author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:38:36 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:38:36 +0000 |
commit | 26367bfc399cb3862f94ddca8fce87f98f26d67e (patch) | |
tree | ba3a4e02ed5ec62fe645dfa810c01d26decf591f /ChangeLog | |
parent | Initial commit. (diff) | |
Adding upstream version 1.3.1. (refs: upstream/1.3.1, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | ChangeLog | 1920 |
-rw-r--r-- | ChangeLog-CVS | 5099 |
2 files changed, 7019 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..3e135be --- /dev/null +++ b/ChangeLog @@ -0,0 +1,1920 @@ +2018-05-18 Thorsten Kukuk <kukuk@thkukuk.de> + + Release version 1.3.1. + + Add xz compression. + +2018-05-16 Allison Karlitskaya <allison.karlitskaya@redhat.com> + + pam_motd: add support for a motd.d directory (#48) + Add a new feature to pam_motd to allow packages to install their own
+ message files in a "motd.d" directory, to be displayed after the primary
+ motd.
+
+ Add an option motd_d= to specify the location of this directory.
+
+ Modify the defaults, in the case where no options are given, to display
+ both /etc/motd and /etc/motd.d.
+
+ Fixes #47
+
+ * modules/pam_motd/pam_motd.c: add support for motd.d
+ * modules/pam_motd/pam_motd.8.xml: update the manpage + +2018-05-02 Tomas Mraz <tmraz@fedoraproject.org> + + pam_umask: Fix documentation to align with order of loading umask. + * modules/pam_umask/pam_umask.8.xml: Document the real order of loading + umask. + +2018-04-10 Joey Chagnon <joeychagnon@users.noreply.github.com> + + Fix missing word in documentation. + * doc/man/pam_get_user.3.xml: Fix it. + +2017-11-10 Dmitry V. Levin <ldv@altlinux.org> + + pam_tally2 --reset: avoid creating a missing tallylog file. + There is no need for pam_tally2 in --reset=0 mode to create a missing + tallylog file because its absence has the same meaning as its existence + with the appropriate entry reset. + + This was not a big deal until useradd(8) from shadow suite release 4.5 + started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM + configuration. + + The positive effect of this change is noticeable when using tools like + cpio(1) that cannot archive huge sparse files efficiently. + + * modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat + cline_filename when cline_reset == 0, exit early if the file is missing. + +2017-11-10 Tomas Mraz <tmraz@fedoraproject.org> + + pam_mkhomedir: Allow creating parent of homedir under / + * modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not + skip creating the directory if we are under /. + +2017-10-09 Tomas Mraz <tmraz@fedoraproject.org> + + pam_tty_audit: Fix regression introduced by adding the uid range support. + * modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and + remove unneeded code carried from pam_limits. + (pam_sm_open_session): When multiple enable/disable options are present do not + stop after first match. 
+ +2017-09-06 Tomas Mraz <tmraz@fedoraproject.org> + + pam_access: Add note about spaces around ':' in access.conf(5) + * modules/pam_access/access.conf.5.xml: Add note about spaces around ':' + + Workaround formatting problem in pam(8) + * doc/man/pam.8.xml: Workaround formatting problem. + +2017-07-12 Peter Urbanec <peterurbanec@users.noreply.github.com> + + pam_unix: Check return value of malloc used for setcred data (#24) + Check the return value of malloc and if it failed print debug info, send
+ a syslog message and return an error code.
+
+ The test in AUTH_RETURN for ret_data not being NULL becomes redundant.
+ +2017-07-10 Tomas Mraz <tmraz@fedoraproject.org> + + pam_cracklib: Drop unused prompt macros. + * modules/pam_cracklib/pam_cracklib.c: Drop the unused macros. + +2017-06-28 Tomas Mraz <tmraz@fedoraproject.org> + + pam_tty_audit: Support matching users by uid range. + * modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to + parse the uid range. + (pam_sm_open_session): Call parse_uid_range() and behave according to its result. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching. + +2017-05-31 Tomas Mraz <tmraz@fedoraproject.org> + + pam_access: support parsing files in /etc/security/access.d/*.conf. + * modules/pam_access/pam_access.c (login_access): Return NOMATCH if + there was no match in the parsed file. + (pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB + subdirectory and call login_access() on the individual files matched. + * modules/pam_access/pam_access.8.xml: Document the addition. + * modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition. + +2017-04-11 Tomas Mraz <tmraz@fedoraproject.org> + + pam_localuser: Correct the example in documentation. + * modules/pam_localuser/pam_localuser.8.xml: The example configuration + does something different. + + pam_localuser: Correct documentation of return value. + * modules/pam_localuser/pam_localuser.8.xml: The module returns + PAM_PERM_DENIED when the user is not listed. + +2017-03-10 Saul Johnson <saul.a.johnson@gmail.com> + + Make maxclassrepeat=1 behavior consistent with docs (#9) + * modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0. + +2017-02-09 Josef Moellers <jmoellers@suse.de> + + Properly test for strtol() failure to find any digits. + * modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set + to beginning and not NULL. + +2017-01-19 Daniel Abrecht <daniel.abrecht@hotmail.com> + + pam_exec: fix a potential null pointer dereference. 
+ Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS + but the response is set to NULL. + + * modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa + with a null pointer. + + Closes: https://github.com/linux-pam/linux-pam/pull/2 + +2016-12-07 Antonio Ospite <ao2@ao2.it> + + Add missing comma in the limits.conf.5 manpage. + * modules/pam_limits/limits.conf.5.xml: add a missing comma + +2016-11-14 Tomas Mraz <tmraz@fedoraproject.org> + + Regular links doesn't work with -no-numbering -no-references. + * configure.ac: Use elinks instead of links. + +2016-11-01 Tomas Mraz <tmraz@fedoraproject.org> + + pam_access: First check for the (group) match. + The (group) match is performed first to allow for groups + containing '@'. + + * modules/pam_access/pam_access.c (user_match): First check for the (group) match. + +2016-10-17 Tomas Mraz <tmraz@fedoraproject.org> + + pam_ftp: Properly use the first name from the supplied list. + * modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list + of anonymous users if user name matches. + (pam_sm_authenticate): Free the returned value allocated in lookup(). + +2016-09-12 Bartos-Elekes Zsolt <muszi@kite.hu> + + pam_issue: Fix no prompting in parse escape codes mode. + * modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat(). + +2016-06-30 Maxin B. John <maxin.john@intel.com> + + xtests: remove bash dependency. + There are no bash specific syntax in the xtest scripts. So, remove + the bash dependency. + +2016-06-30 Tomas Mraz <tmraz@fedoraproject.org> + + Unification and cleanup of syslog log levels. + * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT. + * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT. + * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT. + * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT. + * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT. 
+ * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR. + * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT. + * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT. + * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged + with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors + with LOG_ERR. + * modules/pam_limits/pam_limits.c: User login limit messages are syslogged + with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with + LOG_ERR. + * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged + with LOG_NOTICE. + * modules/pam_namespace/pam_namespace.c: Make memory allocation failures + LOG_CRIT. + * modules/pam_nologin/pam_nologin.c: Make memory allocation failures + LOG_CRIT, other errors LOG_ERR. + * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged + with LOG_NOTICE, non-memory errors with LOG_ERR. + * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT. + * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors + LOG_ERR. + * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT. + * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures + LOG_CRIT. + * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR. + * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, + other errors LOG_ERR. + * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR. + * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE. + * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and + max retries ignorance by application likewise. + * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR. + * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged + with LOG_NOTICE. 
+ * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT. + +2016-06-15 Dmitry V. Levin <ldv@altlinux.org> + + pam_timestamp: fix typo in strncmp usage. + Before this fix, a typo in check_login_time resulted to ruser and + struct utmp.ut_user being compared by the first character only, + which in turn could lead to a too low timestamp value being assigned + to oldest_login, effectively causing bypass of check_login_time. + + * modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo + in strncmp usage. + + Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org> + +2016-05-30 Tomas Mraz <tmraz@fedoraproject.org> + + Correct the examples in pam_fail_delay(3) man page. + doc/man/pam_fail_delay.3.xml: Correct the examples. + +2016-05-11 Tomas Mraz <tmraz@fedoraproject.org> + + Remove spaces in examples for access.conf. + The spaces are ignored only with the default listsep. To remove confusion + if non-default listsep is used they are removed from the examples. + + * modules/pam_access/access.conf: Remove all spaces around ':' in examples. + * modules/pam_access/access.conf.5.xml: Likewise. + +2016-05-05 Mike Frysinger <vapier@gentoo.org> + + build: avoid non-portable == with "test" (ticket #60) + POSIX says test only accepts =. Some shells (including bash) accept ==, + but we should still stick to = for portability. + + * configure.ac: Replace == with = in "test" invocations. + +2016-04-28 Thorsten Kukuk <kukuk@thkukuk.de> + + Release version 1.3.0. + * NEWS: add changes for 1.3.0. + * configure.ac: bump version number. + * libpam/Makefile.am: bump revision of libpam.so version. + +2016-04-28 Tomas Mraz <tmraz@fedoraproject.org> + + Updated translations from Zanata. + * po/*.po: Updated translations from Zanata. + +2016-04-19 Tomas Mraz <tmraz@fedoraproject.org> + + pam_wheel: Correct the documentation of the root_only option. + * modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the + root_only option. 
+ + pam_unix: Document that MD5 password hash is used to store old passwords. + modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used + to store the old passwords when remember option is set. + +2016-04-14 Tomas Mraz <tmraz@fedoraproject.org> + + Project registered at Zanata (fedora.zanata.org) for translations. + * zanata.xml: Configuration file for zanata client. + * po/LINGUAS: Update languages as supported by Zanata. + * po/Linux-PAM.pot: Updated from sources. + * po/*.po: Updated from sources. + +2016-04-06 Tomas Mraz <tmraz@fedoraproject.org> + + pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls. + We have to drop support for not_set_pass option which is not much useful + anyway. Instead we get proper support for authtok_type option. + + * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty + pe + option. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas + sword() + call with equivalent pam_get_authtok() call. + * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop + support for not_set_pass. + * modules/pam_unix/support.c (_unix_read_password): Remove. + * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE. + + pam_get_authtok(): Add authtok_type support to current password prompt. + * libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password, + use different prompt for current password allowing for authtok_type to be + displayed to the user. + +2016-04-04 Tomas Mraz <tmraz@fedoraproject.org> + + pam_unix: Make password expiration messages more user-friendly. + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password + expiration messages more user-friendly. + +2016-04-04 Thorsten Kukuk <kukuk@thkukuk.de> + + innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. 
[ticket#46] + * modules/pam_group/pam_group.c: ditto + * modules/pam_succeed_if/pam_succeed_if.c: ditto + * modules/pam_time/pam_time.c: ditto + + build: fix build when crypt() is not part of crypt_libs [ticket#46] + * configure.ac: Don't set empty -l option in crypt check + + build: use $host_cpu for lib64 directory handling [ticket#46] + * configure.ac: use $host_cpu for lib64 directory handling. + +2016-04-01 Dmitry V. Levin <ldv@altlinux.org> + + Fix whitespace issues. + Remove blank lines at EOF introduced by commit + a684595c0bbd88df71285f43fb27630e3829121e, + making the project free of warnings reported by + git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD + + * libpam/pam_dynamic.c: Remove blank line at EOF. + * modules/pam_echo/pam_echo.c: Likewise. + * modules/pam_keyinit/pam_keyinit.c: Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. + * modules/pam_pwhistory/pam_pwhistory.c: Likewise. + * modules/pam_rhosts/pam_rhosts.c: Likewise. + * modules/pam_sepermit/pam_sepermit.c: Likewise. + * modules/pam_stress/pam_stress.c: Likewise. + +2016-04-01 Thorsten Kukuk <kukuk@thkukuk.de> + + Use TI-RPC functions if we compile and link against libtirpc. The old SunRPC functions don't work with IPv6. + * configure.ac: Set and restore CPPFLAGS + * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with + rpcb_getaddr if available. + +2016-03-29 Thorsten Kukuk <kukuk@thkukuk.de> + + PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it. + * libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility + + Remove "--enable-static-modules" option and support from Linux-PAM. It was never official supported and was broken since years. + * configure.ac: Remove --enable-static-modules option. + * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. + * doc/man/pam_sm_authenticate.3.xml: Likewise. + * doc/man/pam_sm_chauthtok.3.xml: Likewise. + * doc/man/pam_sm_close_session.3.xml: Likewise. 
+ * doc/man/pam_sm_open_session.3.xml: Likewise. + * doc/man/pam_sm_setcred.3.xml: Likewise. + * libpam/Makefile.am: Remove STATIC_MODULES cases. + * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. + * libpam/pam_dynamic.c: Likewise. + * libpam/pam_handlers.c: Likewise. + * libpam/pam_private.h: Likewise. + * libpam/pam_static.c: Remove file. + * libpam/pam_static_modules.h: Remove header file. + * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. + * modules/pam_cracklib/pam_cracklib.c: Likewise. + * modules/pam_debug/pam_debug.c: Likewise. + * modules/pam_deny/pam_deny.c: Likewise. + * modules/pam_echo/pam_echo.c: Likewise. + * modules/pam_env/pam_env.c: Likewise. + * modules/pam_exec/pam_exec.c: Likewise. + * modules/pam_faildelay/pam_faildelay.c: Likewise. + * modules/pam_filter/pam_filter.c: Likewise. + * modules/pam_ftp/pam_ftp.c: Likewise. + * modules/pam_group/pam_group.c: Likewise. + * modules/pam_issue/pam_issue.c: Likewise. + * modules/pam_keyinit/pam_keyinit.c: Likewise. + * modules/pam_lastlog/pam_lastlog.c: Likewise. + * modules/pam_limits/pam_limits.c: Likewise. + * modules/pam_listfile/pam_listfile.c: Likewise. + * modules/pam_localuser/pam_localuser.c: Likewise. + * modules/pam_loginuid/pam_loginuid.c: Likewise. + * modules/pam_mail/pam_mail.c: Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. + * modules/pam_motd/pam_motd.c: Likewise. + * modules/pam_namespace/pam_namespace.c: Likewise. + * modules/pam_nologin/pam_nologin.c: Likewise. + * modules/pam_permit/pam_permit.c: Likewise. + * modules/pam_pwhistory/pam_pwhistory.c: Likewise. + * modules/pam_rhosts/pam_rhosts.c: Likewise. + * modules/pam_rootok/pam_rootok.c: Likewise. + * modules/pam_securetty/pam_securetty.c: Likewise. + * modules/pam_selinux/pam_selinux.c: Likewise. + * modules/pam_sepermit/pam_sepermit.c: Likewise. + * modules/pam_shells/pam_shells.c: Likewise. + * modules/pam_stress/pam_stress.c: Likewise. 
+ * modules/pam_succeed_if/pam_succeed_if.c: Likewise. + * modules/pam_tally/pam_tally.c: Likewise. + * modules/pam_tally2/pam_tally2.c: Likewise. + * modules/pam_time/pam_time.c: Likewise. + * modules/pam_timestamp/pam_timestamp.c: Likewise. + * modules/pam_tty_audit/pam_tty_audit.c: Likewise. + * modules/pam_umask/pam_umask.c: Likewise. + * modules/pam_userdb/pam_userdb.c: Likewise. + * modules/pam_warn/pam_warn.c: Likewise. + * modules/pam_wheel/pam_wheel.c: Likewise. + * modules/pam_xauth/pam_xauth.c: Likewise. + * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. + * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. + * modules/pam_unix/pam_unix_auth.c: Likewise. + * modules/pam_unix/pam_unix_passwd.c: Likewise. + * modules/pam_unix/pam_unix_sess.c: Likewise. + * modules/pam_unix/pam_unix_static.c: Removed. + * modules/pam_unix/pam_unix_static.h: Removed. + * po/POTFILES.in: Remove removed files. + * tests/tst-dlopen.c: Remove PAM_STATIC part. + +2016-03-24 Thorsten Kukuk <kukuk@thkukuk.de> + + Fix check for libtirpc and enhance check for libnsl to include new libnsl. + * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check + * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_* + +2016-03-23 Thorsten Kukuk <kukuk@thkukuk.de> + + Remove YP dependencies from pam_access, they were never used and such not needed. + * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS + * modules/pam_access/pam_access.c: Remove yp_get_default_domain case, + it will never be used. + +2016-03-04 Tomas Mraz <tmraz@fedoraproject.org> + + Add checks for localtime() returning NULL. + * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r + returning NULL. + * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning + NULL. + + pam_unix: Silence warnings and fix a minor bug. + Fixes a minor bug in behavior when is_selinux_enabled() + returned negative value. 
+ + * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro. + (unix_update_shadow): Safe cast forwho to non-const char *. + * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro. + +2016-02-17 Tomas Mraz <tmraz@fedoraproject.org> + + pam_env: Document the /etc/environment file. + * modules/pam_env/Makefile.am: Add the environment.5 soelim stub. + * modules/pam_env/pam_env.8.xml: Add environ(7) reference. + * modules/pam_env/pam_env.conf.5.xml: Add environment alias name. + Add a paragraph about /etc/environment. Add environ(7) reference. + + pam_unix: Add no_pass_expiry option to ignore password expiration. + * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option. + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry + is on and return value data is not set to PAM_SUCCESS then ignore + PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the + return value data. + (pam_sm_setcred): Test for likeauth option and use the return value data + only if set. + * modules/pam_unix/support.h: Add the no_pass_expiry option. + +2016-01-25 Tomas Mraz <tmraz@fedoraproject.org> + + pam_unix: Change the salt length for new hashes to 16 characters. + * modules/pam_unix/passverify.c (create_password_hash): Change the + salt length for new hashes to 16 characters. + +2015-12-17 Tomas Mraz <tmraz@fedoraproject.org> + + Relax the conditions for fatal failure on auditing. + The PAM library calls will not fail anymore for any uid if the return + value from the libaudit call is -EPERM. + + * libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0. + +2015-12-16 Tomas Mraz <tmraz@fedoraproject.org> + + pam_tally2: Optionally log the tally count when checking. + * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option. + (tally_check): Always log the tally count with debug option. 
+ +2015-10-02 Jakub Hrozek <jakub.hrozek@posteo.se> + + Docfix: pam handle is const in pam_syslog() and pam_vsyslog() + * doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog(). + +2015-09-24 Tomas Mraz <tmraz@fedoraproject.org> + + pam_loginuid: Add syslog message if required auditd is not detected. + * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message + if required auditd is not detected. + +2015-09-04 Tomas Mraz <tmraz@fedoraproject.org> + + Allow links to be used instead of w3m for documentation regeneration. + * configure.ac: If w3m is not found check for links. + + Add missing space in pam_misc_setenv man page. + * doc/man/pam_misc_setenv.3.xml: Add a missing space. + +2015-08-12 Tomas Mraz <tmraz@fedoraproject.org> + + pam_rootok: use rootok permission instead of passwd permission in SELinux check. + * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of + passwd permission. + +2015-08-05 Amarnath Valluri <amarnath.valluri@intel.com> + + pam_timestamp: Avoid leaking file descriptor. + * modules/pam_timestamp/hmacsha1.c(hmac_key_create): + close 'keyfd' when failed to own it. + +2015-06-22 Thorsten Kukuk <kukuk@thkukuk.de> + + Release version 1.2.1. + Security fix: CVE-2015-3238 + + If the process executing pam_sm_authenticate or pam_sm_chauthtok method + of pam_unix is not privileged enough to check the password, e.g. + if selinux is enabled, the _unix_run_helper_binary function is called. + When a long enough password is supplied (16 pages or more, i.e. 65536+ + bytes on a system with 4K pages), this helper function hangs + indefinitely, blocked in the write(2) call while writing to a blocking + pipe that has a limited capacity. + With this fix, the verifiable password length will be limited to + PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. 
+ + * NEWS: Update + * configure.ac: Bump version + * modules/pam_exec/pam_exec.8.xml: document limitation of password length + * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE + * modules/pam_unix/pam_unix.8.xml: document limitation of password length + * modules/pam_unix/pam_unix_passwd.c: limit password length + * modules/pam_unix/passverify.c: Likewise + * modules/pam_unix/passverify.h: Likewise + * modules/pam_unix/support.c: Likewise + +2015-04-27 Thorsten Kukuk <kukuk@thkukuk.de> + + Update NEWS file. + + Release version 1.2.0. + * NEWS: Update + * configure.ac: Bump version + * libpam/Makefile.am: Bump version of libpam + * libpam_misc/Makefile.am: Bump version of libpam_misc + * po/*: Regenerate po files + + Fix some grammatical errors in documentation. Patch by Louis Sautier. + * doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors. + * doc/man/pam.3.xml: Likewise. + * doc/man/pam_acct_mgmt.3.xml: Likewise. + * doc/man/pam_chauthtok.3.xml: Likewise. + * doc/man/pam_sm_chauthtok.3.xml: Likewise. + * modules/pam_limits/limits.conf.5.xml: Likewise. + * modules/pam_mail/pam_mail.8.xml: Likewise. + * modules/pam_rhosts/pam_rhosts.c: Likewise. + * modules/pam_shells/pam_shells.8.xml: Likewise. + * modules/pam_tally/pam_tally.8.xml: Likewise. + * modules/pam_tally2/pam_tally2.8.xml: Likewise. + * modules/pam_unix/pam_unix.8.xml: Likewise. + +2015-04-23 Thorsten Kukuk <kukuk@thkukuk.de> + + Add "quiet" option to pam_unix to suppress informential info messages from session. + * modules/pam_unix/pam_unix.8.xml: Document new option. + * modules/pam_unix/support.h: Add quiet option. + * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if + 'quiet' option is set. + +2015-04-07 Tomas Mraz <tmraz@fedoraproject.org> + + Use crypt_r if available in pam_userdb and in pam_unix. + * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() + instead of crypt() if available. 
+ * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() + instead of crypt() if available. + +2015-03-25 Thorsten Kukuk <kukuk@thkukuk.de> + + Support alternative "vendor configuration" files as fallback to /etc (Ticket#34, patch from ay Sievers <kay@vrfy.org>) + * doc/man/pam.8.xml: document additonal config directory + * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory + * libpam/pam_private.h: adjust defines + + pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29) + * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries + * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL} + * modules/pam_env/pam_env.8.xml: Enhance documentation + +2015-03-24 Thorsten Kukuk <kukuk@thkukuk.de> + + Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39) + * modules/pam_access/access.conf.5.xml + * modules/pam_access/pam_access.8.xml + + Don't use sudo directory, the timestamp format is different (Ticket#32) + * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory. + + Enhance group.conf examples (Ticket#35) + * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry. + + Document timestampdir option (Ticket#33) + * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option. + + Adjust documentation (Ticket#36) + * libpam/pam_delay.c: Change 25% in comment to 50% as used in code. + * doc/man/pam_fail_delay.3.xml: Change 25% to 50% + +2015-02-18 Tomas Mraz <tmraz@fedoraproject.org> + + Updated translations from Transifex. + * po/*.po: Updated translations from Transifex. + +2015-01-07 Dmitry V. Levin <ldv@altlinux.org> + + build: raise gettext version requirement. + Raise gettext requirement to the latest oldstable version 0.18.3. + This fixes the following automake warning: + + configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged. 
+ configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead, + configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files. + + * configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3. + * po/Makevars: Update from gettext-0.18.3. + +2015-01-07 Ronny Chevalier <chevalier.ronny@gmail.com> + + build: adjust automake warning flags. + Enable all automake warning flags except for the portability issues, + since non portable features are used among the makefiles. + + * configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability. + +2015-01-07 Dmitry V. Levin <ldv@altlinux.org> + + build: rename configure.in to configure.ac. + This fixes the following automake warning: + aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in' + + * configure.in: Rename to configure.ac. + + Remove unmodified GNU gettext files installed by autopoint. + These files are part of GNU gettext; we have not modified them, they are + installed by autopoint which is called by autoreconf, so they had to be + removed from this repository along with ABOUT-NLS, config.rpath, and + mkinstalldirs files that were removed by commit + Linux-PAM-1_1_5-7-g542ec8b. + + * po/Makefile.in.in: Remove. + * po/Rules-quot: Likewise. + * po/boldquot.sed: Likewise. + * po/en@boldquot.header: Likewise. + * po/en@quot.header: Likewise. + * po/insert-header.sin: Likewise. + * po/quot.sed: Likewise. + * po/remove-potcdate.sin: Likewise. + * po/.gitignore: Ignore these files. + +2015-01-06 Ronny Chevalier <chevalier.ronny@gmail.com> + + Update .gitignore. + * .gitignore: Ignore *.log and *.trs files. + +2015-01-02 Luke Shumaker <lukeshu@sbcglobal.net> + + libpam: Only print "Password change aborted" when it's true. 
+ pam_get_authtok() may be used any time that a password needs to be entered, + unlike pam_get_authtok_{no,}verify(), which may only be used when + changing a password; yet when the user aborts, it prints "Password change + aborted." whether or not that was the operation being performed. + + This bug was non-obvious because none of the modules distributed with + Linux-PAM use it for anything but changing passwords; pam_unix has its + own utility function that it uses instead. As an example, the + nss-pam-ldapd package uses it in pam_sm_authenticate(). + + libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the + password is trying to be changed before printing a message about the + password change being aborted. + +2014-12-10 Dmitry V. Levin <ldv@altlinux.org> + + build: extend cross compiling check to cover CPPFLAGS (ticket #21) + Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in + case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS, + and BUILD_LDFLAGS variables introduced earlier to override CC, + CFLAGS, and LDFLAGS, respectively. + + * configure.in (BUILD_CPPFLAGS): Define. + * doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@. + +2014-12-09 Dmitry V. Levin <ldv@altlinux.org> + + Do not use yywrap (ticket #42) + Our scanners do not really use yywrap. Explicitly disable yywrap + so that no references to yywrap will be generated and no LEXLIB + would be needed. + + * conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove. + * conf/pam_conv1/pam_conv_l.l: Enable noyywrap option. + * doc/specs/Makefile.am (padout_LDADD): Remove. + * doc/specs/parse_l.l: Enable noyywrap option. + +2014-12-09 Kyle Manna <kyle@kylemanna.com> + + doc: fix a trivial typo in pam_authenticate return values (ticket #38) + * doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL. + +2014-12-09 Ronny Chevalier <chevalier.ronny@gmail.com> + + doc: fix typo in pam_authenticate.3.xml. 
+ * doc/man/pam_authenticate.3.xml: Fix typo. + +2014-10-17 Tomas Mraz <tmraz@fedoraproject.org> + + pam_succeed_if: Fix copy&paste error in rhost and tty values. + modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST + and PAM_TTY properly for the rhost and tty values. + + pam_succeed_if: Use long long type for numeric values. + The currently used long with additional conversion to int is + too small for uids and gids. + + modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace + strtol() with strtoll() and int with long long in the parameters + of comparison functions. + +2014-09-05 Tomas Mraz <tmraz@fedoraproject.org> + + Add grantor field to audit records of libpam. + The grantor field gives audit trail of PAM modules which granted access + for successful return from libpam calls. In case of failed return + the grantor field is set to '?'. + libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call. + libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise. + libpam/pam_password.c (pam_chauthtok): Likewise. + libpam/pam_session.c (pam_open_session, pam_close_session): Likewise. + libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, + add grantor= field to the message if grantors is set. + (_pam_list_grantors): New function creating the string with grantors list. + (_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() + to list the grantors from the handler list. + (_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call. + (pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog(). + libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate. + (_pam_clear_grantors): New function to clear grantor field of handler. + (_pam_dispatch): Call _pam_clear_grantors() before executing the stack. + Call _pam_auditlog() when appropriate. + libpam/pam_handlers.c (extract_modulename): Do not allow empty module name + or just "?" 
to avoid confusing audit trail. + (_pam_add_handler): Test for NULL return from extract_modulename(). + Clear grantor field of handler. + libpam/pam_private.h: Add grantor field to struct handler, add handler pointer + parameter to _pam_auditlog(). + +2014-08-26 Tomas Mraz <tmraz@fedoraproject.org> + + pam_mkhomedir: Drop superfluous stat() call. + modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous + stat() call. + + pam_exec: Do not depend on open() returning STDOUT_FILENO. + modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to + STDOUT_FILENO if needed. + +2014-08-25 Robin Hack <rhack@redhat.com> + + pam_keyinit: Check return value of setregid. + modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails. + + pam_filter: Avoid leaking descriptors when fork() fails. + modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails. + +2014-08-14 Robin Hack <rhack@redhat.com> + + pam_echo: Avoid leaking file descriptor. + modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases. + +2014-08-13 Robin Hack <rhack@redhat.com> + + pam_tty_audit: Silence Coverity reporting uninitialized use. + modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also + msg_flags. + +2014-08-13 Tomas Mraz <tmraz@fedoraproject.org> + + pam_tally2: Avoid uninitialized use of fileinfo. + Problem found by Robin Hack <rhack@redhat.com>. + modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size + just try to read it. + + pam_access: Avoid uninitialized access of line. + * modules/pam_access/pam_access.c (login_access): Reorder condition + so line is not accessed when uninitialized. + +2014-08-05 Tomas Mraz <tmraz@fedoraproject.org> + + pam_lastlog: Properly clean up last_login structure before use. + modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login + structure before use. 
+ +2014-07-21 Tomas Mraz <tmraz@fedoraproject.org> + + Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file. + * modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields + in opasswd entry and return error. + * modules/pam_unix/passverify.c (save_old_password): Test for missing fields + in opasswd entry and skip it. + +2014-07-01 Dmitry V. Levin <ldv@altlinux.org> + + doc: add missing build dependencies for soelim stubs. + * doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for + pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs. + +2014-06-23 Dmitry V. Levin <ldv@altlinux.org> + + doc: fix install in case of out of tree build (ticket #31) + * doc/adg/Makefile.am (install-data-local, releasedocs): Fall back + to srcdir if documentation files haven't been found in builddir. + (releasedocs): Treat missing documentation files as an error. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. + +2014-06-19 Dmitry V. Levin <ldv@altlinux.org> + + doc: fix installation of adg-*.html and mwg-*.html files (ticket #31) + Fix a typo due to which sag-*.html files might be installed instead of + adg-*.html and mwg-*.html files. + + * doc/adg/Makefile.am (install-data-local): Install adg-*.html instead + of sag-*.html. + * doc/mwg/Makefile.am (install-data-local): Install mwg-*.html instead + of sag-*.html. + + Patch-by: Mike Frysinger <vapier@gentoo.org> + +2014-06-19 Tomas Mraz <tmraz@fedoraproject.org> + + pam_limits: nofile refers to file descriptors not files. + modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit. + modules/pam_limits/limits.conf: Likewise. + + pam_limits: clarify documentation of maxlogins and maxsyslogins limits. + modules/pam_limits/limits.conf.5.xml: clarify documentation of + maxlogins and maxsyslogins limits. + + pam_unix: Check for NULL return from Goodcrypt_md5(). 
+ modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for + NULL return from Goodcrypt_md5(). + + pam_unix: check for NULL return from malloc() + * modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc(). + +2014-05-22 Tomas Mraz <tmraz@fedoraproject.org> + + pam_loginuid: Document one more possible case of PAM_IGNORE return. + modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case + of PAM_IGNORE return value. + + pam_loginuid: Document other possible return values. + modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return + values. + +2014-03-26 Dmitry V. Levin <ldv@altlinux.org> + + pam_timestamp: fix potential directory traversal issue (ticket #27) + pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of + the timestamp pathname it creates, so extra care should be taken to + avoid potential directory traversal issues. + + * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat + "." and ".." tty values as invalid. + (get_ruser): Treat "." and ".." ruser values, as well as any ruser + value containing '/', as invalid. + + Fixes CVE-2014-2583. + + Reported-by: Sebastian Krahmer <krahmer@suse.de> + +2014-03-20 Tomas Mraz <tmraz@fedoraproject.org> + + pam_userdb: document that .db suffix should not be used. + modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix + should not be used and correct the example. + +2014-03-11 Tomas Mraz <tmraz@fedoraproject.org> + + pam_selinux: canonicalize user name. + SELinux expects canonical user name for example without domain component. + + * modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam(). + +2014-01-28 Dmitry V. Levin <ldv@altlinux.org> + + Change tarball name back to "Linux-PAM" + As a side effect of commit Linux-PAM-1_1_8-11-g3fa23ce, tarball name + changed accidentally from "Linux-PAM" to "linux-pam". + This change brings it back to "Linux-PAM". 
+ + * configure.in (AC_INIT): Explicitly specify TARNAME argument. + +2014-01-27 Dmitry V. Levin <ldv@altlinux.org> + + Introduce pam_modutil_sanitize_helper_fds. + This change introduces pam_modutil_sanitize_helper_fds - a new function + that redirects standard descriptors and closes all other descriptors. + + pam_modutil_sanitize_helper_fds supports three types of input and output + redirection: + - PAM_MODUTIL_IGNORE_FD: do not redirect at all. + - PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented + by creating a pipe, closing its write end, and redirecting stdin to + its read end. Likewise, for stdout/stderr it is implemented by + creating a pipe, closing its read end, and redirecting to its write + end. Unlike stdin redirection, stdout/stderr redirection to a pipe + has a side effect that a process writing to such descriptor should be + prepared to handle SIGPIPE appropriately. + - PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is + implemented via PAM_MODUTIL_PIPE_FD because there is no functional + difference. For stdout/stderr, it is classic redirection to + /dev/null. + + PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel + security restrictions, but when the helper process might be writing to + the corresponding descriptor and termination of the helper process by + SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD. + + * libpam/pam_modutil_sanitize.c: New file. + * libpam/Makefile.am (libpam_la_SOURCES): Add it. + * libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd, + pam_modutil_sanitize_helper_fds): New declarations. + * libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface. + * modules/pam_exec/pam_exec.c (call_exec): Use + pam_modutil_sanitize_helper_fds. + * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise. + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. + * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): + Likewise. 
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. + * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise. + * modules/pam_unix/support.h (MAX_FD_NO): Remove. + + pam_xauth: avoid potential SIGPIPE when writing to xauth process. + Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8. + + * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process, + close the read end of input pipe after writing to its write end. + + pam_loginuid: log significant loginuid write errors. + * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors + during /proc/self/loginuid update that are not ignored. + + Fix gratuitous use of strdup and x_strdup. + There is no need to copy strings passed as arguments to execve, + the only potentially noticeable effect of using strdup/x_strdup + would be a malformed argument list in case of memory allocation error. + + Also, x_strdup, being a thin wrapper around strdup, is of no benefit + when its argument is known to be non-NULL, and should not be used in + such cases. + + * modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup + instead of x_strdup, the latter is of no benefit in this case. + * modules/pam_ftp/pam_ftp.c (lookup): Likewise. + * modules/pam_userdb/pam_userdb.c (user_lookup): Likewise. + * modules/pam_userdb/pam_userdb.h (x_strdup): Remove. + * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use + x_strdup for strings passed as arguments to execve. + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. + * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. + * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. + (_unix_verify_password): Use strdup instead of x_strdup, the latter + is of no benefit in this case. + * modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for + strings passed as arguments to execv. + + pam_userdb: fix password hash comparison. 
+ Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed + passwords support in pam_userdb, hashes are compared case-insensitively. + This bug leads to accepting hashes for completely different passwords in + addition to those that should be accepted. + + Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for + modern password hashes with different lengths and settings, did not + update the hash comparison accordingly, which leads to accepting + computed hashes longer than stored hashes when the latter is a prefix + of the former. + + * modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed + hash whose length differs from the stored hash length. + Compare computed and stored hashes case-sensitively. + Fixes CVE-2013-7041. + + Bug-Debian: http://bugs.debian.org/731368 + +2014-01-24 Dmitry V. Levin <ldv@altlinux.org> + + pam_xauth: log fatal errors preventing xauth process execution. + * modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe() + and fork() calls. + +2014-01-22 Dmitry V. Levin <ldv@altlinux.org> + + pam_loginuid: cleanup loginuid buffer initialization. + * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid + buffer initialization closer to its first use. + + libpam_misc: fix an inconsistency in handling memory allocation errors. + When misc_conv fails to allocate memory for pam_response array, it + returns PAM_CONV_ERR. However, when read_string fails to allocate + memory for a response string, it loses the response string and silently + ignores the error, with net result as if EOF has been read. + + * libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup, + the latter is of no benefit in this case. + Do not ignore potential memory allocation errors returned by strdup, + forward them to misc_conv. + +2014-01-20 Dmitry V. Levin <ldv@altlinux.org> + + pam_limits: fix utmp->ut_user handling. 
+ ut_user member of struct utmp is a string that is not necessarily + null-terminated, so extra care should be taken when using it. + + * modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to + a null-terminated string and consistently use it where a null-terminated + string is expected. + + pam_mkhomedir: check and create home directory for the same user (ticket #22) + Before pam_mkhomedir helper was introduced in commit + 7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for + existance and creating the same directory - the home directory of the + user NAME returned by pam_get_item(PAM_USER). + + The change in behaviour accidentally introduced along with + mkhomedir_helper is not consistent: while the module still checks for + getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is + getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily + the same as the directory being checked. + + This change brings check and creation back in sync, both handling + getpwnam(NAME)->pw_dir. + + * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace + "struct passwd *" argument with user's name and home directory. + Pass user's name to MKHOMEDIR_HELPER. + (pam_sm_open_session): Update create_homedir call. + +2014-01-20 Tomas Mraz <tmraz@fedoraproject.org> + + pam_limits: detect and ignore stale utmp entries. + Original idea by Christopher Hailey + + * modules/pam_limits/pam_limits.c (check_logins): Use kill() to + detect if pid of the utmp entry is still running and ignore the entry + if it is not. + +2014-01-19 Stéphane Graber <stgraber@ubuntu.com> + + pam_loginuid: Always return PAM_IGNORE in userns. + The previous patch to support user namespaces works fine with containers + that are started from a desktop/terminal session but fails when dealing + with containers that were started from a remote session such as ssh. 
+ + I haven't looked at the exact reason for that in the kernel but on the + userspace side of things, the difference is that containers started from + an ssh session will happily let pam open /proc/self/loginuid read-write, + will let it read its content but will then fail with EPERM when trying + to write to it. + + So to make the userns support bullet proof, this commit moves the userns + check earlier in the function (which means a small performance impact as + it'll now happen everytime on kernels that have userns support) and will + set rc = PAM_IGNORE instead of rc = PAM_ERROR. + + The rest of the code is still executed in the event that PAM is run on a + future kernel where we have some kind of audit namespace that includes a + working loginuid. + +2014-01-15 Steve Langasek <vorlon@debian.org> + + pam_namespace: don't use bashisms in default namespace.init script. + * modules/pam_namespace/pam_namespace.c: call setuid() before execing the + namespace init script, so that scripts run with maximum privilege regardless + of the shell implementation. + * modules/pam_namespace/namespace.init: drop the '-p' bashism from the + shebang line + + This is not a POSIX standard option, it's a bashism. The bash manpage says + that it's used to prevent the effective user id from being reset to the real + user id on startup, and to ignore certain unsafe variables from the + environment. + + In the case of pam_namespace, the -p is not necessary for environment + sanitizing because the PAM module (properly) sanitizes the environment + before execing the script. + + The stated reason given in CVS history for passing -p is to "preserve euid + when called from setuid apps (su, newrole)." This should be done more + portably, by calling setuid() before spawning the shell. + + Bug-Debian: http://bugs.debian.org/624842 + Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323 + +2014-01-10 Stéphane Graber <stgraber@ubuntu.com> + + pam_loginuid: Ignore failure in user namespaces. 
+ When running pam_loginuid in a container using the user namespaces, even + uid 0 isn't allowed to set the loginuid property. + + This change catches the EACCES from opening loginuid, checks if the user + is in the host namespace (by comparing the uid_map with the host's one) + and only if that's the case, sets rc to 1. + + Should uid_map not exist or be unreadable for some reason, it'll be + assumed that the process is running on the host's namespace. + + The initial reason behind this change was failure to ssh into an + unprivileged container (using a 3.13 kernel and current LXC) when using + a standard pam profile for sshd (which requires success from + pam_loginuid). + + I believe this solution doesn't have any drawback and will allow people + to use unprivileged containers normally. An alternative would be to have + all distros set pam_loginuid as optional but that'd be bad for any of + the other potential failure case which people may care about. + + There has also been some discussions to get some of the audit features + tied with the user namespaces but currently none of that has been merged + upstream and the currently proposed implementation doesn't cover + loginuid (nor is it clear how this should even work when loginuid is set + as immutable after initial write). + +2014-01-10 Dmitry V. Levin <ldv@altlinux.org> + + pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist. + When /proc/self/loginuid does not exist, return PAM_IGNORE instead of + PAM_SUCCESS, so that we can distinguish between "loginuid set + successfully" and "loginuid not set, but this is expected". + + Suggested by Steve Langasek. + + * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return + code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid + does not exist, PAM_SESSION_ERR in case of any other error. + (_pam_loginuid): Forward the PAM error code returned by set_loginuid. + +2013-11-20 Dmitry V. 
Levin <ldv@altlinux.org> + + pam_access: fix debug level logging (ticket #19) + * modules/pam_access/pam_access.c (group_match): Log the group token + passed to the function, not an uninitialized data on the stack. + + pam_warn: log flags passed to the module (ticket #25) + * modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and + log it using pam_syslog. + (pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok, + pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass + "flags" argument to log_items. + + Modernize AM_INIT_AUTOMAKE invocation. + Before this change, automake complained that two- and three-arguments + forms of AM_INIT_AUTOMAKE are deprecated. + + * configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead + of AM_INIT_AUTOMAKE. + + Fix autoconf warnings. + Before this change, autoconf complained that AC_COMPILE_IFELSE + and AC_RUN_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS. + + * configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT. + + pam_securetty: check return value of fgets. + Checking return value of fgets not only silences the warning from glibc + but also leads to a cleaner code. + + * modules/pam_securetty/pam_securetty.c (securetty_perform_check): + Check return value of fgets. + + pam_lastlog: fix format string. + gcc -Wformat justly complains: + format '%d' expects argument of type 'int', but argument 5 has type 'time_t' + + * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format + string. + +2013-11-20 Darren Tucker <dtucker@zip.com.au> + + If the correct loginuid is set already, skip writing it. + modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid + and skip writing if already correctly set. + +2013-11-11 Thorsten Kukuk <kukuk@thkukuk.de> + + Always ask for old password if changing NIS account. + * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask + for old password if NIS account. 
+ +2013-11-08 Thorsten Kukuk <kukuk@thkukuk.de> + + Allow DES as compatibility option for /etc/login.defs. + * modules/pam_unix/support.h: Add UNIX_DES + +2013-10-14 Tomas Mraz <tmraz@fedoraproject.org> + + Docfix: pam_prompt() and pam_vprompt() return int. + doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int. + + Make pam_tty_audit work with old kernels not supporting log_passwd. + modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros + if message is short from older kernel. + +2013-09-25 Tomas Mraz <tmraz@fedoraproject.org> + + Fix pam_tty_audit log_passwd support and regression. + modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include. + (pam_sm_open_session): Always copy the old status as initialization of new. + +2013-09-19 Thorsten Kukuk <kukuk@thkukuk.de> + + Release version 1.1.8. + +2013-09-16 Thorsten Kukuk <kukuk@thkukuk.de> + + Check return value of setuid to remove glibc warnings. + * modules/pam_unix/pam_unix_acct.c: Check setuid return value. + * modules/pam_unix/support.c: Likewise. + +2013-09-13 Tomas Mraz <tmraz@fedoraproject.org> + + Write to *rounds only if non-NULL. + modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL. + + Add missing ')' + modules/pam_unix/pam_unix_passwd.c: Add missing ')'.. + +2013-09-11 Thorsten Kukuk <kukuk@thkukuk.de> + + Release version 1.1.7. + +2013-09-11 Tomas Mraz <tmraz@fedoraproject.org> + + Updated translations from Transifex. + po/*.po: Updated translations from Transifex. + +2013-09-04 Thorsten Kukuk <kukuk@thkukuk.de> + + Extend pam_exec by stdout and type= options (ticket #8): + * modules/pam_exec/pam_exec.c: Add stdout and type= option + * modules/pam_exec/pam_exec.8.xml: Document new options + +2013-08-30 Thorsten Kukuk <kukuk@thkukuk.de> + + Fix compile error. 
+ * modules/pam_unix/pam_unix_acct.c: fix last change + +2013-08-29 Thorsten Kukuk <kukuk@thkukuk.de> + + Restart waitpid if it returns with EINTR (ticket #17) + * modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop. + * modules/pam_unix/pam_unix_passwd.c: Likewise. + * modules/pam_unix/support.c: Likewise. + +2013-08-28 Thorsten Kukuk <kukuk@thkukuk.de> + + misc_conv.3: Fix documentation of misc_conv. + doc/man/misc_conv.3.xml: Fix return value of misc_conv + +2013-08-23 Tomas Mraz <tmraz@fedoraproject.org> + + Apply the exclusive check in pam_sepermit only when loginuid not set. + * modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from + /proc + (sepermit_match): Apply the exclusive check only when loginuid not set. + +2013-08-22 Tomas Mraz <tmraz@fedoraproject.org> + + Updated translations from Transifex. + * po/*.po: Updated translations from Transifex. + +2013-07-02 Dmitry V. Levin <ldv@altlinux.org> + + pam_rootok: fix linking in --enable-audit mode. + pam_rootok.c explicitly uses functions from libaudit, so the module has + to be linked with the library. + + * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@. + +2013-07-01 Richard Guy Briggs <rgb@redhat.com> + + pam_tty_audit: fix a typo that crept in during patch review. + * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace + all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with + HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD. + * configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove. + +2013-06-21 Richard Guy Briggs <rgb@redhat.com> + + pam_tty_audit: add an option to control logging of passwords: log_passwd + Most commands are entered one line at a time and processed as complete lines + in non-canonical mode. Commands that interactively require a password, enter + canonical mode with echo set to off to do this. This feature (icanon and + !echo) can be used to avoid logging passwords by audit while still logging the + rest of the command. 
Adding a member to the struct audit_tty_status passed in + by pam_tty_audit allows control of logging passwords per task. + + * configure.in: autoconf bits to conditionally add support at compile time + depending on struct audit_tty_status kernel header version. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module + log_passwd option. + * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added + "log_passwd" option parsing. + +2013-06-20 Tomas Mraz <tmraz@fedoraproject.org> + + Man page fix - unix_update runs in the permissive mode as well. + modules/pam_unix/unix_update.8.xml: unix_update helper runs in the + permissive mode as well. + +2013-06-18 Thorsten Kukuk <kukuk@orinoco.thkukuk.de> + + Use hash from /etc/login.defs as default if no other one is specified as argument. + * modules/pam_unix/support.c: Add search_key, call from __set_ctrl + * modules/pam_unix/support.h: Add define for /etc/login.defs + * modules/pam_unix/pam_unix.8.xml: Document new behavior. + * modules/pam_umask/pam_umask.c: Add missing NULL pointer check + +2013-04-12 Tomas Mraz <tmraz@fedoraproject.org> + + pam_access: better not change the default function used to get domain name. + modules/pam_access/pam_access.c (netgroup_match): As we did not use + yp_get_default_domain() in the 1.1 branch due to typo in ifdef + we should use it only as fallback. + +2013-03-28 Tomas Mraz <tmraz@fedoraproject.org> + + Fix strict aliasing issue in MD5 implementations. + modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment. + modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment. + +2013-03-22 Tomas Mraz <tmraz@fedoraproject.org> + + pam_lastlog: Do not fail on short read if btmp is corrupted. + modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail + on short read or read error. 
+ + pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux + modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions. + (check_for_root): Use the selinux_check_root() instead of checkPasswdAccess. + +2013-02-08 Tomas Mraz <tmraz@fedoraproject.org> + + Add checks for crypt() returning NULL. + modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. + modules/pam_unix/bigcrypt.c (bigcrypt): Likewise. + +2013-02-07 Tomas Mraz <tmraz@fedoraproject.org> + + pam_userdb: Allow also modern password hashes supported by crypt(). + modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes + longer than 13 characters and long salt. + +2013-01-18 Walter de Jong <walter.dejong@surfsara.nl> + + pam_access: fix typo in ifdef. + modules/pam_access/pam_access.c (netgroup_match): Fix typo + in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN. + +2012-12-20 Tomas Mraz <tmraz@fedoraproject.org> + + pam_cracklib: Mention checks that are not run for root. + modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks + when run as root. + + Update also the POT file. + po/Linux-PAM.pot: Update to reflect current sources. + +2012-12-12 Tomas Mraz <tmraz@fedoraproject.org> + + Updated translations from Transifex, added new languages. + po/LINGUAS: Added new languages. + po/*.po: Updated translations from Transifex including new languages. + +2012-11-30 Tomas Mraz <tmraz@fedoraproject.org> + + pam_selinux: Drop obsolete and unsupported manual context selection. + modules/pam_selinux/pam_selinux.c (manual_context): Drop function. + (compute_exec_context): Drop manual_context() call. + +2012-11-23 Tomas Mraz <tmraz@fedoraproject.org> + + pam_limits: fix grammatical mistake. + modules/pam_limits/limits.conf: Fix grammatical mistake. + +2012-11-13 Tomas Mraz <tmraz@fedoraproject.org> + + Reflect the enforce_for_root semantics change in pam_pwhistory xtest. 
+ xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is + running with real uid == 0. + +2012-10-10 Dmitry V. Levin <ldv@altlinux.org> + + pam_unix: fix build in --enable-selinux mode. + glibc's <sys/wait.h> starting with commit + http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467 + does not include <sys/resource.h> for POSIX 2008 conformance reasons, so + when pam is being built with SELinux support enabled, pam_unix_passwd.c + uses getrlimit(2) and therefore should include <sys/resource.h> without + relying on other headers. + + * modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>. + + Reported-by: Guido Trentalancia <guido@trentalancia.com> + Reported-by: "Jory A. Pratt" <anarchy@gentoo.org> + Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu> + +2012-10-10 Tomas Mraz <tmraz@fedoraproject.org> + + pam_namespace: add mntopts flag for tmpfs mount options. + modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir + structure. + modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts. + (parse_method): Parse the mntopts flag. + (ns_setup): Pass the mount_opts to mount(). + modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag. + +2012-09-06 Tomas Mraz <tmraz@fedoraproject.org> + + pam_selinux, pam_tally2: Add tty and rhost to audit data. + modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and + rhost from PAM items and pass them to audit. + modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and + rhost from PAM items and pass them to audit. + (main): Obtain tty name of stdin and pass it to audit. + + Update configure.in to use more recent interfaces. + configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead + of AC_HELP_STRING. + +2012-08-17 Tomas Mraz <tmraz@fedoraproject.org> + + Add missing $(DESTDIR) when making directories on install. 
+ modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making + $(namespaceddir) on install. + modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making + $(sepermitlockdir) on install. + +2012-08-17 Thorsten Kukuk <kukuk@orinoco.thkukuk.de> + + release version 1.1.6. + configure.in: Bump version to 1.1.6 + NEWS: Document changes + po/*.po: Regenerate *.po files + +2012-08-16 Thorsten Kukuk <kukuk@thkukuk.de> + + Small documentation and define fixes. + modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10] + modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary + modules/pam_pwhistory/pam_pwhistory.c: Document how the module works + modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6] + +2012-08-13 Tomas Mraz <tmraz@fedoraproject.org> + + Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify(). + libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE + item when obtained from module options. + (pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting. + +2012-08-09 Tomas Mraz <tmraz@fedoraproject.org> + + Document limits.d also in the limits.conf manpage. + modules/pam_limits/limits.conf.5.xml: Document the limits.d existence. + +2012-07-23 Tomas Mraz <tmraz@fedoraproject.org> + + New autotools do not create empty directories on install. + modules/pam_namespace/Makefile.am: Add install-data-local target to create + namespaceddir. + modules/pam_sepermit/Makefile.am: Add install-data-local target to create + sepermitlockdir. + +2012-07-09 Stevan Bajić <stevan@bajic.ch> + + RLIMIT_* variables are no longer defined unless you explicitly include sys/resource.h. + + modules/pam_unix/pam_unix_acct.c: Include sys/resource.h. + +2012-06-27 Tomas Mraz <tmraz@fedoraproject.org> + + pam_umask: correct the documentation of GECOS field parsing. + modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field + parsing. 
+ +2012-06-22 Tomas Mraz <tmraz@fedoraproject.org> + + pam_cracklib: Add monotonic character sequence checking. + modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option. + (sequence): New function to check for too long monotonic sequence of characters. + (password_check): Call the sequence(). + modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check. + +2012-06-01 Tomas Mraz <tmraz@fedoraproject.org> + + pam_timestamp: Fix copy&paste error in manpage. + modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section. + +2012-05-28 Tomas Mraz <tmraz@fedoraproject.org> + + Pulled new translations from Transifex. + po/*.po: Updated translations. + + pam_pwhistory: Always record the old password even when root changes it. + modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of + the process instead of the target user UID (same as in pam_cracklib) to + check for root. Always record old password. + +2012-05-24 Tomas Mraz <tmraz@fedoraproject.org> + + pam_cracklib: Add enforce_for_root option. + modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option. + (pam_sm_chauthtok): Enforce errors for root with the option. + modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option. + +2012-04-30 Tomas Mraz <tmraz@fedoraproject.org> + + pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore. + modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option. + (simple): Add the check for the same class repetition. + (usercheck): Refactor into wordcheck(). + (gecoscheck): New test for words from the GECOS field. + (password_check): Call the gecoscheck(). + (pam_sm_chauthtok): Drop the diff_ignore from options struct. + modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test. 
+ + pam_lastlog: Never lock out the root account. + modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if + uid==0. + modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation. + +2012-04-17 Tomas Mraz <tmraz@fedoraproject.org> + + pam_lastlog: add possibility to lock out inactive users in auth or account + * modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and + option. + * modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out. + (_pam_session_parse): Renamed from _pam_parse. + (_pam_auth_parse): New function to parse auth arguments. + (_last_login_open): Factor out opening of the lastlog file. + (_last_login_read): Factor out opening of the lastlog file. + (pam_sm_authenticate): Implement the lockout functionality. + (pam_sm_setcred): Just return PAM_SUCCESS. + (pam_sm_acct_mgmt): Call pam_sm_authenticate(). + +2012-04-11 Paul Wouters <pwouters@redhat.com> + + Check for crypt() failure returning NULL. + * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message. + * modules/pam_unix/passverify.c (create_password_hash): Check for crypt() + returning NULL. + +2012-02-03 Dmitry V. Levin <ldv@altlinux.org> + + pam_unix: make configuration consistent in --enable-static-modules mode. + In --enable-static-modules mode, it was not possible to use "pam_unix" + in PAM config files. Instead, different names had to be used for each + management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and + pam_unix_session. This change makes pam_unix configuration consistent + with other PAM modules. + + * README: Remove the paragraph describing pam_unix distinctions in + --enable-static-modules mode. + * libpam/pam_static_modules.h (_pam_unix_acct_modstruct, + _pam_unix_auth_modstruct, _pam_unix_passwd_modstruct, + _pam_unix_session_modstruct): Remove. + (_pam_unix_modstruct): New pam_module declaration. + * modules/pam_unix/pam_unix_static.h: New file. 
+ * modules/pam_unix/pam_unix_static.c: Likewise. + * modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h + (pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c + * modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include + pam_unix_static.h + [PAM_STATIC] (_pam_unix_acct_modstruct): Remove. + * modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include + pam_unix_static.h + [PAM_STATIC] (_pam_unix_auth_modstruct): Remove. + * modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include + pam_unix_static.h + [PAM_STATIC] (_pam_unix_passwd_modstruct): Remove. + * modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include + pam_unix_static.h + [PAM_STATIC] (_pam_unix_session_modstruct): Remove. + + Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru> + +2012-01-27 Dmitry V. Levin <ldv@altlinux.org> + + Make --disable-cracklib compatible with --enable-static-modules mode. + * configure.in: Define HAVE_LIBCRACK when cracklib is enabled. + * libpam/pam_static_modules.h (static_modules): Guard the use of + _pam_cracklib_modstruct by HAVE_LIBCRACK macro. + +2012-02-10 Tomas Mraz <tmraz@fedoraproject.org> + + Add missing includes for types used in the pam_modutil.h. + * libpam/include/security/pam_modutil.h: Add missing includes for used types. + +2012-01-27 Matveychikov Ilya <i.matveychikov@securitycode.ru> + + Fix compile time errors in --enable-static-modules mode. + * libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove + obsolete declaration. + (static_modules): Remove undefined reference to + _pam_rhosts_auth_modstruct. + * modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to + {save,check}_old_pass in order to avoid conflicts with pam_unix. + * modules/pam_pwhistory/opasswd.c: Likewise. + * modules/pam_pwhistory/pam_pwhistory.c: Likewise. + * modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to + _pam_tally2_modstruct. + +2012-01-26 Dmitry V. 
Levin <ldv@altlinux.org> + + Fix SUBDIRS for --enable-static-modules mode. + There is no way to build "modules" subdirectory before "libpam" anyway. + In STATIC_MODULES mode, "libpam" subdirectory must be built twice to + produce a usable libpam.a without undefined references to multiple + _pam_*_modstruct symbols. + + * Makefile.am: Use default SUBDIRS in STATIC_MODULES mode. + +2012-01-26 Matveychikov Ilya <i.matveychikov@securitycode.ru> + + configure: fix typo in --disable-nis help string. + * configure.in: Change '-disable-nis' to '--disable-nis'. + +2012-01-26 Tomas Mraz <tmraz@fedoraproject.org> + + Do not unmount anything by default in pam_namespace close session call. + * modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize + the unmount_on_close option and make the default to be to not unmount. + * modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to + PAMNS_UNMOUNT_ON_CLOSE. + * modules/pam_namespace/pam_namespace.8.xml: Document the change. + +2012-01-24 Tomas Mraz <tmraz@fedoraproject.org> + + Make / mount as rslave instead of bind mounting polydirs. + * modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument. + (check_inst_parent): Drop the always argument from protect_dir(). + (create_polydir): Likewise. + (ns_setup): Likewise and do not mark the polydir with MS_PRIVATE. + (setup_namespace): Mark the / with MS_SLAVE|MS_REC. + * modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs. + +2012-01-13 Tomas Mraz <tmraz@fedoraproject.org> + + Add possibility to match ruser, rhost, and tty in pam_succeed_if. + * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser, + rhost, and tty as left operand. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new + possible left operands. + +2012-01-03 Tomas Mraz <tmraz@fedoraproject.org> + + Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam. 
+ + Fix matching of usernames in the pam_unix remember feature. + * modules/pam_unix/pam_unix_passwd.c (check_old_password): Make + sure we match only the whole username in opasswd entry. + * modules/pam_unix/passverify.c (save_old_password): Likewise make + sure we match only the whole username in opasswd entry. + +2011-12-26 Dmitry V. Levin <ldv@altlinux.org> + + pam_start: fix memory leak on error path. + * libpam/pam_start.c (pam_start): If _pam_make_env() or + _pam_init_handlers() returned an error, release the memory allocated + for pam_conv structure. + + Patch-by: cancel <suntsu@yandex.ru>. + +2011-11-03 Dmitry V. Levin <ldv@altlinux.org> + + pam_selinux.8.xml: update. + * modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis): + Reorder options, add new "restore" option. + pam_selinux-description): Rewrite. + (pam_selinux-options): Reorder options, describe new "restore" option. + (pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR + and PAM_BUF_ERR. + (pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4) + and selinux(8). + + pam_selinux.c: add "restore" option. + * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new + "restore" option. + + pam_selinux.c: rewrite using pam_get_data/pam_set_data. + * modules/pam_selinux/pam_selinux.c (security_restorelabel_tty, + security_label_tty): Remove old functions. + (module_data_t): New structure. + (free_module_data, cleanup, get_module_data, get_item, + set_exec_context, set_file_context, compute_exec_context, + compute_tty_context, restore_context, set_context, + create_context): New functions. + (pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session, + pam_sm_close_session): Use them. + +2011-10-28 Dmitry V. Levin <ldv@altlinux.org> + + Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc. + GNU automake documentation recommends to avoid using -l options in + LDADD or LIBADD when referring to libraries built by the package. 
+ Instead, it recommends to write the file name of the library explicitly, + and use -l option only to list third-party libraries. As result, the + default value of *_DEPENDENCIES will list all local libraries and omit + the other ones. + * modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace + "-L$(top_builddir)/libpam -lpam" with + "$(top_builddir)/libpam/libpam.la", to follow GNU automake + recommendations. + * modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise. + * modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise. + * modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise. + * modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise. + * modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise. + * modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise. + * modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise. + * modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise. + * modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise. + * modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise. + * modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise. + * modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise. + * modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise. + * modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise. + * modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise. + * modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise. + * modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise. + * modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise. + * modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise. + * modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD, + mkhomedir_helper_LDADD): Likewise. + * modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise. + * modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise. 
+ * modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise. + * modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise. + * modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise. + * modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise. + * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise. + * modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise. + * modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise. + * modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise. + * modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise. + * modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD): + Likewise. + * modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise. + * modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD, + pam_tally2_LDADD): Likewise. + * modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise. + * modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD, + pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise. + * modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise. + * modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise. + * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise. + * modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise. + * modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise. + * modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise. + * modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise. + * tests/Makefile.am (LDADD): Likewise. + * examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam" + with "$(top_builddir)/libpam/libpam.la", and + "-L$(top_builddir)/libpam_misc -lpam_misc" with + "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake + recommendations. + * xtests/Makefile.am (LDADD): Likewise. + * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise. + + Fix usage of LIBADD, LDADD and LDFLAGS. 
+ * modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to + pam_selinux_check_LDADD. + * modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from + AM_LDFLAGS. + * modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from + AM_LDFLAGS. + * modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from + AM_LDFLAGS. + * modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from + AM_LDFLAGS. + * xtests/Makefile.am: Rename AM_LDFLAGS to LDADD. + +2011-10-27 Dmitry V. Levin <ldv@altlinux.org> + + Update .gitignore files. + * .gitignore: Add common ignore patterns. + * m4/.gitignore: Unignore local m4 files. + * dynamic/.gitignore: Unignore Makefile. + * libpamc/test/modules/.gitignore: Likewise. + * libpamc/test/regress/.gitignore: Likewise. + * po/.gitignore: Add Makevars.template. + * conf/.gitignore: Remove common ignore patterns. + * conf/pam_conv1/.gitignore: Likewise. + * doc/.gitignore: Likewise. + * doc/specs/.gitignore: Likewise. + * doc/specs/formatter/.gitignore: Likewise. + * examples/.gitignore: Likewise. + * modules/pam_filter/upperLOWER/.gitignore: Likewise. + * modules/pam_mkhomedir/.gitignore: Likewise. + * modules/pam_selinux/.gitignore: Likewise. + * modules/pam_stress/.gitignore: Likewise. + * modules/pam_tally/.gitignore: Likewise. + * modules/pam_tally2/.gitignore: Likewise. + * modules/pam_timestamp/.gitignore: Likewise. + * modules/pam_unix/.gitignore: Likewise. + * tests/.gitignore: Likewise. + * xtests/.gitignore: Likewise. + * doc/adg/.gitignore: Remove. + * doc/man/.gitignore: Remove. + * doc/mwg/.gitignore: Remove. + * doc/sag/.gitignore: Remove. + * libpamc/.gitignore: Remove. + * libpamc/test/.gitignore: Remove. + * libpam/.gitignore: Remove. + * libpam_misc/.gitignore: Remove. + * modules/.gitignore: Remove. + * modules/pam_access/.gitignore: Remove. + * modules/pam_cracklib/.gitignore: Remove. + * modules/pam_debug/.gitignore: Remove. + * modules/pam_deny/.gitignore: Remove. 
+ * modules/pam_echo/.gitignore: Remove. + * modules/pam_env/.gitignore: Remove. + * modules/pam_exec/.gitignore: Remove. + * modules/pam_faildelay/.gitignore: Remove. + * modules/pam_filter/.gitignore: Remove. + * modules/pam_ftp/.gitignore: Remove. + * modules/pam_group/.gitignore: Remove. + * modules/pam_issue/.gitignore: Remove. + * modules/pam_keyinit/.gitignore: Remove. + * modules/pam_lastlog/.gitignore: Remove. + * modules/pam_limits/.gitignore: Remove. + * modules/pam_listfile/.gitignore: Remove. + * modules/pam_localuser/.gitignore: Remove. + * modules/pam_loginuid/.gitignore: Remove. + * modules/pam_mail/.gitignore: Remove. + * modules/pam_motd/.gitignore: Remove. + * modules/pam_namespace/.gitignore: Remove. + * modules/pam_nologin/.gitignore: Remove. + * modules/pam_permit/.gitignore: Remove. + * modules/pam_pwhistory/.gitignore: Remove. + * modules/pam_rhosts/.gitignore: Remove. + * modules/pam_rootok/.gitignore: Remove. + * modules/pam_securetty/.gitignore: Remove. + * modules/pam_sepermit/.gitignore: Remove. + * modules/pam_shells/.gitignore: Remove. + * modules/pam_succeed_if/.gitignore: Remove. + * modules/pam_time/.gitignore: Remove. + * modules/pam_tty_audit/.gitignore: Remove. + * modules/pam_umask/.gitignore: Remove. + * modules/pam_userdb/.gitignore: Remove. + * modules/pam_warn/.gitignore: Remove. + * modules/pam_wheel/.gitignore: Remove. + * modules/pam_xauth/.gitignore: Remove. + + Move generated auxiliary files to build-aux directory. + * configure.in: Add AC_CONFIG_AUX_DIR([build-aux]). + + Remove generated files. + * ABOUT-NLS: Remove. + * INSTALL: Remove. + * config.rpath: Remove. + * install-sh: Remove. + * mkinstalldirs: Remove. + * Makefile.am (EXTRA_DIST): Remove config.rpath and mkinstalldirs. + * .gitignore: Add ABOUT-NLS and INSTALL. + + Create release tarballs using safe ownership and permissions. + * Makefile.am: Define and export TAR_OPTIONS. + + Generate ChangeLog from git log. 
+ * .gitignore: Add ChangeLog + * ChangeLog: Rename to ChangeLog-CVS. + * Makefile.am (gen-changelog): New rule. + (dist-hook, .PHONY): Depend on it. + (EXTRA_DIST): Add ChangeLog-CVS. + * README-hacking: New file. + * gitlog-to-changelog: Import from gnulib. + * autogen.sh: Create empty ChangeLog file to make automake strictness + check happy. Use automated "autoreconf -fiv" instead of manual + invocations of various autotools. + + Fix "make distcheck" + There is no use to distribute m4 files manually, because automake does + the right thing, while manual distribution is not only redundant but + also very fragile. + * Makefile.am (M4_FILES): Remove. + (EXTRA_DIST): Remove M4_FILES. + + Remove modules/pam_timestamp/hmacfile from distribution. + * modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp. + (nodist_TESTS): Add hmacfile. + (EXTRA_DIST): Replace TESTS with dist_TESTS. + + Rename all .cvsignore files to .gitignore. + + Fix whitespace issues. + Cleanup trailing whitespaces, indentation that uses spaces before tabs, + and blank lines at EOF. Make the project free of warnings reported by + git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD + + +See ChangeLog-CVS for earlier changes. diff --git a/ChangeLog-CVS b/ChangeLog-CVS new file mode 100644 index 0000000..47b54ce --- /dev/null +++ b/ChangeLog-CVS 
@@ -0,0 +1,5099 @@ +2011-10-26 Dmitry V. Levin <ldv@altlinux.org> + + NB: ChangeLog file is no longer manually maintained. + See README-hacking for details. + +2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.1.5 + + * configure.in: Bump version number. + + * modules/pam_tally2/pam_tally2.8.xml: Remove never used option + "no_lock_time". + +2011-10-14 Kees Cook <kees@debian.org> + + * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an + overflowed environment variable expansion. + Fixes CVE-2011-3149. + Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565 + + * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading + whitespace. + Fixes CVE-2011-3148. + Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469 + +2011-10-10 Tomas Mraz <tm@t8m.info> + + * modules/pam_access/pam_access.c: Add hostname resolution + cache. + (user_match): Clear the cache in fake_item. + (from_match): If from is not hostname, do not try to resolve it. + Cache the getaddrinfo() result. + (network_netmask_match): Cache the getaddrinfo() result. + (pam_sm_authenticate): Free the getaddrinfo() result. + + * modules/pam_access/pam_access.c (netgroup_match): If getdomainname() + fails or domainname not set use NULL as domain in innetgr(). + +2011-09-30 Tomas Mraz <tm@t8m.info> + + * doc/man/pam.conf-syntax.xml: Improve documentation of the + sufficient and requisite control values. (Red Hat Bug #742413) + +2011-08-25 Tomas Mraz <tm@t8m.info> + + * modules/pam_access/pam_access.c (user_match): Fix the split + on @ in the user field. (Red Hat Bug #732081) + + * modules/pam_loginuid/pam_loginuid.c: Correct the FSF address. + +2011-08-23 Tomas Mraz <tm@t8m.info> + + * modules/pam_env/pam_env.c (_pam_parse): Fix missing dereference. + +2011-06-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.1.4 + + * configure.in: Bump version number. 
+ * NEWS: Document changes since 1.1.3 + * libpam/Makefile.am: Bump release number of shared library + * po/de.po: Translate new string. + + * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Reorder + Libraries. + +2011-06-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_limits/pam_limits.c: Add set_all option, + read limits from PID one if no limit is specified and set_all + is set. + * modules/pam_limits/pam_limits.8.xml: Document set_all option. + Based on Patch by Kees Cook. + +2011-06-15 Tomas Mraz <tm@t8m.info> + + * modules/pam_sepermit/pam_sepermit.c (check_running): Avoid + leaking memory and dir handle on realloc failure. + (sepermit_unlock): Cast fcntl() and close() calls to void. + + * modules/pam_pwhistory/opasswd.c (check_old_password): Do not + needlessly call strdupa(). + (save_old_password): Avoid memleaks in error paths. Avoid memleak of + buf. Make the opasswd entry parsing more robust. + * modules/pam_pwhistory/pam_pwhistory.8.xml: Document the + special meaning of remember=0. + + * modules/pam_unix/support.c (_set_ctrl): Do not crash when remember, + minlen, or rounds options are used with wrong module type. + + * modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate): Avoid + memleak in error path. + (pam_sm_open_session): Avoid memleak and fd leak in error path. + + * modules/pam_access/pam_access.c (user_match): Initialize the + fake_item from item. + +2011-06-14 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Check for libtirpc by default. + * libpam/Makefile.am: Add support for libtirpc. + * modules/pam_access/Makefile.am: Likewise. + * modules/pam_unix/Makefile.am: Likewise. + * modules/pam_unix/pam_unix_passwd.c: Change ifdefs for + new libtirpc support. + * modules/pam_unix/yppasswd_xdr.c: Only compile if we have rpc/rpc.h. + +2011-06-13 Tomas Mraz <tm@t8m.info> + + * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Test + also whether the tty is in the /sys/class/tty/console/active file. 
+ * modules/pam_securetty/pam_securetty.8.xml: Document the new check of + /sys/class/tty/console/active/file. + +2011-06-07 Tomas Mraz <tm@t8m.info> + + * modules/pam_namespace/pam_namespace.c (root_shared): New + function to detect shared / mount. + (pam_sm_open_session): Call the root_shared() and enable + private mounts based on that. + * modules/pam_namespace/pam_namespace.8.xml: Document the + automatic detection of shared / mount. + +2011-06-06 Tomas Mraz <tm@t8m.info> + + * modules/pam_group/pam_group.c (shift_bytes): Removed. + (shift_buf, trim_spaces): Added new functions. + (read_field): Thorough rewrite of the parsing. + (check_account): read_field() now uses state information. No + extra read_field() call at the end of configuration line. + * modules/pam_time/pam_time.c (shift_bytes): Removed. + (shift_buf, trim_spaces): Added new functions. + (read_field): Thorough rewrite of the parsing. + (check_account): read_field() now uses state information. No + extra read_field() call at the end of configuration line. + + * modules/pam_namespace/pam_namespace.h: Define the MS_PRIVATE and + MS_REC flags if they are not in sys/mount.h. + +2011-06-06 Nguyễn Thái Ngọc Duy <pclouds@gmail.com> + + * po/LINGUAS: Add vietnamese. + * po/vi.po: Add vietnamese translation. + +2011-06-02 Tomas Mraz <tm@t8m.info> + + * modules/pam_namespace/pam_namespace.c (protect_dir): Add parameter + to always do protect mount the last directory in the path. + (check_inst_parent, create_polydir): Update the protect_dir() call. + (ns_setup): Likewise and add the MS_PRIVATE mount() call. + (pam_sm_open_session): Check the mount_private option. + * modules/pam_namespace/pam_namespace.h: Add the PAMNS_MOUNT_PRIVATE. + * modules/pam_namespace/pam_namespace.8.xml: Document the mount_private + option. + + * modules/pam_cracklib/pam_cracklib.c (str_lower): Make it no-op + on NULL strings. + (password_check): Guard for NULLs returned from memory allocation. 
+ + * modules/pam_filter/pam_filter.c (process_args): Guard for error return + from pam_get_user(). + + * modules/pam_echo/pam_echo.c (replace_and_print): Guard for error return + from pam_get_item(). + +2011-05-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_timestamp/pam_timestamp.c (main): Remove unsused + variable pretval. + + * modules/pam_stress/pam_stress.c (converse): **message is const. + (stress_get_password): pmsg is const. + (pam_sm_chauthtok): Likewise. + * libpam/pam_item.c (pam_get_user): Make pmsg const and remove + casts. + +2011-05-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_env/pam_env.c (_pam_parse): Implement debug option. + Based on patch by Tomas Mraz. + +2011-05-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): quiet + option has no argument, print no missing file if quiet is set + [sf#3194930]. + +2011-05-04 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_lastlog/pam_lastlog.c (last_login_failed): Don't + abort with error if btmp file does not exist. + +2011-03-21 Tomas Mraz <tm@t8m.info> + + * modules/pam_unix/md5.c (MD5Final): Clear the whole ctx. + +2011-03-18 Tomas Mraz <tm@t8m.info> + + * modules/pam_namespace/md5.c (MD5Final): Clear the whole ctx. + * modules/pam_namespace/pam_namespace.c (del_polydir): Guard for NULL poly. + (protect_dir): Guard for -1 passing to close(). + (ns_setup): Likewise. + (pam_sm_open_session): Correctly test for SELinux enabled flag. + +2011-03-17 Tomas Mraz <tm@t8m.info> + + * modules/pam_selinux/pam_selinux.c (config_context): Fix leak of type. + (manual_context): Likewise. + (context_from_env): Remove extraneous auditing in success case. + + * modules/pam_unix/support.c (_unix_run_helper_binary): Remove extra + close() call. + +2011-02-22 Tomas Mraz <tm@t8m.info> + + * modules/pam_nologin/pam_nologin.8.xml: Add missing space. + * modules/pam_limits/limits.conf.5.xml: Fix typo. 
+ +2010-12-21 Tomas Mraz <tm@t8m.info> + + * modules/pam_selinux/pam_selinux.c (mls_range_allowed): Unhardcode + values for security class and av permission bit. + +2010-12-14 Tomas Mraz <tm@t8m.info> + + * modules/pam_limits/pam_limits.c (parse_uid_range): New function + to parse the range of uids or gids. + (parse_config_file): Call parse_uid_range() and if uid/gid range + is identified, setup the limits if the range matches. New parameters + containing user's uid and primary gid. + (pam_sm_open_session): Pass the user's uid and primary gid to + parse_config_file(). + * modules/pam_limits/limits.conf.5.xml: Document the uid/gid ranges. + +2010-12-14 Bahadır Kandemir <bahadir@pardus.org.tr> + + * po/tr.po: Updated translations. + +2010-11-25 Tomas Mraz <tm@t8m.info> + + * modules/pam_securetty/pam_securetty.8.xml: Improve documentation + of the kernel console feature and the noconsole option. + +2010-11-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_securetty/pam_securetty.c: Parse console= kernel + option, add noconsole option. + * modules/pam_securetty/pam_securetty.8.xml: Document new behavior + for serial console. + Patch from Lennart Poettering. + +2010-11-24 Tomas Mraz <tm@t8m.info> + + * modules/pam_limits/limits.conf.5.xml: Document the %group syntax. + +2010-11-18 Tomas Mraz <tm@t8m.info> + + * modules/pam_limits/pam_limits.c (pam_parse,pam_sm_open_session): + Drop obsolete and broken option change_uid. + * modules/pam_limits/pam_limits.8.xml: Likewise. + +2010-11-16 Tomas Mraz <tm@t8m.info> + + * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Remove + dead and duplicate code. Return PAM_INCOMPLETE instead of + PAM_CONV_AGAIN. + +2010-11-11 Tomas Mraz <tm@t8m.info> + + * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Fix + potential use after free in case SELinux is misconfigured. + + * modules/pam_namespace/pam_namespace.c (process_line): Fix memory + leak when parsing empty config file lines. 
+ +2010-10-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.1.3 + + * configure.in: Increase version to 1.1.3 + + * NEWS: document visible changes + + * libpam/Makefile.am (libpam_la_LDFLAGS): Bump version number. + +2010-10-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/adg/Makefile.am: Use UTF-8 for html docu. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. + +2010-10-22 Tomas Mraz <tm@t8m.info> + + * modules/pam_namespace/pam_namespace.c (inst_init): Use execle() + to execute the init script with clean environment. (CVE-2010-3853) + (cleanup_tmpdirs): Likewise for executing rm. + +2010-10-21 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_mkhomedir/mkhomedir_helper.c (rec_mkdir): Remove. + (create_homedir): Use mkdir() instead of rec_mkdir(). + (make_parent_dirs): New function. + (main): Use make_parent_dirs() to create parent directories only + for the home directory itself. + +2010-10-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/support.c (_unix_getpwnam): Don't allocate + unneeded buffer for uid/gid [sf#3059572]. + +2010-10-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_get_authtok.3.xml: Fix xml code. + + * doc/man/Makefile.am: Fix build dependencys of pam_get_authtok.3. + + * xtests/Makefile.am: Only build xtests if we run xtests. + * configure.in: Check for libdb with symbol versions, too. + Patch from Diego Elio Pettenò. + + * modules/pam_mkhomedir/mkhomedir_helper.c (rec_mkdir): Create + parent directories always with mode 0755. + (create_homedir): Create main directory with mode 0700 at first. + +2010-10-19 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Add + @LIBAUDIT@. + + * m4/ld-O1.m4 (PAM_LD_O1): Fix typo. + + * m4/ld-no-undefined.m4: New file. + * configure.in: Use PAM_LD_NO_UNDEFINED. + * Makefile.am (M4_FILES): Add m4/ld-no-undefined.m4. + + * modules/pam_selinux/pam_selinux.c (verbose_message): Remove. 
+ (pam_sm_open_session): Call send_text() instead of verbose_message(). + +2010-10-19 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_env/pam_env.8.xml: Document side effects of + environment variables in the stack. + * modules/pam_exec/pam_exec.8.xml: Document that user can + have controll over the environment. + +2010-10-07 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_selinux/pam_selinux.c (verbose_message): Fix format + string. + +2010-10-04 Dmitry V. Levin <ldv@altlinux.org> + + * libpam/pam_modutil_priv.c: New file. + * libpam/Makefile.am (libpam_la_SOURCES): Add it. + * libpam/include/security/pam_modutil.h (struct pam_modutil_privs, + PAM_MODUTIL_DEF_PRIVS, pam_modutil_drop_priv, + pam_modutil_regain_priv): New declarations. + * libpam/libpam.map (LIBPAM_MODUTIL_1.1.3): New interface. + * modules/pam_env/pam_env.c (handle_env): Use new pam_modutil interface. + * modules/pam_mail/pam_mail.c (_do_mail): Likewise. + * modules/pam_xauth/pam_xauth.c (check_acl, pam_sm_open_session, + pam_sm_close_session): Likewise. + (pam_sm_open_session): Remove redundant fchown call. + Fixes CVE-2010-3430, CVE-2010-3431. + +2010-10-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Extend cross compiling check. + * doc/specs/Makefile.am: Set CFLAGS and LDFLAGS to BUILD_CFLAGS + and BUILD_LDFLAGS. + Bug #3078936 / gentoo #339174 + +2010-09-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Warn if + unlink() fails. + +2010-09-27 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Return + PAM_SUCCESS immediately if no cookie file is defined. Return + PAM_SESSION_ERR if cookie file is defined but target uid cannot be + determined. Do not modify cookiefile string returned by pam_get_data. + + * modules/pam_xauth/pam_xauth.c (check_acl): Ensure that the given + access control file is a regular file. + +2010-09-16 Dmitry V. 
Levin <ldv@altlinux.org> + + * modules/pam_env/pam_env.c (handle_env): Use setfsuid() return code. + * modules/pam_mail/pam_mail.c (_do_mail): Likewise. + * modules/pam_xauth/pam_xauth.c (check_acl, pam_sm_open_session, + pam_sm_close_session): Likewise. + +2010-08-31 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.1.2 + + * configure.in: Bump version number. + * NEWS: Document changes since 1.1.1. + * doc/adg/Linux-PAM_ADG.xml: Bump version number. + * doc/mwg/Linux-PAM_MWG.xml: Likewise. + * doc/sag/Linux-PAM_SAG.xml: Likewise. + * libpam/Makefile.am: Bump revision of shared library. + * po/*.po: Regenerate. + +2010-08-26 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_nologin/pam_nologin.c (perform_check): Try first + /var/run/nologin if the nologin file is not explicitly specified. + * modules/pam_nologin/pam_nologin.8.xml: Document that /var/run/nologin + is tried first. + +2010-08-26 Sweta Kothari <swkothar@redhat.com> + + * po/gu.po: Updated translations. + +2010-08-26 Geert Warrink <geert.warrink@onsnet.nu> + + * po/nl.po: Updated translations. + +2010-08-26 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/specs/Makefile.am: Use CC_FOR_BUILD as compiler (cross + compile support). + * configure.in: Check for host compiler if cross compiling. + Bug #2315432, debian#284854#42. + +2010-08-17 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix_passwd.c: Implement minlen option. + * modules/pam_unix/support.c: Likewise. + * modules/pam_unix/support.h: Likewise. + + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Adjust + arguments for _set_ctrl call. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. + * modules/pam_unix/pam_unix_session.c: Likewise. + + * modules/pam_unix/pam_unix.8.xml: Document minlen option. + Based on patch by Steve Langasek. + +2010-08-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mail/pam_mail.c: Check for mail only with user + privilegs. 
+ + * modules/pam_xauth/pam_xauth.c (run_coprocess): Check return + value of setgid, setgroups and setuid. + + * modules/pam_xauth/pam_xauth.c (check_acl): Save errno for + later usage. + + * modules/pam_env/pam_env.c (handle_env): Check if user exists, + read local user config only with user privilegs.` + +2010-08-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_tally/pam_tally.8.xml: Document that pam_tally is + deprecated. + + * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Fix make dist. + + * modules/pam_unix/passverify.c (check_shadow_expiry): Correct + check for expired date. + + * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Remove + check for password length. Bug #2923437. + +2010-08-04 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_tally2/pam_tally2.c (get_tally): Create file + with correct permissions. Patch by Diego Elio “Flameeyes” Pettenò. + + * modules/pam_unix/passverify.c (PAMH_ARG_DECL): Don't request + password change if time is not yet set (1.1.1970). Bug #2730965. + + * modules/pam_access/pam_access.c (user_match): Make sure + that user@host will not match @@netgroup. Bug #3035919. + + * modules/pam_group/pam_group.c (check_account): Add '%' for + UNIX groups. + * modules/pam_group/group.conf: Add example for '%'. + * modules/pam_group/group.conf.5.xml: Document '%' syntax. + Bug #3002340, #3037155. + +2010-08-02 Steve Langasek <vorlon@debian.org> + + * modules/pam_mkhomedir/Makefile.am: don't pass --version-script + options when linking executables, only when linking libraries + Patch from Julien Cristau <jcristau@debian.org> + +2010-07-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Add + audit flag to enable logging about unknown user (#2917257). + * modules/pam_succeed_if/pam_succeed_if.8.xml: Document audit. + * modules/pam_succeed_if/pam_succeed_if.8: Regenerated from xml. + * modules/pam_succeed_if/README: Regenerated from xml. 
+ +2010-06-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_umask/pam_umask.8.xml: Remove comparisation of + gid and uid for usergroups. + * modules/pam_umask/pam_umask.c (setup_limits_from_gecos): Likewise. + Bug #3004656 + + * configure.in: Don't check for libxcrypt if no xcrypt.h exists, + fix typo introduced with 1.1.1. + Reported by Diego Elio “Flameeyes” Pettenò. + +2010-06-15 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Call + setfsuid to be allowed to remove temporary files (#3010705). + (pam_sm_open_session): Call fchown with correct permissions. + +2010-06-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_tty_audit/Makefile.am (TESTS): Add tst-pam_tty_audit. + * modules/pam_tty_audit/tst-pam_tty_audit: New. + +2010-06-07 Steve Langasek <vorlon@debian.org> + + * modules/pam_tty_audit/Makefile.am: If we don't have the libraries + required for building pam_tty_audit, we shouldn't install the manpage + either. + +2010-05-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_userdb/pam_userdb.c: Define HAVE_DBM + for BerkDB 5.0 support. Patch by Diego Elio Pettenò. + +2010-04-15 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_exec/pam_exec.8.xml: Fix example. + +2010-04-13 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_pwhistory/opasswd.c: Fix compilation if + cyprt_r() is not available. + * configure.in: check for getutent_r. + * modules/pam_timestamp/pam_timestamp.c: Use getutent() + if getutent_r() does not exist. + Patch from Diego Elio “Flameeyes” Pettenò. + +2010-04-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam.conf-syntax.xml: Better documentation of + "actionN". Patch from Michal Soltys <soltys@ziu.info>. + +2010-04-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_rootok/pam_rootok.c: Add support for acct_mgmt + and chauthtok. + * modules/pam_rootok/pam_rootok.8.xml: Document new module + types. 
+ +2010-03-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/ar.po: Add missing Plural-Forms entry to header. + +2010-03-25 Daniel Nylander <po@danielnylander.se> + + * po/sv.po: Updated translations. + +2010-03-24 Ani Peter <anipeter@fedoraproject.org> + + * po/ml.po: Updated translations. + +2010-03-08 Yuri Chornoivan <yurchor@ukr.net> + + * po/uk.po: Updated translations. + +2010-02-09 Tomas Mraz <t8m@centrum.cz> + + * libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix + regression in the new password prompt. + +2010-01-04 Elad <el.il@doom.co.il> + + * po/he.po: New translation to Hebrew. + * po/LINGUAS: Add Hebrew to the list. + +2009-12-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.1.1 + + * NEWS: Adjust for 1.1.1 + * configure.in: Likewise. + * doc/adg/Linux-PAM_ADG.xml: Likewise. + * doc/mwg/Linux-PAM_MWG.xml: Likewise. + * doc/sag/Linux-PAM_SAG.xml: Likewise. + * po/*.po: Regenerated. + +2009-12-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Rename DEBUG to PAM_DEBUG. + * libpam/pam_env.c: Likewise + * libpam/pam_handlers.c: Likewise + * libpam/pam_miscc.c: Likewise + * libpam/pam_password.c: Likewise + * libpam/include/security/_pam_macros.h: Likewise + * libpamc/test/modules/pam_secret.c: Likewise + * modules/pam_group/pam_group.c: Likewise + * modules/pam_listfile/pam_listfile.c: Likewise + * modules/pam_unix/pam_unix_auth.c: Likewise + * modules/pam_unix/pam_unix_passwd.c: Likewise + +2009-12-08 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/passverify.c(unix_update_shadow): Create a shadow + entry if not present in the file. + + * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Remove + unused function and variable. + +2009-11-19 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Return + PAM_AUTH_ERR from the module if sepermit_lock() fails. 
+ +2009-11-18 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.c(user_match): Revert the netgroup + match to the original behavior, add new syntax for adding the local + hostname. + * modules/pam_access/access.conf.5.xml: Document the new syntax + for adding the local hostname to the netgroup match. + +2009-11-10 Thorsten Kukuk <kukuk@suse.de> + + * doc/man/pam_get_authtok.3.xml: Document pam_get_authtok_noverify + and pam_get_authtok_verify. + + * libpam/Makefile.am (libpam_la_LDFLAGS): Bump revesion of libpam. + + * libpam/pam_get_authtok.c (pam_get_authtok_internal): Renamed + from pam_get_authtok, add flags argument, always check return + values. + + * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Use + pam_get_authtok_noverify and pam_get_authtok_verify. + + * libpam/include/security/pam_ext.h: Add prototypes for + pam_get_authtok_noverify and pam_get_authtok_verify. + + * libpam/libpam.map: Add new pam_get_authtok_* functions. + +2009-11-02 Ani Peter <anipeter@fedoraproject.org> + + * po/ml.po: Updated translations. + +2009-11-02 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page. + * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to + sepermit.conf(5). Drop some redundant text. + * modules/pam_sepermit/sepermit.conf.5.xml: New file. + + * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore + option in sepermit.conf. + +2009-10-29 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_xauth/Makefile.am: Link with libselinux. + * modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call + setfscreatecon() if selinux is enabled to create the .xauth file + with the right label. Original idea by Dan Walsh. + +2009-10-08 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_tty_audit/pam_tty_audit.8.xml: Add notice about aureport + add SEE ALSO section. 
+ +2009-10-06 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Just + call pam_modutil_user_in_group_nam_nam() instead of reimplementation + of group matching. + +2009-10-05 Kris Thomsen <lakristho@gmail.com> + + * po/da.po: Updated translations. + +2009-09-29 Piotr Drąg <piotrdrag@gmail.com> + + * po/pl.po: Updated translations. + +2009-09-21 Yulia Poyarkova <yulia.poyarkova@redhat.com> + + * po/ru.po: Updated translations. + +2009-09-17 Kiyoto Hashida <khashida@redhat.com> + + * po/ja.po: Updated translations. + +2009-09-17 Eunju Kim <eukim@redhat.com> + + * po/ko.po: Updated translations. + +2009-09-17 Yulia Poyarkova <yulia.poyarkova@redhat.com> + + * po/ru.po: Updated translations. + +2009-09-10 Steve Langasek <vorlon@debian.org> + + * modules/pam_securetty/pam_securetty.c: pam_securetty should not + return PAM_USER_UNKNOWN when the tty is secure, regardless of what + was entered as a username. + Patch from Nicolas François <nicolas.francois@centraliens.net>. + +2009-08-31 Steve Langasek <vorlon@debian.org> + + * modules/pam_namespace/namespace.init: make this portable to POSIX + awk, instead of using GNU awk extensions. + +2009-08-25 Steve Langasek <vorlon@debian.org> + + * modules/pam_sepermit/pam_sepermit.8.xml: fix up one reference + to pam.d(8) left behind because I've forgotten how CVS works + * po/es.po: fix missing whitespace in password prompts. + +2009-08-24 Steve Langasek <vorlon@debian.org> + + * doc/pam_get_authtok.3.xml: grammar fix. + * doc/adg/Linux-PAM-ADG.xml: Likewise. + * doc/mwg/Linux-PAM_MWG.xml: Likewise. + * doc/man/pam_setcred.3.xml: fix a typo. + +2009-07-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Delete + new token if it does not match strength criteria. + +2009-06-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/yppasswd_xdr.c: Remove unnecessary header files. 
+ + * modules/pam_unix/support.c (_unix_getpwnam): Only compile in NIS + support if all necessary functions exist. + + * modules/pam_unix/pam_unix_passwd.c (getNISserver): Add debug + option, handle correct if OS has no NIS support. + + * modules/pam_access/pam_access.c (netgroup_match): Check if + yp_get_default_domain and innetgr are available at compile time. + + * configure.in: Check for functions: innetgr, getdomainname + check for headers: rpcsvc/ypclnt.h, rpcsvc/yp_prot.h. + +2009-06-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix.8.xml: Fix blowfish description. + Reported by Diego E. “Flameeyes” Pettenò. + +2009-06-26 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_namespace/Makefile.am: Fix make maintainer-clean, + fix docu dependencies. + + * modules/pam_xauth/Makefile.am: Fix make maintainer-clean. + * modules/pam_access/Makefile.am: Likewise. + * modules/pam_debug/Makefile.am: Likewise. + * modules/pam_deny/Makefile.am: Likewise. + * modules/pam_echo/Makefile.am: Likewise. + * modules/pam_env/Makefile.am: Likewise. + * modules/pam_faildelay/Makefile.am: Likewise. + * modules/pam_ftp/Makefile.am: Likewise. + * modules/pam_group/Makefile.am: Likewise. + * modules/pam_issue/Makefile.am: Likewise. + * modules/pam_keyinit/Makefile.am: Likewise. + * modules/pam_lastlog/Makefile.am: Likewise. + * modules/pam_limits/Makefile.am: Likewise. + * modules/pam_listfile/Makefile.am: Likewise. + * modules/pam_localuser/Makefile.am: Likewise. + * modules/pam_loginuid/Makefile.am: Likewise. + * modules/pam_mail/Makefile.am: Likewise. + * modules/pam_mkhomedir/Makefile.am: Likewise. + * modules/pam_motd/Makefile.am: Likewise. + * modules/pam_nologin/Makefile.am: Likewise. + * modules/pam_pwhistory/Makefile.am: Likewise. + * modules/pam_rhosts/Makefile.am: Likewise. + * modules/pam_rootok/Makefile.am: Likewise. + * modules/pam_securetty/Makefile.am: Likewise. + * modules/pam_shells/Makefile.am: Likewise. 
+ * modules/pam_succeed_if/Makefile.am: Likewise. + * modules/pam_tally2/Makefile.am: Likewise. + * modules/pam_tally/Makefile.am: Likewise. + * modules/pam_time/Makefile.am: Likewise. + * modules/pam_timestamp/Makefile.am: Likewise. + * modules/pam_tty_audit/Makefile.am: Likewise. + * modules/pam_umask/Makefile.am: Likewise. + * modules/pam_unix/Makefile.am: Likewise. + * modules/pam_warn/Makefile.am: Likewise. + * modules/pam_wheel/Makefile.am: Likewise. + * modules/pam_filter/Makefile.am: Likewise. + + * configure.in: Make regeneration of docu configureable, + rename enable_man to enable_docu. + + * modules/pam_env/pam_env.c (_pam_parse): Fix typo in debug + code. + + * modules/pam_cracklib/Makefile.am: Don't install docu if + module is disabled for building. + * modules/pam_userdb/Makefile.am: Likewise. + + * modules/pam_unix/pam_unix_passwd.c: Remove dead SELinux + code. + + * modules/pam_lastlog/pam_lastlog.c (last_login_failed): Fix + usage of wrong variable [bug#2809661]. + +2009-06-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Rename crypt_gensalt_rn to crypt_gensalt_r + * modules/pam_unix/passverify.c: Likewise. + +2009-06-19 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.1.0 + +2009-06-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/sag/Linux-PAM_SAG.xml: Fix typos. + * doc/adg/Linux-PAM_ADG.xml: Likewise. + * doc/mwg/Linux-PAM_MWG.xml: Likewise. + +2009-06-08 Rajesh Ranjan <rajesh672@gmail.com> + + * po/hi.po: Updated translations. + +2009-06-01 Jaswinder Singh <jsingh@redhat.com> + + * po/pa.po: Updated translations. + +2009-06-01 Tomáš Mráz <t8m@centrum.cz> + + * modules/pam_pwhistory/opasswd.c (save_old_password): Don't + call fclose() on NULL descriptor. Found by Steve Grubb. + +2009-06-01 Ville Skyttä <ville.skytta@iki.fi> + + * modules/pam_limits/pam_limits.8.xml: Only *.conf + files are parsed. Spelling fixes. + * modules/pam_access/pam_access.8.xml: Spelling fixes. + * modules/pam_cracklib/pam_cracklib.8.xml: Likewise. 
+ * modules/pam_echo/pam_echo.8.xml: Likewise. + * modules/pam_env/pam_env.8.xml: Likewise. + * modules/pam_exec/pam_exec.8.xml: Likewise. + * modules/pam_filter/pam_filter.8.xml: Likewise. + * modules/pam_ftp/pam_ftp.8.xml: Likewise. + * modules/pam_group/pam_group.8.xml: Likewise. + * modules/pam_issue/pam_issue.8.xml: Likewise. + * modules/pam_lastlog/pam_lastlog.8.xml: Likewise. + * modules/pam_listfile/pam_listfile.8.xml: Likewise. + * modules/pam_localuser/pam_localuser.8.xml: Likewise. + * modules/pam_loginuid/pam_loginuid.8.xml: Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.8.xml: Likewise. + * modules/pam_motd/pam_motd.8.xml: Likewise. + * modules/pam_namespace/pam_namespace.8.xml: Likewise. + * modules/pam_pwhistory/pam_pwhistory.8.xml: Likewise. + * modules/pam_selinux/pam_selinux.8.xml: Likewise. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise. + * modules/pam_tally/pam_tally.8.xml: Likewise. + * modules/pam_tally2/pam_tally2.8.xml: Likewise. + * modules/pam_time/pam_time.8.xml: Likewise. + * modules/pam_timestamp/pam_timestamp.8.xml: Likewise. + * modules/pam_timestamp/pam_timestamp_check.8.xml: Likewise. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. + * modules/pam_umask/pam_umask.8.xml: Likewise. + * modules/pam_unix/pam_unix.8.xml: Likewise. + * modules/pam_xauth/pam_xauth.8.xml: Likewise. + +2009-05-28 Jaswinder Singh <jsingh@redhat.com> + + * po/pa.po: Updated translations. + +2009-05-21 Albert Carabasa Giribet <albertc@asic.udl.cat> + + * po/ca.po: Updated translations. + +2009-05-11 Ani Peter <anipeter@fedoraproject.org> + + * po/ml.po: Updated translations. + +2009-05-11 Charles-Antoine Couret <cacouret@wanadoo.fr> + + * po/fr.po: Updated translations. + +2009-05-11 Tomáš Mráz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Remove + unnecessary setuid() call. 
+ +2009-05-05 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.0.92 + * libpamc/Makefile.am (libpamc_la_LDFLAGS): Increase revesion. + * configure.in: Increase version to 1.0.92. + +2009-04-20 Mario Santagiuliana <mario@marionline.it> + + * po/it.po: Updated translations. + +2009-04-17 Fabian Affolter <fab@fedoraproject.org> + + * po/de.po: Updated translations. + +2009-04-16 Tomáš Mráz <t8m@centrum.cz> + + * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Add user + parameter. Use user instead of pwd->pw_name in comparsions. + (pam_sm_authenticate): Pass the original user to evaluate(). + +2009-04-14 Amitakhya Phukan <aphukan@fedoraproject.org> + + * po/as.po: Updated translations. + +2009-04-14 Runa Bhattacharjee <runab@fedoraproject.org> + + * po/bn_IN.po: Updated translations. + +2009-04-14 Sweta Kothari <swkothar@redhat.com> + + * po/gu.po: Updated translations. + +2009-04-14 Sandeep Shedmake <sandeep.shedmake@gmail.com> + + * po/mr.po: Updated translations. + +2009-04-14 Rui Gouveia <rui.gouveia@globaltek.pt> + + * po/pt.po: Updated translations. + +2009-04-14 I. Felix <ifelix@redhat.com> + + * po/ta.po: Updated translations. + +2009-04-14 Krishna Babu K <kkrothap@redhat.com> + + * po/te.po: Updated translations. + +2009-04-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/yppasswd.h: Update license to GPLv2 or later + on request of Olaf Kirch (Author). + * modules/pam_unix/yppasswd_xdr.c: Likewise. + +2009-04-06 R.E. van der Luit <nippur@fedoraproject.org> + + * po/nl.po: Updated translations. + +2009-04-06 Terry Chuang <tchuang@redhat.com> + + * po/zh_TW.po: Updated translations. + +2009-04-03 Shankar Prasad <svenkate@redhat.com> + + * po/kn.po: Updated translations. + +2009-04-03 Manoj Kumar Giri <mgiri@redhat.com> + + * po/or.po: Updated translations. + +2009-04-03 Miloš Komarčević <kmilos@gmail.com> + + * po/sr.po: Updated translations. + * po/sr@latin.po: Updated translations. 
+ +2009-04-03 Leah Liu <lliu@redhat.com> + + * po/zh_CN.po: Updated translations. + +2009-04-03 Dmitry V. Levin <ldv@altlinux.org> + + * libpamc/pamc_load.c (__pamc_exec_agent): Replace call to exit(3) + in child process with call to _exit(2). + * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise. + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): + Likewise. + * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): + Likewise. + * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. + * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise. + * modules/pam_exec/pam_exec.c (call_exec): Replace all calls to + exit(3) in child process with calls to _exit(2). + * modules/pam_filter/pam_filter.c (set_filter): Likewise. + * modules/pam_namespace/pam_namespace.c (inst_init, + cleanup_tmpdirs): Likewise. + +2009-03-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/support.c (_unix_run_helper_binary): Don't + ignore return value of write(). + + * libpamc/include/security/pam_client.h (PAM_BP_ASSERT): Honour + NDEBUG. + * modules/pam_timestamp/pam_timestamp.c: don't ignore return + values of lchown and fchown. + +2009-03-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mkhomedir/pam_mkhomedir.c: Make option handling + reentrant (#2487654) + (_pam_parse): Fix umask option. + + * modules/pam_unix/passverify.c: Fix typo. + + * modules/pam_issue/pam_issue.c: Fix compiler warning. + * modules/pam_ftp/pam_ftp.c: Likewise. + +2009-03-25 Pavol Šimo <palo.simo@gmail.com> + + * po/sk.po: Updated translations. + +2009-03-24 Sulyok Péter <peti@sulyok.hu> + + * po/hu.po: Updated translations. + +2009-03-24 Domingo Becker <domingobecker@gmail.com> + + * po/es.po: Updated translations. + +2009-03-24 Diego Búrigo Zacarão <diegobz@projetofedora.org> + + * po/pt_BR.po: Updated translations. + +2009-03-24 Piotr Drąg <piotrdrag@gmail.com> + + * po/pl.po: Updated translations. 
+ +2009-03-24 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/passverify.c(save_old_password): Call fflush() and + fsync(). + (unix_update_passwd, unix_update_shadow): Likewise. + * modules/pam_pwhistory/opasswd.c(save_old_password): Likewise. + + * po/cs.po: Updated translations. + +2009-03-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.0.91 + + * libpam/Makefile.am (libpam_la_LDFLAGS): Bump version number. + * xtests/Makefile.am: Add tst-pam_unix4.pamd, tst-pam_unix4.sh + and time.conf. + +2009-03-03 Dmitry V. Levin <ldv@altlinux.org> + + * tests/tst-pam_mkargv.c (main): Fix for non-64bit architectures. + +2009-03-03 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_acct.c(_unix_run_verify_binary): Test + for abnormal exit of the helper binary. + * modules/pam_unix/pam_unix_passwd.c(_unix_run_update_binary): Likewise. + * modules/pam_unix/support.c(_unix_run_helper_binary): Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.c(create_homedir): Likewise. + +2009-02-27 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_mkhomedir/pam_mkhomedir.c(create_homedir): Replace + signal() with sigaction(). + * modules/pam_namespace/pam_namespace.c(inst_init, cleanup_tmpdirs): + Likewise. + * modules/pam_unix/pam_unix_acct.c(_unix_run_verify_binary): Likewise. + * modules/pam_unix/pam_unix_passwd.c(_unix_run_update_binary): + Likewise. + * modules/pam_unix/passverify.c(su_sighandler): Likewise. + * modules/pam_unix/support.c(_unix_run_helper_binary): Likewise. + + * modules/pam_tally2/Makefile.am: Link the pam_tally2 app to libpam + for auxiliary functions. + * modules/pam_tally2/pam_tally2.8.xml: Drop non-existing no_reset + option. Document new serialize option. + * modules/pam_tally2/pam_tally2.c: Add support for the new serialize + option. + (_cleanup, tally_set_data, tally_get_data): Add tally file handle to + tally PAM data. Needed for fcntl() locking. + (get_tally): Use low level file access instead of stdio buffered FILE. 
+ If serialize option is used lock the tally file access. + (set_tally, tally_bump, tally_reset): Use low level file access instead + of stdio buffered FILE. Close the file handle only when it is not owned + by PAM data. + (pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt): Pass the tally + file handle to tally_set_data(). Get it from tally_get_data(). + (main): Use low level file access instead of stdio buffered FILE. + +2009-02-26 Tomas Mraz <t8m@centrum.cz> + + * xtests/Makefile.am: Add tst-pam_unix4. + * xtests/tst-pam_unix4.c: New test for password change + and shadow min days limit. + * xtests/tst-pam_unix4.pamd: Likewise. + * xtests/tst-pam_unix4.sh: Likewise. + + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Ignore + PAM_AUTHTOK_ERR on shadow verification. + * modules/pam_unix/passverify.c (check_shadow_expiry): Return + PAM_AUTHTOK_ERR if sp_min limit for password change is defied. + +2009-02-26 Timur Birsh <taem@linukz.org> + + * po/LINGUAS: New Kazakh translation. + * po/kk.po: New Kazakh translation. + +2009-02-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_misc.c (_pam_StrTok): Use unsigned char + instead of int. Reported by Marcus Granado. + * tests/Makefile.am (TESTS): Add tst-pam_mkargv. + * tests/tst-pam_mkargv.c (main): Test case for + _pam_mkargv. + + * po/de.po: Update fuzzy translations. + +2009-02-25 Tomas Mraz <t8m@centrum.cz> + + * xtests/access.conf: Add a line for name resolution test case. + * xtests/tst-pam_access4.c (main): Set PAM_RHOST for testing the LOCAL + keyword. Add a test case for name resolution. + + * modules/pam_access/pam_access.c (from_match): Move name resolution + to network_netmask_match(). + (network_netmask_match): Do a name resolution of the origin only if + matching against a real network/netmask. + +2009-02-25 Fabian Affolter <fabian@bernewireless.net> + + * po/de.po: Updated translations. + +2009-02-25 Taylon Silmer Lacerda Silva <taylonsilva@gmail.com> + + * po/pt_BR.po: Updated translations. 
+ +2009-02-25 Domingo Becker <domingobecker@gmail.com> + + * po/es.po: Updated translations. + +2009-02-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_limits/limits.conf.5.xml: Document that the kernel + can refuse values out of range for the local system. + * modules/pam_limits/pam_limits.c (setup_limits): Log if setrlimit + fails. + +2009-02-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_password.c (pam_chauthtok): Make sure applications + don't set internal flags. + +2009-02-17 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient + can break the PRELIM_CHECK chain. + + * libpam/pam_dispatch.c: Don't freeze chain for chauthtok + [bugzilla.novell.com#470337] + +2009-02-11 Daniel Nylander <po@danielnylander.se> + + * po/sv.po: Updated translations. + +2009-01-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_sm_setcred.3.xml: Document PAM_ESTABLISH_CRED. + +2009-01-19 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_mkhomedir/Makefile.am: Add mkhomedir_helper. + * modules/pam_mkhomedir/mkhomedir_helper.8.xml: New file. Manual page + for mkhomedir_helper. + * modules/pam_mkhomedir/mkhomedir_helper.c: New file. Source + for mkhomedir_helper. Most of the code moved from pam_mkhomedir.c. + * modules/pam_mkhomedir/pam_mkhomedir.c (_pam_parse): Do not convert umask + to integer. + (rec_mkdir): Moved to mkhomedir_helper.c. + (create_homedir): Just exec the helper. + (pam_sm_open_session): Improve logging. + +2009-01-19 Daniel Cabrera <h.daniel.cabrera@gmail.com> + + * po/es.po: Updated translations. + +2009-01-14 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/de.po: Updated translations. + +2009-01-07 Piotr Drąg <piotrdrag@gmail.com> + + * po/pl.po: Updated translations. + +2008-12-23 Piotr Drąg <piotrdrag@gmail.com> + + * po/pl.po: Updated translations. 
+ +2008-12-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_pwhistory/pam_pwhistory.c (parse_option): Rename + type= option to authtok_type= (because of pam_get_authtok). + * modules/pam_pwhistory/pam_pwhistory.8.xml: Likewise. + +2008-12-17 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Do + not abort on unknown option. Avoid double free of old_status. + (pam_sm_close_session): Use LOG_DEBUG for restored status message. + + * configure.in: Test for getseuser(). + * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Call getseuser() + instead of getseuserbyname() if the function is available. + +2008-12-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.0.90 + + * libpam_misc/Makefile.am: Increase version number of shared library. + * libpamc/Makefile.am: Likewise. + +2008-12-12 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_tally2/pam_tally2.c (get_tally): Test for EACCES + instead of EPERM. + * modules/pam_tally2/pam_tally2.8.xml: Fix documentation. + +2008-12-10 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_item_types_ext.inc.xml: Document PAM_AUTHTOK_TYPE. + * libpam/pam_end.c (pam_end): Free authtok_type. + * tests/tst-pam_get_item.c: Add PAM_AUTHTOK_TYPE + as test case. + * tests/tst-pam_set_item.c: Likewise. + * libpam/pam_start.c (pam_start): Initialize xdisplay, + xauth and authtok_type. + * libpam/pam_get_authtok.c (pam_get_authtok): Rename "type" + to "authtok_type". + * modules/pam_cracklib/pam_cracklib.8.xml: Replace "type=" with + "authtok_type=". + * doc/man/pam_get_authtok.3.xml: Document authtok_type argument. + * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Set + type= argument as PAM_AUTHTOK_TYPE item. + * libpam/pam_get_authtok.c (pam_get_authtok): If no type + argument given, use PAM_AUTHTOK_TYPE item. + * libpam/pam_item.c (pam_get_item): Fetch PAM_AUTHTOK_TYPE item. + (pam_set_item): Store PAM_AUTHTOK_TYPE item. 
+ * libpam/pam_private.h: Add authtok_type to pam_handle. + * libpam/include/security/_pam_types.h (PAM_AUTHTOK_TYPE): New. + +2008-12-03 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_access/access.conf.5.xml: Replace + 2001:4ca0 with 2001:db8:: [bug#2356400]. + + * doc/man/Makefile.am: Add pam_get_authtok.3.xml. + * doc/man/pam_get_authtok.3.xml: New. + * libpam/Makefile.am: Add pam_get_authtok.c. + * libpam/libpam.map: Export pam_get_authtok. + * libpam/pam_get_authtok.c: New. + * libpam/pam_private.h: Add mod_argc and mod_argv to pam_handle. + * libpam_include/security/pam_ext.h: Add pam_get_authtok + prototype. + * modules/pam_cracklib/pam_cracklib.c: Use pam_get_authtok. + * modules/pam_pwhistory/pam_pwhistory.c: Likewise. + * po/POTFILES.in: Add libpam/pam_get_authtok.c. + * xtests/tst-pam_cracklib1.c: Adjust error codes. + + * modules/pam_timestamp/Makefile.am: Remove hmactest.c from + EXTRA_DIST. + + * po/*.po: Regenerated. + +2008-12-02 Michael Calmer <mc@suse.de> + + * modules/pam_limits/limits.conf.5.xml: Document valid values + for limits (bnc#448314). + +2008-12-02 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_env/pam_env.c: Add support for user specific + environment file. Based on a patch from Ubuntu. + * modules/pam_env/pam_env.8.xml: Document new options. + +2008-12-02 Olivier Fourdan <ofourdan@redhat.com> + + * modules/pam_filter/pam_filter.c (master): Use /dev/ptmx + instead of the old BSD pseudoterminal API. + (set_filter): Call grantpt(), unlockpt() and ptsname(). Do not + close pseudoterminal handle in filter child. + * modules/pam_filter/upperLOWER/upperLOWER.c (main): Use + regular read() instead of pam_modutil_read() to allow for + short reads. + +2008-12-02 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_timestamp/Makefile.am: Add hmacfile to tests. + * modules/pam_timestamp/hmacfile.c: Do not try the short key + testvector. 
+ +2008-12-01 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/support.h: Fix masks for cipher algorithm + flags. + +2008-12-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix.8.xml: Document blowfish option. + + * configure.in: Check for crypt_gensalt_rn. + * modules/pam_unix/pam_unix_passwd.c: Pass pamh to + create_password_hash function. + * modules/pam_unix/passverify.c (create_password_hash): Add + blowfish support. + * modules/pam_unix/passverify.h: Adjust create_password_hash + prototype. + * modules/pam_unix/support.c: Add support for blowfish option. + * modules/pam_unix/support.h: Add defines for blowfish option. + Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> + +2008-12-01 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.8.xml: Fix description of nodefgroup + option. + + * modules/pam_group/pam_group.c (is_same): Fix check for correct + string length. + +2008-11-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Check for xcrypt.h, fix typo in libaudit check. + * modules/pam_cracklib/pam_cracklib.c: Include xcrypt.h if + available. + * modules/pam_unix/bigcrypt.c: Likewise. + * modules/pam_unix/passverify.c: Likewise. + * modules/pam_userdb/pam_userdb.c: Likewise. + Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> + + * doc/man/pam_getenv.3.xml: Document that application should + not free return value. + + * doc/man/pam.3.xml: Add Note about thread-safeness of libpam + functions. + +2008-11-28 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/unix_update.c (set_password): Allow root to change + passwords without verification of the old ones. + + * modules/pam_tally2/pam_tally2.c (tally_check): Fix info format + to be the same as in pam_tally. + + * configure.in: Add modules/pam_timestamp/Makefile. + * doc/sag/Linux-PAM_SAG.xml: Include pam_timestamp.xml. + * doc/sag/pam_timestamp.xml: New. + * libpam/pam_static_modules.h: Add pam_timestamp static struct. + * modules/Makefile.am: Add pam_timestamp directory. 
+ * modules/pam_timestamp/Makefile.am: New. + * modules/pam_timestamp/README.xml: New. + * modules/pam_timestamp/hmacsha1.h: New. + * modules/pam_timestamp/sha1.h: New. + * modules/pam_timestamp/pam_timestamp.8.xml: New. + * modules/pam_timestamp/pam_timestamp_check.8.xml: New. + * modules/pam_timestamp/pam_timestamp.c: New. + * modules/pam_timestamp/pam_timestamp_check.c: New. + * modules/pam_timestamp/hmacfile.c: New. + * modules/pam_timestamp/hmacsha1.c: New. + * modules/pam_timestamp/sha1.c: New. + * modules/pam_timestamp/tst-pam_timestamp: New. + * po/POTFILES.in: Add pam_timestamp sources. + * po/*.po: Regenerate. + * po/cs.po: Updated translations. + +2008-11-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_pwhistory/opasswd.c (save_old_password): Fix typo. + + * modules/pam_time/pam_time.c (is_same): Fix check + of correct string length (debian bug #326407). + +2008-11-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/Makefile.am: Add pam_time1 tests. + * xtests/tst-pam_time1.c: New test case. + * xtests/tst-pam_time1.pamd: New. + * xtests/time.conf: New. + * xtests/run-xtests.sh: Copy time.conf. + +2008-11-24 Tomas Mraz <t8m@centrum.cz> + + * libpam/pam_handlers.c (_pam_parse_conf_file): '-' at + beginning of type token marks silent module. + (_pam_load_module): Add handler_type parameter. Do not log + module load error if module is silent. + (_pam_add_handler): Pass handler_type to _pam_load_module(). + * libpam/pam_private.h: Add PAM_HT_SILENT_MODULE. + * doc/man/pam.conf-syntax.xml: Document the '-' at beginning + of type. + + * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Fix leaks + in error path. + * modules/pam_env/pam_env.c (_parse_env_file): Remove superfluous + condition. + * modules/pam_group/pam_group.c (check_account): Fix leak + in error path. + * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Fix leak + in error path. 
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Remove + superfluous condition. + * modules/pam_stress/pam_stress.c (stress_get_password,pam_sm_authenticate): + Remove superfluous conditions. + (pam_sm_chauthtok): Fix mistaken && for &. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Remove + superfluous condition. + All the problems fixed in this commit were found by Steve Grubb. + +2008-11-20 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not + call sepermit_lock() if sense is deny. Do not crash on NULL seuser + match. + (pam_sm_authenticate): Try to call getseuserbyname() even if + SELinux is disabled. + +2008-11-19 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): + Preserve XAUTHLOCALHOSTNAME environment variable. + + * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Finish + implementation of type=STRING option. + + * modules/pam_pwhistory/pam_pwhistory.8.xml: Document + "type=STRING" option. + +2008-10-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_setcred.3.xml: Document when credentials + should be deleted. + * po/ja.po: Fix syntax error. + * po/de.po: Update translations. + * po/*.po: Regenerate with pam_tally2 added. + +2008-10-23 Taylon Silmer Lacerda Silva <taylonsilva@gmail.com> + + * po/pt_BR.po: Updated translations. + +2008-10-23 Krishna Babu K <kkrothap@redhat.com> + + * po/LINGUAS: New language. + * po/te.po: New translation to Telugu. + +2008-10-23 Manoj Kumar Giri <mgiri@redhat.com> + + * po/or.po: Updated translations. + +2008-10-21 Amitakhya Phukan <aphukan@redhat.com> + + * po/as.po: Updated translations. + +2008-10-21 Ondrej Sulek <feonsu@gmail.com> + + * po/sk.po: Updated translations. + +2008-10-21 Terry Chuang <tchuang@redhat.com> + + * po/zh_TW.po: Updated translations. + +2008-10-21 Kiyoto Hashida <khashida@redhat.com> + + * po/ja.po: Updated translations. 
+ +2008-10-21 Francesco Valente <fvalen@redhat.com> + + * po/it.po: Updated translations. + +2008-10-21 Peter van Egdom <p.van.egdom@gmail.com> + + * po/nl.po: Updated translations. + +2008-10-20 Ani Peter <apeter@redhat.com> + + * po/ml.po: Updated translations. + +2008-10-20 Pablo Martin-Gomez <pablo.martin-gomez@laposte.net> + + * po/fr.po: Updated translations. + +2008-10-20 Runa Bhattacharjee <runab@redhat.com> + + * po/bn_IN.po: Updated translations. + +2008-10-20 Shankar Prasad <svenkate@redhat.com> + + * po/kn.po: Updated translations. + +2008-10-20 Leah Liu <lliu@redhat.com> + + * po/zh_CN.po: Updated translations. + +2008-10-20 Ondrej Sulek <feonsu@gmail.com> + + * po/LINGUAS: New language. + * po/sk.po: New translation to Slovak. + +2008-10-17 Tomas Mraz <t8m@centrum.cz> + + * configure.in: Add modules/pam_tally2/Makefile. + * doc/sag/Linux-PAM_SAG.xml: Include pam_tally2.xml. + * doc/sag/pam_tally2.xml: New. + * libpam/pam_static_modules.h: Add pam_tally2 static struct. + * modules/Makefile.am: Add pam_tally2 directory. + * modules/pam_tally2/Makefile.am: New. + * modules/pam_tally2/README.xml: New. + * modules/pam_tally2/tallylog.h: New. + * modules/pam_tally2/pam_tally2.8.xml: New. + * modules/pam_tally2/pam_tally2.c: New. + * modules/pam_tally2/pam_tally2_app.c: New. + * modules/pam_tally2/tst-pam_tally2: New. + * po/POTFILES.in: Add pam_tally2 sources. + +2008-10-17 Xavier Queralt Mateu <xqueralt@gmail.com> + + * po/ca.po: Updated translations. + +2008-10-15 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Save the old + euid to suid to be able to restore it. + +2008-10-15 Piotr Drąg <piotrdrag@gmail.com> + + * po/pl.po: Updated translations. + +2008-10-13 Tomas Mraz <t8m@centrum.cz> + + * po/LINGUAS: New languages. + * po/cs.po: Updated translations. + +2008-10-13 Amitakhya Phukan <aphukan@redhat.com> + + * po/as.po: Updated translations. 
+ +2008-10-13 Shankar Prasad <svenkate@redhat.com> + + * po/kn.po: Updated translations. + +2008-10-13 Sandeep Sheshrao Shedmake <sshedmak@redhat.com> + + * po/mr.po: New translation to Marathi. + +2008-10-13 Runa Bhattacharjee <runab@redhat.com> + + * po/bn_IN.po: Updated translations. + +2008-10-13 Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com> + + * po/ms.po: New translation to Malay. + +2008-10-10 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): + Remove check for re-used passwords. + * modules/pam_cracklib/pam_cracklib.8.xml: Remove documentation + of re-used password check. + + * configure.in: add modules/pam_pwhistory/Makefile. + * doc/sag/Linux-PAM_SAG.xml: Include pam_pwhistory.xml. + * doc/sag/pam_pwhistory.xml: New. + * libpam/pam_static_modules.h: Add pam_pwhistory data. + * modules/Makefile.am: Add pam_pwhistory directory. + * modules/pam_pwhistory/Makefile.am: New. + * modules/pam_pwhistory/README.xml: New. + * modules/pam_pwhistory/opasswd.c: New. + * modules/pam_pwhistory/opasswd.h: New. + * modules/pam_pwhistory/pam_pwhistory.8.xml: New. + * modules/pam_pwhistory/pam_pwhistory.c: New. + * modules/pam_pwhistory/tst-pam_pwhistory: New. + * xtests/Makefile.am: New. + * xtests/run-xtests.sh: New. + * xtests/tst-pam_pwhistory1.c: New. + * xtests/tst-pam_pwhistory1.pamd: New. + * xtests/tst-pam_pwhistory1.sh: New. + * po/POTFILES.in: Add modules/pam_pwhistory/. + * po/de.po: Update translations. + +2008-10-02 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/de.po: Update translations. + +2008-09-30 Manoj Kumar Giri <mgiri@redhat.com> + + * po/or.po: Updated translations. + +2008-09-30 Taylon Silmer Lacerda Silva <taylonsilva@gmail.com> + + * po/pt_BR.po: Updated translations. + +2008-09-30 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_lastlog/pam_lastlog.8.xml: Document new options + noupdate and showfailed. + * modules/pam_lastlog/pam_lastlog.c(pam_parse): Recognize the new + options. 
+ (last_login_read): New output parameter lltime. Do not display + the last login message if it would be empty. + (last_login_date): New output parameter lltime. Do not write the + last login info when LASTLOG_UPDATE is not set. + (last_login_failed): New function to display the last bad login + attempt from btmp. + (pam_sm_open_session): Obtain lltime from last_login_date() and + call last_login_failed() when appropriate. + + * po/Linux-pam.pot: Updated strings to translate. + * po/*.po: Likewise. + +2008-09-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_echo/pam_echo.8.xml: Fix format error. + +2008-09-25 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_tally/pam_tally.c(get_tally): Fix syslog message. + (tally_check): Open faillog read only. Close file descriptor. + Fix typos in messages. + +2008-09-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mail/pam_mail.c (report_mail): Fix logic of + "quiet" option (Patch from Andreas Henriksson <andreas@fatal.se>) + + * modules/pam_mail/pam_mail.8.xml: Fix typo. + +2008-09-23 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_limits/limits.conf.5.xml: Comment that rss limit is + ignored. + +2008-09-19 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_cracklib/pam_cracklib.8.xml: Fix description + of the palindrome test. Document new options maxrepeat and + reject_username. + * modules/pam_cracklib/pam_cracklib.c(_pam_parse): Parse + the maxrepeat and reject_username options. + (password_check): Call the new tests usercheck() and + consecutive(). + (_pam_unix_approve_pass): Pass user name to the password_check(). + +2008-09-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.8.xml: Fix typo. + + * modules/pam_unix/pam_unix.8.xml: Fix typo. + +2008-09-03 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_exec/pam_exec.c: Expose authtok if requested, + provide environment variable containing service type. + * modules/pam_exec/pam_exec.8.xml: Document new option. 
+ +2008-08-29 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_loginuid/pam_loginuid.c(set_loginuid): Uids + are unsigned. + +2008-08-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * Makefile.am (M4_FILES): Adjust list. + + * modules/pam_access/pam_access.8.xml: Fix module service + vs. module type. + * modules/pam_cracklib/pam_cracklib.8.xml: Likewise. + * modules/pam_debug/pam_debug.8.xml: Likewise. + * modules/pam_deny/pam_deny.8.xml: Likewise. + * modules/pam_echo/pam_echo.8.xml: Likewise. + * modules/pam_env/pam_env.8.xml: Likewise. + * modules/pam_exec/pam_exec.8.xml: Likewise. + * modules/pam_faildelay/pam_faildelay.8.xml: Likewise. + * modules/pam_filter/pam_filter.8.xml: Likewise. + * modules/pam_ftp/pam_ftp.8.xml: Likewise. + * modules/pam_group/pam_group.8.xml: Likewise. + * modules/pam_issue/pam_issue.8.xml: Likewise. + * modules/pam_keyinit/pam_keyinit.8.xml: Likewise. + * modules/pam_lastlog/pam_lastlog.8.xml: Likewise. + * modules/pam_limits/pam_limits.8.xml: Likewise. + * modules/pam_listfile/pam_listfile.8.xml: Likewise. + * modules/pam_localuser/pam_localuser.8.xml: Likewise. + * modules/pam_loginuid/pam_loginuid.8.xml: Likewise. + * modules/pam_mail/pam_mail.8.xml: Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.8.xml: Likewise. + * modules/pam_motd/pam_motd.8.xml: Likewise. + * modules/pam_namespace/pam_namespace.8.xml: Likewise. + * modules/pam_nologin/pam_nologin.8.xml: Likewise. + * modules/pam_permit/pam_permit.8.xml: Likewise. + * modules/pam_rhosts/pam_rhosts.8.xml: Likewise. + * modules/pam_rootok/pam_rootok.8.xml: Likewise. + * modules/pam_securetty/pam_securetty.8.xml: Likewise. + * modules/pam_selinux/pam_selinux.8.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. + * modules/pam_shells/pam_shells.8.xml: Likewise. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise. + * modules/pam_tally/pam_tally.8.xml: Likewise. + * modules/pam_time/pam_time.8.xml: Likewise. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. 
+ * modules/pam_umask/pam_umask.8.xml: Likewise. + * modules/pam_unix/pam_unix.8.xml: Likewise. + * modules/pam_userdb/pam_userdb.8.xml: Likewise. + * modules/pam_warn/pam_warn.8.xml: Likewise. + * modules/pam_wheel/pam_wheel.8.xml: Likewise. + * modules/pam_xauth/pam_xauth.8.xml: Likewise. + +2008-08-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Add version for gettext, add search path + for m4 directory, fix handling of --disable-* options. + Patches from Diego Pettenò <flameeyes@gmail.com>. + + * configure.in: Run autoupdate on it. + + * acincludde.m4: Rename to ... + * m4/jh_path_xml_catalog.m4: ... this. + + * m4/*.m4: Remove all autoconf m4 files. + +2008-07-29 Steve Langasek <vorlon@debian.org> + + * modules/pam_cracklib/pam_cracklib.8.xml: correct a typo, + "Only he" -> "Only the" + +2008-07-28 Steve Langasek <vorlon@debian.org> + + * libpamc/test/regress/test.libpamc.c: use standard u_int8_t + type instead of __u8, as elsewhere. + Patch from Roger Leigh <rleigh@debian.org>. + * modules/pam_unix/passverify.c: make save_old_password() + thread-safe by using pam_modutil_getpwnam() instead of getpwnam() + * modules/pam_unix/passverify.c, modules/pam_unix/passverify.h, + modules/pam_unix/pam_unix_passwd.c: add pamh argument to + save_old_password() + +2008-07-27 Steve Langasek <vorlon@debian.org> + + * modules/pam_*/pam_*.8.xml: fix up the references to pam.d, + which is in manpage section 5, not 8. + * modules/pam_env/environment, modules/pam_env/pam_env.8.xml: + spelling fix, seperate -> separate + +2008-07-26 Steve Langasek <vorlon@debian.org> + + * modules/pam_env/pam_env.c: Fix module to skip over + non-alphanumeric variable names, and to handle the case when + asked to delete a non-existent variable. + +2008-07-13 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_mail/pam_mail.8.xml: Module supports session and + not account service (#1980773). 
+ +2008-07-11 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Do + not close the pipe descriptor in borderline case (#2009766). + * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): + Likewise. + * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. + * modules/pam_unix/support.h: Define upper limit of fds we will + attempt to close. + + * modules/pam_selinux/pam_selinux.c (config_context): Do not + ask for the level if use_current_range is set. + (context_from_env): New function to obtain the context from + PAM environment variables. + (pam_sm_open_session): Call context_from_env() if env_params option + is present. use_current_range now modifies behavior of the + context_from_env and config_context options. + * modules/pam_selinux/pam_selinux.8.xml: Describe the env_params + option. Adjust description of use_current_range option. + +2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_exec/pam_exec.c (call_exec): Move all variable + declaration to begin of a block (#1976310). + + * xtests/tst-pam_group1.c (run_test): Move no_grps declaration + to begin of function (#1976310). + + * modules/pam_securetty/pam_securetty.8.xml: Replace + PAM_IGNORE with PAM_USER_UNKNOWN (#1994330). + + * modules/pam_tally/pam_tally.c: Add support for silent and + no_log_info options. + * modules/pam_tally/pam_tally.8.xml: Document silent and + no_log_info options. + +2008-07-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/passverify.c (verify_pwd_hash): Adjust debug + statement. + +2008-06-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/unix_chkpwd.c (main): Fix compiling without + audit support. + + * modules/pam_cracklib/pam_cracklib.8.xml: Fix typo in ucredit + description (reported by Wayne Pollock <pollock@acm.org>) + +2008-06-19 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): + Detect configuration errors. 
Fail on incomplete condition. + +2008-05-20 Tomas Mraz <t8m@centrum.cz> + + * configure.in: Work correctly with autoconf-2.62. + +2008-05-19 Tomas Mraz <t8m@centrum.cz> + + * doc/man/pam_getenv.3.xml: Correct the pam_getenv documentation. + + * doc/man/pam_prompt.3.xml: Add missing description. + +2008-05-14 Kjartan Maraas <kmaraas@gnome.org> + + * po/nb.po: Updated translation. + +2008-05-14 Sulyok Péter <peti@sulyok.hu> + + * po/hu.po: Updated translation. + +2008-05-14 Tomas Mraz <t8m@centrum.cz> + + * libpam/pam_modutil_getgrgid.c: Replace hardcoded constant with + define PWD_LENGTH_SHIFT. + * libpam/pam_modutil_getgrnam.c: Likewise. + * libpam/pam_modutil_getpwnam.c: Likewise. + * libpam/pam_modutil_getpwuid.c: Likewise. + * libpam/pam_modutil_getspnam.c: Likewise. + * libpam/pam_modutil_private.h: Adjust values for PWD_ constants. + + * modules/pam_unix/pam_unix_passwd.c(pam_sm_chauthtok): Unset authtok + item when password is not approved. + * modules/pam_unix/support.c(_unix_read_password): UNIX_USE_FIRST_PASS + is always set when UNIX_AUTHTOK is set, change order of conditions. + +2008-05-02 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_selinux/pam_selinux.c(query_response): Add handling + for NULL response. + (manual_context): Handle failed query_response() properly. Rename + variable responses to response which is more correct name. + (config_context): Likewise. + (pam_sm_open_session): Do not base decision on whether there is a tty. + +2008-04-22 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_selinux/pam_selinux.c(pam_sm_close_sesion): Fix + regression from the change from 2008-03-20. setexeccon() must be + called also with NULL prev_context. + +2008-04-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_access/access.conf.5.xml: Document changed behavior + of LOCAL keyword. + * modules/pam_access/pam_access.c: Add from_remote_host to + struct login_info to change behavior of LOCAL keyword: if + PAM_RHOST is not set, LOCAL will be true. 
+ +2008-04-18 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_namespace/pam_namespace.c: New functions + unprotect_dirs(), cleanup_protect_data(), protect_mount(), + protect_dir() to protect directory by bind mount. + (cleanup_data): Renamed to cleanup_polydir_data(). + (parse_create_params): Allow missing specification of mode + or owner. + (check_inst_parent): Call protect_dir() on the instance parent + directory. The directory is created when it doesn't exist. + (create_polydir): Protect and make the polydir by protect_dir(), + remove potential races. + (create_dirs): Renamed to create_instance(), remove call to + inst_init(). + (ns_setup): Call protect_dir() on the polydir if it already exists. + Call inst_init() after the polydir is mounted. + (setup_namespace): Set the namespace protect data to be cleaned up + on pam_close_session()/pam_end(). + (pam_sm_open_session): Initialize the protect_dirs. + (pam_sm_close_session): Cleanup namespace protect data. + * modules/pam_namespace/pam_namespace.h: Define struct for the + stack of protected dirs. + * modules/pam_namespace/pam_namespace.8.xml: Document when the + instance init script is called. + * modules/pam_namespace/namespace.conf.5.xml: Likewise. + +2008-04-17 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.c(myhostname): Removed function. + (user_match): Supply hostname of the machine to the netgroup_match(). + Use hostname from the loginfo instead of calling myhostname(). + (pam_sm_authenticate): Call gethostname() to fill hostname in the + loginfo. + + * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Do not try + to lock if euid != 0. + +2008-04-16 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/Makefile.am: Link unix_chkpwd with libaudit. + * modules/pam_unix/unix_chkpwd.c(_audit_log): New function for audit. + (main): Call _audit_log() when appropriate. + + * modules/pam_cracklib/pam_cracklib.c(_pam_parse): Recognize also + try_first_pass and use_first_pass options. 
+ (pam_sm_chauthtok): Implement the new options. + +2008-04-08 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_xauth/pam_xauth.c(run_coprocess): Avoid multiple + calls to sysconf() (based on patch by Sami Farin). + + * libpam/pam_item.c (TRY_SET): Do not set when destination + is identical to source. + (pam_set_item): Do not overwrite destination when it + is identical to source. + +2008-04-07 Miloš Komarčević <kmilos@gmail.com> + + * po/sr.po: New file with translation. + * po/sr@latin.po: Likewise. + * po/LINGUAS: Add sr and sr@latin. + +2008-04-03 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 1.0.0 + + * configure.in: Set version number to 1.0.0. + * libpam/Makefile.am: Bump patchlevel of libpam. + * doc/adg/Linux-PAM_ADG.xml: Update version/date. + * doc/mwg/Linux-PAM_MWG.xml: Likewise. + * doc/sag/Linux-PAM_SAG.xml: Likewise. + +2008-03-31 Dan Walsh <dwalsh@redhat.com> + + * modules/pam_sepermit/pam_sepermit.c(sepermit_lock): Mark lock fd to + be closed on exec. + +2008-03-25 Leah Liu <lliu@redhat.com> + + * po/zh_CN.po: Updated translation. + +2008-03-20 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_namespace/pam_namespace.c(poly_name): Switch to USER + method only when appropriate. + (setup_namespace): Do not umount when not mounted with RUSER. + + * modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Call + freecontext() after the context is logged not before. + +2008-03-18 Canniot Thomas <thomas.canniot@mrtomlinux.org> + + * po/fr.po: Updated translation. + +2008-03-13 Ankit Patel <ankit@redhat.com> + + * po/gu.po: Updated translation. + +2008-03-05 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Avoid + unnecessary x_strdup() of resp. + * modules/pam_ftp/pam_ftp(pam_sm_authenticate): Call _pam_overwrite() + before dropping password resp. + +2008-03-03 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_selinux/pam_selinux.c: Do not translate syslog messages. + * po/Linux-PAM.pot: Update. 
+ + * libpam/pam_item.c(RESET): Rename to TRY_SET, handle strdup failure. + (pam_set_item): Use TRY_SET() also for PAM_AUTHTOK and PAM_OLDAUTHTOK. + Handle allocation failure for PAM_XAUTHDATA. + (pam_get_user): Return error when conversation returns NULL user. + Call pam_set_item() instead of RESET(). + +2008-02-26 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/Makefile.am: Do not link to cracklib. + * modules/pam_unix/pam_unix_passwd.c(_pam_unix_approve_pass): + Do not call FascistCheck() from cracklib. + +2008-02-29 Fabian Affolter <fab@fedoraproject.org> + + * po/de.po: Updated translation. + +2008-02-28 Piotr Drąg <piotrdrag@gmail.com> + + * po/pl.po: Updated translation. + +2008-02-26 Tomas Mraz <t8m@centrum.cz> + + * po/LINUGAS: New languages added. + * po/es.po: Updated translations. + * po/fr.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/nl.po: Likewise. + * po/pl.po: Likewise. + * po/pt_BR.po: Likewise. + * po/ru.po: Likewise. + * po/zh_CN.po: Likewise. + * po/as.po: New file. + * po/gu.po: Likewise. + * po/hi.po: Likewise. + * po/kn.po: Likewise. + * po/ko.po: Likewise. + * po/ml.po: Likewise. + * po/or.po: Likewise. + * po/si.po: Likewise. + * po/ta.po: Likewise. + +2008-02-21 Tomas Mraz <t8m@centrum.cz> + + * libpam/pam_audit.c (_pam_audit_writelog): Silence syslog + message on non-error return. + + * modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged + user when checking password of another user. + * modules/pam_unix/unix_update.c: Fix comment. + +2008-02-18 Dmitry V. Levin <ldv@altlinux.org> + + * libpam/pam_handlers.c (_pam_assemble_line): Fix potential + buffer overflow. + * xtests/tst-pam_assemble_line1.pamd: New test for + _pam_assemble_line. + * xtests/tst-pam_assemble_line1.sh: New script for + tst-pam_assemble_line1. + * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line1. 
+ (EXTRA_DIST): Add tst-pam_assemble_line1.pamd and + tst-pam_assemble_line1.sh + + * modules/pam_exec/pam_exec.c (call_exec): Fix asprintf return + code check. + +2008-02-13 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.10.0 + + * configure.in: set version number. + + * modules/pam_rhosts/Makefile.am: Remove pam_rhosts_auth. + * modules/pam_rhosts/pam_rhosts_auth.c: Removed. + * modules/pam_rhosts/tst-pam_rhosts_auth: Removed. + + * modules/pam_namespace/Makefile.am (noinst_HEADERS): Add + pam_namespace.h. + +2008-02-13 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d + dir. + * modules/pam_namespace/argv_parse.c: New file. + * modules/pam_namespace/argv_parse.h: New file. + * modules/pam_namespace/namespace.conf.5.xml: Document new features. + * modules/pam_namespace/pam_namespace.8.xml: Likewise. + * modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define. + Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags + and polydir flags. + (polydir_s): Add rdir, replace exclusive with flags, add init_script, + owner, group, and mode. + (instance_data): Add ruser, gid, and ruid. + * modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent(). + (add_polydir_entry): Add the entry directly, no copy. + (del_polydir): New function. + (del_polydir_list): Call del_polydir(). + (expand_variables, parse_create_params, parse_iscript_params, + parse_method): New functions. + (process_line): Call expand_variables() on polydir and instance prefix. + Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap. + (parse_config_file): Parse .conf files from namespace.d dir after + namespace.conf. + (form_context): Call getcon() or get_default_context_with_level() when + appropriate flags are set. + (poly_name): Handle shared polydir flag. + (inst_init): Execute non-default init script when specified. + (create_polydir): New function. 
+ (create_dirs): Remove the code which checks the polydir. Do not call + inst_init() when noinit flag is set. + (ns_setup): Check the polydir and eventually create it if the create flag + is set. + (setup_namespace): Use ruser uid from idata. Set the namespace polydir + pam data only when namespace was set up correctly. Unmount polydir + based on ruser. + (get_user_data): New function. + (pam_sm_open_session): Check for use_current_context and + use_default_context options. Call get_user_data(). + (pam_sm_close_session): Call get_user_data(). + +2008-02-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/de.po: Translate some more strings. + +2008-02-05 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/unix_update.c: Remove unused declarations. + +2008-02-04 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct. + * modules/pam_sepermit/pam_sepermit.c: Fix typo. + * modules/pam_sepermit/Makefile.am: Install config file only + if we build the module. + + * README: Add --disable-pie to configure options for static library. + + * doc/man/Makefile.am: Fix building outside of src directory. + + * libpam/Makefile.am: Bump version number of libpam. + + * modules/Makefile.am: Add pam_sepermit. + + * doc/Makefile.am: Fix build out of source directory. + + * po/POTFILES.in: Add pam_sepermit.c. + + * modules/pam_exec/pam_exec.c: Set PAM environment variables and + add 'quiet' option. + * modules/pam_exec/pam_exec.8.xml: Document new behavior. + Patch from Julien Lecomte <julien@lecomte.at>. + +2008-02-01 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_namespace/namespace.conf.5.xml: Add documentation for + tmpfs and tmpdir polyinst and for ~ user list modifier. + * modules/pam_namespace/namespace.init: Add documentation for the + new init parameter. Add home directory initialization script. + * modules/pam_namespace/pam_namespace.8.xml: Document the new + init parameter of the namespace.init script. 
+ * modules/pam_namespace/pam_namespace.c(copy_ent): Copy exclusive flag. + (cleanup_data): New function. + (process_line): Set exclusive flag. Add tmpfs and tmpdir methods. + (ns_override): Change behavior on the exclusive flag. + (poly_name): Process tmpfs and tmpdir methods. + (inst_init): Add flag for new directory initialization. + (create_dirs): Process the tmpdir method, add the new directory + flag. + (ns_setup): Remove unused code. Process the tmpfs method. + (cleanup_tmpdirs): New function. + (setup_namespace): Set data for proper cleanup. Cleanup the tmpdirs + on failures. + (pam_sm_close_session): Instead of parsing the config file again use + the previously set data for cleanup. + * modules/pam_namespace/pam_namespace.h: Add TMPFS and TMPDIR methods + and exclusive flag. + +2008-01-29 Tomas Mraz <t8m@centrum.cz> + + * configure.in: Test for setkeycreatecon needs libselinux. + Add new module pam_sepermit. + * modules/Makefile.am: Add new module pam_sepermit. + * modules/pam_sepermit/.cvsignore: New file. + * modules/pam_sepermit/Makefile.am: Likewise. + * modules/pam_sepermit/README.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.c: Likewise. + * modules/pam_sepermit/sepermit.conf: Likewise. + * modules/pam_sepermit/tst-pam_sepermit: Likewise. + * doc/sag/pam_sepermit.xml: Likewise. + + * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG. + +2008-01-29 Miloslav Trmac <mitr@redhat.com> + + * modules/pam_tty_audit/README.xml: Add notes section. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns + support and open_only option. Add notes. + * modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add + support for pattern matching and the open_only option. + +2008-01-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_audit.c: Include pam_modutil_private.h. + + * libpam/pam_item.c (pam_set_item): Fix compiler warning. 
+ + * libpam/pam_end.c (pam_end): Cast to correct pointer type. + * libpam/include/security/_pam_macros.h (_pam_overwrite_n): Use + unsigned int. + + * modules/pam_unix/passverify.c: Fix compiling without SELinux + support. + +2008-01-24 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when + available. + * modules/pam_unix/passverify.c (strip_hpux_aging): New function + to strip HP/UX aging info from password hash. + (verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when + available. + +2008-01-23 Tomas Mraz <t8m@centrum.cz> + + * configure.in: Add test for crypt_r(). Add setting/disabling random + device support. + + * modules/pam_unix/Makefile.am: Add unix_update.8 manpage generated from + XML, generate also unix_chkpwd.8 from XML. + * modules/pam_unix/pam_unix_acct.c: Add rounds parameter to _set_ctrl(). + * modules/pam_unix/pam_unix_auth.c: Likewise. + * modules/pam_unix/pam_unix_sess.c: Likewise. + * modules/pam_unix/pam_unix_passwd.c: Likewise. + * modules/pam_unix/support.c(_set_ctrl): Likewise. + * modules/pam_unix/support.h: Likewise. Add UNIX_SHA256_PASS, + UNIX_SHA512_PASS, and UNIX_ALGO_ROUNDS ctrls. + (pam_sm_chauthtok): Refactor out new password encryption. + * modules/pam_unix/passverify.c(crypt_make_salt): New function. + (crypt_md5_wrapper): Call crypt_make_salt(). + (create_password_hash): New function refactored out of + pam_sm_chauthtok(). Support for new password hashes. + * modules/pam_unix/passverify.h: Drop ascii_to_bin() and bin_to_ascii() + macros. Add prototype for create_password_hash(). + * modules/pam_unix/unix_update.8.xml: New file. + * modules/pam_unix/unix_chkpwd.8.xml: Likewise. + + * modules/pam_unix/Makefile.am: Add unix_update helper. + * modules/pam_unix/pam_unix_passwd.c: Move functions i64c(), + crypt_md5_wrapper(), save_old_password(), _update_passwd() and + _update_shadow() to passverify.c file. 
Rename _unix_run_shadow_binary() + to _unix_run_update_binary(), which also verifies old password and + does all writing. + (_do_setpass, pam_sm_chauthtok): lckpwdf()->lock_pwdf(), the same for unlock. + Call _unix_run_update_binary() appropriately. + _update_passwd()->unix_update_passwd(), the same for shadow. + * modules/pam_unix/passverify.c: Add new functions moved from + pam_unix_passwd.c and unix_chkpwd.c. + * modules/pam_unix/passverify.h: Likewise. + * modules/pam_unix/unix_chkpwd.c: Remove SELinux checks. Move + su_sighandler(), setup_signals(), getuidname() to passverify.c. + (main): Remove 'shadow' option. Refactor out read_passwords() and + call it. More strict checking how the binary is called. + * modules/pam_unix/unix_update.c: New helper binary - non-setuid, + called from SELinux confined apps only. + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Return + status and daysleft instead of fake shadow entry. + (pam_sm_acct_mgmt): Call _unix_run_verify_binary() appropriately. + * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Call + get_account_info() and check_shadow_expiry(). + * modules/pam_unix/support.h: Adjust _unix_run_verify_binary() + prototype. + * modules/pam_unix/support.c (_unix_run_helper_binary): Remove check + on selinux enabled/disabled. + * modules/pam_unix/unix_chkpwd.c (_verify_account): Rename to + _check_expiry(), now checks shadow expiry info. + (main): Remove check on selinux enabled/disabled. Check shadow + expiry through _check_expiry(). + + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Call + get_account_info() and check_shadow_expiry(). + * modules/pam_unix/passverify.c: Add get_account_info() to + obtain shadow and passwd entry. Add check_shadow_expiry() to + for shadow password expiry check. + (get_pwd_hash): Call get_account_info(). + * modules/pam_unix/passverify.h: Add prototypes for get_account_info() + and check_shadow_expiry(). 
+ +2008-01-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/Makefile.am: Fix manual page dependencies, + add hack for bug in xsl stylestheets. + +2008-01-07 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/it.po: Fix typos. + * po/de.po: Few new translations. + * po/POTFILES.in: Add pam_tty_audit.c and passverify.c. + * doc/man/pam_xauth_data.3.xml: Added to CVS. + * doc/man/pam_xauth_data.3: Likewise. + * modules/pam_tty_audit/README: Likewise. + * modules/pam_tty_audit/pam_tty_audit.8: Likewise. + * po/sv.po: Update swedish translation [#1857531]. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix + cut & paste error [#1863490]. + +2008-01-02 Petteri Räty <betelgeuse@gentoo.org> + * modules/pam_limits/limits.conf: document allowed values for + nice. + * modules/pam_limits/limits.conf.5.xml: Likewise. + +2007-12-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * README: Document how to run make check with static modules + (SF#1822779). + +2007-12-18 Peter Breitenlohner <peb@mppmu.mpg.de> + * README: Document that "make check" requires a file + /etc/pam.d/other (SF#1822764). + +2007-12-12 Eamon Walsh <ewalsh@tycho.nsa.gov> + + * doc/man/pam_item_types_ext.inc.xml: More appropriate wording + for PAM_XDISPLAY doc. + +2007-12-07 Tomas Mraz <t8m@centrum.cz> + + * po/cs.po: Updated translations. + + * libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version. + * libpam/pam_audit.c: Add _pam_audit_open() and + pam_modutil_audit_write(). + (_pam_auditlog): Call _pam_audit_open(). + * libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write(). + * modules/pam_access/pam_access.8.xml: Add noaudit option. + Document auditing. + * modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and + only_new_group_syntax variables to struct login_info. Add noaudit + member. + (_parse_args): Adjust for the move of variables and add support for + noaudit option. + (group_match): Add debug parameter. + (string_match): Likewise. + (network_netmask_match): Likewise. 
+ (login_access): Adjust for the move of variables. Add nonall_match. + Add call to pam_modutil_audit_write(). + (list_match): Adjust for the move of variables. + (user_match): Likewise. + (from_match): Likewise. + (pam_sm_authenticate): Call _parse_args() earlier. + * modules/pam_limits/pam_limits.8.xml: Add noaudit option. + Document auditing. + * modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option. + (setup_limits): Call pam_modutil_audit_write(). + * modules/pam_time/pam_time.8.xml: Add debug and noaudit options. + Document auditing. + * modules/pam_time/pam_time.c: Add option parsing (_pam_parse()). + (check_account): Call _pam_parse(). Call pam_modutil_audit_write() + and pam_syslog() on login denials. + +2007-12-07 Luca Bruno <luca.br@uno.it> + + * po/it.po: Updated translations. + +2007-12-06 Eamon Walsh <ewalsh@tycho.nsa.gov> + + * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n() + macro. + * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY, + PAM_XAUTHDATA items, pam_xauth_data struct. + * libpam/pam_item.c (pam_set_item, pam_get_item): Handle + PAM_XDISPLAY and PAM_XAUTHDATA items. + * libpam/pam_end.c (pam_end): Destroy the new items. + * libpam/pam_private.h (pam_handle): Add data members for new + items. Add prototype for _pam_memdup. + * libpam/pam_misc.c: Add _pam_memdup. + * doc/man/Makefile.am: Add pam_xauth_data.3. Replace + pam_item_types.inc.xml with pam_item_types_std.inc.xml and + pam_item_types_ext.inc.xml. + * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml + with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml. + * doc/man/pam_set_item.3.xml: Likewise. + * doc/man/pam_item_types.inc.xml: Removed file. + * doc/man/pam_item_types_ext.inc.xml: New file. + * doc/man/pam_item_types_std.inc.xml: New file. + +2007-12-06 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example. 
+ +2007-12-05 Miloslav Trmac <mitr@redhat.com> + + * configure.in: Add test for audit_tty_status struct. Add + pam_tty_audit module. + * libpam/pam_static_modules.h: Add pam_tty_audit module. + * modules/pam_tty_audit/Makefile.am: New file. + * modules/pam_tty_audit/README.xml: Likewise. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. + * modules/pam_tty_audit/pam_tty_audit.c: Likewise. + +2007-12-05 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/Makefile.am: Add passverify.h and passverify.c + as first part of pam_unix refactorization. + * modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h. + * modules/pam_unix/pam_unix_passwd.c: Likewise. + * modules/pam_unix/passverify.c: New file with common functions. + * modules/pam_unix/passverify.h: Prototypes for the common functions. + * modules/pam_unix/support.c: Include passverify.h, move + _unix_shadowed() to passverify.c. + (_unix_verify_password): Refactor out verify_pwd_hash() function. + * modules/pam_unix/support.h: Move _unix_shadowed() prototype to + passverify.h + * modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and + verify_pwd_hash() from passverify.c. + +2007-11-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/Makefile.am (unix_chkpwd_LDADD): Don't link + unix_chkpwd unnecessary against libpam (#1822779). + + * modules/pam_tally/pam_tally.c (tally_log): Map + pam_modutil_getpwnam to getpwnam if we don't compile + as module. + * modules/pam_tally/Makefile.am: Don't link pam_tally_app + against libpam (#1822779). + +2007-11-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/tst-pam_group1.c: Include stdlib.h + * xtests/tst-pam_succeed_if1.c: Likewise. + * xtests/tst-pam_limits1.c: Likewise. + * xtests/tst-pam_access1.c: Likewise. + * xtests/tst-pam_access2.c: Likewise. + * xtests/tst-pam_access3.c: Likewise. + * xtests/tst-pam_access4.c: Likewise. + * xtests/tst-pam_unix1.c: Likewise. + * xtests/tst-pam_unix2.c: Likewise. + * xtests/tst-pam_unix3.c: Likewise. 
+ * xtests/tst-pam_cracklib1.c: Likewise. + * xtests/tst-pam_cracklib2.c: Likewise. + + * libpam/pam_static_modules.h: Fix name of pam_namespace variable. + +2007-11-01 Peter Breitenlohner <peb@mppmu.mpg.de> + + * doc/man/pam_conv.3.xml: Correct typo. + +2007-10-30 Peter Breitenlohner <peb@mppmu.mpg.de> + + * modules/pam_rhosts/pam_rhosts_auth.c (__icheckhost): Correct + misplaced parenthesis. + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Prevent use of + dngettext() when NLS is disabled. + * modules/pam_exec/pam_exec.c (call_exec): Avoid gcc warning. + * doc/specs/parse_y.y (set_label, new_counter): Break trigraphs to + avoid gcc warning. + * modules/pam_wheel/pam_wheel.c: Remove excessive initializer + elements. + + * modules/pam_cracklib/pam_cracklib.8.xml: Correct typo. + * modules/pam_limits/limits.conf.5.xml: Likewise. + * modules/pam_listfile/pam_listfile.8.xml: Likewise. + * modules/pam_xauth/pam_xauth.8.xml: Likewise. + + * modules/pam_deny/pam_deny.8.xml: Correct spelling. + * modules/pam_group/pam_group.8.xml: Likewise. + * modules/pam_permit/pam_permit.8.xml: Likewise. + * modules/pam_shells/pam_shells.8.xml: Likewise. + * modules/pam_time/pam_time.8.xml: Likewise. + * modules/pam_warn/pam_warn.8.xml: Likewise. + + * tests/tst-dlopen.c: Return 77 in case of static modules, such that + all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL. + * libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead + of "`ls ...`", to allow for static modules. + * libpam/pam_static_modules.h: Make pam_keyinit module depend on + HAVE_KEY_MANAGEMENT; correct name of pam_faildelay pam_module struct. + * modules/pam_faildelay/pam_faildelay.c: Correct name of pam_module + struct. 
+ +2007-10-25 Steve Langasek <vorlon@debian.org> + + * modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT + to be octal instead of decimal, so that it works properly in a + bit field instead of forcing the "even_deny_root_account" and + "no_reset" options to on. + Patch from Corey Wright <undefined@pobox.com>. + +2007-10-19 Tomas Mraz <t8m@centrum.cz> + + * xtests/tst-pam_access1.c: Use different name for user and group. + * xtests/tst-pam_access1.sh: Likewise. + * xtests/tst-pam_access2.c: Likewise. + * xtests/tst-pam_access2.sh: Likewise. + * xtests/tst-pam_access4.c: Likewise. + * xtests/tst-pam_access4.sh: Likewise. + * xtests/group.conf: Likewise. + * xtests/tst-pam_group1.c: Likewise. + * xtests/tst-pam_group1.sh: Likewise. + + * libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks, + record substack level, skip over virtual substack modules, implement + evaluation of done, die, reset and jumps in substacks. Also fixes + too far jumps in substacks. + * libpam/pam_end.c (pam_end): Drop substack evaluation states. + * libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level + parameter, instead of must_fail use handler_type needed for virtual + substack modules. + (_pam_load_conf_file): Add substack level parameter. + (_pam_init_handlers): Substack level parameter added to + _pam_parse_conf_file() calls. + (_pam_load_module): New function. + (_pam_add_handler): Refactor code into the _pam_load_module(). Add + support for virtual substack modules. + * libpam/pam_private.h: Rename must_fail to handler_type, add stack_level + to struct handler. Define handler type constants. Add struct + for substack evaluation states. Define constant for maximum + substack level. Add substack states pointer to former state struct. + * libpam/pam_start.c (pam_start): Initialize pointer to substack states. + * doc/man/pam.conf-syntax.xml: Document substack control. + * xtests/Makefile.am: Add new tests for substack evaluation. 
+ * xtests/run_xtests.sh: Support multiple .pamd files in a test. + * xtests/tst-pam_authfail.pamd: New tests for substack evaluation. + * xtests/tst-pam_authsucceed.pamd: Likewise. + * xtests/tst-pam_substack1.pamd: Likewise. + * xtests/tst-pam_substack1a.pamd: Likewise. + * xtests/tst-pam_substack1.sh: Likewise. + * xtests/tst-pam_substack2.pamd: Likewise. + * xtests/tst-pam_substack2a.pamd: Likewise. + * xtests/tst-pam_substack2.sh: Likewise. + * xtests/tst-pam_substack3.pamd: Likewise. + * xtests/tst-pam_substack3a.pamd: Likewise. + * xtests/tst-pam_substack3.sh: Likewise. + * xtests/tst-pam_substack4.pamd: Likewise. + * xtests/tst-pam_substack4a.pamd: Likewise. + * xtests/tst-pam_substack4.sh: Likewise. + * xtests/tst-pam_substack5.pamd: Likewise. + * xtests/tst-pam_substack5a.pamd: Likewise. + * xtests/tst-pam_substack5.sh: Likewise. + +2007-10-18 Tomas Mraz <t8m@centrum.cz> + + * xtests/tst-pam_dispatch4.c: Fix comment about the test. + * xtests/tst-pam_dispatch4.pamd: Improve the testcase. + * xtests/tst-pam_cracklib2.c: Make the testcase more robust. + +2007-10-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/Makefile.am: Add tst-pam_dispatch5 sources + * xtests/tst-pam_dispatch5.c: New test for jump too far. + * xtests/tst-pam_dispatch5.pamd: New test configuration. + +2007-10-09 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_tally/pam_tally.8.xml: Document audit option + correctly. + +2007-10-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.9.0 + + * configure.in: Increase vesion number. + + * libpam/Makefile.am: Increase release number. + * libpam_misc/Makefile.am: Increase release number. + + * po/*.po: Regenerate. + +2007-10-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_time/pam_time.c (is_same): Length of strings without + wildcard needs to be the same. + * modules/pam_group/pam_group.c (is_same): Likewise. 
+ +2007-10-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/tst-pam_group1.c: New test case for user compare in pam_group. + * xtests/tst-pam_group1.sh: Script to run test case. + * xtests/tst-pam_group1.pamd: Config for test case. + * xtests/Makefile.am: Add tst-pam_group1 test case. + * xtests/run-xtests.sh: Save/restore group.conf. + * xtests/group.conf: New. + + * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Don't + free arguments used for putenv(). + + * doc/man/pam_putenv.3.xml: Document that application has to free + the memory. + +2007-09-27 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): Fix in + operator rhbz #295151. + * modules/pam_namespace/pam_namespace.c (poly_name): Do not try to + get context when SELinux is disabled. + +2007-09-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/tst-pam_succeed_if1.c: New test case for + https://bugzilla.redhat.com/show_bug.cgi?id=295151 + * xtests/tst-pam_succeed_if1.sh: Script to run test case. + * xtests/tst-pam_succeed_if1.pamd: Config for test case. + * xtests/Makefile.am: Add tst-pam_succeed_if1 test case. + + * xtests/run-xtests.sh: Add support to skip tests. + * xtests/tst-pam_limits1.c: Skip test if RLIMIT_NICE is not + defined. + +2007-09-03 Steve Langasek <vorlon@debian.org> + + * modules/pam_limits/pam_limits.c: remove a number of unnecessary + string manipulations, including a strncpy() that was acting on + overlapping memory. + + * libpam_misc/misc_conv.c: don't block SIGINT in misc_conv; it's + perfectly valid to allow the user to interrupt at a prompt. If + an application wants prompts to not be interruptable, the + application should take responsibility for blocking SIGINT. + +2007-09-02 Thorsten Kukuk <kukuk@thkukuk.de> + + * examples/Makefile.am: Fix usage of LIBADD, LDADD and LDFLAGS. + * libpam/Makefile.am: Likewise. + * modules/pam_access/Makefile.am: Likewise. + * modules/pam_cracklib/Makefile.am: Likewise. 
+ * modules/pam_debug/Makefile.am: Likewise. + * modules/pam_deny/Makefile.am: Likewise. + * modules/pam_echo/Makefile.am: Likewise. + * modules/pam_env/Makefile.am: Likewise. + * modules/pam_exec/Makefile.am: Likewise. + * modules/pam_faildelay/Makefile.am: Likewise. + * modules/pam_filter/Makefile.am: Likewise. + * modules/pam_filter/upperLOWER/Makefile.am: Likewise. + * modules/pam_ftp/Makefile.am: Likewise. + * modules/pam_group/Makefile.am: Likewise. + * modules/pam_issue/Makefile.am: Likewise. + * modules/pam_keyinit/Makefile.am: Likewise. + * modules/pam_lastlog/Makefile.am: Likewise. + * modules/pam_limits/Makefile.am: Likewise. + * modules/pam_listfile/Makefile.am: Likewise. + * modules/pam_localuser/Makefile.am: Likewise. + * modules/pam_loginuid/Makefile.am: Likewise. + * modules/pam_mail/Makefile.am: Likewise. + * modules/pam_mkhomedir/Makefile.am: Likewise. + * modules/pam_motd/Makefile.am: Likewise. + * modules/pam_namespace/Makefile.am: Likewise. + * modules/pam_nologin/Makefile.am: Likewise. + * modules/pam_permit/Makefile.am: Likewise. + * modules/pam_rhosts/Makefile.am: Likewise. + * modules/pam_rootok/Makefile.am: Likewise. + * modules/pam_securetty/Makefile.am: Likewise. + * modules/pam_selinux/Makefile.am: Likewise. + * modules/pam_shells/Makefile.am: Likewise. + * modules/pam_stress/Makefile.am: Likewise. + * modules/pam_succeed_if/Makefile.am: Likewise. + * modules/pam_tally/Makefile.am: Likewise. + * modules/pam_time/Makefile.am: Likewise. + * modules/pam_umask/Makefile.am: Likewise. + * modules/pam_unix/Makefile.am: Likewise. + * tests/Makefile.am: Likewise. + +2007-08-31 Steve Langasek <vorlon@debian.org> + + * modules/pam_group/group.conf: don't use "games" as an example + group, on some distros this is a pre-existing group that it would + be a security hole to give users access to. + +2007-08-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_limits/limits.conf.5.xml: Document that maxlogins + is ignored for users with UID 0. 
+ +2007-08-30 Steve Langasek <vorlon@debian.org> + + * modules/pam_unix/support.c, modules/pam_unix/unix_chkpwd.c: + A wrong username doesn't need to be logged at LOG_ALERT; + LOG_WARNING should be sufficient. + Patch from Sam Hartman <hartmans@debian.org>. + + * modules/pam_cracklib/pam_cracklib.c: + s/CRACKLIB_DICT/CRACKLIB_DICTS/, for consistency with existing + #define in pam_unix + +2007-08-29 Steve Langasek <vorlon@debian.org> + + * libpam/pam_modutil_getgrgid.c, libpam/pam_modutil_getgrnam.c, + libpam/pam_modutil_getpwnam.c, libpam/pam_modutil_getpwuid.c, + libpam/pam_modutil_getspnam.c: don't use pthread mutexes in libpam + unnecessarily; this avoids linking problems on non-Linux + platforms. + + * modules/pam_listfile/pam_listfile.c, modules/pam_listfile/README, + modules/pam_listfile/pam_listfile.8, + modules/pam_listfile/pam_listfile.8.xml: add a 'quiet' option to + avoid logging errors any time a user is refused service by this + module. + +2007-08-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_rhosts/pam_rhosts_auth.c: buflen needs to be size_t. + (__icheckhost): Cast to int32_t to fix limited range error. + + * modules/pam_cracklib/pam_cracklib.c: Mark cracklib_dictpath + as const. + +2007-08-29 Steve Langasek <vorlon@debian.org> + + * modules/pam_rhosts/pam_rhosts_auth.c: getline returns -1 at + EOF, not 0. Check accordingly to fix an infinite loop. Thanks + to Stephan Springl <springl-rhosts@bfw-online.de> for catching + this. + +2007-08-28 Steve Langasek <vorlon@debian.org> + + * configure.in: call AC_CHECK_HEADERS instead of AC_CHECK_HEADER + for crack.h, so we get a HAVE_CRACK_H define. + * modules/pam_cracklib/pam_cracklib.c: don't copy around the + cracklib dictpath into a fixed-width buffer, when we can just + point at the existing strings; and allow users to override the + default cracklib path with -DCRACKLIB_DICT, required for + compatibility with cracklib 2.7. 
+ +2007-08-27 Steve Langasek <vorlon@debian.org> + + * modules/pam_limits/pam_limits.c: when building on non-Linux + systems, give a warning only, not an error; no one seems to + remember why this error was here in the first place, but leave + something in that might still grab the attention of non-Linux + users. + Patch from Michal Suchanek <hramrach_l@centrum.cz>. + * configure.in, modules/pam_rhosts/pam_rhosts_auth.c: check for + the presence of net/if.h before using, required for Hurd + compatibility. + Patch from Igor Khavkine <i_khavki@alcor.concordia.ca>. + * modules/pam_limits/pam_limits.c: conditionalize the use of + RLIMIT_AS, which is not present on the Hurd. + Patch from Igor Khavkine <i_khavki@alcor.concordia.ca>. + * modules/pam_rhosts/pam_rhosts_auth.c: use getline() instead of + a static buffer when available; fixes the build on systems + without MAXHOSTNAMELEN (i.e., the Hurd). + * modules/pam_xauth/pam_xauth.c: make sure PATH_MAX is defined + before using it. + +2007-08-26 Andrew Morgan <morgan@kernel.org> + + * doc/man/pam.conf-syntax.xml + Minor fixes: '\[' -> '\]'. + +2007-08-25 Steve Langasek <vorlon@debian.org> + + * doc/man/pam.conf-syntax.xml, doc/man/pam.conf.5: + Document "new" control options conv_again and incomplete, supported + in pam.d's extended syntax. + Patch from Ben Collins <bcollins@debian.org>. + +2007-08-15 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.c (list_match): Add explicit + sptr argument for strtok_r, otherwise the code is not portable. + +2007-08-13 Olivier Blin <blino@mandriva.com> + + * doc/man/pam.3.xml: Fix typo. + * doc/man/pam.3: Likewise. + * doc/man/pam_end.3.xml: Likewise. + * doc/man/pam_end.3: Likewise. + +2007-07-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.8.1 + + * libpam/pam_audit.c: Include unistd.h for getuid(). + * libpam/Makefile.am: Bump version number. 
+ +2007-07-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_audit.c (_pam_audit_writelog): Don't return + error if application runs as normal user. Fixes regression + introduced with last change. + +2007-07-10 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Add --with-db-uniquename option to support + db libraries and functions with unique name extension. + Patch from Diego 'Flameeyes' Pettenò <flameeyes@gmail.com>. + + * modules/pam_limits/pam_limits.c: Include locale.h. + +2007-07-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.8.0 + + * configure.in: Check for audit_log_acct_message instead of + audit_log_user_message. + * libpam/pam_audit.c: Use audit_log_acct_message. + Based on patch from Mark J Cox <mjc@redhat.com>. + * libpam/Makefile.am: Bump version number of libpam. + + * modules/pam_umask/pam_umask.c (set_umask): mode_t is 32bit, + not 64bit. + + * xtests/tst-pam_limits1.c: Fix printf arguments. + + * po/*.po: Merge po files with latest code changes. + +2007-06-26 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_limits/pam_limits.c (process_limit): Check upper and + lower limit of nice value, fix off-by-one in conversation to rlim_t. + * xtests/Makefile.am: Add new pam_limits test case. + * xtests/limits.conf: New, config file for test case. + * xtests/pam_limits1.c: New, test case for RLIMIT_NICE. + * xtests/pam_limits1.sh: Likewise. + * xtests/pam_limits1.pamd: Likewise. + +2007-06-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_access/pam_access.c (list_match): Use saveptr of strtok_r + result for recursive calls. + * xtests/Makefile.am: Add new pam_access test cases. + * xtests/pam_access1.c: New test case. + * xtests/pam_access2.c: Likewise. + * xtests/pam_access3.c: Likewise. + * xtests/pam_access4.c: Likewise. + * xtests/pam_access1.sh: Wrapper to create user accounts. + * xtests/pam_access2.sh: Likewise. + * xtests/pam_access3.sh: Likewise. + * xtests/pam_access4.sh: Likewise. 
+ * xtests/pam_access1.pamd: PAM config file for pam_access tests. + * xtests/pam_access2.pamd: Likewise. + * xtests/pam_access3.pamd: Likewise. + * xtests/pam_access4.pamd: Likewise. + * xtests/access.conf: Config file for pam_access tests. + * xtests/run-tests.sh: Install access.conf into system. + +2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Print + better error message if /proc/self/loginuid cannot be opened. + + * modules/pam_limits/pam_limits.c (process_limit): Check for + variable overflow after multiplication [bnc#283001]. + + * modules/pam_access/pam_access.c: Add new syntax for groups + in access.conf to differentiate group names from account names. + Based on patch from Julien Lecomte <julien@famille-lecomte.net>, + solves feature request [#411390]. + * modules/pam_access/access.conf: Add example for new group + syntax. + * modules/pam_access/access.conf.5.xml: Document new syntax. + +2007-06-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.8.xml: Document new minclass + option. + * modules/pam_cracklib/pam_cracklib.c: Add support for minimum + character classes [#1688777]. Based on patch from Keith Schincke. + + * xtests/tst-pam_cracklib2.c: New, test case for minclass option. + * xtests/tst-pam_cracklib2.pamd: New, PAM config file for test case. + * xtests/Makefile.am: Add new testcase. + + * xtests/pam_cracklib.c: Fix comment what this application tests. + + * configure.in: Use /lib64 on x86-64, ppc64, s390x, sparc64 + +2007-06-15 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_selinux/pam_selinux.8.xml: Remove multiple option, + add select_context and use_current_range options. + * modules/pam_selinux/pam_selinux.c (send_audit_message): Added + function for auditing role/level changes. + (query_response): Add default response. + (select_context): Removed. + (manual_context): Query only role and level. + (mls_range_allowed): Added function for range check. 
+ (config_context): Added function for role and level override. + (pam_sm_open_session): Remove multiple option, add select_context + and use_current_range_options. Use getseuserbyname to obtain + SELinux user and level. Audit role/level changes. Call setkeycreatecon + to assign key creation context. Don't fail on errors when SELinux + is not in enforcing mode. + * configure.in: Check for setkeycreatecon(). + + * modules/pam_namespace/README.xml: Avoid duplication of + documentation. + * modules/pam_namespace/namespace.conf: More real life example + from MLS support. + * modules/pam_namespace/namespace.conf.5.xml: Likewise plus + properly describe how instance directory names are formed. + * modules/pam_namespace/namespace.init: Preserve euid when + called from setuid apps (su, newrole). + * modules/pam_namespace/pam_namespace.8.xml: Added option + no_unmount_on_close. + * modules/pam_namespace/pam_namespace.c (process_line): Polyinst + methods are now user, level and context. Fix crash on unknown + override user in config file. + (ns_override): Add explicit uid parameter. + (form_context): Skip for user method. Implement level based + polyinstantiation. + (poly_name): Initialize contexts. Add level based polyinst, + remove 'both' metod. Use raw contexts for instance names, + truncate long instance names and add hash. + (ns_setup): Hashing moved to poly_name(). + (setup_namespace): Handle correctly override users for + su (when unmnt_remnt is used). + (pam_sm_close_session): Added no_unmount_on_close option. + * modules/pam_namespace/pam_namespace.h: Added + no_unmount_on_close_option, level method, limit on instance + directory name length. + +2007-05-04 Thorsten Kukuk <kukuk@suse.de> + + * xtests/run-xtests.sh: Use SRCDIR to find PAM config files. + * xtests/Makefile.am: Call run-xtests.sh with srcdir as first + argument. + Based on patch by Bernard Leak <thisisnotapipe@hotmail.com>. 
+ +2007-04-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_limits/limits.conf: Address space limit is KB. + * modules/pam_limits/limits.conf.5.xml: Likewise. + Reported by Thomas Vander Stichele <thomas@apestaart.org>. + + * modules/pam_mail/pam_mail.c (_do_mail): Remove duplicate + check for PAM_SILENT and don't bail out if it is set [#1706247]. + +2007-03-29 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.c (login_access, list_match): + Replace strtok with strtok_r. + * modules/pam_cracklib/pam_cracklib.c (check_old_password): + Likewise. + * modules/pam_ftp/pam_ftp.c (lookup, pam_authenticate): + Likewise. + * modules/pam_unix/pam_unix_passwd.c (check_old_password, + save_old_password): Likewise. + + * modules/pam_limits/Makefile.am: Define limits.d dir and install it. + * modules/pam_limits/pam_limits.8.xml: Describe limits.d parsing. + * modules/pam_limits/pam_limits.c (pam_limit_s): Make conf_file ptr. + (pam_parse): conf_file is now ptr. + (pam_sm_open_session): Add parsing files from limits.d subdir using + glob, change pl to pointer. + +2007-03-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/ar.po: New translation. + * po/ca.po: Likewise. + * po/da.po: Likewise. + * po/ru.po: Likewise. + * po/sv.po: Likewise. + * po/zu.po: Likewise. + * po/LINGUAS: Add ar, ca, da, ru, sv, zu + + * po/hu.po: Update translation. + +2007-02-21 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/unix_chkpwd.c (_unix_verify_password): Test for + allocation failure in bigcrypt(). + + * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Allow + modification of '*' password by root. + +2007-02-06 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Remove + debug syslog message when loginuid doesn't exist. + +2007-02-01 Tomas Mraz <t8m@centrum.cz> + + * xtests/tst-pam_unix3.c: Fix typos in comments. + + * modules/pam_unix/support.c (_unix_verify_password): Explicitly + disallow '!' in the beginning of password hash. 
Treat only + 13 bytes password hash specifically. (Suggested by Solar Designer.) + Fix a warning and test for allocation failure. + * modules/pam_unix/unix_chkpwd.c (_unix_verify_password): Likewise. + +2007-01-31 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/Makefile.am: Add new pam_unix.so tests + * xtests/run-xtests.sh: Prefer shell scripts (wrapper) + over binaries. + * xtests/tst-pam_cracklib1.c: Fix typo. + * xtests/tst-pam_unix1.c: New, for sucurity fix. + * xtests/tst-pam_unix1.pamd: New. + * xtests/tst-pam_unix1.sh: New. + * xtests/tst-pam_unix2.c: New, for crypt checks. + * xtests/tst-pam_unix2.pamd: New. + * xtests/tst-pam_unix2.sh: New. + * xtests/tst-pam_unix3.c: New, for bigcrypt checks. + * xtests/tst-pam_unix3.pamd: New. + * xtests/tst-pam_unix3.sh: New. + +2007-01-23 Thorsten Kukuk <kukuk@suse.de> + + * release 0.99.7.1 + + * configure.in: Set version number to 0.99.7.1 + +2007-01-23 Thorsten Kukuk <kukuk@thukuk.de> + Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/support.c (_unix_verify_password): Always + compare full encrypted passwords (CVE-2007-0003). + +2007-01-23 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_loginuid/Makefile.am (AM_LDFLAGS): Add LIBAUDIT. + + * modules/pam_selinux/Makefile.am (pam_selinux_check_LDFLAGS): Add + AM_LDFLAGS. + (pam_selinux_la_LDFLAGS): Likewise. + +2007-01-17 Thorsten Kukuk <kukuk@thkukuk.de> + + * release 0.99.7.0 + + * configure.in: Set version number to 0.99.7.0 + + * Makefile.am (M4_FILES): Replace GNU make extension by listing + all m4 files. + +2007-01-17 Tomas Mraz <t8m@centrum.cz> + + * po/*.po: Updated strings to translate. + * po/Linux-PAM.pot: Likewise. 
+ +2007-01-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam.conf-syntax.xml: Improve documentation about + sufficient keyword (Patch by Petteri Räty <betelgeuse@gentoo.org>) + +2006-12-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Forbid + only '+' and '-' as first characters for account names. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. + +2006-12-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Fix ENOKEY check (specify errno.h as header + file to search in). + + * configure.in: Add AM_PROG_CC_C_O. + * libpam/Makefile.am: Add content of AM_LDFLAGS to *_LDFLAGS. + * modules/pam_tally/Makefile.am: Likewise. + * modules/pam_unix/Makefile.am: Likewise. + + * modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Fix + localisation of message printed to user. + * po/de.po: Adjust translation. + +2006-12-18 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Localize + message printed to user. + + * modules/pam_unix/support.c (_unix_verify_password): Use strncmp + only for bigcrypt result. + + * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Switch to new + egid first, euid next. Revert euid/egid to old euid/egid and not + ruid/rgid. + (pam_sm_open_session): Switch to new rgid first, ruid next. + +2006-12-13 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_localuser/pam_localuser.c: Add support for session + and chauthtok [SF#1606180]. + * modules/pam_localuser/pam_localuser.8.xml: Document last change. + + * libpam/pam_audit.c (_pam_audit_writelog): Print error message + only once. + +2006-12-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_audit.c (_pam_audit_writelog): Print error + message on failure to syslog. + +2006-12-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_umask/pam_umask.c: Use strtoul instead of strtol, + fix overflow detection. 
+ +2006-12-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mkhomedir/pam_mkhomedir.c (rec_mkdir): Fix + handling of left-most path component [SF#1591598]. + (create_homedir): Mark user visible messages for translation. + * po/de.po: Adjust german translation for pam_mkhomedir. + + * modules/pam_faildelay/pam_faildelay.c: If no argument is + given, try to read FAIL_DELAY from /etc/login.defs. + * modules/pam_faildelay/pam_faildelay.8.xml: Document usage + of /etc/login.defs. + +2006-12-04 Tomas Mraz <t8m@centrun.cz> + + * po/jp.po: Fixed mistake in Password: message (from + Peng Huang <phuang@redhat.com>). + +2006-11-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/hu.po: Update hungarian translation (from + Kalman Kemenczy <kkemenczy@novell.com>). + + * configure.in: Allow disabling support for cracklib, audit, libdb. + + * modules/pam_faildelay/pam_faildelay.8.xml: Correct name of Author. + + * configure.in: Remove --enable-docdir (obsolete by --docdir). + * doc/Makefile.am: Don't overwrite htmldir. + * doc/adg/Makefile.am: Use docdir, htmldir and pdfdir. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. + * doc/specs/Makefile.am: Use docdir. + + * tests/tst-pam_set_data.c: New test cases for pam_set_data(). + * tests/Makefile.am: Add pam_set_data test case. + + * libpam/pam_data.c: Add NULL pointer check for module_data_name. + * libpam/Makefile.am: Bump revision of shared library. + +2006-11-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Add modules/pam_faildelay/Makefile. + * doc/sag/Linux-PAM_SAG.xml: Include pam_faildelay.xml. + * doc/sag/pam_faildelay.xml: New. + * libpam/pam_static_modules.h: Include static pam_faildelay data. + * modules/Makefile.am: Add pam_faildelay directory. + * modules/pam_faildelay/Makefile.am: New. + * modules/pam_faildelay/README: New, generated from XML file. + * modules/pam_faildelay/README.xml: New. + * modules/pam_faildelay/pam_faildelay.8: New, generated from xml. 
+ * modules/pam_faildelay/pam_faildelay.8.xml: New. + * modules/pam_faildelay/pam_faildelay.c: New. + * modules/pam_faildelay/tst-pam_faildelay: New. + + * po/POTFILES.in: Add pam_faildelay.c and pam_loginuid.c. + +2006-11-07 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.c: PAM_DEBUG_ARG + is a bit mask and not a boolean value (Reported by + Jochen Voss <voss@seehuhn.de>). + +2006-10-26 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam.3.xml: Add pam_get_user function. + + * modules/pam_motd/pam_motd.8.xml: Fix typo. + +2006-10-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_namespace/pam_namespace.c: Reserve space for + trailing zero. + +2006-10-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/support.c (_unix_verify_password): Try system + crypt() if we don't know the hash alogorithm. + * modules/pam_unix/unix_chkpwd.c (_unix_verify_password): Likewise. + +2006-10-13 Tomas Mraz <t8m@centrum.cz> + + * doc/mwg/Linux-PAM_MWG.xml: Add id[s] to section[s]. + * doc/sag/pam_access.xml: Likewise. + * doc/sag/pam_echo.xml: Likewise. + * doc/sag/pam_env.xml: Likewise. + * doc/sag/pam_exec.xml: Likewise. + * doc/sag/pam_group.xml: Likewise. + * doc/sag/pam_limits.xml: Likewise. + * doc/sag/pam_namespace.xml: Likewise. + * doc/sag/pam_time.xml: Likewise. + * doc/sag/Linux-PAM_SAG.xml: Add id to book. + * doc/adg/Linux-PAM_ADG.xml: Add id to book. + * doc/mwg/Linux-PAM_MWG.xml: Add id to book. + + +2006-10-07 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/hu.po: Updated hungarian translation (from + Kalman Kemenczy <kkemenczy@novell.com>) + +2006-09-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/adg/Makefile.am: Add manual pages as dependency. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. + * doc/sag/Linux-PAM_SAG.xml: Include pam_unix.xml. + * doc/sag/pam_unix.xml: New. + * modules/pam_unix/Makefile.am: Generate pam_unix.8 manual page. + * modules/pam_unix/README.xml: New. 
+ * modules/pam_unix/pam_unix.8.xml: New. + * modules/pam_unix/README: Regenerate from XML. + * modules/pam_unix/pam_unix.8: Generated from XML. + +2006-09-09 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_wheel/pam_wheel.8.xml: Fix typo. + * modules/pam_wheel/pam_wheel.8: Likewise. + * modules/pam_wheel/README: Likewise. + +2006-09-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/de.po: Fix typo. + +2006-09-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.6.3 + +2006-09-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_loginuid/pam_loginuid.8.xml: Fix typo in + config name. + +2006-08-31 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_env/environment: New, dummy environment example + config file. + + * modules/pam_namespace/Makefile.am: Don't install + manual page if we don't build module. + + * m4/ld-as-needed.m4: Don't set LDFLAGS if check failed. + * m4/ld-O1: Likewise. + +2006-08-30 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.8.xml: All services supported. + * modules/pam_access/pam_access.c (pam_sm_open_session): New. + (pam_sm_close_session): New. + (pam_sm_chauthtok): New. + + * modules/pam_access/pam_succeed_if.8.xml: All services supported. + * modules/pam_access/pam_succeed_if.c (pam_sm_setcred): Return + PAM_IGNORE rather than success. + (pam_sm_open_session): New. + (pam_sm_close_session): New. + (pam_sm_chauthtok): New. + +2006-08-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/Makefile.am: Move shell code to execute tests from here ... + * xtests/run-xtests.sh: ... to here. + * xtests/*.c: Include config.h. + * tests/*.c: Likewise. + + * modules/pam_namespace/pam_namespace.c: Use pam_modutil_getpwnam() + instead of getpwnam(). + +2006-08-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/sag/pam_loginuid.xml: New. + * doc/sag/Linux-PAM_SAG.xml: Include pam_loginuid.xml. + + * configure.in: Add modules/pam_loginuid/Makefile. + * modules/Makefile.am: Add pam_loginuid sub directory. 
+ + * libpam/pam_static_modules.h: Add pam_loginuid. + + * modules/pam_loginuid/Makefile.am: New. + * modules/pam_loginuid/tst-pam_loginuid: New. + * modules/pam_loginuid/pam_loginuid.8.xml: New. + * modules/pam_loginuid/pam_loginuid.8: New, generated from XML source. + * modules/pam_loginuid/pam_loginuid.c: New. + * modules/pam_loginuid/README.xml: New. + * modules/pam_loginuid/README: New, generated from XML source. + +2006-08-29 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_exec/pam_exec.c (call_exec): Add required third + argument to open() call with O_CREAT flag set. + +2006-08-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Remove + duplicate code. + +2006-08-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.6.2 + + * modules/pam_lastlog/pam_lastlog.c (last_login_date): Create + lastlog file if it does not exist. + + * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Check + for error from getting second token. + * xtests/Makefile.am: Add tst-pam_cracklib1 + * xtests/tst-pam_cracklib1.c: New, check for pam_cracklib seg.fault. + * xtests/tst-pam_cracklib1.pamd: New, config for cracklib test. + +2006-08-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * xtests/tst-pam_dispatch4.c: New test. + * xtests/tst-pam_dispatch4.pamd: PAM config for new test. + +2006-08-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.6.1 + +2006-08-09 David Howells <dhowells@redhat.com> + + * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Set real uid + to user's before revoking. + (pam_sm_open_session): Remember the uid. + +2006-08-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_umask/pam_umask.c (setup_limits_from_gecos): + Add error handling. + * modules/pam_umask/pam_umask.8.xml: Document silent option. + + * xtests/Makefile.am: Fix includes for bootstrapping. + Reported by Greg Schafer <gschafer@zip.com.au>. 
+ +2006-08-05 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.6.0 + + * modules/pam_limits/pam_limits.c (pam_sm_open_session): Use + pam_modutil_getpwnam instead of getpwnam. + + * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Cast + svc variable to char pointer for snprintf. + + * configure.in: Generate xtests/Makefile. + * Makefile.am (SUBDIRS): Add xtests. + * README: Document make check and make xtests. + * xtests/Makefile.am: New. + * xtests/tst-pam_dispatch1.pamd: New. + * xtests/tst-pam_dispatch2.pamd: New. + * xtests/tst-pam_dispatch3.pamd: New. + * xtests/tst-pam_dispatch1.c: New. + * xtests/tst-pam_dispatch2.c: New. + * xtests/tst-pam_dispatch3.c: New. + +2006-08-04 Ray Strode <rstrode@redhat.com> + + * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): + Return PAM_USER_UNKNOWN instead of PAM_SERVICE_ERR where appropriate. + +2006-08-03 David Howells <dhowells@redhat.com> + + * modules/pam_keyinit/pam_keyinit.c: Debug should be off by default. + (init_keyrings): Properly handle multiple invocations of the module. + (kill_keyrings, pam_sm_open_session, pam_sm_close_session): Likewise. + +2006-08-03 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): + New function for list matching. + (evaluate_notinlist): Likewise. + (evaluate): Add service value match, list matching. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the + features. + + * modules/pam_selinux/pam_selinux.c (security_label_tty): Don't log + relabelling error when the tty device doesn't exist (ENOENT). + +2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance + rationale about when this function should be used and when not. + + * doc/index.html: Cleanup to look prettier. + +2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/Makefile.am: Bump patchlevel of libpam. 
+ * libpam/pam_dispatch.c (_pam_dispatch_aux): If [return=die] + or [return=bad] is used, don't return PAM_IGNORE. Based on + patch by Tomas Mraz <t8m@centrum.cz>, [BRC#196859]. + +2006-07-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * ABOUT-NLS: Upgrade to gettext-0.15. + * config.rpath: Likewise. + * m4/gettext.m4: Upgrade to gettext-0.15. + * m4/inttypes-h.m4: New file, from gettext-0.15. + * m4/inttypes-pri.m4: Upgrade to gettext-0.15. + * m4/lib-link.m4: Upgrade to gettext-0.15. + * m4/lib-prefix.m4: Upgrade to gettext-0.15. + * m4/lock.m4: New file, from gettext-0.15. + * m4/longdouble.m4: Upgrade to gettext-0.15. + * m4/nls.m4: Upgrade to gettext-0.15. + * m4/po.m4: Upgrade to gettext-0.15. + * m4/size_max.m4: Upgrade to gettext-0.15. + * m4/visibility.m4: New file, from gettext-0.15. + * po/Makefile.in.in: Upgrade to gettext-0.15. + +2006-07-24 David Quigley <dpquigl@tycho.nsa.gov> + + * modules/pam_namespace/Makefile.am: Add pam_namespace.h. + * modules/pam_namespace/pam_namespace.c: Move includes and + data structure definitions from here ... + * modules/pam_namespace/pam_namespace.h: ... here. New file. + + * modules/pam_namespace/pam_namespace.c: Move large sections + of code into new functions. + +2006-07-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/adg/Makefile.am: Add uninstall and distclean rules. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. + +2006-07-08 Daniel Richard G. <skunk@iskunk.org> + + * conf/pam_conv1/Makefile.am: Fix rules for lex and yacc files. + * conf/pam_conv1/pam_conv.lex: Rename to ... + * conf/pam_conv1/pam_conv_l.l: ... this. + * conf/pam_conv1/pam_conv.y: Rename to ... + * conf/pam_conv1/pam_conv_y.y: ... this. + * configure.in: Add AC_HELP_STRING()s to various AC_ARG_ENABLE() + calls. + * doc/Makefile.am: Fix rule to install index.html. + * doc/adg/Makefile.am: Fix test usage. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. 
+ * doc/specs/Makefile.am: Fix rules for lex and yacc files. + * specs/parse.lex: Rename to ... + * doc/specs/parse_l.l: ... this. + * doc/specs/parse.y: Rename to ... + * doc/specs/parse_y.y: ... this. + * libpam/pam_account.c: Fix #if vs. #ifdef. + * libpam/pam_audit.c: Likewise. + * libpam/pam_auth.c: Likewise. + * libpam/pam_password.c: Likewise. + * libpam/pam_private.h: Likewise. + * libpam/pam_session.c: Likewise. + * libpam/pam_start.c: Likewise. + * libpam/pam_static.c: Fix "empty sourcefile" warning. + * modules/pam_limits/pam_limits.c: Check for __linux, too. + * modules/pam_userdb/Makefile.am: Don't run test if no + libdb available. + * tests/tst-dlopen.c: Include config.h. + +2006-07-03 Dan Yefimov + + * configure.in: Fixed have_key_syscalls test. + + * modules/pam_access/pam_access.c (from_match): Fixed IPv4 network + match, removed AI_ADDRCONFIG flag. + +2006-06-30 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_namespace/Makefile.am(EXTRA_DIST): Add namespace.init. + +2006-06-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/Makefile.am (releasedocs): Fix directory layout. + * doc/adg/Makefile.am: Likewise. + * doc/mwg/Makefile.am: Likewise. + * doc/sag/Makefile.am: Likewise. + +2006-06-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/sag: System Administrator Guide as XML source. + * doc/sag/Makefile.am: New. + * doc/sag/Linux-PAM_SAG.xml: New, main XML document. + * doc/sag/pam_*.xml: New, wrapper to include module documentation. + + * doc/adg: Application Developers Guide as XML source. + * doc/adg/Makefile.am: New. + * doc/adg/Linux-PAM_ADG.xml: New, main XML document. + * doc/adg/pam_*.xml: New, wrappers to include manual pages. + + * doc/mwg: Application Developers Guide as XML source. + * doc/mwg/Makefile.am: New. + * doc/mwg/Linux-PAM_MWG.xml: New, main XML document. + * doc/mwg/pam_*.xml: New, wrappers to include manual pages. + + * doc/CREDITS: Removed. + * doc/NOTES: Removed. + * doc/pam_appl.sgml: Removed. + * doc/pam_modules.sgml: Removed. 
+ * doc/pam_source.sgml: Removed. + * doc/figs/pam_orient.txt: Removed. + * doc/figs: Removed. + + * configure.in: Remove checks for sgml2* progrs, add sag, adg + and mwg Makefiles. + + * doc/Makefile.am: Remove references to sgml, add sag, adg and mwg + directories. + * doc/modules: Remove directory. + * doc/html: Remove directory. + * doc/ps: Remove directory. + * doc/pdf: Remove directory. + * doc/txts: Remove directory. + * doc/index.html: Moved from html directory to here. + +2006-06-28 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.5.0 + + * bump version number to 0.99.5.0 + + * modules/pam_rhosts/pam_rhosts.c: New module, replaces + pam_rhosts_auth.so. + * modules/pam_rhosts/pam_rhosts.8.xml: New. + * modules/pam_rhosts/pam_rhosts.8: New, generated from XML source. + * modules/pam_rhosts/tst-pam_rhosts: New. + * modules/pam_rhosts/Makefile.am: Add pam_rhosts, generate + manual page and README. + * modules/pam_rhosts/README.xml: New. + * modules/pam_rhosts/reADME: Regenerated from XML source. + + * doc/man/pam_sm_acct_mgmt.3.xml: Adjust syntax for module + writers guide. + * doc/man/pam_sm_authenticate.3.xml: Likewise. + * doc/man/pam_sm_chauthtok.3.xml: Likewise. + * doc/man/pam_sm_close_session.3.xml: Likewise. + * doc/man/pam_sm_open_session.3.xml: Likewise. + * doc/man/pam_sm_setcred.3.xml: Likewise. + + * po/POTFILES.in: Add new source files. + + * libpam/pam_static_modules.h: Add new modules. + + * modules/pam_keyinit.c: Add _pam_keyinit_modstruct. + + * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Add XML + files and manual page. + +2006-06-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Allow disabling of SELinux support, check for + rootok_af. + +2006-06-27 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_namespace/pam_namespace.c: New module + originally written by Janak Desai. + * modules/pam_namespace/Makefile.am: New. + * modules/pam_namespace/README: New. + * modules/pam_namespace/md5.c: New. 
+ * modules/pam_namespace/md5.h: New. + * modules/pam_namespace/namespace.conf: New. + * modules/pam_namespace/namespace.conf.5: New. + * modules/pam_namespace/namespace.conf.5.xml: New. + * modules/pam_namespace/namespace.init: New. + * modules/pam_namespace/pam_namespace.8: New. + * modules/pam_namespace/pam_namespace.8.xml: New. + * modules/pam_namespace/tst-pam_namespace: New. + * modules/Makefile.am: Added pam_namespace. + * configure.in: Added pam_namespace, test for unshare + library call. + +2006-06-27 David Howells <dhowells@redhat.com> + + * modules/pam_keyinit/pam_keyinit.c: New module. + * modules/pam_keyinit/pam_keyinit.8: New. + * modules/pam_keyinit/pam_keyinit.8.xml: New. + * modules/pam_keyinit/README: New. + * modules/pam_keyinit/README.xml: New. + * modules/pam_keyinit/Makefile.am: New. + * modules/pam_keyinit/tst-pam_keyinit: New. + * modules/Makefile.am: Added pam_keyinit. + * configure.in: Added test for the key mgmt syscall. + +2006-06-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * m4/libprelude.m4: Sync with upstream. + +2006-06-27 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): + signal() fails with SIG_ERR return + * modules/pam_unix/pam_unix_passwd.c(_unix_run_shadow_binary): + Likewise. + * modules/pam_unix/support.c(_unix_run_helper_binary): + Likewise. + +2006-06-25 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/misc_conv.3.xml: New. + * doc/man/misc_conv.3: New. + * doc/man/pam_misc_paste_env.3.xml: New. + * doc/man/pam_misc_paste_env.3: New. + * doc/man/pam_misc_drop_env.3.xml: New. + * doc/man/pam_misc_drop_env.3: New. + * doc/man/pam_misc_setenv.3.xml: New. + * doc/man/pam_misc_setenv.3: New. + * doc/man/Makefile.am: Add new manual pages. + + * doc/man/pam_acct_mgmt.3.xml: Fix syntax for inclusion + in Applicatoin Developer Guide. 
+ * doc/man/pam_authenticate.3.xml: Likewise + * doc/man/pam_chauthtok.3.xml: Likewise + * doc/man/pam_close_session.3.xml: Likewise + * doc/man/pam_conv.3.xml: Likewise + * doc/man/pam_end.3.xml: Likewise + * doc/man/pam_fail_delay.3.xml: Likewise + * doc/man/pam_getenv.3.xml: Likewise + * doc/man/pam_getenvlist.3.xml: Likewise + * doc/man/pam_open_session.3.xml: Likewise + * doc/man/pam_putenv.3.xml: Likewise + * doc/man/pam_setcred.3.xml: Likewise + * doc/man/pam_start.3.xml: Likewise + * doc/man/pam_strerror.3.xml: Likewise + + * doc/man/pam_acct_mgmt.3: Regenerate from XML source. + * doc/man/pam_authenticate.3: Likewise + * doc/man/pam_chauthtok.3: Likewise + * doc/man/pam_close_session.3: Likewise + * doc/man/pam_conv.3: Likewise + * doc/man/pam_end.3: Likewise + * doc/man/pam_fail_delay.3: Likewise + * doc/man/pam_getenv.3: Likewise + * doc/man/pam_getenvlist.3: Likewise + * doc/man/pam_open_session.3: Likewise + * doc/man/pam_putenv.3: Likewise + * doc/man/pam_setcred.3: Likewise + * doc/man/pam_sm_close_session.3: Likewise + * doc/man/pam_start.3: Likewise + * doc/man/pam_strerror.3: Likewise + * doc/man/pam_syslog.3: Likewise + * doc/man/PAM.8: Likewise + +2006-06-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_limits/pam_limits.c (setup_limits): Don't + reset priority for root. + +2006-06-23 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_access/access.conf.5.xml: Fix syntax for SAG. + * modules/pam_access/pam_access.8.xml: Likewise. + * modules/pam_deny/pam_deny.8.xml: Likewise. + * modules/pam_echo/pam_echo.8.xml: Likewise. + * modules/pam_env/pam_env.8.xml: Likewise. + * modules/pam_env/pam_env.conf.5.xml: Likewise. + * modules/pam_group/group.conf.5.xml: Likewise. + * modules/pam_group/pam_group.8.xml: Likewise. + * modules/pam_limits/limits.conf.5.xml: Likewise. + * modules/pam_listfile/pam_listfile.8.xml: Likewise. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise. + * modules/pam_time/pam_time.8.xml: Likewise. 
+ * modules/pam_time/time.conf.5.xml: Likewise. + + * modules/pam_access/access.conf.5: Regenerate. + * modules/pam_access/pam_access.8: Likewise. + * modules/pam_deny/pam_deny.8: Likewise. + * modules/pam_echo/README: Likewise. + * modules/pam_echo/pam_echo.8: Likewise. + * modules/pam_env/pam_env.8: Likewise. + * modules/pam_env/pam_env.conf.5: Likewise. + * modules/pam_group/README: Likewise. + * modules/pam_group/group.conf.5: Likewise. + * modules/pam_group/pam_group.8: Likewise. + * modules/pam_limits/limits.conf.5: Likewise. + * modules/pam_listfile/README: Likewise. + * modules/pam_listfile/pam_listfile.8: Likewise. + * modules/pam_succeed_if/pam_succeed_if.8: Likewise. + * modules/pam_time/pam_time.8: Likewise. + * modules/pam_time/time.conf.5: Likewise. + + * doc/man/Makefile.am: Add pam.conf-desc.xml, pam.conf-dir.xml + and pam.conf-syntax.xml. + * doc/man/pam.conf.5.xml: Split into different pieces for SAG. + * doc/man/pam.conf.5: Regenerated. + * doc/man/pam.conf-desc.xml: New. + * doc/man/pam.conf-dir.xml: New. + * doc/man/pam.conf-syntax.xml: New. + +2006-06-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_selinux/Makefile.am: Fix "make dist" if libselinux + is not installed. + + * modules/pam_issue/pam_issue.8.xml: Fix listing of escapes. + * modules/pam_issue/pam_issue.8: Regenerate. + +2006-06-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Remove unused check for libcap. + + * m4/ld-as-needed.m4: New. + * m4/ld-O1.m4: New. + * configure.in: Call PAM_LD_AS_NEEDED and PAM_LD_O1, + require docbook version 4.4. + +2006-06-19 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam.8.xml: Syntax cleanup. + * doc/pam/PAM.8: Regenerated from xml source. + * man/pam_sm_chauthtok.3: New. + * man/pam_sm_chauthtok.3.xml: New. + * man/pam_sm_close_session.3: New. + * man/pam_sm_close_session.3.xml: New. + * man/pam_sm_open_session.3: New. + * man/pam_sm_open_session.3.xml: New. + * man/pam_sm_authenticate.3: New. 
+ * man/pam_sm_authenticate.3.xml: New. + * man/pam_sm_setcred.3: New. + * man/pam_sm_setcred.3.xml: New. + * man/Makefile.am: Add new pam_sm_* manual pages. + + * specs/Makefile.am: Fix rule to generate draft. + +2006-06-18 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_tally/Makefile.am: Include Make.xml.rules. + * modules/pam_tally/pam_tally.8.xml: New. + * modules/pam_tally/pam_tally.8: New, generated from xml file. + * modules/pam_tally/README.xml: New. + * modules/pam_tally/README: Regenerated from xml file. + + * modules/pam_selinux/Makefile.am: Include Make.xml.rules. + * modules/pam_selinux/pam_selinux.8.xml: New. + * modules/pam_selinux/pam_selinux.8: Regenerated from xml file. + * modules/pam_selinux/README.xml: New. + * modules/pam_selinux/README: Regenerated from xml file. + +2006-06-17 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_debug/Makefile.am: Include Make.xml.rules. + * modules/pam_debug/pam_debug.8.xml: New. + * modules/pam_debug/pam_debug.8: New, generated from xml file. + * modules/pam_debug/README.xml: New. + * modules/pam_debug/README: Regenerated from xml file. + + * examples/vpass.c: UID is unsigned on Linux. + * modules/pam_exec/pam_exec.c: Likewise. + * modules/pam_unix/pam_unix_acct.c: Likewise. + * modules/pam_unix/pam_unix_sess.c: Likewise. + + * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix syntax error. + * modules/pam_succeed_if/pam_succeed_if.8: Regenerated. + * modules/pam_succeed_if/README: Regenerated. + + * modules/pam_limits/Makefile.am: Include Make.xml.rules. + * modules/pam_limits/limits.conf.5: New, generated from xml file. + * modules/pam_limits/limits.conf.5.xml: New. + * modules/pam_limits/pam_limits.8: New, generated from xml file. + * modules/pam_limits/pam_limits.8.xml: New. + * modules/pam_limits/README.xml: New. + * modules/pam_limits/README: Regenerated from README.xml. 
+ +2006-06-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix_passwd.c (save_old_password): UIDs + are unsigned on Linux, don't truncate them. + (_do_setpass): err is of type clnt_stat, not int. + + * modules/pam_lastlog/pam_lastlog.c (last_login_read): Don't + truncate UID for syslog output. + + * modules/pam_time/pam_time.c: Replace type boolean with int. + * modules/pam_group/pam_group.c: Likewise. + +2006-06-15 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/bigcrypt.h: New. + * modules/pam_unix/Makefile.am: Add bigcrypt.h. + * modules/pam_unix/bigcrypt.c: Include bigcrypt.h. + * modules/pam_unix/support.c: Include bigcrypt.h, remove + own prototype. + * modules/pam_unix/bigcrypt_main.c: Include bigcrypt.h, remove + own prototype. + * modules/pam_unix/pam_unix_passwd.c: Include bigcrypt.h, remove + own prototype. + + * modules/pam_time/pam_time.c (logic_member): Remove unused + variable len. + + * modules/pam_group/pam_group.c (logic_field): Accept + colon in tty name. [#1428276]. + (logic_member): Remove unused variable len. + (check_account): Fix usage of err variable in debug code. + + * modules/pam_time/pam_time.c (logic_field): Likewise. + + * configure.in: Add special exceptions for icc: different + compiler warnings, no PIE support. + +2006-06-14 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_misc.c (_pam_strdup): Use strlen and strcpy. + + * configure.in: Remove --enable-memory-debug, add option + to disable prelude if installed. + + * modules/pam_tally/pam_tally.c: Remove MEMORY_DEBUG + * modules/pam_filter/upperLOWER/upperLOWER.c: Likewise. + * modules/pam_unix/unix_chkpwd.c: Likewise. + * libpam/include/security/_pam_types.h: Likewise. + * libpam/libpam.map: Remove LIBPAM_MALLOC_DEBUG export. + * libpam/pam_malloc.c: Remove file. + * libpam/Makefile.am: Remove pam_malloc.c and pam_malloc.h. + + * libpam/pam_handlers.c (extract_modulename): Use _pam_strdup + instead of strdup. 
+ + * libpam/pam_private.h: Remove _pam_strCMP. + * libpam/pam_misc.c: Likewise. + * libpam/pam_handlers.c: Replaced _pam_strCMP with strcasecmp. + +2006-06-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_tally/Makefile.am (AM_LDFLAGS): Remove flags + for modules from main application. + +2006-06-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_time/Makefile.am: Include Make.xml.rules. + * modules/pam_time/time.conf.5: New, generated from xml file. + * modules/pam_time/time.conf.5.xml: New. + * modules/pam_time/pam_time.8: New, generated from xml file. + * modules/pam_time/pam_time.8.xml: New. + * modules/pam_time/README.xml: New. + * modules/pam_time/README: Regenerated from README.xml. + + * modules/pam_wheel/Makefile.am: Include Make.xml.rules. + * modules/pam_wheel/pam_wheel.8.xml: New. + * modules/pam_wheel/pam_wheel.8: New, generated from xml file. + * modules/pam_wheel/README.xml: New. + * modules/pam_wheel/README: Regenerated from xml file. + + * modules/pam_xauth/Makefile.am: Include Make.xml.rules. + * modules/pam_xauth/pam_xauth.8.xml: New. + * modules/pam_xauth/pam_xauth.8: Regenerated from xml file. + * modules/pam_xauth/README.xml: New. + * modules/pam_xauth/README: Regenerated from xml file. + + * modules/pam_deny/pam_deny.8.xml: Fix syntax errors. + * modules/pam_deny/pam_deny.8: Regenerate from xml file. + * modules/pam_deny/README: Likewise. + + * modules/pam_warn/Makefile.am: Include Make.xml.rules. + * modules/pam_warn/pam_warn.8.xml: New. + * modules/pam_warn/pam_warn.8: New, generated from xml file. + * modules/pam_warn/README.xml: New. + * modules/pam_warn/README: Regenerated from xml file. + + * modules/pam_userdb/Makefile.am: Include Make.xml.rules. + * modules/pam_userdb/pam_userdb.8.xml: New. + * modules/pam_userdb/pam_userdb.8: New, generated from xml file. + * modules/pam_userdb/README.xml: New. + * modules/pam_userdb/README: Regenerated from xml file. 
+ +2006-06-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_shells/Makefile.am: Include Make.xml.rules. + * modules/pam_shells/pam_shells.8.xml: New. + * modules/pam_shells/pam_shells.8: New, generated from xml file. + * modules/pam_shells/README.xml: New. + * modules/pam_shells/README: Regenerated from xml file. + + * libpam/include/security/pam_malloc.h: Add missing license + informations. + + * libpam/include/security/pam_ext.h: Add brackets for C++. + * libpam/include/security/pam_modutil.h: Likewise. + + * libpam/include/security/pam_modules.h: Document where to + find the copyright/license informations. + + * libpam/include/security/pam_appl.h: Move _pam_compat.h + include inside of brackets. + +2006-06-04 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_securetty/Makefile.am: Include Make.xml.rules. + * modules/pam_securetty/pam_securetty.8.xml: New. + * modules/pam_securetty/pam_securetty.8: Regenerated from xml file. + * modules/pam_securetty/README.xml: New. + * modules/pam_securetty/README: Regenerated from xml file. + + * modules/pam_rootok/Makefile.am: Include Make.xml.rules. + * modules/pam_rootok/pam_rootok.8.xml: New. + * modules/pam_rootok/pam_rootok.8: New, generated from xml file. + * modules/pam_rootok/README.xml: New. + * modules/pam_rootok/README: Regenerated from xml file. + + * modules/pam_permit/Makefile.am: Include Make.xml.rules. + * modules/pam_permit/pam_permit.8.xml: New. + * modules/pam_permit/pam_permit.8: New, generated from xml file. + * modules/pam_permit/README.xml: New. + * modules/pam_permit/README: Regenerated from xml file. + + * modules/pam_nologin/Makefile.am: Include Make.xml.rules. + * modules/pam_nologin/pam_nologin.8.xml: New. + * modules/pam_nologin/pam_nologin.8: Regenerated from xml file. + * modules/pam_nologin/README.xml: New. + * modules/pam_nologin/README: Regenerated from xml file. + +2006-06-03 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_motd/Makefile.am: Include Make.xml.rules. 
+ * modules/pam_motd/pam_motd.8.xml: New. + * modules/pam_motd/pam_motd.8: New, generated from xml file. + * modules/pam_motd/README.xml: New. + * modules/pam_motd/README: New, generated from xml file. + +2006-06-02 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mail/Makefile.am: Include Make.xml.rules. + * modules/pam_mail/pam_mail.8.xml: New. + * modules/pam_mail/pam_mail.8: New, generated from xml file. + * modules/pam_mail/README.xml: New. + * modules/pam_mail/README: Regenerated from xml file. + + * modules/pam_localuser/Makefile.am: Include Make.xml.rules. + * modules/pam_localuser/pam_localuser.8.xml: New. + * modules/pam_localuser/pam_localuser.8: New, generated from xml file. + * modules/pam_localuser/README.xml: New. + * modules/pam_localuser/README: Regenerated from xml file. + + * doc/man/PAM.8: Regenerate with DocBook XSL Stylesheets v1.70.1. + * doc/man/pam.3: Likewise. + * doc/man/pam.conf.5: Likewise. + * doc/man/pam_acct_mgmt.3: Likewise. + * doc/man/pam_authenticate.3: Likewise. + * doc/man/pam_chauthtok.3: Likewise. + * doc/man/pam_close_session.3: Likewise. + * doc/man/pam_conv.3: Likewise. + * doc/man/pam_end.3: Likewise. + * doc/man/pam_error.3: Likewise. + * doc/man/pam_fail_delay.3: Likewise. + * doc/man/pam_get_data.3: Likewise. + * doc/man/pam_get_item.3: Likewise. + * doc/man/pam_get_user.3: Likewise. + * doc/man/pam_getenv.3: Likewise. + * doc/man/pam_getenvlist.3: Likewise. + * doc/man/pam_info.3: Likewise. + * doc/man/pam_open_session.3: Likewise. + * doc/man/pam_prompt.3: Likewise. + * doc/man/pam_putenv.3: Likewise. + * doc/man/pam_set_data.3: Likewise. + * doc/man/pam_set_item.3: Likewise. + * doc/man/pam_setcred.3: Likewise. + * doc/man/pam_sm_acct_mgmt.3: Likewise. + * doc/man/pam_start.3: Likewise. + * doc/man/pam_strerror.3: Likewise. + * doc/man/pam_syslog.3: Likewise. + * modules/pam_access/access.conf.5: Likewise. + * modules/pam_access/pam_access.8: Likewise. + * modules/pam_cracklib/pam_cracklib.8: Likewise. 
+ * modules/pam_deny/pam_deny.8: Likewise. + * modules/pam_echo/pam_echo.8: Likewise. + * modules/pam_env/pam_env.8: Likewise. + * modules/pam_env/pam_env.conf.5: Likewise. + * modules/pam_exec/pam_exec.8: Likewise. + * modules/pam_filter/pam_filter.8: Likewise. + * modules/pam_ftp/pam_ftp.8: Likewise. + * modules/pam_group/group.conf.5: Likewise. + * modules/pam_group/pam_group.8: Likewise. + * modules/pam_issue/pam_issue.8: Likewise. + * modules/pam_lastlog/pam_lastlog.8: Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.8: Likewise. + * modules/pam_succeed_if/pam_succeed_if.8: Likewise. + * modules/pam_umask/pam_umask.8: Likewise. + + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Use + dngettext if available [#1427738]. + * configure.in: Check for dngettext [#1427738]. + * po/*.po: Update to dngettext usage. + + * modules/pam_listfile/Makefile.am: Include Make.xml.rules. + * modules/pam_listfile/pam_listfile.8.xml: New. + * modules/pam_listfile/pam_listfile.8: New, generated from xml file. + * modules/pam_listfile/README.xml: New. + * modules/pam_listfile/README: Regenerated from xml file. + +2006-06-01 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_lastlog/Makefile.am: Include Make.xml.rules. + * modules/pam_lastlog/pam_lastlog.8.xml: New. + * modules/pam_lastlog/pam_lastlog.8: New, generated from xml file. + * modules/pam_lastlog/README.xml: New. + * modules/pam_lastlog/README: Regenerated from xml file. + + * modules/pam_group/Makefile.am: Include Make.xml.rules. + * modules/pam_group/group.conf.5.xml: New. + * modules/pam_group/group.conf.5: New, generated from xml file. + * modules/pam_group/pam_group.8.xml: New. + * modules/pam_group/pam_group.8: New, generated from xml file. + * modules/pam_group/README.xml: New. + * modules/pam_group/README: Regenerated from xml file. + + * modules/pam_ftp/Makefile.am: Include Make.xml.rules. + * modules/pam_ftp/pam_ftp.8.xml: New. + * modules/pam_ftp/pam_ftp.8: New, generated from xml file. 
+ * modules/pam_ftp/README.xml: New. + * modules/pam_ftp/README: Regenerated from xml file. + + * modules/pam_issue/Makefile.am: Include Make.xml.rules. + * modules/pam_issue/pam_issue.8.xml: New. + * modules/pam_issue/pam_issue.8: New, generated from xml file. + * modules/pam_issue/README.xml: New. + * modules/pam_issue/README: Regenerated from xml file. + + * modules/pam_filter/Makefile.am: Include Make.xml.rules. + * modules/pam_filter/pam_filter.8.xml: New. + * modules/pam_filter/pam_filter.8: New, generated from xml file. + * modules/pam_filter/README.xml: New. + * modules/pam_filter/README: Regenerated from xml file. + +2006-05-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mkhomedir/pam_mkhomedir.8.xml: Fix umask and skel + directory documentation. + + * modules/pam_umask/Makefile.am: Include Make.xml.rules. + * modules/pam_umask/pam_umask.8.xml: New. + * modules/pam_umask/pam_umask.8: New, generated from xml file. + * modules/pam_umask/README.xml: New. + * modules/pam_umask/README: Regenerated from xml file. + +2006-05-29 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_mkhomedir/Makefile.am: Include Make.xml.rules. + * modules/pam_mkhomedir/pam_mkhomedir.8.xml: New. + * modules/pam_mkhomedir/pam_mkhomedir.8: New, generated from xml file. + * modules/pam_mkhomedir/README.xml: New. + * modules/pam_mkhomedir/README: Regenerated from xml file. + +2006-05-23 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_echo/pam_echo.c (pam_echo): Use pam_modutil_read() + instead of read(). + +2006-05-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): + Fix memory leaks, [#1490956] found by Coverity. + + * modules/pam_tally/pam_tally.c (pam_get_uid): Check return + value of pam_get_user(). + (tally_get_data): Check if oldtime is not NULL. + [#1489818] found by Coverity. + + * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Don't + ignore return value of stat(). [#1489808] found by Coverity. 
+ + * modules/pam_mail/pam_mail.c (get_folder): Fix a potential + NULL pointer dereference. [#1489792] found by Coverity. + + * libpam/Makefile.am: bump release number of libpam.so. + * libpam/pam_misc.c (_pam_mkargv): Fix memory leak, + [#1489804] found by Coverity. + + * modules/pam_echo/pam_echo.c (replace_and_print): Initialize + str, [#1489658] found by Coverity. + + * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix + a potential NULL pointer dereference. + (pam_sm_chauthtok): Remove dead code. + [#1489634] found by Coverity. + +2006-05-04 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Check for fseeko. + * modules/pam_tally/pam_tally.c: Use fseeko if available + (Based on patch by IBM). + +2006-05-04 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.4.0 + + * libpam/pam_strerror.c: Unify error messages. + + * po/zh_TW.po: Adjust for last pam_strerror changes. + * po/zh_CN.po: Likewise. + * po/uk.po: Likewise. + * po/tr.po: Likewise. + * po/pt.po: Likewise. + * po/pt_BR.po: Likewise. + * po/pl.po: Likewise. + * po/ja.po: Likewise. + * po/nl.po: Likewise. + * po/nb.po: Likewise. + * po/it.po: Likewise. + * po/hu.po: Likewise. + * po/fr.po: Likewise. + * po/fi.po: Likewise. + * po/es.po: Likewise. + * po/de.po: Likewise. + * po/cs.po: Likewise. + + * doc/man/pam.3.xml: New. + * doc/man/pam.3. New, generated from XML file. + + * doc/man/pam_sm_acct_mgmt.3.xml: New. + * doc/man/pam_sm_acct_mgmt.3: New, generated from XML file. + + * doc/man/*.xml: Fix encoding and use always UTF-8, regenerate + all manual pages. + + * doc/pam_modules.sgml (PAM_NEW_AUTHTOKEN_REQD): Fix typo. + +2006-05-02 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Use + different strings for plural or not [#1427738] + + * po/*.po: Adjust for pam_unix.so translation fix. 
+ + * modules/pam_tally/pam_tally.c: Always close file handle + in error case, don't close it depending on *TALLY value [#1478180] + +2006-04-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/fr.po: Updated. + +2006-04-11 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/km.po: Updated. + +2006-03-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/LINGUAS: Add uk. + + * po/uk.po: New. + * po/cs.po: Updated. + * po/po/es.po: Updated. + * po/fi.po: Updated. + * po/fr.po: Updated. + * po/hu.po: Updated. + * po/it.po: Updated. + * po/ja.po: Updated. + * po/nb.po: Updated. + * po/pl.po: Updated. + * po/pt.po: Updated. + * po/pt_BR.po: Updated. + * po/zh_CN.po: Updated. + * po/zh_TW.po: Updated. + +2006-03-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Remove ALL_LINGUAS. + * po/LINGUAS: New. + * po/tr.po: New (from Ismail Donmez <ismail@pardus.org.tr>). + +2006-03-13 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_error.3.xml: New. + * doc/man/pam_error.3: New, generated from XML file. + * doc/man/pam_verror.3: New, generated from XML file. + * doc/man/Makefile.am: Add pam_error.3 and pam_verror.3. + + * modules/pam_lastlog/Makefile.am: Fix typo. + + * modules/pam_lastlog/pam_lastlog.c: Move comment for + translators in right line. + * po/*.po: Update po files with comment for translator. + +2006-03-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/Makefile.am: Add new manual pages. + + * doc/man/pam.conf.5.xml: Replace link with content + of PAM admin guide. + * doc/man/pam.conf.5: Regenerated from XML file. + + * doc/man/pam_info.3.xml: New. + * doc/man/pam_info.3: New, generated from XML file. + * doc/man/pam_vinfo.3: New, generated from XML file. + + * doc/man/pam_conv.3.xml: New. + * doc/man/pam_conv.3: New, generated from XML file. + + * doc/man/pam_putenv.3.xml: New. + * doc/man/pam_putenv.3: New, generated from XML file. + + * doc/man/pam_getenv.3.xml: New. + * doc/man/pam_getenv.3: New, generated from XML file. + + * doc/man/pam_getenvlist.3.xml: New. 
+ * doc/man/pam_getenvlist.3: New, generated from XML file. + + * libpam/pam_item.c (pam_get_user): Check for valid pamh before + using it. + + * configure.in: create tests/Makefile + * Makefile.am (SUBDIRS): Add tests + * tests/Makefile.am: New. + * tests/tst-dlopen.c: New. + * tests/tst-pam_acct_mgmt.c: New. + * tests/tst-pam_authenticate.c: New. + * tests/tst-pam_chauthtok.c: New. + * tests/tst-pam_close_session.c: New. + * tests/tst-pam_end.c: New. + * tests/tst-pam_fail_delay.c: New. + * tests/tst-pam_getenvlist.c: New. + * tests/tst-pam_get_item.c: New. + * tests/tst-pam_open_session.c: New. + * tests/tst-pam_setcred.c: New. + * tests/tst-pam_set_item.c: New. + * tests/tst-pam_start.c: New. + * tests/tst-pam_get_user.c: New. + + * modules/pam_access/Makefile.am: Add rules for make check + * modules/pam_access/tst-pam_access: New + * modules/pam_cracklib/Makefile.am: Add rules for make check + * modules/pam_cracklib/tst-pam_cracklib: New + * modules/pam_debug/Makefile.am: Add rules for make check + * modules/pam_debug/tst-pam_debug: New + * modules/pam_deny/Makefile.am: Add rules for make check + * modules/pam_deny/tst-pam_deny: New + * modules/pam_echo/Makefile.am: Add rules for make check + * modules/pam_echo/tst-pam_echo: New + * modules/pam_env/Makefile.am: Add rules for make check + * modules/pam_env/tst-pam_env: New + * modules/pam_exec/Makefile.am: Add rules for make check + * modules/pam_exec/tst-pam_exec: New + * modules/pam_filter/Makefile.am: Add rules for make check + * modules/pam_filter/tst-pam_filter: New + * modules/pam_ftp/Makefile.am: Add rules for make check + * modules/pam_ftp/tst-pam_ftp: New + * modules/pam_group/Makefile.am: Add rules for make check + * modules/pam_group/tst-pam_group: New + * modules/pam_issue/Makefile.am: Add rules for make check + * modules/pam_issue/tst-pam_issue: New + * modules/pam_lastlog/Makefile.am: Add rules for make check + * modules/pam_lastlog/tst-pam_lastlog: New + * modules/pam_limits/Makefile.am: Add 
rules for make check + * modules/pam_limits/tst-pam_limits: New + * modules/pam_listfile/Makefile.am: Add rules for make check + * modules/pam_listfile/tst-pam_listfile: New + * modules/pam_localuser/Makefile.am: Add rules for make check + * modules/pam_localuser/tst-pam_localuser: New + * modules/pam_mail/Makefile.am: Add rules for make check + * modules/pam_mail/tst-pam_mail: New + * modules/pam_mkhomedir/Makefile.am: Add rules for make check + * modules/pam_mkhomedir/tst-pam_mkhomedir: New + * modules/pam_motd/Makefile.am: Add rules for make check + * modules/pam_motd/tst-pam_motd: New + * modules/pam_nologin/Makefile.am: Add rules for make check + * modules/pam_nologin/tst-pam_nologin: New + * modules/pam_permit/Makefile.am: Add rules for make check + * modules/pam_permit/tst-pam_permit: New + * modules/pam_rhosts/Makefile.am: Add rules for make check + * modules/pam_rhosts/tst-pam_rhosts: New + * modules/pam_rootok/Makefile.am: Add rules for make check + * modules/pam_rootok/tst-pam_rootok: New + * modules/pam_securetty/Makefile.am: Add rules for make check + * modules/pam_securetty/tst-pam_securetty: New + * modules/pam_selinux/Makefile.am: Add rules for make check + * modules/pam_selinux/tst-pam_selinux: New + * modules/pam_shells/Makefile.am: Add rules for make check + * modules/pam_shells/tst-pam_shells: New + * modules/pam_stress/Makefile.am: Add rules for make check + * modules/pam_stress/tst-pam_stress: New + * modules/pam_succeed_if/Makefile.am: Add rules for make check + * modules/pam_succeed_if/tst-pam_succeed_if: New + * modules/pam_tally/Makefile.am: Add rules for make check + * modules/pam_tally/tst-pam_tally: New + * modules/pam_time/Makefile.am: Add rules for make check + * modules/pam_time/tst-pam_time: New + * modules/pam_umask/Makefile.am: Add rules for make check + * modules/pam_umask/tst-pam_umask: New + * modules/pam_unix/Makefile.am: Add rules for make check + * modules/pam_unix/tst-pam_unix: New + * modules/pam_userdb/Makefile.am: Add 
rules for make check + * modules/pam_userdb/tst-pam_userdb: New + * modules/pam_warn/Makefile.am: Add rules for make check + * modules/pam_warn/tst-pam_warn: New + * modules/pam_wheel/Makefile.am: Add rules for make check + * modules/pam_wheel/tst-pam_wheel: New + * modules/pam_xauth/Makefile.am: Add rules for make check + * modules/pam_xauth/tst-pam_xauth: New + +2006-03-11 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/pam_fail_delay.3.xml: New. + * doc/man/pam_fail_delay.3: New, generated from xml. + * doc/man/pam_prompt.3.xml: New. + * doc/man/pam_prompt.3: New, generated from xml. + * doc/man/pam_syslog.3.xml: New. + * doc/man/pam_syslog.3: New, generated from xml. + * doc/man/pam_vprompt.3: New, generated from xml. + * doc/man/pam_vsyslog.3: New, generated from xml. + +2006-02-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/km.po: Update Khmer translation. + +2006-02-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_succeed_if/pam_succeed_if.8.xml: New, based on + version from #1425487. + * modules/pam_succeed_if/pam_succeed_if.8: Regenerated from xml. + * modules/pam_succeed_if/Makefile.am: Include XML rules. + * modules/pam_succeed_if/README.xml: New. + * modules/pam_succeed_if/README: Regenerated from xml. + * modules/pam_succeed_if/pam_succeed_if.c: Fix comment about + return values. + +2006-02-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Fix check for incomplete libaudit installations + (Patch from Ruediger Oertel <ro@suse.de>). + + * modules/pam_lastlog/pam_lastlog.c (last_login_write): Initialize + correct last_login field [#1427401]. + + * modules/pam_lastlog/pam_lastlog.c (last_login_read): Mark strftime + format string for translation to allow reorder [#1428269]. + * po/*.po: Update with last pam_lastlog change. + + +2006-02-17 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/man/Makefile.am: Add new manual pages. + * doc/man/pam_end.3: Regenerated from xml file. + * doc/man/pam_end.3.xml: Document freeing of item data. 
+ * doc/man/pam_get_user.3: New. + * doc/man/pam_get_user.3.xml: New. + * modules/pam_access/access.conf.5.xml: Fix typos. + * modules/pam_env/Makefile.am: Add new manual pages. + * modules/pam_env/README: Regenerate from xml file. + * modules/pam_env/README.xml: New. + * modules/pam_env/pam_env.8: New. + * modules/pam_env/pam_env.8.xml: New. + * modules/pam_env/pam_env.conf.5: New. + * modules/pam_env/pam_env.conf.5.xml New. + +2006-02-14 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/fi.po: Updated translations. + * po/pl.po: Likewise. + * po/km.po: New translation. + * configure.in: Add km as new language. + +2006-02-13 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_echo/pam_echo.8.xml: New. + * modules/pam_echo/pam_echo.8: Regenerated from xml file. + * modules/pam_echo/Makefile.am: Include Make.xml.rules. + * modules/pam_echo/pam_echo.c: Fix return value. + + * doc/modules/pam_chroot.sgml: Remove obsolete sgml file. + +2006-02-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Add doc/man/Makefile. + * Make.xml.rules: Enable xincludes for manual pages. + * doc/Makefile.am (EXRA_DIST): Remove manual pages. + (SUBDIR): Add man subdirectory. + * doc/man/Makefile.am: New. + * doc/man/pam_acct_mgmt.3: New. + * doc/man/pam_acct_mgmt.3.xml: New. + * doc/man/pam_get_data.3: New. + * doc/man/pam_get_data.3.xml: New. + * doc/man/pam_set_data.3: New. + * doc/man/pam_set_data.3.xml: New. + * doc/man/pam.8.xml: New. + * doc/man/pam.8: Regenerated from xml file. + * doc/man/pam_authenticate.3.xml: New. + * doc/man/pam_authenticate.3: Regenerated from xml file. + * doc/man/pam_chauthtok.3.xml: New. + * doc/man/pam_chauthtok.3: Regenerated from xml file. + * doc/man/pam_close_session.3.xml: New. + * doc/man/pam_close_session.3: Regenerated from xml file. + * doc/man/pam_end.3.xml: New. + * doc/man/pam_end.3: Regenerated from xml file. + * doc/man/pam_fail_delay.3.xml: New. + * doc/man/pam_fail_delay.3: Regenerated from xml file. + * doc/man/pam_get_item.3.xml: New. 
+ * doc/man/pam_get_item.3: Regenerated from xml file. + * doc/man/pam_item_types.inc.xml: New. + * doc/man/pam_open_session.3.xml: New. + * doc/man/pam_open_session.3: Regenerated from xml file. + * doc/man/pam_set_item.3.xml: New. + * doc/man/pam_set_item.3: Regenerated from xml file. + * doc/man/pam_setcred.3.xml: New. + * doc/man/pam_setcred.3: Regenerated from xml file. + * doc/man/pam_start.3.xml: New. + * doc/man/pam_start.3: Regenerated from xml file. + * doc/man/pam_strerror.3.xml: New. + * doc/man/pam_strerror.3: Regenerated from xml file. + * doc/man/template-man: Removed. + +2006-02-10 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Remove pam_pwdb support. + * modules/Makefile.am: remove pam_pwdb. + * modules/pam_pwdb: Remove complete directory. + * libpam/Makefile.am: Remove LIBPWDB references. + * libpam/pam_static_modules.h: Remove pam_pwdb references. + * doc/modules/pam_pwdb.sgml: Removed. + * po/POTFILES.in: Remove modules/pam_pwdb/*.c entries. + * doc/pam_source.sgml: Remove references to libpwdb. + * doc/modules/pam_limits.sgml: Remove wrong reference to libpwdb. + * doc/modules/pam_group.sgml: Likewise. + * doc/modules/pam_cracklib.sgml: Replace pam_pwdb with pam_unix. + * doc/modules/pam_userdb.sgml: Likewise. + * modules/pam_cracklib/pam_cracklib.8.xml: Replace pam_pwdb + with pam_unix. + * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. + * modules/pam_group/pam_group.c: Remove dead code for libpwdb. + + * modules/pam_access/Makefile.am: Fix EXTRA_DIST. + * modules/pam_cracklib/Makefile.am: Likewise. + * modules/pam_deny/Makefile.am: Likewise. + * modules/pam_exec/Makefile.am: Likewise. + +2006-02-07 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Check for text browser. + * Make.xml.rules: Add rule to generate README from README.xml. + + * modules/pam_access/Makefile.am: Include Make.xml.rules. + * modules/pam_access/README: Regenerated from README.xml. + * modules/pam_access/README.xml: New. 
+ * modules/pam_access/access.conf: Extended by new examples. + * modules/pam_access/access.conf.5: New, generated from xml file. + * modules/pam_access/access.conf.5.xml: New. + * modules/pam_access/pam_access.8: New, generated from xml file. + * modules/pam_access/pam_access.8.xml: New. + * modules/pam_access/pam_access.c: Add rules for IPv6 and + netmasks. + Based on patch from Mike Becher <Mike.Becher@lrz-muenchen.de>. + + * modules/pam_deny/Makefile.am: Include Make.xml.rules. + * modules/pam_deny/pam_deny.8.xml: New. + * modules/pam_deny/pam_deny.8: New, generated from xml file. + * modules/pam_deny/README.xml: New. + * modules/pam_deny/README: Regenerated from xml file. + + * modules/pam_cracklib/Makefile.am: Include Make.xml.rules. + * modules/pam_cracklib/pam_cracklib.8.xml: New. + * modules/pam_cracklib/pam_cracklib.8: New, generated from xml file. + * modules/pam_cracklib/README.xml: New. + * modules/pam_cracklib/README: Regenerated from xml file. + + * modules/pam_exec/Makefile.am: Add rule to generate README. + * modules/pam_exec/README: Regenerated from xml file. + * modules/pam_exec/pam_exec.8: Regenerated from xml file. + * modules/pam_exec/pam_exec.8.xml: Syntax files. + +2006-02-06 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/nl.po: New. + * po/pt.po: Update translations. + * configure.in: Add nl as new language. + +2006-01-30 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_exec/pam_exec.8.xml: Fix syntax of Return Value section. + * modules/pam_exec/Makefile.am: Include Make.xml.rules. + + * Make.xml.rules: New. + + * Makefile.am (EXTRA_DIST): Add Make.xml.rules. + +2006-01-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Prefer libdb over libndbm, fix check for + libcrack and remove not needed BACKUP_LIBS. + +2006-01-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_debug/pam_debug.c: Fix name of pam_module struct. + + * po/de.po: Fix one translation. + + * configure.in: Add modules/pam_exec. 
+ * modules/Makefile.am: Add pam_exec subdirectory. + * modules/pam_exec/README: New. + * modules/pam_exec/Makefile.am: New. + * modules/pam_exec/pam_exec.8: New. + * modules/pam_exec/pam_exec.c: New. + * modules/pam_exec/pam_exec.8.xml: New. + * po/POTFILES.in: Add modules/pam_exec/pam_exec.c. + * po/*.po: Merge new pam_exec strings. + + * libpam/pam_static_modules.h: New. + * Makefile.am: Reorder subdirectories for static modules. + * configure.in: Add --enable-static-modules option. + * libpam/Makefile.am: Define WITH_SELINUX and WITH_PWDB if + necessary, add pam_static_modules.h, link against all PAM + module object files if STATIC_MODULES is defined. + * libpam/pam_static.c: Remove old _static_module* includes, + include pam_static_modules.h. + + * configure.in: Add checks for xsltproc, xmllint and docbook + xsl stylesheet. + * m4/jh_path_xml_catalog.m4: New. + +2006-01-22 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_succeed_if/pam_succeed_if.c: Add support for + static modules. + * modules/pam_xauth/pam_xauth.c: Likewise. + + * libpam/pam_static.c (_pam_open_static_handler): Add pamh + as argument. + * libpam/pam_private.h: Adjust prototype. + * libpam/pam_handlers.c (_pam_add_handler): Add pamh to + _pam_open_static_handler call. + + * configure.in: Don't define PAM_DYNAMIC. + * libpam/pam_handlers.c: Get ride of PAM_DYNAMIC, don't + include pam_dynamic.h + * libpam/pam_dynamic.c: Don't include pam_dynamic.h, + exclude functions if we compile with PAM_STATIC. + * libpam/pam_dynamic.h: Remove. + * libpam/pam_private.h: Add function prototypes from pam_dynamic.h. + * libpam/Makefile.am: Bump version number of libpam, remove + pam_dynamic.h. + +2006-01-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_listfile/pam_listfile.c: Add support for session + and password management. + +2006-01-19 Thorsten Kukuk <kukuk@thkukuk.de> + + * doc/specs/Makefile.am (spec): Add padout to fix parallel + build (Reported by Andreas Haumer <andreas@xss.co.at>). 
+ +2006-01-15 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_echo/pam_echo.c: Define HOST_NAME_MAX if not + already defined. + +2006-01-13 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.3.0 + + * libpam_misc/misc_conv.c (misc_conv): Fix strict aliasing + error. + + * modules/pam_umask/pam_umask.c (search_key): Don't ignore + EOF/error return value from fgets(). + + * configure.in: Check for getline and getdelim + + * po/fi.po: Add new translations. + * po/de.po: Likewise. + * po/es.po: Likewise. + * po/fr.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/pt_BR.po: Likewise. + * po/zh_CH.po: Likewise. + * po/zh_TW.po: Likewise. + +2006-01-13 Dmitry V. Levin <ldv@altlinux.org> + + * libpam/pam_audit.c (_pam_auditlog): Replace strerror(errno) + call with %m specifier. + +2006-01-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Add check for -fpie/-pie + * modules/pam_filter/upperLOWER/Makefile.am: Compile/link + upperLOWER with -fpie/-pie if supported. + * modules/pam_unix/Makefile.am: Compile/link unix_chkpwd + with -fpie/-pie if supported. + +2006-01-12 Steve Grubb <sgrubb@redhat.com> + + * configure.in: Add check for audit library. + * libpam/Makefile.am (libpam_la_LDFLAGS): Add LIBAUDIT. + (libpam_la_SOURCES): Add pam_audit.c. + * libpam/pam_account.c (pam_acct_mgmt): Add _pam_auditlog() call. + * libpam/pam_auth.c (pam_authenticate), (pam_setcred): Likewise. + * libpam/pam_password.c (pam_chauthtok): Likewise. + * libpam/pam_session.c (pam_open_session), + (pam_close_session): Likewise. + * libpam/pam_private.h: Add audit_state member to pam_handle, + declare _pam_auditlog and _pam_audit_end. + * libpam/pam_start.c (pam_start): Initialize audit_state. + * libpam/pam_audit.c: New file with _pam_auditlog and _pam_audit_end + implementation. + * libpam/pam_end.c (pam_end): Add _pam_audit_end() call. + * NEWS: Note about added auditing. 
+ +2006-01-11 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/Makefile.am (AM_CFLAGS): Define LIBPAM_COMPILE. + + * libpam/include/security/_pam_types.h: Don't define PAM_NONNULL + if we compile libpam itself. + + * po/hu.po: Update with new translations. + +2006-01-08 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_cracklib/pam_cracklib.c: Use PAM_AUTHTOK_RECOVERY_ERR + instead of PAM_AUTHTOK_RECOVER_ERR. + * modules/pam_pwdb/support.-c: Likewise. + * modules/pam_unix/support.c: Likewise. + * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate): Likewise. + * libpam/pam_strerror.c (pam_strerror): Likewise. + + * libpam/include/security/_pam_compat.h: Define + PAM_AUTHTOK_RECOVER_ERR for backward compatibility. + + * libpam/include/security/_pam_types.h: Rename + PAM_AUTHTOK_RECOVER_ERR to PAM_AUTHTOK_RECOVERY_ERR. + +2006-01-05 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/include/security/_pam_types.h: Remove nonnull attribute + from third paramter (item) of pam_get_item. + * libpam/Makefile.am: Bump version number of shared library. + +2005-12-21 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup), + (evaluate_notingroup): Simplified. + (evaluate_innetgr), (evaluate_notinnetgr): New functions. + (evaluate): Added calls to evaluate_(not)innetgr(). + * modules/pam_succeed_if/README: Documented netgroup matching. + * NEWS: Mentioned the added netgroup matching support. + +2005-12-20 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_lastlog/pam_lastlog.c (last_login_read): Use + strftime instead of ctime. + + * po/de.po: Fix typo. + +2005-12-19 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_syslog.c: Define LOG_AUTHPRIV as LOG_AUTH on Solaris. + Reported by Charles_H_Bedford@nbc.gov. + + * modules/pam_time/pam_time.c (check_account): Implement + support for netgroups. + + * modules/pam_time/time.conf: Document usage of netgroups. 
+ +2005-12-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_group/pam_group.c (check_account): Implement + support for netgroups. + + * modules/pam_group/group.conf: Add all documentation to this + example config file and don't reference to outdated configs. + + * modules/pam_group/README: New. + + * modules/pam_group/Makefile.am: Add README to EXTRADIST. + +2005-12-15 Thorsten Kukuk <kukuk@suse.de> + + * modules/pam_lastlog/pam_lastlog.c (last_login_read): Don't report an + error if user logins the first time. + + * modules/pam_lastlog/README: New. + + * modules/pam_lastlog/Makefile.am: Add README to EXTRADIST. + +2005-12-14 Thorsten Kukuk <kukuk@suse.de> + + * modules/pam_deny/pam_deny.c: Fix comment. + + * doc/pam_appl.sgml: Fix typo. + + Reported by Russell Bateman <russ@windofkeltia.com> + +2005-12-12 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.2.1 + + * po/de.po: Remove new fuzzy entry + + * NEWS: Add 0.99.2.1 changes + + * configure.in: bump version number to 0.99.2.1 + +2005-12-12 Dmitry V. Levin <ldv@altlinux.org> + + Cleanup pam_syslog messages. + + * modules/pam_env/pam_env.c (_expand_arg): Fix compiler warning. + * modules/pam_filter/pam_filter.c (set_filter): Append %m + specifier to pam_syslog messages where appropriate. + * modules/pam_group/pam_group.c (read_field): Likewise. + * modules/pam_mkhomedir/pam_mkhomedir.c (make_remark): Remove. + (create_homedir): Do not use make_remark() wrapper, call + pam_info() directly. Call pam_syslog() right after failed + operation and append %m specifier to pam_syslog messages where + appropriate. + * modules/pam_rhosts/pam_rhosts_auth.c (pam_iruserok): Replace + sequence of malloc(), strcpy() and strcat() calls with asprintf(). + Append %m specifier to pam_syslog messages where appropriate. + * modules/pam_securetty/pam_securetty.c (securetty_perform_check): + Append %m specifier to pam_syslog messages where appropriate. + * modules/pam_shells/pam_shells.c (perform_check): Likewise. 
+ +2005-12-12 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_mail/pam_mail.c (report_mail): Fixed typo in string. + * po/Linux-PAM.pot: Likewise. + * po/de.po: Likewise. + * po/es.po: Likewise. + * po/fi.po: Likewise. + * po/fr.po: Likewise. + * po/hu.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/nb.po: Likewise. + * po/pa.po: Likewise. + * po/pl.po: Likewise. + * po/pt.po: Likewise. + * po/pt_BR.po: Likewise. + * po/zh_CN.po: Likewise. + * po/zh_TW.po: Likewise. + * po/de.po: Add new translation, fixed typo in string. + +2005-12-12 Mike Becher <Mike.Becher@lrz-muenchen.de> + + * doc/Makefile.am: Fixed install of PS, PDF, TXT and HTML files. + +2005-12-12 Thorsten Kukuk <kukuk@suse.de> + + * modules/pam_mail/README: Document "quiet" and "standard" + options. + +2005-12-07 Thorsten Kukuk <kukuk@suse.de> + + * modules/pam_mail/pam_mail.c: Modify assembling of output + for easier translation. + + * po/de.po: Translate new pam_mail messages. + + +2005-11-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * po/de.po: Add new translation, fix wrong format specifier. + * po/cs.po: Fix wrong format specifier. + * po/es.po: Likewise. + * po/fi.po: Likewise. + * po/fr.po: Likewise. + * po/hu.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/nb.po: Likewise. + * po/pa.po: Likewise. + * po/pl.po: Likewise. + * po/pt.po: Likewise. + * po/pt_BR.po: Likewise. + * po/zh_CN.po: Likewise. + * po/zh_TW.po: Likewise. + +2005-11-24 Dmitry V. Levin <ldv@altlinux.org> + + * config.h.in: Remove generated file. + * .cvsignore: Add config.h.in. + + * configure.in: Do not check for strerror. + * libpam_misc/misc_conv.c (read_string): Replace strerror() + call with %m specifier. + * libpamc/pamc_converse.c (pamc_converse): Likewise. + * modules/pam_echo/pam_echo.c (pam_echo): Likewise. + * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): + Likewise. + * modules/pam_selinux/pam_selinux.c (security_label_tty): + Likewise. 
+ (security_restorelabel_tty, security_label_tty): Append %m + specifier where appropriate. + * modules/pam_selinux/pam_selinux_check.c (main): Replace + strerror() call with %m specifier. + * modules/pam_unix/pam_unix_passwd.c (save_old_password, + _update_passwd, _update_shadow): Likewise. + * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. + * modules/pam_unix/unix_chkpwd.c (_update_shadow): Likewise. + * po/Linux-PAM.pot: Update strings from pam_selinux. + * po/cs.po: Likewise. + * po/de.po: Likewise. + * po/es.po: Likewise. + * po/fi.po: Likewise. + * po/fr.po: Likewise. + * po/hu.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/nb.po: Likewise. + * po/pa.po: Likewise. + * po/pl.po: Likewise. + * po/pt.po: Likewise. + * po/pt_BR.po: Likewise. + * po/zh_CN.po: Likewise. + * po/zh_TW.po: Likewise. + +2005-11-23 Thorsten Kukuk <kukuk@suse.de> + + * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Introduce + new variable to fix compiler warning. + + * libpam/pam_modutil_getlogin.c (pam_modutil_getlogin): PAM_TTY + don't need to start with /dev/. + +2005-11-21 Thorsten Kukuk <kukuk@thkukuk.de> + + * release version 0.99.2.0 + + * libpam_misc/Makefile.am: Increase release number (for change + from 2005-11-09) + + * NEWS: Adjust for 0.99.2.0 + +2005-11-17 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/include/security/_pam_compat.h: Fix wrong #ifdef nesting. + Redefine PAM_CHANGE_EXPIRED_AUTHTOK [#604380] + +2005-11-16 Thorsten Kukuk <kukuk@thkukuk.de> + + * libpam/pam_handlers.c: Replace code for all dlopen variants with + a generic wrapper. + * libpam/pam_dynamic.c: Implement generic wrapper for dlopen. + * libpam/pam_dynamic.h: Provide prototypes. + For Mac OS X support [#534205] + +2005-11-09 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.c (pam_sm_acct_mgmt): Parse correctly + full path tty name. + * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Parse correctly + full path tty name. Allow unset tty. 
+ (logic_member): Allow matching ':' in tty name. + * modules/pam_group/pam_group.c (pam_sm_acct_mgmt): Parse correctly + full path tty name. Allow unset tty. + (logic_member): Allow matching ':' in tty name. + + * libpam_misc/misc_conv.c (read_string): Read only up to EOL if stdin + is not terminal. + +2005-11-07 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Use + correct variable names. + +2005-11-06 Steve Langasek <vorlon@debian.org> + + * modules/pam_env/pam_env.c: don't treat a missing + /etc/environment as a fatal error when attempting to read it, + and try to read this file by default; this restores the behavior + from Linux-PAM 0.76. + +2005-11-02 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/support.c (_unix_getpwnam): Fix typo [#1224807] + by ohyajapn. + + * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Change the + logic when comparing dates to handle corner cases better [#1245888]. + +2005-10-31 Thorsten Kukuk <kukuk@suse.de> + + * modules/pam_filter/pam_filter.c: Use XCASE only if defined + [#624214] + +2005-10-27 Thorsten Kukuk <kukuk@suse.de> + + * doc/man/pam.8: Fix wording for authentication chapter [#1197444] + +2005-10-26 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary), + modules/pam_unix/pam_unix_passwd.c (_unix_run_shadow_binary), + modules/pam_unix/support.c (_unix_run_shadow_binary_): Set real + uid to 0 before executing the helper if SELinux is enabled. + * modules/pam_unix/unix_chkpwd.c (main): Disable user check only + if real uid is 0 (CVE-2005-2977). Log failed password check attempt. + + +2005-10-20 Tomas Mraz <t8m@centrum.cz> + + * configure.in: Added check for xauth binary and --with-xauth option. + * config.h.in: Added configurable PAM_PATH_XAUTH. + * modules/pam_xauth/README, + modules/pam_xauth/pam_xauth.8: Document where xauth is looked for. 
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Implement + searching xauth binary on multiple places. + (run_coprocess): Don't use execvp as it can be a security risk. + +2005-10-04 Steve Langasek <vorlon@debian.org> + + * libpam/include/security/pam_malloc.h, + libpam/include/security/pam_modules.h: Declare public header + files extern "C" so that they are C++-safe. + +2005-10-02 Dmitry V. Levin <ldv@altlinux.org> + Steve Langasek <vorlon@debian.org> + + Cleanup gratuitous use of strdup(). + Fix "missing argument" checks. + + * modules/pam_env/pam_env.c (_pam_parse): Add const qualifier + to conffile and envfile arguments. Do not use x_strdup() for + conffile and envfile initialization. Fix "missing argument" + checks. + (_parse_config_file): Take conffile argument of type "const char *" + instead of "char **". Do not free conffile. + (_parse_env_file): Take env_file argument of type "const char *" + instead of "char **". Do not free env_file. + (pam_sm_setcred): Add const qualifier to conf_file and env_file. + Pass conf_file and env_file to _parse_config_file() and + _parse_env_file() by value. + (pam_sm_open_session): Likewise. + + * modules/pam_ftp/pam_ftp.c (_pam_parse): Add const qualifier to + users argument. Do not use x_strdup() for users initialization. + (lookup): Add const qualifier to list argument. + (pam_sm_authenticate): Add const qualifier to users argument. + + * modules/pam_mail/pam_mail.c (_pam_parse): Add const qualifier + to maildir argument. Do not use x_strdup() for maildir + initialization. Fix "missing argument" check. + (get_folder): Take path_mail argument of type "const char *" + instead of "char **". Do not free path_mail. + (_do_mail): Add const qualifier to path_mail argument. + Pass path_mail to get_folder() by value. + + * modules/pam_motd/pam_motd.c: Include <syslog.h>. + (pam_sm_open_session): Add const qualifier to motd_path. + Do not use x_strdup() for motd_path initialization. Do not + free motd_path. 
Fix "missing argument" check. Add "unknown + option" warning. + + * modules/pam_userdb/pam_userdb.c (_pam_parse): Add const + qualifier to database and cryptmode arguments. Fix "missing + argument" checks. + (pam_sm_authenticate): Add const qualifier to database and cryptmode. + (pam_sm_acct_mgmt): Likewise. + +2005-10-01 Steve Langasek <vorlon@debian.org> + + * modules/pam_userdb/pam_userdb.c: spelling fix in log message. + +2005-09-30 Steve Langasek <vorlon@debian.org> + + * modules/pam_userdb/pam_userdb.c: Fix memory leak due to + gratuitous use of strdup(). + +2005-09-27 Thorsten Kukuk <kukuk@thkukuk.de> + + * release 0.99.1.0 + + * doc/specs/Makefile.am (install-data-local): Install + rfc and draft. + (all): Copy rfc if we build outside of source directory. + +2005-09-27 Thorsten Kukuk <kukuk@suse.de> + + * NEWS: Document removal of pam_radius. + * autogen.sh: Make configure script executeable. + + * conv/pam_conv1/Makefile (EXTRA_DIST): Removed lex.yy.c + (lex.yy.c): Fixed out of tree build. + + * conv/pam_conv1/pam_conv.y: Fix main prototype. + + * README: Adjust. + + * po/POTFILES.in: Remove files not distributed by tar archive + and not containing strings for translation. + +2005-09-26 Tomas Mraz <t8m@centrum.cz> + + * NEWS: Add a few missing entries from CHANGELOG. + + * AUTHORS: Fixed entries for Toady and me. + + * Makefile.am (M4_FILES): Fixed out of tree build. + * doc/specs/Makefile.am (EXTRA_DIST): Removed lex.yy.c + (spec, lex.yy.c): Fixed out of tree build. + + * modules/pam_userdb/README: Document try_first_pass and + use_first_pass options, remove use_authtok option. + + +2005-09-26 Dmitry V. Levin <ldv@altlinux.org> + + * NEWS: Mention changes in pam_lastlog. + +2005-09-26 Thorsten Kukuk <kukuk@suse.de> + + * NEWS: New file. + * autogen.sh: Don't generate NEWS file. + * CHANGELOG: Document it as obsolete. 
+ +2005-09-26 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): + _log_err() -> pam_syslog() + (pam_sm_acct_mgmt): _log_err() -> pam_syslog(), fix warning. + * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): + _log_err() -> pam_syslog() + * modules/pam_unix/pam_unix_passwd.c: removed obsolete ifdef + (getNISserver, _unix_run_shadow_binary, _update_passwd, + _update_shadow, _do_setpass, _pam_unix_approve_pass, + pam_sm_chauthtok): _log_err() -> pam_syslog() + * modules/pam_unix/pam_unix_sess.c: removed obsolete ifdef + (pam_sm_open_session, pam_sm_close_session): + _log_err() -> pam_syslog() + * modules/pam_unix/support.c (_log_err, converse): removed + (_make_remark): use pam_prompt() instead of converse() + (_set_ctrl, _cleanup_failures, _unix_run_helper_binary, + _unix_verify_password, _unix_read_password): + _log_err() -> pam_syslog() + _cleanup(), _unix_cleanup(): Silence unused param warnings. + (_cleanup_failures, _unix_verify_password, _unix_getpwnam, + _unix_run_helper_binary): Silence incorrect type warnings. + (_unix_read_password): Use multiple pam_prompt() and pam_info() calls + instead of converse(). + * modules/pam_unix/support.h (_log_err): removed + * modules/pam_unix/unix_chkpwd.c (_log_err): LOG_AUTH -> LOG_AUTHPRIV + +2005-09-26 Thorsten Kukuk <kukuk@suse.de> + + * configure.in: Add doc/specs/Makefile. + * Makefile.am: Add releasedocs rule. + * doc/Makefile.am: Add specs subdir, remove files from specs + directory, add rfc86.0.txt to releasedocs. + * doc/specs/Makefile.am: New file. + * doc/specs/formatter/parse.y: move from here ... + * doc/specs/parse.y: ... here. + * doc/specs/formatter/parse.lex: move from here ... + * doc/specs/parse.lex: ... here. + + * modules/pam_mail/pam_mail.c: Mark missing strings for translation + * po/Linux-PAM.pot: Add new strings from pam_mail + * po/cs.po: Likewise. + * po/de.po: Likewise. + * po/es.po: Likewise. + * po/fi.po: Likewise. + * po/fr.po: Likewise. 
+ * po/hu.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/nb.po: Likewise. + * po/pa.po: Likewise. + * po/pl.po: Likewise. + * po/pt.po: Likewise. + * po/pt_BR.po: Likewise. + * po/zh_CN.po: Likewise. + * po/zh_TW.po: Likewise. + +2005-09-23 Tomas Mraz <t8m@centrum.cz> + + * modules/pam_access/pam_access.c (from_match): Support NULL from. + (string_match): Support NULL string, add NONE keyword matching it. + (pam_sm_acct_mgmt): Don't fail when ttyname returns NULL. + * modules/pam_access/access.conf: NONE keyword description + * modules/pam_access/README: NONE keyword description + +2005-09-22 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_xauth/pam_xauth.c: (check_acl, pam_sm_open_session, + pam_sm_close_session): Strip redundant "pam_xauth: " prefix from + text of log messages. + (pam_sm_open_session): Replace sequence of malloc(), strcpy() + and strcat() calls with asprintf(). Replace syslog() calls + with pam_syslog(). + + * modules/pam_nologin/pam_nologin.c (parse_args): Use strncmp() + instead of memcmp() for string comparison. + +2005-09-21 Dmitry V. Levin <ldv@altlinux.org> + + * modules/pam_nologin/pam_nologin.c: Include <syslog.h>. + (parse_args): Add pam_handle_t* argument. Log unrecognized + options. + (perform_check): Log pam_get_user() and malloc() failures. + (pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt): + Pass pam_handle_t* to parse_args(). + + * modules/pam_mail/pam_mail.c: Include <errno.h>. + Remove YOUR_MAIL_VERBOSE_FORMAT, YOUR_MAIL_STANDARD_FORMAT and + NO_MAIL_STANDARD_FORMAT macros. + (parse_args, get_folder): Cleanup error messages. + (get_folder): Fix leak of the path_mail variable in case of + pam_get_user() failure. Cleanup memory management. + (get_mail_status): Add pam_handle_t* argument. Fix leaks of + namelist variable. Cleanup memory management. Log memory + allocation failures. Remove 250-byte limit on Maildir pathname. + (report_mail): Mark text messages for translation. 
+ (_do_mail): Cleanup memory management. Pass pam_handle_t* + to get_mail_status(). + + * po/Linux-PAM.pot: Update with new strings from pam_mail for + translation. + * po/cs.po: Likewise. + * po/de.po: Likewise. + * po/es.po: Likewise. + * po/fi.po: Likewise. + * po/fr.po: Likewise. + * po/hu.po: Likewise. + * po/it.po: Likewise. + * po/ja.po: Likewise. + * po/nb.po: Likewise. + * po/pa.po: Likewise. + * po/pl.po: Likewise. + * po/pt.po: Likewise. + * po/pt_BR.po: Likewise. + * po/zh_CN.po: Likewise. + * po/zh_TW.po: Likewise. + +2005-09-20 Thorsten Kukuk <kukuk@suse.de> + + * configure.in: Add finish translation. + * po/fi.po: New. + + * acinclude.m4: remove libprelude macros. + * m4/libprelude.m4: New. + + * Makefile.am (EXTRA_DIST): make sure we include all m4 macros. + + * libpamc/Makefile.am (EXTRA_DIST): Add License. + +See CHANGELOG for earlier changes. |
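Review bot: three wording problems sit in the 2005-09 entries at the tail of this ChangeLog hunk. The 2005-09-27 autogen.sh entry spells "executeable". The 2005-09-20 configure.in entry reads "Add finish translation" while the same entry adds po/fi.po, so "Finnish" looks intended. The 2005-09-26 pam_unix/support.c entry lists "_cleanup(), _unix_cleanup():" without the parenthesised "(func, func):" form the neighbouring lines use. The closing line also points readers to CHANGELOG, while the diffstat for this commit adds ChangeLog-CVS and the 2005-09-26 entry marks CHANGELOG as obsolete, so it is worth confirming that the pointer resolves in the imported tree. Since the commit message describes this as adding upstream version 1.3.1, I would keep the file identical to upstream here and raise these points upstream rather than patch them downstream.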