,7 +173,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_limits/pam_limits.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.8.xml
++++ pam.debian/modules/pam_limits/pam_limits.8.xml
+@@ -241,7 +241,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_limits/pam_limits.8
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.8
++++ pam.debian/modules/pam_limits/pam_limits.8
+@@ -146,7 +146,7 @@
+ .PP
+ \fBlimits.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam.debian/modules/pam_listfile/pam_listfile.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_listfile/pam_listfile.8.xml
++++ pam.debian/modules/pam_listfile/pam_listfile.8.xml
+@@ -281,7 +281,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_listfile/pam_listfile.8
+===================================================================
+--- pam.debian.orig/modules/pam_listfile/pam_listfile.8
++++ pam.debian/modules/pam_listfile/pam_listfile.8
+@@ -205,7 +205,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam.debian/modules/pam_localuser/pam_localuser.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_localuser/pam_localuser.8.xml
++++ pam.debian/modules/pam_localuser/pam_localuser.8.xml
+@@ -158,7 +158,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_localuser/pam_localuser.8
+===================================================================
+--- pam.debian.orig/modules/pam_localuser/pam_localuser.8
++++ pam.debian/modules/pam_localuser/pam_localuser.8
+@@ -102,7 +102,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&.
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8.xml
++++ pam.debian/modules/pam_loginuid/pam_loginuid.8.xml
+@@ -104,7 +104,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8
+===================================================================
+--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8
++++ pam.debian/modules/pam_loginuid/pam_loginuid.8
+@@ -75,7 +75,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBauditctl\fR(8),
+ \fBauditd\fR(8)
+ .SH "AUTHOR"
+Index: pam.debian/modules/pam_mail/pam_mail.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_mail/pam_mail.8.xml
++++ pam.debian/modules/pam_mail/pam_mail.8.xml
+@@ -265,7 +265,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_mail/pam_mail.8
+===================================================================
+--- pam.debian.orig/modules/pam_mail/pam_mail.8
++++ pam.debian/modules/pam_mail/pam_mail.8
+@@ -153,7 +153,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml
++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+@@ -189,7 +189,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8
++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8
+@@ -123,7 +123,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&.
+Index: pam.debian/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml
++++ pam.debian/modules/pam_motd/pam_motd.8.xml
+@@ -99,7 +99,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8
++++ pam.debian/modules/pam_motd/pam_motd.8
+@@ -78,7 +78,7 @@
+ \fBmotd\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_motd was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam.debian/modules/pam_namespace/pam_namespace.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/pam_namespace.8.xml
++++ pam.debian/modules/pam_namespace/pam_namespace.8.xml
+@@ -399,7 +399,7 @@
+ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_namespace/pam_namespace.8
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/pam_namespace.8
++++ pam.debian/modules/pam_namespace/pam_namespace.8
+@@ -178,7 +178,7 @@
+ \fBnamespace.conf\fR(5),
+ \fBpam.d\fR(5),
+ \fBmount\fR(8),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam.debian/modules/pam_nologin/pam_nologin.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_nologin/pam_nologin.8.xml
++++ pam.debian/modules/pam_nologin/pam_nologin.8.xml
+@@ -160,7 +160,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_nologin/pam_nologin.8
+===================================================================
+--- pam.debian.orig/modules/pam_nologin/pam_nologin.8
++++ pam.debian/modules/pam_nologin/pam_nologin.8
+@@ -124,7 +124,7 @@
+ \fBnologin\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam.debian/modules/pam_permit/pam_permit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_permit/pam_permit.8.xml
++++ pam.debian/modules/pam_permit/pam_permit.8.xml
+@@ -91,7 +91,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_permit/pam_permit.8
+===================================================================
+--- pam.debian.orig/modules/pam_permit/pam_permit.8
++++ pam.debian/modules/pam_permit/pam_permit.8
+@@ -78,7 +78,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8.xml
++++ pam.debian/modules/pam_rhosts/pam_rhosts.8.xml
+@@ -156,7 +156,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8
+===================================================================
+--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8
++++ pam.debian/modules/pam_rhosts/pam_rhosts.8
+@@ -122,7 +122,7 @@
+ \fBrhosts\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam.debian/modules/pam_rootok/pam_rootok.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_rootok/pam_rootok.8.xml
++++ pam.debian/modules/pam_rootok/pam_rootok.8.xml
+@@ -116,7 +116,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_rootok/pam_rootok.8
+===================================================================
+--- pam.debian.orig/modules/pam_rootok/pam_rootok.8
++++ pam.debian/modules/pam_rootok/pam_rootok.8
+@@ -99,7 +99,7 @@
+ \fBsu\fR(1),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.8.xml
++++ pam.debian/modules/pam_securetty/pam_securetty.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_securetty/pam_securetty.8
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.8
++++ pam.debian/modules/pam_securetty/pam_securetty.8
+@@ -119,7 +119,7 @@
+ \fBsecuretty\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam.debian/modules/pam_selinux/pam_selinux.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_selinux/pam_selinux.8.xml
++++ pam.debian/modules/pam_selinux/pam_selinux.8.xml
+@@ -258,7 +258,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam.debian/modules/pam_selinux/pam_selinux.8
+===================================================================
+--- pam.debian.orig/modules/pam_selinux/pam_selinux.8
++++ pam.debian/modules/pam_selinux/pam_selinux.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam_selinux
+ .\" Author: [see the "AUTHOR" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\" Date: 06/18/2013
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SELINUX" "8" "06/18/2013" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_SELINUX" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -144,7 +144,7 @@
+ \fBexecve\fR(2),
+ \fBtty\fR(4),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/modules/pam_sepermit/pam_sepermit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8.xml
++++ pam.debian/modules/pam_sepermit/pam_sepermit.8.xml
+@@ -176,7 +176,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam.debian/modules/pam_sepermit/pam_sepermit.8
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8
++++ pam.debian/modules/pam_sepermit/pam_sepermit.8
+@@ -124,7 +124,7 @@
+ \fBsepermit.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBselinux\fR(8)
++\fBpam\fR(7)\fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+ pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam.debian/modules/pam_shells/pam_shells.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_shells/pam_shells.8.xml
++++ pam.debian/modules/pam_shells/pam_shells.8.xml
+@@ -102,7 +102,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_shells/pam_shells.8
+===================================================================
+--- pam.debian.orig/modules/pam_shells/pam_shells.8
++++ pam.debian/modules/pam_shells/pam_shells.8
+@@ -85,7 +85,7 @@
+ \fBshells\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_shells was written by Erik Troan <ewt@redhat\&.com>\&.
