From a852177c4fde4f21ca20abba1ca8d9db06824102 Mon Sep 17 00:00:00 2001
From: Steve Langasek <vorlon@debian.org>
Date: Tue, 25 Aug 2009 01:17:34 -0700
Subject: =?UTF-8?q?debian/patches/007=5Fmodules=5Fpam=5Funix:=20drop=20div?=
 =?UTF-8?q?ergence=20from=20upstream=20that=20treats=20"0"=20as=20a=20spec?=
 =?UTF-8?q?ial=20value=20in=20various=20fields=20in=20/etc/shadow,=20and?=
 =?UTF-8?q?=20document=20this=20in=20debian/NEWS.=20=20Thanks=20to=20Nicol?=
 =?UTF-8?q?as=20Fran=C3=A7ois=20<nicolas.francois@centraliens.net>=20for?=
 =?UTF-8?q?=20the=20detailed=20analysis.=20Closes:=20#308229.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 debian/NEWS                                 | 19 +++++++++++++
 debian/changelog                            |  5 ++++
 debian/patches-applied/007_modules_pam_unix | 42 -----------------------------
 3 files changed, 24 insertions(+), 42 deletions(-)

(limited to 'debian')

diff --git a/debian/NEWS b/debian/NEWS
index f644dc45..327df1ac 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -9,6 +9,25 @@ pam (1.1.0-1) unstable; urgency=low
     The pam_unix module still does its own check of /etc/security/opasswd,
     so if you are using this module you should not need to change anything.
 
+  * Change in handling of /etc/shadow fields
+
+    The Debian PAM package included a patch to treat a value of 0 in certain
+    fields in /etc/shadow as the same as an empty field.  This patch has
+    been dropped, since it caused the behavior of pam_unix to differ from
+    both that of PAM upstream and that of the shadow package.
+
+    The main consequences of this change are that:
+
+    - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970
+      instead of a "never expires" value, so users with this set will be
+      unable to log in
+
+    - a "0" in the sp_inact field will indicate that the user should not be
+      allowed to change an expired password at all, instead of being allowed
+      to change an expired at any time after the expiry.
+
+    See Debian bug #308229 for more information about this change.
+
  -- Steve Langasek <vorlon@debian.org>  Tue, 25 Aug 2009 00:13:57 -0700
 
 pam (0.99.10.0-1) unstable; urgency=low
diff --git a/debian/changelog b/debian/changelog
index a0997f8e..7b752138 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,11 @@ pam (1.1.0-1) UNRELEASED; urgency=low
     symbols.
   * Add /sbin/mkhomedir_helper to libpam-modules.
   * Document that pam_cracklib no longer checks /etc/security/opasswd.
+  * debian/patches/007_modules_pam_unix: drop divergence from upstream
+    that treats "0" as a special value in various fields in /etc/shadow,
+    and document this in debian/NEWS.  Thanks to Nicolas François
+    <nicolas.francois@centraliens.net> for the detailed analysis.
+    Closes: #308229.
 
  -- Steve Langasek <vorlon@debian.org>  Mon, 24 Aug 2009 01:23:18 -0700
 
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
index 3a8446c7..8eedeaea 100644
--- a/debian/patches-applied/007_modules_pam_unix
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -598,48 +598,6 @@ Index: pam.deb/modules/pam_unix/pam_unix_sess.c
  
  	retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
  	if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
-Index: pam.deb/modules/pam_unix/passverify.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.c
-+++ pam.deb/modules/pam_unix/passverify.c
-@@ -240,7 +240,9 @@
- 	*daysleft = -1;
- 	curdays = (long int)(time(NULL) / (60 * 60 * 24));
- 	D(("today is %d, last change %d", curdays, spent->sp_lstchg));
--	if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) {
-+	if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)
-+	    && (spent->sp_expire != 0))
-+	{
- 		D(("account expired"));
- 		return PAM_ACCT_EXPIRED;
- 	}
-@@ -258,17 +260,23 @@
- 	if ((curdays - spent->sp_lstchg > spent->sp_max)
- 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
- 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
--	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-+	    && (spent->sp_max != -1) && (spent->sp_max != 0)
-+	    && (spent->sp_inact != -1) && (spent->sp_inact != 0))
-+	{
- 		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- 		D(("authtok expired"));
- 		return PAM_AUTHTOK_EXPIRED;
- 	}
--	if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
-+	if ((curdays - spent->sp_lstchg > spent->sp_max)
-+            && (spent->sp_max != -1) && (spent->sp_max != 0))
-+	{
- 		D(("need a new password 2"));
- 		return PAM_NEW_AUTHTOK_REQD;
- 	}
- 	if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
--	    && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
-+	    && (spent->sp_max != -1) && (spent->sp_warn != -1)
-+	    && (spent->sp_max != 0) && (spent->sp_warn != 0))
-+	{
- 		*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- 		D(("warn before expiry"));
- 	}
 Index: pam.deb/modules/pam_unix/pam_unix.8
 ===================================================================
 --- pam.deb.orig/modules/pam_unix/pam_unix.8
-- 
cgit v1.2.3