From 8d540fb940a9b4213f19c523c490642356d03edb Mon Sep 17 00:00:00 2001 
From: Niels Thykier Date: Sat, 11 Aug 2018 15:31:24 +0000 Subject: pam (1.1.8-3.8) unstable; urgency=medium * Non-maintainer upload. * Set Rules-Requires-Root to binary-targets as pam relies on chgrp in debian/rules. * Update pam-auth-update to detect write errors and properly fail when that happens. (Closes: #880501) * Remove Roger Leigh from uploaders as he has restired from Debian. (Closes: #869348) * Reduce priority of libpam0g to optional. * Rebuild with a recent version of dpkg-source, which ensures that the Build-Depends are correct in the .dsc file. (Closes: #890602) * Apply patch from Felix Lechner to make pam-auth-update ignore editor backup files. (Closes: #519361) * Apply update to Brazilian Portuguese translations of the debconf templates. Thanks to Adriano Rafael Gomes. (Closes: #799417) [dgit import package pam 1.1.8-3.8] --- debian/patches-applied/007_modules_pam_unix | 462 ++++++ .../patches-applied/008_modules_pam_limits_chroot | 132 ++ debian/patches-applied/021_nis_cleanup | 44 + .../022_pam_unix_group_time_miscfixes | 22 + .../026_pam_unix_passwd_unknown_user | 33 + .../027_pam_limits_better_init_allow_explicit_root | 253 +++ debian/patches-applied/031_pam_include | 72 + .../patches-applied/032_pam_limits_EPERM_NOT_FATAL | 22 + .../036_pam_wheel_getlogin_considered_harmful | 145 ++ debian/patches-applied/040_pam_limits_log_failure | 36 + .../045_pam_dispatch_jump_is_ignore | 31 + .../054_pam_security_abstract_securetty_handling | 199 +++ debian/patches-applied/055_pam_unix_nullok_secure | 223 +++ debian/patches-applied/PAM-manpage-section | 1637 ++++++++++++++++++++ debian/patches-applied/cve-2010-4708.patch | 64 + debian/patches-applied/cve-2013-7041.patch | 44 + debian/patches-applied/cve-2014-2583.patch | 47 + debian/patches-applied/cve-2015-3238.patch | 180 +++ .../patches-applied/do_not_check_nis_accidentally | 22 + debian/patches-applied/hurd_no_setfsuid | 77 + .../patches-applied/lib_security_multiarch_compat | 71 + 
.../make_documentation_reproducible.patch | 28 + debian/patches-applied/no_PATH_MAX_on_hurd | 22 + .../pam-limits-nofile-fd-setsize-cap | 58 + debian/patches-applied/pam-loginuid-in-containers | 146 ++ .../pam_namespace_fix_bashism.patch | 61 + .../pam_unix_dont_trust_chkpwd_caller.patch | 25 + .../pam_unix_fix_sgid_shadow_auth.patch | 25 + debian/patches-applied/series | 29 + debian/patches-applied/update-motd | 168 ++ 30 files changed, 4378 insertions(+) create mode 100644 debian/patches-applied/007_modules_pam_unix create mode 100644 debian/patches-applied/008_modules_pam_limits_chroot create mode 100644 debian/patches-applied/021_nis_cleanup create mode 100644 debian/patches-applied/022_pam_unix_group_time_miscfixes create mode 100644 debian/patches-applied/026_pam_unix_passwd_unknown_user create mode 100644 debian/patches-applied/027_pam_limits_better_init_allow_explicit_root create mode 100644 debian/patches-applied/031_pam_include create mode 100644 debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL create mode 100644 debian/patches-applied/036_pam_wheel_getlogin_considered_harmful create mode 100644 debian/patches-applied/040_pam_limits_log_failure create mode 100644 debian/patches-applied/045_pam_dispatch_jump_is_ignore create mode 100644 debian/patches-applied/054_pam_security_abstract_securetty_handling create mode 100644 debian/patches-applied/055_pam_unix_nullok_secure create mode 100644 debian/patches-applied/PAM-manpage-section create mode 100644 debian/patches-applied/cve-2010-4708.patch create mode 100644 debian/patches-applied/cve-2013-7041.patch create mode 100644 debian/patches-applied/cve-2014-2583.patch create mode 100644 debian/patches-applied/cve-2015-3238.patch create mode 100644 debian/patches-applied/do_not_check_nis_accidentally create mode 100644 debian/patches-applied/hurd_no_setfsuid create mode 100644 debian/patches-applied/lib_security_multiarch_compat create mode 100644 
debian/patches-applied/make_documentation_reproducible.patch create mode 100644 debian/patches-applied/no_PATH_MAX_on_hurd create mode 100644 debian/patches-applied/pam-limits-nofile-fd-setsize-cap create mode 100644 debian/patches-applied/pam-loginuid-in-containers create mode 100644 debian/patches-applied/pam_namespace_fix_bashism.patch create mode 100644 debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch create mode 100644 debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch create mode 100644 debian/patches-applied/series create mode 100644 debian/patches-applied/update-motd (limited to 'debian/patches-applied') diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix new file mode 100644 index 00000000..5dae4064 --- /dev/null +++ b/debian/patches-applied/007_modules_pam_unix 
@@ -0,0 +1,462 @@ +Index: pam.debian/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam.debian/modules/pam_unix/pam_unix_passwd.c +@@ -102,6 +102,9 @@ + # endif /* GNU libc 2.1 */ + #endif + ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ + /* + How it works: + Gets in username (has to be done) from the calling program +@@ -521,6 +524,11 @@ + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -536,7 +544,7 @@ + int retval; + int remember = -1; + int rounds = -1; +- int pass_min_len = 0; ++ int pass_min_len = 6; + + /* */ + const char *user; +Index: pam.debian/modules/pam_unix/support.h +=================================================================== +--- pam.debian.orig/modules/pam_unix/support.h ++++ pam.debian/modules/pam_unix/support.h +@@ -97,8 +97,9 @@ + password hash algorithms */ + #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ + #define UNIX_MIN_PASS_LEN 27 /* min length for password */ ++#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -107,34 +108,35 @@ + /* symbol token name ctrl mask ctrl * + * ----------------------- ------------------- --------------------- -------- */ + +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 
0}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0}, +-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, +-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20, 0}, ++/* 
UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x2C22000), 0x2000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2C22000), 0x20000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x2C22000), 0x400000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, ++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +Index: pam.debian/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.debian/modules/pam_unix/pam_unix.8.xml +@@ -337,8 +337,81 @@ + + + Set a minimum password length of n +- characters. The max. for DES crypt based passwords are 8 +- characters. ++ characters. The default value is 6. The maximum for DES ++ crypt-based passwords is 8 characters. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Enable some extra checks on password strength. 
These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't too much like ++ the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ ++ ++ ++ + + + +Index: pam.debian/modules/pam_unix/obscure.c +=================================================================== +--- /dev/null ++++ pam.debian/modules/pam_unix/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. 
*/ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. Two types, 7, and so on. ++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ 
char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (!UNIX_DES_CRYPT(ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +Index: pam.debian/modules/pam_unix/Makefile.am +=================================================================== +--- pam.debian.orig/modules/pam_unix/Makefile.am ++++ pam.debian/modules/pam_unix/Makefile.am +@@ -43,7 +43,7 @@ + + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c ++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + if STATIC_MODULES + pam_unix_la_SOURCES += pam_unix_static.c + endif +Index: pam.debian/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8 ++++ pam.debian/modules/pam_unix/pam_unix.8 +@@ -183,7 +183,38 @@ + .RS 4 + Set a minimum password length of + \fIn\fR +-characters\&. The max\&. for DES crypt based passwords are 8 characters\&. ++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. 
++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. ++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. ++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt too much like the previous one\&. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") ++.RE ++.sp + .RE + .PP + Invalid arguments are logged with diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot new file mode 100644 index 00000000..fd4fc3a8 --- /dev/null +++ b/debian/patches-applied/008_modules_pam_limits_chroot 
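Review bot: `password_check()` in the new obscure.c passes the results of `strdup()` and `malloc()` straight to `str_lower()`, `strcpy()` and `strcat()`, so an allocation failure during a password change dereferences NULL inside the process that loaded pam_unix; the two `strndup()` calls in `obscure_msg()` have the same gap. The fenced rewrite checks the three allocations and rejects the change instead of skipping the checks. `str_lower()` and `simple()` also hand plain `char` values to `tolower()`/`isdigit()`/`isupper()`/`islower()`, which is undefined for bytes above 0x7f where `char` is signed, so cast to `unsigned char` first. Separately, `palindrome()` ignores `old` and only tests whether the new password reads the same backwards, while the man page text added here describes it as the reverse of the previous password; one of the two should be corrected.

```c
	/* … unchanged: declarations and the strcmp(new, old) early return … */
	newmono = strdup(new);
	oldmono = strdup(old);
	wrapped = oldmono ? malloc(strlen(oldmono) * 2 + 1) : NULL;
	if (newmono == NULL || oldmono == NULL || wrapped == NULL) {
		/* out of memory: refuse the change rather than skip the checks */
		msg = _("Bad: unable to check the new password");
		goto done;
	}
	str_lower(newmono);
	str_lower(oldmono);
	strcpy (wrapped, oldmono);
	strcat (wrapped, oldmono);

	/* … unchanged: palindrome / case / similar / simple / wrapped checks … */

done:
	/* assumes _pam_delete() tolerates NULL; confirm against its definition */
	_pam_delete(newmono);
	_pam_delete(oldmono);
	_pam_delete(wrapped);
```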
@@ -0,0 +1,132 @@ +Index: pam.debian/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.debian.orig/modules/pam_limits/pam_limits.c ++++ pam.debian/modules/pam_limits/pam_limits.c +@@ -87,6 +87,7 @@ + int flag_numsyslogins; /* whether to limit logins only for a + specific user or to count all logins */ + int priority; /* the priority to run user process with */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + const char *conf_file; + int utmp_after_pam_call; +@@ -97,6 +98,7 @@ + #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 + + #define LIMIT_PRI RLIM_NLIMITS+3 ++#define LIMIT_CHROOT RLIM_NLIMITS+4 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -472,6 +474,8 @@ + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -542,6 +546,8 @@ + pl->flag_numsyslogins = 1; + } else if (strcmp(lim_item, "priority") == 0) { + limit_item = LIMIT_PRI; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -579,9 +585,9 @@ + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -642,7 +648,11 @@ + #endif + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) { ++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1); ++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; ++ } ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) ) { + if (limit_type & LIMIT_SOFT) { +@@ -986,6 +996,15 @@ + retval |= LOGIN_ERR; + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); 
++ if (i == 0) ++ i = chroot(pl->chroot_dir); ++ if (i == 0) ++ i = chdir("/"); ++ if (i != 0) ++ retval = LIMIT_ERR; ++ } + return retval; + } + +Index: pam.debian/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml +@@ -255,6 +255,12 @@ + (Linux 2.6.12 and higher) + + ++ ++ ++ ++ the directory to chroot the user to ++ ++ + + + +Index: pam.debian/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -260,6 +260,11 @@ + .RS 4 + maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) + .RE ++.PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to ++.RE + .RE + .PP + All items support the values +Index: pam.debian/modules/pam_limits/limits.conf +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf ++++ pam.debian/modules/pam_limits/limits.conf +@@ -35,6 +35,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to values: [-20, 19] + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + # + # +@@ -45,6 +46,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file diff --git a/debian/patches-applied/021_nis_cleanup b/debian/patches-applied/021_nis_cleanup new file mode 100644 index 00000000..6b62bb7a --- /dev/null +++ b/debian/patches-applied/021_nis_cleanup 
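Review bot: An over-long `chroot` value is silently cut to fit `chroot_dir` by the `strncpy` in the `LIMIT_CHROOT` branch, so the session would later be confined to a prefix of the configured path instead of the entry being rejected; compare the length first, `if (strlen(value_orig) >= sizeof(pl->chroot_dir)) { pam_syslog(pamh, LOG_ERR, "chroot path too long"); return; }`. The chdir/chroot/chdir("/") sequence added near the end of the limit setup returns `LIMIT_ERR` without recording which step failed, so a `pam_syslog(pamh, LOG_ERR, "chroot to '%s' failed: %m", pl->chroot_dir);` before `retval = LIMIT_ERR;` would make a failed confinement visible in the logs (assuming `pamh` is in scope there as it is for the other logging calls). The limits.conf text added here could also state that the target directory should not be writable by the confined user. Both enclosing functions start and end outside their hunks.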
@@ -0,0 +1,44 @@
+Patch from Philippe Troin
+
+Originally this included a bunch of changes to locking, but the more
+recent code pulled from Linux_pam CVS seems to fix that issue.
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -577,7 +577,7 @@
+
+ if (_unix_blankpasswd(pamh, ctrl, user)) {
+ return PAM_SUCCESS;
+- } else if (off(UNIX__IAMROOT, ctrl)) {
++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
+ /* instruct user what is happening */
+ if (asprintf(&Announce, _("Changing password for %s."),
+ user) < 0) {
+@@ -590,7 +590,9 @@
+ set(UNIX__OLD_PASSWD, lctrl);
+ retval = _unix_read_password(pamh, lctrl
+ ,Announce
+- ,_("(current) UNIX password: ")
++ ,(on(UNIX__IAMROOT, ctrl)
++ ? _("NIS server root password: ")
++ : _("(current) UNIX password: "))
+ ,NULL
+ ,_UNIX_OLD_AUTHTOK
+ ,&pass_old);
+@@ -601,9 +603,12 @@
+ "password - (old) token not obtained");
+ return retval;
+ }
+- /* verify that this is the password for this user */
++ /* verify that this is the password for this user
++ * if we're not using NIS */
+
+- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ if (off(UNIX_NIS, ctrl)) {
++ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ }
+ } else {
+ D(("process run by root so do nothing this time around"));
+ pass_old = NULL;
diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes
new file mode 100644
index 00000000..73cba7a2
--- /dev/null
+++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes
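Review bot: The last inner hunk skips `_unix_verify_password()` whenever the `nis` option is set, for every caller and every account rather than only for accounts that actually come from NIS, so in this phase the old password of a local account is accepted unchecked on hosts configured with `nis`. If a later phase or the NIS server is relied on to reject a wrong old password, say so at the skip, e.g. `/* with nis the old password is checked later by <where>, not here */`, or narrow the condition to accounts served by NIS. The first inner hunk also makes root see the "NIS server root password: " prompt on any host that has `nis` set, which deserves a line in the pam_unix man page. The enclosing function starts and ends outside the hunk.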
@@ -0,0 +1,22 @@
+Description: handle the case of flags being empty or only PAM_SILENT, which is
+ documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
+ http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
+
+Index: pam.deb/modules/pam_group/pam_group.c
+===================================================================
+--- pam.deb.orig/modules/pam_group/pam_group.c
++++ pam.deb/modules/pam_group/pam_group.c
+@@ -765,9 +765,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user
new file mode 100644
index 00000000..1b1aade2
--- /dev/null
+++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user
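Review bot: The two added comparisons `(setting != 0) && (setting != PAM_SILENT)` read more directly as one mask test, `&& (setting & ~PAM_SILENT) != 0`, which states the intent (some flag other than PAM_SILENT is present) and is equivalent as long as PAM_SILENT is a single bit. Because the change widens the set of calls on which the module goes on to apply group memberships, the added comment could also say that a caller passing no flags at all is now treated as a credential-establishing call. The enclosing function starts and ends outside the hunk.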
@@ -0,0 +1,33 @@
+Description: distinguish between password manipulation failure and missing user.
+Author: Martin Schwenke
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -719,7 +719,7 @@
+ struct passwd *tmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ security_context_t prev_context=NULL;
+@@ -790,6 +790,7 @@
+
+ tmpent->pw_passwd = assigned_passwd.charp;
+ err = 0;
++ found = 1;
+ }
+ if (putpwent(tmpent, pwfile)) {
+ D(("error writing entry to password file: %m"));
+@@ -832,7 +833,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(PW_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
new file mode 100644
index 00000000..717fdd5c
--- /dev/null
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
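Review bot: `found` is set only once the user's entry has been reached, so any failure that leaves `err` non-zero before that point is now reported as `PAM_USER_UNKNOWN`; the `putpwent()` failure branch visible in the second inner hunk looks like one such case if it aborts the copy loop, though its body is outside the hunk. A caller would then be told the account does not exist when the real problem was a write error on the temporary password file. Keeping a separate flag for I/O failures avoids that, e.g. `int wrerr = 0;` set in the failure branch and `return (found || wrerr) ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;`. The enclosing function starts and ends outside the hunks.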
@@ -0,0 +1,253 @@ +Description: Allow explicit limits for root and reset limits on each session + When crossing session boundaries (such as when su'ing from one user to + another), if the target account has no limit specified in limits.conf we + want to use the default, not the current value configured for the + source account. + . + If /proc/1/limits is unavailable, fall back to a set of hard-coded values + that shadow the currently known defaults on Linux. + . + Also, don't apply wildcard limits to the root account; only apply limits to + root that reference root by name. +Author: Peter Paluch , + Ben Collins , + Steve Langasek , +Bug-Debian: http://bugs.debian.org/63230 +Index: pam.debian/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.debian.orig/modules/pam_limits/pam_limits.c ++++ pam.debian/modules/pam_limits/pam_limits.c +@@ -45,6 +45,14 @@ + #include + #endif + ++#ifndef MLOCK_LIMIT ++#ifdef __FreeBSD_kernel__ ++#define MLOCK_LIMIT RLIM_INFINITY ++#else ++#define MLOCK_LIMIT (64*1024) ++#endif ++#endif ++ + /* Module defines */ + #define LINE_LENGTH 1024 + +@@ -82,6 +90,7 @@ + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? 
*/ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -436,9 +445,18 @@ + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + ++ pl->root = 0; ++ ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -454,18 +472,68 @@ + } + + #ifdef __linux__ +- if (ctrl & PAM_SET_ALL) { +- parse_kernel_limits(pamh, pl, ctrl); ++ parse_kernel_limits(pamh, pl, ctrl); ++#endif + +- for(i = 0; i < RLIM_NLIMITS; i++) { ++ for(i = 0; i < RLIM_NLIMITS; i++) { + if (pl->limits[i].supported && + (pl->limits[i].src_soft == LIMITS_DEF_NONE || + pl->limits[i].src_hard == LIMITS_DEF_NONE)) { +- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#endif ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 
819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } +- } + } +-#endif + + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); +@@ -804,7 +872,7 @@ + + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -830,7 +898,7 @@ + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); + } +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -864,7 +932,7 @@ + } else { + switch(rngtype) { + case LIMIT_RANGE_NONE: +- if (strcmp(domain, "*") == 0) ++ if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + break; +@@ -1050,6 +1118,8 @@ + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable ' -' entry", CONF_FILE)); +Index: pam.debian/modules/pam_limits/limits.conf +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf ++++ pam.debian/modules/pam_limits/limits.conf +@@ -11,6 +11,9 @@ + # - the wildcard *, for default entry + # - the 
wildcard %, can be also used with %group syntax, + # for maxlogin limit ++# - NOTE: group and wildcard limits are not applied to root. ++# To apply a limit to the root user, must be ++# the literal username root. + # + # can have the two values: + # - "soft" for enforcing the soft limits +@@ -41,6 +44,7 @@ + # + + #* soft core 0 ++#root hard core 100000 + #* hard rss 10000 + #@student hard nproc 20 + #@faculty soft nproc 20 +Index: pam.debian/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml +@@ -88,6 +88,11 @@ + + + ++ ++ NOTE: group and wildcard limits are not ++ applied to the root user. To set a limit for the root user, this field ++ must contain the literal username root. ++ + + + +@@ -309,6 +314,7 @@ + + + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam.debian/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -132,6 +132,10 @@ + \fB%:\fR\fI\fR + applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. + .RE ++.sp ++\fBNOTE:\fR ++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username ++\fBroot\fR\&. + .RE + .PP + \fB\fR +@@ -304,6 +308,7 @@ + .\} + .nf + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam.debian/modules/pam_limits/README +=================================================================== +--- pam.debian.orig/modules/pam_limits/README ++++ pam.debian/modules/pam_limits/README +@@ -54,6 +54,7 @@ + limits.conf. 
+ + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include new file mode 100644 index 00000000..da689047 --- /dev/null +++ b/debian/patches-applied/031_pam_include 
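Review bot: `mlock_limit` is declared `static int` but is assigned `sysconf(_SC_PAGESIZE)`, a `long` that is -1 on error, and on `__FreeBSD_kernel__` it is assigned `MLOCK_LIMIT` defined as `RLIM_INFINITY`, which does not fit in an `int`, so the value later copied into `rlim_cur`/`rlim_max` for `RLIMIT_MEMLOCK` depends on implicit conversions. Declaring it `static rlim_t mlock_limit = 0;` and computing it as `long pagesize = sysconf(_SC_PAGESIZE);` followed by `mlock_limit = (pagesize > 0 && (rlim_t)pagesize > MLOCK_LIMIT) ? (rlim_t)pagesize : MLOCK_LIMIT;` keeps the arithmetic in the type the limit is stored in. The hard-coded fallbacks (16382, 819200, 8192*1024, 1024) would benefit from named constants or a comment naming the kernel defaults they mirror. The documentation added here says group and wildcard limits are not applied to root, but only the `@`, `%` and `*` branches are visibly guarded by `!pl->root`; the uid/gid range cases of the same switch are outside the hunk and should be confirmed to match.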
@@ -0,0 +1,72 @@ +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz + +Upstream status: not yet submitted + +Index: pam.debian/libpam/pam_handlers.c +=================================================================== +--- pam.debian.orig/libpam/pam_handlers.c ++++ pam.debian/libpam/pam_handlers.c +@@ -122,6 +122,10 @@ + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; ++ } else if (!strcasecmp("@include", tok)) { ++ pam_include = 1; ++ module_type = requested_module_type; ++ goto parsing_done; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); +@@ -192,8 +196,10 @@ + _pam_set_default_control(actions, _PAM_ACTION_BAD); + } + ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { ++ struct stat include_dir; + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, +@@ -204,13 +210,35 @@ + return PAM_ABORT; + } + } +- if (_pam_load_conf_file(pamh, tok, this_service, module_type, +- stack_level + substack ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, ++ module_type, stack_level + substack ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) ++ continue; ++ } ++ else if (!stat(PAM_CONFIG_D, &include_dir) ++ && S_ISDIR(include_dir.st_mode)) ++ { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, ++ module_type, stack_level + substack + #ifdef PAM_READ_BOTH_CONFS + , !other + #endif /* PAM_READ_BOTH_CONFS */ +- ) == PAM_SUCCESS) +- continue; ++ ) == PAM_SUCCESS) ++ { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = 
NULL; + handler_type = PAM_HT_MUST_FAIL; diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL new file mode 100644 index 00000000..58fab0ee --- /dev/null +++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL @@ -0,0 +1,22 @@ +setrlimit will sometimes return EPERM for example if you try to increase the +number of open files too much. This is not something we want to consider +fatal. This also happens if you use non-root and try to decrease a limit. +Running PAM as non-root is not so great. + +Authors: ? + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam.deb/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -735,6 +735,8 @@ + if (res != 0) + pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", + rlimit2str(i)); ++ if (res == -1 && errno == EPERM) ++ continue; + status |= res; + } + diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful new file mode 100644 index 00000000..146d3e0a --- /dev/null +++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful 
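Review bot: In the `@include` path of 031_pam_include, `tok` is dereferenced as `tok[0]` right after `_pam_StrTok(NULL, " \n\t", &nexttok)`, and no NULL check is visible in the hunk. If `_pam_StrTok` returns NULL for an `@include` line with no file name (to be confirmed against its definition), parsing would crash instead of falling through to the `PAM_HT_MUST_FAIL` handling below. Guard both branches, `if (tok != NULL && tok[0] == '/') {` and `else if (tok != NULL && !stat(PAM_CONFIG_D, &include_dir)`, so a malformed line fails closed. Relative names are also formatted into `PAM_CONFIG_DF` unchecked, so a comment stating whether names containing `/` or `..` are meant to be accepted would help. The enclosing function starts and ends outside the hunk.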
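Review bot: The added `if (res == -1 && errno == EPERM) continue;` in 032_pam_limits_EPERM_NOT_FATAL skips `status |= res` for every resource, so a limit from limits.conf that could not be applied leaves the session running with the limit it inherited. The patch header explains the intent, but the code carries no comment. Add one at the check, for example `/* EPERM is deliberately non-fatal: the session keeps its inherited limit */`, so a later reader does not take the `continue` for an oversight. The enclosing loop starts outside the hunk.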
@@ -0,0 +1,145 @@ +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> + +Index: pam.debian/modules/pam_wheel/pam_wheel.c +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.c ++++ pam.debian/modules/pam_wheel/pam_wheel.c +@@ -60,9 +60,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -80,8 +79,7 @@ + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. 
*/ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -129,27 +127,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (!tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- if (fromsu) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- if (!fromsu || !tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (!tpwd) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + + trust + +- +- use_uid +- + + + +@@ -115,18 +112,6 @@ + + + +- +- +- +- +- +- +- The check for wheel membership will be done against +- the current uid instead of the original one (useful when +- jumping with su from one account to another for example). 
+- +- +- + + + +Index: pam.debian/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.debian.orig/modules/pam_wheel/pam_wheel.8 ++++ pam.debian/modules/pam_wheel/pam_wheel.8 +@@ -31,7 +31,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP \w'\fBpam_wheel\&.so\fR\ 'u +-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -72,11 +72,6 @@ + .RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. + .RE +-.PP +-\fBuse_uid\fR +-.RS 4 +-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&. +-.RE + .SH "MODULE TYPES PROVIDED" + .PP + The +Index: pam.debian/modules/pam_wheel/README +=================================================================== +--- pam.debian.orig/modules/pam_wheel/README ++++ pam.debian/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check for wheel membership will be done against the current uid instead +- of the original one (useful when jumping with su from one account to +- another for example). +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure new file mode 100644 index 00000000..f80273e7 --- /dev/null +++ b/debian/patches-applied/040_pam_limits_log_failure 
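Review bot: In the pam_wheel.c argument parser, `else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */` hides an empty statement at the end of the condition. It is easy to misread as guarding the `else if` that follows, and some compilers warn about an empty body. An explicit empty block reads more safely: `else if (!strcmp(*argv,"use_uid")) { /* accepted for compatibility; the uid is always used */ }`. The same patch removes `use_uid` from pam_wheel.8.xml, pam_wheel.8 and README although the parser still accepts it, so a one-line entry saying the option is accepted and ignored would help administrators auditing existing configurations.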
@@ -0,0 +1,36 @@ +Patch for Debian bug #180310 + +Generate some (low-severity) log information whenever setrlimit() fails, +for debugging purposes. + +Authors: Sam Hartman + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam.deb/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -732,9 +732,19 @@ + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; + res = setrlimit(i, &pl->limits[i].limit); +- if (res != 0) +- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", +- rlimit2str(i)); ++ if (res != 0 && (i != RLIMIT_NOFILE ++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) ++ { ++ int save_errno = errno; ++ pam_syslog(pamh, LOG_DEBUG, ++ "Could not set limit for '%s' to soft=%d, hard=%d:" ++ " %m; uid=%lu,euid=%lu", rlimit2str(i), ++ pl->limits[i].limit.rlim_cur, ++ pl->limits[i].limit.rlim_max, ++ (unsigned long) getuid(), ++ (unsigned long) geteuid()); ++ errno = save_errno; ++ } + if (res == -1 && errno == EPERM) + continue; + status |= res; diff --git a/debian/patches-applied/045_pam_dispatch_jump_is_ignore b/debian/patches-applied/045_pam_dispatch_jump_is_ignore new file mode 100644 index 00000000..0e3491d3 --- /dev/null +++ b/debian/patches-applied/045_pam_dispatch_jump_is_ignore 
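Review bot: The new `pam_syslog` call in 040_pam_limits_log_failure formats `rlim_cur` and `rlim_max` with `%d`, but both are `rlim_t` (the same hunk compares `rlim_cur` with `RLIM_INFINITY`). Where `rlim_t` is wider than `int`, the specifier does not match the argument, and the `uid`/`euid` values after it can be misreported too. Use a matching specifier with a cast, e.g. `soft=%llu, hard=%llu` with `(unsigned long long) pl->limits[i].limit.rlim_cur` and the same for `rlim_max`. The move from `LOG_ERR` to `LOG_DEBUG` also means a limit that failed to apply is not recorded at default log levels; that trade-off deserves a sentence in the patch header. The enclosing loop starts outside the hunk.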
@@ -0,0 +1,31 @@ + +Previously jumps were treated as PAM_IGNORE in the freezing part of +the chain and PAM_OK (aka required) in the frozen part of the chain. +No one on pam-list was able to explain this behavior, so I changed it +to be consistent. + +Index: pam.debian/libpam/pam_dispatch.c +=================================================================== +--- pam.debian.orig/libpam/pam_dispatch.c ++++ pam.debian/libpam/pam_dispatch.c +@@ -254,19 +254,7 @@ + if ( _PAM_ACTION_IS_JUMP(action) ) { + + /* If we are evaluating a cached chain, we treat this +- module as required (aka _PAM_ACTION_OK) as well as +- executing the jump. */ +- +- if (use_cached_chain) { +- if (impression == _PAM_UNDEF +- || (impression == _PAM_POSITIVE +- && status == PAM_SUCCESS) ) { +- if ( retval != PAM_IGNORE || cached_retval == retval ) { +- impression = _PAM_POSITIVE; +- status = retval; +- } +- } +- } ++ module as ignored as well as executing the jump. */ + + /* this means that we need to skip #action stacked modules */ + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { diff --git a/debian/patches-applied/054_pam_security_abstract_securetty_handling b/debian/patches-applied/054_pam_security_abstract_securetty_handling new file mode 100644 index 00000000..91d6809f --- /dev/null +++ b/debian/patches-applied/054_pam_security_abstract_securetty_handling 
@@ -0,0 +1,199 @@ +Description: extract the securetty logic for use with the "nullok_secure" option + introduced in the "055_pam_unix_nullok_secure" patch. + +Index: pam.debian/modules/pam_securetty/pam_securetty.c +=================================================================== +--- pam.debian.orig/modules/pam_securetty/pam_securetty.c ++++ pam.debian/modules/pam_securetty/pam_securetty.c +@@ -1,7 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" + #define CMDLINE_FILE "/proc/cmdline" + #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + +@@ -40,6 +38,9 @@ + #include + #include + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + #define PAM_NOCONSOLE_ARG 0x0002 + +@@ -73,11 +74,7 @@ + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -105,50 +102,7 @@ + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { +- uttyname += sizeof(TTY_PREFIX)-1; +- } +- +- if (stat(SECURETTY_FILE, &ttyfileinfo)) { +- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +- return PAM_SUCCESS; /* for compatibility with old securetty handling, +- this needs to succeed. But we still log the +- error. 
*/ +- } +- +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { +- /* If the file is world writable or is not a +- normal file, return error */ +- pam_syslog(pamh, LOG_ERR, +- "%s is either world writable or not a normal file", +- SECURETTY_FILE); +- return PAM_AUTH_ERR; +- } +- +- ttyfile = fopen(SECURETTY_FILE,"r"); +- if (ttyfile == NULL) { /* Check that we opened it successfully */ +- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); +- return PAM_SERVICE_ERR; +- } +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') +- ttyfileline[strlen(ttyfileline) - 1] = '\0'; +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); +- } +- fclose(ttyfile); ++ retval = _pammodutil_tty_secure(pamh, uttyname); + + if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { + FILE *cmdlinefile; +Index: pam.debian/modules/pam_securetty/tty_secure.c +=================================================================== +--- /dev/null ++++ pam.debian/modules/pam_securetty/tty_secure.c +@@ -0,0 +1,90 @@ ++/* ++ * A function to determine if a particular line is in /etc/securetty ++ */ ++ ++ ++#define SECURETTY_FILE "/etc/securetty" ++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_securetty by Sam Hartman ++ * */ ++/* ++ * by Elliot Lee , Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 
1996/12/3 ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", ++ SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. */ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ pam_syslog(pamh, LOG_ERR, ++ "%s is either world writable or not a normal file", ++ SECURETTY_FILE); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ } ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} +Index: pam.debian/modules/pam_securetty/Makefile.am 
+=================================================================== +--- pam.debian.orig/modules/pam_securetty/Makefile.am ++++ pam.debian/modules/pam_securetty/Makefile.am +@@ -24,6 +24,10 @@ + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure new file mode 100644 index 00000000..8c1b84c7 --- /dev/null +++ b/debian/patches-applied/055_pam_unix_nullok_secure 
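Review bot: `_pammodutil_tty_secure` in the new tty_secure.c returns `PAM_SUCCESS` when `stat(SECURETTY_FILE, ...)` fails, and 055_pam_unix_nullok_secure treats `PAM_SUCCESS` as "this tty is secure". On a system without /etc/securetty, `nullok_secure` would therefore accept blank passwords from any tty. The fallback is kept for pam_securetty compatibility, so state it at the function header, e.g. `/* NOTE: returns PAM_SUCCESS when /etc/securetty is absent; callers gating blank passwords inherit that */`, and in the nullok_secure text of the pam_unix README and man pages. Separately, `ttyfileline[strlen(ttyfileline) - 1]` reads index -1 if `fgets` returns an empty string; `size_t len = strlen(ttyfileline); if (len > 0 && ttyfileline[len - 1] == '\n')` avoids that.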
@@ -0,0 +1,223 @@ +Debian patch to add a new 'nullok_secure' option to pam_unix, which +accepts users with null passwords only when the applicant is connected +from a tty listed in /etc/securetty. + +Authors: Sam Hartman , + Steve Langasek + +Upstream status: not yet submitted + +Index: pam.debian/modules/pam_unix/support.c +=================================================================== +--- pam.debian.orig/modules/pam_unix/support.c ++++ pam.debian/modules/pam_unix/support.c +@@ -189,13 +189,22 @@ + /* now parse the arguments to this module */ + + for (; argc-- > 0; ++argv) { ++ int sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -565,6 +574,7 @@ + child = fork(); + if (child == 0) { + int i=0; ++ int nullok = off(UNIX__NONULL, ctrl); + struct rlimit rlim; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; +@@ -595,7 +605,18 @@ + /* exec binary helper */ + args[0] = strdup(CHKPWD_HELPER); + args[1] = x_strdup(user); +- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ ++ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ const void *uttyname; ++ retval = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval != PAM_SUCCESS || uttyname == NULL ++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ { ++ nullok = 0; ++ } ++ } ++ ++ if (nullok) { + args[2]=strdup("nullok"); + } else { + args[2]=strdup("nonull"); +@@ -675,6 +696,17 @@ + if (on(UNIX__NONULL, ctrl)) + return 0; /* will fail but don't let on yet */ + ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ 
int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + /* UNIX passwords area */ + + retval = get_pwd_hash(pamh, name, &pwd, &salt); +@@ -761,7 +793,8 @@ + } + } + } else { +- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); ++ retval = verify_pwd_hash(p, salt, ++ _unix_blankpasswd(pamh, ctrl, name)); + } + + if (retval == PAM_SUCCESS) { +Index: pam.debian/modules/pam_unix/support.h +=================================================================== +--- pam.debian.orig/modules/pam_unix/support.h ++++ pam.debian/modules/pam_unix/support.h +@@ -98,8 +98,9 @@ + #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ + #define UNIX_MIN_PASS_LEN 27 /* min length for password */ + #define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ ++#define UNIX_NULLOK_SECURE 29 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -117,7 +118,7 @@ + /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40, 0}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200, 0}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, +@@ -137,6 +138,7 @@ + /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1}, + /* UNIX_MIN_PASS_LEN */ {"minlen=", 
_ALL_ON_, 0x4000000, 0}, + /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000, 0}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -172,6 +174,9 @@ + ,const char *data_name + ,const void **pass); + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + extern int _unix_run_verify_binary(pam_handle_t *pamh, + unsigned int ctrl, const char *user, int *daysleft); + #endif /* _PAM_UNIX_SUPPORT_H */ +Index: pam.debian/modules/pam_unix/Makefile.am +=================================================================== +--- pam.debian.orig/modules/pam_unix/Makefile.am ++++ pam.debian/modules/pam_unix/Makefile.am +@@ -30,7 +30,8 @@ + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ +- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) ++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ ++ ../pam_securetty/tty_secure.lo + + securelib_LTLIBRARIES = pam_unix.la + +Index: pam.debian/modules/pam_unix/README +=================================================================== +--- pam.debian.orig/modules/pam_unix/README ++++ pam.debian/modules/pam_unix/README +@@ -58,7 +58,16 @@ + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides +- this default. ++ this default and allows any user with a blank password to access the ++ service. ++ ++nullok_secure ++ ++ The default action of this module is to not permit the user access to a ++ service if their official password is blank. The nullok_secure argument ++ overrides this default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of the values ++ found in /etc/securetty. 
+ + try_first_pass + +Index: pam.debian/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8 ++++ pam.debian/modules/pam_unix/pam_unix.8 +@@ -82,7 +82,14 @@ + .RS 4 + The default action of this module is to not permit the user access to a service if their official password is blank\&. The + \fBnullok\fR +-argument overrides this default\&. ++argument overrides this default and allows any user with a blank password to access the service\&. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. + .RE + .PP + \fBtry_first_pass\fR +Index: pam.debian/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.debian/modules/pam_unix/pam_unix.8.xml +@@ -137,7 +137,24 @@ + + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The argument overrides this default. ++ The argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + + + diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section new file mode 100644 index 00000000..fc0dcab4 --- /dev/null 
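Review bot: The secure-tty check for `nullok_secure` is written out twice in support.c, once in the fork()ed helper path (hunk at -595) and once in the blank-password check (hunk at -675), each with its own `pam_get_item(pamh, PAM_TTY, ...)` lookup and NULL test. These two copies decide whether an empty password is accepted, so they must never drift apart. A single static helper called from both places keeps the decision in one spot. Both enclosing functions start outside their hunks, and the helper name below is only a suggestion.

```c
/* proposed helper: non-zero only when PAM_TTY is set and listed as secure */
static int _unix_tty_is_secure(pam_handle_t *pamh)
{
	const void *uttyname = NULL;

	if (pam_get_item(pamh, PAM_TTY, &uttyname) != PAM_SUCCESS
	    || uttyname == NULL)
		return 0;
	return _pammodutil_tty_secure(pamh, (const char *)uttyname)
		== PAM_SUCCESS;
}

/* … unchanged: fork() and helper argv setup … */
	if (on(UNIX_NULLOK_SECURE, ctrl) && !_unix_tty_is_secure(pamh))
		nullok = 0;

/* … unchanged: UNIX__NONULL test in the blank-password check … */
	if (on(UNIX_NULLOK_SECURE, ctrl) && !_unix_tty_is_secure(pamh))
		return 0;
```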
+++ b/debian/patches-applied/PAM-manpage-section 
@@ -0,0 +1,1637 @@ +Patch to put the PAM manpage in section 7 (general topics) instead of 8 +(system administration commands) + +Authors: Steve Langasek + +Upstream status: maybe provide a backwards-compatibility link first? + +Index: pam.debian/doc/man/pam.8.xml +=================================================================== +--- pam.debian.orig/doc/man/pam.8.xml ++++ pam.debian/doc/man/pam.8.xml +@@ -6,7 +6,7 @@ + + + pam +- 8 ++ 7 + Linux-PAM Manual + + +@@ -179,7 +179,7 @@ + pam_strerror3 + , + +- PAM8 ++ PAM7 + + + +Index: pam.debian/doc/man/PAM.8 +=================================================================== +--- pam.debian.orig/doc/man/PAM.8 ++++ pam.debian/doc/man/PAM.8 +@@ -2,12 +2,12 @@ + .\" Title: pam + .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 09/19/2013 ++.\" Date: 01/16/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM" "8" "09/19/2013" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM" "7" "01/16/2014" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -118,4 +118,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_sm_setcred\fR(3), + \fBpam_strerror\fR(3), +-\fBPAM\fR(8) ++\fBPAM\fR(7) +Index: pam.debian/modules/pam_access/access.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_access/access.conf.5.xml ++++ pam.debian/modules/pam_access/access.conf.5.xml +@@ -191,7 +191,7 @@ + + pam_access8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_access/access.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_access/access.conf.5 ++++ pam.debian/modules/pam_access/access.conf.5 +@@ -181,7 +181,7 @@ + .PP + 
\fBpam_access\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + Original +Index: pam.debian/modules/pam_env/pam_env.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.conf.5.xml ++++ pam.debian/modules/pam_env/pam_env.conf.5.xml +@@ -110,7 +110,7 @@ + + pam_env8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_env/pam_env.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.conf.5 ++++ pam.debian/modules/pam_env/pam_env.conf.5 +@@ -112,7 +112,7 @@ + .PP + \fBpam_env\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_env was written by Dave Kinchlea \&. +Index: pam.debian/modules/pam_group/group.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_group/group.conf.5.xml ++++ pam.debian/modules/pam_group/group.conf.5.xml +@@ -128,7 +128,7 @@ + + pam_group8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_group/group.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_group/group.conf.5 ++++ pam.debian/modules/pam_group/group.conf.5 +@@ -113,7 +113,7 @@ + .PP + \fBpam_group\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_group was written by Andrew G\&. Morgan \&. 
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml +@@ -343,7 +343,7 @@ + + pam_limits8, + pam.d5, +- pam8, ++ pam7, + getrlimit2 + getrlimit3p + +Index: pam.debian/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -339,7 +339,7 @@ + .PP + \fBpam_limits\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBgetrlimit\fR(2)\fBgetrlimit\fR(3p) + .SH "AUTHOR" + .PP +Index: pam.debian/modules/pam_namespace/namespace.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_namespace/namespace.conf.5.xml ++++ pam.debian/modules/pam_namespace/namespace.conf.5.xml +@@ -204,7 +204,7 @@ + + pam_namespace8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_namespace/namespace.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_namespace/namespace.conf.5 ++++ pam.debian/modules/pam_namespace/namespace.conf.5 +@@ -155,7 +155,7 @@ + .PP + \fBpam_namespace\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + The namespace\&.conf manual page was written by Janak Desai \&. More features added by Tomas Mraz \&. 
+Index: pam.debian/modules/pam_time/time.conf.5.xml +=================================================================== +--- pam.debian.orig/modules/pam_time/time.conf.5.xml ++++ pam.debian/modules/pam_time/time.conf.5.xml +@@ -130,7 +130,7 @@ + + pam_time8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_time/time.conf.5 +=================================================================== +--- pam.debian.orig/modules/pam_time/time.conf.5 ++++ pam.debian/modules/pam_time/time.conf.5 +@@ -107,7 +107,7 @@ + .PP + \fBpam_time\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. Morgan \&. +Index: pam.debian/modules/pam_access/pam_access.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_access/pam_access.8.xml ++++ pam.debian/modules/pam_access/pam_access.8.xml +@@ -237,7 +237,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam.debian/modules/pam_access/pam_access.8 +=================================================================== +--- pam.debian.orig/modules/pam_access/pam_access.8 ++++ pam.debian/modules/pam_access/pam_access.8 +@@ -125,7 +125,7 @@ + .PP + \fBaccess.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin \&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \&. 
+Index: pam.debian/modules/pam_cracklib/pam_cracklib.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8.xml ++++ pam.debian/modules/pam_cracklib/pam_cracklib.8.xml +@@ -577,7 +577,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_cracklib/pam_cracklib.8 +=================================================================== +--- pam.debian.orig/modules/pam_cracklib/pam_cracklib.8 ++++ pam.debian/modules/pam_cracklib/pam_cracklib.8 +@@ -357,7 +357,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_cracklib was written by Cristian Gafton +Index: pam.debian/modules/pam_debug/pam_debug.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_debug/pam_debug.8.xml ++++ pam.debian/modules/pam_debug/pam_debug.8.xml +@@ -216,7 +216,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam.debian/modules/pam_debug/pam_debug.8 +=================================================================== +--- pam.debian.orig/modules/pam_debug/pam_debug.8 ++++ pam.debian/modules/pam_debug/pam_debug.8 +@@ -138,7 +138,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_debug was written by Andrew G\&. Morgan \&. 
+Index: pam.debian/modules/pam_deny/pam_deny.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_deny/pam_deny.8.xml
++++ pam.debian/modules/pam_deny/pam_deny.8.xml
+@@ -120,7 +120,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_deny/pam_deny.8
+===================================================================
+--- pam.debian.orig/modules/pam_deny/pam_deny.8
++++ pam.debian/modules/pam_deny/pam_deny.8
+@@ -96,7 +96,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_deny was written by Andrew G\&. Morgan
+Index: pam.debian/modules/pam_echo/pam_echo.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_echo/pam_echo.8.xml
++++ pam.debian/modules/pam_echo/pam_echo.8.xml
+@@ -159,7 +159,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_echo/pam_echo.8
+===================================================================
+--- pam.debian.orig/modules/pam_echo/pam_echo.8
++++ pam.debian/modules/pam_echo/pam_echo.8
+@@ -126,7 +126,7 @@
+ .PP
+ \fBpam.conf\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Thorsten Kukuk
+Index: pam.debian/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8.xml
++++ pam.debian/modules/pam_env/pam_env.8.xml
+@@ -235,7 +235,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ .
+
+
+Index: pam.debian/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_exec/pam_exec.8.xml
++++ pam.debian/modules/pam_exec/pam_exec.8.xml
+@@ -257,7 +257,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.debian.orig/modules/pam_exec/pam_exec.8
++++ pam.debian/modules/pam_exec/pam_exec.8
+@@ -160,7 +160,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_exec was written by Thorsten Kukuk and Josh Triplett \&.
+Index: pam.debian/modules/pam_faildelay/pam_faildelay.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8.xml
++++ pam.debian/modules/pam_faildelay/pam_faildelay.8.xml
+@@ -121,7 +121,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_faildelay/pam_faildelay.8
+===================================================================
+--- pam.debian.orig/modules/pam_faildelay/pam_faildelay.8
++++ pam.debian/modules/pam_faildelay/pam_faildelay.8
+@@ -87,7 +87,7 @@
+ \fBpam_fail_delay\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_faildelay was written by Darren Tucker \&.
+Index: pam.debian/modules/pam_filter/pam_filter.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_filter/pam_filter.8.xml
++++ pam.debian/modules/pam_filter/pam_filter.8.xml
+@@ -246,7 +246,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_filter/pam_filter.8
+===================================================================
+--- pam.debian.orig/modules/pam_filter/pam_filter.8
++++ pam.debian/modules/pam_filter/pam_filter.8
+@@ -166,7 +166,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_filter was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_ftp/pam_ftp.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_ftp/pam_ftp.8.xml
++++ pam.debian/modules/pam_ftp/pam_ftp.8.xml
+@@ -168,7 +168,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_ftp/pam_ftp.8
+===================================================================
+--- pam.debian.orig/modules/pam_ftp/pam_ftp.8
++++ pam.debian/modules/pam_ftp/pam_ftp.8
+@@ -119,7 +119,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_ftp was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_group/pam_group.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_group/pam_group.8.xml
++++ pam.debian/modules/pam_group/pam_group.8.xml
+@@ -148,7 +148,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ .
+
+
+Index: pam.debian/modules/pam_group/pam_group.8
+===================================================================
+--- pam.debian.orig/modules/pam_group/pam_group.8
++++ pam.debian/modules/pam_group/pam_group.8
+@@ -103,7 +103,7 @@
+ .PP
+ \fBgroup.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_group was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_issue/pam_issue.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_issue/pam_issue.8.xml
++++ pam.debian/modules/pam_issue/pam_issue.8.xml
+@@ -219,7 +219,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_issue/pam_issue.8
+===================================================================
+--- pam.debian.orig/modules/pam_issue/pam_issue.8
++++ pam.debian/modules/pam_issue/pam_issue.8
+@@ -152,7 +152,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_issue was written by Ben Collins \&.
+Index: pam.debian/modules/pam_keyinit/pam_keyinit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8.xml
++++ pam.debian/modules/pam_keyinit/pam_keyinit.8.xml
+@@ -223,7 +223,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+ keyctl1
+Index: pam.debian/modules/pam_keyinit/pam_keyinit.8
+===================================================================
+--- pam.debian.orig/modules/pam_keyinit/pam_keyinit.8
++++ pam.debian/modules/pam_keyinit/pam_keyinit.8
+@@ -130,7 +130,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBkeyctl\fR(1)
++\fBpam\fR(7)\fBkeyctl\fR(1)
+ .SH "AUTHOR"
+ .PP
+ pam_keyinit was written by David Howells, \&.
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8.xml
++++ pam.debian/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -298,7 +298,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_lastlog/pam_lastlog.8
+===================================================================
+--- pam.debian.orig/modules/pam_lastlog/pam_lastlog.8
++++ pam.debian/modules/pam_lastlog/pam_lastlog.8
+@@ -173,7 +173,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_lastlog was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_limits/pam_limits.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.8.xml
++++ pam.debian/modules/pam_limits/pam_limits.8.xml
+@@ -241,7 +241,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ .
+
+
+Index: pam.debian/modules/pam_limits/pam_limits.8
+===================================================================
+--- pam.debian.orig/modules/pam_limits/pam_limits.8
++++ pam.debian/modules/pam_limits/pam_limits.8
+@@ -146,7 +146,7 @@
+ .PP
+ \fBlimits.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_limits was initially written by Cristian Gafton
+Index: pam.debian/modules/pam_listfile/pam_listfile.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_listfile/pam_listfile.8.xml
++++ pam.debian/modules/pam_listfile/pam_listfile.8.xml
+@@ -281,7 +281,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_listfile/pam_listfile.8
+===================================================================
+--- pam.debian.orig/modules/pam_listfile/pam_listfile.8
++++ pam.debian/modules/pam_listfile/pam_listfile.8
+@@ -205,7 +205,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_listfile was written by Michael K\&. Johnson and Elliot Lee \&.
+Index: pam.debian/modules/pam_localuser/pam_localuser.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_localuser/pam_localuser.8.xml
++++ pam.debian/modules/pam_localuser/pam_localuser.8.xml
+@@ -158,7 +158,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_localuser/pam_localuser.8
+===================================================================
+--- pam.debian.orig/modules/pam_localuser/pam_localuser.8
++++ pam.debian/modules/pam_localuser/pam_localuser.8
+@@ -102,7 +102,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_localuser was written by Nalin Dahyabhai \&.
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8.xml
++++ pam.debian/modules/pam_loginuid/pam_loginuid.8.xml
+@@ -104,7 +104,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ ,
+
+ auditctl8
+Index: pam.debian/modules/pam_loginuid/pam_loginuid.8
+===================================================================
+--- pam.debian.orig/modules/pam_loginuid/pam_loginuid.8
++++ pam.debian/modules/pam_loginuid/pam_loginuid.8
+@@ -75,7 +75,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBauditctl\fR(8),
+ \fBauditd\fR(8)
+ .SH "AUTHOR"
+Index: pam.debian/modules/pam_mail/pam_mail.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_mail/pam_mail.8.xml
++++ pam.debian/modules/pam_mail/pam_mail.8.xml
+@@ -265,7 +265,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_mail/pam_mail.8
+===================================================================
+--- pam.debian.orig/modules/pam_mail/pam_mail.8
++++ pam.debian/modules/pam_mail/pam_mail.8
+@@ -153,7 +153,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_mail was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml
++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+@@ -189,7 +189,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ .
+
+
+Index: pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8
+===================================================================
+--- pam.debian.orig/modules/pam_mkhomedir/pam_mkhomedir.8
++++ pam.debian/modules/pam_mkhomedir/pam_mkhomedir.8
+@@ -123,7 +123,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_mkhomedir was written by Jason Gunthorpe \&.
+Index: pam.debian/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml
++++ pam.debian/modules/pam_motd/pam_motd.8.xml
+@@ -99,7 +99,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8
++++ pam.debian/modules/pam_motd/pam_motd.8
+@@ -78,7 +78,7 @@
+ \fBmotd\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_motd was written by Ben Collins \&.
+Index: pam.debian/modules/pam_namespace/pam_namespace.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/pam_namespace.8.xml
++++ pam.debian/modules/pam_namespace/pam_namespace.8.xml
+@@ -399,7 +399,7 @@
+ mount8
+ ,
+
+- pam8
++ pam7
+ .
+
+
+Index: pam.debian/modules/pam_namespace/pam_namespace.8
+===================================================================
+--- pam.debian.orig/modules/pam_namespace/pam_namespace.8
++++ pam.debian/modules/pam_namespace/pam_namespace.8
+@@ -178,7 +178,7 @@
+ \fBnamespace.conf\fR(5),
+ \fBpam.d\fR(5),
+ \fBmount\fR(8),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \&. Additional improvements by Xavier Toth and Tomas Mraz \&.
+Index: pam.debian/modules/pam_nologin/pam_nologin.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_nologin/pam_nologin.8.xml
++++ pam.debian/modules/pam_nologin/pam_nologin.8.xml
+@@ -160,7 +160,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_nologin/pam_nologin.8
+===================================================================
+--- pam.debian.orig/modules/pam_nologin/pam_nologin.8
++++ pam.debian/modules/pam_nologin/pam_nologin.8
+@@ -124,7 +124,7 @@
+ \fBnologin\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_nologin was written by Michael K\&. Johnson \&.
+Index: pam.debian/modules/pam_permit/pam_permit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_permit/pam_permit.8.xml
++++ pam.debian/modules/pam_permit/pam_permit.8.xml
+@@ -91,7 +91,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_permit/pam_permit.8
+===================================================================
+--- pam.debian.orig/modules/pam_permit/pam_permit.8
++++ pam.debian/modules/pam_permit/pam_permit.8
+@@ -78,7 +78,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_permit was written by Andrew G\&. Morgan, \&.
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8.xml
++++ pam.debian/modules/pam_rhosts/pam_rhosts.8.xml
+@@ -156,7 +156,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_rhosts/pam_rhosts.8
+===================================================================
+--- pam.debian.orig/modules/pam_rhosts/pam_rhosts.8
++++ pam.debian/modules/pam_rhosts/pam_rhosts.8
+@@ -122,7 +122,7 @@
+ \fBrhosts\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rhosts was written by Thorsten Kukuk
+Index: pam.debian/modules/pam_rootok/pam_rootok.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_rootok/pam_rootok.8.xml
++++ pam.debian/modules/pam_rootok/pam_rootok.8.xml
+@@ -116,7 +116,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_rootok/pam_rootok.8
+===================================================================
+--- pam.debian.orig/modules/pam_rootok/pam_rootok.8
++++ pam.debian/modules/pam_rootok/pam_rootok.8
+@@ -99,7 +99,7 @@
+ \fBsu\fR(1),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rootok was written by Andrew G\&. Morgan, \&.
+Index: pam.debian/modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.8.xml
++++ pam.debian/modules/pam_securetty/pam_securetty.8.xml
+@@ -168,7 +168,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_securetty/pam_securetty.8
+===================================================================
+--- pam.debian.orig/modules/pam_securetty/pam_securetty.8
++++ pam.debian/modules/pam_securetty/pam_securetty.8
+@@ -119,7 +119,7 @@
+ \fBsecuretty\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_securetty was written by Elliot Lee \&.
+Index: pam.debian/modules/pam_selinux/pam_selinux.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_selinux/pam_selinux.8.xml
++++ pam.debian/modules/pam_selinux/pam_selinux.8.xml
+@@ -258,7 +258,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ ,
+
+ selinux8
+Index: pam.debian/modules/pam_selinux/pam_selinux.8
+===================================================================
+--- pam.debian.orig/modules/pam_selinux/pam_selinux.8
++++ pam.debian/modules/pam_selinux/pam_selinux.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam_selinux
+ .\" Author: [see the "AUTHOR" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1
+-.\" Date: 06/18/2013
++.\" Date: 01/14/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SELINUX" "8" "06/18/2013" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_SELINUX" "8" "01/14/2014" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -144,7 +144,7 @@
+ \fBexecve\fR(2),
+ \fBtty\fR(4),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam.debian/modules/pam_sepermit/pam_sepermit.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8.xml
++++ pam.debian/modules/pam_sepermit/pam_sepermit.8.xml
+@@ -176,7 +176,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+ selinux8
+Index: pam.debian/modules/pam_sepermit/pam_sepermit.8
+===================================================================
+--- pam.debian.orig/modules/pam_sepermit/pam_sepermit.8
++++ pam.debian/modules/pam_sepermit/pam_sepermit.8
+@@ -124,7 +124,7 @@
+ \fBsepermit.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBselinux\fR(8)
++\fBpam\fR(7)\fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+ pam_sepermit and this manual page were written by Tomas Mraz \&.
+Index: pam.debian/modules/pam_shells/pam_shells.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_shells/pam_shells.8.xml
++++ pam.debian/modules/pam_shells/pam_shells.8.xml
+@@ -102,7 +102,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_shells/pam_shells.8
+===================================================================
+--- pam.debian.orig/modules/pam_shells/pam_shells.8
++++ pam.debian/modules/pam_shells/pam_shells.8
+@@ -85,7 +85,7 @@
+ \fBshells\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_shells was written by Erik Troan \&.
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8.xml
++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8.xml
+@@ -295,7 +295,7 @@
+ glob7
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_succeed_if/pam_succeed_if.8
+===================================================================
+--- pam.debian.orig/modules/pam_succeed_if/pam_succeed_if.8
++++ pam.debian/modules/pam_succeed_if/pam_succeed_if.8
+@@ -220,7 +220,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBglob\fR(7),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Nalin Dahyabhai
+Index: pam.debian/modules/pam_tally/pam_tally.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_tally/pam_tally.8.xml
++++ pam.debian/modules/pam_tally/pam_tally.8.xml
+@@ -444,7 +444,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_tally/pam_tally.8
+===================================================================
+--- pam.debian.orig/modules/pam_tally/pam_tally.8
++++ pam.debian/modules/pam_tally/pam_tally.8
+@@ -248,7 +248,7 @@
+ \fBfaillog\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tally was written by Tim Baverstock and Tomas Mraz\&.
+Index: pam.debian/modules/pam_time/pam_time.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_time/pam_time.8.xml
++++ pam.debian/modules/pam_time/pam_time.8.xml
+@@ -169,7 +169,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+ .
+
+
+Index: pam.debian/modules/pam_time/pam_time.8
+===================================================================
+--- pam.debian.orig/modules/pam_time/pam_time.8
++++ pam.debian/modules/pam_time/pam_time.8
+@@ -109,7 +109,7 @@
+ .PP
+ \fBtime.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_umask/pam_umask.8.xml
++++ pam.debian/modules/pam_umask/pam_umask.8.xml
+@@ -201,7 +201,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_umask/pam_umask.8
+===================================================================
+--- pam.debian.orig/modules/pam_umask/pam_umask.8
++++ pam.debian/modules/pam_umask/pam_umask.8
+@@ -150,7 +150,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_umask was written by Thorsten Kukuk \&.
+Index: pam.debian/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8.xml
++++ pam.debian/modules/pam_unix/pam_unix.8.xml
+@@ -494,7 +494,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.debian.orig/modules/pam_unix/pam_unix.8
++++ pam.debian/modules/pam_unix/pam_unix.8
+@@ -269,7 +269,7 @@
+ \fBlogin.defs\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_unix was written by various people\&.
+Index: pam.debian/doc/man/misc_conv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3.xml
++++ pam.debian/doc/man/misc_conv.3.xml
+@@ -171,7 +171,7 @@
+ pam_conv3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/misc_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/misc_conv.3
++++ pam.debian/doc/man/misc_conv.3
+@@ -117,7 +117,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_conv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_acct_mgmt.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3.xml
++++ pam.debian/doc/man/pam_acct_mgmt.3.xml
+@@ -138,7 +138,7 @@
+ pam_strerror3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_acct_mgmt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_acct_mgmt.3
++++ pam.debian/doc/man/pam_acct_mgmt.3
+@@ -97,4 +97,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_authenticate.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3.xml
++++ pam.debian/doc/man/pam_authenticate.3.xml
+@@ -162,7 +162,7 @@
+ pam_strerror3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_authenticate.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_authenticate.3
++++ pam.debian/doc/man/pam_authenticate.3
+@@ -107,4 +107,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_chauthtok.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3.xml
++++ pam.debian/doc/man/pam_chauthtok.3.xml
+@@ -157,7 +157,7 @@
+ pam_strerror3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_chauthtok.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_chauthtok.3
++++ pam.debian/doc/man/pam_chauthtok.3
+@@ -106,4 +106,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_conv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3.xml
++++ pam.debian/doc/man/pam_conv.3.xml
+@@ -221,7 +221,7 @@
+ pam_strerror3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_conv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_conv.3
++++ pam.debian/doc/man/pam_conv.3
+@@ -174,4 +174,4 @@
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_error.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3.xml
++++ pam.debian/doc/man/pam_error.3.xml
+@@ -105,7 +105,7 @@
+ pam_vprompt3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_error.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_error.3
++++ pam.debian/doc/man/pam_error.3
+@@ -80,7 +80,7 @@
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+ \fBpam_vprompt\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_getenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3.xml
++++ pam.debian/doc/man/pam_getenv.3.xml
+@@ -60,7 +60,7 @@
+ pam_putenv3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_getenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenv.3
++++ pam.debian/doc/man/pam_getenv.3
+@@ -57,4 +57,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_getenvlist.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3.xml
++++ pam.debian/doc/man/pam_getenvlist.3.xml
+@@ -78,7 +78,7 @@
+ pam_putenv3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_getenvlist.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_getenvlist.3
++++ pam.debian/doc/man/pam_getenvlist.3
+@@ -63,4 +63,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_info.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3.xml
++++ pam.debian/doc/man/pam_info.3.xml
+@@ -93,7 +93,7 @@
+ SEE ALSO
+
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_info.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_info.3
++++ pam.debian/doc/man/pam_info.3
+@@ -76,7 +76,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_drop_env.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3.xml
++++ pam.debian/doc/man/pam_misc_drop_env.3.xml
+@@ -46,7 +46,7 @@
+ pam_getenvlist3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_misc_drop_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_drop_env.3
++++ pam.debian/doc/man/pam_misc_drop_env.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_getenvlist\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_paste_env.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3.xml
++++ pam.debian/doc/man/pam_misc_paste_env.3.xml
+@@ -44,7 +44,7 @@
+ pam_putenv3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_misc_paste_env.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_paste_env.3
++++ pam.debian/doc/man/pam_misc_paste_env.3
+@@ -47,7 +47,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_misc_setenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_setenv.3.xml
++++ pam.debian/doc/man/pam_misc_setenv.3.xml
+@@ -51,7 +51,7 @@
+ pam_putenv3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_misc_setenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_misc_setenv.3
++++ pam.debian/doc/man/pam_misc_setenv.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/doc/man/pam_prompt.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_prompt.3.xml
++++ pam.debian/doc/man/pam_prompt.3.xml
+@@ -95,7 +95,7 @@
+ SEE ALSO
+
+
+- pam8
++ pam7
+ ,
+
+ pam_conv3
+Index: pam.debian/doc/man/pam_prompt.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_prompt.3
++++ pam.debian/doc/man/pam_prompt.3
+@@ -70,7 +70,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBpam_conv\fR(3)
+ .SH "STANDARDS"
+ .PP
+Index: pam.debian/doc/man/pam_putenv.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_putenv.3.xml
++++ pam.debian/doc/man/pam_putenv.3.xml
+@@ -145,7 +145,7 @@
+ pam_strerror3
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_putenv.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_putenv.3
++++ pam.debian/doc/man/pam_putenv.3
+@@ -108,4 +108,4 @@
+ \fBpam_getenv\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_strerror.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_strerror.3.xml
++++ pam.debian/doc/man/pam_strerror.3.xml
+@@ -51,7 +51,7 @@
+ SEE ALSO
+
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_strerror.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_strerror.3
++++ pam.debian/doc/man/pam_strerror.3
+@@ -49,4 +49,4 @@
+ This function returns always a pointer to a string\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam.debian/doc/man/pam_syslog.3.xml
+===================================================================
+--- pam.debian.orig/doc/man/pam_syslog.3.xml
++++ pam.debian/doc/man/pam_syslog.3.xml
+@@ -66,7 +66,7 @@
+ SEE ALSO
+
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/doc/man/pam_syslog.3
+===================================================================
+--- pam.debian.orig/doc/man/pam_syslog.3
++++ pam.debian/doc/man/pam_syslog.3
+@@ -67,7 +67,7 @@
+ variable argument list macros\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam.debian/modules/pam_userdb/pam_userdb.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_userdb/pam_userdb.8.xml
++++ pam.debian/modules/pam_userdb/pam_userdb.8.xml
+@@ -277,7 +277,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_userdb/pam_userdb.8
+===================================================================
+--- pam.debian.orig/modules/pam_userdb/pam_userdb.8
++++ pam.debian/modules/pam_userdb/pam_userdb.8
+@@ -150,7 +150,7 @@
+ \fBcrypt\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&.
+Index: pam.debian/modules/pam_warn/pam_warn.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_warn/pam_warn.8.xml
++++ pam.debian/modules/pam_warn/pam_warn.8.xml
+@@ -90,7 +90,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_warn/pam_warn.8
+===================================================================
+--- pam.debian.orig/modules/pam_warn/pam_warn.8
++++ pam.debian/modules/pam_warn/pam_warn.8
+@@ -83,7 +83,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_warn was written by Andrew G\&. Morgan \&.
+Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam.debian/modules/pam_wheel/pam_wheel.8.xml
+@@ -212,7 +212,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.debian.orig/modules/pam_wheel/pam_wheel.8
++++ pam.debian/modules/pam_wheel/pam_wheel.8
+@@ -136,7 +136,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_wheel was written by Cristian Gafton \&.
+Index: pam.debian/modules/pam_xauth/pam_xauth.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_xauth/pam_xauth.8.xml
++++ pam.debian/modules/pam_xauth/pam_xauth.8.xml
+@@ -276,7 +276,7 @@
+ pam.d5
+ ,
+
+- pam8
++ pam7
+
+
+
+Index: pam.debian/modules/pam_xauth/pam_xauth.8
+===================================================================
+--- pam.debian.orig/modules/pam_xauth/pam_xauth.8
++++ pam.debian/modules/pam_xauth/pam_xauth.8
+@@ -177,7 +177,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\&. Johnson \&.
+Index: pam.debian/modules/pam_env/pam_env.8
+===================================================================
+--- pam.debian.orig/modules/pam_env/pam_env.8
++++ pam.debian/modules/pam_env/pam_env.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam_env
+ .\" Author: [see the "AUTHOR" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1
+-.\" Date: 01/15/2014
++.\" Date: 01/16/2014
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ENV" "8" "01/15/2014" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ENV" "8" "01/16/2014" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
diff --git a/debian/patches-applied/cve-2010-4708.patch b/debian/patches-applied/cve-2010-4708.patch
new file mode 100644
index 00000000..cf23e318
--- /dev/null
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -0,0 +1,64 @@ +Description: fix cve-2010-4708: .pam_environment privilege issue +Index: pam.debian/modules/pam_env/pam_env.c +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.c ++++ pam.debian/modules/pam_env/pam_env.c +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +Index: pam.debian/modules/pam_env/pam_env.8.xml +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.8.xml ++++ pam.debian/modules/pam_env/pam_env.8.xml +@@ -147,7 +147,7 @@ + + + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off. + + + +Index: pam.debian/modules/pam_env/pam_env.8 +=================================================================== +--- pam.debian.orig/modules/pam_env/pam_env.8 ++++ pam.debian/modules/pam_env/pam_env.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_env + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.78.1 +-.\" Date: 09/19/2013 ++.\" Date: 01/15/2014 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_ENV" "8" "09/19/2013" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "8" "01/15/2014" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -88,7 +88,7 @@ + .PP + \fBuser_readenv=\fR\fB\fI0|1\fR\fR + .RS 4 +-Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is on\&. ++Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. 
By default this option is off\&. + .RE + .SH "MODULE TYPES PROVIDED" + .PP +@@ -138,7 +138,7 @@ + .PP + \fBpam_env.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP + pam_env was written by Dave Kinchlea \&. diff --git a/debian/patches-applied/cve-2013-7041.patch b/debian/patches-applied/cve-2013-7041.patch new file mode 100644 index 00000000..dac35b25 --- /dev/null +++ b/debian/patches-applied/cve-2013-7041.patch 
@@ -0,0 +1,44 @@ +From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Fri, 24 Jan 2014 22:18:32 +0000 +Subject: pam_userdb: fix password hash comparison + +Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed +passwords support in pam_userdb, hashes are compared case-insensitively. +This bug leads to accepting hashes for completely different passwords in +addition to those that should be accepted. + +Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for +modern password hashes with different lengths and settings, did not +update the hash comparison accordingly, which leads to accepting +computed hashes longer than stored hashes when the latter is a prefix +of the former. + +* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed +hash whose length differs from the stored hash length. +Compare computed and stored hashes case-sensitively. +Fixes CVE-2013-7041. + +Bug-Debian: http://bugs.debian.org/731368 + +--- a/modules/pam_userdb/pam_userdb.c ++++ b/modules/pam_userdb/pam_userdb.c +@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, + } else { + cryptpw = crypt (pass, data.dptr); + +- if (cryptpw) { +- compare = strncasecmp (data.dptr, cryptpw, data.dsize); ++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { ++ compare = memcmp(data.dptr, cryptpw, data.dsize); + } else { + compare = -2; + if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); ++ if (cryptpw) ++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); ++ else ++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); + } + }; + diff --git a/debian/patches-applied/cve-2014-2583.patch b/debian/patches-applied/cve-2014-2583.patch new file mode 100644 index 00000000..3eb91702 --- /dev/null +++ b/debian/patches-applied/cve-2014-2583.patch 
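Review bot: The new test in user_lookup has no comment saying why it is a length check followed by `memcmp` over `data.dsize` bytes, although that is the whole substance of the fix and a later cleanup could turn it back into a string compare. I would add above the `if`: `/* stored hash is a counted buffer: require equal length, then compare bytes exactly (case-sensitive) */`. Separately, `memcmp` may return at the first differing byte, so a constant-time comparison would be the more conservative choice for hash material if the tree has one. user_lookup starts and ends outside the hunk.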
@@ -0,0 +1,47 @@ +From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Wed, 26 Mar 2014 22:17:23 +0000 +Subject: pam_timestamp: fix potential directory traversal issue (ticket #27) + +pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of +the timestamp pathname it creates, so extra care should be taken to +avoid potential directory traversal issues. + +* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat +"." and ".." tty values as invalid. +(get_ruser): Treat "." and ".." ruser values, as well as any ruser +value containing '/', as invalid. + +Fixes CVE-2014-2583. + +Reported-by: Sebastian Krahmer + +--- a/modules/pam_timestamp/pam_timestamp.c ++++ b/modules/pam_timestamp/pam_timestamp.c +@@ -158,7 +158,7 @@ check_tty(const char *tty) + tty = strrchr(tty, '/') + 1; + } + /* Make sure the tty wasn't actually a directory (no basename). */ +- if (strlen(tty) == 0) { ++ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { + return NULL; + } + return tty; +@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) + if (pwd != NULL) { + ruser = pwd->pw_name; + } ++ } else { ++ /* ++ * This ruser is used by format_timestamp_name as a component ++ * of constructed timestamp pathname, so ".", "..", and '/' ++ * are disallowed to avoid potential path traversal issues. ++ */ ++ if (!strcmp(ruser, ".") || ++ !strcmp(ruser, "..") || ++ strchr(ruser, '/')) { ++ ruser = NULL; ++ } + } + if (ruser == NULL || strlen(ruser) >= ruserbuflen) { + *ruserbuf = '\0'; diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch new file mode 100644 index 00000000..cb5e8c06 --- /dev/null +++ b/debian/patches-applied/cve-2015-3238.patch 
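Review bot: In get_ruser the new "."/".."/'/' check sits only in the `else` branch, so a name taken from `pwd->pw_name` reaches the timestamp path without it. That source is the passwd database and is probably fine, but running the check after the `if`/`else` covers both sources, e.g. `if (ruser != NULL && (!strcmp(ruser, ".") || !strcmp(ruser, "..") || strchr(ruser, '/'))) ruser = NULL;`. The opening `if` of that statement is outside the hunk, so its exact condition is not visible here.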
@@ -0,0 +1,180 @@ +From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Mon, 22 Jun 2015 14:53:01 +0200 +Subject: Release version 1.2.1 + +Security fix: CVE-2015-3238 + +If the process executing pam_sm_authenticate or pam_sm_chauthtok method +of pam_unix is not privileged enough to check the password, e.g. +if selinux is enabled, the _unix_run_helper_binary function is called. +When a long enough password is supplied (16 pages or more, i.e. 65536+ +bytes on a system with 4K pages), this helper function hangs +indefinitely, blocked in the write(2) call while writing to a blocking +pipe that has a limited capacity. +With this fix, the verifiable password length will be limited to +PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. + +diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml +index 2379366..d1b00a2 100644 +--- a/modules/pam_exec/pam_exec.8.xml ++++ b/modules/pam_exec/pam_exec.8.xml +@@ -106,7 +106,8 @@ + During authentication the calling command can read + the password from + stdin3 +- . ++ . Only first PAM_MAX_RESP_SIZE ++ bytes of a password are provided to the command. 
+ + + +diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c +index 5ab9630..17ba6ca 100644 +--- a/modules/pam_exec/pam_exec.c ++++ b/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, + } + + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strdupa (resp); ++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + _pam_drop (resp); + } + else +- authtok = void_pass; ++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + + if (pipe(fds) != 0) + { +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index 4008402..a8b64bb 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -80,6 +80,13 @@ + + + ++ The maximum length of a password supported by the pam_unix module ++ via the helper binary is PAM_MAX_RESP_SIZE ++ - currently 512 bytes. The rest of the password provided by the ++ conversation function to the module will be ignored. ++ ++ ++ + The password component of this module performs the task of updating + the user's password. 
The default encryption hash is taken from the + ENCRYPT_METHOD variable from +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index 2d330e5..c2e5de5 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; +- if (fromwhat) +- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); +- else +- pam_modutil_write(fds[1], "", 1); +- if (towhat) { +- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ if (fromwhat) { ++ int len = strlen(fromwhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], fromwhat, len); + } +- else +- pam_modutil_write(fds[1], "", 1); ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ int len = strlen(towhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], towhat, len); ++ } ++ pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index b325602..e79b55e 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) + int + read_passwords(int fd, int npass, char **passwords) + { ++ /* The passwords array must contain npass preallocated ++ * buffers of length MAXPASS + 1 ++ */ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { +- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; +diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h +index 3de6759..caf7ae8 100644 +--- a/modules/pam_unix/passverify.h ++++ 
b/modules/pam_unix/passverify.h +@@ -8,7 +8,7 @@ + + #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT + +-#define MAXPASS 200 /* the maximum length of a password */ ++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ + + #define OLD_PASSWORDS_FILE "/etc/security/opasswd" + +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index fdb45c2..abccd82 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + /* if the stored password is NULL */ + int rc=0; + if (passwd != NULL) { /* send the password to the child */ +- if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ int len = strlen(passwd); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ if (write(fds[1], passwd, len) == -1 || ++ write(fds[1], "", 1) == -1) { + pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_AUTH_ERR; + } +--- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000 ++++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000 +@@ -56,6 +56,10 @@ + \fBnoreap\fR + module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. + .PP ++The maximum length of a password supported by the pam_unix module via the helper binary is ++\fIPAM_MAX_RESP_SIZE\fR ++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&. ++.PP + The password component of this module performs the task of updating the user\*(Aqs password\&. 
The default encryption hash is taken from the + \fBENCRYPT_METHOD\fR + variable from +--- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000 ++++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000 +@@ -65,7 +65,9 @@ + \fBexpose_authtok\fR + .RS 4 + During authentication the calling command can read the password from +-\fBstdin\fR(3)\&. ++\fBstdin\fR(3)\&. Only first ++\fIPAM_MAX_RESP_SIZE\fR ++bytes of a password are provided to the command\&. + .RE + .PP + \fBlog=\fR\fB\fIfile\fR\fR diff --git a/debian/patches-applied/do_not_check_nis_accidentally b/debian/patches-applied/do_not_check_nis_accidentally new file mode 100644 index 00000000..8d85bfc3 --- /dev/null +++ b/debian/patches-applied/do_not_check_nis_accidentally @@ -0,0 +1,22 @@ +Patch for Debian bug #469635 + +Always call _unix_getpwnam() consistent with the value of the 'nis' +option, so that we only grab from the backends we're expecting. + +Authors: Quentin Godfroy + +Upstream status: should be submitted + +Index: pam.deb/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam.deb/modules/pam_unix/pam_unix_passwd.c +@@ -551,7 +551,7 @@ + return PAM_USER_UNKNOWN; + } else { + struct passwd *pwd; +- _unix_getpwnam(pamh, user, 1, 1, &pwd); ++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd); + if (pwd == NULL) { + pam_syslog(pamh, LOG_DEBUG, + "user \"%s\" has corrupted passwd entry", diff --git a/debian/patches-applied/hurd_no_setfsuid b/debian/patches-applied/hurd_no_setfsuid new file mode 100644 index 00000000..a2bf783c --- /dev/null +++ b/debian/patches-applied/hurd_no_setfsuid 
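Review bot: The clamped lengths in _unix_run_update_binary (`fromwhat`, `towhat`) and in _unix_run_helper_binary (`passwd`) are declared `int len = strlen(...)`, which narrows a `size_t`; for an input longer than INT_MAX `len` would typically go negative, skip the `len > PAM_MAX_RESP_SIZE` clamp and reach the write as a huge count. Declaring them `size_t len = strlen(passwd);` (likewise for the other two) keeps the clamp sound for any input. In _unix_run_update_binary the results of `pam_modutil_write` are still ignored, unlike the checked `write` calls in support.c. read_passwords now reads up to `MAXPASS+1` bytes, so every caller's buffers must be that size as the added comment says; the callers are not shown in these hunks, and all three functions continue outside them.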
@@ -0,0 +1,77 @@ +On systems without setfsuid(), use setreuid() instead. + +Authors: Steve Langasek + +Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv + are implemented + +Index: pam.debian/libpam/pam_modutil_priv.c +=================================================================== +--- pam.debian.orig/libpam/pam_modutil_priv.c ++++ pam.debian/libpam/pam_modutil_priv.c +@@ -14,7 +14,9 @@ + #include + #include + #include ++#ifdef HAVE_SYS_FSUID_H + #include ++#endif /* HAVE_SYS_FSUID_H */ + + /* + * Two setfsuid() calls in a row are necessary to check +@@ -22,17 +24,55 @@ + */ + static int change_uid(uid_t uid, uid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + uid_t tmp = setfsuid(uid); + if (save) + *save = tmp; + return (uid_t) setfsuid(uid) == uid ? 0 : -1; ++#else ++ uid_t euid = geteuid(); ++ uid_t ruid = getuid(); ++ if (save) ++ *save = ruid; ++ if (ruid == uid && uid != 0) ++ if (setreuid(euid, uid)) ++ return -1; ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) ++ return -1; ++ } ++ } ++#endif + } + static int change_gid(gid_t gid, gid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + gid_t tmp = setfsgid(gid); + if (save) + *save = tmp; + return (gid_t) setfsgid(gid) == gid ? 0 : -1; ++#else ++ gid_t egid = getegid(); ++ gid_t rgid = getgid(); ++ if (save) ++ *save = rgid; ++ if (rgid == gid) ++ if (setregid(egid, gid)) ++ return -1; ++ else { ++ setregid(0, -1); ++ if (setregid(-1, gid)) { ++ setregid(-1, 0); ++ setregid(0, -1); ++ if (setregid(-1, gid)) ++ return -1; ++ } ++ } ++#endif + } + + static int cleanup(struct pam_modutil_privs *p) diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat new file mode 100644 index 00000000..9d6d40a9 --- /dev/null +++ b/debian/patches-applied/lib_security_multiarch_compat 
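Review bot: In the `#else` branch of change_uid the `else` binds to the inner `if (setreuid(euid, uid))`, not to `if (ruid == uid && uid != 0)`, because the outer `if` has no braces; as written nothing is done when the outer condition is false, and the fallback sequence runs after a successful `setreuid(euid, uid)`. The branch also falls off the end of a function returning `int`, so callers get an indeterminate result where the setfsuid path returns 0 or -1. change_gid has the same two problems with `setregid`. Assuming the `else` was meant for the outer `if`, bracing it and adding a final `return 0;` fixes both. The unchecked `setreuid(0, -1)` and `setreuid(-1, 0)` calls are also worth checking, since a privilege change that fails silently is hard to diagnose.

```c
	/* … unchanged: euid/ruid lookup and *save assignment … */
	if (ruid == uid && uid != 0) {
		if (setreuid(euid, uid))
			return -1;
	} else {
		/* … unchanged: setreuid(0, -1) fallback sequence … */
	}
	return 0;
```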
@@ -0,0 +1,71 @@ +Unqualified module paths should always be looked up in *both* the default +module dir, *and* the ISA dir. That's what paths are for. + +This lets us have a soft transition to multiarch for modules without having +to rewrite /etc/pam.d/ files or add ugly symlinks. + +Authors: Steve Langasek + +Upstream status: not ready to be committed - this needs tweaked, we're +currently abusing the existing variables and inverting their meaning in +order to get everything installed where we want it and get absolute paths +the way we want them. + +Index: multiarch/libpam/pam_handlers.c +=================================================================== +--- multiarch.orig/libpam/pam_handlers.c ++++ multiarch/libpam/pam_handlers.c +@@ -705,7 +705,26 @@ + } + #else + D(("_pam_load_module: _pam_dlopen(%s)", mod_path)); +- mod->dl_handle = _pam_dlopen(mod_path); ++ if (mod_path[0] == '/') { ++ mod->dl_handle = _pam_dlopen(mod_path); ++ } else { ++ if (asprintf(&mod_full_isa_path, "%s%s", ++ DEFAULT_MODULE_PATH, mod_path) >= 0) { ++ mod->dl_handle = _pam_dlopen(mod_full_isa_path); ++ _pam_drop(mod_full_isa_path); ++ } else { ++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); ++ } ++ if (!mod->dl_handle) { ++ if (asprintf(&mod_full_isa_path, "%s/%s", ++ _PAM_ISA, mod_path) >= 0) { ++ mod->dl_handle = _pam_dlopen(mod_full_isa_path); ++ _pam_drop(mod_full_isa_path); ++ } else { ++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); ++ } ++ } ++ } + D(("_pam_load_module: _pam_dlopen'ed")); + D(("_pam_load_module: dlopen'ed")); + if (mod->dl_handle == NULL) { +@@ -775,7 +794,6 @@ + struct handler **handler_p2; + struct handlers *the_handlers; + const char *sym, *sym2; +- char *mod_full_path; + servicefn func, func2; + int mod_type = PAM_MT_FAULTY_MOD; + +@@ -787,16 +805,7 @@ + + if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) && + mod_path != NULL) { +- if (mod_path[0] == '/') { +- mod = _pam_load_module(pamh, mod_path, 
handler_type); +- } else if (asprintf(&mod_full_path, "%s%s", +- DEFAULT_MODULE_PATH, mod_path) >= 0) { +- mod = _pam_load_module(pamh, mod_full_path, handler_type); +- _pam_drop(mod_full_path); +- } else { +- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); +- return PAM_ABORT; +- } ++ mod = _pam_load_module(pamh, mod_path, handler_type); + + if (mod == NULL) { + /* if we get here with NULL it means allocation error */ diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch new file mode 100644 index 00000000..26f16503 --- /dev/null +++ b/debian/patches-applied/make_documentation_reproducible.patch @@ -0,0 +1,28 @@ +Description: Make documentation reproducible + Add LC_ALL=C to w3m to avoid changes in the output when build the + documentation with different locales. +Author: Juan Picca +Last-Update: 2015-07-11 + +--- pam.orig/configure ++++ pam/configure +@@ -15162,7 +15162,7 @@ fi + + + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" + else + enable_docu=no + fi +--- pam.orig/configure.in ++++ pam/configure.in +@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou + + AC_PATH_PROG([BROWSER], [w3m]) + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" + else + enable_docu=no + fi diff --git a/debian/patches-applied/no_PATH_MAX_on_hurd b/debian/patches-applied/no_PATH_MAX_on_hurd new file mode 100644 index 00000000..ab7d506c --- /dev/null +++ b/debian/patches-applied/no_PATH_MAX_on_hurd 
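Review bot: The second lookup in _pam_load_module builds its path as `"%s/%s", _PAM_ISA, mod_path` and hands it to `_pam_dlopen`; if `_PAM_ISA` is not an absolute path in this build, that name is resolved against the process's current directory, which is not a place modules should be loaded from. The patch header says the existing variables are repurposed to give absolute paths, so this may hold in practice, but nothing in the code enforces it. I would state the assumption at the `asprintf`, e.g. `/* _PAM_ISA must be an absolute directory here */`, or guard the fallback with `if (_PAM_ISA[0] == '/')`. An `asprintf` failure also no longer returns `PAM_ABORT` as the removed caller code did; it is logged and ends on the `dl_handle == NULL` path. _pam_load_module starts and ends outside the hunk.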
@@ -0,0 +1,22 @@ +Description: define PATH_MAX for compatibility when it's not already set + Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable + default value in this case. +Author: Steve Langasek +Bug-Debian: http://bugs.debian.org/552043 + +Index: pam.deb/tests/tst-dlopen.c +=================================================================== +--- pam.deb.orig/tests/tst-dlopen.c ++++ pam.deb/tests/tst-dlopen.c +@@ -16,6 +16,11 @@ + #include + #include + ++/* Hurd compatibility */ ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif ++ + /* Simple program to see if dlopen() would succeed. */ + int main(int argc, char **argv) + { diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap new file mode 100644 index 00000000..176d7845 --- /dev/null +++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap 
@@ -0,0 +1,58 @@ +From: Robie Basak +Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE + +Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since +larger values can cause problems with fd_set overflow and systemd sets +itself higher. + +See: +https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html +http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/ +https://sourceware.org/bugzilla/show_bug.cgi?id=10352 +https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0 + +pam_limits reads the default limits from /proc/1/limits. Previously, +using upstart, this resulted in a 1024 nofile soft limit on Ubuntu +systems by default. Using systemd, this results in a limit of 65536 +instead. This is not the intention of systemd upstream. See systemd +commit 4096d6f for an explanation of systemd's behaviour. + +If we want to make such a change to the default distribution soft limit +in PAM, we should do it deliberately and carefully, not accidentally. A +change should consider what uses select(2) and might inadvertently (and +incorrectly) assume that file descriptors will always fit into an +fd_set, what vulnerabilities or crashes the change could consequently +create, and whether the protection now present with FORTIFY_SOURCE is +suitably enabled in all relevant builds. + +So this keeps the soft limit at 1024 for now. The hard limit will rise +to 65536 along with systemd. Anything that knows that it will not be +buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or +epoll(7) instead of select(2), can always raise the soft limit itself +without issue. + +20:54 slangasek: [...] I'm also not sure how to go about +upstreaming this as pam_limits seems to be heavily patched already. 
+ +Forwarded: no +Reviewed-by: Adam Conrad +Reviewed-by: Martin Pitt +Last-Update: 2015-04-22 + +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -439,6 +439,14 @@ static void parse_kernel_limits(pam_hand + pl->limits[i].src_hard = LIMITS_DEF_KERNEL; + } + fclose(limitsfile); ++ ++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE ++ * since larger values can cause problems with fd_set overflow and ++ * systemd sets itself higher. */ ++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL && ++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) { ++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE; ++ } + } + + static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers new file mode 100644 index 00000000..1e965b2d --- /dev/null +++ b/debian/patches-applied/pam-loginuid-in-containers 
@@ -0,0 +1,146 @@ +Author: Stéphane Graber +Description: pam_loginuid: Ignore failure in user namespaces + When running pam_loginuid in a container using the user namespaces, even + uid 0 isn't allowed to set the loginuid property. + . + This change catches the EACCES from opening loginuid, checks if the user + is in the host namespace (by comparing the uid_map with the host's one) + and only if that's the case, sets rc to 1. + . + Should uid_map not exist or be unreadable for some reason, it'll be + assumed that the process is running on the host's namespace. + . + The initial reason behind this change was failure to ssh into an + unprivileged container (using a 3.13 kernel and current LXC) when using + a standard pam profile for sshd (which requires success from + pam_loginuid). + . + I believe this solution doesn't have any drawback and will allow people + to use unprivileged containers normally. An alternative would be to have + all distros set pam_loginuid as optional but that'd be bad for any of + the other potential failure case which people may care about. + . + There has also been some discussions to get some of the audit features + tied with the user namespaces but currently none of that has been merged + upstream and the currently proposed implementation doesn't cover + loginuid (nor is it clear how this should even work when loginuid is set + as immutable after initial write). + . + Signed-off-by: Steve Langasek + 
Signed-off-by: Dmitry V. Levin + +Index: ubuntu/modules/pam_loginuid/pam_loginuid.c +=================================================================== +--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000 ++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000 +@@ -47,25 +47,56 @@ + + /* + * This function writes the loginuid to the /proc system. It returns +- * 0 on success and 1 on failure. ++ * PAM_SUCCESS on success, ++ * PAM_IGNORE when /proc/self/loginuid does not exist, ++ * PAM_SESSION_ERR in case of any other error. + */ + static int set_loginuid(pam_handle_t *pamh, uid_t uid) + { +- int fd, count, rc = 0; +- char loginuid[24]; ++ int fd, count, rc = PAM_SESSION_ERR; ++ char loginuid[24], buf[24]; ++ static const char host_uid_map[] = " 0 0 4294967295\n"; ++ char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). 
*/ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } + +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); ++ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); + if (fd < 0) { +- if (errno != ENOENT) { +- rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); ++ if (errno == ENOENT) { ++ rc = PAM_IGNORE; ++ } ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); + } + return rc; + } +- if (pam_modutil_write(fd, loginuid, count) != count) +- rc = 1; ++ ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); ++ if (pam_modutil_read(fd, buf, sizeof(buf)) == count && ++ memcmp(buf, loginuid, count) == 0) { ++ rc = PAM_SUCCESS; ++ goto done; /* already correct */ ++ } ++ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && ++ pam_modutil_write(fd, loginuid, count) == count) { ++ rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } ++ done: + close(fd); + return rc; + } +@@ -165,6 +196,7 @@ + { + const char *user = NULL; + struct passwd *pwd; ++ int ret; + #ifdef HAVE_LIBAUDIT + int require_auditd = 0; + #endif +@@ -183,9 +215,14 @@ + return PAM_SESSION_ERR; + } + +- if (set_loginuid(pamh, pwd->pw_uid)) { +- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n"); +- return PAM_SESSION_ERR; ++ ret = set_loginuid(pamh, pwd->pw_uid); ++ switch (ret) { ++ case PAM_SUCCESS: ++ case PAM_IGNORE: ++ break; ++ default: ++ pam_syslog(pamh, LOG_ERR, "set_loginuid failed"); ++ return ret; + } + + #ifdef HAVE_LIBAUDIT +@@ -195,11 +232,12 @@ + argv++; + } + +- if (require_auditd) +- return check_auditd(); +- else ++ if (require_auditd) { ++ int 
rc = check_auditd(); ++ return rc != PAM_SUCCESS ? rc : ret; ++ } else + #endif +- return PAM_SUCCESS; ++ return ret; + } + + /* diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch new file mode 100644 index 00000000..6c6f1861 --- /dev/null +++ b/debian/patches-applied/pam_namespace_fix_bashism.patch 
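Review bot: In set_loginuid the result of `pam_modutil_read` on /proc/self/uid_map is passed straight to `strncmp` as the length, without checking it. If the read fails, `count` is negative and converts to a very large size, so `strncmp` runs over the uninitialised, unterminated `uid_map` buffer; a short read compares only a prefix. Since the description says an unreadable uid_map should be treated as the host namespace, `if (count > 0 && strncmp(uid_map, host_uid_map, count) != 0)` keeps that intent while avoiding the read past valid data.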
@@ -0,0 +1,61 @@ +From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001 +From: Steve Langasek +Date: Tue, 14 Jan 2014 19:48:51 -0800 +Subject: pam_namespace: don't use bashisms in default namespace.init script + +* modules/pam_namespace/pam_namespace.c: call setuid() before execing the +namespace init script, so that scripts run with maximum privilege regardless +of the shell implementation. +* modules/pam_namespace/namespace.init: drop the '-p' bashism from the +shebang line + +This is not a POSIX standard option, it's a bashism. The bash manpage says +that it's used to prevent the effective user id from being reset to the real +user id on startup, and to ignore certain unsafe variables from the +environment. + +In the case of pam_namespace, the -p is not necessary for environment +sanitizing because the PAM module (properly) sanitizes the environment +before execing the script. + +The stated reason given in CVS history for passing -p is to "preserve euid +when called from setuid apps (su, newrole)." This should be done more +portably, by calling setuid() before spawning the shell. + +Signed-off-by: Steve Langasek +Bug-Debian: http://bugs.debian.org/624842 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323 +--- + modules/pam_namespace/namespace.init | 2 +- + modules/pam_namespace/pam_namespace.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init +index 9ab5806..67d4aa2 100755 +--- a/modules/pam_namespace/namespace.init ++++ b/modules/pam_namespace/namespace.init +@@ -1,4 +1,4 @@ +-#!/bin/sh -p ++#!/bin/sh + # It receives polydir path as $1, the instance path as $2, + # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, + # and user name in $4. 
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index e0d5e30..92883f5 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, + _exit(1); + } + #endif ++ /* Pass maximum privs when we exec() */ ++ if (setuid(geteuid()) < 0) { ++ /* ignore failures, they don't matter */ ++ } ++ + if (execle(init_script, init_script, + polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0) + _exit(1); +-- +cgit v0.12 + diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch new file mode 100644 index 00000000..87336651 --- /dev/null +++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch @@ -0,0 +1,25 @@ +Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd +helper could be sgid shadow instead of suid root, as it is in Debian and +Ubuntu by default. Drop any sgid bits as well. + +Authors: Steve Langasek , + Michael Spang + +Upstream status: to be submitted + +Index: pam-debian/modules/pam_unix/unix_chkpwd.c +=================================================================== +--- pam-debian.orig/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:22:06.270705822 -0700 ++++ pam-debian/modules/pam_unix/unix_chkpwd.c 2011-10-10 16:24:06.080224301 -0700 +@@ -137,9 +137,10 @@ + /* if the caller specifies the username, verify that user + matches it */ + if (strcmp(user, argv[1])) { ++ gid_t gid = getgid(); + user = argv[1]; + /* no match -> permanently change to the real user and proceed */ +- if (setuid(getuid()) != 0) ++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) + return PAM_AUTH_ERR; + } + } 
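Review bot: In inst_init the result of `setuid(geteuid())` is tested and then discarded under the comment "ignore failures, they don't matter", yet the commit message gives this call as the replacement for the shell's `-p`. If it fails, the script is still exec'ed with differing real and effective ids, and a shell may then reset the effective id, so the init script would run with less privilege than intended and nothing is logged. Treating it like the other failure paths in this child, `if (setuid(geteuid()) < 0) _exit(1);`, or at least logging it, makes that case visible. inst_init starts and ends outside the hunk.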
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch new file mode 100644 index 00000000..df3dc65a --- /dev/null +++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch @@ -0,0 +1,25 @@ +Revert upstream change that prevents pam_unix from working with sgid +shadow applications. + +Authors: Steve Langasek + +Upstream status: to be submitted (and debated...) + +Index: debian-pkg-pam/modules/pam_unix/passverify.c +=================================================================== +--- debian-pkg-pam.orig/modules/pam_unix/passverify.c 2009-04-17 12:46:39.000000000 -0700 ++++ debian-pkg-pam/modules/pam_unix/passverify.c 2009-04-17 12:46:40.000000000 -0700 +@@ -203,11 +203,11 @@ + * ...and shadow password file entry for this user, + * if shadowing is enabled + */ ++ *spwdent = pam_modutil_getspnam(pamh, name); + #ifndef HELPER_COMPILE +- if (geteuid() || SELINUX_ENABLED) ++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED)) + return PAM_UNIX_RUN_HELPER; + #endif +- *spwdent = pam_modutil_getspnam(pamh, name); + if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; + } diff --git a/debian/patches-applied/series b/debian/patches-applied/series new file mode 100644 index 00000000..51598ca8 --- /dev/null +++ b/debian/patches-applied/series 
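Review bot: The SELinux case no longer always goes through the helper: the new condition asks for it only when `pam_modutil_getspnam` returned NULL, so with `SELINUX_ENABLED` set a process that can read the shadow entry now verifies in-process, where `geteuid() || SELINUX_ENABLED` used to send it to the helper unconditionally. If that is meant only to let sgid-shadow callers work, the code should say so, e.g. `/* try the direct lookup first so sgid shadow callers work; use the helper only if it fails */` above the call. It is also worth confirming against the SELinux policy in use that skipping the helper is acceptable. The enclosing function starts and ends outside the hunk.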
@@ -0,0 +1,29 @@
+pam_unix_fix_sgid_shadow_auth.patch
+pam_unix_dont_trust_chkpwd_caller.patch
+007_modules_pam_unix
+008_modules_pam_limits_chroot
+021_nis_cleanup
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+do_not_check_nis_accidentally
+027_pam_limits_better_init_allow_explicit_root
+031_pam_include
+032_pam_limits_EPERM_NOT_FATAL
+036_pam_wheel_getlogin_considered_harmful
+hurd_no_setfsuid
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+054_pam_security_abstract_securetty_handling
+055_pam_unix_nullok_secure
+cve-2010-4708.patch
+PAM-manpage-section
+update-motd
+no_PATH_MAX_on_hurd
+lib_security_multiarch_compat
+pam-loginuid-in-containers
+cve-2013-7041.patch
+cve-2014-2583.patch
+cve-2015-3238.patch
+pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
new file mode 100644
index 00000000..6c2af5bb
--- /dev/null
+++ b/debian/patches-applied/update-motd
@@ -0,0 +1,168 @@
+Patch for Ubuntu bug #399071
+
+Provide a more dynamic MOTD, based on the short-lived update-motd project.
+
+Authors: Dustin Kirkland
+
+Upstream status: not yet submitted
+
+Index: pam.debian/modules/pam_motd/pam_motd.c
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.c
++++ pam.debian/modules/pam_motd/pam_motd.c
+@@ -48,14 +48,39 @@
+
+ static char default_motd[] = DEFAULT_MOTD;
+
++static void display_file(pam_handle_t *pamh, const char *motd_path)
++{
++ int fd;
++ char *mtmp = NULL;
++ while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
++ struct stat st;
++ /* fill in message buffer with contents of motd */
++ if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
++ break;
++ if (!(mtmp = malloc(st.st_size+1)))
++ break;
++ if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size)
++ break;
++ if (mtmp[st.st_size-1] == '\n')
++ mtmp[st.st_size-1] = '\0';
++ else
++ mtmp[st.st_size] = '\0';
++ pam_info (pamh, "%s", mtmp);
++ break;
++ }
++ _pam_drop (mtmp);
++ if (fd >= 0)
++ close(fd);
++}
++
+ PAM_EXTERN
+ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+ {
+ int retval = PAM_IGNORE;
+- int fd;
++ int do_update = 1;
+ const char *motd_path = NULL;
+- char *mtmp = NULL;
++ struct stat st;
+
+ if (flags & PAM_SILENT) {
+ return retval;
+@@ -73,6 +98,9 @@
+ "motd= specification missing argument - ignored");
+ }
+ }
++ else if (!strcmp(*argv,"noupdate")) {
++ do_update = 0;
++ }
+ else
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -80,34 +108,23 @@
+ if (motd_path == NULL)
+ motd_path = default_motd;
+
+- while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) {
+- struct stat st;
+-
+- /* fill in message buffer with contents of motd */
+- if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000)
+- break;
+-
+- if (!(mtmp = malloc(st.st_size+1)))
+- break;
+-
+- if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size)
+- break;
+-
+- if (mtmp[st.st_size-1] == '\n')
+- mtmp[st.st_size-1] = '\0';
+- else
+- mtmp[st.st_size] = '\0';
+-
+- pam_info (pamh, "%s", mtmp);
+- break;
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd. */
++ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
++ && S_ISDIR(st.st_mode))
++ {
++ mode_t old_mask = umask(0022);
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
++ umask(old_mask);
+ }
+
+- _pam_drop (mtmp);
+-
+- if (fd >= 0)
+- close(fd);
++ /* Display the updated motd */
++ display_file(pamh, motd_path);
+
+- return retval;
++ return retval;
+ }
+
+
+Index: pam.debian/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8.xml
++++ pam.debian/modules/pam_motd/pam_motd.8.xml
+@@ -52,6 +52,17 @@
+
+
+
++
++
++
++
++
++
++ Don't run the scripts in /etc/update-motd.d
++ to refresh the motd file.
++
++
++
+
+
+
+Index: pam.debian/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.debian.orig/modules/pam_motd/pam_motd.8
++++ pam.debian/modules/pam_motd/pam_motd.8
+@@ -45,6 +45,13 @@
+ /path/filename
+ file is displayed as message of the day\&.
+ .RE
++.PP
++\fBnoupdate\fR
++.RS 4
++Don\*(Aqt run the scripts in
++/etc/update\-motd\&.d
++to refresh the motd file\&.
++.RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+ Only the
+Index: pam.debian/modules/pam_motd/README
+===================================================================
+--- pam.debian.orig/modules/pam_motd/README
++++ pam.debian/modules/pam_motd/README
+@@ -14,6 +14,10 @@
+
+ The /path/filename file is displayed as message of the day.
+
++noupdate
++
++ Don't run the scripts in /etc/update-motd.d to refresh the motd file.
++
+ EXAMPLES
+
+ The suggested usage for /etc/pam.d/login is:
-- cgit v1.2.3
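Review bot: The `system()` / `rename()` pair added to pam_sm_open_session in pam_motd.c fails silently: a non-zero status from the script run, or a failed rename, leaves a stale or missing /run/motd.dynamic with nothing in the log. The fixed name /run/motd.dynamic.new is also shared by every session being opened, so two concurrent logins can write into the same file before either renames it. system() additionally runs a shell inside the calling service with whatever open descriptors and SIGCHLD disposition that service has, which is worth replacing with fork/exec and an explicit argv in a follow-up. As a first step I would record both failure paths, as below; the rest of the function is unchanged.

```c
/* … unchanged: do_update / stat("/etc/update-motd.d") / S_ISDIR guard … */
    static const char update_cmd[] =
        "/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        " run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new";
    mode_t old_mask = umask(0022);
    int rc = system(update_cmd);

    if (rc != 0)
        pam_syslog(pamh, LOG_WARNING, "update-motd run failed (status %d)", rc);
    else if (rename("/run/motd.dynamic.new", "/run/motd.dynamic") != 0)
        pam_syslog(pamh, LOG_WARNING, "cannot install /run/motd.dynamic: %m");
    umask(old_mask);
/* … unchanged: display_file(pamh, motd_path) and return … */
```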