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8.xml
++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml
+@@ -295,7 +295,7 @@
+ <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8
+===================================================================
+--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8
++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8
+@@ -220,7 +220,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBglob\fR(7),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Nalin Dahyabhai <nalin@redhat\&.com>
+Index: pam.debian/modules/pam_tally/pam_tally.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_tally/pam_tally.8.xml
++++ pam.debian/modules/pam_tally/pam_tally.8.xml
+@@ -444,7 +444,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_tally/pam_tally.8
+===================================================================
+--- pam.debian.orig/modules/pam_tally/pam_tally.8
++++ pam.debian/modules/pam_tally/pam_tally.8
+@@ -248,7 +248,7 @@
+ \fBfaillog\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tally was written by Tim Baverstock and Tomas Mraz\&.
+Index: pam.debian/modules/pam_time/pam_time.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_time/pam_time.8.xml
++++ pam.debian/modules/pam_time/pam_time.8.xml
+@@ -169,7 +169,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_time/pam_time.8
+===================================================================
+--- pam.debian.orig/modules/pam_time/pam_time.8
++++ pam.debian/modules/pam_time/pam_time.8
+@@ -109,7 +109,7 @@
+ .PP
+ \fBtime.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_umask/pam_umask.8.xml
++++ pam.debian/modules/pam_umask/pam_umask.8.xml
+@@ -201,7 +201,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_umask/pam_umask.8
+===================================================================
+--- pam.debian.orig/modules/pam_umask/pam_umask.8
++++ pam.debian/modules/pam_umask/pam_umask.8
+@@ -150,7 +150,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&.
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -494,7 +494,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -269,7 +269,7 @@
+ \fBlogin.defs\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_unix was written by various people\&.
+Index: pam.debian/doc/man/misc_conv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3.xml
++++ pam.debian/doc/man/misc_conv.3.xml
+@@ -171,7 +171,7 @@
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/misc_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3
++++ pam.debian/doc/man/misc_conv.3
+@@ -117,7 +117,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_conv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_acct_mgmt.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3.xml
++++ pam.debian/doc/man/pam_acct_mgmt.3.xml
+@@ -138,7 +138,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_acct_mgmt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3
++++ pam.debian/doc/man/pam_acct_mgmt.3
+@@ -97,4 +97,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_authenticate.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3.xml
++++ pam.debian/doc/man/pam_authenticate.3.xml
+@@ -162,7 +162,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_authenticate.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3
++++ pam.debian/doc/man/pam_authenticate.3
+@@ -107,4 +107,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_chauthtok.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3.xml
++++ pam.debian/doc/man/pam_chauthtok.3.xml
+@@ -157,7 +157,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_chauthtok.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3
++++ pam.debian/doc/man/pam_chauthtok.3
+@@ -106,4 +106,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_conv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3.xml
++++ pam.debian/doc/man/pam_conv.3.xml
+@@ -221,7 +221,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3
++++ pam.debian/doc/man/pam_conv.3
+@@ -174,4 +174,4 @@
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_error.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3.xml
++++ pam.debian/doc/man/pam_error.3.xml
+@@ -105,7 +105,7 @@
+ <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_error.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3
++++ pam.debian/doc/man/pam_error.3
+@@ -80,7 +80,7 @@
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+ \fBpam_vprompt\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_getenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3.xml
++++ pam.debian/doc/man/pam_getenv.3.xml
+@@ -60,7 +60,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_getenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3
++++ pam.debian/doc/man/pam_getenv.3
+@@ -57,4 +57,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_getenvlist.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3.xml
++++ pam.debian/doc/man/pam_getenvlist.3.xml
+@@ -78,7 +78,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_getenvlist.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3
++++ pam.debian/doc/man/pam_getenvlist.3
+@@ -63,4 +63,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_info.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3.xml
++++ pam.debian/doc/man/pam_info.3.xml
+@@ -93,7 +93,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_info.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3
++++ pam.debian/doc/man/pam_info.3
+@@ -76,7 +76,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_drop_env.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3.xml
++++ pam.debian/doc/man/pam_misc_drop_env.3.xml
+@@ -46,7 +46,7 @@
+ <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_misc_drop_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3
