Diffstat (limited to 'debian/patches-applied/022_pam_unix_group_time_miscfixes')
-rw-r--r--debian/patches-applied/022_pam_unix_group_time_miscfixes39
1 files changed, 39 insertions, 0 deletions
diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes
new file mode 100644
index 00000000..e96dd680
--- /dev/null
+++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes
@@ -0,0 +1,39 @@
+ * Add support for credential reinitialization in pam_group, closes: #108697
+ * By default do complete matches not substring matches for pam_time.
+ You can include explicit wildcard for substring, closes: #66152
+
+Index: Linux-PAM/modules/pam_time/pam_time.c
+===================================================================
+--- Linux-PAM/modules/pam_time/pam_time.c.orig
++++ Linux-PAM/modules/pam_time/pam_time.c
+@@ -324,7 +324,11 @@
+ return FALSE;
+ }
+ }
+- return ( !len );
++ /* By this point we know that we didn't treat a * in b as a wildcard.
++ the only way we got done with the loop is if we consumed every
++ character in b. Thus the strings are equal if their
++ lengths are the same otherwise not equal. */
++ return (strlen (a) == strlen (b));
+ }
+
+ typedef struct {
+Index: Linux-PAM/modules/pam_group/pam_group.c
+===================================================================
+--- Linux-PAM/modules/pam_group/pam_group.c.orig
++++ Linux-PAM/modules/pam_group/pam_group.c
+@@ -758,9 +758,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
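Review bot: The new `return (strlen (a) == strlen (b));` in the pam_time.c hunk measures `b` up to its terminating NUL, while the line it replaces tested `len`, which suggests `b` is a length-bounded token that may sit inside a longer rule string. If so, an exact entry followed by more list text would never compare equal and the rule would silently stop matching; whether that ends up denying or permitting access depends on the caller, so it should be confirmed before this is relied on for time-based restrictions. Comparing `strlen (a)` with the token length saved before the loop keeps the check inside the token, e.g. `return (strlen (a) == (size_t) tok_len);`, where `tok_len` is a placeholder for the saved value. The enclosing function starts outside the hunk, so the loop shape and the meaning of `len` are inferred here.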