2018-05-18  Thorsten Kukuk

	Release version 1.3.1.

	Add xz compression.

2018-05-16  Allison Karlitskaya

	pam_motd: add support for a motd.d directory (#48)
	Add a new feature to pam_motd to allow packages to install their own message files in a "motd.d" directory, to be displayed after the primary motd.
	Add an option motd_d= to specify the location of this directory.
	Modify the defaults, in the case where no options are given, to display both /etc/motd and /etc/motd.d.
	Fixes #47
	* modules/pam_motd/pam_motd.c: add support for motd.d
	* modules/pam_motd/pam_motd.8.xml: update the manpage

2018-05-02  Tomas Mraz

	pam_umask: Fix documentation to align with order of loading umask.
	* modules/pam_umask/pam_umask.8.xml: Document the real order of loading umask.

2018-04-10  Joey Chagnon

	Fix missing word in documentation.
	* doc/man/pam_get_user.3.xml: Fix it.

2017-11-10  Dmitry V. Levin

	pam_tally2 --reset: avoid creating a missing tallylog file.
	There is no need for pam_tally2 in --reset=0 mode to create a missing tallylog file because its absence has the same meaning as its existence with the appropriate entry reset.
	This was not a big deal until useradd(8) from shadow suite release 4.5 started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM configuration.
	The positive effect of this change is noticeable when using tools like cpio(1) that cannot archive huge sparse files efficiently.
	* modules/pam_tally2/pam_tally2.c [MAIN] (main): Stat cline_filename when cline_reset == 0, exit early if the file is missing.

2017-11-10  Tomas Mraz

	pam_mkhomedir: Allow creating parent of homedir under /
	* modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not skip creating the directory if we are under /.

2017-10-09  Tomas Mraz

	pam_tty_audit: Fix regression introduced by adding the uid range support.
	* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and remove unneeded code carried from pam_limits.
	(pam_sm_open_session): When multiple enable/disable options are present do not stop after first match.

2017-09-06  Tomas Mraz

	pam_access: Add note about spaces around ':' in access.conf(5)
	* modules/pam_access/access.conf.5.xml: Add note about spaces around ':'

	Workaround formatting problem in pam(8)
	* doc/man/pam.8.xml: Workaround formatting problem.

2017-07-12  Peter Urbanec

	pam_unix: Check return value of malloc used for setcred data (#24)
	Check the return value of malloc and if it failed print debug info, send a syslog message and return an error code.
	The test in AUTH_RETURN for ret_data not being NULL becomes redundant.

2017-07-10  Tomas Mraz

	pam_cracklib: Drop unused prompt macros.
	* modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.

2017-06-28  Tomas Mraz

	pam_tty_audit: Support matching users by uid range.
	* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to parse the uid range.
	(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
	* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.

2017-05-31  Tomas Mraz

	pam_access: support parsing files in /etc/security/access.d/*.conf.
	* modules/pam_access/pam_access.c (login_access): Return NOMATCH if there was no match in the parsed file.
	(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB subdirectory and call login_access() on the individual files matched.
	* modules/pam_access/pam_access.8.xml: Document the addition.
	* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.

2017-04-11  Tomas Mraz

	pam_localuser: Correct the example in documentation.
	* modules/pam_localuser/pam_localuser.8.xml: The example configuration does something different.

	pam_localuser: Correct documentation of return value.
	* modules/pam_localuser/pam_localuser.8.xml: The module returns PAM_PERM_DENIED when the user is not listed.

2017-03-10  Saul Johnson

	Make maxclassrepeat=1 behavior consistent with docs (#9)
	* modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.

2017-02-09  Josef Moellers

	Properly test for strtol() failure to find any digits.
	* modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set to beginning and not NULL.

2017-01-19  Daniel Abrecht

	pam_exec: fix a potential null pointer dereference.
	Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS but the response is set to NULL.
	* modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa with a null pointer.
	Closes: https://github.com/linux-pam/linux-pam/pull/2

2016-12-07  Antonio Ospite

	Add missing comma in the limits.conf.5 manpage.
	* modules/pam_limits/limits.conf.5.xml: add a missing comma

2016-11-14  Tomas Mraz

	Regular links doesn't work with -no-numbering -no-references.
	* configure.ac: Use elinks instead of links.

2016-11-01  Tomas Mraz

	pam_access: First check for the (group) match.
	The (group) match is performed first to allow for groups containing '@'.
	* modules/pam_access/pam_access.c (user_match): First check for the (group) match.

2016-10-17  Tomas Mraz

	pam_ftp: Properly use the first name from the supplied list.
	* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list of anonymous users if user name matches.
	(pam_sm_authenticate): Free the returned value allocated in lookup().

2016-09-12  Bartos-Elekes Zsolt

	pam_issue: Fix no prompting in parse escape codes mode.
	* modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().

2016-06-30  Maxin B. John

	xtests: remove bash dependency.
	There are no bash specific syntax in the xtest scripts. So, remove the bash dependency.

2016-06-30  Tomas Mraz

	Unification and cleanup of syslog log levels.
	* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
	* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors with LOG_ERR.
	* modules/pam_limits/pam_limits.c: User login limit messages are syslogged with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with LOG_ERR.
	* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged with LOG_NOTICE.
	* modules/pam_namespace/pam_namespace.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_nologin/pam_nologin.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR.
	* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged with LOG_NOTICE, non-memory errors with LOG_ERR.
	* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures LOG_CRIT.
	* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR.
	* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
	* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and max retries ignorance by application likewise.
	* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
	* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged with LOG_NOTICE.
	* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.

2016-06-15  Dmitry V. Levin

	pam_timestamp: fix typo in strncmp usage.
	Before this fix, a typo in check_login_time resulted to ruser and struct utmp.ut_user being compared by the first character only, which in turn could lead to a too low timestamp value being assigned to oldest_login, effectively causing bypass of check_login_time.
	* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo in strncmp usage.
	Patch-by: Anton V. Boyarshinov

2016-05-30  Tomas Mraz

	Correct the examples in pam_fail_delay(3) man page.
	doc/man/pam_fail_delay.3.xml: Correct the examples.

2016-05-11  Tomas Mraz

	Remove spaces in examples for access.conf.
	The spaces are ignored only with the default listsep. To remove confusion if non-default listsep is used they are removed from the examples.
	* modules/pam_access/access.conf: Remove all spaces around ':' in examples.
	* modules/pam_access/access.conf.5.xml: Likewise.

2016-05-05  Mike Frysinger

	build: avoid non-portable == with "test" (ticket #60)
	POSIX says test only accepts =. Some shells (including bash) accept ==, but we should still stick to = for portability.
	* configure.ac: Replace == with = in "test" invocations.

2016-04-28  Thorsten Kukuk

	Release version 1.3.0.
	* NEWS: add changes for 1.3.0.
	* configure.ac: bump version number.
	* libpam/Makefile.am: bump revision of libpam.so version.

2016-04-28  Tomas Mraz

	Updated translations from Zanata.
	* po/*.po: Updated translations from Zanata.

2016-04-19  Tomas Mraz

	pam_wheel: Correct the documentation of the root_only option.
	* modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the root_only option.

	pam_unix: Document that MD5 password hash is used to store old passwords.
	modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used to store the old passwords when remember option is set.

2016-04-14  Tomas Mraz

	Project registered at Zanata (fedora.zanata.org) for translations.
	* zanata.xml: Configuration file for zanata client.
	* po/LINGUAS: Update languages as supported by Zanata.
	* po/Linux-PAM.pot: Updated from sources.
	* po/*.po: Updated from sources.

2016-04-06  Tomas Mraz

	pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.
	We have to drop support for not_set_pass option which is not much useful anyway. Instead we get proper support for authtok_type option.
	* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_type option.
	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_password() call with equivalent pam_get_authtok() call.
	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop support for not_set_pass.
	* modules/pam_unix/support.c (_unix_read_password): Remove.
	* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.

	pam_get_authtok(): Add authtok_type support to current password prompt.
	* libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password, use different prompt for current password allowing for authtok_type to be displayed to the user.

2016-04-04  Tomas Mraz

	pam_unix: Make password expiration messages more user-friendly.
	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password expiration messages more user-friendly.

2016-04-04  Thorsten Kukuk

	innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it.
	[ticket#46]
	* modules/pam_group/pam_group.c: ditto
	* modules/pam_succeed_if/pam_succeed_if.c: ditto
	* modules/pam_time/pam_time.c: ditto

	build: fix build when crypt() is not part of crypt_libs [ticket#46]
	* configure.ac: Don't set empty -l option in crypt check

	build: use $host_cpu for lib64 directory handling [ticket#46]
	* configure.ac: use $host_cpu for lib64 directory handling.

2016-04-01  Dmitry V. Levin

	Fix whitespace issues.
	Remove blank lines at EOF introduced by commit a684595c0bbd88df71285f43fb27630e3829121e, making the project free of warnings reported by
	git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
	* libpam/pam_dynamic.c: Remove blank line at EOF.
	* modules/pam_echo/pam_echo.c: Likewise.
	* modules/pam_keyinit/pam_keyinit.c: Likewise.
	* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
	* modules/pam_rhosts/pam_rhosts.c: Likewise.
	* modules/pam_sepermit/pam_sepermit.c: Likewise.
	* modules/pam_stress/pam_stress.c: Likewise.

2016-04-01  Thorsten Kukuk

	Use TI-RPC functions if we compile and link against libtirpc.
	The old SunRPC functions don't work with IPv6.
	* configure.ac: Set and restore CPPFLAGS
	* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with rpcb_getaddr if available.

2016-03-29  Thorsten Kukuk

	PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it.
	* libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility

	Remove "--enable-static-modules" option and support from Linux-PAM.
	It was never official supported and was broken since years.
	* configure.ac: Remove --enable-static-modules option.
	* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
	* doc/man/pam_sm_authenticate.3.xml: Likewise.
	* doc/man/pam_sm_chauthtok.3.xml: Likewise.
	* doc/man/pam_sm_close_session.3.xml: Likewise.
	* doc/man/pam_sm_open_session.3.xml: Likewise.
	* doc/man/pam_sm_setcred.3.xml: Likewise.
	* libpam/Makefile.am: Remove STATIC_MODULES cases.
	* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
	* libpam/pam_dynamic.c: Likewise.
	* libpam/pam_handlers.c: Likewise.
	* libpam/pam_private.h: Likewise.
	* libpam/pam_static.c: Remove file.
	* libpam/pam_static_modules.h: Remove header file.
	* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
	* modules/pam_cracklib/pam_cracklib.c: Likewise.
	* modules/pam_debug/pam_debug.c: Likewise.
	* modules/pam_deny/pam_deny.c: Likewise.
	* modules/pam_echo/pam_echo.c: Likewise.
	* modules/pam_env/pam_env.c: Likewise.
	* modules/pam_exec/pam_exec.c: Likewise.
	* modules/pam_faildelay/pam_faildelay.c: Likewise.
	* modules/pam_filter/pam_filter.c: Likewise.
	* modules/pam_ftp/pam_ftp.c: Likewise.
	* modules/pam_group/pam_group.c: Likewise.
	* modules/pam_issue/pam_issue.c: Likewise.
	* modules/pam_keyinit/pam_keyinit.c: Likewise.
	* modules/pam_lastlog/pam_lastlog.c: Likewise.
	* modules/pam_limits/pam_limits.c: Likewise.
	* modules/pam_listfile/pam_listfile.c: Likewise.
	* modules/pam_localuser/pam_localuser.c: Likewise.
	* modules/pam_loginuid/pam_loginuid.c: Likewise.
	* modules/pam_mail/pam_mail.c: Likewise.
	* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
	* modules/pam_motd/pam_motd.c: Likewise.
	* modules/pam_namespace/pam_namespace.c: Likewise.
	* modules/pam_nologin/pam_nologin.c: Likewise.
	* modules/pam_permit/pam_permit.c: Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
	* modules/pam_rhosts/pam_rhosts.c: Likewise.
	* modules/pam_rootok/pam_rootok.c: Likewise.
	* modules/pam_securetty/pam_securetty.c: Likewise.
	* modules/pam_selinux/pam_selinux.c: Likewise.
	* modules/pam_sepermit/pam_sepermit.c: Likewise.
	* modules/pam_shells/pam_shells.c: Likewise.
	* modules/pam_stress/pam_stress.c: Likewise.
	* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
	* modules/pam_tally/pam_tally.c: Likewise.
	* modules/pam_tally2/pam_tally2.c: Likewise.
	* modules/pam_time/pam_time.c: Likewise.
	* modules/pam_timestamp/pam_timestamp.c: Likewise.
	* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
	* modules/pam_umask/pam_umask.c: Likewise.
	* modules/pam_userdb/pam_userdb.c: Likewise.
	* modules/pam_warn/pam_warn.c: Likewise.
	* modules/pam_wheel/pam_wheel.c: Likewise.
	* modules/pam_xauth/pam_xauth.c: Likewise.
	* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
	* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
	* modules/pam_unix/pam_unix_auth.c: Likewise.
	* modules/pam_unix/pam_unix_passwd.c: Likewise.
	* modules/pam_unix/pam_unix_sess.c: Likewise.
	* modules/pam_unix/pam_unix_static.c: Removed.
	* modules/pam_unix/pam_unix_static.h: Removed.
	* po/POTFILES.in: Remove removed files.
	* tests/tst-dlopen.c: Remove PAM_STATIC part.

2016-03-24  Thorsten Kukuk

	Fix check for libtirpc and enhance check for libnsl to include new libnsl.
	* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
	* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*

2016-03-23  Thorsten Kukuk

	Remove YP dependencies from pam_access, they were never used and such not needed.
	* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
	* modules/pam_access/pam_access.c: Remove yp_get_default_domain case, it will never be used.

2016-03-04  Tomas Mraz

	Add checks for localtime() returning NULL.
	* modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r returning NULL.
	* modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning NULL.

	pam_unix: Silence warnings and fix a minor bug.
	Fixes a minor bug in behavior when is_selinux_enabled() returned negative value.
	* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
	(unix_update_shadow): Safe cast forwho to non-const char *.
	* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.

2016-02-17  Tomas Mraz

	pam_env: Document the /etc/environment file.
	* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
	* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
	* modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.

	pam_unix: Add no_pass_expiry option to ignore password expiration.
	* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data.
	(pam_sm_setcred): Test for likeauth option and use the return value data only if set.
	* modules/pam_unix/support.h: Add the no_pass_expiry option.

2016-01-25  Tomas Mraz

	pam_unix: Change the salt length for new hashes to 16 characters.
	* modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.

2015-12-17  Tomas Mraz

	Relax the conditions for fatal failure on auditing.
	The PAM library calls will not fail anymore for any uid if the return value from the libaudit call is -EPERM.
	* libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.

2015-12-16  Tomas Mraz

	pam_tally2: Optionally log the tally count when checking.
	* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
	(tally_check): Always log the tally count with debug option.

2015-10-02  Jakub Hrozek

	Docfix: pam handle is const in pam_syslog() and pam_vsyslog()
	* doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().

2015-09-24  Tomas Mraz

	pam_loginuid: Add syslog message if required auditd is not detected.
	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message if required auditd is not detected.

2015-09-04  Tomas Mraz

	Allow links to be used instead of w3m for documentation regeneration.
	* configure.ac: If w3m is not found check for links.

	Add missing space in pam_misc_setenv man page.
	* doc/man/pam_misc_setenv.3.xml: Add a missing space.

2015-08-12  Tomas Mraz

	pam_rootok: use rootok permission instead of passwd permission in SELinux check.
	* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of passwd permission.

2015-08-05  Amarnath Valluri

	pam_timestamp: Avoid leaking file descriptor.
	* modules/pam_timestamp/hmacsha1.c (hmac_key_create): close 'keyfd' when failed to own it.

2015-06-22  Thorsten Kukuk

	Release version 1.2.1.
	Security fix: CVE-2015-3238
	If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity.
	With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
	* NEWS: Update
	* configure.ac: Bump version
	* modules/pam_exec/pam_exec.8.xml: document limitation of password length
	* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
	* modules/pam_unix/pam_unix.8.xml: document limitation of password length
	* modules/pam_unix/pam_unix_passwd.c: limit password length
	* modules/pam_unix/passverify.c: Likewise
	* modules/pam_unix/passverify.h: Likewise
	* modules/pam_unix/support.c: Likewise

2015-04-27  Thorsten Kukuk

	Update NEWS file.

	Release version 1.2.0.
	* NEWS: Update
	* configure.ac: Bump version
	* libpam/Makefile.am: Bump version of libpam
	* libpam_misc/Makefile.am: Bump version of libpam_misc
	* po/*: Regenerate po files

	Fix some grammatical errors in documentation. Patch by Louis Sautier.
	* doc/adg/Linux-PAM_ADG.xml: Fix grammatical errors.
	* doc/man/pam.3.xml: Likewise.
	* doc/man/pam_acct_mgmt.3.xml: Likewise.
	* doc/man/pam_chauthtok.3.xml: Likewise.
	* doc/man/pam_sm_chauthtok.3.xml: Likewise.
	* modules/pam_limits/limits.conf.5.xml: Likewise.
	* modules/pam_mail/pam_mail.8.xml: Likewise.
	* modules/pam_rhosts/pam_rhosts.c: Likewise.
	* modules/pam_shells/pam_shells.8.xml: Likewise.
	* modules/pam_tally/pam_tally.8.xml: Likewise.
	* modules/pam_tally2/pam_tally2.8.xml: Likewise.
	* modules/pam_unix/pam_unix.8.xml: Likewise.

2015-04-23  Thorsten Kukuk

	Add "quiet" option to pam_unix to suppress informational info messages from session.
	* modules/pam_unix/pam_unix.8.xml: Document new option.
	* modules/pam_unix/support.h: Add quiet option.
	* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if 'quiet' option is set.

2015-04-07  Tomas Mraz

	Use crypt_r if available in pam_userdb and in pam_unix.
	* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() instead of crypt() if available.
	* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() instead of crypt() if available.

2015-03-25  Thorsten Kukuk

	Support alternative "vendor configuration" files as fallback to /etc (Ticket#34, patch from ay Sievers)
	* doc/man/pam.8.xml: document additional config directory
	* libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
	* libpam/pam_private.h: adjust defines

	pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)
	* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
	* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
	* modules/pam_env/pam_env.8.xml: Enhance documentation

2015-03-24  Thorsten Kukuk

	Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39)
	* modules/pam_access/access.conf.5.xml
	* modules/pam_access/pam_access.8.xml

	Don't use sudo directory, the timestamp format is different (Ticket#32)
	* modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.

	Enhance group.conf examples (Ticket#35)
	* modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.

	Document timestampdir option (Ticket#33)
	* modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.

	Adjust documentation (Ticket#36)
	* libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
	* doc/man/pam_fail_delay.3.xml: Change 25% to 50%

2015-02-18  Tomas Mraz

	Updated translations from Transifex.
	* po/*.po: Updated translations from Transifex.

2015-01-07  Dmitry V. Levin

	build: raise gettext version requirement.
	Raise gettext requirement to the latest oldstable version 0.18.3.
	This fixes the following automake warning:
	configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
	configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
	configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
	* configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
	* po/Makevars: Update from gettext-0.18.3.

2015-01-07  Ronny Chevalier

	build: adjust automake warning flags.
	Enable all automake warning flags except for the portability issues, since non portable features are used among the makefiles.
	* configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.

2015-01-07  Dmitry V. Levin

	build: rename configure.in to configure.ac.
	This fixes the following automake warning:
	aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
	* configure.in: Rename to configure.ac.

	Remove unmodified GNU gettext files installed by autopoint.
	These files are part of GNU gettext; we have not modified them, they are installed by autopoint which is called by autoreconf, so they had to be removed from this repository along with ABOUT-NLS, config.rpath, and mkinstalldirs files that were removed by commit Linux-PAM-1_1_5-7-g542ec8b.
	* po/Makefile.in.in: Remove.
	* po/Rules-quot: Likewise.
	* po/boldquot.sed: Likewise.
	* po/en@boldquot.header: Likewise.
	* po/en@quot.header: Likewise.
	* po/insert-header.sin: Likewise.
	* po/quot.sed: Likewise.
	* po/remove-potcdate.sin: Likewise.
	* po/.gitignore: Ignore these files.

2015-01-06  Ronny Chevalier

	Update .gitignore.
	* .gitignore: Ignore *.log and *.trs files.

2015-01-02  Luke Shumaker

	libpam: Only print "Password change aborted" when it's true.
	pam_get_authtok() may be used any time that a password needs to be entered, unlike pam_get_authtok_{no,}verify(), which may only be used when changing a password; yet when the user aborts, it prints "Password change aborted." whether or not that was the operation being performed.
	This bug was non-obvious because none of the modules distributed with Linux-PAM use it for anything but changing passwords; pam_unix has its own utility function that it uses instead. As an example, the nss-pam-ldapd package uses it in pam_sm_authenticate().
	libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the password is trying to be changed before printing a message about the password change being aborted.

2014-12-10  Dmitry V. Levin

	build: extend cross compiling check to cover CPPFLAGS (ticket #21)
	Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS, and BUILD_LDFLAGS variables introduced earlier to override CC, CFLAGS, and LDFLAGS, respectively.
	* configure.in (BUILD_CPPFLAGS): Define.
	* doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.

2014-12-09  Dmitry V. Levin

	Do not use yywrap (ticket #42)
	Our scanners do not really use yywrap. Explicitly disable yywrap so that no references to yywrap will be generated and no LEXLIB would be needed.
	* conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
	* conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
	* doc/specs/Makefile.am (padout_LDADD): Remove.
	* doc/specs/parse_l.l: Enable noyywrap option.

2014-12-09  Kyle Manna

	doc: fix a trivial typo in pam_authenticate return values (ticket #38)
	* doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.

2014-12-09  Ronny Chevalier

	doc: fix typo in pam_authenticate.3.xml.
	* doc/man/pam_authenticate.3.xml: Fix typo.

2014-10-17  Tomas Mraz

	pam_succeed_if: Fix copy&paste error in rhost and tty values.
	modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST and PAM_TTY properly for the rhost and tty values.

	pam_succeed_if: Use long long type for numeric values.
	The currently used long with additional conversion to int is too small for uids and gids.
	modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace strtol() with strtoll() and int with long long in the parameters of comparison functions.

2014-09-05  Tomas Mraz

	Add grantor field to audit records of libpam.
	The grantor field gives audit trail of PAM modules which granted access for successful return from libpam calls. In case of failed return the grantor field is set to '?'.
	libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
	libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
	libpam/pam_password.c (pam_chauthtok): Likewise.
	libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
	libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, add grantor= field to the message if grantors is set.
	(_pam_list_grantors): New function creating the string with grantors list.
	(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() to list the grantors from the handler list.
	(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
	(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
	libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
	(_pam_clear_grantors): New function to clear grantor field of handler.
	(_pam_dispatch): Call _pam_clear_grantors() before executing the stack. Call _pam_auditlog() when appropriate.
	libpam/pam_handlers.c (extract_modulename): Do not allow empty module name or just "?" to avoid confusing audit trail.
	(_pam_add_handler): Test for NULL return from extract_modulename(). Clear grantor field of handler.
	libpam/pam_private.h: Add grantor field to struct handler, add handler pointer parameter to _pam_auditlog().

2014-08-26  Tomas Mraz

	pam_mkhomedir: Drop superfluous stat() call.
	modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous stat() call.

	pam_exec: Do not depend on open() returning STDOUT_FILENO.
	modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to STDOUT_FILENO if needed.

2014-08-25  Robin Hack

	pam_keyinit: Check return value of setregid.
	modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.

	pam_filter: Avoid leaking descriptors when fork() fails.
	modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.

2014-08-14  Robin Hack

	pam_echo: Avoid leaking file descriptor.
	modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.

2014-08-13  Robin Hack

	pam_tty_audit: Silence Coverity reporting uninitialized use.
	modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also msg_flags.

2014-08-13  Tomas Mraz

	pam_tally2: Avoid uninitialized use of fileinfo.
	Problem found by Robin Hack.
	modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size just try to read it.

	pam_access: Avoid uninitialized access of line.
	* modules/pam_access/pam_access.c (login_access): Reorder condition so line is not accessed when uninitialized.

2014-08-05  Tomas Mraz

	pam_lastlog: Properly clean up last_login structure before use.
	modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login structure before use.

2014-07-21  Tomas Mraz

	Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.
	* modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields in opasswd entry and return error.
	* modules/pam_unix/passverify.c (save_old_password): Test for missing fields in opasswd entry and skip it.

2014-07-01  Dmitry V. Levin

	doc: add missing build dependencies for soelim stubs.
	* doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs.

2014-06-23  Dmitry V. Levin

	doc: fix install in case of out of tree build (ticket #31)
	* doc/adg/Makefile.am (install-data-local, releasedocs): Fall back to srcdir if documentation files haven't been found in builddir.
	(releasedocs): Treat missing documentation files as an error.
	* doc/mwg/Makefile.am: Likewise.
	* doc/sag/Makefile.am: Likewise.

2014-06-19  Dmitry V. Levin

	doc: fix installation of adg-*.html and mwg-*.html files (ticket #31)
	Fix a typo due to which sag-*.html files might be installed instead of adg-*.html and mwg-*.html files.
	* doc/adg/Makefile.am (install-data-local): Install adg-*.html instead of sag-*.html.
	* doc/mwg/Makefile.am (install-data-local): Install mwg-*.html instead of sag-*.html.
	Patch-by: Mike Frysinger

2014-06-19  Tomas Mraz

	pam_limits: nofile refers to file descriptors not files.
	modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
	modules/pam_limits/limits.conf: Likewise.

	pam_limits: clarify documentation of maxlogins and maxsyslogins limits.
	modules/pam_limits/limits.conf.5.xml: clarify documentation of maxlogins and maxsyslogins limits.

	pam_unix: Check for NULL return from Goodcrypt_md5().
	modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for NULL return from Goodcrypt_md5().

	pam_unix: check for NULL return from malloc()
	* modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().

2014-05-22  Tomas Mraz

	pam_loginuid: Document one more possible case of PAM_IGNORE return.
	modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case of PAM_IGNORE return value.

	pam_loginuid: Document other possible return values.
	modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return values.

2014-03-26  Dmitry V. Levin

	pam_timestamp: fix potential directory traversal issue (ticket #27)
	pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of the timestamp pathname it creates, so extra care should be taken to avoid potential directory traversal issues.
	* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat "." and ".." tty values as invalid.
	(get_ruser): Treat "." and ".." ruser values, as well as any ruser value containing '/', as invalid.
	Fixes CVE-2014-2583.
	Reported-by: Sebastian Krahmer

2014-03-20  Tomas Mraz

	pam_userdb: document that .db suffix should not be used.
	modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix should not be used and correct the example.

2014-03-11  Tomas Mraz

	pam_selinux: canonicalize user name.
	SELinux expects canonical user name for example without domain component.
	* modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().

2014-01-28  Dmitry V. Levin

	Change tarball name back to "Linux-PAM"
	As a side effect of commit Linux-PAM-1_1_8-11-g3fa23ce, tarball name changed accidentally from "Linux-PAM" to "linux-pam". This change brings it back to "Linux-PAM".
	* configure.in (AC_INIT): Explicitly specify TARNAME argument.

2014-01-27  Dmitry V. Levin

	Introduce pam_modutil_sanitize_helper_fds.
	This change introduces pam_modutil_sanitize_helper_fds - a new function that redirects standard descriptors and closes all other descriptors.
	pam_modutil_sanitize_helper_fds supports three types of input and output redirection:
	- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
	- PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented by creating a pipe, closing its write end, and redirecting stdin to its read end. Likewise, for stdout/stderr it is implemented by creating a pipe, closing its read end, and redirecting to its write end.
Unlike stdin redirection, stdout/stderr redirection to a pipe has a side effect that a process writing to such descriptor should be prepared to handle SIGPIPE appropriately. - PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is implemented via PAM_MODUTIL_PIPE_FD because there is no functional difference. For stdout/stderr, it is classic redirection to /dev/null. PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel security restrictions, but when the helper process might be writing to the corresponding descriptor and termination of the helper process by SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD. * libpam/pam_modutil_sanitize.c: New file. * libpam/Makefile.am (libpam_la_SOURCES): Add it. * libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd, pam_modutil_sanitize_helper_fds): New declarations. * libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface. * modules/pam_exec/pam_exec.c (call_exec): Use pam_modutil_sanitize_helper_fds. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise. * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise. * modules/pam_unix/support.h (MAX_FD_NO): Remove. pam_xauth: avoid potential SIGPIPE when writing to xauth process. Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8. * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process, close the read end of input pipe after writing to its write end. pam_loginuid: log significant loginuid write errors. * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors during /proc/self/loginuid update that are not ignored. Fix gratuitous use of strdup and x_strdup. 
There is no need to copy strings passed as arguments to execve, the only potentially noticeable effect of using strdup/x_strdup would be a malformed argument list in case of memory allocation error. Also, x_strdup, being a thin wrapper around strdup, is of no benefit when its argument is known to be non-NULL, and should not be used in such cases. * modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup instead of x_strdup, the latter is of no benefit in this case. * modules/pam_ftp/pam_ftp.c (lookup): Likewise. * modules/pam_userdb/pam_userdb.c (user_lookup): Likewise. * modules/pam_userdb/pam_userdb.h (x_strdup): Remove. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use x_strdup for strings passed as arguments to execve. * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. (_unix_verify_password): Use strdup instead of x_strdup, the latter is of no benefit in this case. * modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for strings passed as arguments to execv. pam_userdb: fix password hash comparison. Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed passwords support in pam_userdb, hashes are compared case-insensitively. This bug leads to accepting hashes for completely different passwords in addition to those that should be accepted. Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for modern password hashes with different lengths and settings, did not update the hash comparison accordingly, which leads to accepting computed hashes longer than stored hashes when the latter is a prefix of the former. * modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed hash whose length differs from the stored hash length. Compare computed and stored hashes case-sensitively. Fixes CVE-2013-7041. 
Bug-Debian: http://bugs.debian.org/731368 2014-01-24 Dmitry V. Levin pam_xauth: log fatal errors preventing xauth process execution. * modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe() and fork() calls. 2014-01-22 Dmitry V. Levin pam_loginuid: cleanup loginuid buffer initialization. * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid buffer initialization closer to its first use. libpam_misc: fix an inconsistency in handling memory allocation errors. When misc_conv fails to allocate memory for pam_response array, it returns PAM_CONV_ERR. However, when read_string fails to allocate memory for a response string, it loses the response string and silently ignores the error, with net result as if EOF has been read. * libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup, the latter is of no benefit in this case. Do not ignore potential memory allocation errors returned by strdup, forward them to misc_conv. 2014-01-20 Dmitry V. Levin pam_limits: fix utmp->ut_user handling. ut_user member of struct utmp is a string that is not necessarily null-terminated, so extra care should be taken when using it. * modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to a null-terminated string and consistently use it where a null-terminated string is expected. pam_mkhomedir: check and create home directory for the same user (ticket #22) Before pam_mkhomedir helper was introduced in commit 7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for existence and creating the same directory - the home directory of the user NAME returned by pam_get_item(PAM_USER). The change in behaviour accidentally introduced along with mkhomedir_helper is not consistent: while the module still checks for getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily the same as the directory being checked.
This change brings check and creation back in sync, both handling getpwnam(NAME)->pw_dir. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace "struct passwd *" argument with user's name and home directory. Pass user's name to MKHOMEDIR_HELPER. (pam_sm_open_session): Update create_homedir call. 2014-01-20 Tomas Mraz pam_limits: detect and ignore stale utmp entries. Original idea by Christopher Hailey * modules/pam_limits/pam_limits.c (check_logins): Use kill() to detect if pid of the utmp entry is still running and ignore the entry if it is not. 2014-01-19 Stéphane Graber pam_loginuid: Always return PAM_IGNORE in userns. The previous patch to support user namespaces works fine with containers that are started from a desktop/terminal session but fails when dealing with containers that were started from a remote session such as ssh. I haven't looked at the exact reason for that in the kernel but on the userspace side of things, the difference is that containers started from an ssh session will happily let pam open /proc/self/loginuid read-write, will let it read its content but will then fail with EPERM when trying to write to it. So to make the userns support bulletproof, this commit moves the userns check earlier in the function (which means a small performance impact as it'll now happen every time on kernels that have userns support) and will set rc = PAM_IGNORE instead of rc = PAM_ERROR. The rest of the code is still executed in the event that PAM is run on a future kernel where we have some kind of audit namespace that includes a working loginuid. 2014-01-15 Steve Langasek pam_namespace: don't use bashisms in default namespace.init script. * modules/pam_namespace/pam_namespace.c: call setuid() before execing the namespace init script, so that scripts run with maximum privilege regardless of the shell implementation.
* modules/pam_namespace/namespace.init: drop the '-p' bashism from the shebang line. This is not a POSIX standard option, it's a bashism. The bash manpage says that it's used to prevent the effective user id from being reset to the real user id on startup, and to ignore certain unsafe variables from the environment. In the case of pam_namespace, the -p is not necessary for environment sanitizing because the PAM module (properly) sanitizes the environment before execing the script. The stated reason given in CVS history for passing -p is to "preserve euid when called from setuid apps (su, newrole)." This should be done more portably, by calling setuid() before spawning the shell. Bug-Debian: http://bugs.debian.org/624842 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323 2014-01-10 Stéphane Graber pam_loginuid: Ignore failure in user namespaces. When running pam_loginuid in a container using the user namespaces, even uid 0 isn't allowed to set the loginuid property. This change catches the EACCES from opening loginuid, checks if the user is in the host namespace (by comparing the uid_map with the host's one) and only if that's the case, sets rc to 1. Should uid_map not exist or be unreadable for some reason, it'll be assumed that the process is running on the host's namespace. The initial reason behind this change was failure to ssh into an unprivileged container (using a 3.13 kernel and current LXC) when using a standard pam profile for sshd (which requires success from pam_loginuid). I believe this solution doesn't have any drawback and will allow people to use unprivileged containers normally. An alternative would be to have all distros set pam_loginuid as optional but that'd be bad for any of the other potential failure cases which people may care about.
There have also been some discussions to get some of the audit features tied with the user namespaces but currently none of that has been merged upstream and the currently proposed implementation doesn't cover loginuid (nor is it clear how this should even work when loginuid is set as immutable after initial write). 2014-01-10 Dmitry V. Levin pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist. When /proc/self/loginuid does not exist, return PAM_IGNORE instead of PAM_SUCCESS, so that we can distinguish between "loginuid set successfully" and "loginuid not set, but this is expected". Suggested by Steve Langasek. * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid does not exist, PAM_SESSION_ERR in case of any other error. (_pam_loginuid): Forward the PAM error code returned by set_loginuid. 2013-11-20 Dmitry V. Levin pam_access: fix debug level logging (ticket #19) * modules/pam_access/pam_access.c (group_match): Log the group token passed to the function, not uninitialized data on the stack. pam_warn: log flags passed to the module (ticket #25) * modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and log it using pam_syslog. (pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok, pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass "flags" argument to log_items. Modernize AM_INIT_AUTOMAKE invocation. Before this change, automake complained that two- and three-argument forms of AM_INIT_AUTOMAKE are deprecated. * configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead of AM_INIT_AUTOMAKE. Fix autoconf warnings. Before this change, autoconf complained that AC_COMPILE_IFELSE and AC_RUN_IFELSE were called before AC_USE_SYSTEM_EXTENSIONS. * configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT. pam_securetty: check return value of fgets.
Checking return value of fgets not only silences the warning from glibc but also leads to cleaner code. * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Check return value of fgets. pam_lastlog: fix format string. gcc -Wformat justly complains: format '%d' expects argument of type 'int', but argument 5 has type 'time_t' * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format string. 2013-11-20 Darren Tucker If the correct loginuid is set already, skip writing it. modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid and skip writing if already correctly set. 2013-11-11 Thorsten Kukuk Always ask for old password if changing NIS account. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask for old password if NIS account. 2013-11-08 Thorsten Kukuk Allow DES as compatibility option for /etc/login.defs. * modules/pam_unix/support.h: Add UNIX_DES 2013-10-14 Tomas Mraz Docfix: pam_prompt() and pam_vprompt() return int. doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int. Make pam_tty_audit work with old kernels not supporting log_passwd. modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Pad result with zeros if message is short from older kernel. 2013-09-25 Tomas Mraz Fix pam_tty_audit log_passwd support and regression. modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include. (pam_sm_open_session): Always copy the old status as initialization of new. 2013-09-19 Thorsten Kukuk Release version 1.1.8. 2013-09-16 Thorsten Kukuk Check return value of setuid to remove glibc warnings. * modules/pam_unix/pam_unix_acct.c: Check setuid return value. * modules/pam_unix/support.c: Likewise. 2013-09-13 Tomas Mraz Write to *rounds only if non-NULL. modules/pam_unix/support.c (_set_ctrl): Write to *rounds only if non-NULL. Add missing ')' modules/pam_unix/pam_unix_passwd.c: Add missing ')'. 2013-09-11 Thorsten Kukuk Release version 1.1.7.
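Added illustration for the 2014-03-26 pam_timestamp entry above (CVE-2014-2583); this is not Linux-PAM code. It applies the checks that entry lists to the two caller-influenced values before they are used as pathname components. EXAMPLE_TIMESTAMP_DIR, the dir/ruser/tty layout, the function names, and the choice to use the text after the last '/' of the tty are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical base directory; the changelog entry does not name the real one. */
#define EXAMPLE_TIMESTAMP_DIR "/run/example-timestamps"

static int is_dot_or_dotdot(const char *s)
{
    return strcmp(s, ".") == 0 || strcmp(s, "..") == 0;
}

/*
 * Return the component of `tty` that may be used in a pathname, or NULL.
 * Assumption of this example: only the text after the last '/' is used.
 * As in the entry, "." and ".." are treated as invalid.
 */
const char *checked_tty(const char *tty)
{
    const char *base;

    if (tty == NULL || *tty == '\0')
        return NULL;
    base = strrchr(tty, '/');
    base = (base != NULL) ? base + 1 : tty;
    if (*base == '\0' || is_dot_or_dotdot(base))
        return NULL;
    return base;
}

/*
 * Return `ruser` if it is usable as a single pathname component, or NULL.
 * As in the entry, ".", ".." and any value containing '/' are invalid.
 */
const char *checked_ruser(const char *ruser)
{
    if (ruser == NULL || *ruser == '\0')
        return NULL;
    if (is_dot_or_dotdot(ruser) || strchr(ruser, '/') != NULL)
        return NULL;
    return ruser;
}

/*
 * Build EXAMPLE_TIMESTAMP_DIR/<ruser>/<tty> into `out`.
 * Returns 0 on success, -1 if a component is invalid or the result
 * does not fit; on failure `out` is left as an empty string.
 */
int build_timestamp_path(const char *ruser, const char *tty,
                         char *out, size_t outlen)
{
    const char *r = checked_ruser(ruser);
    const char *t = checked_tty(tty);
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (r == NULL || t == NULL)
        return -1;
    n = snprintf(out, outlen, "%s/%s/%s", EXAMPLE_TIMESTAMP_DIR, r, t);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary pair and the shapes the entry rejects. */
    static const char *const samples[][2] = {
        { "alice",     "/dev/pts/3" },
        { "..",        "/dev/pts/3" },
        { "../../etc", "tty1"       },
        { "alice",     "/dev/.."    },
        { "alice",     "."          },
    };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = build_timestamp_path(samples[i][0], samples[i][1],
                                      path, sizeof(path));
        printf("ruser=%-10s tty=%-11s -> %s\n", samples[i][0], samples[i][1],
               rc == 0 ? path : "rejected");
    }
    return 0;
}
```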
2013-09-11 Tomas Mraz Updated translations from Transifex. po/*.po: Updated translations from Transifex. 2013-09-04 Thorsten Kukuk Extend pam_exec by stdout and type= options (ticket #8): * modules/pam_exec/pam_exec.c: Add stdout and type= option * modules/pam_exec/pam_exec.8.xml: Document new options 2013-08-30 Thorsten Kukuk Fix compile error. * modules/pam_unix/pam_unix_acct.c: fix last change 2013-08-29 Thorsten Kukuk Restart waitpid if it returns with EINTR (ticket #17) * modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/support.c: Likewise. 2013-08-28 Thorsten Kukuk misc_conv.3: Fix documentation of misc_conv. doc/man/misc_conv.3.xml: Fix return value of misc_conv 2013-08-23 Tomas Mraz Apply the exclusive check in pam_sepermit only when loginuid not set. * modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from /proc (sepermit_match): Apply the exclusive check only when loginuid not set. 2013-08-22 Tomas Mraz Updated translations from Transifex. * po/*.po: Updated translations from Transifex. 2013-07-02 Dmitry V. Levin pam_rootok: fix linking in --enable-audit mode. pam_rootok.c explicitly uses functions from libaudit, so the module has to be linked with the library. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@. 2013-07-01 Richard Guy Briggs pam_tty_audit: fix a typo that crept in during patch review. * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD. * configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove. 2013-06-21 Richard Guy Briggs pam_tty_audit: add an option to control logging of passwords: log_passwd Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. 
This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. * configure.in: autoconf bits to conditionally add support at compile time depending on struct audit_tty_status kernel header version. * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module log_passwd option. * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added "log_passwd" option parsing. 2013-06-20 Tomas Mraz Man page fix - unix_update runs in the permissive mode as well. modules/pam_unix/unix_update.8.xml: unix_update helper runs in the permissive mode as well. 2013-06-18 Thorsten Kukuk Use hash from /etc/login.defs as default if no other one is specified as argument. * modules/pam_unix/support.c: Add search_key, call from __set_ctrl * modules/pam_unix/support.h: Add define for /etc/login.defs * modules/pam_unix/pam_unix.8.xml: Document new behavior. * modules/pam_umask/pam_umask.c: Add missing NULL pointer check 2013-04-12 Tomas Mraz pam_access: better not change the default function used to get domain name. modules/pam_access/pam_access.c (netgroup_match): As we did not use yp_get_default_domain() in the 1.1 branch due to typo in ifdef we should use it only as fallback. 2013-03-28 Tomas Mraz Fix strict aliasing issue in MD5 implementations. modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment. modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment. 2013-03-22 Tomas Mraz pam_lastlog: Do not fail on short read if btmp is corrupted. modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail on short read or read error. pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions. 
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess. 2013-02-08 Tomas Mraz Add checks for crypt() returning NULL. modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. modules/pam_unix/bigcrypt.c (bigcrypt): Likewise. 2013-02-07 Tomas Mraz pam_userdb: Allow also modern password hashes supported by crypt(). modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes longer than 13 characters and long salt. 2013-01-18 Walter de Jong pam_access: fix typo in ifdef. modules/pam_access/pam_access.c (netgroup_match): Fix typo in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN. 2012-12-20 Tomas Mraz pam_cracklib: Mention checks that are not run for root. modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks when run as root. Update also the POT file. po/Linux-PAM.pot: Update to reflect current sources. 2012-12-12 Tomas Mraz Updated translations from Transifex, added new languages. po/LINGUAS: Added new languages. po/*.po: Updated translations from Transifex including new languages. 2012-11-30 Tomas Mraz pam_selinux: Drop obsolete and unsupported manual context selection. modules/pam_selinux/pam_selinux.c (manual_context): Drop function. (compute_exec_context): Drop manual_context() call. 2012-11-23 Tomas Mraz pam_limits: fix grammatical mistake. modules/pam_limits/limits.conf: Fix grammatical mistake. 2012-11-13 Tomas Mraz Reflect the enforce_for_root semantics change in pam_pwhistory xtest. xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is running with real uid == 0. 2012-10-10 Dmitry V. Levin pam_unix: fix build in --enable-selinux mode. glibc's starting with commit http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467 does not include for POSIX 2008 conformance reasons, so when pam is being built with SELinux support enabled, pam_unix_passwd.c uses getrlimit(2) and therefore should include without relying on other headers. 
* modules/pam_unix/pam_unix_passwd.c: Include . Reported-by: Guido Trentalancia Reported-by: "Jory A. Pratt" Reported-by: Diego Elio Pettenò 2012-10-10 Tomas Mraz pam_namespace: add mntopts flag for tmpfs mount options. modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir structure. modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts. (parse_method): Parse the mntopts flag. (ns_setup): Pass the mount_opts to mount(). modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag. 2012-09-06 Tomas Mraz pam_selinux, pam_tally2: Add tty and rhost to audit data. modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and rhost from PAM items and pass them to audit. modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and rhost from PAM items and pass them to audit. (main): Obtain tty name of stdin and pass it to audit. Update configure.in to use more recent interfaces. configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead of AC_HELP_STRING. 2012-08-17 Tomas Mraz Add missing $(DESTDIR) when making directories on install. modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making $(namespaceddir) on install. modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making $(sepermitlockdir) on install. 2012-08-17 Thorsten Kukuk release version 1.1.6. configure.in: Bump version to 1.1.6 NEWS: Document changes po/*.po: Regenerate *.po files 2012-08-16 Thorsten Kukuk Small documentation and define fixes. modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10] modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary modules/pam_pwhistory/pam_pwhistory.c: Document how the module works modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6] 2012-08-13 Tomas Mraz Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify(). 
libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE item when obtained from module options. (pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting. 2012-08-09 Tomas Mraz Document limits.d also in the limits.conf manpage. modules/pam_limits/limits.conf.5.xml: Document the limits.d existence. 2012-07-23 Tomas Mraz New autotools do not create empty directories on install. modules/pam_namespace/Makefile.am: Add install-data-local target to create namespaceddir. modules/pam_sepermit/Makefile.am: Add install-data-local target to create sepermitlockdir. 2012-07-09 Stevan Bajić RLIMIT_* variables are no longer defined unless you explicitly include sys/resource.h. modules/pam_unix/pam_unix_acct.c: Include sys/resource.h. 2012-06-27 Tomas Mraz pam_umask: correct the documentation of GECOS field parsing. modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field parsing. 2012-06-22 Tomas Mraz pam_cracklib: Add monotonic character sequence checking. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option. (sequence): New function to check for too long monotonic sequence of characters. (password_check): Call the sequence(). modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check. 2012-06-01 Tomas Mraz pam_timestamp: Fix copy&paste error in manpage. modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section. 2012-05-28 Tomas Mraz Pulled new translations from Transifex. po/*.po: Updated translations. pam_pwhistory: Always record the old password even when root changes it. modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of the process instead of the target user UID (same as in pam_cracklib) to check for root. Always record old password. 2012-05-24 Tomas Mraz pam_cracklib: Add enforce_for_root option. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option. (pam_sm_chauthtok): Enforce errors for root with the option. 
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option. 2012-04-30 Tomas Mraz pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option. (simple): Add the check for the same class repetition. (usercheck): Refactor into wordcheck(). (gecoscheck): New test for words from the GECOS field. (password_check): Call the gecoscheck(). (pam_sm_chauthtok): Drop the diff_ignore from options struct. modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test. pam_lastlog: Never lock out the root account. modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if uid==0. modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation. 2012-04-17 Tomas Mraz pam_lastlog: add possibility to lock out inactive users in auth or account * modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and option. * modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out. (_pam_session_parse): Renamed from _pam_parse. (_pam_auth_parse): New function to parse auth arguments. (_last_login_open): Factor out opening of the lastlog file. (_last_login_read): Factor out opening of the lastlog file. (pam_sm_authenticate): Implement the lockout functionality. (pam_sm_setcred): Just return PAM_SUCCESS. (pam_sm_acct_mgmt): Call pam_sm_authenticate(). 2012-04-11 Paul Wouters Check for crypt() failure returning NULL. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message. * modules/pam_unix/passverify.c (create_password_hash): Check for crypt() returning NULL. 2012-02-03 Dmitry V. Levin pam_unix: make configuration consistent in --enable-static-modules mode. In --enable-static-modules mode, it was not possible to use "pam_unix" in PAM config files. 
Instead, different names had to be used for each management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and pam_unix_session. This change makes pam_unix configuration consistent with other PAM modules. * README: Remove the paragraph describing pam_unix distinctions in --enable-static-modules mode. * libpam/pam_static_modules.h (_pam_unix_acct_modstruct, _pam_unix_auth_modstruct, _pam_unix_passwd_modstruct, _pam_unix_session_modstruct): Remove. (_pam_unix_modstruct): New pam_module declaration. * modules/pam_unix/pam_unix_static.h: New file. * modules/pam_unix/pam_unix_static.c: Likewise. * modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h (pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c * modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_acct_modstruct): Remove. * modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_auth_modstruct): Remove. * modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_passwd_modstruct): Remove. * modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_session_modstruct): Remove. Suggested-by: Matveychikov Ilya 2012-01-27 Dmitry V. Levin Make --disable-cracklib compatible with --enable-static-modules mode. * configure.in: Define HAVE_LIBCRACK when cracklib is enabled. * libpam/pam_static_modules.h (static_modules): Guard the use of _pam_cracklib_modstruct by HAVE_LIBCRACK macro. 2012-02-10 Tomas Mraz Add missing includes for types used in the pam_modutil.h. * libpam/include/security/pam_modutil.h: Add missing includes for used types. 2012-01-27 Matveychikov Ilya Fix compile time errors in --enable-static-modules mode. * libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove obsolete declaration. (static_modules): Remove undefined reference to _pam_rhosts_auth_modstruct. 
* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to {save,check}_old_pass in order to avoid conflicts with pam_unix. * modules/pam_pwhistory/opasswd.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to _pam_tally2_modstruct. 2012-01-26 Dmitry V. Levin Fix SUBDIRS for --enable-static-modules mode. There is no way to build "modules" subdirectory before "libpam" anyway. In STATIC_MODULES mode, "libpam" subdirectory must be built twice to produce a usable libpam.a without undefined references to multiple _pam_*_modstruct symbols. * Makefile.am: Use default SUBDIRS in STATIC_MODULES mode. 2012-01-26 Matveychikov Ilya configure: fix typo in --disable-nis help string. * configure.in: Change '-disable-nis' to '--disable-nis'. 2012-01-26 Tomas Mraz Do not unmount anything by default in pam_namespace close session call. * modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize the unmount_on_close option and make the default to be to not unmount. * modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to PAMNS_UNMOUNT_ON_CLOSE. * modules/pam_namespace/pam_namespace.8.xml: Document the change. 2012-01-24 Tomas Mraz Make / mount as rslave instead of bind mounting polydirs. * modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument. (check_inst_parent): Drop the always argument from protect_dir(). (create_polydir): Likewise. (ns_setup): Likewise and do not mark the polydir with MS_PRIVATE. (setup_namespace): Mark the / with MS_SLAVE|MS_REC. * modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs. 2012-01-13 Tomas Mraz Add possibility to match ruser, rhost, and tty in pam_succeed_if. * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser, rhost, and tty as left operand. * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new possible left operands. 
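Added illustration for the pam_userdb hash comparison entry above (CVE-2013-7041); this is not Linux-PAM code. It puts a comparison with the two defects that entry describes beside one that applies the stated fix, and runs both over constructed values. The function names, the pointer-plus-length form of the stored value, and every sample string are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

typedef int (*hash_cmp_fn)(const char *computed,
                           const char *stored, size_t stored_len);

/*
 * Comparison showing the behaviour the entry describes as the bug:
 * case-insensitive, and bounded only by the stored length, so a longer
 * computed value whose prefix equals the stored value is accepted.
 */
int compare_before_fix(const char *computed,
                       const char *stored, size_t stored_len)
{
    return strncasecmp(computed, stored, stored_len) == 0;
}

/*
 * Comparison applying the fix the entry states: reject a computed hash
 * whose length differs from the stored length, then compare the bytes
 * case-sensitively.
 */
int compare_after_fix(const char *computed,
                      const char *stored, size_t stored_len)
{
    if (strlen(computed) != stored_len)
        return 0;
    return memcmp(computed, stored, stored_len) == 0;
}

/*
 * Constructed database bytes: a 13-character stored value followed by
 * unrelated data, so the stored value is NOT NUL-terminated.
 */
static const char DB_BYTES[] = "ab01CdEfGhIjK|next-record";
#define STORED_LEN 13

struct hash_case {
    const char *computed;     /* constructed stand-in for a computed hash */
    int should_accept;        /* 1 only for the exact stored value */
    const char *what;
};

static const struct hash_case CASES[] = {
    { "ab01CdEfGhIjK",     1, "exact match" },
    { "AB01cDeFgHiJk",     0, "differs only in letter case" },
    { "ab01CdEfGhIjKzzzz", 0, "longer, stored value is its prefix" },
    { "ab01CdEf",          0, "shorter than stored value" },
    { "zz99zzzzzzzzz",     0, "unrelated value" },
};
#define N_CASES (sizeof(CASES) / sizeof(CASES[0]))

/* Number of cases where `cmp` gives the wrong verdict. */
int count_mismatches(hash_cmp_fn cmp)
{
    int wrong = 0;
    size_t i;

    for (i = 0; i < N_CASES; i++) {
        int got = cmp(CASES[i].computed, DB_BYTES, STORED_LEN);
        if (got != CASES[i].should_accept)
            wrong++;
    }
    return wrong;
}

int main(void)
{
    size_t i;

    for (i = 0; i < N_CASES; i++)
        printf("%-36s before=%d after=%d expected=%d\n", CASES[i].what,
               compare_before_fix(CASES[i].computed, DB_BYTES, STORED_LEN),
               compare_after_fix(CASES[i].computed, DB_BYTES, STORED_LEN),
               CASES[i].should_accept);
    printf("wrong verdicts: before=%d after=%d\n",
           count_mismatches(compare_before_fix),
           count_mismatches(compare_after_fix));
    return 0;
}
```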
2012-01-03 Tomas Mraz Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam. Fix matching of usernames in the pam_unix remember feature. * modules/pam_unix/pam_unix_passwd.c (check_old_password): Make sure we match only the whole username in opasswd entry. * modules/pam_unix/passverify.c (save_old_password): Likewise make sure we match only the whole username in opasswd entry. 2011-12-26 Dmitry V. Levin pam_start: fix memory leak on error path. * libpam/pam_start.c (pam_start): If _pam_make_env() or _pam_init_handlers() returned an error, release the memory allocated for pam_conv structure. Patch-by: cancel . 2011-11-03 Dmitry V. Levin pam_selinux.8.xml: update. * modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis): Reorder options, add new "restore" option. (pam_selinux-description): Rewrite. (pam_selinux-options): Reorder options, describe new "restore" option. (pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR and PAM_BUF_ERR. (pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4) and selinux(8). pam_selinux.c: add "restore" option. * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new "restore" option. pam_selinux.c: rewrite using pam_get_data/pam_set_data. * modules/pam_selinux/pam_selinux.c (security_restorelabel_tty, security_label_tty): Remove old functions. (module_data_t): New structure. (free_module_data, cleanup, get_module_data, get_item, set_exec_context, set_file_context, compute_exec_context, compute_tty_context, restore_context, set_context, create_context): New functions. (pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session, pam_sm_close_session): Use them. 2011-10-28 Dmitry V. Levin Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc. GNU automake documentation recommends to avoid using -l options in LDADD or LIBADD when referring to libraries built by the package.
	Instead, it recommends to write the file name of the library explicitly, and use -l option only to list third-party libraries.
	As a result, the default value of *_DEPENDENCIES will list all local libraries and omit the other ones.
	* modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", to follow GNU automake recommendations.
	* modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise.
	* modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise.
	* modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise.
	* modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise.
	* modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise.
	* modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise.
	* modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise.
	* modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise.
	* modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise.
	* modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise.
	* modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise.
	* modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise.
	* modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise.
	* modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise.
	* modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise.
	* modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise.
	* modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise.
	* modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise.
	* modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise.
	* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD, mkhomedir_helper_LDADD): Likewise.
	* modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise.
	* modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise.
	* modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise.
	* modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise.
	* modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise.
	* modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise.
	* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise.
	* modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise.
	* modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise.
	* modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise.
	* modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise.
	* modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD): Likewise.
	* modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise.
	* modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD, pam_tally2_LDADD): Likewise.
	* modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise.
	* modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD, pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise.
	* modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise.
	* modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise.
	* modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise.
	* modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise.
	* modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise.
	* modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise.
	* modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise.
	* tests/Makefile.am (LDADD): Likewise.
	* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", and "-L$(top_builddir)/libpam_misc -lpam_misc" with "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake recommendations.
	* xtests/Makefile.am (LDADD): Likewise.
	* modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.

	Fix usage of LIBADD, LDADD and LDFLAGS.
	* modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to pam_selinux_check_LDADD.
	* modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from AM_LDFLAGS.
	* modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from AM_LDFLAGS.
	* modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from AM_LDFLAGS.
	* modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from AM_LDFLAGS.
	* xtests/Makefile.am: Rename AM_LDFLAGS to LDADD.

2011-10-27  Dmitry V. Levin

	Update .gitignore files.
	* .gitignore: Add common ignore patterns.
	* m4/.gitignore: Unignore local m4 files.
	* dynamic/.gitignore: Unignore Makefile.
	* libpamc/test/modules/.gitignore: Likewise.
	* libpamc/test/regress/.gitignore: Likewise.
	* po/.gitignore: Add Makevars.template.
	* conf/.gitignore: Remove common ignore patterns.
	* conf/pam_conv1/.gitignore: Likewise.
	* doc/.gitignore: Likewise.
	* doc/specs/.gitignore: Likewise.
	* doc/specs/formatter/.gitignore: Likewise.
	* examples/.gitignore: Likewise.
	* modules/pam_filter/upperLOWER/.gitignore: Likewise.
	* modules/pam_mkhomedir/.gitignore: Likewise.
	* modules/pam_selinux/.gitignore: Likewise.
	* modules/pam_stress/.gitignore: Likewise.
	* modules/pam_tally/.gitignore: Likewise.
	* modules/pam_tally2/.gitignore: Likewise.
	* modules/pam_timestamp/.gitignore: Likewise.
	* modules/pam_unix/.gitignore: Likewise.
	* tests/.gitignore: Likewise.
	* xtests/.gitignore: Likewise.
	* doc/adg/.gitignore: Remove.
	* doc/man/.gitignore: Remove.
	* doc/mwg/.gitignore: Remove.
	* doc/sag/.gitignore: Remove.
	* libpamc/.gitignore: Remove.
	* libpamc/test/.gitignore: Remove.
	* libpam/.gitignore: Remove.
	* libpam_misc/.gitignore: Remove.
	* modules/.gitignore: Remove.
	* modules/pam_access/.gitignore: Remove.
	* modules/pam_cracklib/.gitignore: Remove.
	* modules/pam_debug/.gitignore: Remove.
	* modules/pam_deny/.gitignore: Remove.
	* modules/pam_echo/.gitignore: Remove.
	* modules/pam_env/.gitignore: Remove.
	* modules/pam_exec/.gitignore: Remove.
	* modules/pam_faildelay/.gitignore: Remove.
	* modules/pam_filter/.gitignore: Remove.
	* modules/pam_ftp/.gitignore: Remove.
	* modules/pam_group/.gitignore: Remove.
	* modules/pam_issue/.gitignore: Remove.
	* modules/pam_keyinit/.gitignore: Remove.
	* modules/pam_lastlog/.gitignore: Remove.
	* modules/pam_limits/.gitignore: Remove.
	* modules/pam_listfile/.gitignore: Remove.
	* modules/pam_localuser/.gitignore: Remove.
	* modules/pam_loginuid/.gitignore: Remove.
	* modules/pam_mail/.gitignore: Remove.
	* modules/pam_motd/.gitignore: Remove.
	* modules/pam_namespace/.gitignore: Remove.
	* modules/pam_nologin/.gitignore: Remove.
	* modules/pam_permit/.gitignore: Remove.
	* modules/pam_pwhistory/.gitignore: Remove.
	* modules/pam_rhosts/.gitignore: Remove.
	* modules/pam_rootok/.gitignore: Remove.
	* modules/pam_securetty/.gitignore: Remove.
	* modules/pam_sepermit/.gitignore: Remove.
	* modules/pam_shells/.gitignore: Remove.
	* modules/pam_succeed_if/.gitignore: Remove.
	* modules/pam_time/.gitignore: Remove.
	* modules/pam_tty_audit/.gitignore: Remove.
	* modules/pam_umask/.gitignore: Remove.
	* modules/pam_userdb/.gitignore: Remove.
	* modules/pam_warn/.gitignore: Remove.
	* modules/pam_wheel/.gitignore: Remove.
	* modules/pam_xauth/.gitignore: Remove.

	Move generated auxiliary files to build-aux directory.
	* configure.in: Add AC_CONFIG_AUX_DIR([build-aux]).

	Remove generated files.
	* ABOUT-NLS: Remove.
	* INSTALL: Remove.
	* config.rpath: Remove.
	* install-sh: Remove.
	* mkinstalldirs: Remove.
	* Makefile.am (EXTRA_DIST): Remove config.rpath and mkinstalldirs.
	* .gitignore: Add ABOUT-NLS and INSTALL.

	Create release tarballs using safe ownership and permissions.
	* Makefile.am: Define and export TAR_OPTIONS.

	Generate ChangeLog from git log.
	* .gitignore: Add ChangeLog
	* ChangeLog: Rename to ChangeLog-CVS.
	* Makefile.am (gen-changelog): New rule.
	(dist-hook, .PHONY): Depend on it.
	(EXTRA_DIST): Add ChangeLog-CVS.
	* README-hacking: New file.
	* gitlog-to-changelog: Import from gnulib.
	* autogen.sh: Create empty ChangeLog file to make automake strictness check happy.
	Use automated "autoreconf -fiv" instead of manual invocations of various autotools.

	Fix "make distcheck"
	There is no use to distribute m4 files manually, because automake does the right thing, while manual distribution is not only redundant but also very fragile.
	* Makefile.am (M4_FILES): Remove.
	(EXTRA_DIST): Remove M4_FILES.

	Remove modules/pam_timestamp/hmacfile from distribution.
	* modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp.
	(nodist_TESTS): Add hmacfile.
	(EXTRA_DIST): Replace TESTS with dist_TESTS.

	Rename all .cvsignore files to .gitignore.

	Fix whitespace issues.
	Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF.
	Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD

See ChangeLog-CVS for earlier changes.