++++ pam.debian/doc/man/pam_misc_drop_env.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_getenvlist\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_paste_env.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3.xml
++++ pam.debian/doc/man/pam_misc_paste_env.3.xml
+@@ -44,7 +44,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_misc_paste_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3
++++ pam.debian/doc/man/pam_misc_paste_env.3
+@@ -47,7 +47,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_setenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_setenv.3.xml
++++ pam.debian/doc/man/pam_misc_setenv.3.xml
+@@ -51,7 +51,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_misc_setenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_setenv.3
++++ pam.debian/doc/man/pam_misc_setenv.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_prompt.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_prompt.3.xml
++++ pam.debian/doc/man/pam_prompt.3.xml
+@@ -95,7 +95,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+Index: pam.debian/doc/man/pam_prompt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_prompt.3
++++ pam.debian/doc/man/pam_prompt.3
+@@ -70,7 +70,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBpam_conv\fR(3)
+ .SH "STANDARDS"
+ .PP
+Index: pam.debian/doc/man/pam_putenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_putenv.3.xml
++++ pam.debian/doc/man/pam_putenv.3.xml
+@@ -145,7 +145,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_putenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_putenv.3
++++ pam.debian/doc/man/pam_putenv.3
+@@ -108,4 +108,4 @@
+ \fBpam_getenv\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_strerror.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_strerror.3.xml
++++ pam.debian/doc/man/pam_strerror.3.xml
+@@ -51,7 +51,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_strerror.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_strerror.3
++++ pam.debian/doc/man/pam_strerror.3
+@@ -49,4 +49,4 @@
+ This function returns always a pointer to a string\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_syslog.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_syslog.3.xml
++++ pam.debian/doc/man/pam_syslog.3.xml
+@@ -66,7 +66,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/doc/man/pam_syslog.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_syslog.3
++++ pam.debian/doc/man/pam_syslog.3
+@@ -67,7 +67,7 @@
+ variable argument list macros\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/modules/pam_userdb/pam_userdb.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_userdb/pam_userdb.8.xml
++++ pam.debian/modules/pam_userdb/pam_userdb.8.xml
+@@ -277,7 +277,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_userdb/pam_userdb.8
+===================================================================
+--- pam.debian.orig/modules/pam_userdb/pam_userdb.8
++++ pam.debian/modules/pam_userdb/pam_userdb.8
+@@ -150,7 +150,7 @@
+ \fBcrypt\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&.
+Index: pam.debian/modules/pam_warn/pam_warn.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_warn/pam_warn.8.xml
++++ pam.debian/modules/pam_warn/pam_warn.8.xml
+@@ -90,7 +90,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_warn/pam_warn.8
+===================================================================
+--- pam.debian.orig/modules/pam_warn/pam_warn.8
++++ pam.debian/modules/pam_warn/pam_warn.8
+@@ -83,7 +83,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml
+@@ -212,7 +212,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8
++++ pam.debian/modules/pam_wheel/pam_wheel.8
+@@ -136,7 +136,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
+Index: pam.debian/modules/pam_xauth/pam_xauth.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_xauth/pam_xauth.8.xml
++++ pam.debian/modules/pam_xauth/pam_xauth.8.xml
+@@ -276,7 +276,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam.debian/modules/pam_xauth/pam_xauth.8
+===================================================================
+--- pam.debian.orig/modules/pam_xauth/pam_xauth.8
++++ pam.debian/modules/pam_xauth/pam_xauth.8
+@@ -177,7 +177,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam.debian/modules/pam_env/pam_env.8
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8
++++ pam.debian/modules/pam_env/pam_env.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam_env
+ .\" Author: [see the "AUTHOR" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\" Date: 01/15/2014
++.\" Date: 01/16/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ENV" "8" "01/15/2014" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ENV" "8" "01/16/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
diff --git a/debian/patches-applied/cve-2010-4708.patch b/debian/patches-applied/cve-2010-4708.patch
new file mode 100644
index 00000000..cf23e318
--- /dev/null
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -0,0 +1,64 @@
+Description: fix cve-2010-4708: .pam_environment privilege issue
+Index: pam.debian/modules/pam_env/pam_env.c
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.c
++++ pam.debian/modules/pam_env/pam_env.c
+@@ -10,7 +10,7 @@
+ #define DEFAULT_READ_ENVFILE 1
+
+ #define DEFAULT_USER_ENVFILE ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 1
++#define DEFAULT_USER_READ_ENVFILE 0
+
+ #include "config.h"
+
+Index: pam.debian/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8.xml
++++ pam.debian/modules/pam_env/pam_env.8.xml
+@@ -147,7 +147,7 @@
+ <listitem>
+ <para>
+ Turns on or off the reading of the user specific environment
+- file. 0 is off, 1 is on. By default this option is on.
