Diffstat (limited to 'modules/pam_userdb')
-rw-r--r--modules/pam_userdb/Makefile.am4
-rw-r--r--modules/pam_userdb/Makefile.in15
-rw-r--r--modules/pam_userdb/README.xml32
-rw-r--r--modules/pam_userdb/pam_userdb.826
-rw-r--r--modules/pam_userdb/pam_userdb.8.xml67
-rw-r--r--modules/pam_userdb/pam_userdb.c7
6 files changed, 76 insertions, 75 deletions
diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am
index aa70e7de..e31d9ccc 100644
--- a/modules/pam_userdb/Makefile.am
+++ b/modules/pam_userdb/Makefile.am
@@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_userdb
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
+if HAVE_VENDORDIR
+secureconfdir = $(VENDOR_SCONFIGDIR)
+else
secureconfdir = $(SCONFIGDIR)
+endif
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
$(WARN_CFLAGS)
diff --git a/modules/pam_userdb/Makefile.in b/modules/pam_userdb/Makefile.in
index 6eb785f0..c19b4231 100644
--- a/modules/pam_userdb/Makefile.in
+++ b/modules/pam_userdb/Makefile.in
@@ -431,6 +431,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
+DOCBOOK_RNG = @DOCBOOK_RNG@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -443,11 +444,13 @@ EXEEXT = @EXEEXT@
EXE_CFLAGS = @EXE_CFLAGS@
EXE_LDFLAGS = @EXE_LDFLAGS@
FGREP = @FGREP@
+FILECMD = @FILECMD@
FO2PDF = @FO2PDF@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
+HTML_STYLESHEET = @HTML_STYLESHEET@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -479,12 +482,14 @@ LIBSELINUX = @LIBSELINUX@
LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
+LOGIND_CFLAGS = @LOGIND_CFLAGS@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
+MAN_STYLESHEET = @MAN_STYLESHEET@
MKDIR_P = @MKDIR_P@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
@@ -507,6 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
+PDF_STYLESHEET = @PDF_STYLESHEET@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
@@ -517,12 +523,16 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
-STRINGPARAM_HMAC = @STRINGPARAM_HMAC@
+STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@
STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
+SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
+SYSTEMD_LIBS = @SYSTEMD_LIBS@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
TIRPC_LIBS = @TIRPC_LIBS@
+TXT_STYLESHEET = @TXT_STYLESHEET@
USE_NLS = @USE_NLS@
+VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@
VERSION = @VERSION@
WARN_CFLAGS = @WARN_CFLAGS@
XGETTEXT = @XGETTEXT@
@@ -596,7 +606,8 @@ XMLS = README.xml pam_userdb.8.xml
dist_check_SCRIPTS = tst-pam_userdb
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
$(WARN_CFLAGS)
diff --git a/modules/pam_userdb/README.xml b/modules/pam_userdb/README.xml
index b22c09e7..4e8f8ee7 100644
--- a/modules/pam_userdb/README.xml
+++ b/modules/pam_userdb/README.xml
@@ -1,41 +1,27 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_userdb.8.xml">
--->
-]>
+<article xmlns="http://docbook.org/ns/docbook" version="5.0">
-<article>
-
- <articleinfo>
+ <info>
<title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_userdb.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_userdb-name"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-name")/*)'/>
</title>
- </articleinfo>
+ </info>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-description")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-options")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-examples")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-author")/*)'/>
</section>
-</article>
+</article> \ No newline at end of file
diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8
index fc002787..c6397723 100644
--- a/modules/pam_userdb/pam_userdb.8
+++ b/modules/pam_userdb/pam_userdb.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_userdb
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/03/2021
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\" Date: 05/07/2023
.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
+.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "PAM_USERDB" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_USERDB" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -37,7 +37,7 @@ pam_userdb \- PAM module to authenticate against a db database
The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\&. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\&.
.SH "OPTIONS"
.PP
-\fBcrypt=[crypt|none]\fR
+crypt=[crypt|none]
.RS 4
Indicates whether encrypted or plaintext passwords are stored in the database\&. If it is
\fBcrypt\fR, passwords should be stored in the database in
@@ -47,7 +47,7 @@ form\&. If
is selected, passwords should be stored in the database as plaintext\&.
.RE
.PP
-\fBdb=\fR\fB\fI/path/database\fR\fR
+db=/path/database
.RS 4
Use the
/path/database
@@ -58,37 +58,37 @@ if no database is provided\&. Note that the path to the database file should be
suffix\&.
.RE
.PP
-\fBdebug\fR
+debug
.RS 4
Print debug information\&. Note that password hashes, both from db and computed, will be printed to syslog\&.
.RE
.PP
-\fBdump\fR
+dump
.RS 4
Dump all the entries in the database to the log\&. Don\*(Aqt do this by default!
.RE
.PP
-\fBicase\fR
+icase
.RS 4
Make the password verification to be case insensitive (ie when working with registration numbers and such)\&. Only works with plaintext password storage\&.
.RE
.PP
-\fBtry_first_pass\fR
+try_first_pass
.RS 4
Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will try to converse\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&.
.RE
.PP
-\fBuse_first_pass\fR
+use_first_pass
.RS 4
Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will fail\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&.
.RE
.PP
-\fBunknown_ok\fR
+unknown_ok
.RS 4
Do not return error when checking for a user that is not in the database\&. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\&.
.RE
.PP
-\fBkey_only\fR
+key_only
.RS 4
The username and password are concatenated together in the database hash as \*(Aqusername\-password\*(Aq with a random value\&. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\&. this is useful in cases where the username may not be unique but the username and password pair are\&.
.RE
diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml
index bce92850..0f964102 100644
--- a/modules/pam_userdb/pam_userdb.8.xml
+++ b/modules/pam_userdb/pam_userdb.8.xml
@@ -1,54 +1,51 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_userdb">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_userdb">
<refmeta>
<refentrytitle>pam_userdb</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+ <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
- <refnamediv id="pam_userdb-name">
+ <refnamediv xml:id="pam_userdb-name">
<refname>pam_userdb</refname>
<refpurpose>PAM module to authenticate against a db database</refpurpose>
</refnamediv>
<refsynopsisdiv>
- <cmdsynopsis id="pam_userdb-cmdsynopsis">
+ <cmdsynopsis xml:id="pam_userdb-cmdsynopsis" sepchar=" ">
<command>pam_userdb.so</command>
- <arg choice="plain">
+ <arg choice="plain" rep="norepeat">
db=<replaceable>/path/database</replaceable>
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
debug
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
crypt=[crypt|none]
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
icase
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
dump
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
try_first_pass
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
use_first_pass
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
unknown_ok
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
key_only
</arg>
</cmdsynopsis>
</refsynopsisdiv>
- <refsect1 id="pam_userdb-description">
+ <refsect1 xml:id="pam_userdb-description">
<title>DESCRIPTION</title>
@@ -60,13 +57,13 @@
</para>
</refsect1>
- <refsect1 id="pam_userdb-options">
+ <refsect1 xml:id="pam_userdb-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
- <option>crypt=[crypt|none]</option>
+ crypt=[crypt|none]
</term>
<listitem>
<para>
@@ -82,13 +79,13 @@
</varlistentry>
<varlistentry>
<term>
- <option>db=<replaceable>/path/database</replaceable></option>
+ db=/path/database
</term>
<listitem>
<para>
Use the <filename>/path/database</filename> database for
performing lookup. There is no default; the module will
- return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
+ return <emphasis remap="B">PAM_IGNORE</emphasis> if no
database is provided. Note that the path to the database file
should be specified without the <filename>.db</filename> suffix.
</para>
@@ -96,7 +93,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>debug</option>
+ debug
</term>
<listitem>
<para>
@@ -107,7 +104,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>dump</option>
+ dump
</term>
<listitem>
<para>
@@ -118,7 +115,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>icase</option>
+ icase
</term>
<listitem>
<para>
@@ -131,7 +128,7 @@
<varlistentry>
<term>
- <option>try_first_pass</option>
+ try_first_pass
</term>
<listitem>
<para>
@@ -146,7 +143,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>use_first_pass</option>
+ use_first_pass
</term>
<listitem>
<para>
@@ -161,7 +158,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>unknown_ok</option>
+ unknown_ok
</term>
<listitem>
<para>
@@ -174,7 +171,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>key_only</option>
+ key_only
</term>
<listitem>
<para>
@@ -191,7 +188,7 @@
</variablelist>
</refsect1>
- <refsect1 id="pam_userdb-types">
+ <refsect1 xml:id="pam_userdb-types">
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option> and <option>account</option> module
@@ -199,7 +196,7 @@
</para>
</refsect1>
- <refsect1 id='pam_userdb-return_values'>
+ <refsect1 xml:id="pam_userdb-return_values">
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
@@ -259,14 +256,14 @@
</variablelist>
</refsect1>
- <refsect1 id='pam_userdb-examples'>
+ <refsect1 xml:id="pam_userdb-examples">
<title>EXAMPLES</title>
<programlisting>
auth sufficient pam_userdb.so icase db=/etc/dbtest
</programlisting>
</refsect1>
- <refsect1 id='pam_userdb-see_also'>
+ <refsect1 xml:id="pam_userdb-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
@@ -284,11 +281,11 @@ auth sufficient pam_userdb.so icase db=/etc/dbtest
</para>
</refsect1>
- <refsect1 id='pam_userdb-author'>
+ <refsect1 xml:id="pam_userdb-author">
<title>AUTHOR</title>
<para>
pam_userdb was written by Cristian Gafton &gt;gafton@redhat.com&lt;.
</para>
</refsect1>
-</refentry>
+</refentry> \ No newline at end of file
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index f467ea4c..297403b0 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -62,7 +62,7 @@ obtain_authtok(pam_handle_t *pamh)
retval = pam_set_item(pamh, PAM_AUTHTOK, resp);
/* clean it up */
- _pam_overwrite(resp);
+ pam_overwrite_string(resp);
_pam_drop(resp);
if ( (retval != PAM_SUCCESS) ||
@@ -181,7 +181,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
if (key.dptr) {
data = dbm_fetch(dbm, key);
- memset(key.dptr, 0, key.dsize);
+ pam_overwrite_n(key.dptr, key.dsize);
free(key.dptr);
}
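Review bot: The switch to `pam_overwrite_n(key.dptr, key.dsize)` carries no comment saying why the lookup key is treated as secret. Going by the `key_only` description in the man page, the key can embed the password, so a line such as `/* key may hold "username-password" (key_only); wipe it with a call meant not to be optimised away */` would keep a later cleanup from reverting it to a plain `memset` before `free`. How `key` is built lies outside this hunk, so confirm that before adding the comment. In the later `user_lookup` hunk (+247) the new `pam_overwrite_string(cryptpw);` runs after `free(cdata);` in the `HAVE_CRYPT_R` block. If `cryptpw` is the `crypt_r()` result it presumably points into `cdata`, which would make that wipe a write to freed memory, so it would need to move ahead of `free(cdata)`.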
@@ -247,8 +247,11 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
free(cdata);
#endif
}
+ pam_overwrite_string(pwhash);
free(pwhash);
}
+
+ pam_overwrite_string(cryptpw);
} else {
/* Unknown password encryption method -