From a92c17bccef85519917b91e4c181154559ecec96 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 26 Jun 2009 09:55:25 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- Fix blowfish support 009-06-25 Thorsten Kukuk * configure.in: Rename crypt_gensalt_rn to crypt_gensalt_r * modules/pam_unix/passverify.c: Likewise. --- modules/pam_unix/passverify.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 8cf95c33..489e8560 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -274,7 +274,7 @@ PAMH_ARG_DECL(int check_shadow_expiry, } if ((curdays - spent->sp_lstchg < spent->sp_min) && (spent->sp_min != -1)) { - /* + /* * The last password change was too recent. This error will be ignored * if no password change is attempted. */ @@ -403,11 +403,11 @@ PAMH_ARG_DECL(char * create_password_hash, return crypted; } -#ifdef HAVE_CRYPT_GENSALT_RN +#ifdef HAVE_CRYPT_GENSALT_R if (on(UNIX_BLOWFISH_PASS, ctrl)) { char entropy[17]; crypt_make_salt(entropy, sizeof(entropy) - 1); - sp = crypt_gensalt_rn(algoid, rounds, + sp = crypt_gensalt_r (algoid, rounds, entropy, sizeof(entropy), salt, sizeof(salt)); } else { @@ -420,7 +420,7 @@ PAMH_ARG_DECL(char * create_password_hash, /* For now be conservative so the resulting hashes * are not too long. 8 bytes of salt prevents dictionary * attacks well enough. */ -#ifdef HAVE_CRYPT_GENSALT_RN +#ifdef HAVE_CRYPT_GENSALT_R } #endif sp = crypt(password, salt); @@ -684,7 +684,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, D(("fflush or fsync error writing entries to old passwords file: %m")); err = 1; } - + if (fclose(pwfile)) { D(("fclose error writing entries to old passwords file: %m")); err = 1; 
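Review bot: The pointer returned by `crypt_gensalt_r` is stored in `sp`, but nothing visible tests it before the following hunk's `sp = crypt(password, salt);` overwrites it, so a failed salt generation would let `crypt` run on whatever `salt` happened to contain. The lines between the two hunks are not shown and create_password_hash starts and ends outside them, so this is inferred from the visible lines only. If no check exists there, add one directly after the call, for example `if (sp == NULL) return NULL; /* salt generation failed: never hash with an unset salt */`, with the return value matched to the function's other error paths. Separately, `crypt_make_salt` is asked to fill `sizeof(entropy) - 1` bytes while `crypt_gensalt_r` is told the input is `sizeof(entropy)` bytes long; passing `sizeof(entropy) - 1` to both would keep the last slot (presumably a terminator) out of the salt input.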
@@ -804,7 +804,7 @@ PAMH_ARG_DECL(int unix_update_passwd, D(("fflush or fsync error writing entries to password file: %m")); err = 1; } - + if (fclose(pwfile)) { D(("fclose error writing entries to password file: %m")); err = 1; @@ -930,7 +930,7 @@ PAMH_ARG_DECL(int unix_update_shadow, D(("fflush or fsync error writing entries to shadow file: %m")); err = 1; } - + if (fclose(pwfile)) { D(("fclose error writing entries to shadow file: %m")); err = 1; -- cgit v1.2.3 From 9c7be916c205257cbc40f4ab179ebe490ebe40f6 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 26 Jun 2009 12:07:11 +0000 Subject: Relevant BUGIDs: 2809661 Purpose of commit: bugfix Commit summary: --------------- Fix compiling with --disable-nls: 2009-06-26 Thorsten Kukuk * modules/pam_lastlog/pam_lastlog.c (last_login_failed): Fix usage of wrong variable [bug#2809661]. --- modules/pam_lastlog/pam_lastlog.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 8af6b9eb..b44c1755 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -454,7 +454,7 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt goto cleanup; } } - + if (line != NULL || date != NULL || host != NULL) { /* TRANSLATORS: "Last failed login: from on " */ pam_info(pamh, _("Last failed login:%s%s%s"), @@ -471,7 +471,7 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt failed), failed); #else - if (daysleft == 1) + if (failed == 1) retval = asprintf(&line, _("There was %d failed login attempt since the last successful login."), failed); -- cgit v1.2.3 From a10774c48223737de31a941f9de53f250db232fc Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Fri, 26 Jun 2009 12:23:28 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2009-06-26 Thorsten Kukuk * modules/pam_unix/pam_unix_passwd.c: Remove dead SELinux code. --- modules/pam_unix/pam_unix_passwd.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 30ea6687..29b9c67d 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -1,7 +1,7 @@ /* * Main coding by Elliot Lee , Red Hat Software. * Copyright (C) 1996. - * Copyright (c) Jan Rkorajski, 1999. + * Copyright (c) Jan Rêkorajski, 1999. * Copyright (c) Red Hat, Inc., 2007, 2008. * * Redistribution and use in source and binary forms, with or without @@ -61,11 +61,6 @@ #include #include #include -#ifdef WITH_SELINUX -static int selinux_enabled=-1; -#include -#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) -#endif #include @@ -196,7 +191,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const snprintf(buffer, sizeof(buffer), "%d", remember); args[4] = x_strdup(buffer); - + execve(UPDATE_HELPER, args, envp); /* should not get here: exit with error */ @@ -698,7 +693,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, pass_new = NULL; } retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); - + if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) { pam_set_item(pamh, PAM_AUTHTOK, NULL); } -- cgit v1.2.3 From dbfe0f0ef9417fa939490a220f013f68e7f76f52 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Sun, 28 Jun 2009 09:27:00 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2009-06-26 Thorsten Kukuk * modules/pam_namespace/Makefile.am: Fix make maintainer-clean, fix docu dependencies. * modules/pam_xauth/Makefile.am: Fix make maintainer-clean. * modules/pam_access/Makefile.am: Likewise. * modules/pam_debug/Makefile.am: Likewise. * modules/pam_deny/Makefile.am: Likewise. * modules/pam_echo/Makefile.am: Likewise. * modules/pam_env/Makefile.am: Likewise. * modules/pam_faildelay/Makefile.am: Likewise. * modules/pam_ftp/Makefile.am: Likewise. * modules/pam_group/Makefile.am: Likewise. * modules/pam_issue/Makefile.am: Likewise. * modules/pam_keyinit/Makefile.am: Likewise. * modules/pam_lastlog/Makefile.am: Likewise. * modules/pam_limits/Makefile.am: Likewise. * modules/pam_listfile/Makefile.am: Likewise. * modules/pam_localuser/Makefile.am: Likewise. * modules/pam_loginuid/Makefile.am: Likewise. * modules/pam_mail/Makefile.am: Likewise. * modules/pam_mkhomedir/Makefile.am: Likewise. * modules/pam_motd/Makefile.am: Likewise. * modules/pam_nologin/Makefile.am: Likewise. * modules/pam_pwhistory/Makefile.am: Likewise. * modules/pam_rhosts/Makefile.am: Likewise. * modules/pam_rootok/Makefile.am: Likewise. * modules/pam_securetty/Makefile.am: Likewise. * modules/pam_shells/Makefile.am: Likewise. * modules/pam_succeed_if/Makefile.am: Likewise. * modules/pam_tally2/Makefile.am: Likewise. * modules/pam_tally/Makefile.am: Likewise. * modules/pam_time/Makefile.am: Likewise. * modules/pam_timestamp/Makefile.am: Likewise. * modules/pam_tty_audit/Makefile.am: Likewise. * modules/pam_umask/Makefile.am: Likewise. * modules/pam_unix/Makefile.am: Likewise. * modules/pam_warn/Makefile.am: Likewise. * modules/pam_wheel/Makefile.am: Likewise. * modules/pam_filter/Makefile.am: Likewise. * configure.in: Make regeneration of docu configureable, rename enable_man to enable_docu. 
* modules/pam_env/pam_env.c (_pam_parse): Fix typo in debug code. * modules/pam_cracklib/Makefile.am: Don't install docu if module is disabled for building. * modules/pam_userdb/Makefile.am: Likewise. --- modules/pam_access/Makefile.am | 3 ++- modules/pam_cracklib/Makefile.am | 25 +++++++++++-------------- modules/pam_debug/Makefile.am | 4 ++-- modules/pam_deny/Makefile.am | 3 ++- modules/pam_echo/Makefile.am | 3 ++- modules/pam_env/Makefile.am | 3 ++- modules/pam_env/pam_env.c | 2 +- modules/pam_exec/Makefile.am | 3 ++- modules/pam_faildelay/Makefile.am | 4 ++-- modules/pam_filter/Makefile.am | 4 ++-- modules/pam_ftp/Makefile.am | 4 ++-- modules/pam_group/Makefile.am | 4 ++-- modules/pam_issue/Makefile.am | 4 ++-- modules/pam_keyinit/Makefile.am | 3 ++- modules/pam_lastlog/Makefile.am | 4 ++-- modules/pam_limits/Makefile.am | 3 ++- modules/pam_listfile/Makefile.am | 4 ++-- modules/pam_localuser/Makefile.am | 6 +++--- modules/pam_loginuid/Makefile.am | 3 ++- modules/pam_mail/Makefile.am | 4 ++-- modules/pam_mkhomedir/Makefile.am | 4 ++-- modules/pam_motd/Makefile.am | 4 ++-- modules/pam_namespace/Makefile.am | 37 ++++++++++++++++++++++--------------- modules/pam_nologin/Makefile.am | 4 ++-- modules/pam_permit/Makefile.am | 4 ++-- modules/pam_pwhistory/Makefile.am | 4 ++-- modules/pam_rhosts/Makefile.am | 4 ++-- modules/pam_rootok/Makefile.am | 3 ++- modules/pam_securetty/Makefile.am | 3 ++- modules/pam_shells/Makefile.am | 4 ++-- modules/pam_stress/Makefile.am | 2 +- modules/pam_succeed_if/Makefile.am | 3 ++- modules/pam_tally/Makefile.am | 3 ++- modules/pam_tally2/Makefile.am | 3 ++- modules/pam_time/Makefile.am | 3 ++- modules/pam_timestamp/Makefile.am | 5 +++-- modules/pam_tty_audit/Makefile.am | 4 ++-- modules/pam_umask/Makefile.am | 4 ++-- modules/pam_unix/Makefile.am | 10 +++++----- modules/pam_userdb/Makefile.am | 14 +++++++++----- modules/pam_warn/Makefile.am | 4 ++-- modules/pam_wheel/Makefile.am | 4 ++-- modules/pam_xauth/Makefile.am | 4 ++-- 43 files 
changed, 125 insertions(+), 102 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am index 9b58e81e..b4fea7df 100644 --- a/modules/pam_access/Makefile.am +++ b/modules/pam_access/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access diff --git a/modules/pam_cracklib/Makefile.am b/modules/pam_cracklib/Makefile.am index 619ffc93..57ddd675 100644 --- a/modules/pam_cracklib/Makefile.am +++ b/modules/pam_cracklib/Makefile.am @@ -1,12 +1,16 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_cracklib +EXTRA_DIST = README $(XMLS) pam_cracklib.8 tst-pam_cracklib -man_MANS = pam_cracklib.8 +if HAVE_LIBCRACK + TESTS = tst-pam_cracklib + man_MANS = pam_cracklib.8 +endif XMLS = README.xml pam_cracklib.8.xml @@ -18,21 +22,14 @@ AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif - -if HAVE_LIBCRACK -securelib_LTLIBRARIES = pam_cracklib.la - -TESTS = tst-pam_cracklib -endif - pam_cracklib_la_LIBADD = -L$(top_builddir)/libpam -lpam \ @LIBCRACK@ @LIBCRYPT@ +if HAVE_LIBCRACK + securelib_LTLIBRARIES = pam_cracklib.la +endif if ENABLE_REGENERATE_MAN - -noinst_DATA = README - +noinst_DATA = README pam_cracklib.8 README: pam_cracklib.8.xml - -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_debug/Makefile.am b/modules/pam_debug/Makefile.am index 0b798516..d87af88f 100644 --- a/modules/pam_debug/Makefile.am +++ b/modules/pam_debug/Makefile.am 
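Review bot: `MAINTAINERCLEANFILES = $(MANS) README` in modules/pam_cracklib/Makefile.am stops covering the man page when the module is disabled, because `man_MANS = pam_cracklib.8` now sits inside `if HAVE_LIBCRACK` and `$(MANS)` is presumably empty when that conditional is false. The same section already changes `EXTRA_DIST` to name `pam_cracklib.8` explicitly, so the clean list should follow suit: `MAINTAINERCLEANFILES = pam_cracklib.8 README`. modules/pam_userdb/Makefile.am has the same pattern under `if HAVE_LIBDB` and would want `MAINTAINERCLEANFILES = pam_userdb.8 README`. pam_namespace already lists `$(MAN5) $(MAN8)` directly and is not affected.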
@@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_debug @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_debug.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_deny/Makefile.am b/modules/pam_deny/Makefile.am index 94b5f0f6..118928a1 100644 --- a/modules/pam_deny/Makefile.am +++ b/modules/pam_deny/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005 Thorsten Kukuk +# Copyright (c) 2005, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_deny diff --git a/modules/pam_echo/Makefile.am b/modules/pam_echo/Makefile.am index d004e8f4..265e3a07 100644 --- a/modules/pam_echo/Makefile.am +++ b/modules/pam_echo/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_echo diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am index 87813688..d39aad80 100644 --- a/modules/pam_env/Makefile.am +++ b/modules/pam_env/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005 Thorsten Kukuk +# Copyright (c) 2005, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index 395ada21..84953104 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c 
@@ -120,7 +120,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, "user_envfile= specification missing argument - ignored"); } else { *user_envfile = 13+*argv; - D(("new User Env File: %s", *user_env_file)); + D(("new User Env File: %s", *user_envfile)); } } else if (!strncmp(*argv,"readenv=",8)) *readenv = atoi(8+*argv); diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am index 55fe9297..2838d1de 100644 --- a/modules/pam_exec/Makefile.am +++ b/modules/pam_exec/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2006 Thorsten Kukuk +# Copyright (c) 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec diff --git a/modules/pam_faildelay/Makefile.am b/modules/pam_faildelay/Makefile.am index 2796018c..2a4a2b07 100644 --- a/modules/pam_faildelay/Makefile.am +++ b/modules/pam_faildelay/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2006 Thorsten Kukuk +# Copyright (c) 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_faildelay.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_filter/Makefile.am b/modules/pam_filter/Makefile.am index ab2ceee9..eddb08af 100644 --- a/modules/pam_filter/Makefile.am +++ b/modules/pam_filter/Makefile.am @@ -1,10 +1,11 @@ # -# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk # SUBDIRS = upperLOWER CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_filter @@ -31,4 +32,3 @@ noinst_DATA = README README: pam_filter.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_ftp/Makefile.am b/modules/pam_ftp/Makefile.am index a4ce03df..4401399b 100644 --- a/modules/pam_ftp/Makefile.am +++ b/modules/pam_ftp/Makefile.am 
@@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_ftp @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_ftp.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am index 22dc831b..0fd2a5d2 100644 --- a/modules/pam_group/Makefile.am +++ b/modules/pam_group/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group @@ -31,4 +32,3 @@ noinst_DATA = README README: pam_group.8.xml group.conf.5.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_issue/Makefile.am b/modules/pam_issue/Makefile.am index 8161fd81..40d5c1ab 100644 --- a/modules/pam_issue/Makefile.am +++ b/modules/pam_issue/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_issue @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_issue.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am index 5039705a..4416c1c1 100644 --- a/modules/pam_keyinit/Makefile.am +++ b/modules/pam_keyinit/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2006 David Howells +# Copyright (c) 2006, 2009 David Howells # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit XMLS = README.xml pam_keyinit.8.xml diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index 899bda7b..88bab272 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am 
@@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_lastlog.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am index 13232ea6..78943736 100644 --- a/modules/pam_limits/Makefile.am +++ b/modules/pam_limits/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) limits.conf tst-pam_limits diff --git a/modules/pam_listfile/Makefile.am b/modules/pam_listfile/Makefile.am index 2f211320..15466257 100644 --- a/modules/pam_listfile/Makefile.am +++ b/modules/pam_listfile/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_listfile.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index d4e47937..c7deac3f 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -1,10 +1,11 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_localuser +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_localuser TESTS = tst-pam_localuser @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_localuser.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_loginuid/Makefile.am b/modules/pam_loginuid/Makefile.am index 636db963..4a715f1b 100644 
--- a/modules/pam_loginuid/Makefile.am +++ b/modules/pam_loginuid/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2006 Thorsten Kukuk +# Copyright (c) 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_loginuid diff --git a/modules/pam_mail/Makefile.am b/modules/pam_mail/Makefile.am index 0b5d2d70..c63a2bc2 100644 --- a/modules/pam_mail/Makefile.am +++ b/modules/pam_mail/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mail @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_mail.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_mkhomedir/Makefile.am b/modules/pam_mkhomedir/Makefile.am index 42031472..7fe66056 100644 --- a/modules/pam_mkhomedir/Makefile.am +++ b/modules/pam_mkhomedir/Makefile.am @@ -1,9 +1,10 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # Copyright (c) 2008 Red Hat, Inc. # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mkhomedir @@ -36,4 +37,3 @@ noinst_DATA = README README: pam_mkhomedir.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_motd/Makefile.am b/modules/pam_motd/Makefile.am index 872e5d37..ec6cd57a 100644 --- a/modules/pam_motd/Makefile.am +++ b/modules/pam_motd/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_motd @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_motd.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 05d47cf3..44513de0 100644 
--- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -1,21 +1,22 @@ # +# Copyright (c) 2009 Thorsten Kukuk # Copyright (c) 2006 Red Hat, Inc. # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MAN5) $(MAN8) README + MAN5 = namespace.conf.5 MAN8 = pam_namespace.8 -XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace -if ENABLE_REGENERATE_MAN -noinst_DATA = README --include $(top_srcdir)/Make.xml.rules +if HAVE_UNSHARE + TESTS = tst-pam_namespace + man_MANS = $(MAN5) $(MAN8) endif -EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace - -noinst_HEADERS = md5.h pam_namespace.h argv_parse.h +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -28,15 +29,21 @@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif +noinst_HEADERS = md5.h pam_namespace.h argv_parse.h + if HAVE_UNSHARE -securelib_LTLIBRARIES = pam_namespace.la -pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c -pam_namespace_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ + securelib_LTLIBRARIES = pam_namespace.la + pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c + pam_namespace_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ -secureconf_DATA = namespace.conf -secureconf_SCRIPTS = namespace.init -namespaced_DATA = + secureconf_DATA = namespace.conf + secureconf_SCRIPTS = namespace.init + namespaced_DATA = +endif -TESTS = tst-pam_namespace -man_MANS = $(MAN5) $(MAN8) + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_namespace.8.xml namespace.conf.5.xml +-include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am index 02840dde..f2bcfab1 100644 --- a/modules/pam_nologin/Makefile.am +++ b/modules/pam_nologin/Makefile.am 
@@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_nologin.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_permit/Makefile.am b/modules/pam_permit/Makefile.am index aa6db7a1..5d251323 100644 --- a/modules/pam_permit/Makefile.am +++ b/modules/pam_permit/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_permit @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_permit.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am index 018d0b52..4c24c275 100644 --- a/modules/pam_pwhistory/Makefile.am +++ b/modules/pam_pwhistory/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2008 Thorsten Kukuk +# Copyright (c) 2008, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory @@ -32,4 +33,3 @@ noinst_DATA = README README: pam_pwhistory.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am index 547ad621..7ffd4b78 100644 --- a/modules/pam_rhosts/Makefile.am +++ b/modules/pam_rhosts/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2008, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts @@ -29,4 +30,3 @@ noinst_DATA = README README: pam_rhosts.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_rootok/Makefile.am b/modules/pam_rootok/Makefile.am index 54fe2720..81969fc4 100644 
--- a/modules/pam_rootok/Makefile.am +++ b/modules/pam_rootok/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rootok diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index dd8d9473..092b6773 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_securetty diff --git a/modules/pam_shells/Makefile.am b/modules/pam_shells/Makefile.am index 543e01b4..f4abbb44 100644 --- a/modules/pam_shells/Makefile.am +++ b/modules/pam_shells/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_shells @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_shells.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_stress/Makefile.am b/modules/pam_stress/Makefile.am index b5f80938..ff33817b 100644 --- a/modules/pam_stress/Makefile.am +++ b/modules/pam_stress/Makefile.am @@ -1,5 +1,5 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am index 0394f42d..49b5d46c 100644 --- a/modules/pam_succeed_if/Makefile.am +++ b/modules/pam_succeed_if/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if 
diff --git a/modules/pam_tally/Makefile.am b/modules/pam_tally/Makefile.am index c4c181a9..e5b95592 100644 --- a/modules/pam_tally/Makefile.am +++ b/modules/pam_tally/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally diff --git a/modules/pam_tally2/Makefile.am b/modules/pam_tally2/Makefile.am index 06cdf554..507c2942 100644 --- a/modules/pam_tally2/Makefile.am +++ b/modules/pam_tally2/Makefile.am @@ -1,9 +1,10 @@ # -# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk # Copyright (c) 2008 Red Hat, Inc. # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2 diff --git a/modules/pam_time/Makefile.am b/modules/pam_time/Makefile.am index 9c63ee5e..d2ef636c 100644 --- a/modules/pam_time/Makefile.am +++ b/modules/pam_time/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) time.conf tst-pam_time diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am index 37cbabf9..313c1eb7 100644 --- a/modules/pam_timestamp/Makefile.am +++ b/modules/pam_timestamp/Makefile.am @@ -1,9 +1,10 @@ # -# Copyright (c) 2005 Thorsten Kukuk +# Copyright (c) 2005, 2009 Thorsten Kukuk # Copyright (c) 2005, 2008 Red Hat, Inc. # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml man_MANS = pam_timestamp.8 pam_timestamp_check.8 @@ -44,4 +45,4 @@ README: pam_timestamp.8.xml -include $(top_srcdir)/Make.xml.rules endif -noinst_PROGRAMS = hmacfile +noinst_PROGRAMS = hmacfile 
diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am index 5bb64585..fce439ce 100644 --- a/modules/pam_tty_audit/Makefile.am +++ b/modules/pam_tty_audit/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) @@ -27,4 +28,3 @@ noinst_DATA = README README: pam_tty_audit.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_umask/Makefile.am b/modules/pam_umask/Makefile.am index 53a666aa..397c5398 100644 --- a/modules/pam_umask/Makefile.am +++ b/modules/pam_umask/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_umask @@ -29,4 +30,3 @@ noinst_DATA = README README: pam_umask.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index c4f746c9..44b37e94 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -1,11 +1,12 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \ - tst-pam_unix $(XMLS) + tst-pam_unix $(XMLS) man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 XMLS = README.xml pam_unix.8.xml unix_chkpwd.8.xml unix_update.8.xml 
@@ -49,13 +50,13 @@ bigcrypt_LDADD = @LIBCRYPT@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" -unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ +unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" -unix_update_LDFLAGS = @PIE_LDFLAGS@ +unix_update_LDFLAGS = @PIE_LDFLAGS@ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ if ENABLE_REGENERATE_MAN @@ -63,4 +64,3 @@ noinst_DATA = README README: pam_unix.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index a442ef83..b05cc6c6 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -1,12 +1,17 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) create.pl tst-pam_userdb +EXTRA_DIST = README $(XMLS) pam_userdb.8 create.pl tst-pam_userdb + +if HAVE_LIBDB + man_MANS = pam_userdb.8 + TESTS = tst-pam_userdb +endif -man_MANS = pam_userdb.8 XMLS = README.xml pam_userdb.8.xml securelibdir = $(SECUREDIR) @@ -21,13 +26,12 @@ endif if HAVE_LIBDB securelib_LTLIBRARIES = pam_userdb.la - TESTS = tst-pam_userdb endif noinst_HEADERS = pam_userdb.h if ENABLE_REGENERATE_MAN -noinst_DATA = README +noinst_DATA = README pam_userdb.8 README: pam_userdb.8.xml -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_warn/Makefile.am b/modules/pam_warn/Makefile.am index 6ecc1362..75cf38a5 100644 --- a/modules/pam_warn/Makefile.am +++ b/modules/pam_warn/Makefile.am 
@@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_warn @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_warn.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am index 82a98305..bccb8aae 100644 --- a/modules/pam_wheel/Makefile.am +++ b/modules/pam_wheel/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_wheel.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am index 8f1d56b0..816d50e9 100644 --- a/modules/pam_xauth/Makefile.am +++ b/modules/pam_xauth/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_xauth @@ -28,4 +29,3 @@ noinst_DATA = README README: pam_xauth.8.xml -include $(top_srcdir)/Make.xml.rules endif - -- cgit v1.2.3 From 006cf0e7333c53f7981c60c1cfcad77537d0fe74 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 29 Jun 2009 08:15:00 +0000 Subject: Relevant BUGIDs: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Purpose of commit: docu fix Commit summary: --------------- 2009-06-29 Thorsten Kukuk * modules/pam_unix/pam_unix.8.xml: Fix blowfish description. Reported by Diego E. “Flameeyes” Pettenò. --- modules/pam_unix/pam_unix.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') 
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index a726e5e7..6b860f7f 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -296,7 +296,7 @@ When a user changes their password next, encrypt it with the blowfish algorithm. If the - SHA512 algorithm is not known to the + blowfish algorithm is not known to the crypt3 function, fall back to MD5. -- cgit v1.2.3 From 2037cd51a2b787c492d60c9235b85868f03ed9ba Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 30 Jun 2009 10:28:53 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- This makes Linux-PAM compile able with uClibc or on embedded systems without full libc/libnsl. 2009-06-29 Thorsten Kukuk * modules/pam_unix/yppasswd_xdr.c: Remove unnecessary header files. * modules/pam_unix/support.c (_unix_getpwnam): Only compile in NIS support if all necessary functions exist. * modules/pam_unix/pam_unix_passwd.c (getNISserver): Add debug option, handle correct if OS has no NIS support. * modules/pam_access/pam_access.c (netgroup_match): Check if yp_get_default_domain and innetgr are available at compile time. * configure.in: Check for functions: innetgr, getdomainname check for headers: rpcsvc/ypclnt.h, rpcsvc/yp_prot.h. --- modules/pam_access/pam_access.c | 26 ++++++++++++++++++++++---- modules/pam_unix/pam_unix_passwd.c | 36 ++++++++++++++++++++++++++++++++++-- modules/pam_unix/support.c | 7 +++++++ modules/pam_unix/yppasswd_xdr.c | 2 -- 4 files changed, 63 insertions(+), 8 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index ba8effe3..963ce528 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -41,11 +41,12 @@ #include #include #include -#include #include #include #include - +#ifdef HAVE_RPCSVC_YPCLNT_H +#include +#endif #ifdef HAVE_LIBAUDIT #include #endif 
@@ -465,13 +466,31 @@ static int netgroup_match (pam_handle_t *pamh, const char *netgroup, const char *machine, const char *user, int debug) { - char *mydomain = NULL; int retval; + char *mydomain = NULL; +#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN yp_get_default_domain(&mydomain); +#elif defined(HAVE_GETDOMAINNAME) + char domainname_res[256]; + if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) + { + if (strcmp (domainname_res, "(none)") == 0) + { + /* If domainname is not set, some systems will return "(none)" */ + domainname_res[0] = '\0'; + } + mydomain = domainname_res; + } +#endif +#ifdef HAVE_INNETGR retval = innetgr (netgroup, machine, user, mydomain); +#else + retval = 0; + pam_syslog (pamh, LOG_ERR, "pam_access does not have netgroup support"); +#endif if (debug == YES) pam_syslog (pamh, LOG_DEBUG, "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)", @@ -479,7 +498,6 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, machine ? machine : "NULL", user ? user : "NULL", mydomain ? mydomain : "NULL"); return retval; - } /* user_match - match a username against one token */ diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 29b9c67d..2792a4d5 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -55,8 +55,12 @@ #include #include #include +#ifdef HAVE_RPCSVC_YP_PROT_H #include +#endif +#ifdef HAVE_RPCSVC_YPCLNT_H #include +#endif #include #include 
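Review bot: The guard `#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN` in netgroup_match is misspelled, so the `yp_get_default_domain(&mydomain)` branch can never be compiled in; the other files touched by this commit test `HAVE_YP_GET_DEFAULT_DOMAIN`, and this line should read `#ifdef HAVE_YP_GET_DEFAULT_DOMAIN`. In the branch for a missing innetgr(), `retval = 0` reports "no match", which for an access.conf entry that denies a netgroup means the entry silently stops applying. The LOG_ERR text is then the only signal an administrator gets, so I would spell that consequence out in the message or in a comment next to `retval = 0;`.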
@@ -98,17 +102,34 @@ extern int getrpcport(const char *host, unsigned long prognum, #define MAX_PASSWD_TRIES 3 -static char *getNISserver(pam_handle_t *pamh) +static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) { +#if (defined(HAVE_YP_GET_DEFAULT_DOMAIN) || defined(HAVE_GETDOMAINNAME)) && defined(HAVE_YP_MASTER) char *master; char *domainname; int port, err; +#ifdef HAVE_YP_GET_DEFAULT_DOMAIN if ((err = yp_get_default_domain(&domainname)) != 0) { pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s", yperr_string(err)); return NULL; } +#elif defined(HAVE_GETDOMAINNAME) + char domainname_res[256]; + + if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) + { + if (strcmp (domainname_res, "(none)") == 0) + { + /* If domainname is not set, some systems will return "(none)" */ + domainname_res[0] = '\0'; + } + domainname = domainname_res; + } + else domainname = NULL; +#endif + if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) { pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s", yperr_string(err)); @@ -125,7 +146,18 @@ static char *getNISserver(pam_handle_t *pamh) "yppasswd daemon running on illegal port"); return NULL; } + if (on(UNIX_DEBUG, ctrl)) { + pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d", + master, port); + } return master; +#else + if (on(UNIX_DEBUG, ctrl)) { + pam_syslog(pamh, LOG_DEBUG, "getNISserver: No NIS support available"); + } + + return NULL; +#endif } #ifdef WITH_SELINUX @@ -294,7 +326,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, } if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { - if ((master=getNISserver(pamh)) != NULL) { + if ((master=getNISserver(pamh, ctrl)) != NULL) { struct timeval timeout; struct yppasswd yppwd; CLIENT *clnt; diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 050e0dc1..2a47d157 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c 
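Review bot: In the HAVE_GETDOMAINNAME branch of getNISserver a failed getdomainname() only sets `domainname = NULL` and execution continues into `yp_master(domainname, ...)`, whereas the yp_get_default_domain branch logs and returns NULL. The fallback should fail the same way, e.g. `else { pam_syslog(pamh, LOG_WARNING, "can't get local domain name: %m"); return NULL; }`. The same branch also passes an empty string on to yp_master when the name was "(none)". The 256-byte `domainname_res` is then used as a C string, and whether getdomainname() terminates it on truncation depends on the libc, so `domainname_res[sizeof(domainname_res) - 1] = '\0';` after the call is cheap insurance. The same buffer pattern is added to netgroup_match in pam_access.c.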
@@ -19,7 +19,9 @@ #include #include #include +#ifdef HAVE_RPCSVC_YPCLNT_H #include +#endif #include #include @@ -275,6 +277,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, } } +#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) if (!matched && nis) { char *userinfo = NULL, *domain = NULL; int len = 0, i; @@ -293,6 +296,10 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, } } } +#else + /* we don't have NIS support, make compiler happy. */ + nis = 0; +#endif if (matched && (ret != NULL)) { *ret = NULL; diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c index 0b7cfac6..0b95b82b 100644 --- a/modules/pam_unix/yppasswd_xdr.c +++ b/modules/pam_unix/yppasswd_xdr.c @@ -13,8 +13,6 @@ #include "config.h" #include -#include -#include #include "yppasswd.h" bool_t -- cgit v1.2.3 From 15ea8d1c2d1f0899e3a4caa6c3482b2f01647cdf Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 21 Jul 2009 13:59:24 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2009-07-21 Thorsten Kukuk * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Delete new token if it does not match strength criteria. --- modules/pam_cracklib/pam_cracklib.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index ba64aae2..cf383b2c 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -545,7 +545,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, const char *pass_new) { const char *msg = NULL; - const void *user; + const char *user; int retval; if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { 
@@ -556,7 +556,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, return PAM_AUTHTOK_ERR; } - retval = pam_get_item(pamh, PAM_USER, &user); + retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS || user == NULL) { if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh,LOG_ERR,"Can not get username"); @@ -658,6 +658,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg); if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { + pam_set_item (pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; continue; } @@ -670,6 +671,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (retval != PAM_SUCCESS) { if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { + pam_set_item(pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; continue; } -- cgit v1.2.3 From c474e908e6e1e74dcceafdc972b559ba76642a18 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 25 Aug 2009 07:32:55 +0000 Subject: Relevant BUGIDs: Debian bug #470137 Purpose of commit: bugfix Commit summary: --------------- 2009-08-25 Steve Langasek * modules/pam_sepermit/pam_sepermit.8.xml: fix up one reference to pam.d(8) left behind because I've forgotten how CVS works --- modules/pam_sepermit/pam_sepermit.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index da4153bf..36730721 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -171,7 +171,7 @@ session required pam_permit.so pam.conf5 , - pam.d8 + pam.d5 , pam8 -- cgit v1.2.3 From de99a00248cdd5d41994056ccc1815a8f1e779b6 Mon Sep 17 00:00:00 2001 
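Review bot: The two added `pam_set_item (pamh, PAM_AUTHTOK, NULL);` calls (the hunk at -658 and the one at -671) carry no comment and ignore the return value, so a reader cannot tell that their purpose is to keep a rejected password out of the PAM handle. I would put `/* drop the rejected token so it is not left in the handle for the retry or for modules stacked after this one */` above each call and log when the call does not return PAM_SUCCESS. The clearing happens only inside the `getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)` branch; when that condition is false the token is kept, which looks deliberate but deserves a word in the same comment. pam_sm_chauthtok starts and ends outside these hunks.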
From: Steve Langasek Date: Mon, 31 Aug 2009 22:09:44 +0000 Subject: Relevant BUGIDs: Debian bug #518908 Purpose of commit: portability Commit summary: --------------- 2009-08-31 Steve Langasek * modules/pam_namespace/namespace.init: make this portable to POSIX awk, instead of using GNU awk extensions. --- modules/pam_namespace/namespace.init | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init index 424c6d0c..9898bf3a 100755 --- a/modules/pam_namespace/namespace.init +++ b/modules/pam_namespace/namespace.init @@ -15,7 +15,8 @@ if [ "$3" = 1 ]; then gid=$(echo "$passwd" | cut -f4 -d":") cp -rT /etc/skel "$homedir" chown -R "$user":"$gid" "$homedir" - mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs) + mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs) + mode=$(printf "%o" $((0777 & ~$mask))) chmod ${mode:-700} "$homedir" [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" fi -- cgit v1.2.3 From 78badec1b121a83fca3e7a42a440a1bb14b24329 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Thu, 10 Sep 2009 10:19:57 +0000 Subject: Relevant BUGIDs: Debian bug #537848 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Purpose of commit: bugfix Commit summary: --------------- 2009-09-10 Steve Langasek * modules/pam_securetty/pam_securetty.c: pam_securetty should not return PAM_USER_UNKNOWN when the tty is secure, regardless of what was entered as a username. Patch from Nicolas François . --- modules/pam_securetty/pam_securetty.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'modules') diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index ec796d9e..a3c2010d 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c 
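Review bot: The new `mode=$(printf "%o" $((0777 & ~$mask)))` mishandles two inputs that the awk version coped with. If /etc/login.defs has no UMASK line, `$mask` is empty and `$((0777 & ~))` is an arithmetic syntax error, so the `${mode:-700}` fallback on the chmod line no longer covers that case. A value written without a leading zero (`UMASK 22`) is now read as decimal, because the old code forced octal with `strtonum("0" $2)`. Since the value is pasted into an arithmetic expansion, it should also be checked to consist of octal digits only before it is used.

```shell
mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs)
case "$mask" in
    ''|*[!0-7]*) mode= ;;   # missing or not octal: chmod falls back to 700
    *) mode=$(printf "%o" $((0777 & ~0$mask))) ;;
esac
# … unchanged: chmod ${mode:-700} "$homedir" and restorecon …
```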
@@ -86,13 +86,11 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } user_pwd = pam_modutil_getpwnam(pamh, username); - if (user_pwd == NULL) { - return PAM_USER_UNKNOWN; - } else if (user_pwd->pw_uid != 0) { /* If the user is not root, - securetty's does not apply - to them */ + if (user_pwd != NULL && user_pwd->pw_uid != 0) { + /* If the user is not root, securetty's does not apply to them */ return PAM_SUCCESS; } + /* The user is now either root or an invalid / mistyped username */ retval = pam_get_item(pamh, PAM_TTY, &void_uttyname); uttyname = void_uttyname; @@ -151,6 +149,9 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, uttyname); retval = PAM_AUTH_ERR; + if (user_pwd == NULL) { + retval = PAM_USER_UNKNOWN; + } } else { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", -- cgit v1.2.3 From 12d006be22f7e47cbce75c9891e3cf51ac030711 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 6 Oct 2009 12:26:05 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2009-10-06 Tomas Mraz * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Just call pam_modutil_user_in_group_nam_nam() instead of reimplementation of group matching. --- modules/pam_listfile/pam_listfile.c | 76 +++++++++++-------------------------- 1 file changed, 22 insertions(+), 54 deletions(-) (limited to 'modules') diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index dbd92058..f7ed9a40 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -82,7 +82,6 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* Stuff for "extended" items */ struct passwd *userinfo; struct group *grpinfo; - char *itemlist[256]; /* Maximum of 256 items */ apply_type=APPLY_TYPE_NULL; memset(apply_val,0,sizeof(apply_val)); 
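Review bot: The block added at -151 makes the insecure-tty path return PAM_USER_UNKNOWN for a name that is not in the password database and PAM_AUTH_ERR for root, and nothing in the code says why the two cases are kept apart. I would add a comment above `if (user_pwd == NULL)` such as `/* unknown name on an insecure tty: report PAM_USER_UNKNOWN so the stack configuration can treat it differently from a refused root login */`, assuming that is the intent. The comment added in the first hunk should also state the other half of the change, namely that an unknown name on a secure tty now falls through to the success path. securetty_perform_check starts and ends outside both hunks.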
@@ -265,30 +264,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, if(extitem) { switch(extitem) { case EI_GROUP: - userinfo = pam_modutil_getpwnam(pamh, citemp); - if (userinfo == NULL) { - pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed", - citemp); - free(ifname); - return onerr; - } - grpinfo = pam_modutil_getgrgid(pamh, userinfo->pw_gid); - if (grpinfo == NULL) { - pam_syslog(pamh,LOG_ERR, "getgrgid(%d) failed", - (int)userinfo->pw_gid); - free(ifname); - return onerr; - } - itemlist[0] = x_strdup(grpinfo->gr_name); - setgrent(); - for (i=1; (i < (int)(sizeof(itemlist)/sizeof(itemlist[0])-1)) && - (grpinfo = getgrent()); ) { - if (is_on_list(grpinfo->gr_mem,citemp)) { - itemlist[i++] = x_strdup(grpinfo->gr_name); - } - } - endgrent(); - itemlist[i] = NULL; + /* Just ignore, call pam_modutil_in_group... later */ break; case EI_SHELL: /* Assume that we have already gotten PAM_USER in 
@@ -352,38 +328,30 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, assert(PAM_SUCCESS == 0); assert(PAM_AUTH_ERR != 0); #endif - if(extitem == EI_GROUP) { - while((fgets(aline,sizeof(aline),inf) != NULL) - && retval) { - if(strlen(aline) == 0) - continue; - if(aline[strlen(aline) - 1] == '\n') - aline[strlen(aline) - 1] = '\0'; - for(i=0;itemlist[i];) - /* If any of the items match, strcmp() == 0, and we get out - of this loop */ - retval = (strcmp(aline,itemlist[i++]) && retval); + while((fgets(aline,sizeof(aline),inf) != NULL) + && retval) { + char *a = aline; + + if(strlen(aline) == 0) + continue; + if(aline[strlen(aline) - 1] == '\n') + aline[strlen(aline) - 1] = '\0'; + if(strlen(aline) == 0) + continue; + if(aline[strlen(aline) - 1] == '\r') + aline[strlen(aline) - 1] = '\0'; + if(citem == PAM_TTY) { + if(strncmp(a, "/dev/", 5) == 0) + a += 5; } - for(i=0;itemlist[i];) - free(itemlist[i++]); - } else { - while((fgets(aline,sizeof(aline),inf) != NULL) - && retval) { - char *a = aline; - if(strlen(aline) == 0) - continue; - if(aline[strlen(aline) - 1] == '\n') - aline[strlen(aline) - 1] = '\0'; - if(strlen(aline) == 0) - continue; - if(aline[strlen(aline) - 1] == '\r') - aline[strlen(aline) - 1] = '\0'; - if(citem == PAM_TTY) - if(strncmp(a, "/dev/", 5) == 0) - a += 5; - retval = strcmp(a,citemp); + if (extitem == EI_GROUP) { + retval = !pam_modutil_user_in_group_nam_nam(pamh, + citemp, aline); + } else { + retval = strcmp(a, citemp); } } + fclose(inf); free(ifname); if ((sense && retval) || (!sense && !retval)) { -- cgit v1.2.3 From 0d0218cc1cae724073a6f93de4d133049b359a81 Mon Sep 17 00:00:00 2001 
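Review bot: In the merged loop a line consisting only of "\r\n" is reduced to an empty string by the second strip and still reaches the comparison. For `EI_GROUP` that hands an empty group name to `pam_modutil_user_in_group_nam_nam()`, and for the other items an empty entry is compared with the item. Adding `if (*a == '\0') continue;` right after the '\r' strip closes that gap. The negation in `retval = !pam_modutil_user_in_group_nam_nam(pamh, citemp, aline);` relies on the loop's strcmp-style "0 means matched" convention, which a one-line comment at that statement should state. pam_sm_authenticate starts and ends outside this hunk.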
From: Tomas Mraz Date: Thu, 8 Oct 2009 15:19:41 +0000 Subject: Relevant BUGIDs: Purpose of commit: documentation Commit summary: --------------- 2009-10-08 Tomas Mraz * modules/pam_tty_audit/pam_tty_audit.8.xml: Add notice about aureport add SEE ALSO section. --- modules/pam_tty_audit/pam_tty_audit.8.xml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'modules') diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 7f233dfe..447b8454 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -122,6 +122,10 @@ recommended to use as the first option for most daemons using PAM. + + To view the data that was logged by the kernel to audit use + the command aureport --tty. + @@ -134,6 +138,24 @@ session required pam_tty_audit.so disable=* enable=root + + SEE ALSO + + + aureport8 + , + + pam.conf5 + , + + pam.d5 + , + + pam8 + + + + AUTHOR -- cgit v1.2.3 From 2abb3dfa9a3ec4934217c594b7d3edcb43716a16 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 29 Oct 2009 15:26:50 +0000 Subject: Relevant BUGIDs: rhbz#531530 Purpose of commit: bugfix Commit summary: --------------- 2009-10-29 Tomas Mraz * modules/pam_xauth/Makefile.am: Link with libselinux. * modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call setfscreatecon() if selinux is enabled to create the .xauth file with the right label. Original idea by Dan Walsh. --- modules/pam_xauth/Makefile.am | 2 +- modules/pam_xauth/pam_xauth.c | 45 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 43 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am index 816d50e9..db089adb 100644 --- a/modules/pam_xauth/Makefile.am +++ b/modules/pam_xauth/Makefile.am 
@@ -17,7 +17,7 @@ secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam + -L$(top_builddir)/libpam -lpam @LIBSELINUX@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index bc72a8c1..0a94db4f 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -57,6 +57,12 @@ #include #include +#ifdef WITH_SELINUX +#include +#include +#include +#endif + #define DATANAME "pam_xauth_cookie_file" #define XAUTHENV "XAUTHORITY" #define HOMEENV "HOME" @@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, getuid(), getgid(), xauth, "-f", cookiefile, "nlist", display, NULL) == 0) { + int save_errno; +#ifdef WITH_SELINUX + security_context_t context = NULL; +#endif /* Check that we got a cookie. If not, we get creative. */ if (((cookie == NULL) || (strlen(cookie) == 0)) && ((strncmp(display, "localhost:", 10) == 0) || 
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Generate a new file to hold the data. */ euid = geteuid(); setfsuid(tpwd->pw_uid); - fd = mkstemp(xauthority + strlen(XAUTHENV) + 1); + +#ifdef WITH_SELINUX + if (is_selinux_enabled() > 0) { + struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (ctx != NULL) { + if (selabel_lookup(ctx, &context, + xauthority + sizeof(XAUTHENV), S_IFREG) != 0) { + pam_syslog(pamh, LOG_WARNING, + "could not get SELinux label for '%s'", + xauthority + sizeof(XAUTHENV)); + } + selabel_close(ctx); + if (setfscreatecon(context)) { + pam_syslog(pamh, LOG_WARNING, + "setfscreatecon(%s) failed: %m", context); + } + } + } + fd = mkstemp(xauthority + sizeof(XAUTHENV)); + save_errno = errno; + if (context != NULL) { + free(context); + setfscreatecon(NULL); + } +#else + fd = mkstemp(xauthority + sizeof(XAUTHENV)); + save_errno = errno; +#endif + setfsuid(euid); if (fd == -1) { + errno = save_errno; pam_syslog(pamh, LOG_ERR, "error creating temporary file `%s': %m", - xauthority + strlen(XAUTHENV) + 1); + xauthority + sizeof(XAUTHENV)); retval = PAM_SESSION_ERR; goto cleanup; } @@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Get a copy of the filename to save as a data item for * removal at session-close time. */ free(cookiefile); - cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1); + cookiefile = strdup(xauthority + sizeof(XAUTHENV)); /* Save the filename. */ if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) { -- cgit v1.2.3 From 2d79d6172837d6d458f08e19169b97677593c772 Mon Sep 17 00:00:00 2001 
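Review bot: `context` is filled in by `selabel_lookup()` but released with `free(context)`; libselinux provides `freecon()` for security contexts and that is the call to use here. When `selabel_lookup()` fails, `context` is still NULL, yet `setfscreatecon(context)` runs anyway and its failure message formats that NULL with `%s`; guarding it as `if (context != NULL && setfscreatecon(context))` avoids both. The return value of the reset `setfscreatecon(NULL)` is ignored, so if it failed, files created later by the same process would presumably still get the xauth label; that case deserves at least a LOG_WARNING. pam_sm_open_session starts and ends outside the hunk.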
From: Tomas Mraz Date: Mon, 2 Nov 2009 16:09:07 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2009-11-02 Tomas Mraz * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page. * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to sepermit.conf(5). Drop some redundant text. * modules/pam_sepermit/sepermit.conf.5.xml: New file. * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore option in sepermit.conf. --- modules/pam_sepermit/Makefile.am | 10 +-- modules/pam_sepermit/pam_sepermit.8.xml | 19 ++++-- modules/pam_sepermit/pam_sepermit.c | 22 ++++--- modules/pam_sepermit/sepermit.conf.5.xml | 110 +++++++++++++++++++++++++++++++ 4 files changed, 141 insertions(+), 20 deletions(-) create mode 100644 modules/pam_sepermit/sepermit.conf.5.xml (limited to 'modules') diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index 579e142f..9211a938 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -1,19 +1,19 @@ # # Copyright (c) 2005, 2006, 2007 Thorsten Kukuk -# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008, 2009 Red Hat, Inc. # CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit if HAVE_LIBSELINUX TESTS = tst-pam_sepermit - man_MANS = pam_sepermit.8 + man_MANS = pam_sepermit.8 sepermit.conf.5 endif -XMLS = README.xml pam_sepermit.8.xml +XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -37,7 +37,7 @@ if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_sepermit.la endif if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_sepermit.8 +noinst_DATA = README pam_sepermit.8 sepermit.conf.5 README: pam_sepermit.8.xml -include $(top_srcdir)/Make.xml.rules endif 
diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index 36730721..30d9cc54 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -40,7 +40,7 @@ the pam_sepermit module returns PAM_IGNORE return value. - The config file contains a simple list of user names one per line. If the + The config file contains a list of user names one per line with optional arguments. If the name is prefixed with @ character it means that all users in the group name match. If it is prefixed with a % character the SELinux user is used to match against the name @@ -50,12 +50,11 @@ will return PAM_IGNORE. - Each user name in the configuration file can have optional arguments separated - by : character. The only currently recognized argument is exclusive. - The pam_sepermit module will allow only single concurrent user session for - the user with this argument specified and it will attempt to kill all processes - of the user after logout. + See + sepermit.conf5 + for details. + @@ -167,6 +166,9 @@ session required pam_permit.so SEE ALSO + + sepermit.conf5 + , pam.conf5 , @@ -176,13 +178,16 @@ session required pam_permit.so pam8 + + selinux8 + AUTHOR - pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>. diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 0fd95619..df0a2b1c 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -1,7 +1,7 @@ /****************************************************************************** * A module for Linux-PAM that allows/denies acces based on SELinux state. * - * Copyright (c) 2007, 2008 Red Hat, Inc. + * Copyright (c) 2007, 2008, 2009 Red Hat, Inc. * Originally written by Tomas Mraz * Contributions by Dan Walsh * 
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug) /* return 0 when matched, -1 when unmatched, pam error otherwise */ static int sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, - const char *seuser, int debug, int sense) + const char *seuser, int debug, int *sense) { FILE *f; char *line = NULL; @@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, size_t len = 0; int matched = 0; int exclusive = 0; + int ignore = 0; f = fopen(cfgfile, "r"); @@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, if (debug) pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); if (strcmp(seuser, start) == 0) { - matched = 1; + matched = 1; } break; default: @@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) { if (strcmp(opt, "exclusive") == 0) exclusive = 1; + else if (strcmp(opt, "ignore") == 0) + ignore = 1; else if (debug) { pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt); } @@ -307,10 +310,13 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, free(line); fclose(f); if (matched) { - if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive) - return sepermit_lock(pamh, user, debug); - else - return 0; + if (*sense == PAM_SUCCESS) { + if (ignore) + *sense = PAM_IGNORE; + if (geteuid() == 0 && exclusive) + return sepermit_lock(pamh, user, debug); + } + return 0; } else return -1; @@ -365,7 +371,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, if (debug && sense != PAM_SUCCESS) pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match"); - rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense); + rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense); if (debug) pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv); 
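Review bot: The comment above sepermit_match still reads "return 0 when matched, -1 when unmatched, pam error otherwise", although `sense` is now an in/out parameter that the function may rewrite. I would extend it to `/* return 0 when matched, -1 when unmatched, pam error otherwise; on a match *sense may be changed to PAM_IGNORE (option "ignore") */`. `exclusive` and `ignore` are declared once at function scope and the loop that sets them lies outside these hunks, so it is worth confirming that options parsed from a non-matching line cannot carry over to the line that finally matches.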
diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml new file mode 100644 index 00000000..511480f6 --- /dev/null +++ b/modules/pam_sepermit/sepermit.conf.5.xml @@ -0,0 +1,110 @@ + + + + + + + sepermit.conf + 5 + Linux-PAM Manual + + + + sepermit.conf + configuration file for the pam_sepermit module + + + + DESCRIPTION + + The lines of the configuration file have the following syntax: + + + <user>[:<option>:<option>...] + + + The user can be specified in the following manner: + + + + + a username + + + + + a groupname, with @group syntax. + This should not be confused with netgroups. + + + + + a SELinux user name with %seuser syntax. + + + + + + The recognized options are: + + + + + + + + Only single login session will be allowed for the user + and the user's processes will be killed on logout. + + + + + + + + The module will never return PAM_SUCCESS status for the user. + It will return PAM_IGNORE if SELinux is in the enforcing mode, + and PAM_AUTH_ERR otherwise. It is useful if you want to support + passwordless guest users and other confined users with passwords + simultaneously. + + + + + + + The lines which start with # character are comments and are ignored. + + + + + EXAMPLES + + These are some example lines which might be specified in + /etc/security/sepermit.conf. + + +%guest_u:exclusive +%staff_u:ignore +%user_u:ignore + + + + + SEE ALSO + + pam_sepermit8, + pam.d5, + pam8, + selinux8, + + + + + AUTHOR + + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com> + + + -- cgit v1.2.3 From cf360646cafc2f84d7a601d9681555c4d43e713b Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 4 Nov 2009 14:07:44 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- Add new manual page. --- modules/pam_sepermit/.cvsignore | 1 + 1 file changed, 1 insertion(+) (limited to 'modules') 
diff --git a/modules/pam_sepermit/.cvsignore b/modules/pam_sepermit/.cvsignore index 258e7207..47f494cc 100644 --- a/modules/pam_sepermit/.cvsignore +++ b/modules/pam_sepermit/.cvsignore @@ -8,3 +8,4 @@ Makefile Makefile.in README pam_sepermit.8 +sepermit.conf.5 -- cgit v1.2.3 From 0674700d17431655b4be03de6119ada78164266b Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 10 Nov 2009 15:52:20 +0000 Subject: Relevant BUGIDs: Purpose of commit: regression fix Commit summary: --------------- 2009-11-10 Thorsten Kukuk * doc/man/pam_get_authtok.3.xml: Document pam_get_authtok_noverify and pam_get_authtok_verify. * libpam/Makefile.am (libpam_la_LDFLAGS): Bump revesion of libpam. * libpam/pam_get_authtok.c (pam_get_authtok_internal): Renamed from pam_get_authtok, add flags argument, always check return values. * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Use pam_get_authtok_noverify and pam_get_authtok_verify. * libpam/include/security/pam_ext.h: Add prototypes for pam_get_authtok_noverify and pam_get_authtok_verify. * libpam/libpam.map: Add new pam_get_authtok_* functions. --- modules/pam_cracklib/pam_cracklib.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index cf383b2c..2e911261 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -639,9 +639,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, * set PAM_AUTHTOK and return */ - retval = pam_get_authtok (pamh, PAM_AUTHTOK, &newtoken, NULL); + retval = pam_get_authtok_noverify (pamh, &newtoken, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "pam_get_authtok returned error: %s", + pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s", pam_strerror (pamh, retval)); continue; } else if (newtoken == NULL) { /* user aborted password change, quit */ 
@@ -676,6 +676,17 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, continue; } } + + retval = pam_get_authtok_verify (pamh, &newtoken, NULL); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s", + pam_strerror (pamh, retval)); + pam_set_item(pamh, PAM_AUTHTOK, NULL); + continue; + } else if (newtoken == NULL) { /* user aborted password change, quit */ + return PAM_AUTHTOK_ERR; + } + return PAM_SUCCESS; } -- cgit v1.2.3 From e8e780f7a3911f8ad9d96268d669ed7943e93f4f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 18 Nov 2009 16:06:53 +0000 Subject: Relevant BUGIDs: 2892189 Purpose of commit: bugfix Commit summary: --------------- 2009-11-18 Tomas Mraz * modules/pam_access/pam_access.c(user_match): Revert the netgroup match to the original behavior, add new syntax for adding the local hostname. * modules/pam_access/access.conf.5.xml: Document the new syntax for adding the local hostname to the netgroup match. --- modules/pam_access/access.conf.5.xml | 7 ++++++- modules/pam_access/pam_access.c | 11 ++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 1b629afc..a4d3419b 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -74,7 +74,12 @@ not set and <origin> field is thus set from PAM_TTY or PAM_SERVICE". If supported by the system you can use - @netgroupname in host or user patterns. + @netgroupname in host or user patterns. The + @@netgroupname syntax is supported in the user + pattern only and it makes the local system hostname to be passed + to the netgroup match call in addition to the user name. This might not + work correctly on some libc implementations causing the match to + always fail. diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 963ce528..e9f0caa3 100644 
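Review bot: In the second pam_cracklib.c hunk (pam_sm_chauthtok), the abort branch `else if (newtoken == NULL)` returns PAM_AUTHTOK_ERR without clearing PAM_AUTHTOK, while the error branch just above it calls `pam_set_item(pamh, PAM_AUTHTOK, NULL)` first. pam_get_authtok_verify is not visible here, so it is an assumption that the item can still hold the unconfirmed candidate at that point; if it can, a later module in the stack could read a password the user never confirmed. Clearing it on both paths keeps them consistent: `pam_set_item(pamh, PAM_AUTHTOK, NULL);` before `return PAM_AUTHTOK_ERR;`. The enclosing loop and the rest of pam_sm_chauthtok lie outside the hunk.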
--- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -529,9 +529,14 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') { /* netgroup */ - if (item->hostname == NULL) - return NO; - return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug)); + const char *hostname = NULL; + if (tok[1] == '@') { /* add hostname to netgroup match */ + if (item->hostname == NULL) + return NO; + ++tok; + hostname = item->hostname; + } + return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') return (group_match (pamh, tok, string, item->debug)); else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ -- cgit v1.2.3 From e600e04072e7fe89168209b813f953985350159e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 19 Nov 2009 10:43:23 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2009-11-19 Tomas Mraz * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Return PAM_AUTH_ERR from the module if sepermit_lock() fails. --- modules/pam_sepermit/pam_sepermit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index df0a2b1c..8b2360b5 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -314,7 +314,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, if (ignore) *sense = PAM_IGNORE; if (geteuid() == 0 && exclusive) - return sepermit_lock(pamh, user, debug); + if (sepermit_lock(pamh, user, debug) < 0) + *sense = PAM_AUTH_ERR; } return 0; } -- cgit v1.2.3 From 7f002afe63c0ae06bf011d6cc83fb2c0dcc6f373 Mon Sep 17 00:00:00 2001 
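Review bot: The `hostname = NULL` default in the netgroup branch of user_match needs a comment, because it decides how widely an access rule matches: a plain `@netgroup` user pattern now reaches netgroup_match with no host, and only `@@netgroup` passes item->hostname. netgroup_match is outside the hunk, so whether a NULL host acts as a wildcard there should be confirmed; if it does, say so, e.g. `/* NULL host: match the user in the netgroup on any host; "@@name" ties the match to the local hostname */`. A token that is exactly `@` or `@@` also reaches netgroup_match with an empty group name, which `if (tok[1] == '\0') return NO;` just before the call would reject explicitly. user_match begins and continues outside the hunk.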
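Review bot: In the pam_sepermit.c hunk, the added `if (sepermit_lock(pamh, user, debug) < 0)` is nested under `if (geteuid() == 0 && exclusive)` with no braces on either level, so a later `else` or second statement in this authentication path would bind differently from what the indentation suggests. Folding the conditions states the intent directly: `if (geteuid() == 0 && exclusive && sepermit_lock(pamh, user, debug) < 0)` followed by `*sense = PAM_AUTH_ERR;`. The visible path still ends in `return 0` after a lock failure, so the failure reaches the caller only through `*sense`; a one-line comment saying so would help the next reader. sepermit_match starts outside the hunk.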
From: Tomas Mraz Date: Tue, 8 Dec 2009 09:06:46 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2009-12-08 Tomas Mraz * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Remove unused function and variable. --- modules/pam_listfile/pam_listfile.c | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'modules') diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index f7ed9a40..3768aa72 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -39,17 +39,6 @@ #include #include -/* checks if a user is on a list of members */ -static int is_on_list(char * const *list, const char *member) -{ - while (*list) { - if (strcmp(*list, member) == 0) - return 1; - list++; - } - return 0; -} - /* --- authentication management functions (only) --- */ /* Extended Items that are not directly available via pam_get_item() */ @@ -81,7 +70,6 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* Stuff for "extended" items */ struct passwd *userinfo; - struct group *grpinfo; apply_type=APPLY_TYPE_NULL; memset(apply_val,0,sizeof(apply_val)); -- cgit v1.2.3 From 17c4c04115c7de3f5884ebdc562b0912bbd1b736 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 8 Dec 2009 09:15:51 +0000 Subject: Relevant BUGIDs: rhbz#545053 Purpose of commit: new feature Commit summary: --------------- 2009-12-08 Tomas Mraz * modules/pam_unix/passverify.c(unix_update_shadow): Create a shadow entry if not present in the file. --- modules/pam_unix/passverify.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 489e8560..d175dfa5 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c 
@@ -839,19 +839,16 @@ done: PAMH_ARG_DECL(int unix_update_shadow, const char *forwho, char *towhat) { - struct spwd *spwdent = NULL, *stmpent = NULL; + struct spwd spwdent, *stmpent = NULL; struct stat st; FILE *pwfile, *opwfile; - int err = 1; + int err = 0; int oldmask; + int wroteentry = 0; #ifdef WITH_SELINUX security_context_t prev_context=NULL; #endif - spwdent = getspnam(forwho); - if (spwdent == NULL) { - return PAM_USER_UNKNOWN; - } oldmask = umask(077); #ifdef WITH_SELINUX @@ -912,7 +909,7 @@ PAMH_ARG_DECL(int unix_update_shadow, if (!strcmp(stmpent->sp_namp, forwho)) { stmpent->sp_pwdp = towhat; stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); - err = 0; + wroteentry = 1; D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); } @@ -924,8 +921,22 @@ PAMH_ARG_DECL(int unix_update_shadow, stmpent = fgetspent(opwfile); } + fclose(opwfile); + if (!wroteentry && !err) { + spwdent.sp_namp = forwho; + spwdent.sp_pwdp = towhat; + spwdent.sp_lstchg = time(NULL) / (60 * 60 * 24); + spwdent.sp_min = spwdent.sp_max = spwdent.sp_warn = spwdent.sp_inact = + spwdent.sp_expire = -1; + spwdent.sp_flag = (unsigned long)-1l; + if (putspent(&spwdent, pwfile)) { + D(("error writing entry to shadow file: %m")); + err = 1; + } + } + if (fflush(pwfile) || fsync(fileno(pwfile))) { D(("fflush or fsync error writing entries to shadow file: %m")); err = 1; -- cgit v1.2.3 From a728c0f63e15c18ef599e599e4e46456b624abda Mon Sep 17 00:00:00 2001 
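Review bot: With the getspnam() lookup removed in the first passverify.c hunk, the append path added in the third hunk writes a shadow entry for whatever name arrives in forwho, so unix_update_shadow no longer rejects unknown users itself. Unless every caller has already validated the account, a name that does not exist, or one containing `:` or a newline, is handed to putspent() as given. A guard before the append, for example `if (getpwnam(forwho) == NULL) err = 1;`, keeps the function fail-closed. `spwdent.sp_namp = forwho;` also drops the const qualifier of forwho and needs a cast or a copy. The function body extends beyond these hunks.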
From: Thorsten Kukuk Date: Tue, 8 Dec 2009 14:41:40 +0000 Subject: Relevant BUGIDs: 2892529 Purpose of commit: bugfix Commit summary: --------------- 2009-12-08 Thorsten Kukuk * configure.in: Rename DEBUG to PAM_DEBUG. * libpam/pam_env.c: Likewise * libpam/pam_handlers.c: Likewise * libpam/pam_miscc.c: Likewise * libpam/pam_password.c: Likewise * libpam/include/security/_pam_macros.h: Likewise * libpamc/test/modules/pam_secret.c: Likewise * modules/pam_group/pam_group.c: Likewise * modules/pam_listfile/pam_listfile.c: Likewise * modules/pam_unix/pam_unix_auth.c: Likewise * modules/pam_unix/pam_unix_passwd.c: Likewise --- modules/pam_group/pam_group.c | 6 +++--- modules/pam_listfile/pam_listfile.c | 18 +++++++++--------- modules/pam_unix/pam_unix_auth.c | 2 -- modules/pam_unix/pam_unix_passwd.c | 2 +- 4 files changed, 13 insertions(+), 15 deletions(-) (limited to 'modules') diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index 4a931c4f..3dc7f78e 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -605,7 +605,7 @@ static int check_account(pam_handle_t *pamh, const char *service, no_grps = 0; _pam_drop(grps); } -#ifdef DEBUG +#ifdef PAM_DEBUG { int z; for (z=0; z 0) { -#ifdef DEBUG +#ifdef PAM_DEBUG int err; #endif D(("trying to set %d groups", no_grps)); -#ifdef DEBUG +#ifdef PAM_DEBUG for (err=0; err #include -#ifdef DEBUG +#ifdef PAM_DEBUG #include #endif 
@@ -199,23 +199,23 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, if(apply_type==APPLY_TYPE_USER) { if(strcmp(user_name, apply_val)) { /* Does not apply to this user */ -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_DEBUG, "don't apply: apply=%s, user=%s", apply_val,user_name); -#endif /* DEBUG */ +#endif /* PAM_DEBUG */ free(ifname); return PAM_IGNORE; } } else if(apply_type==APPLY_TYPE_GROUP) { if(!pam_modutil_user_in_group_nam_nam(pamh,user_name,apply_val)) { /* Not a member of apply= group */ -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_DEBUG, "don't apply: %s not a member of group %s", user_name,apply_val); -#endif /* DEBUG */ +#endif /* PAM_DEBUG */ free(ifname); return PAM_IGNORE; } @@ -276,7 +276,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return onerr; } } -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_INFO, "Got file = %s, item = %d, value = %s, sense = %d", @@ -312,7 +312,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, retval=PAM_AUTH_ERR; /* This loop assumes that PAM_SUCCESS == 0 and PAM_AUTH_ERR != 0 */ -#ifdef DEBUG +#ifdef PAM_DEBUG assert(PAM_SUCCESS == 0); assert(PAM_AUTH_ERR != 0); #endif @@ -343,7 +343,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, fclose(inf); free(ifname); if ((sense && retval) || (!sense && !retval)) { -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_INFO, "Returning PAM_SUCCESS, retval = %d", retval); #endif @@ -352,7 +352,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, else { const void *service; const char *user_name; -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_INFO, "Returning PAM_AUTH_ERR, retval = %d", retval); #endif diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 05b5ec6c..c2f79b10 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c 
@@ -35,8 +35,6 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* #define DEBUG */ - #include "config.h" #include diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 2792a4d5..1d70a7c2 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -385,7 +385,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, _("NIS password could not be changed.")); retval = PAM_TRY_AGAIN; } -#ifdef DEBUG +#ifdef PAM_DEBUG sleep(5); #endif } else { -- cgit v1.2.3