++ file. 0 is off, 1 is on. By default this option is off.
+ </para>
+ </listitem>
+ </varlistentry>
+Index: pam.debian/modules/pam_env/pam_env.8
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8
++++ pam.debian/modules/pam_env/pam_env.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam_env
+ .\" Author: [see the "AUTHOR" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\" Date: 09/19/2013
++.\" Date: 01/15/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ENV" "8" "09/19/2013" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ENV" "8" "01/15/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -88,7 +88,7 @@
+ .PP
+ \fBuser_readenv=\fR\fB\fI0|1\fR\fR
+ .RS 4
+-Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is on\&.
++Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is off\&.
+ .RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+@@ -138,7 +138,7 @@
+ .PP
+ \fBpam_env.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&.
diff --git a/debian/patches-applied/cve-2013-7041.patch b/debian/patches-applied/cve-2013-7041.patch
new file mode 100644
index 00000000..dac35b25
--- /dev/null
+++ b/debian/patches-applied/cve-2013-7041.patch
@@ -0,0 +1,44 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ } else {
+ cryptpw = crypt (pass, data.dptr);
+
+- if (cryptpw) {
+- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++ compare = memcmp(data.dptr, cryptpw, data.dsize);
+ } else {
+ compare = -2;
+ if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++ if (cryptpw)
++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++ else
++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ }
+ };
+
diff --git a/debian/patches-applied/cve-2014-2583.patch b/debian/patches-applied/cve-2014-2583.patch
new file mode 100644
index 00000000..3eb91702
--- /dev/null
+++ b/debian/patches-applied/cve-2014-2583.patch
@@ -0,0 +1,47 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ tty = strrchr(tty, '/') + 1;
+ }
+ /* Make sure the tty wasn't actually a directory (no basename). */
+- if (strlen(tty) == 0) {
++ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ return NULL;
+ }
+ return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ if (pwd != NULL) {
+ ruser = pwd->pw_name;
+ }
++ } else {
++ /*
++ * This ruser is used by format_timestamp_name as a component
++ * of constructed timestamp pathname, so ".", "..", and '/'
++ * are disallowed to avoid potential path traversal issues.
++ */
++ if (!strcmp(ruser, ".") ||
++ !strcmp(ruser, "..") ||
++ strchr(ruser, '/')) {
++ ruser = NULL;
++ }
+ }
+ if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ *ruserbuf = '\0';
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
new file mode 100644
index 00000000..cb5e8c06
--- /dev/null
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -0,0 +1,180 @@
+From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@thkukuk.de>
+Date: Mon, 22 Jun 2015 14:53:01 +0200
+Subject: Release version 1.2.1
+
+Security fix: CVE-2015-3238
+
+If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+of pam_unix is not privileged enough to check the password, e.g.
+if selinux is enabled, the _unix_run_helper_binary function is called.
+When a long enough password is supplied (16 pages or more, i.e. 65536+
+bytes on a system with 4K pages), this helper function hangs
+indefinitely, blocked in the write(2) call while writing to a blocking
+pipe that has a limited capacity.
+With this fix, the verifiable password length will be limited to
+PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
+index 2379366..d1b00a2 100644
+--- a/modules/pam_exec/pam_exec.8.xml
++++ b/modules/pam_exec/pam_exec.8.xml
+@@ -106,7 +106,8 @@
+ During authentication the calling command can read
+ the password from <citerefentry>
+ <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry>.
++ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++ bytes of a password are provided to the command.
+ </para>
+ </listitem>
+ </varlistentry>
+diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
+index 5ab9630..17ba6ca 100644
+--- a/modules/pam_exec/pam_exec.c
++++ b/modules/pam_exec/pam_exec.c
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+ }
+
+ pam_set_item (pamh, PAM_AUTHTOK, resp);
+- authtok = strdupa (resp);
++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ _pam_drop (resp);
+ }
+ else
+- authtok = void_pass;
++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+
+ if (pipe(fds) != 0)
+ {
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+index 4008402..a8b64bb 100644
+--- a/modules/pam_unix/pam_unix.8.xml
++++ b/modules/pam_unix/pam_unix.8.xml
+@@ -80,6 +80,13 @@
+ </para>
+
+ <para>
++ The maximum length of a password supported by the pam_unix module
++ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++ - currently 512 bytes. The rest of the password provided by the
++ conversation function to the module will be ignored.
