summaryrefslogtreecommitdiffstats
path: root/debian/patches-applied
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches-applied/007_modules_pam_unix515
-rw-r--r--debian/patches-applied/008_modules_pam_limits_chroot132
-rw-r--r--debian/patches-applied/021_nis_cleanup24
-rw-r--r--debian/patches-applied/022_pam_unix_group_time_miscfixes22
-rw-r--r--debian/patches-applied/026_pam_unix_passwd_unknown_user33
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root253
-rw-r--r--debian/patches-applied/031_pam_include72
-rw-r--r--debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL22
-rw-r--r--debian/patches-applied/036_pam_wheel_getlogin_considered_harmful145
-rw-r--r--debian/patches-applied/040_pam_limits_log_failure36
-rw-r--r--debian/patches-applied/045_pam_dispatch_jump_is_ignore34
-rw-r--r--debian/patches-applied/054_pam_security_abstract_securetty_handling199
-rw-r--r--debian/patches-applied/055_pam_unix_nullok_secure223
-rw-r--r--debian/patches-applied/PAM-manpage-section1802
-rw-r--r--debian/patches-applied/cve-2010-4708.patch53
-rw-r--r--debian/patches-applied/do_not_check_nis_accidentally22
-rw-r--r--debian/patches-applied/fix-autoreconf.patch27
-rw-r--r--debian/patches-applied/hurd_no_setfsuid77
-rw-r--r--debian/patches-applied/lib_security_multiarch_compat71
-rw-r--r--debian/patches-applied/make_documentation_reproducible.patch19
-rw-r--r--debian/patches-applied/no_PATH_MAX_on_hurd22
-rw-r--r--debian/patches-applied/pam-limits-nofile-fd-setsize-cap60
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch25
-rw-r--r--debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch25
-rw-r--r--debian/patches-applied/series25
-rw-r--r--debian/patches-applied/update-motd108
26 files changed, 4046 insertions, 0 deletions
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
new file mode 100644
index 0000000..ae00a79
--- /dev/null
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -0,0 +1,515 @@
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -98,6 +98,9 @@
+ # endif /* GNU libc 2.1 */
+ #endif
+
++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
++ unsigned int);
++
+ /*
+ How it works:
+ Gets in username (has to be done) from the calling program
+@@ -593,6 +596,11 @@
+ return retval;
+ }
+ }
++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
++ struct passwd *pwd;
++ pwd = pam_modutil_getpwnam(pamh, user);
++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
++ }
+ }
+ if (remark) {
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+@@ -608,7 +616,7 @@
+ int retval;
+ int remember = -1;
+ int rounds = -1;
+- int pass_min_len = 0;
++ int pass_min_len = 6;
+
+ /* <DO NOT free() THESE> */
+ const char *user;
+Index: pam/modules/pam_unix/support.h
+===================================================================
+--- pam.orig/modules/pam_unix/support.h
++++ pam/modules/pam_unix/support.h
+@@ -98,8 +98,9 @@
+ #define UNIX_QUIET 28 /* Don't print informational messages */
+ #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
+ #define UNIX_DES 30 /* DES, default */
++#define UNIX_OBSCURE_CHECKS 31 /* enable obscure checks on passwords */
+ /* -------------- */
+-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -108,37 +109,38 @@
+ /* symbol token name ctrl mask ctrl *
+ * ----------------------- ------------------- --------------------- -------- */
+
+-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
+-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
+-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
+-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
+-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
+-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
+-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
+-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
+-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
+-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
+-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+-/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0},
++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0},
++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0},
++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0},
++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10, 0},
++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20, 0},
++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0},
++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0},
++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0},
++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x2C22000), 0x2000, 1},
++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0, 0},
++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0},
++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0},
++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0},
++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2C22000), 0x20000, 1},
++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0},
++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0},
++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0},
++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0},
++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x2C22000), 0x400000, 1},
++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000, 1},
++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0},
++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000, 1},
++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0},
++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0},
++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0},
++/* UNIX_DES */ {"des", _ALL_ON_^(0x2C22000), 0, 1},
++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x20000000, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
+@@ -361,8 +361,81 @@
+ <listitem>
+ <para>
+ Set a minimum password length of <replaceable>n</replaceable>
+- characters. The max. for DES crypt based passwords are 8
+- characters.
++ characters. The default value is 6. The maximum for DES
++ crypt-based passwords is 8 characters.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>obscure</option>
++ </term>
++ <listitem>
++ <para>
++ Enable some extra checks on password strength. These checks
++ are based on the "obscure" checks in the original shadow
++ package. The behavior is similar to the pam_cracklib
++ module, but for non-dictionary-based checks. The following
++ checks are implemented:
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>Palindrome</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password is not a palindrome
++ of (i.e., the reverse of) the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Case Change Only</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't the same as the
++ old one with a change of case.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Similar</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't too much like
++ the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Simple</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password too simple? This is based on
++ the length of the password and the number of
++ different types of characters (alpha, numeric, etc.)
++ used.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Rotated</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password a rotated version of the old
++ password? (E.g., "billy" and "illyb")
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
+ </para>
+ </listitem>
+ </varlistentry>
+Index: pam/modules/pam_unix/obscure.c
+===================================================================
+--- /dev/null
++++ pam/modules/pam_unix/obscure.c
+@@ -0,0 +1,198 @@
++/*
++ * Copyright 1989 - 1994, Julianne Frances Haugh
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <ctype.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdlib.h>
++#include <pwd.h>
++#include <security/pam_modules.h>
++#include <security/_pam_macros.h>
++
++
++#include "support.h"
++
++/* can't be a palindrome - like `R A D A R' or `M A D A M' */
++static int palindrome(const char *old, const char *new) {
++ int i, j;
++
++ i = strlen (new);
++
++ for (j = 0;j < i;j++)
++ if (new[i - j - 1] != new[j])
++ return 0;
++
++ return 1;
++}
++
++/* more than half of the characters are different ones. */
++static int similar(const char *old, const char *new) {
++ int i, j;
++
++ /*
++ * XXX - sometimes this fails when changing from a simple password
++ * to a really long one (MD5). For now, I just return success if
++ * the new password is long enough. Please feel free to suggest
++ * something better... --marekm
++ */
++ if (strlen(new) >= 8)
++ return 0;
++
++ for (i = j = 0; new[i] && old[i]; i++)
++ if (strchr(new, old[i]))
++ j++;
++
++ if (i >= j * 2)
++ return 0;
++
++ return 1;
++}
++
++/* a nice mix of characters. */
++static int simple(const char *old, const char *new) {
++ int digits = 0;
++ int uppers = 0;
++ int lowers = 0;
++ int others = 0;
++ int size;
++ int i;
++
++ for (i = 0;new[i];i++) {
++ if (isdigit (new[i]))
++ digits++;
++ else if (isupper (new[i]))
++ uppers++;
++ else if (islower (new[i]))
++ lowers++;
++ else
++ others++;
++ }
++
++ /*
++ * The scam is this - a password of only one character type
++ * must be 8 letters long. Two types, 7, and so on.
++ */
++
++ size = 9;
++ if (digits) size--;
++ if (uppers) size--;
++ if (lowers) size--;
++ if (others) size--;
++
++ if (size <= i)
++ return 0;
++
++ return 1;
++}
++
++static char *str_lower(char *string) {
++ char *cp;
++
++ for (cp = string; *cp; cp++)
++ *cp = tolower(*cp);
++ return string;
++}
++
++static const char * password_check(const char *old, const char *new,
++ const struct passwd *pwdp) {
++ const char *msg = NULL;
++ char *oldmono, *newmono, *wrapped;
++
++ if (strcmp(new, old) == 0)
++ return _("Bad: new password must be different than the old one");
++
++ newmono = str_lower(strdup(new));
++ oldmono = str_lower(strdup(old));
++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
++ strcpy (wrapped, oldmono);
++ strcat (wrapped, oldmono);
++
++ if (palindrome(oldmono, newmono)) {
++ msg = _("Bad: new password cannot be a palindrome");
++ } else if (strcmp(oldmono, newmono) == 0) {
++ msg = _("Bad: new and old password must differ by more than just case");
++ } else if (similar(oldmono, newmono)) {
++ msg = _("Bad: new and old password are too similar");
++ } else if (simple(old, new)) {
++ msg = _("Bad: new password is too simple");
++ } else if (strstr(wrapped, newmono)) {
++ msg = _("Bad: new password is just a wrapped version of the old one");
++ }
++
++ _pam_delete(newmono);
++ _pam_delete(oldmono);
++ _pam_delete(wrapped);
++
++ return msg;
++}
++
++const char *obscure_msg(const char *old, const char *new,
++ const struct passwd *pwdp, unsigned int ctrl) {
++ int oldlen, newlen;
++ char *new1, *old1;
++ const char *msg;
++
++ if (old == NULL)
++ return NULL; /* no check if old is NULL */
++
++ oldlen = strlen(old);
++ newlen = strlen(new);
++
++ /* Remaining checks are optional. */
++ if (off(UNIX_OBSCURE_CHECKS,ctrl))
++ return NULL;
++
++ if ((msg = password_check(old, new, pwdp)) != NULL)
++ return msg;
++
++ /* The traditional crypt() truncates passwords to 8 chars. It is
++ possible to circumvent the above checks by choosing an easy
++ 8-char password and adding some random characters to it...
++ Example: "password$%^&*123". So check it again, this time
++ truncated to the maximum length. Idea from npasswd. --marekm */
++
++ if (!UNIX_DES_CRYPT(ctrl))
++ return NULL; /* unlimited password length */
++
++ if (oldlen <= 8 && newlen <= 8)
++ return NULL;
++
++ new1 = strndup(new,8);
++ old1 = strndup(old,8);
++
++ msg = password_check(old1, new1, pwdp);
++
++ _pam_delete(new1);
++ _pam_delete(old1);
++
++ return msg;
++}
+Index: pam/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.orig/modules/pam_unix/Makefile.am
++++ pam/modules/pam_unix/Makefile.am
+@@ -42,7 +42,7 @@
+
+ pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+
+ bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
+ bigcrypt_CFLAGS = $(AM_CFLAGS)
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
+@@ -193,7 +193,38 @@
+ .RS 4
+ Set a minimum password length of
+ \fIn\fR
+-characters\&. The max\&. for DES crypt based passwords are 8 characters\&.
++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&.
++.RE
++.PP
++\fBobscure\fR
++.RS 4
++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented:
++.PP
++\fBPalindrome\fR
++.RS 4
++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&.
++.RE
++.PP
++\fBCase Change Only\fR
++.RS 4
++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&.
++.RE
++.PP
++\fBSimilar\fR
++.RS 4
++Verifies that the new password isn\*(Aqt too much like the previous one\&.
++.RE
++.PP
++\fBSimple\fR
++.RS 4
++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&.
++.RE
++.PP
++\fBRotated\fR
++.RS 4
++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb")
++.RE
++.sp
+ .RE
+ .PP
+ \fBno_pass_expiry\fR
+Index: pam/modules/pam_unix/README
+===================================================================
+--- pam.orig/modules/pam_unix/README
++++ pam/modules/pam_unix/README
+@@ -155,8 +155,40 @@
+
+ minlen=n
+
+- Set a minimum password length of n characters. The max. for DES crypt based
+- passwords are 8 characters.
