Diffstat (limited to 'debian')
-rw-r--r--  debian/changelog  178
-rw-r--r--  debian/control  9
-rw-r--r--  debian/libpam-doc.doc-base.applications-guide  2
-rw-r--r--  debian/libpam-modules.install  1
-rw-r--r--  debian/libpam0g-dev.examples  4
-rw-r--r--  debian/local/pam-auth-update  36
-rw-r--r--  debian/local/pam-auth-update.8  4
-rw-r--r--  debian/local/pam_getenv  2
-rw-r--r--  debian/pam-configs/mkhomedir  7
-rw-r--r--  debian/patches-applied/cve-2010-4708.patch (renamed from debian/patches-applied/cve-2011-4708.patch)  2
-rw-r--r--  debian/patches-applied/cve-2015-3238.patch  180
-rw-r--r--  debian/patches-applied/make_documentation_reproducible.patch  28
-rw-r--r--  debian/patches-applied/pam-loginuid-in-containers  52
-rw-r--r--  debian/patches-applied/pam_namespace_fix_bashism.patch  61
-rw-r--r--  debian/patches-applied/series  5
-rw-r--r--  debian/patches-applied/update-motd  12
-rw-r--r--  debian/po/pt_BR.po  56
-rw-r--r--  debian/watch  5
18 files changed, 531 insertions, 113 deletions
diff --git a/debian/changelog b/debian/changelog
index c2d673f7..145812d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,77 @@
pam (1.1.8-4) UNRELEASED; urgency=medium
+ * Acknowledge various NMUs; thanks to the various folks who have helped
+ keep this package in good condition.
+ * debian/control: update VCS headers to point to git (temporarily under
+ my personal salsa namespace, until I get around to restoring team
+ setup).
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 09 Apr 2014 14:04:10 -0700
+
+pam (1.1.8-3.8) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Set Rules-Requires-Root to binary-targets as pam relies on
+ chgrp in debian/rules.
+ * Update pam-auth-update to detect write errors and properly
+ fail when that happens. (Closes: #880501)
+ * Remove Roger Leigh from uploaders as he has restired from
+ Debian. (Closes: #869348)
+ * Reduce priority of libpam0g to optional.
+ * Rebuild with a recent version of dpkg-source, which ensures
+ that the Build-Depends are correct in the .dsc file.
+ (Closes: #890602)
+ * Apply patch from Felix Lechner to make pam-auth-update ignore
+ editor backup files. (Closes: #519361)
+ * Apply update to Brazilian Portuguese translations of the
+ debconf templates. Thanks to Adriano Rafael Gomes.
+ (Closes: #799417)
+
+ -- Niels Thykier <niels@thykier.net> Sat, 11 Aug 2018 15:31:24 +0000
+
+pam (1.1.8-3.7) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * libpam-modules: Added a config for pam_mkhomedir, disabled by default.
+ (Closes: #568577)
+ * pam-auth-update: Add support for --enable option which is useful for
+ enabling non-default configs without prompting the admin. (LP: #1192719)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 02 Feb 2018 16:57:43 +0200
+
+pam (1.1.8-3.6) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * cve-2015-3238.patch: Add the changes in the generated pam_exec.8
+ and pam_unix.8 in addition to (and after) the changes to the
+ source .xml files. This avoids unwanted rebuilds that can cause
+ problems due to differing files on different architectures of
+ the Multi-Arch: same libpam-modules. (Closes: #851545)
+
+ -- Adrian Bunk <bunk@debian.org> Sat, 27 May 2017 18:44:02 +0300
+
+pam (1.1.8-3.5) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Build-Depend on libfl-dev:native as well, for cross builds.
+ Re-closes: #846459
+ * Fix "Unescaped left brace in regex" with Perl 5.22. Closes: #810873
+
+ -- Adam Borowski <kilobyte@angband.pl> Fri, 30 Dec 2016 14:37:29 +0100
+
+pam (1.1.8-3.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add libfl-dev to Build-Depends, fixing FTBFS. Closes: #846459
+ * Move xsl stuff to Build-Depends from -Indep to fix misbuilt manpages.
+ Closes: #812566
+
+ -- Adam Borowski <kilobyte@angband.pl> Sun, 18 Dec 2016 01:03:58 +0100
+
+pam (1.1.8-3.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ [ Steve Langasek ]
* Updated Swedish translation to correct a typo, thanks to Anders Jonsson
and Martin Bagge. Closes: #743875
* Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>.
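Review bot: the 1.1.8-3.8 entry has a typo, "restired" should be "retired", in the item about removing Roger Leigh from uploaders. Separately, the 1.1.8-4 UNRELEASED trailer still carries the date Wed, 09 Apr 2014 while the 1.1.8-3.8 entry directly below it is dated Sat, 11 Aug 2018, so the trailer needs refreshing before upload to keep the changelog in chronological order.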
@@ -10,11 +82,37 @@ pam (1.1.8-4) UNRELEASED; urgency=medium
* Acknowledge security NMU.
* pam-auth-update: don't mishandle trailing whitespace in profiles.
LP: #1487103.
- * debian/control: update VCS headers to point to git (temporarily under
- my personal salsa namespace, until I get around to restoring team
- setup).
- -- Steve Langasek <vorlon@debian.org> Wed, 09 Apr 2014 14:04:10 -0700
+ [ Laurent Bigonville ]
+ * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343)
+ * debian/watch: Update watch file and point it to http://www.linux-pam.org
+ * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in
+ namespace.init script (Closes: #624842)
+ * debian/control: Build-depends against debhelper (>= 9) to match the
+ defined debhelper compatibility
+ * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality,
+ thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594)
+ * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
+ * debian/libpam-doc.doc-base.applications-guide: Fix spelling
+ * debian/libpam0g-dev.examples: Do not use shell brace expansion
+ * debian/patches-applied/pam-loginuid-in-containers: Updated with the version
+ from Ubuntu, this should fix logins in containers (Closes: #726661)
+ * debian/patches-applied/update-motd: Updated with the version from Ubuntu:
+ use /run/motd.dynamic instead of /var/run/motd, nothing in the archive
+ uses the later (Closes: #743286)
+ * debian/patches-applied/make_documentation_reproducible.patch: Make the
+ build reproducible, removes differences when building with different
+ locale values (Closes: #792127)
+
+ -- Laurent Bigonville <bigon@debian.org> Wed, 18 May 2016 02:04:29 +0200
+
+pam (1.1.8-3.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix
+ module (Closes: #789986)
+
+ -- Tianon Gravi <tianon@debian.org> Wed, 06 Jan 2016 15:53:31 -0800
pam (1.1.8-3.1) unstable; urgency=high
@@ -318,7 +416,7 @@ pam (1.1.2-1) unstable; urgency=low
- Add support for NSS groups to pam_group. Closes: #589019,
LP: #297408.
- Support cross-building the package. Thanks to Neil Williams
- <codehelp@debian.org> for the patch. Closes: #284854.
+ <codehelp@debian.org> for the patch. Closes: #284854.
* debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit
interface. Closes: #579402.
* Drop patches conditional_module,_conditional_man and
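Review bot: the removed and added lines in this hunk read identically, so it appears to change only whitespace in a historical entry, and the same pattern repeats in most of the remaining debian/changelog hunks. Consider moving that cleanup into its own commit so the security-relevant changelog additions (CVE-2015-3238, the cve-2010-4708 rename) are not buried among no-op hunks during review.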
@@ -633,7 +731,7 @@ pam (1.0.1-10) unstable; urgency=high
* Fix lintian overrides for libpam-runtime
* Overrides for lintian finding quilt patches
* pam_mail-fix-quiet: patch from Andreas Henriksson
- applied upstream to fix quiet option of pam_mail, Closes: #439268
+ applied upstream to fix quiet option of pam_mail, Closes: #439268
[ Dustin Kirkland ]
* debian/patches/update-motd: run the update-motd scripts in pam_motd;
@@ -641,7 +739,7 @@ pam (1.0.1-10) unstable; urgency=high
[ Sam Hartman ]
* cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
- (CVE-2009-0887) (Closes: #520115)
+ (CVE-2009-0887) (Closes: #520115)
-- Steve Langasek <vorlon@debian.org> Thu, 06 Aug 2009 17:54:32 +0100
@@ -663,7 +761,7 @@ pam (1.0.1-8) unstable; urgency=low
- Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #518324)
- Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
(closes: #518329)
- - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #518335)
+ - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #518335)
- Slovak, thanks to Ivan Masár <helix84@centrum.sk> (closes: #518341)
- Czech, thanks to Miroslav Kure <kurem@debian.cz> (closes: #518992)
- Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
@@ -681,14 +779,14 @@ pam (1.0.1-8) unstable; urgency=low
pam (1.0.1-7) unstable; urgency=low
* 027_pam_limits_better_init_allow_explicit_root:
- - fix the patch so that our limit resets are actually *applied*,
+ - fix the patch so that our limit resets are actually *applied*,
which has apparently been broken for who knows how long!
- shadow the finite kernel defaults for RLIMIT_SIGPENDING and
RLIMIT_MSGQUEUE as well, so that the preceding change doesn't
suddenly expose systems to DoS or other issues.
- - include documentation in the patch, giving examples of how to set
+ - include documentation in the patch, giving examples of how to set
limits for root. Thanks to Jonathan Marsden.
- * pam-auth-update: swap out known md5sums from intrepid pre-release
+ * pam-auth-update: swap out known md5sums from intrepid pre-release
versions with the md5sums from the released intrepid version
* pam-auth-update: set the umask, so we don't accidentally mark
/etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching.
@@ -739,7 +837,7 @@ pam (1.0.1-5) unstable; urgency=low
- Czech, thanks to Miroslav Kure <<kurem@upcase.inf.upol.cz>
(closes: #510608)
- French, thanks to Steve Petruzzello <dlist@bluewin.ch>
- - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #510617)
+ - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #510617)
- Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
(closes: #510699)
- Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #510701)
@@ -1280,7 +1378,7 @@ pam (0.79-4) unstable; urgency=medium
pam (0.79-3.2) unstable; urgency=low
* Non-maintainer upload to fix important bug, that makes passwd segfault
- when CTRL-D is pressed at the password prompt. Applied the patch
+ when CTRL-D is pressed at the password prompt. Applied the patch
provided by Dann Frazier. (Closes: #360657)
-- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -0300
@@ -1386,7 +1484,7 @@ pam (0.76-22) unstable; urgency=medium
pam (0.76-21) unstable; urgency=medium
* Fix patch 055 again because -20 was broken and didn't actually fix the
- problem.
+ problem.
-- Sam Hartman <hartmans@debian.org> Tue, 4 May 2004 21:37:38 -0400
@@ -1397,22 +1495,22 @@ pam (0.76-20) unstable; urgency=medium
* Medium urgency because the version now in testing has confusing and
verbose log messages.
* Include pam_getenv script which hopefully will be used by some people
- somewhere for some purpose
+ somewhere for some purpose
-- Sam Hartman <hartmans@debian.org> Wed, 28 Apr 2004 22:51:18 -0400
pam (0.76-19) unstable; urgency=low
* Oops, too busy testing the upgrade from woody to make sure the upgrade
- from -16 to -18 worked. Thanks to all those who reported,
- Closes: #243413
+ from -16 to -18 worked. Thanks to all those who reported,
+ Closes: #243413
-- Sam Hartman <hartmans@debian.org> Tue, 13 Apr 2004 16:08:54 -0400
pam (0.76-18) unstable; urgency=low
* Manipulate conffiles to avoid unnecessary prompt in woody to sarge
- upgrade, Closes: #218318
+ upgrade, Closes: #218318
-- Sam Hartman <hartmans@debian.org> Sat, 10 Apr 2004 18:10:35 -0400
@@ -1421,9 +1519,9 @@ pam (0.76-17) unstable; urgency=low
* common-password now includes length restrictions and cracklib
examples, Closes: #227681, #237537
* Patch 054: abstract out the logic from pam_securetty to determine if a
- tty is in /etc/securetty into a library function
+ tty is in /etc/securetty into a library function
* Patch 55: Add nullok_secure option to pam_unix. If set, then null
- passwords are accepted from terminals in /etc/securetty.
+ passwords are accepted from terminals in /etc/securetty.
* common-auth now includes nullok_secure, Closes: #228114
@@ -1432,8 +1530,8 @@ pam (0.76-17) unstable; urgency=low
pam (0.76-16) unstable; urgency=low
* Patch 51 from the x86-64 folks to support 32-bit ll_time in
- pam_lastlog even if time_t is 64-bits
- * Don't call openlog in pam_unix (patch 52), Closes: #213566
+ pam_lastlog even if time_t is 64-bits
+ * Don't call openlog in pam_unix (patch 52), Closes: #213566
* Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506
-- Sam Hartman <hartmans@debian.org> Tue, 23 Mar 2004 22:26:04 -0500
@@ -1446,8 +1544,8 @@ pam (0.76-15) unstable; urgency=low
* Clean up binaries, Thanks Russell, Closes: #212158
* Depend on sufficiently new cracklib2-dev, Closes: #214092
* Treate GNU/* as GNU for OS variable to make pam_limits compile,
- (patch 050) Closes: #220980
- * No longer build-depend on latex2html, Closes: #221318
+ (patch 050) Closes: #220980
+ * No longer build-depend on latex2html, Closes: #221318
* Allow : in tty specification for pam_group, (patch 048) Closes: #220439
* Pull in locking patch from Linux-PAM CVS; this ended up causing
021_pam_nis_locking to be reworked and that patch now no longer
@@ -1500,7 +1598,7 @@ pam (0.76-12) unstable; urgency=low
pam (0.76-11) unstable; urgency=low
* Don't allow db4 to satisfy build-depends because it doesn't actually
- work, and sometimes building with it would be wrong.
+ work, and sometimes building with it would be wrong.
* Don't depend on libpcap-dev on Debian BSD
* Conflict with old libpam-modules, Closes: #191906
* Incorrect username should not be logged at alert (patch 43),
@@ -1514,9 +1612,9 @@ pam (0.76-10) unstable; urgency=low
* Don't double list conffiles, Closes: #190954
* Only install example sources not executables, Closes: #185286
* Display correct directory in error message for pam_mkhomedir, patch
- 042 thanks to Akira TAGOH, Closes: #165240
+ 042 thanks to Akira TAGOH, Closes: #165240
* Don't log EPERM when setting NOFILE limit as Linux doesn't let you
- set that to -1, Closes: #180310
+ set that to -1, Closes: #180310
* Add newline to end of distributed time.conf, Closes: #172229
* Up our standards version and support noopt in DEB_BUILD_OPTIONS
@@ -1526,7 +1624,7 @@ pam (0.76-9) unstable; urgency=low
* Fix pam_rhosts hurd patch so it actually works, Closes: #172914
* Fix patch 040 not to clobber errno when logging the error fails,
- Closes: #172186
+ Closes: #172186
* Fix dependency for linuxdoc-tools, Closes: #173097
-- Sam Hartman <hartmans@debian.org> Sun, 15 Dec 2002 17:10:58 -0500
@@ -1564,7 +1662,7 @@ pam (0.76-6) unstable; urgency=low
* The "No, I don't think I actually want any of what upstream is
smoking" release
* If this were already in testing, this would be an severity emergency
- upload
+ upload
* pam_unix currently treats * in shadow file as no password not
disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659
* OK, I think this actually fixes the rest of the manpage symlinks,
@@ -1585,7 +1683,7 @@ pam (0.76-4) unstable; urgency=low
* Upstream correctly states that one should use gcc not ld when
linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711
-
+
* Remove experimental warning from readme, Closes: 163742
-- Sam Hartman <hartmans@debian.org> Mon, 7 Oct 2002 23:45:53 -0400
@@ -1644,7 +1742,7 @@ pam (0.75-3) experimental; urgency=low
pam (0.75-2) experimental; urgency=low
- * Fix pam_userdb to build and to build against db3, fixes patch 020
+ * Fix pam_userdb to build and to build against db3, fixes patch 020
* Fix upstream makefile so pam_group has valid configuration, closes: #148657
* time.conf reference to logoutd removed, closes: #143801
* The static library contains all the appropriate symbols in this
@@ -1703,7 +1801,7 @@ pam (0.72-32) unstable; urgency=medium
* This should probably get into testing before freeze; medium.
* Patch from Volker Stolz to fix bug in previous pam_group patch,
- closes: #111854
+ closes: #111854
-- Sam Hartman <hartmans@debian.org> Sat, 22 Sep 2001 06:32:29 -0400
@@ -1716,7 +1814,7 @@ pam (0.72-31) unstable; urgency=low
pam (0.72-30) unstable; urgency=low
* Include patch from robbe@orcus.priv.at to build pam_limits on hurd,
- closes: #103556
+ closes: #103556
* Start installing limits.conf for hurd (may not work quite right)
-- Sam Hartman <hartmans@debian.org> Mon, 16 Jul 2001 09:35:51 -0400
@@ -1732,7 +1830,7 @@ pam (0.72-28) unstable; urgency=low
* Fix scanf string so pam_limits chroot works, closes: #100812
* Only log unknown user at warning, not alert, closes: #95220
* By default do complete matches not substring matches for pam_time.
- You can include explicit wildcard for substring, closes: #66152
+ You can include explicit wildcard for substring, closes: #66152
-- Sam Hartman <hartmans@debian.org> Tue, 3 Jul 2001 17:31:45 -0400
@@ -1767,8 +1865,8 @@ pam (0.72-24) unstable; urgency=low
pam (0.72-23) unstable; urgency=low
* Patch from Benoit Gaussen <ben@trez42.net> , Don't trim from , to end
- of string in user input, only trim from salt
- grabbed from passwd file, closes: #96779
+ of string in user input, only trim from salt
+ grabbed from passwd file, closes: #96779
* Fix NIS double locking, closes: #96736
-- Sam Hartman <hartmans@debian.org> Wed, 16 May 2001 15:46:34 -0400
@@ -1800,7 +1898,7 @@ pam (0.72-19) unstable; urgency=low
* New maintainer, closes: #92353
* Install pam-undocumented; somehow it was not installed in -18
-
+
-- Sam Hartman <hartmans@debian.org> Wed, 4 Apr 2001 21:32:17 -0400
pam (0.72-18) unstable; urgency=low
@@ -2238,7 +2336,7 @@ pam (0.69-2) unstable; urgency=low
* Fixed problem where libpam was getting built with -DDEBUG
* pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640
instead of 0.0 and 0600
- * unix_chkpwd: fix it not being sgid shadow
+ * unix_chkpwd: fix it not being sgid shadow
-- Ben Collins <bcollins@debian.org> Thu, 9 Sep 1999 13:52:01 -0400
@@ -2322,7 +2420,7 @@ pam (0.66-6) unstable; urgency=low
pam (0.66-5) unstable; urgency=low
- * Removed harcoded libc6 dependency from libpam0g-dev and changed it to
+ * Removed harcoded libc6 dependency from libpam0g-dev and changed it to
libc6-dev. closes: #33615
* Added md5 flag for pam_unix_passwd.so
* Removed upperLOWER program since it is just an example. Moved it's
@@ -2439,7 +2537,7 @@ pam (0.65-0.8) frozen unstable; urgency=high
pam (0.65-0.7) frozen unstable; urgency=high
* Fixed security vulnerability in the pam_unix and pam_tally modules
- (reported by Michal Zalewski on bugtraq; patch
+ (reported by Michal Zalewski on bugtraq; patch
A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin).
-- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Tue, 29 Dec 1998 16:20:18 +0100
diff --git a/debian/control b/debian/control
index 2f27f8f1..d8638647 100644
--- a/debian/control
+++ b/debian/control
@@ -3,17 +3,16 @@ Section: libs
Priority: optional
Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.1
-Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 8.9.4), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config
-Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m
+Standards-Version: 3.9.8
+Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m
Build-Conflicts-Indep: fop
Build-Conflicts: libdb4.2-dev, libxcrypt-dev
Vcs-Browser: https://salsa.debian.org/vorlon/pam
Vcs-Git: https://salsa.debian.org/vorlon/pam.git
-Homepage: http://pam.sourceforge.net/
+Homepage: http://www.linux-pam.org/
+Rules-Requires-Root: binary-targets
Package: libpam0g
-Priority: required
Architecture: any
Multi-Arch: same
Replaces: libpam0g-util
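Review bot: the Uploaders context line still lists Roger Leigh <rleigh@debian.org>, although the 1.1.8-3.8 changelog entry states he was removed from uploaders (Closes: #869348); either the field or the changelog is out of step. Also, Build-Depends-Indep is folded into Build-Depends here while Build-Conflicts-Indep: fop is kept, so it is worth confirming that conflict is still meant to apply only to indep builds.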
diff --git a/debian/libpam-doc.doc-base.applications-guide b/debian/libpam-doc.doc-base.applications-guide
index f38ef1e5..89768d7e 100644
--- a/debian/libpam-doc.doc-base.applications-guide
+++ b/debian/libpam-doc.doc-base.applications-guide
@@ -4,7 +4,7 @@ Author: Andrew G. Morgan <morgan@linux.kernel.org>
Abstract: This manual documents what an application developer needs to know
about the Linux-PAM library. It describes how an application might use
the Linux-PAM library to authenticate users. In addition it contains a
- description of the funtions to be found in libpam_misc library, that can
+ description of the functions to be found in libpam_misc library, that can
be used in general applications. Finally, it contains some comments on PAM
related security issues for the application developer.
Section: Programming
diff --git a/debian/libpam-modules.install b/debian/libpam-modules.install
index 191a34ea..5fd57b44 100644
--- a/debian/libpam-modules.install
+++ b/debian/libpam-modules.install
@@ -1,2 +1,3 @@
etc/security/* etc/security
lib/*/security/*.so
+debian/pam-configs/mkhomedir usr/share/pam-configs/
diff --git a/debian/libpam0g-dev.examples b/debian/libpam0g-dev.examples
index c1b7e77e..351b20ee 100644
--- a/debian/libpam0g-dev.examples
+++ b/debian/libpam0g-dev.examples
@@ -2,4 +2,6 @@ examples/blank.c
examples/check_user.c
examples/vpass.c
examples/xsh.c
-libpamc/test/{agents,modules,regress}
+libpamc/test/agents
+libpamc/test/modules
+libpamc/test/regress
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 60eb1e8f..6d17ab72 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -39,7 +39,7 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
my $titletemplate = 'libpam-runtime/title';
my $confdir = '/etc/pam.d';
my $savedir = '/var/lib/pam';
-my (%profiles, @sorted, @enabled, @conflicts, @new, %removals);
+my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);
my $force = 0;
my $package = 0;
my $priority = 'high';
@@ -62,7 +62,7 @@ my %md5sums = (
opendir(DIR, $inputdir) || die "could not open config directory: $!";
while (my $profile = readdir(DIR)) {
- next if ($profile eq '.' || $profile eq '..');
+ next if ($profile eq '.' || $profile eq '..' || $profile =~ m/~$/ || $profile =~ m/^#.+#$/);
%{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile);
}
closedir DIR;
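Review bot: the new filter on the readdir loop is a denylist that covers only names ending in ~ and names of the form #name#, so other leftovers in the profile directory (for example .dpkg-old, .dpkg-new, .orig or editor swap files) would still be parsed by parse_pam_profile and could be offered as PAM profiles. Since these files end up shaping /etc/pam.d/common-*, consider accepting only names that match an explicit pattern for profile names and skipping anything that is not a regular file.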
@@ -89,6 +89,13 @@ while ($#ARGV >= 0) {
}
# --remove implies --package
$package = 1 if (keys(%removals));
+ } elsif ($opt eq '--enable') {
+ while ($#ARGV >= 0) {
+ last if ($ARGV[0] =~ /^--/);
+ $to_enable{shift @ARGV} = 1;
+ }
+ # --enable implies --package
+ $package = 1 if (keys(%to_enable));
}
}
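Review bot: the --enable branch stores every following argument in %to_enable without checking it against %profiles, so a misspelled or missing profile name is accepted silently and the caller gets no indication that nothing was enabled. Suggest a warning or a non-zero exit for names with no entry in %profiles, and an error when --enable is given with no profile at all.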
@@ -119,7 +126,7 @@ if ($diff) {
# find out what we've seen, so we can ignore those defaults
my %seen;
if (-e $savedir . '/seen') {
- open(SEEN,$savedir . '/seen');
+ open(SEEN,$savedir . '/seen') or die("open(${savedir}/seen) failed: $!");
while (<SEEN>) {
chomp;
$seen{$_} = 1;
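Review bot: the changed line keeps the two-argument open on a bareword handle, open(SEEN,$savedir . '/seen'), so the mode is implied by the string contents. While adding the error check, switch to the three-argument form with a lexical handle, for example open(my $seen_fh, '<', "$savedir/seen"), which also keeps the handle from leaking into global scope.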
@@ -136,6 +143,10 @@ if (!@enabled) {
$priority = 'high' unless ($force);
}
+# add configs to enable
+push(@enabled,
+ grep { $to_enable{$_} } @sorted);
+
# add any previously-unseen configs
push(@enabled,
grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted);
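Review bot: a profile named in %to_enable that is also Default: yes and not yet in %seen is pushed onto @enabled by both push calls, and one that was already enabled is pushed a second time by the new block. Unless @enabled is deduplicated later, filter the new grep with a check that the profile is not already in @enabled, and add a comment stating where --enable entries are meant to sit relative to the previously-unseen defaults.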
@@ -218,11 +229,11 @@ do {
# the decision has been made about what configs to use, so even if
# something fails after this, we shouldn't go munging the default
# options again. Save the list of known configs to /var/lib/pam.
-open(SEEN,"> $savedir/seen");
+open(SEEN,"> $savedir/seen") or die("open(${savedir}/seen) failed: $!");
for my $i (@sorted) {
print SEEN "$i\n";
}
-close(SEEN);
+close(SEEN) or die("close(${savedir}/seen) failed: $!");
# @enabled now contains our list of profiles to use for piecing together
# a config
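Review bot: $savedir/seen is opened with "> $savedir/seen", which truncates the existing file before anything is written, so the new die on open or close can leave an empty or partial seen list behind. Writing to a temporary name and renaming it into place, as write_profiles does for the generated configs, would keep the old list intact on failure; the individual print SEEN calls are also still unchecked.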
@@ -372,7 +383,7 @@ sub create_from_template
}
}
close(INPUT);
- close(OUTPUT);
+ close(OUTPUT) or die("close($dest) failed: $!");
if ($state < 4) {
unlink($dest);
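Review bot: dying on close(OUTPUT) exits before the unlink($dest) in the $state < 4 branch that follows, so a failed write leaves the partially written $dest on disk. Consider unlinking $dest before die, or returning an error to the caller after cleanup, so a full disk does not leave stray temporary files next to the PAM configs.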
@@ -525,16 +536,19 @@ sub write_profiles
}
}
- close(OUTPUT);
+ close(OUTPUT) or die("close($dest) failed: $!");
# then do the renames, back-to-back
# we have to use system because File::Copy is in
# perl-modules, not perl-base
- if (-e "$target" && $force) {
- system('cp','-f',$target,$target . '.pam-old');
+ if (-e $target && $force) {
+ system('cp','-f',$target,$target . '.pam-old') == 0
+ or die("cp -f ${target} ${target}.pam.old failed");
}
- rename($dest,$target);
- rename("$savedir/$type.new","$savedir/$type");
+ rename($dest,$target)
+ or die("rename($dest, $target) failed: $!");
+ rename("$savedir/${type}.new","$savedir/$type")
+ or die("rename(${savedir}/${type}.new, ${savedir}/${type}) failed: $!");
}
# at the end of a successful write, reset the 'seen' flag and the
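Review bot: the die message after the cp call names ${target}.pam.old, but the command writes $target . '.pam-old', so the error would point the admin at a file name that does not exist. Also, the two rename calls are not atomic as a pair: if rename($dest,$target) succeeds and the second rename fails, the script dies with the new config installed but the saved state in $savedir still old, which deserves at least a comment or a recovery path.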
diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
index fd5e2ad4..a5ebdbad 100644
--- a/debian/local/pam-auth-update.8
+++ b/debian/local/pam-auth-update.8
@@ -68,6 +68,10 @@ Indicate that the caller is a package maintainer script; lowers the
priority of debconf questions to `medium' so that the user is not
prompted by default.
.TP
+.B \-\-enable \fIprofile \fR[\fIprofile\fR...]
+Enable the specified profiles in system configuration. This is used to
+enable profiles that are not on by default.
+.TP
.B \-\-remove \fIprofile \fR[\fIprofile\fR...]
Remove the specified profiles from the system configuration.
.B pam\-auth\-update \-\-remove
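Review bot: the new --enable paragraph does not mention that the option implies --package, which the script comment "--enable implies --package" states. That changes debconf question priority and therefore whether the admin is prompted, so it should be documented here, along with what happens when a named profile does not exist.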
diff --git a/debian/local/pam_getenv b/debian/local/pam_getenv
index 2abddcad..e409c3e5 100644
--- a/debian/local/pam_getenv
+++ b/debian/local/pam_getenv
@@ -75,7 +75,7 @@ sub expand_val($) {
my ($val) = @_;
return undef unless $val;
die "Cannot handle PAM items\n" if /(?<!\\)\@/;
- $val =~ s/(?<!\\)\${([^}]+)}/$ENV{$1}||""/eg;
+ $val =~ s/(?<!\\)\$\{([^}]+)\}/$ENV{$1}||""/eg;
return $val;
}
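Review bot: the brace escaping in the substitution is correct for Perl 5.22, but the context line above it, die "Cannot handle PAM items\n" if /(?<!\\)\@/;, has no binding operator and so tests $_ rather than $val. If the intent is to reject values containing an unescaped @, this should be $val =~ /(?<!\\)\@/; worth fixing in the same change since the function is being touched.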
diff --git a/debian/pam-configs/mkhomedir b/debian/pam-configs/mkhomedir
new file mode 100644
index 00000000..9c27980a
--- /dev/null
+++ b/debian/pam-configs/mkhomedir
@@ -0,0 +1,7 @@
+Name: Create home directory on login
+Default: no
+Priority: 0
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ optional pam_mkhomedir.so
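Review bot: the Session line passes no arguments to pam_mkhomedir.so, so the permissions of newly created home directories and the skeleton directory are left to the module's defaults. Stating umask= explicitly in the profile would make the resulting mode visible to admins who enable it; a short comment on why the profile is Default: no and Session-Interactive-Only: yes would also help.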
diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2010-4708.patch
index c0fbb1ee..cf23e318 100644
--- a/debian/patches-applied/cve-2011-4708.patch
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -1,4 +1,4 @@
-Description: fix cve-2011-4708: .pam_environment privilege issue
+Description: fix cve-2010-4708: .pam_environment privilege issue
Index: pam.debian/modules/pam_env/pam_env.c
===================================================================
--- pam.debian.orig/modules/pam_env/pam_env.c
diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch
new file mode 100644
index 00000000..cb5e8c06
--- /dev/null
+++ b/debian/patches-applied/cve-2015-3238.patch
@@ -0,0 +1,180 @@
+From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@thkukuk.de>
+Date: Mon, 22 Jun 2015 14:53:01 +0200
+Subject: Release version 1.2.1
+
+Security fix: CVE-2015-3238
+
+If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+of pam_unix is not privileged enough to check the password, e.g.
+if selinux is enabled, the _unix_run_helper_binary function is called.
+When a long enough password is supplied (16 pages or more, i.e. 65536+
+bytes on a system with 4K pages), this helper function hangs
+indefinitely, blocked in the write(2) call while writing to a blocking
+pipe that has a limited capacity.
+With this fix, the verifiable password length will be limited to
+PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
+index 2379366..d1b00a2 100644
+--- a/modules/pam_exec/pam_exec.8.xml
++++ b/modules/pam_exec/pam_exec.8.xml
+@@ -106,7 +106,8 @@
+ During authentication the calling command can read
+ the password from <citerefentry>
+ <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry>.
++ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++ bytes of a password are provided to the command.
+ </para>
+ </listitem>
+ </varlistentry>
+diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
+index 5ab9630..17ba6ca 100644
+--- a/modules/pam_exec/pam_exec.c
++++ b/modules/pam_exec/pam_exec.c
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+ }
+
+ pam_set_item (pamh, PAM_AUTHTOK, resp);
+- authtok = strdupa (resp);
++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ _pam_drop (resp);
+ }
+ else
+- authtok = void_pass;
++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+
+ if (pipe(fds) != 0)
+ {
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+index 4008402..a8b64bb 100644
+--- a/modules/pam_unix/pam_unix.8.xml
++++ b/modules/pam_unix/pam_unix.8.xml
+@@ -80,6 +80,13 @@
+ </para>
+
+ <para>
++ The maximum length of a password supported by the pam_unix module
++ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++ - currently 512 bytes. The rest of the password provided by the
++ conversation function to the module will be ignored.
++ </para>
++
++ <para>
+ The password component of this module performs the task of updating
+ the user's password. The default encryption hash is taken from the
+ <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 2d330e5..c2e5de5 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
+ /* wait for child */
+ /* if the stored password is NULL */
+ int rc=0;
+- if (fromwhat)
+- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+- else
+- pam_modutil_write(fds[1], "", 1);
+- if (towhat) {
+- pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
++ if (fromwhat) {
++ int len = strlen(fromwhat);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ pam_modutil_write(fds[1], fromwhat, len);
+ }
+- else
+- pam_modutil_write(fds[1], "", 1);
++ pam_modutil_write(fds[1], "", 1);
++ if (towhat) {
++ int len = strlen(towhat);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ pam_modutil_write(fds[1], towhat, len);
++ }
++ pam_modutil_write(fds[1], "", 1);
+
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index b325602..e79b55e 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+ int
+ read_passwords(int fd, int npass, char **passwords)
+ {
++ /* The passwords array must contain npass preallocated
++ * buffers of length MAXPASS + 1
++ */
+ int rbytes = 0;
+ int offset = 0;
+ int i = 0;
+ char *pptr;
+ while (npass > 0) {
+- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
+
+ if (rbytes < 0) {
+ if (errno == EINTR) continue;
+diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
+index 3de6759..caf7ae8 100644
+--- a/modules/pam_unix/passverify.h
++++ b/modules/pam_unix/passverify.h
+@@ -8,7 +8,7 @@
+
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+
+-#define MAXPASS 200 /* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */
+
+ #define OLD_PASSWORDS_FILE "/etc/security/opasswd"
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index fdb45c2..abccd82 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ /* if the stored password is NULL */
+ int rc=0;
+ if (passwd != NULL) { /* send the password to the child */
+- if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++ int len = strlen(passwd);
++
++ if (len > PAM_MAX_RESP_SIZE)
++ len = PAM_MAX_RESP_SIZE;
++ if (write(fds[1], passwd, len) == -1 ||
++ write(fds[1], "", 1) == -1) {
+ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
+ retval = PAM_AUTH_ERR;
+ }
+--- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000
+@@ -56,6 +56,10 @@
+ \fBnoreap\fR
+ module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
+ .PP
++The maximum length of a password supported by the pam_unix module via the helper binary is
++\fIPAM_MAX_RESP_SIZE\fR
++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&.
++.PP
+ The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the
+ \fBENCRYPT_METHOD\fR
+ variable from
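Review bot: the added paragraph hard-codes "currently 512 bytes" next to the symbolic PAM_MAX_RESP_SIZE, and the number will go stale if the constant changes. Either drop the figure or state which header it comes from. This file header also lacks the diff --git and index lines the other files in the patch carry and has 2017 timestamps, so it looks appended by hand. The patch description should say so.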
+--- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000
++++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000
+@@ -65,7 +65,9 @@
+ \fBexpose_authtok\fR
+ .RS 4
+ During authentication the calling command can read the password from
+-\fBstdin\fR(3)\&.
++\fBstdin\fR(3)\&. Only first
++\fIPAM_MAX_RESP_SIZE\fR
++bytes of a password are provided to the command\&.
+ .RE
+ .PP
+ \fBlog=\fR\fB\fIfile\fR\fR
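Review bot: "Only first PAM_MAX_RESP_SIZE bytes" is missing its article and should read "Only the first". The text should also say that the remainder is discarded without an error, as the pam_unix.8 wording does, so script authors know a longer password is not rejected but truncated.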
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 00000000..26f16503
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,28 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>
+Last-Update: 2015-07-11
+
+--- pam.orig/configure
++++ pam/configure
+@@ -15162,7 +15162,7 @@ fi
+
+
+ if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+ enable_docu=no
+ fi
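Review bot: this hunk edits the generated configure script at line 15162 in parallel with configure.in, so the two copies must be kept identical by hand and the offset will stop applying after any autoreconf. Prefer patching configure.in only and regenerating configure during the build, or state in the patch header that both edits are required.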
+--- pam.orig/configure.in
++++ pam/configure.in
+@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou
+
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+ enable_docu=no
+ fi
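Review bot: putting the assignment inside the value, BROWSER="LC_ALL=C $BROWSER -T text/html -dump", works only where the variable is substituted textually into a command line, as in a make recipe. If a shell expands $BROWSER in command position, "LC_ALL=C" is taken as the command name and the call fails. Using "env LC_ALL=C $BROWSER ..." behaves the same in both contexts. The Description line also needs "when building the documentation".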
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
index bea1e32f..1e965b2d 100644
--- a/debian/patches-applied/pam-loginuid-in-containers
+++ b/debian/patches-applied/pam-loginuid-in-containers
@@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
-Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
===================================================================
---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c
-+++ pam.deb/modules/pam_loginuid/pam_loginuid.c
-@@ -46,25 +46,49 @@
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
/*
* This function writes the loginuid to the /proc system. It returns
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+ char loginuid[24], buf[24];
+ static const char host_uid_map[] = " 0 0 4294967295\n";
+ char uid_map[sizeof(host_uid_map)];
++
++ /* loginuid in user namespaces currently isn't writable and in some
++ case, not even readable, so consider any failure as ignorable (but try
++ anyway, in case we hit a kernel which supports it). */
++ fd = open("/proc/self/uid_map", O_RDONLY);
++ if (fd >= 0) {
++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++ if (strncmp(uid_map, host_uid_map, count) != 0)
++ rc = PAM_IGNORE;
++ close(fd);
++ }
- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
- if (errno != ENOENT) {
- rc = 1;
+- pam_syslog(pamh, LOG_ERR,
+- "Cannot open /proc/self/loginuid: %m");
+ if (errno == ENOENT) {
+ rc = PAM_IGNORE;
-+ } else if (errno == EACCES) {
-+ fd = open("/proc/self/uid_map", O_RDONLY);
-+ if (fd >= 0) {
-+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-+ if (strncmp(uid_map, host_uid_map, count) != 0)
-+ rc = PAM_IGNORE;
-+ close(fd);
-+ }
-+ if (rc != PAM_IGNORE)
-+ errno = EACCES;
+ }
+ if (rc != PAM_IGNORE) {
- pam_syslog(pamh, LOG_ERR,
- "Cannot open /proc/self/loginuid: %m");
++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++ "/proc/self/loginuid");
}
return rc;
}
- if (pam_modutil_write(fd, loginuid, count) != count)
- rc = 1;
+
++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
+ memcmp(buf, loginuid, count) == 0) {
+ rc = PAM_SUCCESS;
+ goto done; /* already correct */
+ }
+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-+ pam_modutil_write(fd, loginuid, count) == count)
++ pam_modutil_write(fd, loginuid, count) == count) {
+ rc = PAM_SUCCESS;
++ } else {
++ if (rc != PAM_IGNORE) {
++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++ "/proc/self/loginuid");
++ }
++ }
+ done:
close(fd);
return rc;
}
-@@ -164,6 +188,7 @@
+@@ -165,6 +196,7 @@
{
const char *user = NULL;
struct passwd *pwd;
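Review bot: in the relocated uid_map check, count from pam_modutil_read() is passed straight to strncmp() as the length without checking for a failed or empty read. A negative count becomes a huge length and compares the uninitialized uid_map buffer. A count of 0 makes strncmp return 0, so the process is treated as being in the host namespace. Require count > 0 before comparing and decide explicitly what rc should be on a read failure. The new "Error writing" branch also stays silent whenever rc is already PAM_IGNORE, which is worth a short comment since it hides write errors inside containers by design.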
@@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
#ifdef HAVE_LIBAUDIT
int require_auditd = 0;
#endif
-@@ -182,9 +207,14 @@
+@@ -183,9 +215,14 @@
return PAM_SESSION_ERR;
}
@@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
}
#ifdef HAVE_LIBAUDIT
-@@ -194,11 +224,12 @@
+@@ -195,11 +232,12 @@
argv++;
}
diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch
new file mode 100644
index 00000000..6c6f1861
--- /dev/null
+++ b/debian/patches-applied/pam_namespace_fix_bashism.patch
@@ -0,0 +1,61 @@
+From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <vorlon@debian.org>
+Date: Tue, 14 Jan 2014 19:48:51 -0800
+Subject: pam_namespace: don't use bashisms in default namespace.init script
+
+* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+namespace init script, so that scripts run with maximum privilege regardless
+of the shell implementation.
+* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+shebang line
+
+This is not a POSIX standard option, it's a bashism. The bash manpage says
+that it's used to prevent the effective user id from being reset to the real
+user id on startup, and to ignore certain unsafe variables from the
+environment.
+
+In the case of pam_namespace, the -p is not necessary for environment
+sanitizing because the PAM module (properly) sanitizes the environment
+before execing the script.
+
+The stated reason given in CVS history for passing -p is to "preserve euid
+when called from setuid apps (su, newrole)." This should be done more
+portably, by calling setuid() before spawning the shell.
+
+Signed-off-by: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/624842
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+---
+ modules/pam_namespace/namespace.init | 2 +-
+ modules/pam_namespace/pam_namespace.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
+index 9ab5806..67d4aa2 100755
+--- a/modules/pam_namespace/namespace.init
++++ b/modules/pam_namespace/namespace.init
+@@ -1,4 +1,4 @@
+-#!/bin/sh -p
++#!/bin/sh
+ # It receives polydir path as $1, the instance path as $2,
+ # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+ # and user name in $4.
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e0d5e30..92883f5 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+ _exit(1);
+ }
+ #endif
++ /* Pass maximum privs when we exec() */
++ if (setuid(geteuid()) < 0) {
++ /* ignore failures, they don't matter */
++ }
++
+ if (execle(init_script, init_script,
+ polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ _exit(1);
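Review bot: the setuid(geteuid()) result is tested and then dropped in an empty block, with a comment saying failures do not matter. The commit message says the call exists so the init script runs with full privilege whatever the shell does. If it fails, execle() still runs and a shell that resets euid to the real uid will execute namespace.init with less privilege than intended, with no trace. Follow the neighbouring error paths and _exit(1), or at least log the failure.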
+--
+cgit v0.12
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index d0e5fe69..51598ca8 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -15,7 +15,7 @@ hurd_no_setfsuid
045_pam_dispatch_jump_is_ignore
054_pam_security_abstract_securetty_handling
055_pam_unix_nullok_secure
-cve-2011-4708.patch
+cve-2010-4708.patch
PAM-manpage-section
update-motd
no_PATH_MAX_on_hurd
@@ -23,4 +23,7 @@ lib_security_multiarch_compat
pam-loginuid-in-containers
cve-2013-7041.patch
cve-2014-2583.patch
+cve-2015-3238.patch
pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
index a89655df..6c2af5bb 100644
--- a/debian/patches-applied/update-motd
+++ b/debian/patches-applied/update-motd
@@ -86,16 +86,16 @@ Index: pam.debian/modules/pam_motd/pam_motd.c
-
- pam_info (pamh, "%s", mtmp);
- break;
-+ /* Run the update-motd dynamic motd scripts, outputting to /var/run/motd.
-+ If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic.
-+ Otherwise, the admin can force a static MOTD by breaking that symlink
-+ and publishing into an /etc/motd text file. */
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd. */
+ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
+ && S_ISDIR(st.st_mode))
+ {
+ mode_t old_mask = umask(0022);
-+ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new"))
-+ rename("/var/run/motd.new", "/var/run/motd");
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
+ umask(old_mask);
}
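Review bot: the rename() of /run/motd.dynamic.new onto /run/motd.dynamic is unchecked, and when system() returns non-zero the partially written .new file is left in place. Check the rename result and unlink the temporary file on the failure path, so a broken update-motd.d script does not leave stale output behind. The comment's reference to the current /etc/pam.d/login and /etc/pam.d/sshd describes configuration outside this file and will drift. Pointing at the motd= option alone is enough.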
diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
index e2ec8a50..d36ff2e5 100644
--- a/debian/po/pt_BR.po
+++ b/debian/po/pt_BR.po
@@ -2,27 +2,28 @@
# Copyright (c) 2007 Steve Langasek <vorlon@debian.org>
# This file is distributed under the same license as the pam package.
# Eder L. Marques <eder@edermarques.net>, 2007-2009.
+# Fernando Ike de Oliveira <fike@midstorm.org>, 2013.
+# Adriano Rafael Gomes <adrianorg@arg.eti.br>, 2009-2015.
#
msgid ""
msgstr ""
-"Project-Id-Version: pam_0.99.7.1-5\n"
+"Project-Id-Version: pam\n"
"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
"POT-Creation-Date: 2011-10-30 15:05-0400\n"
-"PO-Revision-Date: 2011-03-29 13:01-0700\n"
-"Last-Translator: Eder L. Marques <eder@edermarques.net>\n"
+"PO-Revision-Date: 2015-09-18 20:27-0300\n"
+"Last-Translator: Adriano Rafael Gomes <adrianorg@arg.eti.br>\n"
"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
"org>\n"
"Language: pt_BR\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"pt_BR utf-8\n"
#. Type: string
#. Description
#: ../libpam0g.templates:1001
msgid "Services to restart for PAM library upgrade:"
-msgstr "Serviços a serem reiniciados para a atualização de bibliotecas PAM:"
+msgstr "Serviços a serem reiniciados para atualização da biblioteca PAM:"
#. Type: string
#. Description
@@ -35,14 +36,14 @@ msgid ""
msgstr ""
"A maioria dos serviços que utilizam PAM precisam ser reiniciados para usar "
"os módulos construídos para esta nova versão da libpam. Por favor, revise a "
-"seguinte lista separada por espaços de seus scripts init.d para os serviços "
-"a serem reiniciados agora, e a corrija se necessário."
+"seguinte lista separada por espaços de scripts init.d de serviços que serão "
+"reiniciados agora, e a corrija, se necessário."
#. Type: error
#. Description
#: ../libpam0g.templates:2001
msgid "Display manager must be restarted manually"
-msgstr "Gerenciadores de display devem ser reiniciados manualmente"
+msgstr "Gerenciador de display deve ser reiniciado manualmente"
#. Type: error
#. Description
@@ -55,7 +56,7 @@ msgid ""
msgstr ""
"Os gerenciadores de display wdm e xdm precisam ser reiniciados para a nova "
"versão da libpam, mas existem sessões de login X ativas em seu sistema que "
-"podem ser terminadas por este reinicio. Você consequentemente necessitará "
+"serão terminadas por este reinício. Você consequentemente necessitará "
"reiniciar estes serviços manualmente antes que logins X adicionais sejam "
"possíveis."
@@ -63,7 +64,7 @@ msgstr ""
#. Description
#: ../libpam0g.templates:3001
msgid "Failure restarting some services for PAM upgrade"
-msgstr "Falha ao reiniciar alguns serviços para a atualização da PAM"
+msgstr "Falha ao reiniciar alguns serviços para atualização do PAM"
#. Type: error
#. Description
@@ -81,13 +82,14 @@ msgid ""
"You will need to start these manually by running '/etc/init.d/<service> "
"start'."
msgstr ""
-"Você deverá iniciá-los manualmente executando '/etc/init.d/<serviço> start'."
+"Você deverá iniciá-los manualmente executando \"/etc/init.d/<serviço> start"
+"\"."
#. Type: boolean
#. Description
#: ../libpam0g.templates:4001
msgid "Restart services during package upgrades without asking?"
-msgstr ""
+msgstr "Reiniciar serviços durante a atualização de pacotes sem perguntar?"
#. Type: boolean
#. Description
@@ -101,12 +103,20 @@ msgid ""
"necessary restarts will be done for you automatically so you can avoid being "
"asked questions on each library upgrade."
msgstr ""
+"Existem serviços instalados no seu sistema que precisam ser reiniciados "
+"quando determinadas bibliotecas, tais como libpam, libc e libssl são "
+"atualizadas. Uma vez que essas reinicializações podem causar interrupções de "
+"serviços para o sistema, normalmente você terá que responder a cada "
+"atualização qual será a lista de serviços que quiser reiniciar. Você pode "
+"escolher esta opção para evitar novas solicitações; ao invés disso, todas as "
+"reinicializações necessárias serão realizadas automaticamente para evitar "
+"que você responda a cada atualização de biblioteca."
#. Type: title
#. Description
#: ../libpam-runtime.templates:1001
msgid "PAM configuration"
-msgstr ""
+msgstr "Configuração do PAM"
#. Type: multiselect
#. Description
@@ -124,9 +134,9 @@ msgid ""
"sessions."
msgstr ""
"O PAM (\"Pluggable Authentication Modules\") determina como a autenticação, "
-"autorização e alteração de senha são tratados no sistema, assim como permite "
-"a configuração de ações adicionais a serem tomadas quando sessões de usuário "
-"são iniciadas."
+"a autorização e a alteração de senha são tratadas no sistema, assim como "
+"permite a configuração de ações adicionais a serem tomadas quando sessões de "
+"usuário são iniciadas."
#. Type: multiselect
#. Description
@@ -138,7 +148,7 @@ msgid ""
msgstr ""
"Alguns pacotes de módulos PAM fornecem perfis que podem ser usados para "
"ajustar automaticamente o comportamento de todas as aplicações que usam PAM "
-"no sistema. Por favor, indique quais destes comportamentos você deseja "
+"no sistema. Por favor, indique quais desses comportamentos você deseja "
"habilitar."
#. Type: error
@@ -178,7 +188,7 @@ msgid ""
"configuration by hand."
msgstr ""
"Um ou mais dos arquivos /etc/pam.d/common-{auth,account,password,session} "
-"foram modificados localmente. Por favor, indique quais destas modificações "
+"foram modificados localmente. Por favor, indique se essas modificações "
"locais devem ser sobrescritas usando a configuração fornecida pelo sistema. "
"Se você recusar esta opção, você precisará gerenciar a configuração de "
"autenticação do seu sistema manualmente."
@@ -197,15 +207,15 @@ msgid ""
"all users access without authenticating, and is not allowed. Please select "
"at least one PAM profile from the available list."
msgstr ""
-"Nenhum perfil PAM foi selecionado para uso neste sistema. Isto irá garantir "
-"a todos os usuários acesso sem autenticação, e isto não é permitido. Por "
+"Nenhum perfil PAM foi selecionado para uso neste sistema. Isto garantiria a "
+"todos os usuários acesso sem autenticação, e isto não é permitido. Por "
"favor, selecione no mínimo um perfil PAM da lista disponível."
#. Type: error
#. Description
#: ../libpam-modules.templates:1001
msgid "xscreensaver and xlockmore must be restarted before upgrading"
-msgstr "O xscreensaver e xlockmore precisam ser reiniciados antes de atualizar"
+msgstr "xscreensaver e xlockmore devem ser reiniciados antes da atualização"
#. Type: error
#. Description
@@ -220,7 +230,7 @@ msgid ""
msgstr ""
"Uma ou mais instâncias do xscreensaver ou do xlockmore foram detectadas em "
"execução neste sistema. Por causa de modificações incompatíveis de "
-"biblioteca a atualização do pacote libpam-modules impossibilitará você de se "
-"autenticar nestes programas. Você deve providenciar que estes programas "
+"biblioteca, a atualização do pacote libpam-modules impossibilitará você de "
+"se autenticar nestes programas. Você deve providenciar que estes programas "
"sejam reiniciados ou parados antes de continuar com esta atualização, para "
"evitar bloquear seus usuários fora de suas sessões atuais."
diff --git a/debian/watch b/debian/watch
index da5e1ef6..e137cd73 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,4 @@
version=3
-opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz
-
+opts=uversionmangle=s/^(\S+-doc)/0.0.$1/ \
+http://www.linux-pam.org/library/ \
+(?:|.*/)Linux-PAM(?:[_\-]v?|)(\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)
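Review bot: the new watch URL is plain http://www.linux-pam.org/library/ and the opts line carries only uversionmangle, so uscan would download release tarballs over an unauthenticated channel with no signature check. Use https if the site offers it, and add pgpsigurlmangle with the upstream signing key if upstream publishes detached signatures.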