++ </para>
++
++ <para>
+ The password component of this module performs the task of updating
+ the user's password. The default encryption hash is taken from the
+ <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 2d330e5..c2e5de5 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
+ /* wait for child */
+ /* if the stored password is NULL */
+ int rc=0;
+- if (fromwhat)
+- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+- else
+- pam_modutil_write(fds[1], "", 1);
+- if (towhat) {
+- pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
++ if (fromwhat) {
++ int len = strlen(fromwhat);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ pam_modutil_write(fds[1], fromwhat, len);
+ }
+- else
+- pam_modutil_write(fds[1], "", 1);
++ pam_modutil_write(fds[1], "", 1);
++ if (towhat) {
++ int len = strlen(towhat);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ pam_modutil_write(fds[1], towhat, len);
++ }
++ pam_modutil_write(fds[1], "", 1);
+
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index b325602..e79b55e 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+ int
+ read_passwords(int fd, int npass, char **passwords)
+ {
++ /* The passwords array must contain npass preallocated
++ * buffers of length MAXPASS + 1
++ */
+ int rbytes = 0;
+ int offset = 0;
+ int i = 0;
+ char *pptr;
+ while (npass > 0) {
+- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
+
+ if (rbytes < 0) {
+ if (errno == EINTR) continue;
+diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
+index 3de6759..caf7ae8 100644
+--- a/modules/pam_unix/passverify.h
++++ b/modules/pam_unix/passverify.h
+@@ -8,7 +8,7 @@
+
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+
+-#define MAXPASS 200 /* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */
+
+ #define OLD_PASSWORDS_FILE "/etc/security/opasswd"
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index fdb45c2..abccd82 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ /* if the stored password is NULL */
+ int rc=0;
+ if (passwd != NULL) { /* send the password to the child */
+- if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++ int len = strlen(passwd);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ if (write(fds[1], passwd, len) == -1 ||
++ write(fds[1], "", 1) == -1) {
+ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
+ retval = PAM_AUTH_ERR;
+ }
+--- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000
+@@ -56,6 +56,10 @@
+ \fBnoreap\fR
+ module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
+ .PP
++The maximum length of a password supported by the pam_unix module via the helper binary is
++\fIPAM_MAX_RESP_SIZE\fR
++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&.
++.PP
+ The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the
+ \fBENCRYPT_METHOD\fR
+ variable from
+--- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000
+@@ -65,7 +65,9 @@
+ \fBexpose_authtok\fR
+ .RS 4
+ During authentication the calling command can read the password from
+-\fBstdin\fR(3)\&.
++\fBstdin\fR(3)\&. Only first
++\fIPAM_MAX_RESP_SIZE\fR
++bytes of a password are provided to the command\&.
+ .RE
+ .PP
+ \fBlog=\fR\fB\fIfile\fR\fR
diff --git a/debian/patches-applied/do_not_check_nis_accidentally b/debian/patches-applied/do_not_check_nis_accidentally
new file mode 100644
index 00000000..8d85bfc3
--- /dev/null
+++ b/debian/patches-applied/do_not_check_nis_accidentally
@@ -0,0 +1,22 @@
+Patch for Debian bug #469635
+
+Always call _unix_getpwnam() consistent with the value of the 'nis'
+option, so that we only grab from the backends we're expecting.
+
+Authors: Quentin Godfroy <godfroy@clipper.ens.fr>
+
+Upstream status: should be submitted
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -551,7 +551,7 @@
+ return PAM_USER_UNKNOWN;
+ } else {
+ struct passwd *pwd;
+- _unix_getpwnam(pamh, user, 1, 1, &pwd);
++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "user \"%s\" has corrupted passwd entry",
diff --git a/debian/patches-applied/hurd_no_setfsuid b/debian/patches-applied/hurd_no_setfsuid
new file mode 100644
index 00000000..a2bf783c
--- /dev/null
+++ b/debian/patches-applied/hurd_no_setfsuid
@@ -0,0 +1,77 @@
+On systems without setfsuid(), use setreuid() instead.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv
+ are implemented
+
+Index: pam.debian/libpam/pam_modutil_priv.c
+===================================================================
+--- pam.debian.orig/libpam/pam_modutil_priv.c
++++ pam.debian/libpam/pam_modutil_priv.c
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat
new file mode 100644
index 00000000..9d6d40a9
--- /dev/null
+++ b/debian/patches-applied/lib_security_multiarch_compat
@@ -0,0 +1,71 @@
+Unqualified module paths should always be looked up in *both* the default
+module dir, *and* the ISA dir. That's what paths are for.
+
+This lets us have a soft transition to multiarch for modules without having
+to rewrite /etc/pam.d/ files or add ugly symlinks.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: not ready to be committed - this needs tweaked, we're
+currently abusing the existing variables and inverting their meaning in
+order to get everything installed where we want it and get absolute paths
+the way we want them.