++ Set a minimum password length of n characters. The default value is 6. The
++ maximum for DES crypt-based passwords is 8 characters.
++
++obscure
++
++ Enable some extra checks on password strength. These checks are based on
++ the "obscure" checks in the original shadow package. The behavior is
++ similar to the pam_cracklib module, but for non-dictionary-based checks.
++ The following checks are implemented:
++
++ Palindrome
++
++ Verifies that the new password is not a palindrome of (i.e., the
++ reverse of) the previous one.
++
++ Case Change Only
++
++ Verifies that the new password isn't the same as the old one with a
++ change of case.
++
++ Similar
++
++ Verifies that the new password isn't too much like the previous one.
++
++ Simple
++
++ Is the new password too simple? This is based on the length of the
++ password and the number of different types of characters (alpha,
++ numeric, etc.) used.
++
++ Rotated
++
++ Is the new password a rotated version of the old password? (E.g.,
++ "billy" and "illyb")
+
+ no_pass_expiry
+
diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot
new file mode 100644
index 0000000..acbdc1a
--- /dev/null
+++ b/debian/patches-applied/008_modules_pam_limits_chroot
@@ -0,0 +1,132 @@
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -88,6 +88,7 @@
+ int flag_numsyslogins; /* whether to limit logins only for a
+ specific user or to count all logins */
+ int priority; /* the priority to run user process with */
++ char chroot_dir[8092]; /* directory to chroot into */
+ struct user_limits_struct limits[RLIM_NLIMITS];
+ const char *conf_file;
+ int utmp_after_pam_call;
+@@ -98,6 +99,7 @@
+ #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
+
+ #define LIMIT_PRI RLIM_NLIMITS+3
++#define LIMIT_CHROOT RLIM_NLIMITS+4
+
+ #define LIMIT_SOFT 1
+ #define LIMIT_HARD 2
+@@ -484,6 +486,8 @@
+ pl->login_limit = -2;
+ pl->login_limit_def = LIMITS_DEF_NONE;
+
++ pl->chroot_dir[0] = '\0';
++
+ return retval;
+ }
+
+@@ -554,6 +558,8 @@
+ pl->flag_numsyslogins = 1;
+ } else if (strcmp(lim_item, "priority") == 0) {
+ limit_item = LIMIT_PRI;
++ } else if (strcmp(lim_item, "chroot") == 0) {
++ limit_item = LIMIT_CHROOT;
+ } else {
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
+ return;
+@@ -591,9 +597,9 @@
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong limit value '%s' for limit type '%s'",
+ lim_value, lim_type);
+- return;
++ return;
+ }
+- } else {
++ } else if (limit_item != LIMIT_CHROOT) {
+ #ifdef __USE_FILE_OFFSET64
+ rlimit_value = strtoull (lim_value, &endptr, 10);
+ #else
+@@ -654,7 +660,11 @@
+ #endif
+ }
+
+- if ( (limit_item != LIMIT_LOGIN)
++ if (limit_item == LIMIT_CHROOT) {
++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1);
++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0';
++ }
++ else if ( (limit_item != LIMIT_LOGIN)
+ && (limit_item != LIMIT_NUMSYSLOGINS)
+ && (limit_item != LIMIT_PRI) ) {
+ if (limit_type & LIMIT_SOFT) {
+@@ -998,6 +1008,15 @@
+ retval |= LOGIN_ERR;
+ }
+
++ if (!retval && pl->chroot_dir[0]) {
++ i = chdir(pl->chroot_dir);
++ if (i == 0)
++ i = chroot(pl->chroot_dir);
++ if (i == 0)
++ i = chdir("/");
++ if (i != 0)
++ retval = LIMIT_ERR;
++ }
+ return retval;
+ }
+
+Index: pam/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5.xml
++++ pam/modules/pam_limits/limits.conf.5.xml
+@@ -266,6 +266,12 @@
+ (Linux 2.6.12 and higher)</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term><option>chroot</option></term>
++ <listitem>
++ <para>the directory to chroot the user to</para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+Index: pam/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5
++++ pam/modules/pam_limits/limits.conf.5
+@@ -271,6 +271,11 @@
+ .RS 4
+ maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
+ .RE
++.PP
++\fBchroot\fR
++.RS 4
++the directory to chroot the user to
++.RE
+ .RE
+ .PP
+ All items support the values
+Index: pam/modules/pam_limits/limits.conf
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf
++++ pam/modules/pam_limits/limits.conf
+@@ -35,6 +35,7 @@
+ # - msgqueue - max memory used by POSIX message queues (bytes)
+ # - nice - max nice priority allowed to raise to values: [-20, 19]
+ # - rtprio - max realtime priority
++# - chroot - change root to directory (Debian-specific)
+ #
+ #<domain> <type> <item> <value>
+ #
+@@ -45,6 +46,7 @@
+ #@faculty soft nproc 20
+ #@faculty hard nproc 50
+ #ftp hard nproc 0
++#ftp - chroot /ftp
+ #@student - maxlogins 4
+
+ # End of file
diff --git a/debian/patches-applied/021_nis_cleanup b/debian/patches-applied/021_nis_cleanup
new file mode 100644
index 0000000..f05c710
--- /dev/null
+++ b/debian/patches-applied/021_nis_cleanup
@@ -0,0 +1,24 @@
+Patch from Philippe Troin <phil@fifi.org>
+
+Originally this included a bunch of changes to locking, but the more
+recent code pulled from Linux_pam CVS seems to fix that issue.
+
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -708,9 +708,12 @@
+ "password - (old) token not obtained");
+ return retval;
+ }
+- /* verify that this is the password for this user */
++ /* verify that this is the password for this user
++ * if we're not using NIS */
+
+- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ if (off(UNIX_NIS, ctrl)) {
++ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ }
+ } else {
+ D(("process run by root so do nothing this time around"));
+ pass_old = NULL;
diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes
new file mode 100644
index 0000000..b940aa2
--- /dev/null
+++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes
@@ -0,0 +1,22 @@
+Description: handle the case of flags being empty or only PAM_SILENT, which is
+ documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
+ http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
+
+Index: pam/modules/pam_group/pam_group.c
+===================================================================
+--- pam.orig/modules/pam_group/pam_group.c
++++ pam/modules/pam_group/pam_group.c
+@@ -761,9 +761,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user
new file mode 100644
index 0000000..99ac3f6
--- /dev/null
+++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user
@@ -0,0 +1,33 @@
+Description: distinguish between password manipulation failure and missing user.
+Author: Martin Schwenke <martin@meltin.net>
+
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -749,7 +749,7 @@
+ struct passwd *tmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ security_context_t prev_context=NULL;
+@@ -820,6 +820,7 @@
+
+ tmpent->pw_passwd = assigned_passwd.charp;
+ err = 0;
++ found = 1;
+ }
+ if (putpwent(tmpent, pwfile)) {
+ D(("error writing entry to password file: %m"));
+@@ -862,7 +863,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(PW_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
new file mode 100644
index 0000000..5ac946f
--- /dev/null
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -0,0 +1,253 @@
+Description: Allow explicit limits for root and reset limits on each session
+ When crossing session boundaries (such as when su'ing from one user to
+ another), if the target account has no limit specified in limits.conf we
+ want to use the default, not the current value configured for the
+ source account.
+ .
+ If /proc/1/limits is unavailable, fall back to a set of hard-coded values
+ that shadow the currently known defaults on Linux.
+ .
+ Also, don't apply wildcard limits to the root account; only apply limits to
+ root that reference root by name.
+Author: Peter Paluch <peterp@frcatel.fri.utc.sk>,
+ Ben Collins <bcollins@debian.org>,
+ Steve Langasek <vorlon@debian.org>,
+Bug-Debian: http://bugs.debian.org/63230
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -46,6 +46,14 @@
+ #include <libaudit.h>
+ #endif
+
++#ifndef MLOCK_LIMIT
++#ifdef __FreeBSD_kernel__
++#define MLOCK_LIMIT RLIM_INFINITY
++#else
++#define MLOCK_LIMIT (64*1024)
++#endif
++#endif
++
+ /* Module defines */
+ #define LINE_LENGTH 1024
+
+@@ -83,6 +91,7 @@
+
+ /* internal data */
+ struct pam_limit_s {
++ int root; /* running as root? */
+ int login_limit; /* the max logins limit */
+ int login_limit_def; /* which entry set the login limit */
+ int flag_numsyslogins; /* whether to limit logins only for a
+@@ -448,9 +457,18 @@
+ {
+ int i;
+ int retval = PAM_SUCCESS;
++ static int mlock_limit = 0;
+
+ D(("called."));
+
++ pl->root = 0;
++
++ if (mlock_limit == 0) {
++ mlock_limit = sysconf(_SC_PAGESIZE);
++ if (mlock_limit < MLOCK_LIMIT)
++ mlock_limit = MLOCK_LIMIT;
++ }
++
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ int r = getrlimit(i, &pl->limits[i].limit);
+ if (r == -1) {
+@@ -466,18 +484,68 @@
+ }
+
+ #ifdef __linux__
+- if (ctrl & PAM_SET_ALL) {
+- parse_kernel_limits(pamh, pl, ctrl);
++ parse_kernel_limits(pamh, pl, ctrl);
++#endif
+
+- for(i = 0; i < RLIM_NLIMITS; i++) {
++ for(i = 0; i < RLIM_NLIMITS; i++) {
+ if (pl->limits[i].supported &&
+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#ifdef __linux__
++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#endif
++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT;
++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT;
++ switch(i) {
++ case RLIMIT_CPU:
++ case RLIMIT_FSIZE:
++ case RLIMIT_DATA:
++ case RLIMIT_RSS:
++ case RLIMIT_NPROC:
++#ifdef RLIMIT_AS
++ case RLIMIT_AS:
++#endif
++#ifdef RLIMIT_LOCKS
++ case RLIMIT_LOCKS:
++#endif
++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_MEMLOCK:
++ pl->limits[i].limit.rlim_cur = mlock_limit;
++ pl->limits[i].limit.rlim_max = mlock_limit;
++ break;
++#ifdef RLIMIT_SIGPENDING
++ case RLIMIT_SIGPENDING:
++ pl->limits[i].limit.rlim_cur = 16382;
++ pl->limits[i].limit.rlim_max = 16382;
++ break;
++#endif
++#ifdef RLIMIT_MSGQUEUE
++ case RLIMIT_MSGQUEUE:
++ pl->limits[i].limit.rlim_cur = 819200;
++ pl->limits[i].limit.rlim_max = 819200;
++ break;
++#endif
++ case RLIMIT_CORE:
++ pl->limits[i].limit.rlim_cur = 0;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_STACK:
++ pl->limits[i].limit.rlim_cur = 8192*1024;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_NOFILE:
++ pl->limits[i].limit.rlim_cur = 1024;
++ pl->limits[i].limit.rlim_max = 1024;
++ break;
++ default:
++ pl->limits[i].src_soft = LIMITS_DEF_NONE;
++ pl->limits[i].src_hard = LIMITS_DEF_NONE;
++ break;
++ }
+ }
+- }
+ }
+-#endif
+
+ errno = 0;
+ pl->priority = getpriority (PRIO_PROCESS, 0);
+@@ -816,7 +884,7 @@
+
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+- else if (domain[0]=='@') {
++ else if (domain[0]=='@' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -842,7 +910,7 @@
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+ }
+- } else if (domain[0]=='%') {
++ } else if (domain[0]=='%' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -876,7 +944,7 @@
+ } else {
+ switch(rngtype) {
+ case LIMIT_RANGE_NONE:
+- if (strcmp(domain, "*") == 0)
++ if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ pl);
+ break;
+@@ -1062,6 +1130,8 @@
+ return PAM_ABORT;
+ }
+
++ if (pwd->pw_uid == 0)
++ pl->root = 1;
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
+ if (retval == PAM_IGNORE) {
+ D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
+Index: pam/modules/pam_limits/limits.conf
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf
++++ pam/modules/pam_limits/limits.conf
+@@ -11,6 +11,9 @@
+ # - the wildcard *, for default entry
+ # - the wildcard %, can be also used with %group syntax,
+ # for maxlogin limit
++# - NOTE: group and wildcard limits are not applied to root.
++# To apply a limit to the root user, <domain> must be
++# the literal username root.
+ #
+ #<type> can have the two values:
+ # - "soft" for enforcing the soft limits
+@@ -41,6 +44,7 @@
+ #
+
+ #* soft core 0
++#root hard core 100000
+ #* hard rss 10000
+ #@student hard nproc 20
+ #@faculty soft nproc 20
+Index: pam/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5.xml
++++ pam/modules/pam_limits/limits.conf.5.xml
+@@ -96,6 +96,11 @@
+ </para>
+ </listitem>
+ </itemizedlist>
++ <para>
++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
++ applied to the root user. To set a limit for the root user, this field
++ must contain the literal username <emphasis remap='B'>root</emphasis>.
++ </para>
+ </listitem>
+ </varlistentry>
+
+@@ -323,6 +328,7 @@
+ </para>
+ <programlisting>
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5
++++ pam/modules/pam_limits/limits.conf.5
+@@ -142,6 +142,10 @@
+ \fB%:\fR\fI<gid>\fR
+ applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&.
+ .RE
++.sp
++\fBNOTE:\fR
++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username
++\fBroot\fR\&.
+ .RE
+ .PP
+ \fB<type>\fR
+@@ -317,6 +321,7 @@
+ .\}
+ .nf
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam/modules/pam_limits/README
+===================================================================
+--- pam.orig/modules/pam_limits/README
++++ pam/modules/pam_limits/README
+@@ -54,6 +54,7 @@
+ limits.conf.
+
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include
new file mode 100644
index 0000000..1948f89
--- /dev/null
+++ b/debian/patches-applied/031_pam_include
@@ -0,0 +1,72 @@
+Patch to implement an @include directive for use in pam.d config files.
+
+Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
+
+Upstream status: not yet submitted
+
+Index: pam/libpam/pam_handlers.c
+===================================================================
+--- pam.orig/libpam/pam_handlers.c
++++ pam/libpam/pam_handlers.c
+@@ -122,6 +122,10 @@
+ module_type = PAM_T_ACCT;
+ } else if (!strcasecmp("password", tok)) {
+ module_type = PAM_T_PASS;
++ } else if (!strcasecmp("@include", tok)) {
++ pam_include = 1;
++ module_type = requested_module_type;
++ goto parsing_done;
+ } else {
+ /* Illegal module type */
+ D(("_pam_init_handlers: bad module type: %s", tok));
+@@ -192,8 +196,10 @@
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ }
+
++parsing_done:
+ tok = _pam_StrTok(NULL, " \n\t", &nexttok);
+ if (pam_include) {
++ struct stat include_dir;
+ if (substack) {
+ res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+ stack_level, module_type, actions, tok,
+@@ -204,13 +210,35 @@
+ return PAM_ABORT;
+ }
+ }
+- if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+- stack_level + substack
++ if (tok[0] == '/') {
++ if (_pam_load_conf_file(pamh, tok, this_service,
++ module_type, stack_level + substack
++#ifdef PAM_READ_BOTH_CONFS
++ , !other
++#endif /* PAM_READ_BOTH_CONFS */
++ ) == PAM_SUCCESS)
++ continue;
++ }
++ else if (!stat(PAM_CONFIG_D, &include_dir)
++ && S_ISDIR(include_dir.st_mode))
++ {
++ char *include_file;
++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) {
++ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
++ return PAM_ABORT;
++ }
++ if (_pam_load_conf_file(pamh, include_file, this_service,
++ module_type, stack_level + substack
+ #ifdef PAM_READ_BOTH_CONFS
+ , !other
+ #endif /* PAM_READ_BOTH_CONFS */
+- ) == PAM_SUCCESS)
+- continue;
++ ) == PAM_SUCCESS)
++ {
++ free(include_file);
++ continue;
++ }
++ free(include_file);
++ }
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ mod_path = NULL;
+ handler_type = PAM_HT_MUST_FAIL;
diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
new file mode 100644
index 0000000..d5ce695
--- /dev/null
+++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
@@ -0,0 +1,22 @@
+setrlimit will sometimes return EPERM for example if you try to increase the
+number of open files too much. This is not something we want to consider
+fatal. This also happens if you use non-root and try to decrease a limit.
+Running PAM as non-root is not so great.
+
+Authors: ?
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -1046,6 +1046,8 @@
+ if (res != 0)
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+ rlimit2str(i));
++ if (res == -1 && errno == EPERM)
++ continue;
+ status |= res;
+ }
+
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
new file mode 100644
index 0000000..ca465d9
--- /dev/null
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,145 @@
+Patch for Debian bug #163787 et al
+
+Always use the process uid, not getlogin(), to identify an applicant in
+pam_wheel; utmp may be wrong or may have no entry at all in the case of
+an xterm
+
+Authors: Ben Collins <bcollins@debian.org>
+
+Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
+
+Index: pam/modules/pam_wheel/pam_wheel.c
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.c
++++ pam/modules/pam_wheel/pam_wheel.c
+@@ -60,9 +60,8 @@
+ /* argument parsing */
+
+ #define PAM_DEBUG_ARG 0x0001
+-#define PAM_USE_UID_ARG 0x0002
+-#define PAM_TRUST_ARG 0x0004
+-#define PAM_DENY_ARG 0x0010
++#define PAM_TRUST_ARG 0x0002
++#define PAM_DENY_ARG 0x0004
+ #define PAM_ROOT_ONLY_ARG 0x0020
+
+ static int
+@@ -80,8 +79,7 @@
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+- else if (!strcmp(*argv,"use_uid"))
+- ctrl |= PAM_USE_UID_ARG;
++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
+ else if (!strcmp(*argv,"trust"))
+ ctrl |= PAM_TRUST_ARG;
+ else if (!strcmp(*argv,"deny"))
+@@ -129,27 +127,14 @@
+ }
+ }
+
+- if (ctrl & PAM_USE_UID_ARG) {
+- tpwd = pam_modutil_getpwuid (pamh, getuid());
+- if (!tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
+- fromsu = tpwd->pw_name;
+- } else {
+- fromsu = pam_modutil_getlogin(pamh);
+- if (fromsu) {
+- tpwd = pam_modutil_getpwnam (pamh, fromsu);
+- }
+- if (!fromsu || !tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
++ tpwd = pam_modutil_getpwuid (pamh, getuid());
++ if (!tpwd) {
++ if (ctrl & PAM_DEBUG_ARG) {
++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
++ return PAM_SERVICE_ERR;
+ }
++ fromsu = tpwd->pw_name;
+
+ /*
+ * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
+Index: pam/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam/modules/pam_wheel/pam_wheel.8.xml
+@@ -33,9 +33,6 @@
+ <arg choice="opt">
+ trust
+ </arg>
+- <arg choice="opt">
+- use_uid
+- </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -116,18 +113,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>
+- <option>use_uid</option>
+- </term>
+- <listitem>
+- <para>
+- The check for wheel membership will be done against
+- the current uid instead of the original one (useful when
+- jumping with su from one account to another for example).
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: pam/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8
++++ pam/modules/pam_wheel/pam_wheel.8
+@@ -31,7 +31,7 @@
+ pam_wheel \- Only permit root access to members of group wheel
+ .SH "SYNOPSIS"
+ .HP \w'\fBpam_wheel\&.so\fR\ 'u
+-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
+ .SH "DESCRIPTION"
+ .PP
+ The pam_wheel PAM module is used to enforce the so\-called
+@@ -72,11 +72,6 @@
+ .RS 4
+ The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
+ .RE
+-.PP
+-\fBuse_uid\fR
+-.RS 4
+-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&.
+-.RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+ The
+Index: pam/modules/pam_wheel/README
+===================================================================
+--- pam.orig/modules/pam_wheel/README
++++ pam/modules/pam_wheel/README
+@@ -39,12 +39,6 @@
+ modules the wheel members may be able to su to root without being prompted
+ for a passwd).
+
+-use_uid
+-
+- The check for wheel membership will be done against the current uid instead
+- of the original one (useful when jumping with su from one account to
+- another for example).
+-
+ EXAMPLES
+
+ The root account gains access by default (rootok), only wheel members can
diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure
new file mode 100644
index 0000000..616887c
--- /dev/null
+++ b/debian/patches-applied/040_pam_limits_log_failure
@@ -0,0 +1,36 @@
+Patch for Debian bug #180310
+
+Generate some (low-severity) log information whenever setrlimit() fails,
+for debugging purposes.
+
+Authors: Sam Hartman <hartmans@debian.org>
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -1043,9 +1043,19 @@
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
+ res = setrlimit(i, &pl->limits[i].limit);
+- if (res != 0)
+- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+- rlimit2str(i));
++ if (res != 0 && (i != RLIMIT_NOFILE
++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY))
++ {
++ int save_errno = errno;
++ pam_syslog(pamh, LOG_DEBUG,
++ "Could not set limit for '%s' to soft=%d, hard=%d:"
++ " %m; uid=%lu,euid=%lu", rlimit2str(i),
++ pl->limits[i].limit.rlim_cur,
++ pl->limits[i].limit.rlim_max,
++ (unsigned long) getuid(),
++ (unsigned long) geteuid());
++ errno = save_errno;
++ }
+ if (res == -1 && errno == EPERM)
+ continue;
+ status |= res;
diff --git a/debian/patches-applied/045_pam_dispatch_jump_is_ignore b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
new file mode 100644
index 0000000..e19a545
--- /dev/null
+++ b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
@@ -0,0 +1,34 @@
+
+Previously jumps were treated as PAM_IGNORE in the freezing part of
+the chain and PAM_OK (aka required) in the frozen part of the chain.
+No one on pam-list was able to explain this behavior, so I changed it
+to be consistent.