+
+Index: multiarch/libpam/pam_handlers.c
+===================================================================
+--- multiarch.orig/libpam/pam_handlers.c
++++ multiarch/libpam/pam_handlers.c
+@@ -705,7 +705,26 @@
+ }
+ #else
+ D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
+- mod->dl_handle = _pam_dlopen(mod_path);
++ if (mod_path[0] == '/') {
++ mod->dl_handle = _pam_dlopen(mod_path);
++ } else {
++ if (asprintf(&mod_full_isa_path, "%s%s",
++ DEFAULT_MODULE_PATH, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_isa_path);
++ _pam_drop(mod_full_isa_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ if (!mod->dl_handle) {
++ if (asprintf(&mod_full_isa_path, "%s/%s",
++ _PAM_ISA, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_isa_path);
++ _pam_drop(mod_full_isa_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ }
++ }
+ D(("_pam_load_module: _pam_dlopen'ed"));
+ D(("_pam_load_module: dlopen'ed"));
+ if (mod->dl_handle == NULL) {
+@@ -775,7 +794,6 @@
+ struct handler **handler_p2;
+ struct handlers *the_handlers;
+ const char *sym, *sym2;
+- char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
+
+@@ -787,16 +805,7 @@
+
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
+- if (mod_path[0] == '/') {
+- mod = _pam_load_module(pamh, mod_path, handler_type);
+- } else if (asprintf(&mod_full_path, "%s%s",
+- DEFAULT_MODULE_PATH, mod_path) >= 0) {
+- mod = _pam_load_module(pamh, mod_full_path, handler_type);
+- _pam_drop(mod_full_path);
+- } else {
+- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+- return PAM_ABORT;
+- }
++ mod = _pam_load_module(pamh, mod_path, handler_type);
+
+ if (mod == NULL) {
+ /* if we get here with NULL it means allocation error */
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 00000000..26f16503
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,28 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>
+Last-Update: 2015-07-11
+
+--- pam.orig/configure
++++ pam/configure
+@@ -15162,7 +15162,7 @@ fi
+
+
+ if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+ enable_docu=no
+ fi
+--- pam.orig/configure.in
++++ pam/configure.in
+@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou
+
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+ enable_docu=no
+ fi
diff --git a/debian/patches-applied/no_PATH_MAX_on_hurd b/debian/patches-applied/no_PATH_MAX_on_hurd
new file mode 100644
index 00000000..ab7d506c
--- /dev/null
+++ b/debian/patches-applied/no_PATH_MAX_on_hurd
@@ -0,0 +1,22 @@
+Description: define PATH_MAX for compatibility when it's not already set
+ Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable
+ default value in this case.
+Author: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/552043
+
+Index: pam.deb/tests/tst-dlopen.c
+===================================================================
+--- pam.deb.orig/tests/tst-dlopen.c
++++ pam.deb/tests/tst-dlopen.c
+@@ -16,6 +16,11 @@
+ #include <limits.h>
+ #include <sys/stat.h>
+
++/* Hurd compatibility */
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
+ /* Simple program to see if dlopen() would succeed. */
+ int main(int argc, char **argv)
+ {
diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 00000000..176d7845
--- /dev/null
+++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
@@ -0,0 +1,58 @@
+From: Robie Basak <robie.basak@ubuntu.com>
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 <rbasak> slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad <adconrad@ubuntu.com>
+Reviewed-by: Martin Pitt <martin.pitt@ubuntu.com>
+Last-Update: 2015-04-22
+
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -439,6 +439,14 @@ static void parse_kernel_limits(pam_hand
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ }
+ fclose(limitsfile);
++
++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++ * since larger values can cause problems with fd_set overflow and
++ * systemd sets itself higher. */
++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++ }
+ }
+
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
new file mode 100644
index 00000000..1e965b2d
--- /dev/null
+++ b/debian/patches-applied/pam-loginuid-in-containers
@@ -0,0 +1,146 @@
+Author: St├ęphane Graber <stgraber@ubuntu.com>
+Description: pam_loginuid: Ignore failure in user namespaces
+ When running pam_loginuid in a container using the user namespaces, even
+ uid 0 isn't allowed to set the loginuid property.
+ .
+ This change catches the EACCES from opening loginuid, checks if the user
+ is in the host namespace (by comparing the uid_map with the host's one)
+ and only if that's the case, sets rc to 1.
+ .
+ Should uid_map not exist or be unreadable for some reason, it'll be
+ assumed that the process is running on the host's namespace.
+ .
+ The initial reason behind this change was failure to ssh into an
+ unprivileged container (using a 3.13 kernel and current LXC) when using
+ a standard pam profile for sshd (which requires success from
+ pam_loginuid).
+ .
+ I believe this solution doesn't have any drawback and will allow people
+ to use unprivileged containers normally. An alternative would be to have
+ all distros set pam_loginuid as optional but that'd be bad for any of
+ the other potential failure case which people may care about.
+ .
+ There has also been some discussions to get some of the audit features
+ tied with the user namespaces but currently none of that has been merged
+ upstream and the currently proposed implementation doesn't cover
+ loginuid (nor is it clear how this should even work when loginuid is set
+ as immutable after initial write).
+ .
+ Signed-off-by: Steve Langasek <vorlon@debian.org>
+ Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
+===================================================================
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
+
+ /*
+ * This function writes the loginuid to the /proc system. It returns
+- * 0 on success and 1 on failure.
++ * PAM_SUCCESS on success,
++ * PAM_IGNORE when /proc/self/loginuid does not exist,
++ * PAM_SESSION_ERR in case of any other error.