+
+Index: pam/libpam/pam_dispatch.c
+===================================================================
+--- pam.orig/libpam/pam_dispatch.c
++++ pam/libpam/pam_dispatch.c
+@@ -260,22 +260,7 @@
+ if ( _PAM_ACTION_IS_JUMP(action) ) {
+
+ /* If we are evaluating a cached chain, we treat this
+- module as required (aka _PAM_ACTION_OK) as well as
+- executing the jump. */
+-
+- if (use_cached_chain) {
+- if (impression == _PAM_UNDEF
+- || (impression == _PAM_POSITIVE
+- && status == PAM_SUCCESS) ) {
+- if ( retval != PAM_IGNORE || cached_retval == retval ) {
+- if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
+- h->grantor = 1;
+- }
+- impression = _PAM_POSITIVE;
+- status = retval;
+- }
+- }
+- }
++ module as ignored as well as executing the jump. */
+
+ /* this means that we need to skip #action stacked modules */
+ while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
diff --git a/debian/patches-applied/054_pam_security_abstract_securetty_handling b/debian/patches-applied/054_pam_security_abstract_securetty_handling
new file mode 100644
index 0000000..9622271
--- /dev/null
+++ b/debian/patches-applied/054_pam_security_abstract_securetty_handling
@@ -0,0 +1,199 @@
+Description: extract the securetty logic for use with the "nullok_secure" option
+ introduced in the "055_pam_unix_nullok_secure" patch.
+
+Index: pam/modules/pam_securetty/pam_securetty.c
+===================================================================
+--- pam.orig/modules/pam_securetty/pam_securetty.c
++++ pam/modules/pam_securetty/pam_securetty.c
+@@ -1,7 +1,5 @@
+ /* pam_securetty module */
+
+-#define SECURETTY_FILE "/etc/securetty"
+-#define TTY_PREFIX "/dev/"
+ #define CMDLINE_FILE "/proc/cmdline"
+ #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
+
+@@ -40,6 +38,9 @@
+ #include <security/pam_modutil.h>
+ #include <security/pam_ext.h>
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ #define PAM_DEBUG_ARG 0x0001
+ #define PAM_NOCONSOLE_ARG 0x0002
+
+@@ -73,11 +74,7 @@
+ const char *username;
+ const char *uttyname;
+ const void *void_uttyname;
+- char ttyfileline[256];
+- char ptname[256];
+- struct stat ttyfileinfo;
+ struct passwd *user_pwd;
+- FILE *ttyfile;
+
+ /* log a trail for debugging */
+ if (ctrl & PAM_DEBUG_ARG) {
+@@ -105,50 +102,7 @@
+ return PAM_SERVICE_ERR;
+ }
+
+- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
+- uttyname += sizeof(TTY_PREFIX)-1;
+- }
+-
+- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+- return PAM_SUCCESS; /* for compatibility with old securetty handling,
+- this needs to succeed. But we still log the
+- error. */
+- }
+-
+- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+- /* If the file is world writable or is not a
+- normal file, return error */
+- pam_syslog(pamh, LOG_ERR,
+- "%s is either world writable or not a normal file",
+- SECURETTY_FILE);
+- return PAM_AUTH_ERR;
+- }
+-
+- ttyfile = fopen(SECURETTY_FILE,"r");
+- if (ttyfile == NULL) { /* Check that we opened it successfully */
+- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+- return PAM_SERVICE_ERR;
+- }
+-
+- if (isdigit(uttyname[0])) {
+- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+- } else {
+- ptname[0] = '\0';
+- }
+-
+- retval = 1;
+-
+- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+- && retval) {
+- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+- ttyfileline[strlen(ttyfileline) - 1] = '\0';
+-
+- retval = ( strcmp(ttyfileline, uttyname)
+- && (!ptname[0] || strcmp(ptname, uttyname)) );
+- }
+- fclose(ttyfile);
++ retval = _pammodutil_tty_secure(pamh, uttyname);
+
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *cmdlinefile;
+Index: pam/modules/pam_securetty/tty_secure.c
+===================================================================
+--- /dev/null
++++ pam/modules/pam_securetty/tty_secure.c
+@@ -0,0 +1,90 @@
++/*
++ * A function to determine if a particular line is in /etc/securetty
++ */
++
++
++#define SECURETTY_FILE "/etc/securetty"
++#define TTY_PREFIX "/dev/"
++
++/* This function taken out of pam_securetty by Sam Hartman
++ * <hartmans@debian.org>*/
++/*
++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
++ * July 25, 1996.
++ * Slight modifications AGM. 1996/12/3
++ */
++
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <security/pam_modules.h>
++#include <stdarg.h>
++#include <syslog.h>
++#include <sys/syslog.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <ctype.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
++{
++ int retval = PAM_AUTH_ERR;
++ char ttyfileline[256];
++ char ptname[256];
++ struct stat ttyfileinfo;
++ FILE *ttyfile;
++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
++ uttyname += sizeof(TTY_PREFIX)-1;
++
++ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
++ SECURETTY_FILE);
++ return PAM_SUCCESS; /* for compatibility with old securetty handling,
++ this needs to succeed. But we still log the
++ error. */
++ }
++
++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
++ /* If the file is world writable or is not a
++ normal file, return error */
++ pam_syslog(pamh, LOG_ERR,
++ "%s is either world writable or not a normal file",
++ SECURETTY_FILE);
++ return PAM_AUTH_ERR;
++ }
++
++ ttyfile = fopen(SECURETTY_FILE,"r");
++ if(ttyfile == NULL) { /* Check that we opened it successfully */
++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
++ return PAM_SERVICE_ERR;
++ }
++
++ if (isdigit(uttyname[0])) {
++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
++ } else {
++ ptname[0] = '\0';
++ }
++
++ retval = 1;
++
++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
++ && retval) {
++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
++ ttyfileline[strlen(ttyfileline) - 1] = '\0';
++ retval = ( strcmp(ttyfileline,uttyname)
++ && (!ptname[0] || strcmp(ptname, uttyname)) );
++ }
++ fclose(ttyfile);
++
++ if(retval) {
++ retval = PAM_AUTH_ERR;
++ }
++
++ return retval;
++}
+Index: pam/modules/pam_securetty/Makefile.am
+===================================================================
+--- pam.orig/modules/pam_securetty/Makefile.am
++++ pam/modules/pam_securetty/Makefile.am
+@@ -24,6 +24,10 @@
+ securelib_LTLIBRARIES = pam_securetty.la
+ pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
+
++pam_securetty_la_SOURCES = \
++ pam_securetty.c \
++ tty_secure.c
++
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_securetty.8.xml
diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure
new file mode 100644
index 0000000..8a8cfdd
--- /dev/null
+++ b/debian/patches-applied/055_pam_unix_nullok_secure
@@ -0,0 +1,223 @@
+Debian patch to add a new 'nullok_secure' option to pam_unix, which
+accepts users with null passwords only when the applicant is connected
+from a tty listed in /etc/securetty.
+
+Authors: Sam Hartman <hartmans@debian.org>,
+ Steve Langasek <vorlon@debian.org>
+
+Upstream status: not yet submitted
+
+Index: pam/modules/pam_unix/support.c
+===================================================================
+--- pam.orig/modules/pam_unix/support.c
++++ pam/modules/pam_unix/support.c
+@@ -183,13 +183,22 @@
+ /* now parse the arguments to this module */
+
+ for (; argc-- > 0; ++argv) {
++ int sl;
+
+ D(("pam_unix arg: %s", *argv));
+
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+- if (unix_args[j].token
+- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
+- break;
++ if (unix_args[j].token) {
++ sl = strlen(unix_args[j].token);
++ if (unix_args[j].token[sl-1] == '=') {
++ /* exclude argument from comparison */
++ if (!strncmp(*argv, unix_args[j].token, sl))
++ break;
++ } else {
++ /* compare full strings */
++ if (!strcmp(*argv, unix_args[j].token))
++ break;
++ }
+ }
+ }
+
+@@ -558,6 +567,7 @@
+ /* fork */
+ child = fork();
+ if (child == 0) {
++ int nullok = off(UNIX__NONULL, ctrl);
+ static char *envp[] = { NULL };
+ const char *args[] = { NULL, NULL, NULL, NULL };
+
+@@ -587,7 +597,17 @@
+ /* exec binary helper */
+ args[0] = CHKPWD_HELPER;
+ args[1] = user;
+- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ const void *uttyname;
++ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval != PAM_SUCCESS || uttyname == NULL
++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ {
++ nullok = 0;
++ }
++ }
++
++ if (nullok) {
+ args[2]="nullok";
+ } else {
+ args[2]="nonull";
+@@ -672,6 +692,17 @@
+ if (on(UNIX__NONULL, ctrl))
+ return 0; /* will fail but don't let on yet */
+
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ int retval2;
++ const void *uttyname;
++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval2 != PAM_SUCCESS || uttyname == NULL)
++ return 0;
++
++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ return 0;
++ }
++
+ /* UNIX passwords area */
+
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
+@@ -758,7 +789,8 @@
+ }
+ }
+ } else {
+- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
++ retval = verify_pwd_hash(p, salt,
++ _unix_blankpasswd(pamh, ctrl, name));
+ }
+
+ if (retval == PAM_SUCCESS) {
+Index: pam/modules/pam_unix/support.h
+===================================================================
+--- pam.orig/modules/pam_unix/support.h
++++ pam/modules/pam_unix/support.h
+@@ -99,8 +99,10 @@
+ #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
+ #define UNIX_DES 30 /* DES, default */
+ #define UNIX_OBSCURE_CHECKS 31 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 32 /* NULL passwords allowed only on secure ttys */
++
+ /* -------------- */
+-#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -118,7 +120,7 @@
+ /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0},
+ /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80, 0},
+ /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100, 0},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200, 0},
+ /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
+ /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
+ /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
+@@ -141,6 +143,7 @@
+ /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0},
+ /* UNIX_DES */ {"des", _ALL_ON_^(0x2C22000), 0, 1},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x20000000, 0},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x40000000, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+@@ -174,6 +177,9 @@
+ ,const char *data_name
+ ,const void **pass);
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ extern int _unix_run_verify_binary(pam_handle_t *pamh,
+ unsigned int ctrl, const char *user, int *daysleft);
+ #endif /* _PAM_UNIX_SUPPORT_H */
+Index: pam/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.orig/modules/pam_unix/Makefile.am
++++ pam/modules/pam_unix/Makefile.am
+@@ -30,7 +30,8 @@
+ pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
+- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
++ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
++ ../pam_securetty/tty_secure.lo
+
+ securelib_LTLIBRARIES = pam_unix.la
+
+Index: pam/modules/pam_unix/README
+===================================================================
+--- pam.orig/modules/pam_unix/README
++++ pam/modules/pam_unix/README
+@@ -67,7 +67,16 @@
+
+ The default action of this module is to not permit the user access to a
+ service if their official password is blank. The nullok argument overrides
+- this default.
++ this default and allows any user with a blank password to access the
++ service.
++
++nullok_secure
++
++ The default action of this module is to not permit the user access to a
++ service if their official password is blank. The nullok_secure argument
++ overrides this default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of the values
++ found in /etc/securetty.
+
+ try_first_pass
+
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
+@@ -92,7 +92,14 @@
+ .RS 4
+ The default action of this module is to not permit the user access to a service if their official password is blank\&. The
+ \fBnullok\fR
+-argument overrides this default\&.
++argument overrides this default and allows any user with a blank password to access the service\&.
++.RE
++.PP
++\fBnullok_secure\fR
++.RS 4
++The default action of this module is to not permit the user access to a service if their official password is blank\&. The
++\fBnullok_secure\fR
++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&.
+ .RE
+ .PP
+ \fBtry_first_pass\fR
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
+@@ -159,7 +159,24 @@
+ <para>
+ The default action of this module is to not permit the
+ user access to a service if their official password is blank.
+- The <option>nullok</option> argument overrides this default.
++ The <option>nullok</option> argument overrides this default
++ and allows any user with a blank password to access the
++ service.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>nullok_secure</option>
++ </term>
++ <listitem>
++ <para>
++ The default action of this module is to not permit the
++ user access to a service if their official password is blank.
++ The <option>nullok_secure</option> argument overrides this
++ default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of
++ the values found in /etc/securetty.
+ </para>
+ </listitem>
+ </varlistentry>
diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section
new file mode 100644
index 0000000..4a36752
--- /dev/null
+++ b/debian/patches-applied/PAM-manpage-section
@@ -0,0 +1,1802 @@
+Patch to put the PAM manpage in section 7 (general topics) instead of 8
+(system administration commands)
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: maybe provide a backwards-compatibility link first?
+
+Index: pam/doc/man/pam.8.xml
+===================================================================
+--- pam.orig/doc/man/pam.8.xml
++++ pam/doc/man/pam.8.xml
+@@ -6,7 +6,7 @@
+
+ <refmeta>
+ <refentrytitle>pam</refentrytitle>
+- <manvolnum>8</manvolnum>
++ <manvolnum>7</manvolnum>
+ <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+@@ -196,7 +196,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>PAM</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/PAM.8
+===================================================================
+--- pam.orig/doc/man/PAM.8
++++ pam/doc/man/PAM.8
+@@ -7,7 +7,7 @@
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM" "8" "05/18/2018" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM" "7" "05/18/2018" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -135,4 +135,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_sm_setcred\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBPAM\fR(8)
++\fBPAM\fR(7)
+Index: pam/modules/pam_access/access.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_access/access.conf.5.xml
++++ pam/modules/pam_access/access.conf.5.xml
+@@ -227,7 +227,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_access/access.conf.5
+===================================================================
+--- pam.orig/modules/pam_access/access.conf.5
++++ pam/modules/pam_access/access.conf.5
+@@ -204,7 +204,7 @@
+ .PP
+ \fBpam_access\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ Original
+Index: pam/modules/pam_env/pam_env.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.conf.5.xml
++++ pam/modules/pam_env/pam_env.conf.5.xml
+@@ -122,7 +122,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_env/pam_env.conf.5
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.conf.5
++++ pam/modules/pam_env/pam_env.conf.5
+@@ -125,7 +125,7 @@
+ .PP
+ \fBpam_env\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBenviron\fR(7)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_group/group.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_group/group.conf.5.xml
++++ pam/modules/pam_group/group.conf.5.xml
+@@ -128,7 +128,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_group/group.conf.5
+===================================================================
+--- pam.orig/modules/pam_group/group.conf.5
++++ pam/modules/pam_group/group.conf.5
+@@ -113,7 +113,7 @@
+ .PP
+ \fBpam_group\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5.xml
++++ pam/modules/pam_limits/limits.conf.5.xml
+@@ -346,7 +346,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
+ </para>
+Index: pam/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5
++++ pam/modules/pam_limits/limits.conf.5
+@@ -340,7 +340,7 @@
+ .PP
+ \fBpam_limits\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBgetrlimit\fR(2),
+ \fBgetrlimit\fR(3p)
+ .SH "AUTHOR"
+Index: pam/modules/pam_namespace/namespace.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_namespace/namespace.conf.5.xml
++++ pam/modules/pam_namespace/namespace.conf.5.xml
+@@ -204,7 +204,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_namespace/namespace.conf.5
+===================================================================
+--- pam.orig/modules/pam_namespace/namespace.conf.5
++++ pam/modules/pam_namespace/namespace.conf.5
+@@ -155,7 +155,7 @@
+ .PP
+ \fBpam_namespace\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam/modules/pam_time/time.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_time/time.conf.5.xml
++++ pam/modules/pam_time/time.conf.5.xml
+@@ -130,7 +130,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_time/time.conf.5
+===================================================================
+--- pam.orig/modules/pam_time/time.conf.5
++++ pam/modules/pam_time/time.conf.5
+@@ -107,7 +107,7 @@
+ .PP
+ \fBpam_time\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_access/pam_access.8.xml
+===================================================================
+--- pam.orig/modules/pam_access/pam_access.8.xml
++++ pam/modules/pam_access/pam_access.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_access/pam_access.8
+===================================================================
+--- pam.orig/modules/pam_access/pam_access.8
++++ pam/modules/pam_access/pam_access.8
+@@ -133,7 +133,7 @@
+ .PP
+ \fBaccess.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&.
+Index: pam/modules/pam_cracklib/pam_cracklib.8.xml
+===================================================================
+--- pam.orig/modules/pam_cracklib/pam_cracklib.8.xml
++++ pam/modules/pam_cracklib/pam_cracklib.8.xml
+@@ -577,7 +577,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_cracklib/pam_cracklib.8
+===================================================================
+--- pam.orig/modules/pam_cracklib/pam_cracklib.8
++++ pam/modules/pam_cracklib/pam_cracklib.8
+@@ -357,7 +357,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_cracklib was written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam/modules/pam_debug/pam_debug.8.xml
+===================================================================
+--- pam.orig/modules/pam_debug/pam_debug.8.xml
++++ pam/modules/pam_debug/pam_debug.8.xml
+@@ -216,7 +216,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_debug/pam_debug.8
+===================================================================
+--- pam.orig/modules/pam_debug/pam_debug.8
++++ pam/modules/pam_debug/pam_debug.8
+@@ -138,7 +138,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_deny/pam_deny.8.xml
+===================================================================
+--- pam.orig/modules/pam_deny/pam_deny.8.xml
++++ pam/modules/pam_deny/pam_deny.8.xml
+@@ -120,7 +120,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_deny/pam_deny.8
+===================================================================
+--- pam.orig/modules/pam_deny/pam_deny.8
++++ pam/modules/pam_deny/pam_deny.8
+@@ -96,7 +96,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org>
+Index: pam/modules/pam_echo/pam_echo.8.xml
+===================================================================
+--- pam.orig/modules/pam_echo/pam_echo.8.xml
++++ pam/modules/pam_echo/pam_echo.8.xml
+@@ -159,7 +159,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry></para>
+ </refsect1>
+
+Index: pam/modules/pam_echo/pam_echo.8
+===================================================================
+--- pam.orig/modules/pam_echo/pam_echo.8
++++ pam/modules/pam_echo/pam_echo.8
+@@ -126,7 +126,7 @@
+ .PP
+ \fBpam.conf\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.8.xml
++++ pam/modules/pam_env/pam_env.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum>
+Index: pam/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8.xml
++++ pam/modules/pam_exec/pam_exec.8.xml
+@@ -258,7 +258,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8
++++ pam/modules/pam_exec/pam_exec.8
+@@ -162,7 +162,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&.
+Index: pam/modules/pam_faildelay/pam_faildelay.8.xml
+===================================================================
+--- pam.orig/modules/pam_faildelay/pam_faildelay.8.xml
++++ pam/modules/pam_faildelay/pam_faildelay.8.xml
+@@ -121,7 +121,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_faildelay/pam_faildelay.8
+===================================================================
+--- pam.orig/modules/pam_faildelay/pam_faildelay.8
++++ pam/modules/pam_faildelay/pam_faildelay.8
+@@ -87,7 +87,7 @@
+ \fBpam_fail_delay\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&.
+Index: pam/modules/pam_filter/pam_filter.8.xml
+===================================================================
+--- pam.orig/modules/pam_filter/pam_filter.8.xml
++++ pam/modules/pam_filter/pam_filter.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_filter/pam_filter.8
+===================================================================
+--- pam.orig/modules/pam_filter/pam_filter.8
++++ pam/modules/pam_filter/pam_filter.8
+@@ -166,7 +166,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_ftp/pam_ftp.8.xml
+===================================================================
+--- pam.orig/modules/pam_ftp/pam_ftp.8.xml
++++ pam/modules/pam_ftp/pam_ftp.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_ftp/pam_ftp.8
+===================================================================
+--- pam.orig/modules/pam_ftp/pam_ftp.8
++++ pam/modules/pam_ftp/pam_ftp.8
+@@ -119,7 +119,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_group/pam_group.8.xml
+===================================================================
+--- pam.orig/modules/pam_group/pam_group.8.xml
++++ pam/modules/pam_group/pam_group.8.xml
+@@ -148,7 +148,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_group/pam_group.8
+===================================================================
+--- pam.orig/modules/pam_group/pam_group.8
++++ pam/modules/pam_group/pam_group.8
+@@ -103,7 +103,7 @@
+ .PP
+ \fBgroup.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_issue/pam_issue.8.xml
+===================================================================
+--- pam.orig/modules/pam_issue/pam_issue.8.xml
++++ pam/modules/pam_issue/pam_issue.8.xml
+@@ -219,7 +219,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_issue/pam_issue.8
+===================================================================
+--- pam.orig/modules/pam_issue/pam_issue.8
++++ pam/modules/pam_issue/pam_issue.8
+@@ -152,7 +152,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_issue was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam/modules/pam_keyinit/pam_keyinit.8.xml
+===================================================================
+--- pam.orig/modules/pam_keyinit/pam_keyinit.8.xml
++++ pam/modules/pam_keyinit/pam_keyinit.8.xml
+@@ -223,7 +223,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
+Index: pam/modules/pam_keyinit/pam_keyinit.8
+===================================================================
+--- pam.orig/modules/pam_keyinit/pam_keyinit.8
++++ pam/modules/pam_keyinit/pam_keyinit.8
+@@ -130,7 +130,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBkeyctl\fR(1)
++\fBpam\fR(7)\fBkeyctl\fR(1)
+ .SH "AUTHOR"
+ .PP
+ pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
+Index: pam/modules/pam_lastlog/pam_lastlog.8.xml
+===================================================================
+--- pam.orig/modules/pam_lastlog/pam_lastlog.8.xml
++++ pam/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -298,7 +298,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_lastlog/pam_lastlog.8
+===================================================================
+--- pam.orig/modules/pam_lastlog/pam_lastlog.8
++++ pam/modules/pam_lastlog/pam_lastlog.8
+@@ -173,7 +173,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_limits/pam_limits.8.xml
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.8.xml
++++ pam/modules/pam_limits/pam_limits.8.xml
+@@ -241,7 +241,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_limits/pam_limits.8
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.8
++++ pam/modules/pam_limits/pam_limits.8
+@@ -146,7 +146,7 @@
+ .PP
+ \fBlimits.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam/modules/pam_listfile/pam_listfile.8.xml
+===================================================================
+--- pam.orig/modules/pam_listfile/pam_listfile.8.xml
++++ pam/modules/pam_listfile/pam_listfile.8.xml
+@@ -281,7 +281,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_listfile/pam_listfile.8
+===================================================================
+--- pam.orig/modules/pam_listfile/pam_listfile.8
++++ pam/modules/pam_listfile/pam_listfile.8
+@@ -205,7 +205,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam/modules/pam_localuser/pam_localuser.8.xml
+===================================================================
+--- pam.orig/modules/pam_localuser/pam_localuser.8.xml
++++ pam/modules/pam_localuser/pam_localuser.8.xml
+@@ -158,7 +158,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_localuser/pam_localuser.8
+===================================================================
+--- pam.orig/modules/pam_localuser/pam_localuser.8
++++ pam/modules/pam_localuser/pam_localuser.8
+@@ -102,7 +102,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&.
+Index: pam/modules/pam_loginuid/pam_loginuid.8.xml
+===================================================================
+--- pam.orig/modules/pam_loginuid/pam_loginuid.8.xml
++++ pam/modules/pam_loginuid/pam_loginuid.8.xml
+@@ -121,7 +121,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
+Index: pam/modules/pam_loginuid/pam_loginuid.8
+===================================================================
+--- pam.orig/modules/pam_loginuid/pam_loginuid.8
++++ pam/modules/pam_loginuid/pam_loginuid.8
+@@ -85,7 +85,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBauditctl\fR(8),
+ \fBauditd\fR(8)
+ .SH "AUTHOR"
+Index: pam/modules/pam_mail/pam_mail.8.xml
+===================================================================
+--- pam.orig/modules/pam_mail/pam_mail.8.xml
++++ pam/modules/pam_mail/pam_mail.8.xml
+@@ -265,7 +265,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_mail/pam_mail.8
+===================================================================
+--- pam.orig/modules/pam_mail/pam_mail.8
++++ pam/modules/pam_mail/pam_mail.8
+@@ -153,7 +153,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml
++++ pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+@@ -189,7 +189,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8
++++ pam/modules/pam_mkhomedir/pam_mkhomedir.8
+@@ -123,7 +123,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&.
+Index: pam/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8.xml
++++ pam/modules/pam_motd/pam_motd.8.xml
+@@ -129,7 +129,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8
++++ pam/modules/pam_motd/pam_motd.8
+@@ -122,7 +122,7 @@
+ \fBmotd\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_motd was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam/modules/pam_namespace/pam_namespace.8.xml
+===================================================================
+--- pam.orig/modules/pam_namespace/pam_namespace.8.xml
++++ pam/modules/pam_namespace/pam_namespace.8.xml
+@@ -399,7 +399,7 @@
+ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_namespace/pam_namespace.8
+===================================================================
+--- pam.orig/modules/pam_namespace/pam_namespace.8
++++ pam/modules/pam_namespace/pam_namespace.8
+@@ -178,7 +178,7 @@
+ \fBnamespace.conf\fR(5),
+ \fBpam.d\fR(5),
+ \fBmount\fR(8),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam/modules/pam_nologin/pam_nologin.8.xml
+===================================================================
+--- pam.orig/modules/pam_nologin/pam_nologin.8.xml
++++ pam/modules/pam_nologin/pam_nologin.8.xml
+@@ -160,7 +160,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_nologin/pam_nologin.8
+===================================================================
+--- pam.orig/modules/pam_nologin/pam_nologin.8
++++ pam/modules/pam_nologin/pam_nologin.8
+@@ -124,7 +124,7 @@
+ \fBnologin\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam/modules/pam_permit/pam_permit.8.xml
+===================================================================
+--- pam.orig/modules/pam_permit/pam_permit.8.xml
++++ pam/modules/pam_permit/pam_permit.8.xml
+@@ -91,7 +91,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_permit/pam_permit.8
+===================================================================
+--- pam.orig/modules/pam_permit/pam_permit.8
++++ pam/modules/pam_permit/pam_permit.8
+@@ -78,7 +78,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_rhosts/pam_rhosts.8.xml
+===================================================================
+--- pam.orig/modules/pam_rhosts/pam_rhosts.8.xml
++++ pam/modules/pam_rhosts/pam_rhosts.8.xml
+@@ -156,7 +156,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_rhosts/pam_rhosts.8
+===================================================================
+--- pam.orig/modules/pam_rhosts/pam_rhosts.8
++++ pam/modules/pam_rhosts/pam_rhosts.8
+@@ -122,7 +122,7 @@
+ \fBrhosts\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam/modules/pam_rootok/pam_rootok.8.xml
+===================================================================
+--- pam.orig/modules/pam_rootok/pam_rootok.8.xml
++++ pam/modules/pam_rootok/pam_rootok.8.xml
+@@ -116,7 +116,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_rootok/pam_rootok.8
+===================================================================
+--- pam.orig/modules/pam_rootok/pam_rootok.8
++++ pam/modules/pam_rootok/pam_rootok.8
+@@ -99,7 +99,7 @@
+ \fBsu\fR(1),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+--- pam.orig/modules/pam_securetty/pam_securetty.8.xml
++++ pam/modules/pam_securetty/pam_securetty.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_securetty/pam_securetty.8
+===================================================================
+--- pam.orig/modules/pam_securetty/pam_securetty.8
++++ pam/modules/pam_securetty/pam_securetty.8
+@@ -119,7 +119,7 @@
+ \fBsecuretty\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam/modules/pam_selinux/pam_selinux.8.xml
+===================================================================
+--- pam.orig/modules/pam_selinux/pam_selinux.8.xml
++++ pam/modules/pam_selinux/pam_selinux.8.xml
+@@ -258,7 +258,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam/modules/pam_selinux/pam_selinux.8
+===================================================================
+--- pam.orig/modules/pam_selinux/pam_selinux.8
++++ pam/modules/pam_selinux/pam_selinux.8
+@@ -7,7 +7,7 @@
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SELINUX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_SELINUX" "7" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -144,7 +144,7 @@
+ \fBexecve\fR(2),
+ \fBtty\fR(4),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_sepermit/pam_sepermit.8.xml
+===================================================================
+--- pam.orig/modules/pam_sepermit/pam_sepermit.8.xml
++++ pam/modules/pam_sepermit/pam_sepermit.8.xml
+@@ -176,7 +176,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam/modules/pam_sepermit/pam_sepermit.8
+===================================================================
+--- pam.orig/modules/pam_sepermit/pam_sepermit.8
++++ pam/modules/pam_sepermit/pam_sepermit.8
+@@ -124,7 +124,7 @@
+ \fBsepermit.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBselinux\fR(8)
++\fBpam\fR(7)\fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+ pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam/modules/pam_shells/pam_shells.8.xml
+===================================================================
+--- pam.orig/modules/pam_shells/pam_shells.8.xml
++++ pam/modules/pam_shells/pam_shells.8.xml
+@@ -102,7 +102,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_shells/pam_shells.8
+===================================================================
+--- pam.orig/modules/pam_shells/pam_shells.8
++++ pam/modules/pam_shells/pam_shells.8
+@@ -85,7 +85,7 @@
+ \fBshells\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_shells was written by Erik Troan <ewt@redhat\&.com>\&.
+Index: pam/modules/pam_succeed_if/pam_succeed_if.8.xml
+===================================================================
+--- pam.orig/modules/pam_succeed_if/pam_succeed_if.8.xml
++++ pam/modules/pam_succeed_if/pam_succeed_if.8.xml
+@@ -295,7 +295,7 @@
+ <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_succeed_if/pam_succeed_if.8
+===================================================================
+--- pam.orig/modules/pam_succeed_if/pam_succeed_if.8
++++ pam/modules/pam_succeed_if/pam_succeed_if.8
+@@ -220,7 +220,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBglob\fR(7),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Nalin Dahyabhai <nalin@redhat\&.com>
+Index: pam/modules/pam_tally/pam_tally.8.xml
+===================================================================
+--- pam.orig/modules/pam_tally/pam_tally.8.xml
++++ pam/modules/pam_tally/pam_tally.8.xml
+@@ -444,7 +444,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_tally/pam_tally.8
+===================================================================
+--- pam.orig/modules/pam_tally/pam_tally.8
++++ pam/modules/pam_tally/pam_tally.8
+@@ -248,7 +248,7 @@
+ \fBfaillog\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tally was written by Tim Baverstock and Tomas Mraz\&.
+Index: pam/modules/pam_time/pam_time.8.xml
+===================================================================
+--- pam.orig/modules/pam_time/pam_time.8.xml
++++ pam/modules/pam_time/pam_time.8.xml
+@@ -169,7 +169,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_time/pam_time.8
+===================================================================
+--- pam.orig/modules/pam_time/pam_time.8
++++ pam/modules/pam_time/pam_time.8
+@@ -109,7 +109,7 @@
+ .PP
+ \fBtime.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- pam.orig/modules/pam_umask/pam_umask.8.xml
++++ pam/modules/pam_umask/pam_umask.8.xml
+@@ -201,7 +201,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_umask/pam_umask.8
+===================================================================
+--- pam.orig/modules/pam_umask/pam_umask.8
++++ pam/modules/pam_umask/pam_umask.8
+@@ -150,7 +150,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&.
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
+@@ -537,7 +537,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
+@@ -294,7 +294,7 @@
+ \fBlogin.defs\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_unix was written by various people\&.
+Index: pam/doc/man/misc_conv.3.xml
+===================================================================
+--- pam.orig/doc/man/misc_conv.3.xml
++++ pam/doc/man/misc_conv.3.xml
+@@ -171,7 +171,7 @@
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/misc_conv.3
+===================================================================
+--- pam.orig/doc/man/misc_conv.3
++++ pam/doc/man/misc_conv.3
+@@ -117,7 +117,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_conv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_acct_mgmt.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_acct_mgmt.3.xml
++++ pam/doc/man/pam_acct_mgmt.3.xml
+@@ -138,7 +138,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_acct_mgmt.3
+===================================================================
+--- pam.orig/doc/man/pam_acct_mgmt.3
++++ pam/doc/man/pam_acct_mgmt.3
+@@ -97,4 +97,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_authenticate.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_authenticate.3.xml
++++ pam/doc/man/pam_authenticate.3.xml
+@@ -162,7 +162,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_authenticate.3
+===================================================================
+--- pam.orig/doc/man/pam_authenticate.3
++++ pam/doc/man/pam_authenticate.3
+@@ -107,4 +107,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_chauthtok.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_chauthtok.3.xml
++++ pam/doc/man/pam_chauthtok.3.xml
+@@ -157,7 +157,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_chauthtok.3
+===================================================================
+--- pam.orig/doc/man/pam_chauthtok.3
++++ pam/doc/man/pam_chauthtok.3
+@@ -106,4 +106,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_conv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_conv.3.xml
++++ pam/doc/man/pam_conv.3.xml
+@@ -221,7 +221,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_conv.3
+===================================================================
+--- pam.orig/doc/man/pam_conv.3
++++ pam/doc/man/pam_conv.3
+@@ -174,4 +174,4 @@
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_error.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_error.3.xml
++++ pam/doc/man/pam_error.3.xml
+@@ -105,7 +105,7 @@
+ <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_error.3
+===================================================================
+--- pam.orig/doc/man/pam_error.3
++++ pam/doc/man/pam_error.3
+@@ -80,7 +80,7 @@
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+ \fBpam_vprompt\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_getenv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_getenv.3.xml
++++ pam/doc/man/pam_getenv.3.xml
+@@ -60,7 +60,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_getenv.3
+===================================================================
+--- pam.orig/doc/man/pam_getenv.3
++++ pam/doc/man/pam_getenv.3
+@@ -57,4 +57,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_getenvlist.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_getenvlist.3.xml
++++ pam/doc/man/pam_getenvlist.3.xml
+@@ -78,7 +78,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_getenvlist.3
+===================================================================
+--- pam.orig/doc/man/pam_getenvlist.3
++++ pam/doc/man/pam_getenvlist.3
+@@ -63,4 +63,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_info.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_info.3.xml
++++ pam/doc/man/pam_info.3.xml
+@@ -93,7 +93,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_info.3
+===================================================================
+--- pam.orig/doc/man/pam_info.3
++++ pam/doc/man/pam_info.3
+@@ -76,7 +76,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_misc_drop_env.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_misc_drop_env.3.xml
++++ pam/doc/man/pam_misc_drop_env.3.xml
+@@ -46,7 +46,7 @@
+ <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_misc_drop_env.3
+===================================================================
+--- pam.orig/doc/man/pam_misc_drop_env.3
++++ pam/doc/man/pam_misc_drop_env.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_getenvlist\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_misc_paste_env.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_misc_paste_env.3.xml
++++ pam/doc/man/pam_misc_paste_env.3.xml
+@@ -44,7 +44,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_misc_paste_env.3
+===================================================================
+--- pam.orig/doc/man/pam_misc_paste_env.3
++++ pam/doc/man/pam_misc_paste_env.3
+@@ -47,7 +47,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_misc_setenv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_misc_setenv.3.xml
++++ pam/doc/man/pam_misc_setenv.3.xml
+@@ -51,7 +51,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_misc_setenv.3
+===================================================================
+--- pam.orig/doc/man/pam_misc_setenv.3
++++ pam/doc/man/pam_misc_setenv.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_prompt.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_prompt.3.xml
++++ pam/doc/man/pam_prompt.3.xml
+@@ -95,7 +95,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+Index: pam/doc/man/pam_prompt.3
+===================================================================
+--- pam.orig/doc/man/pam_prompt.3
++++ pam/doc/man/pam_prompt.3
+@@ -70,7 +70,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBpam_conv\fR(3)
+ .SH "STANDARDS"
+ .PP
+Index: pam/doc/man/pam_putenv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_putenv.3.xml
++++ pam/doc/man/pam_putenv.3.xml
+@@ -145,7 +145,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_putenv.3
+===================================================================
+--- pam.orig/doc/man/pam_putenv.3
++++ pam/doc/man/pam_putenv.3
+@@ -108,4 +108,4 @@
+ \fBpam_getenv\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_strerror.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_strerror.3.xml
++++ pam/doc/man/pam_strerror.3.xml
+@@ -51,7 +51,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_strerror.3
+===================================================================
+--- pam.orig/doc/man/pam_strerror.3
++++ pam/doc/man/pam_strerror.3
+@@ -49,4 +49,4 @@
+ This function returns always a pointer to a string\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_syslog.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_syslog.3.xml
++++ pam/doc/man/pam_syslog.3.xml
+@@ -66,7 +66,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_syslog.3
+===================================================================
+--- pam.orig/doc/man/pam_syslog.3
++++ pam/doc/man/pam_syslog.3
+@@ -67,7 +67,7 @@
+ variable argument list macros\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/modules/pam_userdb/pam_userdb.8.xml
+===================================================================
+--- pam.orig/modules/pam_userdb/pam_userdb.8.xml
++++ pam/modules/pam_userdb/pam_userdb.8.xml
+@@ -278,7 +278,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_userdb/pam_userdb.8
+===================================================================
+--- pam.orig/modules/pam_userdb/pam_userdb.8
++++ pam/modules/pam_userdb/pam_userdb.8
+@@ -152,7 +152,7 @@
+ \fBcrypt\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&.
+Index: pam/modules/pam_warn/pam_warn.8.xml
+===================================================================
+--- pam.orig/modules/pam_warn/pam_warn.8.xml
++++ pam/modules/pam_warn/pam_warn.8.xml
+@@ -90,7 +90,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_warn/pam_warn.8
+===================================================================
+--- pam.orig/modules/pam_warn/pam_warn.8
++++ pam/modules/pam_warn/pam_warn.8
+@@ -83,7 +83,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam/modules/pam_wheel/pam_wheel.8.xml
+@@ -213,7 +213,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8
++++ pam/modules/pam_wheel/pam_wheel.8
+@@ -136,7 +136,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
+Index: pam/modules/pam_xauth/pam_xauth.8.xml
+===================================================================
+--- pam.orig/modules/pam_xauth/pam_xauth.8.xml
++++ pam/modules/pam_xauth/pam_xauth.8.xml
+@@ -276,7 +276,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_xauth/pam_xauth.8
+===================================================================
+--- pam.orig/modules/pam_xauth/pam_xauth.8
++++ pam/modules/pam_xauth/pam_xauth.8
+@@ -177,7 +177,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam/modules/pam_env/pam_env.8
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.8
++++ pam/modules/pam_env/pam_env.8
+@@ -7,7 +7,7 @@
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ENV" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ENV" "7" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+Index: pam/modules/pam_pwhistory/pam_pwhistory.8.xml
+===================================================================
+--- pam.orig/modules/pam_pwhistory/pam_pwhistory.8.xml
++++ pam/modules/pam_pwhistory/pam_pwhistory.8.xml
+@@ -229,7 +229,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum>
+Index: pam/modules/pam_pwhistory/pam_pwhistory.8
+===================================================================
+--- pam.orig/modules/pam_pwhistory/pam_pwhistory.8
++++ pam/modules/pam_pwhistory/pam_pwhistory.8
+@@ -156,7 +156,8 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\fBpam_get_authtok\fR(3)
++\fBpam\fR(7)
++\fBpam_get_authtok\fR(3)
+ .SH "AUTHOR"
+ .PP
+ pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam/modules/pam_sepermit/sepermit.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_sepermit/sepermit.conf.5.xml
++++ pam/modules/pam_sepermit/sepermit.conf.5.xml
+@@ -96,7 +96,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ </para>
+ </refsect1>
+Index: pam/modules/pam_sepermit/sepermit.conf.5
+===================================================================
+--- pam.orig/modules/pam_sepermit/sepermit.conf.5
++++ pam/modules/pam_sepermit/sepermit.conf.5
+@@ -110,7 +110,7 @@
+ .PP
+ \fBpam_sepermit\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBselinux\fR(8),
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_tally2/pam_tally2.8.xml
+===================================================================
+--- pam.orig/modules/pam_tally2/pam_tally2.8.xml
++++ pam/modules/pam_tally2/pam_tally2.8.xml
+@@ -435,7 +435,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_tally2/pam_tally2.8
+===================================================================
+--- pam.orig/modules/pam_tally2/pam_tally2.8
++++ pam/modules/pam_tally2/pam_tally2.8
+@@ -236,7 +236,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tally2 was written by Tim Baverstock and Tomas Mraz\&.
+Index: pam/modules/pam_timestamp/pam_timestamp.8.xml
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp.8.xml
++++ pam/modules/pam_timestamp/pam_timestamp.8.xml
+@@ -188,7 +188,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_timestamp/pam_timestamp.8
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp.8
++++ pam/modules/pam_timestamp/pam_timestamp.8
+@@ -124,7 +124,7 @@
+ \fBpam_timestamp_check\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_timestamp was written by Nalin Dahyabhai\&.
+Index: pam/modules/pam_timestamp/pam_timestamp_check.8.xml
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp_check.8.xml
++++ pam/modules/pam_timestamp/pam_timestamp_check.8.xml
+@@ -192,7 +192,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_timestamp/pam_timestamp_check.8
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp_check.8
++++ pam/modules/pam_timestamp/pam_timestamp_check.8
+@@ -127,7 +127,7 @@
+ \fBpam_timestamp_check\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tally was written by Nalin Dahyabhai\&.
+Index: pam/modules/pam_tty_audit/pam_tty_audit.8.xml
+===================================================================
+--- pam.orig/modules/pam_tty_audit/pam_tty_audit.8.xml
++++ pam/modules/pam_tty_audit/pam_tty_audit.8.xml
+@@ -174,7 +174,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_tty_audit/pam_tty_audit.8
+===================================================================
+--- pam.orig/modules/pam_tty_audit/pam_tty_audit.8
++++ pam/modules/pam_tty_audit/pam_tty_audit.8
+@@ -125,7 +125,7 @@
+ \fBaureport\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&.
+Index: pam/doc/man/pam_get_authtok.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_get_authtok.3.xml
++++ pam/doc/man/pam_get_authtok.3.xml
+@@ -232,7 +232,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_get_authtok.3
+===================================================================
+--- pam.orig/doc/man/pam_get_authtok.3
++++ pam/doc/man/pam_get_authtok.3
+@@ -161,7 +161,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
diff --git a/debian/patches-applied/cve-2010-4708.patch b/debian/patches-applied/cve-2010-4708.patch
new file mode 100644
index 0000000..0ab2a8e
--- /dev/null
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -0,0 +1,53 @@
+Description: fix cve-2010-4708: .pam_environment privilege issue
+Index: pam/modules/pam_env/pam_env.c
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.c
++++ pam/modules/pam_env/pam_env.c
+@@ -10,7 +10,7 @@
+ #define DEFAULT_READ_ENVFILE 1
+
+ #define DEFAULT_USER_ENVFILE ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 1
++#define DEFAULT_USER_READ_ENVFILE 0
+
+ #include "config.h"
+
+Index: pam/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.8.xml
++++ pam/modules/pam_env/pam_env.8.xml
+@@ -158,7 +158,7 @@
+ <listitem>
+ <para>
+ Turns on or off the reading of the user specific environment
+- file. 0 is off, 1 is on. By default this option is on.
++ file. 0 is off, 1 is on. By default this option is off.
+ </para>
+ </listitem>
+ </varlistentry>
+Index: pam/modules/pam_env/pam_env.8
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.8
++++ pam/modules/pam_env/pam_env.8
+@@ -101,7 +101,7 @@
+ .PP
+ \fBuser_readenv=\fR\fB\fI0|1\fR\fR
+ .RS 4
+-Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is on\&.
++Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is off\&.
+ .RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+Index: pam/modules/pam_env/README
+===================================================================
+--- pam.orig/modules/pam_env/README
++++ pam/modules/pam_env/README
+@@ -57,7 +57,7 @@
+ user_readenv=0|1
+
+ Turns on or off the reading of the user specific environment file. 0 is
+- off, 1 is on. By default this option is on.
++ off, 1 is on. By default this option is off.
+
+ EXAMPLES
+
diff --git a/debian/patches-applied/do_not_check_nis_accidentally b/debian/patches-applied/do_not_check_nis_accidentally
new file mode 100644
index 0000000..29ce609
--- /dev/null
+++ b/debian/patches-applied/do_not_check_nis_accidentally
@@ -0,0 +1,22 @@
+Patch for Debian bug #469635
+
+Always call _unix_getpwnam() consistent with the value of the 'nis'
+option, so that we only grab from the backends we're expecting.
+
+Authors: Quentin Godfroy <godfroy@clipper.ens.fr>
+
+Upstream status: should be submitted
+
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -669,7 +669,7 @@
+ return PAM_USER_UNKNOWN;
+ } else {
+ struct passwd *pwd;
+- _unix_getpwnam(pamh, user, 1, 1, &pwd);
++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "user \"%s\" has corrupted passwd entry",
diff --git a/debian/patches-applied/fix-autoreconf.patch b/debian/patches-applied/fix-autoreconf.patch
new file mode 100644
index 0000000..037f7ff
--- /dev/null
+++ b/debian/patches-applied/fix-autoreconf.patch
@@ -0,0 +1,27 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Thu, 8 Nov 2018 19:09:21 +0100
+Subject: fix-autoreconf.patch
+
+Do not override user variables in Makefile.am, see the
+"Flag Variables Ordering" section of the automake manual.
+---
+ doc/specs/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
+index 99ecc70..b94e5ef 100644
+--- a/doc/specs/Makefile.am
++++ b/doc/specs/Makefile.am
+@@ -12,9 +12,9 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
+ AM_YFLAGS = -d
+
+ CC = @CC_FOR_BUILD@
+-CPPFLAGS = @BUILD_CPPFLAGS@
+-CFLAGS = @BUILD_CFLAGS@
+-LDFLAGS = @BUILD_LDFLAGS@
++AM_CPPFLAGS = @BUILD_CPPFLAGS@
++AM_CFLAGS = @BUILD_CFLAGS@
++AM_LDFLAGS = @BUILD_LDFLAGS@
+
+ BUILT_SOURCES = parse_y.h
+
diff --git a/debian/patches-applied/hurd_no_setfsuid b/debian/patches-applied/hurd_no_setfsuid
new file mode 100644
index 0000000..00610a8
--- /dev/null
+++ b/debian/patches-applied/hurd_no_setfsuid
@@ -0,0 +1,77 @@
+On systems without setfsuid(), use setreuid() instead.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv
+ are implemented
+
+Index: pam/libpam/pam_modutil_priv.c
+===================================================================
+--- pam.orig/libpam/pam_modutil_priv.c
++++ pam/libpam/pam_modutil_priv.c
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat
new file mode 100644
index 0000000..82b48fc
--- /dev/null
+++ b/debian/patches-applied/lib_security_multiarch_compat
@@ -0,0 +1,71 @@
+Unqualified module paths should always be looked up in *both* the default
+module dir, *and* the ISA dir. That's what paths are for.
+
+This lets us have a soft transition to multiarch for modules without having
+to rewrite /etc/pam.d/ files or add ugly symlinks.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: not ready to be committed - this needs tweaked, we're
+currently abusing the existing variables and inverting their meaning in
+order to get everything installed where we want it and get absolute paths
+the way we want them.
+
+Index: pam/libpam/pam_handlers.c
+===================================================================
+--- pam.orig/libpam/pam_handlers.c
++++ pam/libpam/pam_handlers.c
+@@ -728,7 +728,26 @@
+ success = PAM_ABORT;
+
+ D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
+- mod->dl_handle = _pam_dlopen(mod_path);
++ if (mod_path[0] == '/') {
++ mod->dl_handle = _pam_dlopen(mod_path);
++ } else {
++ if (asprintf(&mod_full_isa_path, "%s%s",
++ DEFAULT_MODULE_PATH, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_isa_path);
++ _pam_drop(mod_full_isa_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ if (!mod->dl_handle) {
++ if (asprintf(&mod_full_isa_path, "%s/%s",
++ _PAM_ISA, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_isa_path);
++ _pam_drop(mod_full_isa_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ }
++ }
+ D(("_pam_load_module: _pam_dlopen'ed"));
+ D(("_pam_load_module: dlopen'ed"));
+ if (mod->dl_handle == NULL) {
+@@ -797,7 +816,6 @@
+ struct handler **handler_p2;
+ struct handlers *the_handlers;
+ const char *sym, *sym2;
+- char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
+
+@@ -809,16 +827,7 @@
+
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
+- if (mod_path[0] == '/') {
+- mod = _pam_load_module(pamh, mod_path, handler_type);
+- } else if (asprintf(&mod_full_path, "%s%s",
+- DEFAULT_MODULE_PATH, mod_path) >= 0) {
+- mod = _pam_load_module(pamh, mod_full_path, handler_type);
+- _pam_drop(mod_full_path);
+- } else {
+- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+- return PAM_ABORT;
+- }
++ mod = _pam_load_module(pamh, mod_path, handler_type);
+
+ if (mod == NULL) {
+ /* if we get here with NULL it means allocation error */
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 0000000..f953b23
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,19 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C.UTF-8 to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>, Steve Langasek <vorlon@debian.org>
+Last-Update: 2019-01-06
+
+Index: pam/configure.ac
+===================================================================
+--- pam.orig/configure.ac
++++ pam/configure.ac
+@@ -556,7 +556,7 @@
+
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C.UTF-8 $BROWSER -T text/html -dump"
+ else
+ AC_PATH_PROG([BROWSER], [links])
+ if test ! -z "$BROWSER"; then
diff --git a/debian/patches-applied/no_PATH_MAX_on_hurd b/debian/patches-applied/no_PATH_MAX_on_hurd
new file mode 100644
index 0000000..ab2403d
--- /dev/null
+++ b/debian/patches-applied/no_PATH_MAX_on_hurd
@@ -0,0 +1,22 @@
+Description: define PATH_MAX for compatibility when it's not already set
+ Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable
+ default value in this case.
+Author: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/552043
+
+Index: pam/tests/tst-dlopen.c
+===================================================================
+--- pam.orig/tests/tst-dlopen.c
++++ pam/tests/tst-dlopen.c
+@@ -16,6 +16,11 @@
+ #include <limits.h>
+ #include <sys/stat.h>
+
++/* Hurd compatibility */
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
+ /* Simple program to see if dlopen() would succeed. */
+ int main(int argc, char **argv)
+ {
diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 0000000..302c911
--- /dev/null
+++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
@@ -0,0 +1,60 @@
+From: Robie Basak <robie.basak@ubuntu.com>
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 <rbasak> slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad <adconrad@ubuntu.com>
+Reviewed-by: Martin Pitt <martin.pitt@ubuntu.com>
+Last-Update: 2015-04-22
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -451,6 +451,14 @@
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ }
+ fclose(limitsfile);
++
++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++ * since larger values can cause problems with fd_set overflow and
++ * systemd sets itself higher. */
++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++ }
+ }
+
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 0000000..11d4ee3
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,25 @@
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
+
+Authors: Steve Langasek <vorlon@debian.org>,
+ Michael Spang <mspang@csclub.uwaterloo.ca>
+
+Upstream status: to be submitted
+
+Index: pam/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/unix_chkpwd.c
++++ pam/modules/pam_unix/unix_chkpwd.c
+@@ -137,9 +137,10 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (strcmp(user, argv[1])) {
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
+ }
+ }
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 0000000..0ce85eb
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ * ...and shadow password file entry for this user,
+ * if shadowing is enabled
+ */
++ *spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
new file mode 100644
index 0000000..d5318db
--- /dev/null
+++ b/debian/patches-applied/series
@@ -0,0 +1,25 @@
+pam_unix_fix_sgid_shadow_auth.patch
+pam_unix_dont_trust_chkpwd_caller.patch
+make_documentation_reproducible.patch
+007_modules_pam_unix
+008_modules_pam_limits_chroot
+021_nis_cleanup
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+do_not_check_nis_accidentally
+027_pam_limits_better_init_allow_explicit_root
+031_pam_include
+032_pam_limits_EPERM_NOT_FATAL
+036_pam_wheel_getlogin_considered_harmful
+hurd_no_setfsuid
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+054_pam_security_abstract_securetty_handling
+055_pam_unix_nullok_secure
+cve-2010-4708.patch
+PAM-manpage-section
+update-motd
+no_PATH_MAX_on_hurd
+lib_security_multiarch_compat
+pam-limits-nofile-fd-setsize-cap
+fix-autoreconf.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
new file mode 100644
index 0000000..dececee
--- /dev/null
+++ b/debian/patches-applied/update-motd
@@ -0,0 +1,108 @@
+Provide a more dynamic MOTD, based on the short-lived update-motd project.
+
+Authors: Dustin Kirkland <kirkland@canonical.com>
+
+Last-Update: 2019-02-12
+Forwarded: no
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/399071
+
+Index: pam/modules/pam_motd/pam_motd.c
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.c
++++ pam/modules/pam_motd/pam_motd.c
+@@ -101,8 +101,10 @@
+ int argc, const char **argv)
+ {
+ int retval = PAM_IGNORE;
++ int do_update = 1;
+ const char *motd_path = NULL;
+ const char *motd_dir_path = NULL;
++ struct stat st;
+
+ if (flags & PAM_SILENT) {
+ return retval;
+@@ -131,6 +133,9 @@
+ "motd_dir= specification missing argument - ignored");
+ }
+ }
++ else if (!strcmp(*argv,"noupdate")) {
++ do_update = 0;
++ }
+ else
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -140,6 +145,19 @@
+ motd_dir_path = default_motd_dir;
+ }
+
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd. */
++ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
++ && S_ISDIR(st.st_mode))
++ {
++ mode_t old_mask = umask(0022);
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
++ umask(old_mask);
++ }
++
+ if (motd_path != NULL) {
+ int fd = open(motd_path, O_RDONLY, 0);
+
+Index: pam/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8.xml
++++ pam/modules/pam_motd/pam_motd.8.xml
+@@ -63,6 +63,17 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>noupdate</option>
++ </term>
++ <listitem>
++ <para>
++ Don't run the scripts in <filename>/etc/update-motd.d</filename>
++ to refresh the motd file.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ <para>
+ When no options are given, the default is to display both
+Index: pam/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8
++++ pam/modules/pam_motd/pam_motd.8
+@@ -53,6 +53,13 @@
+ directory is scanned and each file contained inside of it is displayed\&.
+ .RE
+ .PP
++\fBnoupdate\fR
++.RS 4
++Don\*(Aqt run the scripts in
++/etc/update\-motd\&.d
++to refresh the motd file\&.
++.RE
++.PP
+ When no options are given, the default is to display both
+ /etc/motd
+ and the contents of
+Index: pam/modules/pam_motd/README
+===================================================================
+--- pam.orig/modules/pam_motd/README
++++ pam/modules/pam_motd/README
+@@ -19,6 +19,10 @@
+ The /path/dirname.d directory is scanned and each file contained inside of
+ it is displayed.
+
++noupdate
++
++ Don't run the scripts in /etc/update-motd.d to refresh the motd file.
++
+ When no options are given, the default is to display both /etc/motd and the
+ contents of /etc/motd.d. Specifying either option (or both) will disable this
+ default behavior.