+ */
+ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ {
+- int fd, count, rc = 0;
+- char loginuid[24];
++ int fd, count, rc = PAM_SESSION_ERR;
++ char loginuid[24], buf[24];
++ static const char host_uid_map[] = " 0 0 4294967295\n";
++ char uid_map[sizeof(host_uid_map)];
++
++ /* loginuid in user namespaces currently isn't writable and in some
++ case, not even readable, so consider any failure as ignorable (but try
++ anyway, in case we hit a kernel which supports it). */
++ fd = open("/proc/self/uid_map", O_RDONLY);
++ if (fd >= 0) {
++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++ if (strncmp(uid_map, host_uid_map, count) != 0)
++ rc = PAM_IGNORE;
++ close(fd);
++ }
+
+- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
++ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
+ if (fd < 0) {
+- if (errno != ENOENT) {
+- rc = 1;
+- pam_syslog(pamh, LOG_ERR,
+- "Cannot open /proc/self/loginuid: %m");
++ if (errno == ENOENT) {
++ rc = PAM_IGNORE;
++ }
++ if (rc != PAM_IGNORE) {
++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++ "/proc/self/loginuid");
+ }
+ return rc;
+ }
+- if (pam_modutil_write(fd, loginuid, count) != count)
+- rc = 1;
++
++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
++ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
++ memcmp(buf, loginuid, count) == 0) {
++ rc = PAM_SUCCESS;
++ goto done; /* already correct */
++ }
++ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
++ pam_modutil_write(fd, loginuid, count) == count) {
++ rc = PAM_SUCCESS;
++ } else {
++ if (rc != PAM_IGNORE) {
++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++ "/proc/self/loginuid");
++ }
++ }
++ done:
+ close(fd);
+ return rc;
+ }
+@@ -165,6 +196,7 @@
+ {
+ const char *user = NULL;
+ struct passwd *pwd;
++ int ret;
+ #ifdef HAVE_LIBAUDIT
+ int require_auditd = 0;
+ #endif
+@@ -183,9 +215,14 @@
+ return PAM_SESSION_ERR;
+ }
+
+- if (set_loginuid(pamh, pwd->pw_uid)) {
+- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
+- return PAM_SESSION_ERR;
++ ret = set_loginuid(pamh, pwd->pw_uid);
++ switch (ret) {
++ case PAM_SUCCESS:
++ case PAM_IGNORE:
++ break;
++ default:
++ pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
++ return ret;
+ }
+
+ #ifdef HAVE_LIBAUDIT
+@@ -195,11 +232,12 @@
+ argv++;
+ }
+
+- if (require_auditd)
+- return check_auditd();
+- else
++ if (require_auditd) {
++ int rc = check_auditd();
++ return rc != PAM_SUCCESS ? rc : ret;
++ } else
+ #endif
+- return PAM_SUCCESS;
++ return ret;
+ }
+
+ /*
diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch
new file mode 100644
index 00000000..6c6f1861
--- /dev/null
+++ b/debian/patches-applied/pam_namespace_fix_bashism.patch
@@ -0,0 +1,61 @@
+From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <vorlon@debian.org>
+Date: Tue, 14 Jan 2014 19:48:51 -0800
+Subject: pam_namespace: don't use bashisms in default namespace.init script
+
+* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+namespace init script, so that scripts run with maximum privilege regardless
+of the shell implementation.
+* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+shebang line
+
+This is not a POSIX standard option, it's a bashism. The bash manpage says
+that it's used to prevent the effective user id from being reset to the real
+user id on startup, and to ignore certain unsafe variables from the
+environment.
+
+In the case of pam_namespace, the -p is not necessary for environment
+sanitizing because the PAM module (properly) sanitizes the environment
+before execing the script.
+
+The stated reason given in CVS history for passing -p is to "preserve euid
+when called from setuid apps (su, newrole)." This should be done more
+portably, by calling setuid() before spawning the shell.
+
+Signed-off-by: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/624842
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+---
+ modules/pam_namespace/namespace.init | 2 +-
+ modules/pam_namespace/pam_namespace.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
+index 9ab5806..67d4aa2 100755
+--- a/modules/pam_namespace/namespace.init
++++ b/modules/pam_namespace/namespace.init
+@@ -1,4 +1,4 @@
+-#!/bin/sh -p
++#!/bin/sh
+ # It receives polydir path as $1, the instance path as $2,
+ # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+ # and user name in $4.
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e0d5e30..92883f5 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+ _exit(1);
+ }
+ #endif
++ /* Pass maximum privs when we exec() */
++ if (setuid(geteuid()) < 0) {
++ /* ignore failures, they don't matter */
++ }
++
+ if (execle(init_script, init_script,
+ polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ _exit(1);
+--
+cgit v0.12
+
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 00000000..87336651
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,25 @@
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
+
+Authors: Steve Langasek <vorlon@debian.org>,
+ Michael Spang <mspang@csclub.uwaterloo.ca>
+
+Upstream status: to be submitted
+
+Index: pam-debian/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam-debian.orig/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:22:06.270705822 -0700
++++ pam-debian/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:24:06.080224301 -0700
+@@ -137,9 +137,10 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (strcmp(user, argv[1])) {
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
+ }
+ }
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 00000000..df3dc65a
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be submitted (and debated...)
+
+Index: debian-pkg-pam/modules/pam_unix/passverify.c
+===================================================================
+--- debian-pkg-pam.orig/modules/pam_unix/passverify.c 2009-04-17 12:46:39.000000000 -0700
++++ debian-pkg-pam/modules/pam_unix/passverify.c 2009-04-17 12:46:40.000000000 -0700
+@@ -203,11 +203,11 @@
+ * ...and shadow password file entry for this user,
+ * if shadowing is enabled
+ */
++ *spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
new file mode 100644
index 00000000..51598ca8
--- /dev/null
+++ b/debian/patches-applied/series
@@ -0,0 +1,29 @@
+pam_unix_fix_sgid_shadow_auth.patch
+pam_unix_dont_trust_chkpwd_caller.patch
+007_modules_pam_unix
+008_modules_pam_limits_chroot
+021_nis_cleanup
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+do_not_check_nis_accidentally
+027_pam_limits_better_init_allow_explicit_root
+031_pam_include
+032_pam_limits_EPERM_NOT_FATAL
+036_pam_wheel_getlogin_considered_harmful
+hurd_no_setfsuid
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+054_pam_security_abstract_securetty_handling
+055_pam_unix_nullok_secure
+cve-2010-4708.patch
+PAM-manpage-section
+update-motd
+no_PATH_MAX_on_hurd
+lib_security_multiarch_compat
+pam-loginuid-in-containers
+cve-2013-7041.patch
+cve-2014-2583.patch
+cve-2015-3238.patch
+pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
new file mode 100644
index 00000000..6c2af5bb
--- /dev/null
+++ b/debian/patches-applied/update-motd
@@ -0,0 +1,168 @@
+Patch for Ubuntu bug #399071
+
+Provide a more dynamic MOTD, based on the short-lived update-motd project.
+
+Authors: Dustin Kirkland <kirkland@canonical.com>
+
+Upstream status: not yet submitted
+
+Index: pam.debian/modules/pam_motd/pam_motd.c
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.c
++++ pam.debian/modules/pam_motd/pam_motd.c
+@@ -48,14 +48,39 @@
+
+ static char default_motd[] = DEFAULT_MOTD;
+
++static void display_file(pam_handle_t *pamh, const char *motd_path)
++{
++ int fd;
++ char *mtmp = NULL;
++ while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
++ struct stat st;
++ /* fill in message buffer with contents of motd */
++ if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
++ break;
++ if (!(mtmp = malloc(st.st_size+1)))
++ break;
++ if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size)
++ break;
++ if (mtmp[st.st_size-1] == '\n')
++ mtmp[st.st_size-1] = '\0';
++ else
++ mtmp[st.st_size] = '\0';
++ pam_info (pamh, "%s", mtmp);
++ break;
++ }
++ _pam_drop (mtmp);
++ if (fd >= 0)
++ close(fd);
++}
++
+ PAM_EXTERN
+ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+ {
+ int retval = PAM_IGNORE;
+- int fd;
++ int do_update = 1;
+ const char *motd_path = NULL;
+- char *mtmp = NULL;
++ struct stat st;
+
+ if (flags & PAM_SILENT) {
+ return retval;
+@@ -73,6 +98,9 @@
+ "motd= specification missing argument - ignored");
+ }
+ }
++ else if (!strcmp(*argv,"noupdate")) {
++ do_update = 0;
++ }
+ else
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -80,34 +108,23 @@
+ if (motd_path == NULL)
+ motd_path = default_motd;
+
+- while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
+- struct stat st;
+-
+- /* fill in message buffer with contents of motd */
+- if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
+- break;
+-
+- if (!(mtmp = malloc(st.st_size+1)))
+- break;
+-
+- if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size)
+- break;
+-
+- if (mtmp[st.st_size-1] == '\n')
+- mtmp[st.st_size-1] = '\0';
+- else
+- mtmp[st.st_size] = '\0';
+-
+- pam_info (pamh, "%s", mtmp);
+- break;
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd. */
++ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
++ && S_ISDIR(st.st_mode))
++ {
++ mode_t old_mask = umask(0022);
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
++ umask(old_mask);
+ }
+
+- _pam_drop (mtmp);
+-
+- if (fd >= 0)
+- close(fd);
++ /* Display the updated motd */
++ display_file(pamh, motd_path);
+
+- return retval;
++ return retval;
+ }
+
+
+Index: pam.debian/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml
++++ pam.debian/modules/pam_motd/pam_motd.8.xml
+@@ -52,6 +52,17 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>noupdate</option>
++ </term>
++ <listitem>
++ <para>
++ Don't run the scripts in <filename>/etc/update-motd.d</filename>
++ to refresh the motd file.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: pam.debian/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8
++++ pam.debian/modules/pam_motd/pam_motd.8
+@@ -45,6 +45,13 @@
+ /path/filename
+ file is displayed as message of the day\&.
+ .RE
++.PP
++\fBnoupdate\fR
++.RS 4
++Don\*(Aqt run the scripts in
++/etc/update\-motd\&.d
++to refresh the motd file\&.
++.RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+ Only the
+Index: pam.debian/modules/pam_motd/README
+===================================================================
+--- pam.debian.orig/modules/pam_motd/README
++++ pam.debian/modules/pam_motd/README
+@@ -14,6 +14,10 @@
+
+ The /path/filename file is displayed as message of the day.
+
++noupdate
++
++ Don't run the scripts in /etc/update-motd.d to refresh the motd file.
++
+ EXAMPLES
+
+ The suggested usage for /etc/pam.d/login is: