authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:22:51 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:22:51 +0000
commit9ada0093e92388590c7368600ca4e9e3e376f0d0 (patch)
treea56fe41110023676d7082028cbaa47ca4b6e6164
parentInitial commit. (diff)
Adding upstream version 1.5.2. (refs: upstream/1.5.2, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--ABOUT-NLS1282
-rw-r--r--AUTHORS7
-rw-r--r--CHANGELOG1765
-rw-r--r--COPYING40
-rw-r--r--ChangeLog7232
-rw-r--r--ChangeLog-CVS5099
-rw-r--r--Copyright40
-rw-r--r--INSTALL368
-rw-r--r--Make.xml.rules.in26
-rw-r--r--Makefile.am51
-rw-r--r--Makefile.in962
-rw-r--r--NEWS433
-rw-r--r--README63
-rw-r--r--aclocal.m41449
-rwxr-xr-xbuild-aux/compile348
-rwxr-xr-xbuild-aux/config.guess1748
-rwxr-xr-xbuild-aux/config.rpath690
-rwxr-xr-xbuild-aux/config.sub1864
-rwxr-xr-xbuild-aux/depcomp791
-rwxr-xr-xbuild-aux/install-sh541
-rw-r--r--build-aux/ltmain.sh11381
-rwxr-xr-xbuild-aux/missing215
-rwxr-xr-xbuild-aux/test-driver150
-rwxr-xr-xbuild-aux/ylwrap247
-rw-r--r--conf/Makefile.am6
-rw-r--r--conf/Makefile.in699
-rwxr-xr-xconf/install_conf36
-rwxr-xr-xconf/md5itall43
-rw-r--r--conf/pam.conf120
-rw-r--r--conf/pam_conv1/Makefile.am19
-rw-r--r--conf/pam_conv1/Makefile.in752
-rw-r--r--conf/pam_conv1/README8
-rw-r--r--conf/pam_conv1/pam_conv_l.c1798
-rw-r--r--conf/pam_conv1/pam_conv_l.l47
-rw-r--r--conf/pam_conv1/pam_conv_y.c1535
-rw-r--r--conf/pam_conv1/pam_conv_y.h94
-rw-r--r--conf/pam_conv1/pam_conv_y.y209
-rw-r--r--config.h.in466
-rwxr-xr-xconfigure23881
-rw-r--r--configure.ac714
-rw-r--r--doc/Makefile.am23
-rw-r--r--doc/Makefile.in772
-rw-r--r--doc/adg/Linux-PAM_ADG.xml780
-rw-r--r--doc/adg/Makefile.am113
-rw-r--r--doc/adg/Makefile.in623
-rw-r--r--doc/adg/pam_acct_mgmt.xml18
-rw-r--r--doc/adg/pam_authenticate.xml18
-rw-r--r--doc/adg/pam_chauthtok.xml18
-rw-r--r--doc/adg/pam_close_session.xml18
-rw-r--r--doc/adg/pam_conv.xml35
-rw-r--r--doc/adg/pam_end.xml18
-rw-r--r--doc/adg/pam_fail_delay.xml18
-rw-r--r--doc/adg/pam_get_item.xml18
-rw-r--r--doc/adg/pam_getenv.xml18
-rw-r--r--doc/adg/pam_getenvlist.xml18
-rw-r--r--doc/adg/pam_misc_conv.xml14
-rw-r--r--doc/adg/pam_misc_drop_env.xml14
-rw-r--r--doc/adg/pam_misc_paste_env.xml14
-rw-r--r--doc/adg/pam_misc_setenv.xml14
-rw-r--r--doc/adg/pam_open_session.xml18
-rw-r--r--doc/adg/pam_putenv.xml18
-rw-r--r--doc/adg/pam_set_item.xml18
-rw-r--r--doc/adg/pam_setcred.xml18
-rw-r--r--doc/adg/pam_start.xml18
-rw-r--r--doc/adg/pam_strerror.xml18
-rw-r--r--doc/custom-html.xsl18
-rw-r--r--doc/custom-man.xsl9
-rw-r--r--doc/index.html21
-rw-r--r--doc/man/Makefile.am63
-rw-r--r--doc/man/Makefile.in748
-rw-r--r--doc/man/PAM.8149
-rw-r--r--doc/man/misc_conv.3127
-rw-r--r--doc/man/misc_conv.3.xml188
-rw-r--r--doc/man/pam.3302
-rw-r--r--doc/man/pam.3.xml439
-rw-r--r--doc/man/pam.81
-rw-r--r--doc/man/pam.8.xml216
-rw-r--r--doc/man/pam.conf-desc.xml21
-rw-r--r--doc/man/pam.conf-dir.xml30
-rw-r--r--doc/man/pam.conf-syntax.xml427
-rw-r--r--doc/man/pam.conf.5382
-rw-r--r--doc/man/pam.d.51
-rw-r--r--doc/man/pam_acct_mgmt.3100
-rw-r--r--doc/man/pam_acct_mgmt.3.xml145
-rw-r--r--doc/man/pam_authenticate.3110
-rw-r--r--doc/man/pam_authenticate.3.xml169
-rw-r--r--doc/man/pam_chauthtok.3109
-rw-r--r--doc/man/pam_chauthtok.3.xml164
-rw-r--r--doc/man/pam_close_session.381
-rw-r--r--doc/man/pam_close_session.3.xml115
-rw-r--r--doc/man/pam_conv.3177
-rw-r--r--doc/man/pam_conv.3.xml228
-rw-r--r--doc/man/pam_end.389
-rw-r--r--doc/man/pam_end.3.xml122
-rw-r--r--doc/man/pam_error.390
-rw-r--r--doc/man/pam_error.3.xml121
-rw-r--r--doc/man/pam_fail_delay.3168
-rw-r--r--doc/man/pam_fail_delay.3.xml209
-rw-r--r--doc/man/pam_get_authtok.3170
-rw-r--r--doc/man/pam_get_authtok.3.xml248
-rw-r--r--doc/man/pam_get_authtok_noverify.31
-rw-r--r--doc/man/pam_get_authtok_verify.31
-rw-r--r--doc/man/pam_get_data.382
-rw-r--r--doc/man/pam_get_data.3.xml108
-rw-r--r--doc/man/pam_get_item.3196
-rw-r--r--doc/man/pam_get_item.3.xml143
-rw-r--r--doc/man/pam_get_user.3138
-rw-r--r--doc/man/pam_get_user.3.xml164
-rw-r--r--doc/man/pam_getenv.360
-rw-r--r--doc/man/pam_getenv.3.xml67
-rw-r--r--doc/man/pam_getenvlist.366
-rw-r--r--doc/man/pam_getenvlist.3.xml85
-rw-r--r--doc/man/pam_info.386
-rw-r--r--doc/man/pam_info.3.xml109
-rw-r--r--doc/man/pam_item_types_ext.inc.xml61
-rw-r--r--doc/man/pam_item_types_std.inc.xml138
-rw-r--r--doc/man/pam_misc_drop_env.362
-rw-r--r--doc/man/pam_misc_drop_env.3.xml63
-rw-r--r--doc/man/pam_misc_paste_env.357
-rw-r--r--doc/man/pam_misc_paste_env.3.xml61
-rw-r--r--doc/man/pam_misc_setenv.362
-rw-r--r--doc/man/pam_misc_setenv.3.xml68
-rw-r--r--doc/man/pam_open_session.381
-rw-r--r--doc/man/pam_open_session.3.xml115
-rw-r--r--doc/man/pam_prompt.381
-rw-r--r--doc/man/pam_prompt.3.xml114
-rw-r--r--doc/man/pam_putenv.3111
-rw-r--r--doc/man/pam_putenv.3.xml152
-rw-r--r--doc/man/pam_set_data.3119
-rw-r--r--doc/man/pam_set_data.3.xml172
-rw-r--r--doc/man/pam_set_item.3193
-rw-r--r--doc/man/pam_set_item.3.xml136
-rw-r--r--doc/man/pam_setcred.3122
-rw-r--r--doc/man/pam_setcred.3.xml180
-rw-r--r--doc/man/pam_sm_acct_mgmt.3105
-rw-r--r--doc/man/pam_sm_acct_mgmt.3.xml154
-rw-r--r--doc/man/pam_sm_authenticate.3106
-rw-r--r--doc/man/pam_sm_authenticate.3.xml151
-rw-r--r--doc/man/pam_sm_chauthtok.3137
-rw-r--r--doc/man/pam_sm_chauthtok.3.xml204
-rw-r--r--doc/man/pam_sm_close_session.374
-rw-r--r--doc/man/pam_sm_close_session.3.xml99
-rw-r--r--doc/man/pam_sm_open_session.374
-rw-r--r--doc/man/pam_sm_open_session.3.xml99
-rw-r--r--doc/man/pam_sm_setcred.3128
-rw-r--r--doc/man/pam_sm_setcred.3.xml184
-rw-r--r--doc/man/pam_start.3117
-rw-r--r--doc/man/pam_start.3.xml167
-rw-r--r--doc/man/pam_strerror.352
-rw-r--r--doc/man/pam_strerror.3.xml58
-rw-r--r--doc/man/pam_syslog.377
-rw-r--r--doc/man/pam_syslog.3.xml82
-rw-r--r--doc/man/pam_verror.31
-rw-r--r--doc/man/pam_vinfo.31
-rw-r--r--doc/man/pam_vprompt.31
-rw-r--r--doc/man/pam_vsyslog.31
-rw-r--r--doc/man/pam_xauth_data.384
-rw-r--r--doc/mwg/Linux-PAM_MWG.xml632
-rw-r--r--doc/mwg/Makefile.am113
-rw-r--r--doc/mwg/Makefile.in623
-rw-r--r--doc/mwg/pam_conv.xml35
-rw-r--r--doc/mwg/pam_fail_delay.xml18
-rw-r--r--doc/mwg/pam_get_data.xml18
-rw-r--r--doc/mwg/pam_get_item.xml18
-rw-r--r--doc/mwg/pam_get_user.xml18
-rw-r--r--doc/mwg/pam_getenv.xml18
-rw-r--r--doc/mwg/pam_getenvlist.xml18
-rw-r--r--doc/mwg/pam_putenv.xml18
-rw-r--r--doc/mwg/pam_set_data.xml18
-rw-r--r--doc/mwg/pam_set_item.xml18
-rw-r--r--doc/mwg/pam_sm_acct_mgmt.xml18
-rw-r--r--doc/mwg/pam_sm_authenticate.xml18
-rw-r--r--doc/mwg/pam_sm_chauthtok.xml18
-rw-r--r--doc/mwg/pam_sm_close_session.xml18
-rw-r--r--doc/mwg/pam_sm_open_session.xml18
-rw-r--r--doc/mwg/pam_sm_setcred.xml18
-rw-r--r--doc/mwg/pam_strerror.xml18
-rw-r--r--doc/sag/Linux-PAM_SAG.xml570
-rw-r--r--doc/sag/Makefile.am113
-rw-r--r--doc/sag/Makefile.in623
-rw-r--r--doc/sag/pam_access.xml42
-rw-r--r--doc/sag/pam_debug.xml34
-rw-r--r--doc/sag/pam_deny.xml34
-rw-r--r--doc/sag/pam_echo.xml34
-rw-r--r--doc/sag/pam_env.xml42
-rw-r--r--doc/sag/pam_exec.xml34
-rw-r--r--doc/sag/pam_faildelay.xml34
-rw-r--r--doc/sag/pam_faillock.xml38
-rw-r--r--doc/sag/pam_filter.xml34
-rw-r--r--doc/sag/pam_ftp.xml34
-rw-r--r--doc/sag/pam_group.xml42
-rw-r--r--doc/sag/pam_issue.xml34
-rw-r--r--doc/sag/pam_keyinit.xml34
-rw-r--r--doc/sag/pam_lastlog.xml34
-rw-r--r--doc/sag/pam_limits.xml42
-rw-r--r--doc/sag/pam_listfile.xml34
-rw-r--r--doc/sag/pam_localuser.xml34
-rw-r--r--doc/sag/pam_loginuid.xml34
-rw-r--r--doc/sag/pam_mail.xml34
-rw-r--r--doc/sag/pam_mkhomedir.xml34
-rw-r--r--doc/sag/pam_motd.xml34
-rw-r--r--doc/sag/pam_namespace.xml42
-rw-r--r--doc/sag/pam_nologin.xml34
-rw-r--r--doc/sag/pam_permit.xml34
-rw-r--r--doc/sag/pam_pwhistory.xml38
-rw-r--r--doc/sag/pam_rhosts.xml34
-rw-r--r--doc/sag/pam_rootok.xml34
-rw-r--r--doc/sag/pam_securetty.xml34
-rw-r--r--doc/sag/pam_selinux.xml34
-rw-r--r--doc/sag/pam_sepermit.xml38
-rw-r--r--doc/sag/pam_setquota.xml34
-rw-r--r--doc/sag/pam_shells.xml34
-rw-r--r--doc/sag/pam_succeed_if.xml34
-rw-r--r--doc/sag/pam_time.xml42
-rw-r--r--doc/sag/pam_timestamp.xml42
-rw-r--r--doc/sag/pam_tty_audit.xml38
-rw-r--r--doc/sag/pam_umask.xml34
-rw-r--r--doc/sag/pam_unix.xml34
-rw-r--r--doc/sag/pam_userdb.xml34
-rw-r--r--doc/sag/pam_warn.xml34
-rw-r--r--doc/sag/pam_wheel.xml34
-rw-r--r--doc/sag/pam_xauth.xml34
-rw-r--r--doc/specs/Makefile.am27
-rw-r--r--doc/specs/Makefile.in808
-rw-r--r--doc/specs/draft-morgan-pam.raw764
-rw-r--r--doc/specs/parse_l.c1786
-rw-r--r--doc/specs/parse_l.l22
-rw-r--r--doc/specs/parse_y.c1675
-rw-r--r--doc/specs/parse_y.h102
-rw-r--r--doc/specs/parse_y.y297
-rw-r--r--doc/specs/rfc86.0.txt1845
-rw-r--r--doc/specs/std-agent-id.raw95
-rw-r--r--examples/Makefile.am14
-rw-r--r--examples/Makefile.in722
-rw-r--r--examples/README12
-rw-r--r--examples/blank.c158
-rw-r--r--examples/check_user.c60
-rw-r--r--examples/vpass.c49
-rw-r--r--examples/xsh.c173
-rw-r--r--libpam/Makefile.am46
-rw-r--r--libpam/Makefile.in953
-rw-r--r--libpam/include/pam_cc_compat.h66
-rw-r--r--libpam/include/pam_inline.h118
-rw-r--r--libpam/include/security/_pam_compat.h126
-rw-r--r--libpam/include/security/_pam_macros.h196
-rw-r--r--libpam/include/security/_pam_types.h333
-rw-r--r--libpam/include/security/pam_appl.h104
-rw-r--r--libpam/include/security/pam_ext.h91
-rw-r--r--libpam/include/security/pam_modules.h124
-rw-r--r--libpam/include/security/pam_modutil.h160
-rw-r--r--libpam/include/test_assert.h55
-rw-r--r--libpam/libpam.map89
-rw-r--r--libpam/pam.pc.in9
-rw-r--r--libpam/pam_account.c23
-rw-r--r--libpam/pam_audit.c242
-rw-r--r--libpam/pam_auth.c73
-rw-r--r--libpam/pam_data.c166
-rw-r--r--libpam/pam_delay.c160
-rw-r--r--libpam/pam_dispatch.c447
-rw-r--r--libpam/pam_dynamic.c138
-rw-r--r--libpam/pam_end.c98
-rw-r--r--libpam/pam_env.c392
-rw-r--r--libpam/pam_get_authtok.c280
-rw-r--r--libpam/pam_handlers.c1045
-rw-r--r--libpam/pam_item.c396
-rw-r--r--libpam/pam_misc.c360
-rw-r--r--libpam/pam_modutil_check_user.c92
-rw-r--r--libpam/pam_modutil_cleanup.c19
-rw-r--r--libpam/pam_modutil_getgrgid.c138
-rw-r--r--libpam/pam_modutil_getgrnam.c127
-rw-r--r--libpam/pam_modutil_getlogin.c80
-rw-r--r--libpam/pam_modutil_getpwnam.c127
-rw-r--r--libpam/pam_modutil_getpwuid.c138
-rw-r--r--libpam/pam_modutil_getspnam.c127
-rw-r--r--libpam/pam_modutil_ingroup.c130
-rw-r--r--libpam/pam_modutil_ioloop.c53
-rw-r--r--libpam/pam_modutil_priv.c179
-rw-r--r--libpam/pam_modutil_private.h24
-rw-r--r--libpam/pam_modutil_sanitize.c147
-rw-r--r--libpam/pam_modutil_searchkey.c128
-rw-r--r--libpam/pam_password.c61
-rw-r--r--libpam/pam_prelude.c454
-rw-r--r--libpam/pam_prelude.h15
-rw-r--r--libpam/pam_private.h358
-rw-r--r--libpam/pam_session.c45
-rw-r--r--libpam/pam_start.c179
-rw-r--r--libpam/pam_strerror.c106
-rw-r--r--libpam/pam_syslog.c115
-rw-r--r--libpam/pam_tokens.h112
-rw-r--r--libpam/pam_vprompt.c115
-rw-r--r--libpam_misc/Makefile.am26
-rw-r--r--libpam_misc/Makefile.in806
-rw-r--r--libpam_misc/help_env.c88
-rw-r--r--libpam_misc/include/security/pam_misc.h52
-rw-r--r--libpam_misc/libpam_misc.map17
-rw-r--r--libpam_misc/misc_conv.c401
-rw-r--r--libpam_misc/pam_misc.pc.in9
-rw-r--r--libpamc/License41
-rw-r--r--libpamc/Makefile.am28
-rw-r--r--libpamc/Makefile.in924
-rw-r--r--libpamc/include/security/pam_client.h197
-rw-r--r--libpamc/libpamc.h66
-rw-r--r--libpamc/libpamc.map12
-rw-r--r--libpamc/pamc.pc.in9
-rw-r--r--libpamc/pamc_client.c189
-rw-r--r--libpamc/pamc_converse.c211
-rw-r--r--libpamc/pamc_load.c477
-rw-r--r--libpamc/test/Makefile.am11
-rw-r--r--libpamc/test/Makefile.in526
-rwxr-xr-xlibpamc/test/agents/secret@here307
-rw-r--r--libpamc/test/modules/Makefile9
-rw-r--r--libpamc/test/modules/pam_secret.c669
-rw-r--r--libpamc/test/regress/Makefile7
-rwxr-xr-xlibpamc/test/regress/run_test.sh6
-rw-r--r--libpamc/test/regress/test.libpamc.c343
-rwxr-xr-xlibpamc/test/regress/test.secret@here151
-rw-r--r--m4/attribute.m416
-rw-r--r--m4/gettext.m4401
-rw-r--r--m4/iconv.m4268
-rw-r--r--m4/intlmacosx.m456
-rw-r--r--m4/jh_path_xml_catalog.m454
-rw-r--r--m4/ld-O1.m415
-rw-r--r--m4/ld-as-needed.m415
-rw-r--r--m4/ld-no-undefined.m415
-rw-r--r--m4/ld-z-now.m416
-rw-r--r--m4/lib-ld.m4119
-rw-r--r--m4/lib-link.m4777
-rw-r--r--m4/lib-prefix.m4224
-rw-r--r--m4/libprelude.m4181
-rw-r--r--m4/libtool.m48424
-rw-r--r--m4/ltoptions.m4437
-rw-r--r--m4/ltsugar.m4124
-rw-r--r--m4/ltversion.m423
-rw-r--r--m4/lt~obsolete.m499
-rw-r--r--m4/nls.m432
-rw-r--r--m4/po.m4453
-rw-r--r--m4/progtest.m491
-rw-r--r--m4/warn_lang_flags.m433
-rw-r--r--m4/warnings.m485
-rw-r--r--modules/Makefile.am94
-rw-r--r--modules/Makefile.in767
-rw-r--r--modules/modules.map10
-rw-r--r--modules/pam_access/Makefile.am36
-rw-r--r--modules/pam_access/Makefile.in1222
-rw-r--r--modules/pam_access/README131
-rw-r--r--modules/pam_access/README.xml39
-rw-r--r--modules/pam_access/access.conf122
-rw-r--r--modules/pam_access/access.conf.5222
-rw-r--r--modules/pam_access/access.conf.5.xml253
-rw-r--r--modules/pam_access/pam_access.8139
-rw-r--r--modules/pam_access/pam_access.8.xml265
-rw-r--r--modules/pam_access/pam_access.c985
-rwxr-xr-xmodules/pam_access/tst-pam_access2
-rw-r--r--modules/pam_debug/Makefile.am36
-rw-r--r--modules/pam_debug/Makefile.in1180
-rw-r--r--modules/pam_debug/README64
-rw-r--r--modules/pam_debug/README.xml41
-rw-r--r--modules/pam_debug/pam_debug.8144
-rw-r--r--modules/pam_debug/pam_debug.8.xml231
-rw-r--r--modules/pam_debug/pam_debug.c108
-rwxr-xr-xmodules/pam_debug/tst-pam_debug2
-rw-r--r--modules/pam_debug/tst-pam_debug-retval.c65
-rw-r--r--modules/pam_deny/Makefile.am36
-rw-r--r--modules/pam_deny/Makefile.in1180
-rw-r--r--modules/pam_deny/README31
-rw-r--r--modules/pam_deny/README.xml36
-rw-r--r--modules/pam_deny/pam_deny.8102
-rw-r--r--modules/pam_deny/pam_deny.8.xml135
-rw-r--r--modules/pam_deny/pam_deny.c60
-rwxr-xr-xmodules/pam_deny/tst-pam_deny2
-rw-r--r--modules/pam_deny/tst-pam_deny-retval.c58
-rw-r--r--modules/pam_echo/Makefile.am36
-rw-r--r--modules/pam_echo/Makefile.in1180
-rw-r--r--modules/pam_echo/README50
-rw-r--r--modules/pam_echo/README.xml36
-rw-r--r--modules/pam_echo/pam_echo.8132
-rw-r--r--modules/pam_echo/pam_echo.8.xml170
-rw-r--r--modules/pam_echo/pam_echo.c260
-rwxr-xr-xmodules/pam_echo/tst-pam_echo2
-rw-r--r--modules/pam_echo/tst-pam_echo-retval.c101
-rw-r--r--modules/pam_env/Makefile.am37
-rw-r--r--modules/pam_env/Makefile.in1248
-rw-r--r--modules/pam_env/README101
-rw-r--r--modules/pam_env/README.xml39
-rw-r--r--modules/pam_env/environment5
-rw-r--r--modules/pam_env/environment.51
-rw-r--r--modules/pam_env/pam_env.8160
-rw-r--r--modules/pam_env/pam_env.8.xml271
-rw-r--r--modules/pam_env/pam_env.c894
-rw-r--r--modules/pam_env/pam_env.conf73
-rw-r--r--modules/pam_env/pam_env.conf.5132
-rw-r--r--modules/pam_env/pam_env.conf.5.xml136
-rwxr-xr-xmodules/pam_env/tst-pam_env2
-rw-r--r--modules/pam_exec/Makefile.am33
-rw-r--r--modules/pam_exec/Makefile.in1150
-rw-r--r--modules/pam_exec/README79
-rw-r--r--modules/pam_exec/README.xml41
-rw-r--r--modules/pam_exec/pam_exec.8188
-rw-r--r--modules/pam_exec/pam_exec.8.xml319
-rw-r--r--modules/pam_exec/pam_exec.c522
-rwxr-xr-xmodules/pam_exec/tst-pam_exec2
-rw-r--r--modules/pam_faildelay/Makefile.am36
-rw-r--r--modules/pam_faildelay/Makefile.in1181
-rw-r--r--modules/pam_faildelay/README33
-rw-r--r--modules/pam_faildelay/README.xml41
-rw-r--r--modules/pam_faildelay/pam_faildelay.893
-rw-r--r--modules/pam_faildelay/pam_faildelay.8.xml136
-rw-r--r--modules/pam_faildelay/pam_faildelay.c138
-rwxr-xr-xmodules/pam_faildelay/tst-pam_faildelay2
-rw-r--r--modules/pam_faildelay/tst-pam_faildelay-retval.c88
-rw-r--r--modules/pam_faillock/Makefile.am50
-rw-r--r--modules/pam_faillock/Makefile.in1344
-rw-r--r--modules/pam_faillock/README140
-rw-r--r--modules/pam_faillock/README.xml46
-rw-r--r--modules/pam_faillock/faillock.878
-rw-r--r--modules/pam_faillock/faillock.8.xml123
-rw-r--r--modules/pam_faillock/faillock.c176
-rw-r--r--modules/pam_faillock/faillock.conf62
-rw-r--r--modules/pam_faillock/faillock.conf.5171
-rw-r--r--modules/pam_faillock/faillock.conf.5.xml253
-rw-r--r--modules/pam_faillock/faillock.h75
-rw-r--r--modules/pam_faillock/main.c231
-rw-r--r--modules/pam_faillock/pam_faillock.8262
-rw-r--r--modules/pam_faillock/pam_faillock.8.xml362
-rw-r--r--modules/pam_faillock/pam_faillock.c764
-rwxr-xr-xmodules/pam_faillock/tst-pam_faillock2
-rw-r--r--modules/pam_filter/Makefile.am37
-rw-r--r--modules/pam_filter/Makefile.in1294
-rw-r--r--modules/pam_filter/README78
-rw-r--r--modules/pam_filter/README.xml41
-rw-r--r--modules/pam_filter/pam_filter.8172
-rw-r--r--modules/pam_filter/pam_filter.8.xml261
-rw-r--r--modules/pam_filter/pam_filter.c714
-rw-r--r--modules/pam_filter/pam_filter.h32
-rwxr-xr-xmodules/pam_filter/tst-pam_filter2
-rw-r--r--modules/pam_filter/upperLOWER/Makefile.am15
-rw-r--r--modules/pam_filter/upperLOWER/Makefile.in728
-rw-r--r--modules/pam_filter/upperLOWER/upperLOWER.c141
-rw-r--r--modules/pam_ftp/Makefile.am33
-rw-r--r--modules/pam_ftp/Makefile.in1150
-rw-r--r--modules/pam_ftp/README52
-rw-r--r--modules/pam_ftp/README.xml41
-rw-r--r--modules/pam_ftp/pam_ftp.8125
-rw-r--r--modules/pam_ftp/pam_ftp.8.xml183
-rw-r--r--modules/pam_ftp/pam_ftp.c215
-rwxr-xr-xmodules/pam_ftp/tst-pam_ftp2
-rw-r--r--modules/pam_group/Makefile.am35
-rw-r--r--modules/pam_group/Makefile.in1221
-rw-r--r--modules/pam_group/README52
-rw-r--r--modules/pam_group/README.xml34
-rw-r--r--modules/pam_group/group.conf106
-rw-r--r--modules/pam_group/group.conf.5121
-rw-r--r--modules/pam_group/group.conf.5.xml147
-rw-r--r--modules/pam_group/pam_group.8109
-rw-r--r--modules/pam_group/pam_group.8.xml162
-rw-r--r--modules/pam_group/pam_group.c815
-rwxr-xr-xmodules/pam_group/tst-pam_group2
-rw-r--r--modules/pam_issue/Makefile.am33
-rw-r--r--modules/pam_issue/Makefile.in1150
-rw-r--r--modules/pam_issue/README79
-rw-r--r--modules/pam_issue/README.xml41
-rw-r--r--modules/pam_issue/pam_issue.8158
-rw-r--r--modules/pam_issue/pam_issue.8.xml234
-rw-r--r--modules/pam_issue/pam_issue.c306
-rwxr-xr-xmodules/pam_issue/tst-pam_issue2
-rw-r--r--modules/pam_keyinit/Makefile.am33
-rw-r--r--modules/pam_keyinit/Makefile.in1150
-rw-r--r--modules/pam_keyinit/README67
-rw-r--r--modules/pam_keyinit/README.xml41
-rw-r--r--modules/pam_keyinit/pam_keyinit.8150
-rw-r--r--modules/pam_keyinit/pam_keyinit.8.xml250
-rw-r--r--modules/pam_keyinit/pam_keyinit.c298
-rwxr-xr-xmodules/pam_keyinit/tst-pam_keyinit2
-rw-r--r--modules/pam_lastlog/Makefile.am33
-rw-r--r--modules/pam_lastlog/Makefile.in1150
-rw-r--r--modules/pam_lastlog/README96
-rw-r--r--modules/pam_lastlog/README.xml41
-rw-r--r--modules/pam_lastlog/pam_lastlog.8197
-rw-r--r--modules/pam_lastlog/pam_lastlog.8.xml343
-rw-r--r--modules/pam_lastlog/pam_lastlog.c804
-rwxr-xr-xmodules/pam_lastlog/tst-pam_lastlog2
-rw-r--r--modules/pam_limits/Makefile.am40
-rw-r--r--modules/pam_limits/Makefile.in1227
-rw-r--r--modules/pam_limits/README70
-rw-r--r--modules/pam_limits/README.xml39
-rw-r--r--modules/pam_limits/limits.conf61
-rw-r--r--modules/pam_limits/limits.conf.5349
-rw-r--r--modules/pam_limits/limits.conf.5.xml360
-rw-r--r--modules/pam_limits/pam_limits.8152
-rw-r--r--modules/pam_limits/pam_limits.8.xml257
-rw-r--r--modules/pam_limits/pam_limits.c1215
-rwxr-xr-xmodules/pam_limits/tst-pam_limits2
-rw-r--r--modules/pam_listfile/Makefile.am33
-rw-r--r--modules/pam_listfile/Makefile.in1150
-rw-r--r--modules/pam_listfile/README101
-rw-r--r--modules/pam_listfile/README.xml41
-rw-r--r--modules/pam_listfile/pam_listfile.8211
-rw-r--r--modules/pam_listfile/pam_listfile.8.xml297
-rw-r--r--modules/pam_listfile/pam_listfile.c397
-rwxr-xr-xmodules/pam_listfile/tst-pam_listfile2
-rw-r--r--modules/pam_localuser/Makefile.am36
-rw-r--r--modules/pam_localuser/Makefile.in1181
-rw-r--r--modules/pam_localuser/README38
-rw-r--r--modules/pam_localuser/README.xml41
-rw-r--r--modules/pam_localuser/pam_localuser.8123
-rw-r--r--modules/pam_localuser/pam_localuser.8.xml202
-rw-r--r--modules/pam_localuser/pam_localuser.c126
-rwxr-xr-xmodules/pam_localuser/tst-pam_localuser2
-rw-r--r--modules/pam_localuser/tst-pam_localuser-retval.c144
-rw-r--r--modules/pam_loginuid/Makefile.am33
-rw-r--r--modules/pam_loginuid/Makefile.in1150
-rw-r--r--modules/pam_loginuid/README29
-rw-r--r--modules/pam_loginuid/README.xml36
-rw-r--r--modules/pam_loginuid/pam_loginuid.893
-rw-r--r--modules/pam_loginuid/pam_loginuid.8.xml142
-rw-r--r--modules/pam_loginuid/pam_loginuid.c267
-rwxr-xr-xmodules/pam_loginuid/tst-pam_loginuid2
-rw-r--r--modules/pam_mail/Makefile.am33
-rw-r--r--modules/pam_mail/Makefile.in1150
-rw-r--r--modules/pam_mail/README71
-rw-r--r--modules/pam_mail/README.xml41
-rw-r--r--modules/pam_mail/pam_mail.8159
-rw-r--r--modules/pam_mail/pam_mail.8.xml280
-rw-r--r--modules/pam_mail/pam_mail.c468
-rwxr-xr-xmodules/pam_mail/tst-pam_mail2
-rw-r--r--modules/pam_mkhomedir/Makefile.am44
-rw-r--r--modules/pam_mkhomedir/Makefile.in1280
-rw-r--r--modules/pam_mkhomedir/README36
-rw-r--r--modules/pam_mkhomedir/README.xml36
-rw-r--r--modules/pam_mkhomedir/mkhomedir_helper.863
-rw-r--r--modules/pam_mkhomedir/mkhomedir_helper.8.xml83
-rw-r--r--modules/pam_mkhomedir/mkhomedir_helper.c439
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.8135
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.8.xml219
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.c267
-rwxr-xr-xmodules/pam_mkhomedir/tst-pam_mkhomedir2
-rw-r--r--modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c110
-rw-r--r--modules/pam_motd/Makefile.am33
-rw-r--r--modules/pam_motd/Makefile.in1150
-rw-r--r--modules/pam_motd/README82
-rw-r--r--modules/pam_motd/README.xml41
-rw-r--r--modules/pam_motd/pam_motd.8195
-rw-r--r--modules/pam_motd/pam_motd.8.xml215
-rw-r--r--modules/pam_motd/pam_motd.c445
-rwxr-xr-xmodules/pam_motd/tst-pam_motd2
-rw-r--r--modules/pam_namespace/Makefile.am48
-rw-r--r--modules/pam_namespace/Makefile.in1348
-rw-r--r--modules/pam_namespace/README227
-rw-r--r--modules/pam_namespace/README.xml44
-rw-r--r--modules/pam_namespace/argv_parse.c172
-rw-r--r--modules/pam_namespace/argv_parse.h43
-rw-r--r--modules/pam_namespace/md5.c261
-rw-r--r--modules/pam_namespace/md5.h36
-rw-r--r--modules/pam_namespace/namespace.conf31
-rw-r--r--modules/pam_namespace/namespace.conf.5168
-rw-r--r--modules/pam_namespace/namespace.conf.5.xml223
-rwxr-xr-xmodules/pam_namespace/namespace.init25
-rw-r--r--modules/pam_namespace/pam_namespace.8154
-rw-r--r--modules/pam_namespace/pam_namespace.8.xml381
-rw-r--r--modules/pam_namespace/pam_namespace.c2272
-rw-r--r--modules/pam_namespace/pam_namespace.h192
-rw-r--r--modules/pam_namespace/pam_namespace.service.in11
-rw-r--r--modules/pam_namespace/pam_namespace_helper.849
-rw-r--r--modules/pam_namespace/pam_namespace_helper.8.xml62
-rw-r--r--modules/pam_namespace/pam_namespace_helper.in15
-rwxr-xr-xmodules/pam_namespace/tst-pam_namespace2
-rw-r--r--modules/pam_nologin/Makefile.am36
-rw-r--r--modules/pam_nologin/Makefile.in1181
-rw-r--r--modules/pam_nologin/README41
-rw-r--r--modules/pam_nologin/README.xml46
-rw-r--r--modules/pam_nologin/pam_nologin.8130
-rw-r--r--modules/pam_nologin/pam_nologin.8.xml175
-rw-r--r--modules/pam_nologin/pam_nologin.c163
-rwxr-xr-xmodules/pam_nologin/tst-pam_nologin2
-rw-r--r--modules/pam_nologin/tst-pam_nologin-retval.c226
-rw-r--r--modules/pam_permit/Makefile.am36
-rw-r--r--modules/pam_permit/Makefile.in1180
-rw-r--r--modules/pam_permit/README30
-rw-r--r--modules/pam_permit/README.xml41
-rw-r--r--modules/pam_permit/pam_permit.884
-rw-r--r--modules/pam_permit/pam_permit.8.xml106
-rw-r--r--modules/pam_permit/pam_permit.c84
-rwxr-xr-xmodules/pam_permit/tst-pam_permit2
-rw-r--r--modules/pam_permit/tst-pam_permit-retval.c58
-rw-r--r--modules/pam_pwhistory/Makefile.am45
-rw-r--r--modules/pam_pwhistory/Makefile.in1289
-rw-r--r--modules/pam_pwhistory/README66
-rw-r--r--modules/pam_pwhistory/README.xml41
-rw-r--r--modules/pam_pwhistory/opasswd.c564
-rw-r--r--modules/pam_pwhistory/opasswd.h66
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.8163
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.8.xml247
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.c390
-rw-r--r--modules/pam_pwhistory/pwhistory_helper.854
-rw-r--r--modules/pam_pwhistory/pwhistory_helper.8.xml68
-rw-r--r--modules/pam_pwhistory/pwhistory_helper.c119
-rwxr-xr-xmodules/pam_pwhistory/tst-pam_pwhistory2
-rw-r--r--modules/pam_rhosts/Makefile.am33
-rw-r--r--modules/pam_rhosts/Makefile.in1150
-rw-r--r--modules/pam_rhosts/README56
-rw-r--r--modules/pam_rhosts/README.xml41
-rw-r--r--modules/pam_rhosts/pam_rhosts.8128
-rw-r--r--modules/pam_rhosts/pam_rhosts.8.xml171
-rw-r--r--modules/pam_rhosts/pam_rhosts.c142
-rwxr-xr-xmodules/pam_rhosts/tst-pam_rhosts2
-rw-r--r--modules/pam_rootok/Makefile.am36
-rw-r--r--modules/pam_rootok/Makefile.in1180
-rw-r--r--modules/pam_rootok/README33
-rw-r--r--modules/pam_rootok/README.xml41
-rw-r--r--modules/pam_rootok/pam_rootok.8106
-rw-r--r--modules/pam_rootok/pam_rootok.8.xml131
-rw-r--r--modules/pam_rootok/pam_rootok.c174
-rwxr-xr-xmodules/pam_rootok/tst-pam_rootok2
-rw-r--r--modules/pam_rootok/tst-pam_rootok-retval.c72
-rw-r--r--modules/pam_securetty/Makefile.am33
-rw-r--r--modules/pam_securetty/Makefile.in1150
-rw-r--r--modules/pam_securetty/README42
-rw-r--r--modules/pam_securetty/README.xml41
-rw-r--r--modules/pam_securetty/pam_securetty.8140
-rw-r--r--modules/pam_securetty/pam_securetty.8.xml202
-rw-r--r--modules/pam_securetty/pam_securetty.c286
-rwxr-xr-xmodules/pam_securetty/tst-pam_securetty2
-rw-r--r--modules/pam_selinux/Makefile.am37
-rw-r--r--modules/pam_selinux/Makefile.in1182
-rw-r--r--modules/pam_selinux/README85
-rw-r--r--modules/pam_selinux/README.xml41
-rw-r--r--modules/pam_selinux/pam_selinux.8151
-rw-r--r--modules/pam_selinux/pam_selinux.8.xml276
-rw-r--r--modules/pam_selinux/pam_selinux.c818
-rw-r--r--modules/pam_selinux/pam_selinux_check.835
-rw-r--r--modules/pam_selinux/pam_selinux_check.c161
-rwxr-xr-xmodules/pam_selinux/tst-pam_selinux2
-rw-r--r--modules/pam_sepermit/Makefile.am42
-rw-r--r--modules/pam_sepermit/Makefile.in1234
-rw-r--r--modules/pam_sepermit/README48
-rw-r--r--modules/pam_sepermit/README.xml41
-rw-r--r--modules/pam_sepermit/pam_sepermit.8131
-rw-r--r--modules/pam_sepermit/pam_sepermit.8.xml194
-rw-r--r--modules/pam_sepermit/pam_sepermit.c440
-rw-r--r--modules/pam_sepermit/sepermit.conf11
-rw-r--r--modules/pam_sepermit/sepermit.conf.5117
-rw-r--r--modules/pam_sepermit/sepermit.conf.5.xml110
-rwxr-xr-xmodules/pam_sepermit/tst-pam_sepermit2
-rw-r--r--modules/pam_setquota/Makefile.am29
-rw-r--r--modules/pam_setquota/Makefile.in1146
-rw-r--r--modules/pam_setquota/README80
-rw-r--r--modules/pam_setquota/README.xml41
-rw-r--r--modules/pam_setquota/pam_setquota.8186
-rw-r--r--modules/pam_setquota/pam_setquota.8.xml301
-rw-r--r--modules/pam_setquota/pam_setquota.c389
-rwxr-xr-xmodules/pam_setquota/tst-pam_setquota2
-rw-r--r--modules/pam_shells/Makefile.am33
-rw-r--r--modules/pam_shells/Makefile.in1150
-rw-r--r--modules/pam_shells/README24
-rw-r--r--modules/pam_shells/README.xml41
-rw-r--r--modules/pam_shells/pam_shells.891
-rw-r--r--modules/pam_shells/pam_shells.8.xml117
-rw-r--r--modules/pam_shells/pam_shells.c108
-rwxr-xr-xmodules/pam_shells/tst-pam_shells2
-rw-r--r--modules/pam_stress/Makefile.am32
-rw-r--r--modules/pam_stress/Makefile.in1150
-rw-r--r--modules/pam_stress/README61
-rw-r--r--modules/pam_stress/README.xml31
-rw-r--r--modules/pam_stress/pam_stress.8190
-rw-r--r--modules/pam_stress/pam_stress.8.xml356
-rw-r--r--modules/pam_stress/pam_stress.c534
-rwxr-xr-xmodules/pam_stress/tst-pam_stress2
-rw-r--r--modules/pam_succeed_if/Makefile.am33
-rw-r--r--modules/pam_succeed_if/Makefile.in1150
-rw-r--r--modules/pam_succeed_if/README131
-rw-r--r--modules/pam_succeed_if/README.xml41
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.8226
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.8.xml307
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.c618
-rwxr-xr-xmodules/pam_succeed_if/tst-pam_succeed_if2
-rw-r--r--modules/pam_time/Makefile.am34
-rw-r--r--modules/pam_time/Makefile.in1221
-rw-r--r--modules/pam_time/README35
-rw-r--r--modules/pam_time/README.xml34
-rw-r--r--modules/pam_time/pam_time.8122
-rw-r--r--modules/pam_time/pam_time.8.xml198
-rw-r--r--modules/pam_time/pam_time.c677
-rw-r--r--modules/pam_time/time.conf65
-rw-r--r--modules/pam_time/time.conf.5115
-rw-r--r--modules/pam_time/time.conf.5.xml149
-rwxr-xr-xmodules/pam_time/tst-pam_time2
-rw-r--r--modules/pam_timestamp/Makefile.am60
-rw-r--r--modules/pam_timestamp/Makefile.in1349
-rw-r--r--modules/pam_timestamp/README56
-rw-r--r--modules/pam_timestamp/README.xml46
-rw-r--r--modules/pam_timestamp/hmac_openssl_wrapper.c381
-rw-r--r--modules/pam_timestamp/hmac_openssl_wrapper.h57
-rw-r--r--modules/pam_timestamp/hmacfile.c163
-rw-r--r--modules/pam_timestamp/hmacsha1.c295
-rw-r--r--modules/pam_timestamp/hmacsha1.h15
-rw-r--r--modules/pam_timestamp/pam_timestamp.8135
-rw-r--r--modules/pam_timestamp/pam_timestamp.8.xml208
-rw-r--r--modules/pam_timestamp/pam_timestamp.c873
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.8133
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.8.xml207
-rw-r--r--modules/pam_timestamp/pam_timestamp_check.c42
-rw-r--r--modules/pam_timestamp/sha1.c253
-rw-r--r--modules/pam_timestamp/sha1.h65
-rwxr-xr-xmodules/pam_timestamp/tst-pam_timestamp2
-rw-r--r--modules/pam_tty_audit/Makefile.am32
-rw-r--r--modules/pam_tty_audit/Makefile.in1149
-rw-r--r--modules/pam_tty_audit/README70
-rw-r--r--modules/pam_tty_audit/README.xml41
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8135
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8.xml199
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.c450
-rwxr-xr-xmodules/pam_tty_audit/tst-pam_tty_audit2
-rw-r--r--modules/pam_umask/Makefile.am33
-rw-r--r--modules/pam_umask/Makefile.in1150
-rw-r--r--modules/pam_umask/README65
-rw-r--r--modules/pam_umask/README.xml41
-rw-r--r--modules/pam_umask/pam_umask.8176
-rw-r--r--modules/pam_umask/pam_umask.8.xml261
-rw-r--r--modules/pam_umask/pam_umask.c238
-rwxr-xr-xmodules/pam_umask/tst-pam_umask2
-rw-r--r--modules/pam_unix/CHANGELOG54
-rw-r--r--modules/pam_unix/Makefile.am63
-rw-r--r--modules/pam_unix/Makefile.in1537
-rw-r--r--modules/pam_unix/README206
-rw-r--r--modules/pam_unix/README.xml41
-rw-r--r--modules/pam_unix/bigcrypt.c163
-rw-r--r--modules/pam_unix/bigcrypt.h1
-rw-r--r--modules/pam_unix/bigcrypt_main.c18
-rw-r--r--modules/pam_unix/lckpwdf.-c142
-rw-r--r--modules/pam_unix/md5.c258
-rw-r--r--modules/pam_unix/md5.h39
-rw-r--r--modules/pam_unix/md5_broken.c4
-rw-r--r--modules/pam_unix/md5_crypt.c157
-rw-r--r--modules/pam_unix/md5_good.c5
-rw-r--r--modules/pam_unix/pam_unix.8285
-rw-r--r--modules/pam_unix/pam_unix.8.xml501
-rw-r--r--modules/pam_unix/pam_unix_acct.c291
-rw-r--r--modules/pam_unix/pam_unix_auth.c215
-rw-r--r--modules/pam_unix/pam_unix_passwd.c875
-rw-r--r--modules/pam_unix/pam_unix_sess.c134
-rw-r--r--modules/pam_unix/passverify.c1211
-rw-r--r--modules/pam_unix/passverify.h115
-rw-r--r--modules/pam_unix/support.c893
-rw-r--r--modules/pam_unix/support.h182
-rwxr-xr-xmodules/pam_unix/tst-pam_unix2
-rw-r--r--modules/pam_unix/unix_chkpwd.853
-rw-r--r--modules/pam_unix/unix_chkpwd.8.xml67
-rw-r--r--modules/pam_unix/unix_chkpwd.c246
-rw-r--r--modules/pam_unix/unix_update.852
-rw-r--r--modules/pam_unix/unix_update.8.xml67
-rw-r--r--modules/pam_unix/unix_update.c192
-rw-r--r--modules/pam_unix/yppasswd.h51
-rw-r--r--modules/pam_unix/yppasswd_xdr.c40
-rw-r--r--modules/pam_userdb/Makefile.am35
-rw-r--r--modules/pam_userdb/Makefile.in1155
-rw-r--r--modules/pam_userdb/README76
-rw-r--r--modules/pam_userdb/README.xml41
-rw-r--r--modules/pam_userdb/create.pl21
-rw-r--r--modules/pam_userdb/pam_userdb.8158
-rw-r--r--modules/pam_userdb/pam_userdb.8.xml294
-rw-r--r--modules/pam_userdb/pam_userdb.c517
-rw-r--r--modules/pam_userdb/pam_userdb.h59
-rwxr-xr-xmodules/pam_userdb/tst-pam_userdb2
-rw-r--r--modules/pam_usertype/Makefile.am34
-rw-r--r--modules/pam_usertype/Makefile.in1151
-rw-r--r--modules/pam_usertype/README48
-rw-r--r--modules/pam_usertype/README.xml41
-rw-r--r--modules/pam_usertype/pam_usertype.8135
-rw-r--r--modules/pam_usertype/pam_usertype.8.xml199
-rw-r--r--modules/pam_usertype/pam_usertype.c311
-rwxr-xr-xmodules/pam_usertype/tst-pam_usertype2
-rw-r--r--modules/pam_warn/Makefile.am36
-rw-r--r--modules/pam_warn/Makefile.in1180
-rw-r--r--modules/pam_warn/README36
-rw-r--r--modules/pam_warn/README.xml41
-rw-r--r--modules/pam_warn/pam_warn.889
-rw-r--r--modules/pam_warn/pam_warn.8.xml105
-rw-r--r--modules/pam_warn/pam_warn.c92
-rwxr-xr-xmodules/pam_warn/tst-pam_warn2
-rw-r--r--modules/pam_warn/tst-pam_warn-retval.c88
-rw-r--r--modules/pam_wheel/Makefile.am33
-rw-r--r--modules/pam_wheel/Makefile.in1150
-rw-r--r--modules/pam_wheel/README61
-rw-r--r--modules/pam_wheel/README.xml41
-rw-r--r--modules/pam_wheel/pam_wheel.8147
-rw-r--r--modules/pam_wheel/pam_wheel.8.xml243
-rw-r--r--modules/pam_wheel/pam_wheel.c301
-rwxr-xr-xmodules/pam_wheel/tst-pam_wheel2
-rw-r--r--modules/pam_xauth/Makefile.am33
-rw-r--r--modules/pam_xauth/Makefile.in1150
-rw-r--r--modules/pam_xauth/README90
-rw-r--r--modules/pam_xauth/README.xml46
-rw-r--r--modules/pam_xauth/pam_xauth.8183
-rw-r--r--modules/pam_xauth/pam_xauth.8.xml293
-rw-r--r--modules/pam_xauth/pam_xauth.c803
-rwxr-xr-xmodules/pam_xauth/tst-pam_xauth2
-rw-r--r--pgp.keys.asc154
-rw-r--r--po/LINGUAS82
-rw-r--r--po/Linux-PAM.pot478
-rw-r--r--po/Makefile.in.in454
-rw-r--r--po/Makevars53
-rw-r--r--po/POTFILES.in95
-rw-r--r--po/Rules-quot47
-rw-r--r--po/af.gmobin0 -> 494 bytes
-rw-r--r--po/af.po483
-rw-r--r--po/am.gmobin0 -> 491 bytes
-rw-r--r--po/am.po483
-rw-r--r--po/ar.gmobin0 -> 6560 bytes
-rw-r--r--po/ar.po554
-rw-r--r--po/as.gmobin0 -> 10333 bytes
-rw-r--r--po/as.po574
-rw-r--r--po/az.gmobin0 -> 1996 bytes
-rw-r--r--po/az.po481
-rw-r--r--po/be.gmobin0 -> 569 bytes
-rw-r--r--po/be.po490
-rw-r--r--po/bg.gmobin0 -> 12566 bytes
-rw-r--r--po/bg.po568
-rw-r--r--po/bn.gmobin0 -> 10846 bytes
-rw-r--r--po/bn.po581
-rw-r--r--po/bn_IN.gmobin0 -> 10850 bytes
-rw-r--r--po/bn_IN.po576
-rw-r--r--po/boldquot.sed10
-rw-r--r--po/bs.gmobin0 -> 566 bytes
-rw-r--r--po/bs.po487
-rw-r--r--po/ca.gmobin0 -> 10400 bytes
-rw-r--r--po/ca.po577
-rw-r--r--po/cs.gmobin0 -> 9857 bytes
-rw-r--r--po/cs.po568
-rw-r--r--po/cy.gmobin0 -> 535 bytes
-rw-r--r--po/cy.po490
-rw-r--r--po/da.gmobin0 -> 9846 bytes
-rw-r--r--po/da.po562
-rw-r--r--po/de.gmobin0 -> 10185 bytes
-rw-r--r--po/de.po570
-rw-r--r--po/de_CH.gmobin0 -> 511 bytes
-rw-r--r--po/de_CH.po483
-rw-r--r--po/el.gmobin0 -> 467 bytes
-rw-r--r--po/el.po482
-rw-r--r--po/en@boldquot.header25
-rw-r--r--po/en@quot.header22
-rw-r--r--po/eo.gmobin0 -> 3833 bytes
-rw-r--r--po/eo.po481
-rw-r--r--po/es.gmobin0 -> 7937 bytes
-rw-r--r--po/es.po588
-rw-r--r--po/et.gmobin0 -> 2251 bytes
-rw-r--r--po/et.po517
-rw-r--r--po/eu.gmobin0 -> 968 bytes
-rw-r--r--po/eu.po488
-rw-r--r--po/fa.gmobin0 -> 485 bytes
-rw-r--r--po/fa.po480
-rw-r--r--po/fi.gmobin0 -> 10046 bytes
-rw-r--r--po/fi.po575
-rw-r--r--po/fr.gmobin0 -> 10700 bytes
-rw-r--r--po/fr.po590
-rw-r--r--po/ga.gmobin0 -> 7693 bytes
-rw-r--r--po/ga.po603
-rw-r--r--po/gl.gmobin0 -> 493 bytes
-rw-r--r--po/gl.po483
-rw-r--r--po/gu.gmobin0 -> 10377 bytes
-rw-r--r--po/gu.po573
-rw-r--r--po/he.gmobin0 -> 10834 bytes
-rw-r--r--po/he.po560
-rw-r--r--po/hi.gmobin0 -> 9833 bytes
-rw-r--r--po/hi.po574
-rw-r--r--po/hr.gmobin0 -> 565 bytes
-rw-r--r--po/hr.po487
-rw-r--r--po/hu.gmobin0 -> 7349 bytes
-rw-r--r--po/hu.po580
-rw-r--r--po/ia.gmobin0 -> 7077 bytes
-rw-r--r--po/ia.po580
-rw-r--r--po/id.gmobin0 -> 4025 bytes
-rw-r--r--po/id.po490
-rw-r--r--po/insert-header.sin23
-rw-r--r--po/is.gmobin0 -> 494 bytes
-rw-r--r--po/is.po483
-rw-r--r--po/it.gmobin0 -> 10029 bytes
-rw-r--r--po/it.po575
-rw-r--r--po/ja.gmobin0 -> 7744 bytes
-rw-r--r--po/ja.po574
-rw-r--r--po/ka.gmobin0 -> 2579 bytes
-rw-r--r--po/ka.po510
-rw-r--r--po/kk.gmobin0 -> 12453 bytes
-rw-r--r--po/kk.po561
-rw-r--r--po/km.gmobin0 -> 8868 bytes
-rw-r--r--po/km.po538
-rw-r--r--po/kn.gmobin0 -> 10850 bytes
-rw-r--r--po/kn.po572
-rw-r--r--po/ko.gmobin0 -> 10148 bytes
-rw-r--r--po/ko.po561
-rw-r--r--po/kw_GB.gmobin0 -> 448 bytes
-rw-r--r--po/kw_GB.po482
-rw-r--r--po/ky.gmobin0 -> 484 bytes
-rw-r--r--po/ky.po480
-rw-r--r--po/lt.gmobin0 -> 558 bytes
-rw-r--r--po/lt.po487
-rw-r--r--po/lv.gmobin0 -> 527 bytes
-rw-r--r--po/lv.po487
-rw-r--r--po/mk.gmobin0 -> 525 bytes
-rw-r--r--po/mk.po483
-rw-r--r--po/ml.gmobin0 -> 12685 bytes
-rw-r--r--po/ml.po572
-rw-r--r--po/mn.gmobin0 -> 494 bytes
-rw-r--r--po/mn.po483
-rw-r--r--po/mr.gmobin0 -> 10413 bytes
-rw-r--r--po/mr.po572
-rw-r--r--po/ms.gmobin0 -> 532 bytes
-rw-r--r--po/ms.po483
-rw-r--r--po/my.gmobin0 -> 485 bytes
-rw-r--r--po/my.po480
-rw-r--r--po/nb.gmobin0 -> 9536 bytes
-rw-r--r--po/nb.po564
-rw-r--r--po/ne.gmobin0 -> 491 bytes
-rw-r--r--po/ne.po483
-rw-r--r--po/nl.gmobin0 -> 10020 bytes
-rw-r--r--po/nl.po573
-rw-r--r--po/nn.gmobin0 -> 9531 bytes
-rw-r--r--po/nn.po484
-rw-r--r--po/or.gmobin0 -> 15523 bytes
-rw-r--r--po/or.po563
-rw-r--r--po/pa.gmobin0 -> 14212 bytes
-rw-r--r--po/pa.po561
-rw-r--r--po/pl.gmobin0 -> 10235 bytes
-rw-r--r--po/pl.po573
-rw-r--r--po/pt.gmobin0 -> 10388 bytes
-rw-r--r--po/pt.po577
-rw-r--r--po/pt_BR.gmobin0 -> 9795 bytes
-rw-r--r--po/pt_BR.po567
-rw-r--r--po/quot.sed6
-rw-r--r--po/remove-potcdate.sin19
-rw-r--r--po/ro.gmobin0 -> 10103 bytes
-rw-r--r--po/ro.po496
-rw-r--r--po/ru.gmobin0 -> 13398 bytes
-rw-r--r--po/ru.po576
-rw-r--r--po/si.gmobin0 -> 8618 bytes
-rw-r--r--po/si.po542
-rw-r--r--po/sk.gmobin0 -> 9917 bytes
-rw-r--r--po/sk.po578
-rw-r--r--po/sl.gmobin0 -> 546 bytes
-rw-r--r--po/sl.po490
-rw-r--r--po/sq.gmobin0 -> 493 bytes
-rw-r--r--po/sq.po483
-rw-r--r--po/sr.gmobin0 -> 9013 bytes
-rw-r--r--po/sr.po581
-rw-r--r--po/sr@latin.gmobin0 -> 6926 bytes
-rw-r--r--po/sr@latin.po579
-rw-r--r--po/stamp-po1
-rw-r--r--po/sv.gmobin0 -> 9864 bytes
-rw-r--r--po/sv.po571
-rw-r--r--po/ta.gmobin0 -> 10884 bytes
-rw-r--r--po/ta.po575
-rw-r--r--po/te.gmobin0 -> 11038 bytes
-rw-r--r--po/te.po572
-rw-r--r--po/tg.gmobin0 -> 490 bytes
-rw-r--r--po/tg.po483
-rw-r--r--po/th.gmobin0 -> 482 bytes
-rw-r--r--po/th.po480
-rw-r--r--po/tr.gmobin0 -> 9969 bytes
-rw-r--r--po/tr.po569
-rw-r--r--po/uk.gmobin0 -> 13290 bytes
-rw-r--r--po/uk.po580
-rw-r--r--po/ur.gmobin0 -> 468 bytes
-rw-r--r--po/ur.po482
-rw-r--r--po/vi.gmobin0 -> 7349 bytes
-rw-r--r--po/vi.po575
-rw-r--r--po/yo.gmobin0 -> 392 bytes
-rw-r--r--po/yo.po480
-rw-r--r--po/zh_CN.gmobin0 -> 9086 bytes
-rw-r--r--po/zh_CN.po561
-rw-r--r--po/zh_HK.gmobin0 -> 476 bytes
-rw-r--r--po/zh_HK.po479
-rw-r--r--po/zh_TW.gmobin0 -> 9083 bytes
-rw-r--r--po/zh_TW.po558
-rw-r--r--po/zu.gmobin0 -> 5759 bytes
-rw-r--r--po/zu.po548
-rw-r--r--tests/Makefile.am21
-rw-r--r--tests/Makefile.in1374
-rw-r--r--tests/confdir1
-rw-r--r--tests/tst-dlopen.c43
-rw-r--r--tests/tst-pam_acct_mgmt.c58
-rw-r--r--tests/tst-pam_authenticate.c58
-rw-r--r--tests/tst-pam_chauthtok.c58
-rw-r--r--tests/tst-pam_close_session.c58
-rw-r--r--tests/tst-pam_end.c79
-rw-r--r--tests/tst-pam_fail_delay.c79
-rw-r--r--tests/tst-pam_get_item.c134
-rw-r--r--tests/tst-pam_get_user.c176
-rw-r--r--tests/tst-pam_getenvlist.c134
-rw-r--r--tests/tst-pam_mkargv.c54
-rw-r--r--tests/tst-pam_open_session.c58
-rw-r--r--tests/tst-pam_set_data.c488
-rw-r--r--tests/tst-pam_set_item.c150
-rw-r--r--tests/tst-pam_setcred.c58
-rw-r--r--tests/tst-pam_start.c107
-rw-r--r--tests/tst-pam_start_confdir.c99
-rw-r--r--xtests/Makefile.am55
-rw-r--r--xtests/Makefile.in990
-rw-r--r--xtests/access.conf3
-rw-r--r--xtests/group.conf2
-rw-r--r--xtests/limits.conf2
-rwxr-xr-xxtests/run-xtests.sh67
-rw-r--r--xtests/time.conf2
-rw-r--r--xtests/tst-pam_access1.c132
-rw-r--r--xtests/tst-pam_access1.pamd5
-rwxr-xr-xxtests/tst-pam_access1.sh9
-rw-r--r--xtests/tst-pam_access2.c132
-rw-r--r--xtests/tst-pam_access2.pamd5
-rwxr-xr-xxtests/tst-pam_access2.sh9
-rw-r--r--xtests/tst-pam_access3.c132
-rw-r--r--xtests/tst-pam_access3.pamd5
-rwxr-xr-xxtests/tst-pam_access3.sh7
-rw-r--r--xtests/tst-pam_access4.c170
-rw-r--r--xtests/tst-pam_access4.pamd5
-rwxr-xr-xxtests/tst-pam_access4.sh7
-rw-r--r--xtests/tst-pam_assemble_line1.pamd8
-rwxr-xr-xxtests/tst-pam_assemble_line1.sh3
-rw-r--r--xtests/tst-pam_authfail.c96
-rw-r--r--xtests/tst-pam_authfail.pamd5
-rw-r--r--xtests/tst-pam_authsucceed.c96
-rw-r--r--xtests/tst-pam_authsucceed.pamd5
-rw-r--r--xtests/tst-pam_dispatch1.c99
-rw-r--r--xtests/tst-pam_dispatch1.pamd3
-rw-r--r--xtests/tst-pam_dispatch2.c98
-rw-r--r--xtests/tst-pam_dispatch2.pamd3
-rw-r--r--xtests/tst-pam_dispatch3.c87
-rw-r--r--xtests/tst-pam_dispatch3.pamd5
-rw-r--r--xtests/tst-pam_dispatch4.c94
-rw-r--r--xtests/tst-pam_dispatch4.pamd8
-rw-r--r--xtests/tst-pam_dispatch5.c86
-rw-r--r--xtests/tst-pam_dispatch5.pamd4
-rw-r--r--xtests/tst-pam_group1.c209
-rw-r--r--xtests/tst-pam_group1.pamd6
-rwxr-xr-xxtests/tst-pam_group1.sh11
-rw-r--r--xtests/tst-pam_limits1.c156
-rw-r--r--xtests/tst-pam_limits1.pamd5
-rwxr-xr-xxtests/tst-pam_limits1.sh7
-rw-r--r--xtests/tst-pam_motd.c69
-rwxr-xr-xxtests/tst-pam_motd.sh8
-rw-r--r--xtests/tst-pam_motd1.pamd3
-rwxr-xr-xxtests/tst-pam_motd1.sh36
-rw-r--r--xtests/tst-pam_motd2.pamd3
-rwxr-xr-xxtests/tst-pam_motd2.sh53
-rw-r--r--xtests/tst-pam_motd3.pamd3
-rwxr-xr-xxtests/tst-pam_motd3.sh53
-rw-r--r--xtests/tst-pam_motd4.pamd3
-rwxr-xr-xxtests/tst-pam_motd4.sh27
-rw-r--r--xtests/tst-pam_pwhistory1.c169
-rw-r--r--xtests/tst-pam_pwhistory1.pamd6
-rwxr-xr-xxtests/tst-pam_pwhistory1.sh7
-rw-r--r--xtests/tst-pam_substack1.pamd5
-rwxr-xr-xxtests/tst-pam_substack1.sh3
-rw-r--r--xtests/tst-pam_substack1a.pamd2
-rw-r--r--xtests/tst-pam_substack2.pamd6
-rwxr-xr-xxtests/tst-pam_substack2.sh3
-rw-r--r--xtests/tst-pam_substack2a.pamd2
-rw-r--r--xtests/tst-pam_substack3.pamd5
-rwxr-xr-xxtests/tst-pam_substack3.sh3
-rw-r--r--xtests/tst-pam_substack3a.pamd3
-rw-r--r--xtests/tst-pam_substack4.pamd5
-rwxr-xr-xxtests/tst-pam_substack4.sh3
-rw-r--r--xtests/tst-pam_substack4a.pamd4
-rw-r--r--xtests/tst-pam_substack5.pamd4
-rwxr-xr-xxtests/tst-pam_substack5.sh3
-rw-r--r--xtests/tst-pam_substack5a.pamd3
-rw-r--r--xtests/tst-pam_succeed_if1.c138
-rw-r--r--xtests/tst-pam_succeed_if1.pamd2
-rwxr-xr-xxtests/tst-pam_succeed_if1.sh9
-rw-r--r--xtests/tst-pam_time1.c113
-rw-r--r--xtests/tst-pam_time1.pamd5
-rw-r--r--xtests/tst-pam_unix1.c122
-rw-r--r--xtests/tst-pam_unix1.pamd5
-rwxr-xr-xxtests/tst-pam_unix1.sh7
-rw-r--r--xtests/tst-pam_unix2.c154
-rw-r--r--xtests/tst-pam_unix2.pamd5
-rwxr-xr-xxtests/tst-pam_unix2.sh8
-rw-r--r--xtests/tst-pam_unix3.c155
-rw-r--r--xtests/tst-pam_unix3.pamd5
-rwxr-xr-xxtests/tst-pam_unix3.sh8
-rw-r--r--xtests/tst-pam_unix4.c154
-rw-r--r--xtests/tst-pam_unix4.pamd5
-rwxr-xr-xxtests/tst-pam_unix4.sh14
1080 files changed, 288051 insertions, 0 deletions
diff --git a/ABOUT-NLS b/ABOUT-NLS
new file mode 100644
index 0000000..b1de1b6
--- /dev/null
+++ b/ABOUT-NLS
@@ -0,0 +1,1282 @@
+1 Notes on the Free Translation Project
+***************************************
+
+Free software is going international! The Free Translation Project is
+a way to get maintainers of free software, translators, and users all
+together, so that free software will gradually become able to speak many
+languages. A few packages already provide translations for their
+messages.
+
+ If you found this `ABOUT-NLS' file inside a distribution, you may
+assume that the distributed package does use GNU `gettext' internally,
+itself available at your nearest GNU archive site. But you do _not_
+need to install GNU `gettext' prior to configuring, installing or using
+this package with messages translated.
+
+ Installers will find here some useful hints. These notes also
+explain how users should proceed for getting the programs to use the
+available translations. They tell how people wanting to contribute and
+work on translations can contact the appropriate team.
+
+1.1 INSTALL Matters
+===================
+
+Some packages are "localizable" when properly installed; the programs
+they contain can be made to speak your own native language. Most such
+packages use GNU `gettext'. Other packages have their own ways to
+internationalization, predating GNU `gettext'.
+
+ By default, this package will be installed to allow translation of
+messages. It will automatically detect whether the system already
+provides the GNU `gettext' functions. Installers may use special
+options at configuration time for changing the default behaviour. The
+command:
+
+ ./configure --disable-nls
+
+will _totally_ disable translation of messages.
+
+ When you already have GNU `gettext' installed on your system and run
+configure without an option for your new package, `configure' will
+probably detect the previously built and installed `libintl' library
+and will decide to use it. If not, you may have to to use the
+`--with-libintl-prefix' option to tell `configure' where to look for it.
+
+ Internationalized packages usually have many `po/LL.po' files, where
+LL gives an ISO 639 two-letter code identifying the language. Unless
+translations have been forbidden at `configure' time by using the
+`--disable-nls' switch, all available translations are installed
+together with the package. However, the environment variable `LINGUAS'
+may be set, prior to configuration, to limit the installed set.
+`LINGUAS' should then contain a space separated list of two-letter
+codes, stating which languages are allowed.
+
+1.2 Using This Package
+======================
+
+As a user, if your language has been installed for this package, you
+only have to set the `LANG' environment variable to the appropriate
+`LL_CC' combination. If you happen to have the `LC_ALL' or some other
+`LC_xxx' environment variables set, you should unset them before
+setting `LANG', otherwise the setting of `LANG' will not have the
+desired effect. Here `LL' is an ISO 639 two-letter language code, and
+`CC' is an ISO 3166 two-letter country code. For example, let's
+suppose that you speak German and live in Germany. At the shell
+prompt, merely execute `setenv LANG de_DE' (in `csh'),
+`export LANG; LANG=de_DE' (in `sh') or `export LANG=de_DE' (in `bash').
+This can be done from your `.login' or `.profile' file, once and for
+all.
+
+ You might think that the country code specification is redundant.
+But in fact, some languages have dialects in different countries. For
+example, `de_AT' is used for Austria, and `pt_BR' for Brazil. The
+country code serves to distinguish the dialects.
+
+ The locale naming convention of `LL_CC', with `LL' denoting the
+language and `CC' denoting the country, is the one use on systems based
+on GNU libc. On other systems, some variations of this scheme are
+used, such as `LL' or `LL_CC.ENCODING'. You can get the list of
+locales supported by your system for your language by running the
+command `locale -a | grep '^LL''.
+
+ Not all programs have translations for all languages. By default, an
+English message is shown in place of a nonexistent translation. If you
+understand other languages, you can set up a priority list of languages.
+This is done through a different environment variable, called
+`LANGUAGE'. GNU `gettext' gives preference to `LANGUAGE' over `LANG'
+for the purpose of message handling, but you still need to have `LANG'
+set to the primary language; this is required by other parts of the
+system libraries. For example, some Swedish users who would rather
+read translations in German than English for when Swedish is not
+available, set `LANGUAGE' to `sv:de' while leaving `LANG' to `sv_SE'.
+
+ Special advice for Norwegian users: The language code for Norwegian
+bokma*l changed from `no' to `nb' recently (in 2003). During the
+transition period, while some message catalogs for this language are
+installed under `nb' and some older ones under `no', it's recommended
+for Norwegian users to set `LANGUAGE' to `nb:no' so that both newer and
+older translations are used.
+
+ In the `LANGUAGE' environment variable, but not in the `LANG'
+environment variable, `LL_CC' combinations can be abbreviated as `LL'
+to denote the language's main dialect. For example, `de' is equivalent
+to `de_DE' (German as spoken in Germany), and `pt' to `pt_PT'
+(Portuguese as spoken in Portugal) in this context.
+
+1.3 Translating Teams
+=====================
+
+For the Free Translation Project to be a success, we need interested
+people who like their own language and write it well, and who are also
+able to synergize with other translators speaking the same language.
+Each translation team has its own mailing list. The up-to-date list of
+teams can be found at the Free Translation Project's homepage,
+`http://translationproject.org/', in the "Teams" area.
+
+ If you'd like to volunteer to _work_ at translating messages, you
+should become a member of the translating team for your own language.
+The subscribing address is _not_ the same as the list itself, it has
+`-request' appended. For example, speakers of Swedish can send a
+message to `sv-request@li.org', having this message body:
+
+ subscribe
+
+ Keep in mind that team members are expected to participate
+_actively_ in translations, or at solving translational difficulties,
+rather than merely lurking around. If your team does not exist yet and
+you want to start one, or if you are unsure about what to do or how to
+get started, please write to `coordinator@translationproject.org' to
+reach the coordinator for all translator teams.
+
+ The English team is special. It works at improving and uniformizing
+the terminology in use. Proven linguistic skills are praised more than
+programming skills, here.
+
+1.4 Available Packages
+======================
+
+Languages are not equally supported in all packages. The following
+matrix shows the current state of internationalization, as of June
+2010. The matrix shows, in regard of each package, for which languages
+PO files have been submitted to translation coordination, with a
+translation percentage of at least 50%.
+
+ Ready PO files af am an ar as ast az be be@latin bg bn_IN bs ca
+ +--------------------------------------------------+
+ a2ps | [] [] |
+ aegis | |
+ ant-phone | |
+ anubis | |
+ aspell | [] [] |
+ bash | |
+ bfd | |
+ bibshelf | [] |
+ binutils | |
+ bison | |
+ bison-runtime | [] |
+ bluez-pin | [] [] |
+ bombono-dvd | |
+ buzztard | |
+ cflow | |
+ clisp | |
+ coreutils | [] [] |
+ cpio | |
+ cppi | |
+ cpplib | [] |
+ cryptsetup | |
+ dfarc | |
+ dialog | [] [] |
+ dico | |
+ diffutils | [] |
+ dink | |
+ doodle | |
+ e2fsprogs | [] |
+ enscript | [] |
+ exif | |
+ fetchmail | [] |
+ findutils | [] |
+ flex | [] |
+ freedink | |
+ gas | |
+ gawk | [] [] |
+ gcal | [] |
+ gcc | |
+ gettext-examples | [] [] [] [] |
+ gettext-runtime | [] [] |
+ gettext-tools | [] [] |
+ gip | [] |
+ gjay | |
+ gliv | [] |
+ glunarclock | [] [] |
+ gnubiff | |
+ gnucash | [] |
+ gnuedu | |
+ gnulib | |
+ gnunet | |
+ gnunet-gtk | |
+ gnutls | |
+ gold | |
+ gpe-aerial | |
+ gpe-beam | |
+ gpe-bluetooth | |
+ gpe-calendar | |
+ gpe-clock | [] |
+ gpe-conf | |
+ gpe-contacts | |
+ gpe-edit | |
+ gpe-filemanager | |
+ gpe-go | |
+ gpe-login | |
+ gpe-ownerinfo | [] |
+ gpe-package | |
+ gpe-sketchbook | |
+ gpe-su | [] |
+ gpe-taskmanager | [] |
+ gpe-timesheet | [] |
+ gpe-today | [] |
+ gpe-todo | |
+ gphoto2 | |
+ gprof | [] |
+ gpsdrive | |
+ gramadoir | |
+ grep | |
+ grub | [] [] |
+ gsasl | |
+ gss | |
+ gst-plugins-bad | [] |
+ gst-plugins-base | [] |
+ gst-plugins-good | [] |
+ gst-plugins-ugly | [] |
+ gstreamer | [] [] [] |
+ gtick | |
+ gtkam | [] |
+ gtkorphan | [] |
+ gtkspell | [] [] [] |
+ gutenprint | |
+ hello | [] |
+ help2man | |
+ hylafax | |
+ idutils | |
+ indent | [] [] |
+ iso_15924 | |
+ iso_3166 | [] [] [] [] [] [] [] |
+ iso_3166_2 | |
+ iso_4217 | |
+ iso_639 | [] [] [] [] |
+ iso_639_3 | |
+ jwhois | |
+ kbd | |
+ keytouch | [] |
+ keytouch-editor | |
+ keytouch-keyboa... | [] |
+ klavaro | [] |
+ latrine | |
+ ld | [] |
+ leafpad | [] [] |
+ libc | [] [] |
+ libexif | () |
+ libextractor | |
+ libgnutls | |
+ libgpewidget | |
+ libgpg-error | |
+ libgphoto2 | |
+ libgphoto2_port | |
+ libgsasl | |
+ libiconv | [] |
+ libidn | |
+ lifelines | |
+ liferea | [] [] |
+ lilypond | |
+ linkdr | [] |
+ lordsawar | |
+ lprng | |
+ lynx | [] |
+ m4 | |
+ mailfromd | |
+ mailutils | |
+ make | |
+ man-db | |
+ man-db-manpages | |
+ minicom | |
+ mkisofs | |
+ myserver | |
+ nano | [] [] |
+ opcodes | |
+ parted | |
+ pies | |
+ popt | |
+ psmisc | |
+ pspp | [] |
+ pwdutils | |
+ radius | [] |
+ recode | [] [] |
+ rosegarden | |
+ rpm | |
+ rush | |
+ sarg | |
+ screem | |
+ scrollkeeper | [] [] [] |
+ sed | [] [] |
+ sharutils | [] [] |
+ shishi | |
+ skencil | |
+ solfege | |
+ solfege-manual | |
+ soundtracker | |
+ sp | |
+ sysstat | |
+ tar | [] |
+ texinfo | |
+ tin | |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux-ng | [] |
+ vice | |
+ vmm | |
+ vorbis-tools | |
+ wastesedge | |
+ wdiff | |
+ wget | [] [] |
+ wyslij-po | |
+ xchat | [] [] [] [] |
+ xdg-user-dirs | [] [] [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] |
+ +--------------------------------------------------+
+ af am an ar as ast az be be@latin bg bn_IN bs ca
+ 6 0 1 2 3 19 1 10 3 28 3 1 38
+
+ crh cs da de el en en_GB en_ZA eo es et eu fa
+ +-------------------------------------------------+
+ a2ps | [] [] [] [] [] [] [] |
+ aegis | [] [] [] |
+ ant-phone | [] () |
+ anubis | [] [] |
+ aspell | [] [] [] [] [] |
+ bash | [] [] [] |
+ bfd | [] |
+ bibshelf | [] [] [] |
+ binutils | [] |
+ bison | [] [] |
+ bison-runtime | [] [] [] [] |
+ bluez-pin | [] [] [] [] [] [] |
+ bombono-dvd | [] |
+ buzztard | [] [] [] |
+ cflow | [] [] |
+ clisp | [] [] [] [] |
+ coreutils | [] [] [] [] |
+ cpio | |
+ cppi | |
+ cpplib | [] [] [] |
+ cryptsetup | [] |
+ dfarc | [] [] [] |
+ dialog | [] [] [] [] [] |
+ dico | |
+ diffutils | [] [] [] [] [] [] |
+ dink | [] [] [] |
+ doodle | [] |
+ e2fsprogs | [] [] [] |
+ enscript | [] [] [] |
+ exif | () [] [] |
+ fetchmail | [] [] () [] [] [] |
+ findutils | [] [] [] |
+ flex | [] [] |
+ freedink | [] [] [] |
+ gas | [] |
+ gawk | [] [] [] |
+ gcal | [] |
+ gcc | [] [] |
+ gettext-examples | [] [] [] [] |
+ gettext-runtime | [] [] [] [] |
+ gettext-tools | [] [] [] |
+ gip | [] [] [] [] |
+ gjay | [] |
+ gliv | [] [] [] |
+ glunarclock | [] [] |
+ gnubiff | () |
+ gnucash | [] () () () () |
+ gnuedu | [] [] |
+ gnulib | [] [] |
+ gnunet | |
+ gnunet-gtk | [] |
+ gnutls | [] [] |
+ gold | [] |
+ gpe-aerial | [] [] [] [] |
+ gpe-beam | [] [] [] [] |
+ gpe-bluetooth | [] [] |
+ gpe-calendar | [] |
+ gpe-clock | [] [] [] [] |
+ gpe-conf | [] [] [] |
+ gpe-contacts | [] [] [] |
+ gpe-edit | [] [] |
+ gpe-filemanager | [] [] [] |
+ gpe-go | [] [] [] [] |
+ gpe-login | [] [] |
+ gpe-ownerinfo | [] [] [] [] |
+ gpe-package | [] [] [] |
+ gpe-sketchbook | [] [] [] [] |
+ gpe-su | [] [] [] [] |
+ gpe-taskmanager | [] [] [] [] |
+ gpe-timesheet | [] [] [] [] |
+ gpe-today | [] [] [] [] |
+ gpe-todo | [] [] [] |
+ gphoto2 | [] [] () [] [] [] |
+ gprof | [] [] [] |
+ gpsdrive | [] [] [] |
+ gramadoir | [] [] [] |
+ grep | [] |
+ grub | [] [] |
+ gsasl | [] |
+ gss | |
+ gst-plugins-bad | [] [] [] [] [] |
+ gst-plugins-base | [] [] [] [] [] |
+ gst-plugins-good | [] [] [] [] [] [] |
+ gst-plugins-ugly | [] [] [] [] [] [] |
+ gstreamer | [] [] [] [] [] |
+ gtick | [] () [] |
+ gtkam | [] [] () [] [] |
+ gtkorphan | [] [] [] [] |
+ gtkspell | [] [] [] [] [] [] [] |
+ gutenprint | [] [] [] |
+ hello | [] [] [] [] |
+ help2man | [] |
+ hylafax | [] [] |
+ idutils | [] [] |
+ indent | [] [] [] [] [] [] [] |
+ iso_15924 | [] () [] [] |
+ iso_3166 | [] [] [] [] () [] [] [] () |
+ iso_3166_2 | () |
+ iso_4217 | [] [] [] () [] [] |
+ iso_639 | [] [] [] [] () [] [] |
+ iso_639_3 | [] |
+ jwhois | [] |
+ kbd | [] [] [] [] [] |
+ keytouch | [] [] |
+ keytouch-editor | [] [] |
+ keytouch-keyboa... | [] |
+ klavaro | [] [] [] [] |
+ latrine | [] () |
+ ld | [] [] |
+ leafpad | [] [] [] [] [] [] |
+ libc | [] [] [] [] |
+ libexif | [] [] () |
+ libextractor | |
+ libgnutls | [] |
+ libgpewidget | [] [] |
+ libgpg-error | [] [] |
+ libgphoto2 | [] () |
+ libgphoto2_port | [] () [] |
+ libgsasl | |
+ libiconv | [] [] [] [] [] |
+ libidn | [] [] [] |
+ lifelines | [] () |
+ liferea | [] [] [] [] [] |
+ lilypond | [] [] [] |
+ linkdr | [] [] [] |
+ lordsawar | [] |
+ lprng | |
+ lynx | [] [] [] [] |
+ m4 | [] [] [] [] |
+ mailfromd | |
+ mailutils | [] |
+ make | [] [] [] |
+ man-db | |
+ man-db-manpages | |
+ minicom | [] [] [] [] |
+ mkisofs | |
+ myserver | |
+ nano | [] [] [] |
+ opcodes | [] [] |
+ parted | [] [] |
+ pies | |
+ popt | [] [] [] [] [] |
+ psmisc | [] [] [] |
+ pspp | [] |
+ pwdutils | [] |
+ radius | [] |
+ recode | [] [] [] [] [] [] |
+ rosegarden | () () () |
+ rpm | [] [] [] |
+ rush | |
+ sarg | |
+ screem | |
+ scrollkeeper | [] [] [] [] [] |
+ sed | [] [] [] [] [] [] |
+ sharutils | [] [] [] [] |
+ shishi | |
+ skencil | [] () [] |
+ solfege | [] [] [] |
+ solfege-manual | [] [] |
+ soundtracker | [] [] [] |
+ sp | [] |
+ sysstat | [] [] [] |
+ tar | [] [] [] [] |
+ texinfo | [] [] [] |
+ tin | [] [] |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux-ng | [] [] [] [] |
+ vice | () () |
+ vmm | [] |
+ vorbis-tools | [] [] |
+ wastesedge | [] |
+ wdiff | [] [] |
+ wget | [] [] [] |
+ wyslij-po | |
+ xchat | [] [] [] [] [] |
+ xdg-user-dirs | [] [] [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] [] [] [] [] |
+ +-------------------------------------------------+
+ crh cs da de el en en_GB en_ZA eo es et eu fa
+ 5 64 105 117 18 1 8 0 28 89 18 19 0
+
+ fi fr ga gl gu he hi hr hu hy id is it ja ka kn
+ +----------------------------------------------------+
+ a2ps | [] [] [] [] |
+ aegis | [] [] |
+ ant-phone | [] [] |
+ anubis | [] [] [] [] |
+ aspell | [] [] [] [] |
+ bash | [] [] [] [] |
+ bfd | [] [] [] |
+ bibshelf | [] [] [] [] [] |
+ binutils | [] [] [] |
+ bison | [] [] [] [] |
+ bison-runtime | [] [] [] [] [] [] |
+ bluez-pin | [] [] [] [] [] [] [] [] |
+ bombono-dvd | [] |
+ buzztard | [] |
+ cflow | [] [] [] |
+ clisp | [] |
+ coreutils | [] [] [] [] [] |
+ cpio | [] [] [] [] |
+ cppi | [] [] |
+ cpplib | [] [] [] |
+ cryptsetup | [] [] [] |
+ dfarc | [] [] [] |
+ dialog | [] [] [] [] [] [] [] |
+ dico | |
+ diffutils | [] [] [] [] [] [] [] [] [] |
+ dink | [] |
+ doodle | [] [] |
+ e2fsprogs | [] [] |
+ enscript | [] [] [] [] |
+ exif | [] [] [] [] [] [] |
+ fetchmail | [] [] [] [] |
+ findutils | [] [] [] [] [] [] |
+ flex | [] [] [] |
+ freedink | [] [] [] |
+ gas | [] [] |
+ gawk | [] [] [] [] () [] |
+ gcal | [] |
+ gcc | [] |
+ gettext-examples | [] [] [] [] [] [] [] |
+ gettext-runtime | [] [] [] [] [] [] |
+ gettext-tools | [] [] [] [] |
+ gip | [] [] [] [] [] [] |
+ gjay | [] |
+ gliv | [] () |
+ glunarclock | [] [] [] [] |
+ gnubiff | () [] () |
+ gnucash | () () () () () [] |
+ gnuedu | [] [] |
+ gnulib | [] [] [] [] [] [] |
+ gnunet | |
+ gnunet-gtk | [] |
+ gnutls | [] [] |
+ gold | [] [] |
+ gpe-aerial | [] [] [] |
+ gpe-beam | [] [] [] [] |
+ gpe-bluetooth | [] [] [] [] |
+ gpe-calendar | [] [] |
+ gpe-clock | [] [] [] [] [] |
+ gpe-conf | [] [] [] [] |
+ gpe-contacts | [] [] [] [] |
+ gpe-edit | [] [] [] |
+ gpe-filemanager | [] [] [] [] |
+ gpe-go | [] [] [] [] [] |
+ gpe-login | [] [] [] |
+ gpe-ownerinfo | [] [] [] [] [] |
+ gpe-package | [] [] [] |
+ gpe-sketchbook | [] [] [] [] |
+ gpe-su | [] [] [] [] [] [] |
+ gpe-taskmanager | [] [] [] [] [] |
+ gpe-timesheet | [] [] [] [] [] |
+ gpe-today | [] [] [] [] [] [] [] |
+ gpe-todo | [] [] [] |
+ gphoto2 | [] [] [] [] [] [] |
+ gprof | [] [] [] [] |
+ gpsdrive | [] [] [] |
+ gramadoir | [] [] [] |
+ grep | [] [] |
+ grub | [] [] [] [] |
+ gsasl | [] [] [] [] [] |
+ gss | [] [] [] [] [] |
+ gst-plugins-bad | [] [] [] [] [] [] |
+ gst-plugins-base | [] [] [] [] [] [] |
+ gst-plugins-good | [] [] [] [] [] [] |
+ gst-plugins-ugly | [] [] [] [] [] [] |
+ gstreamer | [] [] [] [] [] |
+ gtick | [] [] [] [] [] |
+ gtkam | [] [] [] [] [] |
+ gtkorphan | [] [] [] |
+ gtkspell | [] [] [] [] [] [] [] [] [] |
+ gutenprint | [] [] [] [] |
+ hello | [] [] [] |
+ help2man | [] [] |
+ hylafax | [] |
+ idutils | [] [] [] [] [] [] |
+ indent | [] [] [] [] [] [] [] [] |
+ iso_15924 | [] () [] [] |
+ iso_3166 | [] () [] [] [] [] [] [] [] [] [] [] |
+ iso_3166_2 | () [] [] [] |
+ iso_4217 | [] () [] [] [] [] |
+ iso_639 | [] () [] [] [] [] [] [] [] |
+ iso_639_3 | () [] [] |
+ jwhois | [] [] [] [] [] |
+ kbd | [] [] |
+ keytouch | [] [] [] [] [] [] |
+ keytouch-editor | [] [] [] [] [] |
+ keytouch-keyboa... | [] [] [] [] [] |
+ klavaro | [] [] |
+ latrine | [] [] [] |
+ ld | [] [] [] [] |
+ leafpad | [] [] [] [] [] [] [] () |
+ libc | [] [] [] [] [] |
+ libexif | [] |
+ libextractor | |
+ libgnutls | [] [] |
+ libgpewidget | [] [] [] [] |
+ libgpg-error | [] [] |
+ libgphoto2 | [] [] [] |
+ libgphoto2_port | [] [] [] |
+ libgsasl | [] [] [] [] [] |
+ libiconv | [] [] [] [] [] [] |
+ libidn | [] [] [] [] |
+ lifelines | () |
+ liferea | [] [] [] [] |
+ lilypond | [] [] |
+ linkdr | [] [] [] [] [] |
+ lordsawar | |
+ lprng | [] |
+ lynx | [] [] [] [] [] |
+ m4 | [] [] [] [] [] [] |
+ mailfromd | |
+ mailutils | [] [] |
+ make | [] [] [] [] [] [] [] [] [] |
+ man-db | [] [] |
+ man-db-manpages | [] |
+ minicom | [] [] [] [] [] |
+ mkisofs | [] [] [] [] |
+ myserver | |
+ nano | [] [] [] [] [] [] |
+ opcodes | [] [] [] [] |
+ parted | [] [] [] [] |
+ pies | |
+ popt | [] [] [] [] [] [] [] [] [] |
+ psmisc | [] [] [] |
+ pspp | |
+ pwdutils | [] [] |
+ radius | [] [] |
+ recode | [] [] [] [] [] [] [] [] |
+ rosegarden | () () () () () |
+ rpm | [] [] |
+ rush | |
+ sarg | [] |
+ screem | [] [] |
+ scrollkeeper | [] [] [] [] |
+ sed | [] [] [] [] [] [] [] [] |
+ sharutils | [] [] [] [] [] [] [] |
+ shishi | [] |
+ skencil | [] |
+ solfege | [] [] [] [] |
+ solfege-manual | [] [] |
+ soundtracker | [] [] |
+ sp | [] () |
+ sysstat | [] [] [] [] [] |
+ tar | [] [] [] [] [] [] [] |
+ texinfo | [] [] [] [] |
+ tin | [] |
+ unicode-han-tra... | |
+ unicode-transla... | [] [] |
+ util-linux-ng | [] [] [] [] [] [] |
+ vice | () () () |
+ vmm | [] |
+ vorbis-tools | [] |
+ wastesedge | () () |
+ wdiff | [] |
+ wget | [] [] [] [] [] [] [] [] |
+ wyslij-po | [] [] [] |
+ xchat | [] [] [] [] [] [] [] [] [] |
+ xdg-user-dirs | [] [] [] [] [] [] [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] [] [] [] |
+ +----------------------------------------------------+
+ fi fr ga gl gu he hi hr hu hy id is it ja ka kn
+ 105 121 53 20 4 8 3 5 53 2 120 5 84 67 0 4
+
+ ko ku ky lg lt lv mk ml mn mr ms mt nb nds ne
+ +-----------------------------------------------+
+ a2ps | [] |
+ aegis | |
+ ant-phone | |
+ anubis | [] [] |
+ aspell | [] |
+ bash | |
+ bfd | |
+ bibshelf | [] [] |
+ binutils | |
+ bison | [] |
+ bison-runtime | [] [] [] [] [] |
+ bluez-pin | [] [] [] [] [] |
+ bombono-dvd | |
+ buzztard | |
+ cflow | |
+ clisp | |
+ coreutils | [] |
+ cpio | |
+ cppi | |
+ cpplib | |
+ cryptsetup | |
+ dfarc | [] |
+ dialog | [] [] [] [] [] |
+ dico | |
+ diffutils | [] [] |
+ dink | |
+ doodle | |
+ e2fsprogs | |
+ enscript | |
+ exif | [] |
+ fetchmail | |
+ findutils | |
+ flex | |
+ freedink | [] |
+ gas | |
+ gawk | |
+ gcal | |
+ gcc | |
+ gettext-examples | [] [] [] [] |
+ gettext-runtime | [] |
+ gettext-tools | [] |
+ gip | [] [] |
+ gjay | |
+ gliv | |
+ glunarclock | [] |
+ gnubiff | |
+ gnucash | () () () () |
+ gnuedu | |
+ gnulib | |
+ gnunet | |
+ gnunet-gtk | |
+ gnutls | [] |
+ gold | |
+ gpe-aerial | [] |
+ gpe-beam | [] |
+ gpe-bluetooth | [] [] |
+ gpe-calendar | [] |
+ gpe-clock | [] [] [] [] [] |
+ gpe-conf | [] [] |
+ gpe-contacts | [] [] |
+ gpe-edit | [] |
+ gpe-filemanager | [] [] |
+ gpe-go | [] [] [] |
+ gpe-login | [] |
+ gpe-ownerinfo | [] [] |
+ gpe-package | [] [] |
+ gpe-sketchbook | [] [] |
+ gpe-su | [] [] [] [] [] [] |
+ gpe-taskmanager | [] [] [] [] [] [] |
+ gpe-timesheet | [] [] |
+ gpe-today | [] [] [] [] |
+ gpe-todo | [] [] |
+ gphoto2 | |
+ gprof | [] |
+ gpsdrive | |
+ gramadoir | |
+ grep | |
+ grub | |
+ gsasl | |
+ gss | |
+ gst-plugins-bad | [] [] [] [] |
+ gst-plugins-base | [] [] |
+ gst-plugins-good | [] [] |
+ gst-plugins-ugly | [] [] [] [] [] |
+ gstreamer | |
+ gtick | |
+ gtkam | [] |
+ gtkorphan | [] [] |
+ gtkspell | [] [] [] [] [] [] [] |
+ gutenprint | |
+ hello | [] [] [] |
+ help2man | |
+ hylafax | |
+ idutils | |
+ indent | |
+ iso_15924 | [] [] |
+ iso_3166 | [] [] () [] [] [] [] [] |
+ iso_3166_2 | |
+ iso_4217 | [] [] |
+ iso_639 | [] [] |
+ iso_639_3 | [] |
+ jwhois | [] |
+ kbd | |
+ keytouch | [] |
+ keytouch-editor | [] |
+ keytouch-keyboa... | [] |
+ klavaro | [] |
+ latrine | [] |
+ ld | |
+ leafpad | [] [] [] |
+ libc | [] |
+ libexif | |
+ libextractor | |
+ libgnutls | [] |
+ libgpewidget | [] [] |
+ libgpg-error | |
+ libgphoto2 | |
+ libgphoto2_port | |
+ libgsasl | |
+ libiconv | |
+ libidn | |
+ lifelines | |
+ liferea | |
+ lilypond | |
+ linkdr | |
+ lordsawar | |
+ lprng | |
+ lynx | |
+ m4 | |
+ mailfromd | |
+ mailutils | |
+ make | [] |
+ man-db | |
+ man-db-manpages | |
+ minicom | [] |
+ mkisofs | |
+ myserver | |
+ nano | [] [] |
+ opcodes | |
+ parted | |
+ pies | |
+ popt | [] [] [] |
+ psmisc | |
+ pspp | |
+ pwdutils | |
+ radius | |
+ recode | |
+ rosegarden | |
+ rpm | |
+ rush | |
+ sarg | |
+ screem | |
+ scrollkeeper | [] [] |
+ sed | |
+ sharutils | |
+ shishi | |
+ skencil | |
+ solfege | [] |
+ solfege-manual | |
+ soundtracker | |
+ sp | |
+ sysstat | [] |
+ tar | [] |
+ texinfo | [] |
+ tin | |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux-ng | |
+ vice | |
+ vmm | |
+ vorbis-tools | |
+ wastesedge | |
+ wdiff | |
+ wget | [] |
+ wyslij-po | |
+ xchat | [] [] [] |
+ xdg-user-dirs | [] [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] [] |
+ +-----------------------------------------------+
+ ko ku ky lg lt lv mk ml mn mr ms mt nb nds ne
+ 20 5 10 1 13 48 4 2 2 4 24 10 20 3 1
+
+ nl nn or pa pl ps pt pt_BR ro ru rw sk sl sq sr
+ +---------------------------------------------------+
+ a2ps | [] [] [] [] [] [] [] [] |
+ aegis | [] [] [] |
+ ant-phone | [] [] |
+ anubis | [] [] [] |
+ aspell | [] [] [] [] [] |
+ bash | [] [] |
+ bfd | [] |
+ bibshelf | [] [] |
+ binutils | [] [] |
+ bison | [] [] [] |
+ bison-runtime | [] [] [] [] [] [] [] |
+ bluez-pin | [] [] [] [] [] [] [] [] |
+ bombono-dvd | [] () |
+ buzztard | [] [] |
+ cflow | [] |
+ clisp | [] [] |
+ coreutils | [] [] [] [] [] [] |
+ cpio | [] [] [] |
+ cppi | [] |
+ cpplib | [] |
+ cryptsetup | [] |
+ dfarc | [] |
+ dialog | [] [] [] [] |
+ dico | [] |
+ diffutils | [] [] [] [] [] [] |
+ dink | () |
+ doodle | [] [] |
+ e2fsprogs | [] [] |
+ enscript | [] [] [] [] [] |
+ exif | [] [] [] () [] |
+ fetchmail | [] [] [] [] |
+ findutils | [] [] [] [] [] |
+ flex | [] [] [] [] [] |
+ freedink | [] [] |
+ gas | |
+ gawk | [] [] [] [] |
+ gcal | |
+ gcc | [] |
+ gettext-examples | [] [] [] [] [] [] [] [] |
+ gettext-runtime | [] [] [] [] [] [] [] [] [] |
+ gettext-tools | [] [] [] [] [] [] |
+ gip | [] [] [] [] [] |
+ gjay | |
+ gliv | [] [] [] [] [] [] |
+ glunarclock | [] [] [] [] [] |
+ gnubiff | [] () |
+ gnucash | [] () () () |
+ gnuedu | [] |
+ gnulib | [] [] [] [] |
+ gnunet | |
+ gnunet-gtk | |
+ gnutls | [] [] |
+ gold | |
+ gpe-aerial | [] [] [] [] [] [] [] |
+ gpe-beam | [] [] [] [] [] [] [] |
+ gpe-bluetooth | [] [] |
+ gpe-calendar | [] [] [] [] |
+ gpe-clock | [] [] [] [] [] [] [] [] |
+ gpe-conf | [] [] [] [] [] [] [] |
+ gpe-contacts | [] [] [] [] [] |
+ gpe-edit | [] [] [] |
+ gpe-filemanager | [] [] [] |
+ gpe-go | [] [] [] [] [] [] [] [] |
+ gpe-login | [] [] |
+ gpe-ownerinfo | [] [] [] [] [] [] [] [] |
+ gpe-package | [] [] |
+ gpe-sketchbook | [] [] [] [] [] [] [] |
+ gpe-su | [] [] [] [] [] [] [] [] |
+ gpe-taskmanager | [] [] [] [] [] [] [] [] |
+ gpe-timesheet | [] [] [] [] [] [] [] [] |
+ gpe-today | [] [] [] [] [] [] [] [] |
+ gpe-todo | [] [] [] [] [] |
+ gphoto2 | [] [] [] [] [] [] [] [] |
+ gprof | [] [] [] |
+ gpsdrive | [] [] |
+ gramadoir | [] [] |
+ grep | [] [] [] [] |
+ grub | [] [] [] |
+ gsasl | [] [] [] [] |
+ gss | [] [] [] |
+ gst-plugins-bad | [] [] [] [] [] [] |
+ gst-plugins-base | [] [] [] [] [] |
+ gst-plugins-good | [] [] [] [] [] |
+ gst-plugins-ugly | [] [] [] [] [] [] |
+ gstreamer | [] [] [] [] [] |
+ gtick | [] [] [] |
+ gtkam | [] [] [] [] [] [] |
+ gtkorphan | [] |
+ gtkspell | [] [] [] [] [] [] [] [] [] [] |
+ gutenprint | [] [] |
+ hello | [] [] [] [] |
+ help2man | [] [] |
+ hylafax | [] |
+ idutils | [] [] [] [] [] |
+ indent | [] [] [] [] [] [] [] |
+ iso_15924 | [] [] [] [] |
+ iso_3166 | [] [] [] [] [] () [] [] [] [] [] [] [] [] |
+ iso_3166_2 | [] [] [] |
+ iso_4217 | [] [] [] [] [] [] [] [] |
+ iso_639 | [] [] [] [] [] [] [] [] [] |
+ iso_639_3 | [] [] |
+ jwhois | [] [] [] [] |
+ kbd | [] [] [] |
+ keytouch | [] [] [] |
+ keytouch-editor | [] [] [] |
+ keytouch-keyboa... | [] [] [] |
+ klavaro | [] [] |
+ latrine | [] [] |
+ ld | |
+ leafpad | [] [] [] [] [] [] [] [] [] |
+ libc | [] [] [] [] |
+ libexif | [] [] () [] |
+ libextractor | |
+ libgnutls | [] [] |
+ libgpewidget | [] [] [] |
+ libgpg-error | [] [] |
+ libgphoto2 | [] [] |
+ libgphoto2_port | [] [] [] [] [] |
+ libgsasl | [] [] [] [] [] |
+ libiconv | [] [] [] [] [] |
+ libidn | [] [] |
+ lifelines | [] [] |
+ liferea | [] [] [] [] [] () () [] |
+ lilypond | [] |
+ linkdr | [] [] [] |
+ lordsawar | |
+ lprng | [] |
+ lynx | [] [] [] |
+ m4 | [] [] [] [] [] |
+ mailfromd | [] |
+ mailutils | [] |
+ make | [] [] [] [] |
+ man-db | [] [] [] |
+ man-db-manpages | [] [] [] |
+ minicom | [] [] [] [] |
+ mkisofs | [] [] [] |
+ myserver | |
+ nano | [] [] [] [] |
+ opcodes | [] [] |
+ parted | [] [] [] [] |
+ pies | [] |
+ popt | [] [] [] [] |
+ psmisc | [] [] [] |
+ pspp | [] [] |
+ pwdutils | [] |
+ radius | [] [] [] |
+ recode | [] [] [] [] [] [] [] [] |
+ rosegarden | () () |
+ rpm | [] [] [] |
+ rush | [] [] |
+ sarg | |
+ screem | |
+ scrollkeeper | [] [] [] [] [] [] [] [] |
+ sed | [] [] [] [] [] [] [] [] [] |
+ sharutils | [] [] [] [] |
+ shishi | [] |
+ skencil | [] [] |
+ solfege | [] [] [] [] |
+ solfege-manual | [] [] [] |
+ soundtracker | [] |
+ sp | |
+ sysstat | [] [] [] [] |
+ tar | [] [] [] [] |
+ texinfo | [] [] [] [] |
+ tin | [] |
+ unicode-han-tra... | |
+ unicode-transla... | |
+ util-linux-ng | [] [] [] [] [] |
+ vice | [] |
+ vmm | [] |
+ vorbis-tools | [] [] |
+ wastesedge | [] |
+ wdiff | [] [] |
+ wget | [] [] [] [] [] [] [] |
+ wyslij-po | [] [] [] |
+ xchat | [] [] [] [] [] [] [] [] [] |
+ xdg-user-dirs | [] [] [] [] [] [] [] [] [] [] [] [] [] [] |
+ xkeyboard-config | [] [] [] |
+ +---------------------------------------------------+
+ nl nn or pa pl ps pt pt_BR ro ru rw sk sl sq sr
+ 135 10 4 7 105 1 29 62 47 91 3 54 46 9 37
+
+ sv sw ta te tg th tr uk vi wa zh_CN zh_HK zh_TW
+ +---------------------------------------------------+
+ a2ps | [] [] [] [] [] | 27
+ aegis | [] | 9
+ ant-phone | [] [] [] [] | 9
+ anubis | [] [] [] [] | 15
+ aspell | [] [] [] | 20
+ bash | [] [] [] | 12
+ bfd | [] | 6
+ bibshelf | [] [] [] | 16
+ binutils | [] [] | 8
+ bison | [] [] | 12
+ bison-runtime | [] [] [] [] [] [] | 29
+ bluez-pin | [] [] [] [] [] [] [] [] | 37
+ bombono-dvd | [] | 4
+ buzztard | [] | 7
+ cflow | [] [] [] | 9
+ clisp | | 10
+ coreutils | [] [] [] [] | 22
+ cpio | [] [] [] [] [] [] | 13
+ cppi | [] [] | 5
+ cpplib | [] [] [] [] [] [] | 14
+ cryptsetup | [] [] | 7
+ dfarc | [] | 9
+ dialog | [] [] [] [] [] [] [] | 30
+ dico | [] | 2
+ diffutils | [] [] [] [] [] [] | 30
+ dink | | 4
+ doodle | [] [] | 7
+ e2fsprogs | [] [] [] | 11
+ enscript | [] [] [] [] | 17
+ exif | [] [] [] | 16
+ fetchmail | [] [] [] | 17
+ findutils | [] [] [] [] [] | 20
+ flex | [] [] [] [] | 15
+ freedink | [] | 10
+ gas | [] | 4
+ gawk | [] [] [] [] | 18
+ gcal | [] [] | 5
+ gcc | [] [] [] | 7
+ gettext-examples | [] [] [] [] [] [] [] | 34
+ gettext-runtime | [] [] [] [] [] [] [] | 29
+ gettext-tools | [] [] [] [] [] [] | 22
+ gip | [] [] [] [] | 22
+ gjay | [] | 3
+ gliv | [] [] [] | 14
+ glunarclock | [] [] [] [] [] | 19
+ gnubiff | [] [] | 4
+ gnucash | () [] () [] () | 10
+ gnuedu | [] [] | 7
+ gnulib | [] [] [] [] | 16
+ gnunet | [] | 1
+ gnunet-gtk | [] [] [] | 5
+ gnutls | [] [] [] | 10
+ gold | [] | 4
+ gpe-aerial | [] [] [] | 18
+ gpe-beam | [] [] [] | 19
+ gpe-bluetooth | [] [] [] | 13
+ gpe-calendar | [] [] [] [] | 12
+ gpe-clock | [] [] [] [] [] | 28
+ gpe-conf | [] [] [] [] | 20
+ gpe-contacts | [] [] [] | 17
+ gpe-edit | [] [] [] | 12
+ gpe-filemanager | [] [] [] [] | 16
+ gpe-go | [] [] [] [] [] | 25
+ gpe-login | [] [] [] | 11
+ gpe-ownerinfo | [] [] [] [] [] | 25
+ gpe-package | [] [] [] | 13
+ gpe-sketchbook | [] [] [] | 20
+ gpe-su | [] [] [] [] [] | 30
+ gpe-taskmanager | [] [] [] [] [] | 29
+ gpe-timesheet | [] [] [] [] [] | 25
+ gpe-today | [] [] [] [] [] [] | 30
+ gpe-todo | [] [] [] [] | 17
+ gphoto2 | [] [] [] [] [] | 24
+ gprof | [] [] [] | 15
+ gpsdrive | [] [] [] | 11
+ gramadoir | [] [] [] | 11
+ grep | [] [] [] | 10
+ grub | [] [] [] | 14
+ gsasl | [] [] [] [] | 14
+ gss | [] [] [] | 11
+ gst-plugins-bad | [] [] [] [] | 26
+ gst-plugins-base | [] [] [] [] [] | 24
+ gst-plugins-good | [] [] [] [] | 24
+ gst-plugins-ugly | [] [] [] [] [] | 29
+ gstreamer | [] [] [] [] | 22
+ gtick | [] [] [] | 13
+ gtkam | [] [] [] | 20
+ gtkorphan | [] [] [] | 14
+ gtkspell | [] [] [] [] [] [] [] [] [] | 45
+ gutenprint | [] | 10
+ hello | [] [] [] [] [] [] | 21
+ help2man | [] [] | 7
+ hylafax | [] | 5
+ idutils | [] [] [] [] | 17
+ indent | [] [] [] [] [] [] | 30
+ iso_15924 | () [] () [] [] | 16
+ iso_3166 | [] [] () [] [] () [] [] [] () | 53
+ iso_3166_2 | () [] () [] | 9
+ iso_4217 | [] () [] [] () [] [] | 26
+ iso_639 | [] [] [] () [] () [] [] [] [] | 38
+ iso_639_3 | [] () | 8
+ jwhois | [] [] [] [] [] | 16
+ kbd | [] [] [] [] [] | 15
+ keytouch | [] [] [] | 16
+ keytouch-editor | [] [] [] | 14
+ keytouch-keyboa... | [] [] [] | 14
+ klavaro | [] | 11
+ latrine | [] [] [] | 10
+ ld | [] [] [] [] | 11
+ leafpad | [] [] [] [] [] [] | 33
+ libc | [] [] [] [] [] | 21
+ libexif | [] () | 7
+ libextractor | [] | 1
+ libgnutls | [] [] [] | 9
+ libgpewidget | [] [] [] | 14
+ libgpg-error | [] [] [] | 9
+ libgphoto2 | [] [] | 8
+ libgphoto2_port | [] [] [] [] | 14
+ libgsasl | [] [] [] | 13
+ libiconv | [] [] [] [] | 21
+ libidn | () [] [] | 11
+ lifelines | [] | 4
+ liferea | [] [] [] | 21
+ lilypond | [] | 7
+ linkdr | [] [] [] [] [] | 17
+ lordsawar | | 1
+ lprng | [] | 3
+ lynx | [] [] [] [] | 17
+ m4 | [] [] [] [] | 19
+ mailfromd | [] [] | 3
+ mailutils | [] | 5
+ make | [] [] [] [] | 21
+ man-db | [] [] [] | 8
+ man-db-manpages | | 4
+ minicom | [] [] | 16
+ mkisofs | [] [] | 9
+ myserver | | 0
+ nano | [] [] [] [] | 21
+ opcodes | [] [] [] | 11
+ parted | [] [] [] [] [] | 15
+ pies | [] [] | 3
+ popt | [] [] [] [] [] [] | 27
+ psmisc | [] [] | 11
+ pspp | | 4
+ pwdutils | [] [] | 6
+ radius | [] [] | 9
+ recode | [] [] [] [] | 28
+ rosegarden | () | 0
+ rpm | [] [] [] | 11
+ rush | [] [] | 4
+ sarg | | 1
+ screem | [] | 3
+ scrollkeeper | [] [] [] [] [] | 27
+ sed | [] [] [] [] [] | 30
+ sharutils | [] [] [] [] [] | 22
+ shishi | [] | 3
+ skencil | [] [] | 7
+ solfege | [] [] [] [] | 16
+ solfege-manual | [] | 8
+ soundtracker | [] [] [] | 9
+ sp | [] | 3
+ sysstat | [] [] | 15
+ tar | [] [] [] [] [] [] | 23
+ texinfo | [] [] [] [] [] | 17
+ tin | | 4
+ unicode-han-tra... | | 0
+ unicode-transla... | | 2
+ util-linux-ng | [] [] [] [] | 20
+ vice | () () | 1
+ vmm | [] | 4
+ vorbis-tools | [] | 6
+ wastesedge | | 2
+ wdiff | [] [] | 7
+ wget | [] [] [] [] [] | 26
+ wyslij-po | [] [] | 8
+ xchat | [] [] [] [] [] [] | 36
+ xdg-user-dirs | [] [] [] [] [] [] [] [] [] [] | 63
+ xkeyboard-config | [] [] [] | 22
+ +---------------------------------------------------+
+ 85 teams sv sw ta te tg th tr uk vi wa zh_CN zh_HK zh_TW
+ 178 domains 119 1 3 3 0 10 65 51 155 17 98 7 41 2618
+
+ Some counters in the preceding matrix are higher than the number of
+visible blocks let us expect. This is because a few extra PO files are
+used for implementing regional variants of languages, or language
+dialects.
+
+ For a PO file in the matrix above to be effective, the package to
+which it applies should also have been internationalized and
+distributed as such by its maintainer. There might be an observable
+lag between the mere existence a PO file and its wide availability in a
+distribution.
+
+ If June 2010 seems to be old, you may fetch a more recent copy of
+this `ABOUT-NLS' file on most GNU archive sites. The most up-to-date
+matrix with full percentage details can be found at
+`http://translationproject.org/extra/matrix.html'.
+
+1.5 Using `gettext' in new packages
+===================================
+
+If you are writing a freely available program and want to
+internationalize it you are welcome to use GNU `gettext' in your
+package. Of course you have to respect the GNU Library General Public
+License which covers the use of the GNU `gettext' library. This means
+in particular that even non-free programs can use `libintl' as a shared
+library, whereas only free software can use `libintl' as a static
+library or use modified versions of `libintl'.
+
+ Once the sources are changed appropriately and the setup can handle
+the use of `gettext' the only thing missing are the translations. The
+Free Translation Project is also available for packages which are not
+developed inside the GNU project. Therefore the information given above
+applies also for every other Free Software Project. Contact
+`coordinator@translationproject.org' to make the `.pot' files available
+to the translation teams.
+
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..58862a6
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,7 @@
+Original authors and current maintainers of Linux-PAM:
+
+Andrew G. Morgan <morgan@kernel.org>
+Dmitry V. Levin <ldv@altlinux.org>
+Thorsten Kukuk <kukuk@thkukuk.de>
+Sebastien Tricaud <toady@gscore.org>
+Tomas Mraz <t8m@centrum.cz>
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000..a997c0f
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,1765 @@
+
+=======================================================================
+=======================================================================
+
+ This file is no longer used for tracking changes for Linux-PAM. For
+ user visible changes, please look at the NEWS file. A more verbose
+ list of changes can be found in ChangeLog.
+
+=======================================================================
+=======================================================================
+
+-----------------------------
+
+TODO:
+
+ - sanitize use of md5 throughout distribution.. Make a static
+ library for helping to develop modules that contains it and other
+ stuff. Also add sha-1 and ripemd-160 digest algorithms.
+ - once above is done. remove hacks from the secret@here module etc..
+ - document PAM_INCOMPLETE changes
+ - verify that the PAM_INCOMPLETE interface is sensible. Can we
+ catch errors? should we permit item changing etc., between
+ pam_authenticate re-invocations?
+ - verify that the PAM_INCOMPLETE interface works (auth seems ok..)
+ - add PAM_INCOMPLETE support to modules (partially added to pam_pwdb)
+ - work on RFC.
+ - auth and acct support in pam_cracklib, "yes, I know the password
+ you just typed was valid, I just don't think it was very strong..."
+
+====================================================================
+
+If you have found a bug in Linux-PAM (including a documentation bug,
+or a new feature request and/or patch), please consider filing such a
+bug report - outstanding bugs are listed here:
+
+ http://sourceforge.net/tracker/?atid=106663&group_id=6663&func=browse
+
+(to file another bug see the 'submit bug' button on that page).
+
+====================================================================
+
+0.81: please submit patches for this section with actual code/doc
+ patches!
+* pam_umask: New module for setting umask from GECOS field, /etc/login.defs
+ or /etc/default/login (kukuk)
+* configure/pam_strerror: Remove old ugly-hack option for pam_strerror
+ interface change (kukuk)
+* configure.in: Fix AC_DEFINE usage for autoheader (kukuk)
+* configure.in/_pam_aconf.h.in: Remove feature.h inclusion (kukuk)
+* defs: Remove obsolete directory/content (kukuk)
+* Rename _pam_aconf.h.in to config.h (kukuk)
+* pam_unix: Don't ignore pam_get_item return value (kukuk)
+* pam_userdb: Fix regression - crash when crypt param not specified (t8m)
+* libpam: Remove pam_authenticate_secondary stub (kukuk)
+* Use autoconf/automake/libtool (kukuk)
+* pam_securetty: Be fail-close on user lookups, always log failures,
+ not just with "debug" (Solar Designer)
+* Add gettext support
+* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
+ pt, zh_CN and zh_TW
+* pam_limits: Apply ALT Linux/Owl patch
+* pam_motd: Apply ALT Linux/Owl patch
+* libpam: Cache pam_get_user() failures
+* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
+ and pam_vinfo functions for use by modules as extension (kukuk).
+* pam_cracklib: Make path to cracklib dicts an option (kukuk).
+* libpam: Add pam_syslog function for unified syslog messages from
+ PAM modules (kukuk).
+* pam_tally, pam_time, pam_userdb: use pam_syslog and pam_prompt (ldv)
+* pam_issue: major cleanup (ldv)
+* pam_echo: New PAM module for message output (kukuk)
+* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
+ values for other limits are applied) patch by Anton Guda
+* pam_unix: Always honor nis flag on password change (by Aaron Hope)
+* libpam: Moved functions from pammodutil to libpam (t8m)
+* pam_lastlog: Cleanup, fix broken logic in pam_parse,
+ modify wtmp by default, nowtmp option switches that off (ldv)
+
+0.80: Wed Jul 13 13:23:20 CEST 2005
+* pam_tally: test for NULL data before dereferencing them (t8m)
+* pam_unix: fix regression introduced in 0.78 - both NIS and local password
+ should be changed if possible (t8m)
+* misc_conv: flush input first then print the prompt - fixes problem
+ with expect scripts (t8m)
+* pam_unix: nis option shouldn't clear the shadow option (t8m)
+* cleanups and minor bugfixes by Steve Grubb (t8m)
+* pam_private.h: set PAM_DEFAULT_PROMPT to "login: " (kukuk)
+* pam_mkhomedir: Create parent directories if they do not already
+ exist (Bug 600351 - kukuk)
+* pam_mkhomedir: Set owner/permissions of home directory after we
+ created all files (Bug 1032922 - kukuk)
+* pam_rhosts: Get rid of static buffer for path (kukuk)
+* pam_selinux/pam_unix/pam_rootok: Add SELinux support based on
+ patch from Red Hat (kukuk)
+* pam_limits: Correct support of unlimited limits, use correct type
+ for rlimit value (Bug 945449 - kukuk, t8m)
+* pam_xauth: Unset the XAUTHORITY variable when requesting user is
+ root and target user is not (t8m)
+* pam_access: Add listsep option to set list element separator by
+ Richard Shaffer (t8m)
+* pam_limits: Don't reset process priority if none is specified in
+ the config file (Novell #81690 - kukuk)
+* Fix all occurrence of dereferencing type-punned pointer will break
+ strict-aliasing rules warnings (kukuk)
+* pam_limits: Support new limits in linux 2.6.12 (t8m)
+* pam_mkhomedir: change mode datatype (toady)
+* pam_limits: Don't lowercase login names (kukuk)
+
+0.79: Thu Mar 31 16:48:45 CEST 2005
+* pam_tally: added audit option (toady)
+* pam_unix: don't log user unknown failure when he can be properly
+ authenticated by another module (t8m)
+* configure: don't abort if no cracklib dictinaries were found, but
+ warn user that pam_cracklib will not be built (kukuk)
+* modules/pam_unix/support.c: Fix return value if user aborts while
+ changes the password (Bug 872945 - kukuk)
+* modules/pam_unix/support.c: Fix return value for an unknown user
+ (Bug 872943 - kukuk)
+* pam_limits: support for new Linux kernel 2.6 limits (from toby cabot
+ - t8m)
+* pam_tally: major rewrite of the module (t8m)
+* libpam: don't return PAM_IGNORE for OK or JUMP actions if using
+ cached chain (Bug 629251 - t8m)
+* pam_nologin: don't overwrite return value with return from
+ pam_get_item (t8m)
+* libpam: Add more checks for broken PAM configuration files to
+ avoid seg.faults (kukuk)
+* pam_shells: correct README
+* libpam: Fix debug code (kukuk)
+* pam_limits: Fix order of LIMITS_DEF_* priorities (kukuk)
+* pam_xauth: preserve DISPLAY variable (Novell #66885 - kukuk)
+* libpam: Add prelude ids (http://www.prelude-ids.org) support,
+ as experimental. (toady)
+* configure: Add the directory where new versions of cracklib is
+ installed (from Jim Gifford - toady)
+* libpamc: Use standard u_intX_t types instead of __uX (kukuk)
+
+0.78: Do Nov 18 14:48:36 CET 2004
+
+* pam_unix: change the order of trying password changes - local first,
+ NIS second (t8m)
+* pam_wheel: add option only_root to make it affect authentication
+ to root account only
+* pam_unix: test return values on renaming files and report error to
+ syslog and to user
+* pam_unix: forced password change shouldn't trump account expiration
+* pam_unix: remove the use of openlog (from debian - toady)
+* pam_unix: NIS cleanup (patch from Philippe Troin)
+* pam_access: you can now authenticate an explicit user on an explicit
+ tty (from debian - toady)
+* pam_limits, pam_rhosts, pam_unix: fixed hurd portability issues
+ (patch from Igor Khavkine)
+* pam_env: added comments in the configuration file to avoid errors
+ (from debian - toady)
+* pam_mail: check PAM_NO_ENV to know if we can delete the environment
+ variable (from debian - toady)
+* pam_filter: s/termio/termios/g (from debian - toady)
+* pam_mkhomedir: no maxpathlen required (from debian - toady)
+* pam_limits: applied patch to allow explicit limits for root
+ and remove limits on su. (from debian - toady)
+* pam_unix: severe denial of service possible with this module since
+ it locked too aggressively. Bug report and testing help from Sascha
+ Loetz. (Bug 664290 - agmorgan)
+* getlogin was spoofable: "/tmp/" and "/dev/" have the same number of
+ characters, so 'ln /dev/tty /tmp/tty1 ; bash < /tmp/tty1 ; logname'
+ attacks could potentially spoof pam_wheel with the 'trust' module
+ argument into granting access to a luser. Also, pam_unix gave
+ odd error messages in such a situation (logname != uid). This
+ problem was found by David Endler of iDefense.com (Bug 667584 -
+ agmorgan).
+* added my new DSA public key to the pgp.keys.asc file. Also included
+ a signed copy of my new public key (1024D/D41A6DF2) made with my old
+ key (1024/2A398175).
+* added "include" directive to config file syntax.
+ The whole idea is to create few "systemwide" pam configs and include
+ parts of them in application pam configs.
+ (patch by "Dmitry V. Levin" <ldv@altlinux.org>) (Bug 812567 - baggins).
+* doc/modules/pam_mkhomedir.sgml: Remove wrong debug options
+ (Bug 591605 - kukuk)
+* pam_unix: Call password checking helper whenever the password field
+ contains only one character (Bug 1027903 - kukuk)
+* libpam/pam_start.c: All service names should be files below /etc/pam.d
+ and nothing else. Forbid paths. (Bug 1027912 - kukuk)
+* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib
+ module (Bug 1010142 - toady)
+* pam_userdb: applied patch from Paul Walmsley <paul@booyaka.com>
+ it now indicates whether encrypted or plaintext passwords are stored
+ in the database needed for pam_userdb (BerliOS - toady)
+* pam_group: The module should also ignore PAM_REINITIALIZE_CRED to
+ avoid spurious errors (from Linux distributors - kukuk)
+* pam_cracklib: Clear the entire options structure (from Linux
+ distributors - kukuk)
+* pam_issue: We write a NUL to prompt_tmp[tot_size] later, so make sure
+ that the destination is part of the allocated block, make do_prompt
+ static (from Linux distributors - kukuk)
+* ldconfig: Only run full ldconfig, if we don't install into a FAKEROOT
+ environment, else let ldconfig only create the symlinks correct
+ (from Linux distributors - kukuk)
+* pam_unix/pam_pwdb: Use SIG_DFL instead of SIG_IGN for SIGCHLD
+ (from Linux distributors - kukuk)
+* Add most of Steve Grubb's resource leak and other fixes (from
+ Linux distributors - kukuk)
+* doc/Makefile: Don't include .cvsignore files in tar ball (kukuk)
+* libpam_misc/misc_conv.c: Differentiate between Ctrl-D and
+ <Return> (Bug 1032604 - kukuk)
+* Make.Rules.in: Add targets for installing man pages for modules
+ (from Linux distributors - kukuk)
+* Add pam_xauth module (Bug 436440 - kukuk)
+* Add pam_localuser module (Bug 436444 - kukuk)
+* Add pam_succeed_if module (from Linux distributors - kukuk)
+* configure.in: Fix check for libcrypt (Bug 417704 - kukuk)
+* Add the "broken_shadow" argument to pam_unix, for ignoring errors
+ reading shadow information (from Linux distributors - kukuk)
+* Add patches to make PAM modules reentrant (Bug 440107 - kukuk)
+* Merge patches from Red Hat (Bug 477000 and other - kukuk)
+* Fix pam_rhosts option parsing (Bug 922648 - kukuk)
+* Add $ISA support in config files (from Red Hat - kukuk)
+
+0.77: Mon Sep 23 10:25:42 PDT 2002
+
+* documentation support for pdf files was not quite right -
+ installation was messed up.
+* pam_wheel was too aggressive to grant access (in the case of the
+ 'deny' option you want to pay attention to 'trust'). Fix from
+ Nalin (Bugs 476951, 476953 - agmorgan)
+* account management support for: pam_shells, pam_listfile, pam_wheel
+ and pam_securetty (+ static module fix for pam_nologin). Patch from
+ redhat through Harald Welte (Bug 436435 - agmorgan).
+* pam_wheel feature from Nalin - can use the module to provide wheel
+ access to non-root accounts. Also from Nalin, a bugfix related to
+ the primary group of the applicant is the 'wheel' group. (Bugs
+ 476980, 476941 - agmorgan)
+* pam_unix and pam_pwdb: by default turn off the SIGCHLD handler while
+ running the helper binary (patch from Nalin) added the "noreap"
+ module argument to both of these modules to turn off this new
+ default. Bugfix found by Silvan Minghetti for former module and
+ 521314 checkin. (Bugs 476963, 521314 - agmorgan).
+* updated CHANGELOG and configure.in for 0.77 work.
+
+0.76: Mon Jul 8 21:44:59 PDT 2002
+
+* pam_unix: fix for legacy crypt() support when the password entered
+ was long. (Bug 521314 - agmorgan).
+* pam_access no longer include gethostname() prototype complaint from
+ David Lee (Bug 415423 - agmorgan).
+* make pam_nologin more secure by default, added two new module
+ arguments etc. - acting on suggestion from Nico (Bug 419307 -
+ agmorgan)
+* link in libpam to libpam_misc - since the latter uses functions in
+ the former it makes some sort of sense to do this (although, in the
+ static library case, I remain to be convinced). (Bug 565470 -
+ agmorgan).
+* absorbed some of the proposed darwin (OS X) changes from Luke Howard
+ (of PADL software) - hopefully will get the rest (see Rob Braun's
+ 534205) by 0.77 (Bug 491466 - agmorgan).
+* README fix for pam_unix from Nalin (Bug 476971 - agmorgan).
+* add support for building pdf files from the documentation - request
+ from 'lolive' (Bug 471377 - agmorgan).
+* documented the equivalent '[..]' expressions for "required"
+ etc. Request from Ross Patterson (Bug 529078 - agmorgan).
+* '[...]' parsing: document it and also fix it to support '\]' escape
+ sequence. Feature request from Russell Kliese (Bug 517064 -
+ agmorgan).
+* pam_rootok: compilation warning noted by Tony den Haan wrt no
+ prototype for strcmp() (Bug 557322 - agmorgan).
+* documentation: (a few of mine in passing) and app documentation
+ suggestions regarding PAM environment variables and module
+ documentation changes regarding the conversation function from Jenn
+ Vesperman (Bug 527821, 527965 - agmorgan)
+* documentation: pam_time.sgml typo fixed, pam_motd exists now,
+ correct Red Hat comment about config files (Bugs 554274, 554261,
+ 554182 - agmorgan)
+* pam_limits: added '%' domain for maxlogins limiting, now '*' and @group
+ have the old meaning (every) and '%' the new one (all)
+ (Bug 533664 - baggins)
+* pam_limits: put not so interesting log messages under debug arg
+ (Bug 533668 - baggins)
+* pam_access: added the 'fieldsep=' argument (Bug 547051 - agmorgan),
+ made a PAM_RHOST of "" equivalent to NULL (Bug 547521 - agmorgan).
+* pam_limits: keep well know behaviour of maxlogins default ('*') limit
+ (Bug 533664 - baggins)
+* pam_unix: more from Nalin log password changes (Bug 517743 - agmorgan)
+* pam_limits: make it use the priority value specified in config
+ (bug 530428 - baggins)
+* pam_unix: removed broken code in password update code. Report from
+ Len Lattanzi (Bug 507379 - agmorgan)
+* pam_mkhomedir: recurse directories. Patch from Nalin (Bug 476981 -
+ agmorgan)
+* pam_limits can handle negative priority limits now (which can apply
+ to the superuser too) - based on patch from Nalin. Also cleanup the
+ error handling that was very sloppy before. Also, courtesy of Berend
+ De Schouwe get the math right on login counting (Bug 476990, 476987,
+ 493294 - agmorgan)
+* documentation: random typo fixes from Nalin and more stuff from me
+ (Bug 476949, Tasks 43507, 17426 - agmorgan)
+* A Tru64 fix (given other stuff has already resolved this, it
+ actually just a comment actually) from 'Eddie'. (Bug 418450 -
+ agmorgan)
+* pam_handlers: BSD fix from Dag-Erling Smrgrav and Anton Berezin
+ (Bug 486063 - agmorgan)
+* added the dynamic/* directory to the distribution. If you go in
+ there after building the rest of the tree, you'll make a pam.so
+ object that can be used by something like a java runtime with
+ dlopen. Its not very well tested - caveat emptor. (Bug 232194 -
+ agmorgan)
+* somehow pam_unix has started forcing the user prompt to be "login: ".
+ This is entirely inapropriate as it overrides PAM_USER_PROMPT. (Bug
+ 486361 - agmorgan).
+* added a static module helper library object includes a few changes
+ to examples/xsh.c for testing purposes (added a simple shell wrapper
+ for running xsh with the sandbox libraries), and also modified the
+ pam_rhosts_auth module to use this new library. (Bug 490938, 409852
+ - agmorgan).
+* pam_unix: fix 'likeauth' to kill off the memory leak once and for all.
+ (Bug 483959 - vorlon)
+* pam_unix: restore handling of 'likeauth' argument to a known working
+ state; prettify AUTH_RETURN macro; remove redundant argv checks in
+ pam_sm_setcred() (Bugs 483959, 113596 - vorlon)
+* pam_cracklib: another try at implementing similar() from Harald
+ Welte and Nalin (Bugs 436053, 476957 - agmorgan)
+* pam_access: default access.conf file contained a type (console
+ instead of LOCAL) fix from Nalin (Bug 476934 - agmorgan)
+* pam_unix: fixed bizarre memory leak pointed out by Fernando Trias
+ (Bug 483959 - agmorgan)
+* misc string comparison length checking changes from Nalin. Modules
+ touched, pam_cracklib, pam_listfile, pam_unix, pam_wheel (Bug 476947 -
+ agmorgan)
+* pam_userdb: require that all of typed password matches that in
+ database report and fix from Vladimir Pastukhov. (Bug 484252 - agmorgan)
+* pam_malloc: revived malloc debugging code, now tied to
+ --enable-memory-debug and added strdup() support (Bug 485454 - agmorgan)
+* pam_tally: Nalin's fix for lastlog corruption (Bug 476985 - agmorgan)
+* pam_rhosts: Nalin adds support for '+hostname', and zdd fix
+ compilation warning. (Bug 476986 - agmorgan)
+* pam_motd: Nalin fixed compiler warning. (Bug 476938 - agmorgan)
+* pam_pwdb: Solar Designer pointed out that there was a problem with
+ the compatibility support for md5 password hashing. (Bug 460717,
+ 476961 - agmorgan)
+* pam_issue: Nalin found segfaulting problems if the PAM_USER_PROMPT
+ is unset, found some similar problems with assumptions about
+ realloc. (Bug 476983 - agmorgan)
+* pam_env: 'weichangyang of hotmail' pointed out a wild string with no
+ valid '\0' was leading to problems with sshd and suggested fix (Bug
+ 473034 - agmorgan)
+* MANDIR cleanup. It defaults to /usr/share/man, but can be overridden
+ using the --enable-mandir ./configure option, similarly for DOCDIR
+ from Nalin (Bug 476940 - agmorgan)
+* pam_filter cleanup (including moving the filter directory) Nalin
+ and Harald Welte (Bugs 436057, 476970 - agmorgan)
+* db3 is now recognized as a libdb candidate (Bug 435764 - agmorgan)
+* more changes (extracted from redhat version) courtesy of
+ Harald Welte (Bugs pam_limits=436061, pam_lastlog=436060,
+ pam_mkhomedir/pam_env=435991 - agmorgan)
+* fix for legacy behavior of pam_setcred and pam_close_session in
+ the case that pam_authenticate and pam_open_session hadn't been
+ called - bug report from Seongwan Park. (Bug 468724 - agmorgan)
+* some BSD updates and fixes from Mark Murray - including a slightly
+ more robust conversation function and some minimization of gcc
+ warnings. (Bugs 449203,463984 - agmorgan)
+* verified that the setcred stack didn't suffer from the bug I was
+ nervous about, add a new module pam_debug to help me test this.
+ fixed a libpam/pam_dispatch.c instrumentation line that I tripped
+ over when testing. Also restructured pam_warn to help here (Bug
+ 424315 - agmorgan).
+* pam_unix/support.c: sample use of reentrant NSS function. Not yet active,
+ because modules do not include _pam_aconf_h! (Bug 440107 - vorlon)
+* doc/Makefile changes - use $(mandir) [courtesy Harald Welte] (Bug
+ 435760) and add some rules to make/delete the draft rfc I've been
+ working on (Task 17426 - agmorgan)
+* pam_modules.sgml: sourceforge has changed its CVS viewing software
+ (Bug 460491 - agmorgan)
+* pam_unix_passwd: got rid of an annoying warning (Bug 461089 - agmorgan)
+* configure.in, _pam_aconf.h.in: set the stage for fully reentrant PAM
+ modules, with some infrastructure to detect getxxbyxx_r() functions
+ (Bug 440107 - vorlon)
+* pam_unix: removed superfluous use of static variables in md5 and bigcrypt
+ routines, bringing us a step closer to thread-safeness. Eliminated
+ some variable indirection along the way. (Bug 440107 - vorlon)
+* pam_tally: remove #include of stdlib.h, which isn't needed by anything
+ found in this module. Can be readded if we find a real need for it at
+ a later date. (Bug 436432 - vorlon)
+* pam_tally: added an #include (was it really needed?) and made the
+ pam_tally app install (with more pretty printing and a corrected
+ Makefile dependency) motivated by a (red hat diff) courtesy of Harald
+ Welte (Bug 436432 - agmorgan)
+* configure.in changes to help support non-Linux environments courtesy
+ of Scott T. Emery (Bug 422563 - agmorgan)
+* made a pam_cracklib enhancement to interpret -ve limits in a
+ sensible fashion contributed by Werner Puschitz (Bug 413162 -
+ agmorgan)
+* another fix for the latest number of rlimits available to pam_limits
+ (Bug 424060 - agmorgan)
+* removed stale link from pam_pwdb documentation (Bug 433460 - agmorgan)
+* pam_appl.sgml change - more discussion of choosing a service name
+ (Bug 417512 - agmorgan)
+* more specific linking requirements for -lndbm for pam_userdb - from
+ David Lee (Bug 417339 - agmorgan)
+* a large number of small changes to make AIX support better (Bug
+ 416229 - agmorgan)
+* $(MAKE) instead of 'make' - from Scott T. Emery (Bug 422144 -
+ agmorgan)
+* c++ header fixes for pam_misc.h and pam_client.h - from Alexandre
+ Sagala (Bug 420270 - agmorgan)
+* pam_access fixes - looks out for trailing '.' - from Carlo Marcelo
+ Arenas Belon (Bug 419631 - agmorgan)
+* don't zero out password strings during pam_unix's password changing
+ function (Bug 419803 - vorlon)
+* propagate some definitions to the _pam_aconf.h file - from David Lee
+ (Bug 415419 - agmorgan)
+* solaris GCC OS_CFLAGS change from David Lee (Bug 415412 - agmorgan)
+* added a comment to this CHANGELOG to explain why most of the bugids
+ used below appear not to be known to sourceforge [try adding 100000
+ to the bugid number.] (Bug 414943 - agmorgan)
+* bumped version numbers and also added support for SONAME defines
+ that appear not to have survived the great autoconf experiment (Bug
+ 414669 - agmorgan).
+
+0.75: Sat Apr 7 23:10:50 PDT 2001
+
+ ** WARNING **
+
+This release contains backwardly incompatible changes to
+libpam. Prior versions were buggy - see bugfix for Bug 129775.
+
+ ** WARNING **
+
+* made 0.75 release (Bug 414665 - agmorgan)
+* pam_pwdb has been removed from the suggested pam.conf template. I've
+ replaced it with pam_unix. (Bug 227565 - agmorgan)
+* pam_limits - Richard M. Yumul reported that "<domain> -" didn't
+ work, first fix suggested by Werner Puschitz (Bug 404953 - agmorgan)
+* Nicolay Pelov suggested a simple fix for freebsd support (Bug 407282
+ - agmorgan)
+* Michel D'HOOGE submitted documentation fixes (Bug 408961 - agmorgan)
+* fix for module linking directions (Bug 133545 - agmorgan)
+* fix for glibc-2.2.2 compilation of pam_issue (Bug 133542 - agmorgan)
+* fix pam_userdb to make and link both .o files it needs - converse()
+ wasn't being linked! (Bug 132880 - agmorgan)
+* added some sys-admin documentation for the pam_tally module (Bug
+ 126210 - agmorgan).
+* added a link to module examples from the module writers doc (Bug
+ 131192 - agmorgan).
+* fixed a small security hole (more of a user confusion issue) with
+ the unix and pwdb password helper binaries. The beef is described in
+ the bug report, but no uid change was possible so no-one should
+ think they need to issue a security bulletin over this one! (Bug
+ 112540 - agmorgan)
+* pam_lastlog needs to be linked with -lutil, also removed ambiguity
+ from sysadmin guide regarding this module being a 'session' module
+ (Bug 131549 - agmorgan).
+* pam_cracklib needs to be linked with -lcrypt (old password checking)
+ (Bug 131601 - agmorgan).
+* fixes for static library builds and also the examples when linked
+ with the debugging build of the libraries. (Bug 131783 - agmorgan)
+* fixed URL for original RFC to a cached kernel.org file. (Bug 131503
+ - agmorgan)
+* quoted the $CRACKLIB_DICTPATH test in configure.in (Bug 130130 -
+ agmorgan).
+* improved handling of the setcred/close_session and update chauthtok
+ stack. *Warning* This is a backwardly incompatable change, but 'more
+ sane' than before. (Bug 129775 - agmorgan)
+* bumped the version number, and added some code to assist in making
+ documentation releases (Bug 129644 - agmorgan).
+
+0.74: Sun Jan 21 22:36:08 PST 2001
+
+* made 0.74 release (Bug 129642 - agmorgan)
+* libpam - cleaned up a few non-static functions to be static and added
+ support for libpam to enforce things like pam_[gs]et_data() and
+ AUTHTOK rules for using the API. Also documented pam_[gs]et_item()
+ a little better including return codes (Bugs 129027, 128576 -
+ agmorgan).
+* pam_access - fixed the non-default config file option (Bug 127561 -
+ agmorgan)
+* pam.8 manual page clarified with respect to the default location for
+ finding modules, also added some text describing the [...] control
+ syntax. (Bug 127625 - agmorgan)
+* md5.h ia64 fixes for pam_unix and pam_pwdb (Bug 127700 - agmorgan)
+* removed requirement for c++ from the configure{.in,} files (Bug
+ 128298 - agmorgan)
+* removed subdirectories from man page redirections (124396 - baggins)
+* per David Lee, fixed non-POSIX shell command in modules/pam_filter/Makefile
+ (Bug 126440 - vorlon)
+* modify format of pam_unix log messages to include service name
+ (Bug 126423 - vorlon)
+* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon)
+* changed format of pam_unix 'authentication failure' log messages to make
+ them clearer and more consistent (Bug 126036 - vorlon)
+* improved portability of pam_unix by eliminating Linux-specific utmp
+ defines in PAM_getlogin() (Bug 125704 - vorlon)
+* removed static variables from pam_tally (Bug 117434 - agmorgan)
+* added copyright message to pam_access module from original logdaemon
+ sources (Bug 125022 - agmorgan)
+* configure.in - removed the GCC -Wtraditional flag (Bug 124923 - agmorgan)
+* pam_mail - use PAM_PATH_MAILDIR as the location of mail spool
+ (Bug 124397 - baggins)
+* _pam_aconf.h.in, configure.in - added PAM_PATH_MAILDIR set via
+ --with-mailspool=dir option (default is _PAM_MAILDIR if defined
+ in paths.h otherwise /var/spool/mail (Bug 124397 - baggins)
+* removed unnecessary CVS Log tags from all over the source
+ (Bug 124391 - baggins)
+* pam_tally - check for PAM_TTY if PAM_RHOST is not set when writing
+ to faillog (Bug 124394 - baggins)
+* use O_NOFOLLOW if available when opening debug log (Bug 124385 - baggins)
+* pam_cracklib - removed comments about pam_unix not working with
+ pam_cracklib, added information about use_authtok parameter
+ (Bug 124388 - baggins)
+* pam_userdb - fixed wrong definition of struct pam_module (was pam_wheel)
+ (Bug 124386 - baggins)
+* fixed example/Makefile include path (Bug 124187, 127563(?) - agmorgan)
+* pam_userdb compiles on RH5x. Also removed circular dependency on
+ configure.in. Also bumped revision number to 0.74. (Bug 124136 -
+ agmorgan)
+
+0.73: Sat Dec 2 00:04:04 PST 2000
+
+* updated documentaion revisions and added 'make release' support
+ to the top level Makefile (Bug 124132 - agmorgan).
+* documented Qmail support in pam_mail (Bug 109219 - baggins)
+* add change_uid option to pam_limits, and set real uid only if
+ this option is present (Bug 124062 - baggins)
+* pam_limits - set real uid to the user for who we set limits.
+ (Bug 123972 - baggins)
+* removed static variables from pam_limits (thread safe now). (Bug
+ 117450 - agmorgan).
+* removed static variable from pam_wheel (module should be thread safe
+ now). (Bug 112906 - agmorgan)
+* added support for '/' symbols in pam_time and pam_group config files
+ (support for modern terminal devices). Fixed infinite loop problem
+ with '\\[^\n]' in these files. (Bug 116076 - agmorgan)
+* avoid potential SIGPIPE when writing to helper binaries with (Bug
+ 123399 - agmorgan)
+* replaced bogus logic in the pam_cracklib module for determining if
+ the replacement is too similar to the old password (Bug 115055 -
+ agmorgan)
+* added accessconf=<filename> feature to pam_access - request from
+ Aldrin Martoq and Meelis Roos (Bugs 111927,117240 - agmorgan)
+* fix for pam_limit module not dealing with all limits Adam J. Richter
+ (Bug 119554 - agmorgan)
+* comment fix describing fail_delay callback in _pam_types.h (Bug
+ 112646 - agmorgan)
+* "likeauth" fix for pam_unix and pam_pwdb which (Bug 113596 - agmorgan)
+* fix for pam_unix (support.c) to avoid segfault with NULL password
+ (Bug 113238 - vorlon)
+* fix to pam_unix_passwd: try repeatedly to get a lock on the password
+ file, instead of failing immediately (Bug 108845 - fix vorlon)
+* fix to pam_shells: logged information was not formatted correctly
+ (extra comma) (Bug 111491 - fix vorlon)
+* fix for C++ application support (Bug 111645 - fix agmorgan)
+* fix for typo in pam_client.h (Bug 111648 - fix agmorgan)
+* removal of -lpam from pam_mkhomedir Makefile (Bug 116380 - fix agmorgan)
+* autoconf support [Task ID 15788, Bug ID 108297 - agmorgan with help!]
+ - bugfix for libpamc.h include file [Bug ID 117476 - agmorgan]
+ - bugfix for pam_filter.h inclusion [Bug ID 117474 - agmorgan]
+
+0.72: Mon Dec 13 22:41:11 PST 1999
+
+* patches from Debian (Ben Collins): pam_ftp supports event driven
+ conversations now; pwdb_chkpwd cleanup; pam_warn static compile fix;
+ user_db compiler warnings removed; debian defs file; pam_mail can
+ now be used as a session module
+* ndbm compilation option for user_db module (fix explained by Richard Khoo)
+* pam_cracklib bug fix
+* packaging fixes & build from scratch stuff (Konst Bulatnikov & Frodo
+ Looijaard)
+* -ldl appended to the libpam.so compilation make rule. (Charles Seeger)
+* Red Hat security patch for pam_pwdb forwarded by Debian! (Ben
+ Collins. Fix provided by Andrey as it caught the problem earlier in the
+ code.)
+* heuristic to prevent leaking filedescriptors to an agent. [This needs
+ to be better supported perhaps by an additional libpamc API function?]
+* pam_userdb segfault fix from (Ben Collins)
+* PAM draft spec extras added at request of 'sen_ml'
+
+0.71: Sun Nov 7 20:21:19 PST 1999
+
+* added -lc to linker pass for pam_nologin module (glibc is weird).
+* various header changes to lower the number of warnings on glibc
+ systems (Dan Yefimov)
+* merged a bunch of Debian fixes/patches/documentation (Ben Collins)
+ things touched: libpam (minor); doc/modules/pam_unix.sgml; pam_env
+ (plus docs); pam_mkhomedir (new module for new home directories on
+ the fly...); pam_motd (new module); pam_limits (adjust to match
+ docs); pam_issue (new module + doc) [Some of these were also
+ submitted by Thorsten Kukuk]
+* small hack to lower the number of warnings that pam_client.h was
+ generating.
+* debian and SuSE apparently can use the pam_ftp module, so
+ removed the obsolete comment about this from the docs. (Thorsten
+ Kukuk)
+
+0.70: Fri Oct 8 22:05:30 PDT 1999
+
+* bug fix for parsing of value=action tokens in libpam/pam_misc.c was
+ segfaulting (Jan Rekorajski and independently Matthew Melvin)
+* numerous fixes from Thorsten Kukuk (icluding much needed fixes for
+ bitrot in modules and some documentation) that got included in SuSE 6.2.
+* reentrancy issues in pam_unix and pam_cracklib resolved (Jan Rekorajski)
+* added hosts_equiv_rootok module option to pam_rhosts module (Tim Berger)
+* added comment about 'expose_account' module argument to admin and
+ module writers' docs (request from Michael K Johnson).
+* myriad of bug fixes for libpamc - library now built by default and
+ works with the biomouse fingerprint scanner agent/module
+ (distributed separately).
+
+0.69: Sun Aug 1 20:25:37 PDT 1999
+
+* c++ header #ifdef'ing for pam_appl.h (Tuomo Pyhala)
+* added pam_userdb module (Cristian Gafton)
+* minor documentation changes
+* added in revised pam_client library (libpamc). Not installed by
+ default yet, since the example agent/module combo is not very secure.
+* glibc fixes (Thorsten Kukuk, Adam J. Richter)
+
+0.68: Sun Jul 4 23:04:13 PDT 1999
+
+* completely new pam_unix module from Jan Rekorajski and Stephen Langasek
+* Jan Rekorajski pam_mail - support for Maildir format mailboxes
+* Jan Rekorajski pam_cracklib - support for old password comparison
+* Jan Rekorajski bug fix for pam_pwdb setcred reusing auth retval
+* Andrey's pam_tally patch (lstat -> fstat)
+* Robert Milkowski's additional pam_tally patches to **change format of
+ /var/log/faillog** to one from shadow-utils, add new option "per_user"
+ for pam_tally module, failure time logging, support for fail_line
+ field, and support for fail_locktime field with new option
+ no_lock_time.
+* pam_tally: clean up the tally application too.
+* Marcin Korzonek added process priority settings to pam_limits (bonus
+ points for adding to documentation!)
+* Andrey's pam_pwdb patch (cleanup + md5 endian fubar fix)
+* more binary prompt preparations (make misc conv more compatible with spec)
+* modified callback hook for fail delay to be more useful with event
+ driven applications (changed function prototype - suspect no one
+ will notice). Documented this in app developer guide.
+* documentation for pam_access from Tim Berger
+* syntax fixes for the documentation - a long time since I've built it :*(
+ added some more names to the CREDITS file.
+
+0.67: Sat Jun 19 14:01:24 PDT 1999
+
+* [dropped libpam_client - libpamc will be in the next release and
+ conforms to the developing spec in doc/specs/draft-morgan-pam.raw.
+ Sorry if you are keeping a PAM tree in CVS. CVS is a pain for
+ directories, but this directory was actually not referenced by
+ anything so the disruption should be light.]
+* updates to pam_tally from Tim
+* multiple updates from Stephen Langasek to pam_unix
+* pam_filter had some trouble compiling (bug report from Sridhar)
+* pam_wheel now attempts to identify the wheel group for the local
+ system instead of blindly assuming it is gid=0. In the case that
+ there is no "wheel" group, we default to assuming gid=0 is what was
+ meant - former behavior. (courtesy of Sridhar)
+* NIS+ changes to pam_unix module from Dmitry O Panov
+* hopefully, a fix for redefinition of LOG_AUTHPRIV (bug report Luke
+ Kenneth Casson Leighton)
+* fix for minor typo in pam_wheel documentation (Jacek Kopecky)
+* slightly more explanation of the [x=y] pam.conf syntax in the sys
+ admin guide.
+
+0.66: Mon Dec 28 20:22:23 PST 1998 <morgan@linux.kernel.org>
+
+* Started using cvs to keep track of changes to Linux-PAM. This will
+ likely break some of the automated building stuff (RPMs etc..).
+* security bug fix to pam_unix and pam_tally from Andrey.
+* modules make file is now more automatic. It should be possible to
+ unpack an external module in the modules directory and have it automatically
+ added to the build process. Also added a modules/download-all script
+ that will make such downloading easier. I'm happy to receive patches to
+ this file, informing the distribution of places from which to enrich itself.
+* removed pam_system_log stuff. Thought about it long and hard: a
+ bad idea. If libc cannot guarantee a thread safe syslog, it needs
+ to be fixed and compatibility with other PAM libraries was
+ unnecessarily strained.
+* SAG documentation changes: Seth Chaiklin
+* rhosts: problems with NIS lookup failures with the root-uid check.
+ As a work-around, I've partially eliminated the need for the lookup
+ by supplying two new arguments: no_uid_check, superuser=<username>.
+ As a general rule this is more pluggable, since this module might be
+ used as an authentication scheme for a network service that does not
+ need root privilege...
+* authenticate retval -> setcred for pam_pwdb (likeauth arg).
+* pam_pwdb event driven support
+* non openlog pam_listfile logging
+* BUGFIX: close filedescriptor in pam_group and pam_time (Emmanuel Galanos)
+* Chris Adams' mailhash change for pam_mail module
+* fixed malloc failure check in pam_handlers.c (follow up to comment
+ by Brad M. Garcia).
+* update to _pam_compat.h (Brad M. Garcia)
+* support static modules in libpam again (Brad M. Garcia)
+* libpam/pam_misc.c for egcs to grok the code (Brad M. Garcia)
+* added a solaris-2.5.1 defs file (revived by Derrick J Brashear)
+* pam_listfile logs failed attempts
+* added a comment (Michael K Johnson pointed it out) about sgml2latex
+ having a new syntax. I'll make it the change real when I upgrade...
+* a little more text to the RFC, spelling fix from William J Buffam.
+* minor changes to pam_securetty to accommodate event driven support.
+
+0.65: Sun Apr 5 22:29:09 PDT 1998 <morgan@linux.kernel.org>
+
+* added event driven programming extensions to libpam
+ - added PAM_INCOMPLETE handling to libpam/pam_dispatch.c
+ - added PAM_CONV_AGAIN which is a new conversation response that
+ should be mapped to PAM_INCOMPLETE by the module.
+ - ensured that the pam_get_user() function can resume
+ - changes to pam_strerror to accommodate above return codes
+ - clean up _pam_former_state at pam_end()
+ - ensured that former state is correctly initialized
+ - added resumption tests to pam_authenticate(), pam_chauthtok()
+ - added PAM_FAIL_DELAY item for pausing on failure
+
+* improved _pam_macros.h so that macros can be used as single commands
+ (Andrey)
+
+* reimplemented logging to avoid bad interactions with libc. Added
+ new functions, pam_[,v]system_log() to libpam's API. A programmer
+ can check for this function's availablility by checking if
+ HAVE_PAM_SYSTEM_LOG is #defined.
+
+* removed the reduce conflict from pam_conv1 creation -- I can sleep
+ again now. :^]
+
+* made building of static and dynamic libpam separate. This is
+ towards making it possible to build both under Solaris (for Derrick)
+
+* made USE_CRACKLIB a condition in unix module (Luke Kenneth Casson Leighton)
+
+* automated (quiet) config installation (Andrey)
+
+0.64: Thu Feb 19 23:30:24 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* miscellaneous patches for building under Solaris (Derrick J Brashear)
+
+* removed STATIC support from a number of module Makefiles. Notably,
+ these modules are those that use libpwdb and caused difficulties
+ satisfying the build process. (Please submit patches to fix this...;)
+
+* reomved the union for binary packet conversations from
+ (_pam_types.h). This is now completely implemented in libpam_client.
+
+* Andrey's patch for working environment variable handling in
+ sh_secret module.
+
+* made the libpam_misc conversation function a bit more flexible with
+ respect to binary conversations.
+
+* added top level define (DEBUG_REL) for compiling in the form of
+ a debugging release. I use this on a Red Hat 4.2 system with little
+ chance of crashing the system as a whole. (Andrey has another
+ implementation of this -- with a spec file to match..)
+
+0.63: Wed Jan 28 22:55:30 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* added libpam_client "convention" library. This makes explicit the
+ use of PAM_BINARY_PROMPT. It is a first cut, so don't take it too
+ seriously yet. Comments/suggestions for improvements are very
+ welcome. Note, this library does not compile by default. It will
+ be enabled when it is judged stable. The library comes with two
+ module/agent pairs and can be used with ssh using a patch available
+ from my pre-release directory [where you got this file.]
+
+* backward compatibility patch for libpam/pam_handlers.c (PAM_IGNORE
+ was working with neither "requistie" nor "required") and a DEBUG'ing
+ compile time bug with pam_dispatch.c (Savochkin Andrey Vladimirovich)
+
+* minor Makefile change from (Savochkin Andrey Vladimirovich)
+
+* added pam_afsauth, pam_afspass, pam_restrict, and pam_syslog hooks
+ (Derrick J Brashear)
+
+* pam_access use of uname(2) problematic (security problem
+ highlighted by Olaf Kirch).
+
+* pam_listfile went a bit crazy reading group membersips (problem
+ highlighted by Olaf Kirch and patched independently by Cristian
+ Gafton and Savochkin Andrey Vladimirovich)
+
+* compatibility hooks for solaris and hpux (Derrick J Brashear)
+
+* 64 bit Linux/alpha bug fixed in pam_rhosts (Andrew D. Isaacson)
+
+0.62: Wed Jan 14 14:10:55 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* Derrick J Brashear's patches: adds the HP stuff missed in the first
+ patch; adds SunOS support; adds support for the Solaris native ld
+ instead of requiring gnu ld.
+
+* last line of .rhosts file need not contain a newline. (Bug reported by
+ Thompson Freeman.)
+
+0.61: Thu Jan 8 22:57:44 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* complete rewrite of the "control flag" logic. Formerly, we were
+ limited to four flags: requisite, required, sufficient, optional.
+ We can now use these keywords _and_ a great deal more besides.
+ The extra logic was inspired by Vipin Samar, a preliminary patch was
+ written by Andy Berkheimer, but I "had some ideas of my own" and
+ that's what I've actually included. The basic idea is to allow the
+ admin to custom build a control flag with a series of token=value
+ pairs inside square brackets. Eg., '[default=die success=ok]' which
+ is pretty close to a synonym for 'requisite'. I'll try to document it
+ better in the sys-admin guide but I'm pretty sure it is a change for
+ the better.... If what is in the sys-admin guide is not good enough
+ for you, just take a look at the source for libpam ;^)
+
+0.59: Thu Jan 8 22:27:22 PST 1998 Andrew Morgan <morgan@linux.kernel.org>
+
+* better handling of empty lines in .rhosts file. (Formerly, we asked
+ the nameserver about them!) Fix from Hugh Daschbach.
+
+* _broke_some_binary_compatibility_ with previous versions to become
+ compliant with X/Open's XSSO spec. Specifically, this has been
+ by changing the prototype for pam_strerror().
+
+* altered the convention for the conversation mechanism to agree
+ with that of Sun. (number of responses 'now=' number of messages
+ with help from Cristian for finding a bug.. Cristian also found a
+ nasty speradic segfault bug -- Thanks!)
+
+* added NIS+ support to pam_unix_*
+
+* fixed a "regular file checking" problem with the ~/.rhosts sanity
+ check. Added "privategroup" option to permit group write permission
+ on the ~/.rhosts file in the case that the group owner has the same
+ name as the authenticating user. :*) "promiscuous" and "suppress"
+ were not usable!
+
+* added glibc compatibility to pam_rhosts_auth (protected __USE_MISC
+ with #ifndef since my libc already defines it!).
+
+* Security fix from Savochkin Andrey Vladimirovich with suggested
+ modification from Olaf Seibert.
+
+* preC contains mostly code clean-ups and a number of changes to
+ _pam_macros.
+
+0.58: whenever
+
+* pam_getenvlist() has a more robust definition (XSSO) than was previously
+ thought. It would seem that we no longer need pam_misc_copy_env()
+ which was there to provide the robustness that pam_getenvlist()
+ lacked before...
+
+ Accordingly, I have REMOVED the prototype from libpam_misc. (The
+ function, however, will remain in the library as a wrapper for
+ legacy apps, but will likely be removed from libpam_misc-1.0.) PLEASE
+ FIX YOUR APPS *BEFORE* WE GET THERE!
+
+* Alexy Nogin reported garbage output from pam_env in the case of
+ a non-existent environment variable.
+
+* 'fixed' pwdb compilation for pam_wheel. Not very cleanly
+ done.. Mmmm. Should really clean up the entire source tree...
+
+* added prototypes for mapping functions
+
+ <**WARNING**>
+
+ various constants have had there names changed. Numerical values have
+ been retained but be aware some source old modules/applications will
+ need to be fixed before recompilation.
+
+ </**WARNING**>
+
+* appended documentation to README for pam_rhosts module (Nicolai
+ Langfeldt).
+
+* verified X/Open compatibility of header files - note, where we differ
+ it is at the level of compilation warnings and the use of 'const char *'
+ instead of 'char *'. Previously, Sun(X/open) have revised their spec
+ to be more 'const'-ervative in the light of comments from Linux-PAM
+ development.
+
+* Ooops! PAM_AUTHTOKEN_REQD should have been PAM_NEW_AUTHTOK_REQD.
+
+ changed: pam_pwdb(pam_unix_acct) (also bug fix for
+ _shadow_acct_mgmt_exp() return value), pam_stress,
+ libpam/pam_dispatch, blank, xsh.
+
+* New: PAM_AUTHTOK_EXPIRED - password has expired.
+
+* Ooops! PAM_CRED_ESTABLISH (etc.) should have been PAM_ESTABLISH_CRED
+ etc... (changed - this may break some people's modules - PLEASE TAKE
+ NOTE!)
+ changed: pam_group, pam_mail, blank, xsh; module and appl
+ docs, pam_setcred manual page.
+
+* renamed internal _pam_handle structure to be pam_handle as per XSSO.
+
+* added PAM_RADIO_TYPE (for multiple choice input method). Also
+ added PAM_BINARY_{MSG,PROMPT} (for interaction out of sight of user
+ - this could be used for RSA type authentication but is currently
+ just there for experimental purposes). The _BINARY_ types are now
+ usable with hooks in the libpam_misc conversation function. Still
+ have to add PAM_RADIO_TYPE.
+
+* added pam_access module (Alexei Nogin)
+
+* added documentation for pam_lastlog. Also modified the module to
+ not (by default) print "welcome to your new account" when it cannot
+ find a utmp entry for the user (you can turn this on with the
+ "never" argument).
+
+* small correction to the pam_fail_delay manual page. Either the appl or
+ the modules header file will prototype this function.
+
+* added "bigcrypt" (DEC's C2) algorithm(0) to pam_pwdb. (Andy Phillips)
+
+* *BSD tweaking for various #include's etc. (pam_lastlog, pam_rhosts,
+ pam_wheel, libpam/pam_handlers). (Michael Smith)
+
+* added configuration directory $SCONFIGED for module specific
+ configuration files.
+
+* added two new "linked" man pages (pam.conf(8) and pam.d(8))
+
+* included a reasonable default for /etc/pam.conf (which can be
+ translated to /etc/pam.d/* files with the pam_conv1 binary)
+
+* fixed the names of the new configuration files in
+ conf/pam_conv1/pam_conv.y
+
+* fixed make check.
+
+* pam_lastlog fixed to handle UID in virgin part of /var/log/lastlog
+ (bug report from Ronald Wahl).
+
+* grammar fix in pam_cracklib
+
+* segfault avoided in pam_pwdb (getting user). Updating of passwords
+ that are directed to a "new" database are more robust now (bug noted
+ by Michael K. Johnson). Added "unix" module argument for migrating
+ passwords from another database to /etc/passwd. (documentation
+ updated). Removed "bad username []" warning for empty passwords -
+ on again if you supply the 'debug' module argument.
+
+* ctrl-D respected in conversation function (libpam_misc)
+
+* Removed -DPAM_FAIL_DELAY_ON from top-level Makefile. Nothing in
+ the distribution uses it. I guess this change happened a while
+ back, basically I'm trying to make the module parts of the
+ distribution "source compatible" with the RFC definition of PAM.
+ This implementation of PAM is a superset of that definition. I have
+ added the following symbols to the Linux-PAM header files:
+
+ PAM_DATA_SILENT (see _pam_types.h)
+ HAVE_PAM_FAIL_DELAY (see _pam_types.h)
+ PAM_DATA_REPLACE (see _pam_modules.h)
+
+ Any module (or application) that wants to utilize these features,
+ should check (#ifdef) for these tokens before using the associated
+ functionality. (Credit to Michael K. Johnson for pointing out my
+ earlier omission: not documenting this change :*)
+
+* first stab at making modules more independent of full library
+ source. Modules converted:
+ pam_deny
+ pam_permit
+ pam_lastlog
+ pam_pwdb
+
+* pam_env.c: #include <errno.h> added to ease GNU libc use. (Michael
+ K. Johnson)
+
+* pam_unix_passwd fixes to shadow aging code (Eliot Frank)
+
+* added README for pam_tally
+
+0.57: Fri Apr 4 23:00:45 PST 1997 Andrew Morgan <morgan@parc.power.net>
+
+* added "nodelay" argument to pam_pwdb. This can be used to turn off
+ the call to pam_fail_delay that takes effect when the user fails to
+ authenticate themself.
+
+* added "suppress" argument to pam_rhosts_auth module. This will stop
+ printing the "rlogin failure message" when the user does not have a
+ .rhosts file.
+
+* Extra fixes for FAKEROOT in Makefiles (Savochkin Andrey
+ Vladimirovich)
+
+* pam_tally added to tree courtesy of Tim Baverstock
+
+* pam_rhosts_auth was failing to read NFS mounted .rhosts
+ files. (Fixed by Peter Allgeyer). Refixed and further enhanced
+ (netgroups) by Nicolai Langfeldt. [Credit also to G.Wilford for some
+ changes that were not actually included..]
+
+* optional (#ifdef PAM_READ_BOTH_CONFS) support for parsing of pam.d/
+ AND pam.conf files (Elliot Lee).
+
+* Added (and signed) Cristian's PGP key. (I've never met him, but I am
+ convinced the key belongs to the guy that is making the PAM rpms and
+ also producing libpwdb. Please note, I will not be signing anyone
+ else's key without a personal introduction..)
+
+* fixed erroneous syslog warning in pam_listfile (Savochkin Andrey
+ Vladimirovich, whole file reformatted by Cristian)
+
+* modified pam_securetty to return PAM_IGNORE in the case that the user's
+ name is not known to the system (was previously, PAM_USER_UNKNOWN). The
+ Rationale is that pam_securetty's sole purpose is to prevent superuser
+ login anywhere other than at the console. It is not its concern that the
+ user is unknown - only that they are _not_ root. Returning
+ PAM_IGNORE, however, insures that the pam_securetty can never be used to
+ "authenticate" a non-existent user. (Cristian Gafton with bug report from
+ Roger Hu)
+
+* Modified pam_nologin to display the no-login message when the user
+ is not known. The return value in this case is still PAM_USER_UNKNOWN.
+ (Bug report from Cristian Gafton)
+
+* Added NEED_LCKPWD for pam_unix/ This is used to define the locking
+ functions and should only be turned on if you don't have them in
+ your libc.
+
+* tidied up pam_lastlog and pam_pwdb: removed function that was never used.
+
+* Note for package maintainers: I have added $(FAKEROOT) to the list of
+ environment variables. This should help greatly when you build PAM
+ in a subdirectory. I've gone through the tree and tried to make
+ everything compatible with it.
+
+* added pam_env (courtesy of Dave Kinchlea)
+
+* removed pam_passwd+ from the tree. It has not been maintained in a
+ long time and running a shell script was basically insecure. I've
+ indicated where you can pick up the source if you want it.
+
+* #define HAVE_PAM_FAIL_DELAY . Applications can conditionally compile
+ with this if they want to see if the facility is available. It is
+ now always available. (corresponding compilation cleanups..)
+
+* _pam_sanitize() added to pam_misc. It purges the PAM_AUTHTOK and
+ PAM_OLDAUTHTOK items. (calls replaced in pam_auth and pam_password)
+
+* pam_rhosts now knows about the '+' entry. Since I think this is a
+ dangerous thing, I have required that the sysadmin supply the
+ "promiscuous" flag for it in the corresponding configuration file
+ before it will work.
+
+* FULL_LINUX_PAM_SOURCE_TREE exported from the top level make file.
+ If you want to build a module, you can test for this to determine if
+ it should take its directions from above or supply default locations
+ for installation. Etc.
+
+0.56: Sat Feb 15 12:21:01 PST 1997 <morgan@parc.power.net>
+
+* pam_handlers.c can now interpret the pam.d/ service config tree:
+ - if /etc/pam.d/ exists /etc/pam.conf is IGNORED
+ (otherwise /etc/pam.conf is treated as before)
+ - given /etc/pam.d/
+ . config files are named (in lower case) by service-name
+ . config files have same syntax as /etc/pam.conf except
+ that the "service-name" field is not present. (there
+ are thus three manditory fields (and arguments are
+ optional):
+
+ module-type control-flag module-path optional-args...
+
+ )
+
+* included conf/pam_conv1 for converting pam.conf to a pam.d/ version
+ 1.0 directory tree. This program reads a pam.conf file on the
+ standard input stream and creates ./pam.d/ (in the local directory)
+ and fills it with ./pam.d/"service-name" files.
+
+ *> Note: It will fail if ./pam.d/ already exists.
+
+ PLEASE REPORT ANY BUGS WITH THIS CONVERSION PROGRAM... It currently
+ cannot retain comments from the old conf file, so take care to do this
+ by hand. Also, please email me with the fix that makes the
+ shift/reduce conflict go away...
+
+* Added default module path to libpam for modules (see pam_handlers.c)
+ it makes use of Makfile defined symbol: DEFAULT_MODULE_PATH which is
+ inhereted from the defs/* variable $(SECUREDIR). Removed module
+ paths from the sample pam.conf file as they are no longer needed.
+
+* pam_pwdb can now verify read protected passwords when it is not run
+ by root. This is via a helper binary that is setuid root.
+
+* pam_permit now prompts for a username if it is not already determined
+
+* pam_rhosts now honors "debug" and no longer hardwire's "root" as the
+ superuser's name.
+
+* pam_securetty now honors the "debug" flag
+
+* trouble parsing extra spaces fixed in pam_time and pam_group
+
+* added Michael K. Johnson's PGP key to the pgp.keys.asc list
+
+* pam_end->env not being free()'d: fixed
+
+* manuals relocated to section 3
+
+* fixed bug in pam_mail.c, and enhanced to recognize '~' as a prefix
+ to indicate the $HOME of the user (courtesy David
+ Kinchlea). *Changed* from a "session" module to an "auth"
+ module. It cannot be used to authenticate a user, but it can be used
+ in setting credentials.
+
+* fixed a stupid bug in pam_warn.. Only PAM_SERVICE was being read :*(
+
+* pam_radius rewritten to exclusively make use of libpwdb. (minor fix
+ to Makefile for cleaning up - AGM)
+
+* pam_limits extended to limit the total number of logins on a system
+ at any given time.
+
+* libpam and libpam_misc use $(MAJOR_REL) and $(MINOR_REL) to set their
+ version numbers [defined in top level makefile]
+
+* bugfix in sed command in defs/redhat.defs (AGM's fault)
+
+* The following was related to a possibility of buffer overruns in
+ the syslogging code: removed fixed length array from syslogging
+ function in the following modules [capitalized the log identifier
+ so the sysadmin can "know" these are fixed on the local system],
+
+ pam_ftp, pam_stress, pam_rootok, pam_securetty,
+ pam_listfile, pam_shells, pam_warn, pam_lastlog
+ and
+ pam_unix_passwd (where it was definitely _not_ exploitable)
+
+0.55: Sat Jan 4 14:43:02 PST 1997, Andrew Morgan <morgan@parc.power.net>
+
+* added "requisite" control_flag to /etc/pam.conf syntax. [See
+ Sys. Admin. Guide for explanation] changes to pam_handlers.c
+
+* completely new handling of garbled pam.conf lines. The modus
+ operandi now is to assume that any errors in the line are minor.
+ Errors of this sort should *most definitely* lead to the module
+ failing, however, just ignoring the line (as was the case
+ previously) can lead to gaping security holes(! Not foreseen by the
+ RFC). The "motivation" for the RFC's comments about ignoring garbled
+ lines is present in spirit in the new code: basically a garbled line
+ is treated like an instance of the pam_deny.so module.
+ changes to pam_handlers.c and pam_dispatch.c .
+
+* patched libpam, to (a) call _pam_init_handlers from pam_start() and
+ (b) to log a text error if there are no modules defined for a given
+ service when a call to a module is requested. [pam_start() and
+ pam_dispatch() were changed].
+
+* patched pam_securetty to deal with "/dev/" prefix on PAM_TTY item.
+
+* reorganized the modules/Makefile to include *ALL* modules. It is now
+ the responsibility of the modules themselves to test whether they can
+ be compiled locally or not.
+
+* modified pam_group to add to the getgroups() list rather than overwrite
+ it. [In the case of "HAVE_LIBPWDB" we use the pwdb_..() calls to
+ translate the group names.]. Module now pays attention to
+ PAM_CRED_.. flag(!)
+
+* identified and removed bugs in field reading code of pam_time and
+ (thus) pam_group.
+
+* Cristian's patches to pam_listfile module, corresponding change to
+ documentation.
+
+* I've discovered &ero; for sgml!
+ Added pam_time documentation to the admin guide.
+
+* added manual pages: pam.8, pam_start.2(=pam_end.2),
+ pam_authenticate.2, pam_setcred.2, pam_strerror.2,
+ pam_open_session.2(=pam_close_session.2) and pam_chauthtok.2 .
+
+* added new modules:
+
+ - pam_mail (tells the user if they have any new mail
+ and sets their MAIL env variable)
+ - pam_lastlog (reports on the last time this user called
+ this module)
+
+* new module hooks provided.
+
+* added a timeout feature to the conversation function in
+ libpam_misc. Documented it in the application developers' guide.
+
+* fixed bug in pam_misc_paste_env() function..
+
+* slight modifications to wheel and rhosts writeup.
+
+* more security issues added to module and application guides.
+
+--
+Things present but not mentioned in previous release (sorry)
+
+* pam_pwdb module now resets the "last_change" entry before updating a
+ password.
+--
+
+Sat Nov 30 19:30:20 PST 1996, Andrew Morgan <morgan@parc.power.net>
+
+* added environment handling to libpam. involved change to _pam_types.h
+ also added supplementary functions to libpam_misc
+
+* added pam_radius - Cristian
+
+* slight speed up for pam_rhosts
+
+* significantly enhanced sys-admin documentation (8 p -> 41 p in
+ PostScript). Added to other documentation too. Mostly the changes
+ in the other docs concern the new PAM-environment support, there is
+ also some coverage of libpam_misc in the App. Developers' guide.
+
+* Cristian's patches to pam_limits and pam_pwdb. Fixing bugs. (MORE added)
+
+* adopted Cristian's _pam_macros.h file to help with common macros and
+ debugging stuff, gone through tree tidying up debugging lines to use
+ this [not complete].
+
+ - for consistency replaced DROP() with _pam_drop()
+
+* commented memory debugging in top level makefile
+
+* added the following modules
+
+ - pam_warn log information to syslog(3) about service application
+ - pam_ftp if user is 'ftp' then set PAM_RUSER/PAM_RHOST with password
+ (comment about nologin added to last release's notes)
+
+* modified the pam_listfile module. It now declares a meaningful static
+ structure name.
+
+Sun Nov 10 13:26:39 PST 1996, Andrew Morgan <morgan@parc.power.net>
+
+ **PLEASE *RE*AMEND YOUR PERSONAL LINKS**
+
+ -------> http://parc.power.net/morgan/Linux-PAM/index.html <-------
+
+ **PLEASE *RE*AMEND YOUR PERSONAL LINKS**
+
+A brief summary of what has changed:
+
+* many modules have been modified to accomodate fixing the pam_get_user()
+ change. Please take note if you have a module in this distribution.
+
+* pam_unix is now the pam_unix that Red Hat has been using and which
+ should be fairly well debugged.
+
+ - I've added some #ifdef's to make it compile for me, and also
+ updated it with respect to the libpam-0.53, so have a look at the
+ .../modules/pam_unix/Makefile to enable cracklib and shadow features
+
+ ** BECAUSE OF THIS, I cannot guarantee this code works as it **
+ ** did for Red Hat. Please test and report any problems. **
+
+* the pam_unix of .52 (renamed to pam_pwdb) has been enhanced and made
+ more flexible with by implementing it with respect to the new
+ "Password Database Library" see
+
+ http://parc.power.net/morgan/libpwdb/index.html
+
+ modules included in this release that require this library to
+ function are the following:
+
+ - pam_pwdb (ne pam_unix-0.52 + some enhancements)
+ - pam_wheel
+ - pam_limits
+ - pam_nologin
+
+* Added some optional code for memory debugging. In order to support
+ this you have to enable MEMORY_DEBUG in the top level makefile and
+ also #define MEMORY_DEBUG in your applications when they are compiled.
+ The extra code resides in libpam (compiled if MEMORY_DEBUG is defined)
+ and the macros for malloc etc. are to be found at the end of
+ _pam_types.h
+
+* used above code to locate two memory leaks in pam_unix module and two
+ in libpam (pam_handlers.h)
+
+* pam_get_user() now sets the PAM_USER item. After reading the Sun
+ manual page again, it was clear that it should do this. Various
+ modules have been assuming this and now I have modified most of them
+ to account for this change. Additionally, pam_get_user() is now
+ located in the module include file; modules are supposed to be the
+ ones that use it(!) [Note, this is explicitly contrary to the Sun
+ manual page, but in the spirit of the Linux distribution to date.]
+
+* replaced -D"LINUX" with -D"LINUX_PAM" as this is more explicit and less
+ likely to be confused with -D"linux".
+ Also, modified the libpam #include files to behave more like the Sun
+ ones #ifndef LINUX_PAM.
+
+* removed <bf/ .. / from documentation titles. This was not giving
+ politically correct html..
+
+----- My vvvvvvvvvvvvvvvvvvv was a long time ago ;*] -----
+
+Wed Sep 4 23:57:19 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>
+
+0. Before I begin, Linux-PAM has a new primary distribution site (kindly
+donated by Power Net Inc., Los Angeles)
+
+ **PLEASE AMMEND YOUR PERSONAL LINKS**
+
+ -------> http://www.power.net/morgan/Linux-PAM <-------
+
+ **PLEASE AMMEND YOUR PERSONAL LINKS**
+
+1. I'm hoping to make the next release a bug-fix release... So please find
+ all the bugs(! ;^)
+
+2. here are the changes for .52:
+
+* minor changes to module documentation [Incidently, it is now
+ available on-line from the WWW page above]. More changes to follow in
+ the next two releases. PLEASE EMAIL me or the list if there is
+ anything that isn't clear!
+
+* completely changed the unix module. Now a single module for all four
+ management groups (this meant that I could define all functions as
+ static that were not part of the pam_sm_... scheme. AGM)
+
+ - Shadow support added
+PASSWD - Elliot's account management included, and enhanced by Cristian Gafton.
+ - MD5 password support added by Cristian Gafton.
+ - maxtries for authentication now enforced.
+ - Password changing function in pam_unix now works!
+ Although obviously, I'm not going to *guarantee* it ;^) .
+ - stole Marek's locking code from the Red Hat unix module.
+ [ If you like you can #ifdef it in or out ... ]
+
+ You can configure the module more from its Makefile in
+ 0.52/modules/pam_unix/
+
+ If you are nervous that it will destroy your /etc/passwd or shadow
+ files then EDIT the 0.52/modules/pam_unix/pam_unix_pass.-c file.
+ Here is the warning comment from this file...
+
+-------------8<-----------------
+/* <WARNING>
+ *
+ * Uncomment the following #define if you are paranoid, and do not
+ * want to risk losing your /etc/passwd or shadow files.
+ * It works for me (AGM) but there are no guarantees.
+ *
+ * </WARNING>
+ */
+/* #define TMP__FILE */
+------------->8-----------------
+
+ *** If anyone has any trouble, please *say*. Your problem will be
+ fixed in the next release. Also please feel free to scour the
+ code for race conditions etc...
+
+[* The above change requires that you purge your /usr/lib/security
+ directory of the old pam_unix_XXX.so modules: they will NOT be deleted
+ with a 'make remove'.]
+
+* the prototype for the cleanup function supplied to pam_set_data used
+ to return "int". According to Sun it should be "void". CHANGED.
+
+* added some definitions for the 'error_status' mask values that are
+ passed to the cleanup function associated with each
+ module-data-item. These numbers were needed to keep up with changing
+ a data item (see for example the code in pam_unix/support.-c that
+ manages the maximum number of retries so far). Will see what Sun says
+ (current indications are positive); this may be undone before 1.0 is
+ released. Here are the definitions (from pam_modules.h).
+
+#define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */
+#define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */
+
+* Changed the .../conf/pam.conf file. It now points to the new
+ pam_unix module for 'su' and 'passwd' [can get these as SimpleApps --
+ I use them for testing. A more extensive selection of applications is
+ available from Red Hat...]
+
+* corrected a bug in pam_dispatch. Basically, the problem was that if
+ all the modules were "sufficient" then the return value for this
+ function was never set. The net effect was that _pam_dispatch_aux
+ returned success when all the sufficient modules failed. :^( I think
+ this is the correct fix to a problem that the Red Hat folks had
+ found...
+
+sopwith* Removed advisory locking from libpam (thanks for the POSIX patch
+ goes to Josh Wilmes's, my apologies for not using it in the
+ end.). Advisory locking did not seem sufficiently secure for libpam.
+ Thanks to Werner Almesberger for identifying the corresponding "denial
+ of service attack". :*(
+
+* related to fix, have introduced a lock file /var/lock/subsys/PAM
+ that can be used to indicate the system should pay attention to
+ advisory locking on /etc/pam.conf file. To implement this you need to
+ define PAM_LOCKING though. (see .52/libpam)
+
+* modified pam_fail_delay() function. Couldn't find the "not working"
+ problem indicated by Michael, but modified it to do pseudo-random
+ delays based on the values indicated by pam_fail_delay() -- the
+ function "that may eventually go away"... Although Sun is warming to
+ the idea.
+
+* new modules include:
+
+ pam_shells - authentication for users with a shell listed in
+ /etc/shells. Erik Troan <ewt@redhat.com>
+
+ pam_listfile - authentication based on the contents of files.
+ Set to be more general than the above in the
+ future. UNTESTED. Elliot Lee <@redhat.com>
+ [Note, this module compiles with a non-trivial
+ warning: AGM]
+
+Thu Aug 8 22:32:15 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* modified makefiles to take more of their installation instructions
+ from the top level makefile. Desired for integration into the Debian
+ distribution, and generally a good idea.
+
+* fixed memory arithmetic in pam_handlers
+ -- still need to track down why failure to load modules can lead to
+ authentication succeding..
+
+* added tags for new modules (smartcards from Alex -- just a promise
+ at this stage) and a new module from Elliot Lee; pam_securetty
+
+* I have not had time to smooth out the wrinkles with it, but Alex's
+ pam_unix modifications are provided in pam_unix-alex (in the modules
+ directory) they will not be compiled by 'make all' and I can't even
+ say if they do compile... I will try to look at them for .52 but, in
+ the mean time please feel free to study/fix/discuss what is there.
+
+* pam_rhosts module. Removed code for manually setting the ruser
+ etc. This was not very secure.
+
+* [remade .ps docs to be in letter format -- my printer complains
+ about a4]
+
+Sunday July, 7 12:45:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* No longer accompanying the Linux-PAM release with apps installed.
+ [Will provide what was here in a separate package.. (soon)
+lib Also see http://www.redhat.com/pam for some more (in .rpm form...)]
+
+* renamed libmisc to libpam_misc. It is currently configured to only compile
+ the static library. For some strange reason (perhaps someone can
+ investigate) my Linux 2.0.0 kernel with RedHat 3.0.3 system
+ segfaults when I compile it to be a dynamic library. The segfault
+ seems to be inside the call to the ** dl_XXX ** function...!?
+
+ There is a simple flag in the libpam_misc/Makefile to turn on dynamic
+ compiles.
+
+* Added a little unofficial code for delay support in libpam (will probably
+ disappear later..) There is some documentation for it in the pam_modules
+ doc now. That will obviously go too.
+
+* rewritten pam_time to use *logic* to specify the stringing together of
+ users/times/terminals etc.. (what was there before was superficially
+ logical but basically un-predictable!)
+
+* added pam_group. Its syntax is almost identical to pam_time but it
+ has another field added; a list of groups to make the user a member
+ of if they pass the previous tests. It seems to not co-exist too well
+ with the groups in the /etc/group but I hope to have that fixed by
+ the next release...
+
+* minor re-formatting of pam_modules documentation
+
+* removed ...// since it wasn't being used and didn't look like it
+ would be!
+
+GCCSunday 23 22:35:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* The major change is the addition of a new module: pam_time for
+ restricting access on terminals at given times for indicated users
+ it comes with its own configuration file /etc/security/time.conf
+ and the sample file simply restricts 'you' from satisfying the blank
+ application if they try to use blank from any tty*
+
+* Small changes include
+- altered pam.conf to demonstrate above new module (try typing username: you)
+- very minor changes to the docs (pam_appl and pam_modules)
+
+Saturday June 2 01:40:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+*** PLEASE READ THE README, it has changed ***
+
+* NOTE, 'su' exhibits a "system error", when static linking is
+ used. This is because the pam_unix_... module currently only has
+ partial static linking support. This is likely to change on Monday
+ June 3, when Alex makes his latest version availible. I will include
+ the updated module in next release.
+
+changes for .42:
+
+* modified the way in which libpam/pam_modules.h defines prototypes for
+ the pam_sm_ functions. Now the module must declare which functions it
+ is to provide *before* the #include <security/pam_modules.h> line.
+ (for contrasting examples, see the pam_deny and pam_rootok modules)
+ This removed the ugly hack of defining functions that are never called
+ to overcome warnings... This seems much tidier.
+insterted* updated the TODO list. (changed mailing list address)
+* updated README in .../modules to reflect modifications to static
+ compliation protocol
+* modified the pam_modules documentation to describe this.
+* corrected last argument of pam_get_item( ... ) in
+ pam_appl/modules.sgml, to "const void **".
+* altered GNU GPL's in the documentation, and various other parts of
+ the distribution. *Please check* that any code you are responsible for
+ is corrected.
+* Added ./Copyright (please check that it is acceptable)
+* updated ./README to make current and indicate the new mailing list
+ address
+* have completely rewritten pam_filter. It now runs modular filter
+ executables (stored in /usr/sbin/pam_filter/) This should make it
+ trivial for others to write their own filters.. If you want yours
+ included in the distribution please email the list/me.
+* changes to libpam; there was a silly bug with multiple arguments on a
+ pam.conf line that was broken with a '\<LF>'.
+* 'su' rearranged code (to make better use of PAM)
+ *Also* now uses POSIX signals--this should help the Alpha port.
+* 'passwd' now uses getlogin() to determine who's passwords to change.
+
+Sunday May 26 9:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* fixed module makefiles to create needed dynamic/static subdirectories
+
+Saturday May 25 20:30:27.8 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* LOTS has changed regarding how the modules/libpam are built.
+* Michael's mostly complete changes for static support--see below
+ (Andrew got a little carried away and automated the static linking
+ of modules---bugs are likely mine ;( )
+* Thanks mostly to Michael, libpam now compiles without a single warning :^]
+* made static modules/library optional.
+CFLAGS* added 'make sterile' to top level makefile. This does extraclean and remove
+* added Michael and Joseph to documentation credits (and a subsection for
+ future documentation of static module support in pam_modules.sgml)
+* libpam; many changes to makefiles and also automated the inclusion of
+ static module objects in pam_static.c
+* modified modules for automated static/dynamic support. Added static &
+ dynamic subdirectories, as instructed by Michael
+* removed an annoying syslog message from pam_filter: "parent exited.."
+* updated todo list (anyone know anything about svgalib/X? we probably should
+ have some support for these...)
+
+Friday May 24 16:30:15 EDT 1996 (Michael K. Johnson <johnsonm@redhat.com>)
+
+* Added first (incomplete) cut at static support.
+ This includes:
+ . changes in libpam, including a new file, pam_static.c
+ . changes to modules including exporting struct of function pointers
+ . static and dynamic linking can be combined
+ . right now, the only working combinations are just dynamic
+ linking and dynamic libpam.so with static modules linked
+ into libpam.so. That's on the list of things to fix...
+ . modules are built differently depending on whether they
+ are static or dynamic. Therefore, there are two directories
+ under each module directory, one for static, and one for
+ dynamic modules.
+* Fixed random brokenness in the Makefiles. [ foo -nt bar ] is
+ rather redundant in a makefile, for instance. Also, passing
+ on the command line is broken because it cannot be
+ overridden in any way (even adding important parts) in lower-level
+ makefiles.
+* Unfortunately, fixing some of the brokenness meant that I used
+ GNU-specific stuff. However, I *think* that there was GNU-specific
+ stuff already. And I think that we should just use the GNU
+ extensions, because any platform that GNU make doesn't port to
+ easily will be hard to port to anyway. It also won't be likely
+passwd to handle autoconf, which was Ted's suggestion for getting
+ around limitations in standard make...
+ For now, I suggest that we just use some simple GNU-specific
+ extensions.
+
+Monday May 20 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* added some text to pam_modules.sgml
+* corrected Marek's name in all documentation
+* made pam_stress conform to chauthtok conventions -- ie can now request
+ old password before proceeding.
+* included Alex's latest unix module
+* included Al's + password strength checking module
+* included pam_rootok module
+* fixed too many bugs in libpam.. all subtly related to the argument lists
+ or use of syslog. Added more debugging lines here too.
+* fixed the pam.conf file
+* deleted pam_test module. It is pretty old and basically superceeded
+ by pam_stress
+
+Friday May 9 1:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* updated documentaion, added Al Longyear to credits and corrected the
+ spelling of Jeff's name(!). Most changes to pam.sgml (even added a figure!)
+* new module pam_rhosts_auth (from Al Longyear)
+* new apps rlogind and ftpd (a patch) from Al.
+* modified 'passwd' to not call pam_authenticate (note, none of the
+ modules respect this convention yet!)
+* fixed bug in libpam that caused trouble if the last line of a
+ pam.conf file ends with a module name and no newline character
+* also made more compatable with documentation, in that bad lines in
+ pam.conf are now ignored rather than causing libpam to return an
+ error to the app.
+* libpam now overwrites the AUTHTOKs when returning from
+ pam_authenticate and pam_chauthtok calls (as per Sun/RFC too)
+* libpam is now installed as libpam.so.XXX in a way that ldconfig can
+ handle!
+
+
+Wednesday May 1 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>)
+
+* removed .../test directory, use .../examples from now on.
+* added .../apps directory for fully functional applications
+ - the apps directory contains directories that actually contain the apps.
+ the idea is to make application compilation conditional on the presence
+ of the directory. Note, there are entries in the Makefile for
+ 'login' and 'ftpd' that are ready for installation... Email me if
+ you want to reserve a directory name for an application you are
+ working on...
+* similar changes to .../modules makefile [entries for pam_skey and
+ pam_kerberos created---awaiting the directories.] Email me if you
+ want to register another module...
+* minor changes to docs.. Not really worth reprinting them quite yet!
+ [save the trees]
+* added misc_conv to libmisc. it is a generic conversation function
+ for text based applications. [would be nice to see someone create
+ an Xlib and/or svgalib version]
+* fixed ctrl-z/c bug with pam_filter module [try xsh with the default
+ pam.conf file]
+* added 'required' argument to 'pam_stress' module.
+* added a TODO list... other suggestions to the list please.
+
+Saturday April 7 00:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+* Alex and Marek please note I have altered _pam_auth_unix a little, to
+ make it get the passwords with the "proper method" (and also fixed it
+ to not have as many compiler warnings)
+* updated the conf/pam.conf file
+* added new example application examples/xsh.c (like blank but invokes
+ /bin/sh)
+* Marc's patches for examples/blank.c (and AGM's too)
+* fixed stacking of modules in libpam/pam_handlers.c
+* fixed RESETing in libpam/pam_item.c
+* added new module modules/pam_filter/ to demonstrate the possibility
+ of inserting an arbitrary filter between the terminal and the
+ application that could do customized logging etc... (see use of
+ bin/xsh as defined in conf/pam.conf)
+
+
+Saturday March 16 19:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+These notes are for 0.3 I don't think I've left anything important
+out, but I will use emacs 'C-x v a' next time! (Thanks Jeff)
+
+ * not much has changed with the functionality of the Linux-PAM lib
+ .../libpam
+ - pam_password calls module twice with different arguments
+ - added const to some of the function arguments
+ - added PAM_MAX_MES_ to <security/_pam_types.h>
+ - was a lot over zealous about purging old passwords...
+ I have removed much of this from source to make it
+ more compatible with SUN.
+ - moved some PAM_... tokens to pam_modules.h from _pam_types.h
+ (no-one should notice)
+
+ * added three modules: pam_permit pam_deny pam_stress
+ no prizes for guessing what the first two do. The third is
+ a reasonably complete (functional) module. Is intended for testing
+ applications with.
+
+ * fixed a few pieces of examples/blank.c so that it works (with
+ pam_stress)
+
+ * ammended the documentation. Looking better, but suggestions/comments
+ very welcome!
+
+Sunday March 10 10:50:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+These notes are for Linux-PAM release 0.21. They cover what's changed
+since I relased 0.2.
+
+ * am now using RCS
+ * substantially changed ./README
+ * fixed bug reading \\\n in pam.conf file
+ * small changes to documentation
+ * added `blank' application to ./examples (could be viewed as
+ a `Linux-PAM aware' application template.)
+ * oops. now including pam_passwd.o and pam_session.o in pamlib.so
+ * compute md5 checksums for all the source when making a release
+ - added `make check' and `make RCScheck' to compute md5 checksums
+ * create a second tar file with all the RCS files in.
+ * removed the .html and .txt docs, supplying sgml sources instead.
+ - see README for info on where to get .ps files
+
+Thursday March 6 0:44:?? PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> )
+
+These notes are for Linux-PAM release 0.2. They cover what's changed
+since Marc Ewing relased 0.1.
+
+**** Please note. All of the directories in this release have been modified
+**** slightly to conform to the new pamlib. A couple of new directories have
+**** been added. As well as some documentation. If some of your code
+**** was in the previous release. Feel free to update it, but please
+**** try to conform to the new headers and Makefiles.
+
+* Andrew Morgan (morgan@physics.ucla.edu) is making this release
+ availible, Marc has been busy...!
+
+* Marc's pam-0.1/lib has been (quietly) enhanced and integrated into
+ Alex Yurie's collected tree of library and module code
+ (linux-pam.prop.1.tar.gz). Most of the changes are to do with error
+ checking. Some more robustness in the reading of the pam.conf file
+ and the addition of the pam_get_user() function.
+
+* The pam_*.h files have been reorganized to logically enforce the
+ separation of modules from applications. [Don't panic! Apart from
+ changing references of the form
+
+ #include "pam_appl.h"
+
+ to
+
+ #include <security/pam_appl.h>
+
+ The reorganization should be backwardly compatable (ie. a module
+ written for SUN will be as compatable as it was before with the
+ previous version ;)~ ]
+
+ (All of the source in this tree now conforms to this scheme...)
+
+ The new reorganization means that modules can be compiled with a
+ single header, <security/pam_modules.h>, and applications with
+ <security/pam_appl.h>.
+
+* I have tried to remove all the compiler warnings from the updated
+ "pamlib/*.c" files. On my system, (with a slightly modified <dlfcn.h>
+ email me if it interests you..) there are only two warnings that
+ remain: they are that ansi does not permit void --> fn ptr
+ assignment. K&Rv2 doesn't mention this....? As a matter of principle,
+ if anyone knows how to get rid of that warning... please
+ tell. Thanks! "-pedantic"
+
+* you can "make all" as a plain user, but
+
+* to "make install" you must be root. The include files are placed in
+ /usr/include/security. The libpam.so library is installed in /usr/lib
+ and the modules in /usr/lib/security. The two test binaries
+ are installed in the Linux-PAM-0.2/bin directory and a chance is given to
+ replace your /etc/pam.conf file with the one in Linux-PAM-0.2/conf.
+
+* I have included some documentation (pretty preliminary at the
+moment) which I have been working on in .../doc .
+
+I have had a little trouble with the modules, but atleast there are no
+segfaults! Please try it out and discuss your results... I actually
+hope it all works for you. But, Email any bugs/suggestions to the
+Linux-PAM list: linux-pam@mit.edu .....
+
+Regards,
+
+Andrew Morgan
+(morgan@physics.ucla.edu)
+
+
+Sat Feb 17 17:30:24 EST 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu)
+
+ * conf directory created with example of pam_conf
+ * stable code from pam_unix is added to modules/pam_unix
+ * test/test.c now requests username and password and attempts
+ to perform authentication
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..12ff8c5
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,40 @@
+Unless otherwise *explicitly* stated the following text describes the
+licensed conditions under which the contents of this Linux-PAM release
+may be distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of Linux-PAM, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+ notice, and this entire permission notice in its entirety,
+ including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+ copyright notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+ products derived from this software without their specific prior
+ written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions. (This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..df5f174
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,7232 @@
+2021-09-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix a typo found using codespell tool.
+ * modules/pam_pwhistory/pam_pwhistory.c: Replace "crypted password" with
+ "hashed password" in comment.
+ * modules/pam_unix/passverify.c (create_password_hash): Rename "crypted"
+ local variable to "hashed".
+
+2021-08-30 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: also search libcrypt through pkg-config.
+ libxcrypt provides a libcrypt.pc file so use it if available as this
+ will allow to retrieve the library path (e.g.
+ -L/home/buildroot/output/host//riscv64-buildroot-linux-musl/sysroot/usr/lib)
+ which is useful when cross-compiling and will avoid the following build
+ failure on buildroot:
+
+ /home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
+ passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
+
+ Fixes:
+ - http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
+
+2021-08-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: workaround the problem caused by libnss_systemd.
+ The getspnam(3) manual page says that errno shall be set to EACCES when
+ the caller does not have permission to access the shadow password file.
+ Unfortunately, this contract is broken when libnss_systemd is used in
+ the nss stack.
+
+ Workaround this problem by falling back to the helper invocation when
+ pam_modutil_getspnam returns NULL regardless of errno. As pam_unix
+ already behaves this way when selinux is enabled, it should be OK
+ for the case when selinux is not enabled, too.
+
+ * modules/pam_unix/passverify.c (get_account_info): When
+ pam_modutil_getspnam returns NULL, unconditionally fall back
+ to the helper invocation.
+
+ Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
+ Resolves: https://github.com/linux-pam/linux-pam/issues/379
+
+2021-08-18 Jérôme Fenal <jfenal@free.fr>
+
+ po: update translations using Weblate (French)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2021-08-02 panchenbo <panchenbo@uniontech.com>
+
+ po/zh_CN.po: fix pam_lastlog translation errors.
+ Closes: https://github.com/linux-pam/linux-pam/issues/383
+
+2021-07-24 simmon <simmon@nplob.com>
+
+ po: update translations using Weblate (Korean)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Swedish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Portuguese (Brazil))
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Portuguese (Brazil))
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Dutch)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Italian)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Hebrew)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Danish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Catalan)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2021-07-22 Yuri Chornoivan <yurchor@ukr.net>
+
+ po: update translations using Weblate (Ukrainian)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2021-07-22 Oğuz Ersen <oguzersen@protonmail.com>
+
+ po: update translations using Weblate (Turkish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2021-07-21 Piotr Drąg <piotrdrag@gmail.com>
+
+ po: update translations using Weblate (Polish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2021-07-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (German)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2021-07-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Russian)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+2021-07-21 Seong-ho Cho <darkcircle.0426@gmail.com>
+
+ po: update translations using Weblate (Korean)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-07-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update .pot and .po files.
+ Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
+ command.
+
+ Prepare for 1.5.2 release.
+ * configure.ac (AC_INIT): Raise version to 1.5.2.
+ * NEWS: Update.
+
+ pam_faillock: remove confusing comment.
+ * modules/pam_faillock/pam_faillock.c (faillock_message): Remove the
+ comment that meant to help translators but actually confused xgettext.
+
+2021-07-09 Iker Pedrosa <ipedrosa@redhat.com>
+
+ pam_filter: Close file after controlling tty.
+ Failing to check the descriptor value meant that there was a bug in the
+ attempt to close the controlling tty. Moreover, this would lead to a
+ file descriptor leak as pointed out by the static analyzer tool:
+
+ Error: RESOURCE_LEAK (CWE-772): [#def26]
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero.
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
+ 365| pam_syslog(pamh, LOG_ERR,
+ 366| "child cannot become new session: %m");
+ 367|-> return PAM_ABORT;
+ 368| }
+ 369|
+
+2021-06-29 Andrew G. Morgan <morgan@kernel.org>
+
+ Permit unix_chkpwd & pam_unix.so to run without being setuid-root.
+ Remove the hard-coding of the idea that the only way pam_unix.so can
+ read the shadow file is if it can, in some way, run setuid-root.
+ Linux capabilities only require cap_dac_override to read the /etc/shadow
+ file.
+
+ This change achieves two things: it opens a path for a linux-pam
+ application to run without being setuid-root; further, it allows
+ unix_chkpwd to run non-setuid-root if it is installed:
+
+ sudo setcap cap_dac_override=ep unix_chkpwd
+
+ If we wanted to link against libcap, we could install this binary with
+ cap_dac_override=p, and use cap_set_proc() to raise the effective bit
+ at runtime. However, some distributions already link unix_chkpwd
+ against libcap-ng for some, likely spurious, reason so "ep" is fine
+ for now.
+
+2021-06-15 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: fix build with libxcrypt and uclibc-ng.
+ Fix the following build failure with libxcrypt and uclibc-ng:
+
+ ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
+ passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
+
+ Fixes:
+ - http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
+
+2021-06-14 Mathieu Trossevin <mathieu.trossevin@gmail.com>
+
+ Add pkgconfig files for provided libraries.
+ * .gitignore: Add .pc files as they are generated by autoconf.
+ * configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
+ * libpam/Makefile.am: Install pam.pc.
+ * libpam/pam.pc.in: New file.
+ * libpam_misc/Makefile.am: Install pam_misc.pc
+ * libpam_misc/pam_misc.pc.in: New file.
+ * libpamc/Makefile.am: Install pamc.pc
+
+ This allow applications and PAM modules to automatically find libpam,
+ libpam_misc and libpamc if they are installed instead of having to
+ manually search for them.
+
+2021-06-14 Björn Esser <besser82@fedoraproject.org>
+
+ Remove support for legacy xcrypt.
+ Since many distributions are shipping a version of libxcrypt >= 4.0.0
+ as a replacement for glibc's libcrypt now, older versions of xcrypt,
+ which could be installed in parallel, are not relevant anymore.
+
+ * configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h.
+ (AC_SEARCH_LIBS): Remove xcrypt.
+ (AC_CHECK_FUNCS): Remove crypt_gensalt_r.
+ (AC_DEFINE): Remove HAVE_LIBXCRYPT.
+ * modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
+ * modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
+ * modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
+ * modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise.
+ (create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
+
+2021-06-14 Jeff Squyres <jsquyres@cisco.com>
+
+ pam_misc: set default length of misc_conv() buffer to 4096.
+
+ pam_misc: make length of misc_conv() configurable.
+ Add --with-misc-conv-bufsize=<number> option to configure to allow
+ a longer buffer size for libpam_misc's misc_conv() function (it still
+ defaults to 512 bytes).
+
+2021-06-14 Iker Pedrosa <ipedrosa@redhat.com>
+
+ pam_timestamp: replace hmac implementation.
+ sha1 is no longer recommended as a cryptographic algorithm for
+ authentication. Thus, the idea of this change is to replace the
+ implementation provided by hmacsha1 included in pam_timestamp module by
+ the one in the openssl library. This way, there's no need to maintain
+ the cryptographic algorithm implementation and it can be easily changed
+ with a single configuration change.
+
+ modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
+ functions around openssl's hmac implementation. Moreover, manage the key
+ generation and its read and write in a file. Include an option to
+ configure the cryptographic algorithm in login.defs file.
+ modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
+ modules/pam_timestamp/pam_timestamp.c: replace calls to functions
+ provided by hmacsha1 by functions provided by openssl's wrapper.
+ configure.ac: include openssl dependecy if it is enabled.
+ modules/pam_timestamp/Makefile.am: include new files and openssl library
+ to compilation.
+ ci/install-dependencies.sh: include openssl library to dependencies.
+ NEWS: add new item to next release.
+ Make.xml.rules.in: add stringparam profiling for hmac
+ doc/custom-man.xsl: change import docbook to one with profiling
+ modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
+ indicate the value in /etc/login.defs that holds the value for the
+ encryption algorithm
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
+
+2021-06-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ .github: add gcc-11, clang-12, and clang-11 jobs.
+ * .github/workflows/ci.yml (gcc11-x86_64, gcc11-x86, gcc11-x32,
+ clang12-x86_64, clang11-x86_64): New jobs.
+
+2021-06-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ tests: fix -Wmaybe-uninitialized warnings.
+ Fix the following class of compilation warnings reported by gcc 11:
+
+ tst-pam_end.c: In function ‘main’:
+ tst-pam_end.c:55:12: error: ‘conv’ may be used uninitialized [-Werror=maybe-uninitialized]
+ 55 | retval = pam_start (service, user, &conv, &pamh);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from tst-pam_end.c:41:
+ ../libpam/include/security/pam_appl.h:23:1: note: by argument 3 of type ‘const struct pam_conv *’ to ‘pam_start’ declared here
+ 23 | pam_start(const char *service_name, const char *user,
+ | ^~~~~~~~~
+ tst-pam_end.c:49:19: note: ‘conv’ declared here
+ 49 | struct pam_conv conv;
+ | ^~~~
+
+ * tests/tst-pam_end.c (main): Initialize conv variable.
+ * tests/tst-pam_fail_delay.c: Likewise.
+ * tests/tst-pam_get_item.c: Likewise.
+ * tests/tst-pam_getenvlist.c: Likewise.
+ * tests/tst-pam_set_data.c: Likewise.
+ * tests/tst-pam_set_item.c: Likewise.
+ * tests/tst-pam_start.c: Likewise.
+ * tests/tst-pam_start_confdir.c: Likewise.
+
+2021-06-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: do not use crypt_checksalt when checking for password expiration
+ According to Zack Weinberg, the intended meaning of
+ CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+ method", it is not supposed to mean "force a password change on next
+ login for any user with an existing stored hash using this method".
+
+ This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+ * modules/pam_unix/passverify.c (check_shadow_expiry)
+ [CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+ Closes: https://github.com/linux-pam/linux-pam/issues/367
+
+2021-06-10 Patrick Schleizer <adrelanos@whonix.org>
+
+ pam_exec: implement quiet_log option.
+ * modules/pam_exec/pam_exec.c (call_exec): Implement quiet_log option.
+ * modules/pam_exec/pam_exec.8.xml: Document it.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/334
+
+2021-05-24 Jeff Squyres <jsquyres@cisco.com>
+
+ pam.conf: clarify default action for unspecified return codes.
+ Add short blurbs explaining that if a return code is not specified in
+ the "[value1=action1 value2=action2 ...]" form and "default=action" is
+ not specified, that return code's action defaults to "bad".
+
+2021-05-01 Hasan <aliyevH@hotmail.com>
+
+ man: fix spelling bug in pam_end.3.xml.
+ * doc/man/pam_end.3.xml: Fix repeated words.
+
+2021-04-25 simmon <simmon@nplob.com>
+
+ po: update translations using Weblate (Korean)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-04-25 Emilio Herrera <ehespinosa57@gmail.com>
+
+ po: update translations using Weblate (Spanish)
+ Currently translated at 81.8% (81 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
+
+2021-04-22 Josef Moellers <jmoellers@suse.de>
+
+ pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE.
+ Replace it with a value obtained from /proc/sys/fs/nr_open
+
+ * modules/pam_limits/limits.conf.5.xml: Document the replacement.
+ * modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
+ value with a value obtained from /proc/sys/fs/nr_open
+
+2021-04-21 Stanislav Zidek <szidek@redhat.com>
+
+ pam_userdb: Prevent garbage characters from db.
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
+
+2021-04-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ misc_conv: Flush the terminal input after the password is read.
+ Fixes #347
+
+ * libpam_misc/misc_conv.c (read_string): Use TCSAFLUSH instead
+ of TCSADRAIN when resetting the terminal echo state
+
+2021-04-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: clean up the remote host matching code.
+ * modules/pam_access/pam_access.c (from_match): Split out remote_match()
+ function and avoid calling it when matching against LOCAL keyword.
+ There is also no point in doing domain match against TTY or SERVICE.
+
+2021-03-25 chuanqin <chuanqing.qin@nokia-sbell.com>
+
+ pam_faillock: convert spaces to tab to keep code style.
+ convert spaces to tab which mixture use in modules/pam_faillock/main.c
+
+2021-03-08 theslimshaney <33791263+theslimshaney@users.noreply.github.com>
+
+ pam_env: fix example in pam_env.conf.5 for setting variable.
+
+2021-03-05 dshein-alt <76520100+dshein-alt@users.noreply.github.com>
+
+ pam_mkhomedir: use HOME_MODE or UMASK from /etc/login.defs.
+ Follow the example of useradd(8) and set the user home directory mode
+ to the value of HOME_MODE or UMASK configuration item from
+ /etc/login.defs when umask option is not specified.
+
+2021-02-13 Ricky Tigg <ricky.tigg@gmail.com>
+ Ricky Tigg <ricky.tigg@gmail.com>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2021-02-13 Balázs Meskó <meskobalazs@mailbox.org>
+ Balázs Meskó <meskobalazs@mailbox.org>
+
+ po: update translations using Weblate (Hungarian)
+ Currently translated at 77.7% (77 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/
+
+2021-02-13 Carmen Bianca Bakker <carmen@carmenbianca.eu>
+ Carmen Bianca Bakker <carmen@carmenbianca.eu>
+
+ po: update translations using Weblate (Esperanto)
+ Currently translated at 43.4% (43 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/eo/
+
+2021-02-13 Weblate <noreply@weblate.org>
+ Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+ Translation: linux-pam/master
+
+2021-01-27 Changqing Li <changqing.li@windriver.com>
+
+ configure.ac: add --with-systemdunitdir option.
+ * Add this option to support the following scenario:
+ prefix = '/usr'
+ servicedir = '/lib/systemd/system'
+
+ * The default behavior is changed:
+ If this option is not given, servicedir will be set to the value that is
+ obtained from systemd pkg-config file. If the value cannot be obtained,
+ servicedir will be set to the default value '$(prefix)/lib/systemd/system'.
+
+2021-01-27 Changqing Li <changqing.li@windriver.com>
+
+ faillock: create tallydir before creating tallyfile.
+ The default tallydir is "/var/run/faillock", and this default
+ tallydir may not exist.
+
+ Function open may fail as tallydir does not exist when creating
+ the tallyfile. Therefore, faillock will not work well.
+
+ Fix this problem by creating tallydir before creating tallyfile
+ when the tallydir does not exist.
+
+2021-01-27 Ludwig Nussel <ludwig.nussel@suse.de>
+
+ pam_securetty: don't complain about missing config.
+ Not shipping a config file should be perfectly valid for distros while
+ still having eg login pre-configured to honor securetty when present.
+ PAM itself doesn't ship any template either. So avoid spamming the log
+ file if /etc/securetty wasn't found.
+
+2021-01-25 Kolja <razzeee@gmail.com>
+
+ faillock: Use pluralization via dngettext or fallback.
+
+2021-01-18 Andreas-Johann Ø Ulvestad <aj@aju.no>
+ Andreas-Johann Ø Ulvestad <aj@aju.no>
+
+ po: update translations using Weblate (Norwegian Nynorsk)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nn/
+
+2021-01-18 Jan Kuparinen <copper_fin@hotmail.com>
+ Jan Kuparinen <copper_fin@hotmail.com>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-12-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_umask: fix handling of umask parameter.
+ Potential failures of strdup(3) were ignored, fix this by not using
+ strdup(3) at all.
+
+ * modules/pam_umask/pam_umask.c (struct options_t): Add const to umask
+ field, add login_umask field.
+ (parse_option): Do not use strdup.
+ (get_options): Assign pam_modutil_search_key return values
+ to options->login_umask.
+ (pam_sm_open_session): Free options.login_umask instead of
+ options.umask.
+
+2020-12-28 Sven Hartge <sven@svenhartge.de>
+
+ pam_setquota: Minor whitespace, spelling and mail address fixes.
+
+2020-12-26 Vlad <milovlad@outlook.com>
+ Vlad <milovlad@outlook.com>
+
+ po: update translations using Weblate (Romanian)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ro/
+
+2020-12-23 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: fix umask wording in documentation.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml (umask): Fix wording.
+
+2020-12-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Bulgarian)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/bg/
+
+2020-12-17 Issam E. Maghni <issam.e.maghni@mailbox.org>
+
+ configure: test -a|o is not POSIX.
+ Fixes `test: too many arguments` when building Linux-PAM using sbase.
+ This is due to a non-POSIX syntax test ... -a ... and test ... -o ....
+
+ > The XSI extensions specifying the -a and -o binary primaries and the
+ > '(' and ')' operators have been marked obsolescent.
+
+ See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
+
+2020-12-08 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_namespace: check for string_to_security_class failure.
+ Check for the unlikely case string_to_security_class() does not find the
+ associated SELinux security class.
+ This will only happen if the loaded SELinux policy does not define the
+ class "dir" (which no sane policy does) or querying the selinuxfs
+ fails.
+
+ Suggested by #309
+
+2020-12-08 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_selinux: check for string_to_security_class failure.
+ Check for the unlikely case string_to_security_class() does not find the
+ associated SELinux security class.
+ This will only happen if the loaded SELinux policy does not define the
+ class "chr_file" (which no sane policy does) or querying the selinuxfs
+ fails.
+
+ Suggested by #309
+
+2020-12-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Clarify the effect of 'done' in documentation.
+ The done action does not terminate the stack processing in case
+ there is a failing module with bad action up in the stack.
+
+ Fixes #307
+
+ * doc/man/pam.conf-syntax.xml: Clarify the effect of 'done'.
+
+2020-11-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ .github: partially migrate from ubuntu-18.04 to ubuntu-20.04.
+ * .github/workflows/ci.yml (runs-on): Switch from ubuntu-latest to
+ ubuntu-20.04 for whitespace-errors and *-x86_64 jobs. Stick with
+ ubuntu-18.04 for *-x86 and *-x32 jobs until we figure out how to
+ obtain -lcrypt on ubuntu-20.04 for these architectures.
+
+2020-11-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ ci: do not install libxcrypt-dev.
+ Apparently, both -lcrypt and -lxcrypt from ubuntu-18.04 already provide
+ crypt_r.
+
+ * ci/install-dependencies.sh (packages): Remove libxcrypt-dev.
+
+2020-11-24 Thomas M. DuBuisson <tommd@muse.dev>
+
+ pam_unix: fix memory leak on error path.
+ * modules/pam_unix/bigcrypt.c (bigcrypt) [HAVE_CRYPT_R]: Do not leak
+ cdata if crypt_r() fails.
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ maint: update release procedure.
+ * maint/README-release: Update.
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update .po and .pot files.
+ Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
+ command. This removes translations of pam_cracklib, pam_tally, and
+ pam_tally2 modules that were removed in v1.5.0.
+
+ Complements: v1.5.0~10 "Remove deprecated pam_cracklib module"
+ Complements: v1.5.0~9 "Remove deprecated pam_tally and pam_tally2 modules"
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: cleanup POTFILES.in.
+ * po/POTFILES.in: Strip "./" prefix, sort the list.
+
+2020-11-24 Jan Kuparinen <copper_fin@hotmail.com>
+ Jan Kuparinen <copper_fin@hotmail.com>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ Prepare for 1.5.1 release.
+ * configure.ac (AC_INIT): Raise version to 1.5.1.
+
+ Fix various typos found using codespell tool.
+ * modules/pam_limits/limits.conf: Replace "overriden" with "overridden".
+ * modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Replace
+ "preseves" with "preserves".
+ * modules/pam_setquota/pam_setquota.8.xml: Replace "specifed" with
+ "specified".
+ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Replace
+ "fileystem" with "filesystem", "conditons" with "conditions".
+
+ Fix grammar: replace "an user" with "a user" everywhere.
+ * NEWS: Replace "an user" with "a user".
+ * modules/pam_faillock/pam_faillock.8.xml: Likewise.
+ * modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
+ * modules/pam_limits/pam_limits.c: Likewise.
+ * modules/pam_sepermit/sepermit.conf: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+ * modules/pam_userdb/pam_userdb.c: Likewise.
+
+2020-11-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_wheel: Use pam_modutil_user_in_group_uid_gid instead of reimplementation
+ The pam_modutil_user_in_group... functions use getgrouplist to check
+ the membership so they work also in setups with remote services which do
+ not provide group members in struct group.
+
+ Fixes #297
+
+ * modules/pam_wheel/pam_wheel.c (perform_check): Call pam_modutil_user_in_group_uid_gid
+ to do the group check.
+
+2020-11-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add NEWS entries for the 1.5.1 security fix release.
+
+2020-11-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Second blank check with root for non-existent users must never return 1.
+ The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
+ a regression where the blank check could return 1 if root had an empty
+ password hash because in the second case the password hash of root was
+ used. We now always return 0 in this case.
+
+ The issue was found by Johannes Löthberg.
+
+ Fixes #284
+
+ * modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
+ to cover the complete blank check so both existing and non existing
+ cases are identical except for the possible return value.
+
+2020-11-12 Tavian Barnes <tavianator@tavianator.com>
+
+ faillock: Add a nodelay option.
+ Fixes #295
+
+2020-11-10 Allison Karlitskaya <allison.karlitskaya@redhat.com>
+
+ libpam: add supplementary groups on priv drop.
+ Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a
+ call to initgroups(). This makes sure that the user's supplementary
+ groups are also configured. Fall back to setgroups(0, NULL) in case the
+ initgroups() call fails.
+
+ This fixes the permission check in pam_motd: this feature was intended
+ to allow setting permissions on a motd file to prevent it from being
+ shown to users who are not a member of a particular group (for example,
+ wheel).
+
+ Closes #292
+
+2020-11-05 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: deprecation notice of reading the user environment.
+ * modules/pam_env/pam_env.8.xml: Add the notice to the manual.
+ * modules/pam_env/pam_env.c (_pam_parse): Log deprecation warning
+ if user_readenv is set.
+
+2020-11-04 Andreas Schneider <asn@cryptomilk.org>
+
+ libpam: Fix memory leak on error path in _pam_start_internal()
+
+2020-11-04 Andreas Schneider <asn@cryptomilk.org>
+
+ libpam: Fix memory leak with pam_start_confdir()
+ Found with AddressSanitzer in pam_wrapper tests.
+
+ ==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
+ ==985738== at 0x4839809: malloc (vg_replace_malloc.c:307)
+ ==985738== by 0x48957E1: _pam_strdup (pam_misc.c:129)
+ ==985738== by 0x489851B: _pam_start_internal (pam_start.c:85)
+ ==985738== by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
+ ==985738== by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
+ ==985738== by 0x484AFEE: pam_start (pam_wrapper.c:1483)
+ ==985738== by 0x401723: setup_noconv (test_pam_wrapper.c:189)
+ ==985738== by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
+ ==985738== by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
+ ==985738== by 0x403EE5: main (test_pam_wrapper.c:1059)
+
+2020-11-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: allow environment files without EOL at EOF.
+ Fixes #263
+
+ * modules/pam_env/pam_env.c (_assemble_line): Do not error out if at feof()
+
+2020-11-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ Prepare for 1.5.0 release.
+ * configure.ac (AC_INIT): Raise version to 1.5.0.
+ * NEWS: Update.
+
+2020-11-03 ikerexxe <ipedrosa@redhat.com>
+
+ pam_ftp: fix potential memory leak.
+ modules/pam_ftp/pam_ftp.c: free anon_user before returning as it may be
+ still in use.
+
+ pam_faillock: fix unread store statement.
+ modules/pam_faillock/main.c: remove store statement since the value is
+ only read in the enclosing expression.
+
+ pam_dispatch: fix unread store statement.
+ libpam/pam_dispatch: remove store statement since the value is never
+ read.
+
+2020-10-29 Dmitry V. Levin <ldv@altlinux.org>
+
+ Remove deprecated pam_tally and pam_tally2 modules.
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
+ --enable-tally --enable-tally2.
+ * configure.ac: Remove --enable-tally and --enable-tally2 options.
+ (AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
+ (AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and
+ modules/pam_tally2/Makefile.
+ * doc/sag/pam_tally.xml: Remove.
+ * doc/sag/pam_tally2.xml: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and
+ pam_tally2.xml.
+ * modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove.
+ (SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2.
+ * modules/pam_tally/.gitignore: Remove.
+ * modules/pam_tally/Makefile.am: Likewise.
+ * modules/pam_tally/README.xml: Likewise.
+ * modules/pam_tally/faillog.h: Likewise.
+ * modules/pam_tally/pam_tally.8.xml: Likewise.
+ * modules/pam_tally/pam_tally.c: Likewise.
+ * modules/pam_tally/pam_tally_app.c: Likewise.
+ * modules/pam_tally/tst-pam_tally: Likewise.
+ * modules/pam_tally2/.gitignore: Likewise.
+ * modules/pam_tally2/Makefile.am: Likewise.
+ * modules/pam_tally2/README.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.8.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.c: Likewise.
+ * modules/pam_tally2/pam_tally2_app.c: Likewise.
+ * modules/pam_tally2/tallylog.h: Likewise.
+ * modules/pam_tally2/tst-pam_tally2: Likewise.
+ * modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing
+ pam_tally with pam_timestamp.
+ * po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c,
+ ./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c,
+ and ./modules/pam_tally2/pam_tally2.c.
+ * NEWS: Document this change.
+
+ Remove deprecated pam_cracklib module.
+ * ci/install-dependencies.sh: Remove libcrack2-dev.
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
+ --enable-cracklib=check.
+ * conf/pam.conf: Remove references to pam_cracklib.so.
+ * configure.ac: Remove --enable-cracklib option.
+ (AC_SUBST): Remove LIBCRACK.
+ (AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB.
+ (AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile.
+ * doc/sag/pam_cracklib.xml: Remove.
+ * doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml.
+ * modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove.
+ (SUBDIRS): Remove MAYBE_PAM_CRACKLIB.
+ * modules/pam_cracklib/Makefile.am: Remove.
+ * modules/pam_cracklib/README.xml: Likewise.
+ * modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
+ * modules/pam_cracklib/pam_cracklib.c: Likewise.
+ * modules/pam_cracklib/tst-pam_cracklib: Likewise.
+ * xtests/tst-pam_cracklib1.c: Likewise.
+ * xtests/tst-pam_cracklib1.pamd: Likewise.
+ * xtests/tst-pam_cracklib2.c: Likewise.
+ * xtests/tst-pam_cracklib2.pamd: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib
+ in examples with pam_passwdqc.
+ * modules/pam_unix/pam_unix.8.xml: Likewise.
+ * po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c.
+ * xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2.
+ * xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd
+ and tst-pam_cracklib2.pamd.
+ (XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2.
+ * NEWS: Document this change.
+
+2020-10-27 DDoSolitary <DDoSolitary@gmail.com>
+
+ pam_env: fix a typo in doc of pam_env.conf.
+
+2020-10-25 Christian Göttsche <cgzones@googlemail.com>
+
+ Add missing format function attributes and enable -Wmissing-format-attribute
+ Exported functions already have these attributes, add them to other functions.
+ This enables compilers to find format specifier mismatches, like:
+
+ foo_print("Hello %d", "world")
+
+ * m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wmissing-format-attribute.
+ * conf/pam_conv1/Makefile.am (AM_CFLAGS): Add -I$(top_srcdir)/libpam/include.
+ * conf/pam_conv1/pam_conv_y.y: Include <security/_pam_types.h>.
+ (yyerror): Add printf format attribute.
+ * modules/pam_pwhistory/opasswd.c (helper_log_err): Likewise.
+ * modules/pam_rootok/pam_rootok.c (log_callback): Likewise.
+ * modules/pam_tally/pam_tally.c (tally_log): Likewise.
+ * modules/pam_tally2/pam_tally2.c (tally_log): Likewise.
+ * modules/pam_unix/passverify.c (helper_log_err): Likewise.
+
+2020-10-21 Milo Casagrande <milo@milo.name>
+ Milo Casagrande <milo@milo.name>
+
+ po: update translations using Weblate (Italian)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2020-10-21 Yaron Shahrabani <sh.yaron@gmail.com>
+ Yaron Shahrabani <sh.yaron@gmail.com>
+
+ po: update translations using Weblate (Hebrew)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-10-21 ikerexxe <ipedrosa@redhat.com>
+
+ pam_motd: unset prompt value to drop privileges.
+ modules/pam_motd/pam_motd.c: set NULL value instead of "key user" for the
+ prompt when dropping privileges.
+
+2020-10-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_modutil_sanitize_fds: Add explicit casts to avoid warnings.
+
+ Revert "libpam/pam_modutil_sanitize.c: optimize the way to close fds"
+ This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
+
+2020-10-14 ikerexxe <ipedrosa@redhat.com>
+
+ pam_motd: document file filtering.
+ modules/pam_motd/pam_motd.8.xml: document file filtering of motd
+ messages.
+ NEWS: annotate change.
+
+2020-10-14 ikerexxe <ipedrosa@redhat.com>
+
+ pam_motd: filter motd by user and group.
+ modules/pam_motd/pam_motd.c: filter motd by user and group owning the
+ proper files. This is achieved by changing the ids of the process
+ reading the files from root to the target user.
+
+ Resolves:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1861640
+
+2020-10-13 Mikhail Labiuk <m.labyuk@omprussia.ru>
+
+ pam_faillock: fix invalid error message.
+ args_parse function pass "conf=" argument to set_conf_opt() after handling by self.
+ set_conf_opt is not able to handle "conf" argument and write error:
+ sddm-helper[415]: pam_faillock(sddm:auth): Unknown option: conf
+
+2020-10-05 ikerexxe <ipedrosa@redhat.com>
+
+ pam_namespace: polyinstantiation refer to gdm doc.
+ modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
+ about polyinstantiation and refer to gdm's documentation.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
+
+2020-09-30 Anton D. Kachalov <rnouse@google.com>
+
+ Prevent SEGFAULT for unknown UID.
+ When running systemd service with DynamicUser being set, the dynamic UID
+ might be not mapped to user name (/etc/nsswitch.conf is not configured
+ with systemd nss module).
+
+ The getuidname() routine might return NULL and this is not checked by callee.
+
+2020-09-10 ikerexxe <ipedrosa@redhat.com>
+
+ pam_wheel: clarify use_uid option in man page.
+ modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
+ real uid of the calling process.
+
+2020-09-10 ikerexxe <ipedrosa@redhat.com>
+
+ pam_wheel: if getlogin fails fallback to PAM_RUSER.
+ modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
+ ID, then try with PAM_RUSER.
+
+ Resolves:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1866866
+
+2020-09-10 ikerexxe <ipedrosa@redhat.com>
+
+ pam_wheel: improve coding style.
+ modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
+ condition statements
+
+2020-08-08 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure: add --disable-unix option.
+ Some distributions do not build pam_unix, e.g. ALT uses pam_tcb instead.
+ Add a configure option to disable build of pam_unix so that those who
+ choose not to build pam_unix no longer have to edit modules/Makefile.am
+ file. The default is unchanged, i.e. build of pam_unix is enabled.
+
+ * configure.ac (AC_ARG_ENABLE): Add unix.
+ (AM_CONDITIONAL): Add COND_BUILD_PAM_UNIX.
+ * modules/Makefile.am [COND_BUILD_PAM_UNIX] (MAYBE_PAM_UNIX): Define.
+ (SUBDIRS): Replace pam_unix with $(COND_BUILD_PAM_UNIX).
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ Build all installed executables with -Wl,-z,now if available.
+ This makes them built with full RELRO if -Wl,-z,relro is specified.
+
+ * m4/ld-z-now.m4: New file.
+ * m4/.gitignore: Add it to exclude list.
+ * configure.ac: Call PAM_LD_Z_NOW.
+ (EXE_LDFLAGS): Append $ZNOW_LDFLAGS.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: build all helpers with proper CFLAGS and LDFLAGS.
+ This makes all installed executables built with @EXE_CFLAGS@ and
+ @EXE_LDFLAGS@.
+
+ * modules/pam_mkhomedir/Makefile.am (mkhomedir_helper_CFLAGS,
+ mkhomedir_helper_LDFLAGS): New variables.
+ * modules/pam_tally/Makefile.am (pam_tally_CFLAGS, pam_tally_LDFLAGS):
+ Likewise.
+ * modules/pam_tally2/Makefile.am (pam_tally2_CFLAGS,
+ pam_tally2_LDFLAGS): Likewise.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: rename PIE_* AC_SUBST variables to EXE_*
+ There are going to be other options added to CFLAGS and LDFLAGS
+ of executables made along with modules.
+
+ * configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from
+ PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of
+ PIE_CFLAGS and PIE_LDFLAGS. All users updated.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ m4: make libprelude-config diagnostics less noisy.
+ Before this change, every normal build of Linux-PAM used to contain
+ the following diagnostics:
+
+ checking for libprelude-config... no
+ checking for libprelude - version >= 0.9.0... no
+ *** The libprelude-config script installed by LIBPRELUDE could not be found
+ *** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in
+ *** your path, or set the LIBPRELUDE_CONFIG environment variable to the
+ *** full path to libprelude-config.
+
+ Given that libprelude-config is rarely used nowadays,
+ the first two lines of diagnostics should be enough.
+
+ * m4/libprelude.m4 (AM_PATH_LIBPRELUDE): When libprelude-config
+ is not found, do not print the lengthy diagnostics unless
+ --with-libprelude-prefix was specified.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure.ac: rewrite --disable-pie and -fpie/pie check.
+ * configure.ac: Rewrite -fpie/pie check using AC_LINK_IFELSE to make
+ the code more readable. Add --enable-pie=check support and make it
+ the default, terminate if --enable-pie is specified but -fpie/pie
+ support is not available.
+
+ m4: rewrite ld --no-undefined check.
+ * m4/ld-no-undefined.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+ autoconf macro.
+
+ m4: rewrite ld --as-needed check.
+ * m4/ld-as-needed.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+ autoconf macro.
+
+ m4: rewrite ld -O1 check.
+ * m4/ld-O1.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+ autoconf macro.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ m4: rewrite __attribute__((unused)) check.
+ Rewrite using AC_CACHE_CHECK to create a more readable autoconf macro.
+
+ * m4/attribute.m4: New file.
+ * m4/japhar_grep_cflags.m4: Remove.
+ * m4/.gitignore: Replace japhar_grep_cflags.m4 with attribute.m4.
+ * configure.ac: Replace AC_C___ATTRIBUTE__ with PAM_ATTRIBUTE_UNUSED.
+
+2020-08-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: add -Wcast-align=strict to WARN_CFLAGS.
+ This way -Wcast-align will be tested regardless of the target machine.
+
+ * m4/warn_lang_flags.m4: Add gl_WARN_ADD([-Wcast-align=strict]).
+
+2020-08-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure.ac: rewrite WARN_CFLAGS initialization.
+ As the old machinery was not prepared for adding compiler options
+ conditionally when the compiler supports them, replace it with
+ a new machinery that implements this.
+
+ * m4/warnings.m4: New file.
+ * m4/warn_lang_flags.m4: Likewise.
+ * m4/.gitignore: Add exclusions for them.
+ * m4/japhar_grep_cflags.m4 (JAPHAR_GREP_CFLAGS): Remove.
+ * configure.ac: Call pam_WARN_LANG_FLAGS. Remove all uses
+ of JAPHAR_GREP_CFLAGS.
+
+2020-08-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix -Wcast-align compilation warnings on arm.
+ Apparently, gcc is also not smart enough to infer the alignment
+ of structure fields, for details see
+ https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133
+
+ Use unions to avoid these casts altogether, this fixes compilation
+ warnings reported by gcc on arm, e.g.:
+
+ md5.c: In function 'MD5Update':
+ md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align]
+ 92 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+ md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align]
+ 101 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+ md5.c: In function 'MD5Final':
+ md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align]
+ 136 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+ md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align]
+ 147 | memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+ | ^
+ md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align]
+ 149 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+
+ * modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and
+ "in" fields with unions. All users updated.
+ * modules/pam_unix/md5.h (struct MD5Context): Likewise.
+ * modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace
+ with a union. All users updated.
+
+ Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
+
+2020-08-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: fix big-endian check in md5 implementation.
+ * modules/pam_namespace/md5.c: Do not check against the list of
+ architectures that are known to be little-endian, instead check
+ for WORDS_BIGENDIAN macro defined by AC_C_BIGENDIAN autoconf macro
+ on big-endian platforms.
+
+2020-08-05 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_namespace: skip context translation.
+ These retrieved contexts are just passed to libselinux functions and not
+ printed or otherwise made available to the outside, so a context
+ translation to human readable MCS/MLS labels is not needed.
+ (see man:setrans.conf(5))
+
+ pam_xauth: skip context translation.
+ The retrieved context is just passed to libselinux functions and not
+ printed or otherwise made available to the outside, so a context
+ translation to human readable MCS/MLS labels is not needed.
+ (see man:setrans.conf(5))
+
+ pam_xauth: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+ pam_unix: skip context translation.
+ These retrieved contexts are just passed to libselinux functions and not
+ printed or otherwise made available to the outside, so a context
+ translation to human readable MCS/MLS labels is not needed.
+ (see man:setrans.conf(5))
+
+ pam_unix: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+ pam_rootok: skip context translation.
+ The retrieved context is just passed to the libselinux function
+ 'selinux_check_access()', so a context translation to human readable
+ MCS/MLS labels is not needed. (see man:setrans.conf(5))
+
+ pam_rootok: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+ pam_namespace: replace deprecated matchpathcon.
+ The matchpathcon family is deprecated.
+ Use the selabel family.
+
+ pam_namespace: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+2020-08-03 Christian Göttsche <cgzones@googlemail.com>
+
+ autotools: enable warnings.
+
+2020-08-03 Christian Göttsche <cgzones@googlemail.com>
+
+ autotools: update deprecated macros.
+ see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Obsolete-Macros.html
+
+ - update AC_HELP_STRING to AS_HELP_STRING
+ - update AC_TRY_COMPILE to AC_COMPILE_IFELSE
+ - update AC_TRY_RUN to AC_RUN_IFELSE
+ - update AC_TRY_LINK to AC_LINK_IFELSE
+
+2020-08-03 Issam Maghni <concatime@users.noreply.github.com>
+
+ configure.ac: fix typo in --with-kernel-overflow-uid= option to match its documentation
+
+2020-07-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Add comment for the ignored PAM_AUTHTOK_ERR case.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Add comment
+ about the reason for ignoring PAM_AUTHTOK_ERR.
+
+2020-07-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix missing initialization of daysleft.
+ The daysleft otherwise stays uninitialized if there is no shadow entry.
+
+ Regression from commit f5adefa.
+
+ Fixes #255
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
+
+2020-07-20 Charles Lee <lchopn@gmail.com>
+
+ po: update translations using Weblate (Chinese (Simplified))
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
+
+2020-07-20 ikerexxe <ipedrosa@redhat.com>
+
+ pam_pwhistory: add helper to handle SELinux.
+ The purpose of the helper is to enable tighter confinement of login and
+ password changing services. The helper is thus called only when SELinux
+ is enabled on the system.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/247
+
+2020-07-19 A S Alam <amanpreet.alam@gmail.com>
+
+ po: update translations using Weblate (Punjabi)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pa/
+
+2020-07-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_inline.h: cleanup pam_read_passwords a bit.
+ * libpam/include/pam_inline.h (pam_read_passwords): Increment pptr once
+ instead of using pptr+1 several times. This change is not expected
+ to affect the code generated by the compiler as the latter is likely
+ to perform the optimization itself.
+
+2020-07-15 ikerexxe <ipedrosa@redhat.com>
+
+ Move read_passwords function from pam_unix to pam_inline.h.
+ [ldv: rewrote commit message]
+
+ * modules/pam_unix/passverify.h (read_passwords): Remove prototype.
+ * modules/pam_unix/passverify.c (read_passwords): Move ...
+ * libpam/include/pam_inline.h: ... here, rename to pam_read_passwords,
+ add static inline qualifiers.
+ Include <unistd.h> and <errno.h>.
+ * modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
+ (main): Replace read_passwords with pam_read_passwords.
+ * modules/pam_unix/unix_update.c: Include "pam_inline.h".
+ (set_password): Replace read_passwords with pam_read_passwords.
+
+2020-07-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: use PAM_MAX_RESP_SIZE instead of its alias MAXPASS.
+ * modules/pam_unix/passverify.h (MAXPASS): Remove.
+ * modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS
+ with PAM_MAX_RESP_SIZE.
+ * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise.
+ * modules/pam_unix/support.c (_unix_verify_password): Likewise.
+ * modules/pam_unix/unix_chkpwd.c (main): Likewise.
+ * modules/pam_unix/unix_update.c (set_password): Likewise.
+
+2020-07-09 Lucas Ramage <ramage.lucas@protonmail.com>
+
+ pam_stress: create man page.
+ Resolves: https://github.com/linux-pam/linux-pam/issues/148
+
+ * modules/pam_stress/README: Remove.
+ * modules/pam_stress/README.xml: New file.
+ * modules/pam_stress/pam_stress.8.xml: Likewise.
+ * modules/pam_stress/Makefile.am (MAINTAINERCLEANFILES): Add
+ $(MANS) and README.
+ (EXTRA_DIST): Add $(XMLS).
+ (XMLS): Add README.xml and pam_stress.8.xml.
+ [HAVE_DOC] (dist_man_MANS): Add pam_stress.8.
+ [ENABLE_REGENERATE_MAN] (dist_noinst_DATA): Add README.
+ [ENABLE_REGENERATE_MAN]: Include $(top_srcdir)/Make.xml.rules.
+ * modules/pam_stress/.gitignore: Remove.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/184
+
+2020-07-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Slovak)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+ po: update translations using Weblate (Portuguese (Brazil))
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ po: update translations using Weblate (Dutch)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+ po: update translations using Weblate (Italian)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+ po: update translations using Weblate (German)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+ po: update translations using Weblate (Catalan)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2020-07-05 Yaron Shahrabani <sh.yaron@gmail.com>
+
+ Translated using Weblate (Hebrew)
+ Currently translated at 75.4% (92 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+ Translated using Weblate (Arabic)
+
+ Currently translated at 61.4% (75 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ar/
+
+2020-07-02 Dmitry V. Levin <ldv@altlinux.org>
+
+ misc_conv: fix potential information leak on error path.
+ * libpam_misc/misc_conv.c (read_string): Clear the stack buffer from
+ data read earlier from stdin in case of a read error.
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ pam_loginuid: fix unlikely negative 3rd argument of strncmp on error path
+ [ldv: rewrote commit message]
+
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Do not pass to
+ strncmp the return value of pam_modutil_read in an unlikely case when
+ the latter fails to read from /proc/self/uid_map.
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ pam_namespace, pam_mkhomedir: fix unlikely descriptor leaks on error path
+ [ldv: rewrote commit message]
+
+ * modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just
+ opened file descriptor "srcfd" in an unlikely case when it cannot be
+ fstat'ed.
+ * modules/pam_namespace/pam_namespace.c (create_instance): Close just
+ opened file descriptor "fd" in an unlikely case when it cannot be
+ fstat'ed.
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ pam_rootok: fix use of va_list.
+ CPPCHECK_WARNING (CWE-843):
+ error[va_end_missing]: va_list 'ap' was opened but not closed by
+ va_end().
+
+ [ldv: According to POSIX documentation, each invocation of va_start()
+ must be matched by a corresponding invocation of va_end().
+
+ According to the GNU libc documentation, "with most C compilers,
+ calling 'va_end' does nothing. This is always true in the GNU C
+ compiler. But you might as well call 'va_end' just in case your
+ program is someday compiled with a peculiar compiler."
+
+ The main reason for applying this change is to pacify static analysis
+ tools like cppcheck that insist on strict POSIX conformance in this
+ respect.]
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ misc_conv: fix potential stack buffer overflow.
+ [ldv: rewrote commit message]
+
+ * libpam_misc/misc_conv.c (read_string): Use _pam_overwrite_n instead
+ of _pam_overwrite to clear stack buffer "line" because the latter does
+ not have to be null-terminated.
+
+2020-07-01 Yaron Shahrabani <sh.yaron@gmail.com>
+
+ Translated using Weblate (Hebrew)
+ Currently translated at 60.6% (74 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-06-30 Dmitry V. Levin <ldv@altlinux.org>
+
+ misc_conv: remove redundant check.
+ * libpam_misc/misc_conv.c (read_string): Remove redundant nc > 0
+ check as it has already been tested in the previous condition.
+
+2020-06-29 ikerexxe <ipedrosa@redhat.com>
+
+ pam_limits: clarify configuration file.
+ Resolves: https://github.com/linux-pam/linux-pam/pull/249
+
+2020-06-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ .gitignore: move doc-specific entries to doc/.gitignore.
+
+ .gitignore: move module-specific entries to modules/.gitignore.
+
+2020-06-26 ikerexxe <ipedrosa@redhat.com>
+
+ pam_namespace: add systemd service file to gitignore.
+ * modules/pam_namespace/.gitignore: Add pam_namespace.service.
+
+ Complements: v1.4.0~247 ("pam_namespace: secure tmp-inst directories")
+
+2020-06-26 ikerexxe <ipedrosa@redhat.com>
+
+ pam_faillock: add faillock executable to gitignore.
+ * modules/pam_faillock/.gitignore: Add faillock.
+
+ Complements: v1.4.0~76 ("pam_faillock: New module for locking after multiple auth failures")
+
+2020-06-25 ikerexxe <ipedrosa@redhat.com>
+
+ pam_env: clarify user_readenv option.
+
+2020-06-24 Baurzhan Muftakhidinov <baurthefirst@gmail.com>
+
+ Translated using Weblate (Kazakh)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
+
+2020-06-24 Yaron Shahrabani <sh.yaron@gmail.com>
+
+ Translated using Weblate (Hebrew)
+ Currently translated at 44.2% (54 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-06-22 Vito Caputo <vcaputo@pengaru.com>
+
+ modules/pam_limits: add support for nonewprivs.
+ Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item.
+
+ The valid values are a boolean toggle 0/1 to keep semi-consistent
+ with the other numeric limits. It's slightly awkward as this is
+ an oddball relative to the other items in pam_limits but outside
+ of the item value itself this does seem at home in pam_limits.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/224
+ Resolves: https://github.com/linux-pam/linux-pam/pull/225
+
+2020-06-17 ikerexxe <ipedrosa@redhat.com>
+
+ pam_usertype: avoid determining if user exists.
+ Taking a look at the time for the password prompt to appear it was
+ possible to determine if a user existed in a system. Solved it by
+ matching the runtime until the password prompt was shown by always
+ checking the password hash for an existing and a non-existing user.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+
+2020-06-17 ikerexxe <ipedrosa@redhat.com>
+
+ pam_unix: avoid determining if user exists.
+ Taking a look at the time for the password prompt to appear it was
+ possible to determine if a user existed in a system. Solved it by
+ matching the runtime until the password prompt was shown by always
+ checking the password hash for an existing and a non-existing user.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+
+2020-06-17 ikerexxe <ipedrosa@redhat.com>
+
+ pam_faillock: change /run/faillock/$USER permissions to 0660.
+ Nowadays, /run/faillock/$USER files have user:root ownership and 0600
+ permissions. This forces the process that writes to these files to have
+ CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
+ the capability can be removed, which leads to a more secure system.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
+
+2020-06-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_modutil_check_user_in_passwd: avoid timing attacks.
+ * libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do
+ not exit the file reading loop when the user is found, continue reading
+ the file to avoid timing attacks.
+
+2020-06-15 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ pam_faillock: fix build on musl.
+ Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of
+ fgetpwent_r which is not available on musl.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/236
+ Resolves: https://github.com/linux-pam/linux-pam/pull/237
+ Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
+
+2020-06-15 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ Move check_user_in_passwd from pam_localuser.c to pam_modutil.
+
+ * modules/pam_localuser/pam_localuser.c: Include
+ <security/pam_modutil.h>.
+ (pam_sm_authenticate): Replace check_user_in_passwd with
+ pam_modutil_check_user_in_passwd.
+ (check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd,
+ move to ...
+ * libpam/pam_modutil_check_user.c: ... new file.
+ * libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
+ * libpam/include/security/pam_modutil.h
+ (pam_modutil_check_user_in_passwd): New function declaration.
+ * libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
+
+2020-06-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure.ac: fix non-portable use of test builtin.
+ Portable code should not assume that test builtin supports == operator.
+
+ * configure.ac (opt_uidmin, opt_sysuidmin, opt_kerneloverflowuid): Fix
+ initialization.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/241
+ Fixes: 926d7935e ("pam_usertype: new module to tell if uid is in login.defs ranges")
+
+2020-06-11 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: fix build failure when crypt() does not require libcrypt.
+ Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails
+ if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/235
+ Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
+ Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
+
+2020-06-04 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: do not generate tarballs compressed with bzip2 and gzip.
+ There are tarballs compressed with xz, that should be enough.
+
+ * Makefile.am (AUTOMAKE_OPTIONS): Remove dist-bzip2, add no-dist-gzip.
+ (releasedocs): Do not create Linux-PAM-$(VERSION)-docs.tar.bz2
+ and Linux-PAM-$(VERSION)-docs.tar.gz.
+
+2020-06-04 Dmitry V. Levin <ldv@altlinux.org>
+
+ maint: document release procedure.
+ * maint/README-release: New file.
+
+ maint: introduce gen-tag-message.
+ * maint/gen-tag-message: New script for preparing tag message.
+
+ maint: introduce make-dist.
+ * maint/make-dist: New script for preparing release tarballs.
+
+2020-06-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ gitlog-to-changelog: update from gnulib.
+
+2020-05-29 Josef Möllers <jmoellers@suse.de>
+ Tomáš Mráz <tmraz@redhat.com>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: skip mountpoints equal to the user's $HOME.
+ Matthias Gerstner found the following issue:
+
+ <quote>
+ So this pam_setquota module iterates over all mounted file systems using
+ `setmntent()` and `getmntent()`. It tries to find the longest match of
+ a file system mounted on /home/$USER or above (except when the
+ fs=/some/path parameter is passed to the pam module).
+
+ The thing is that /home/$USER is owned by the unprivileged user. And
+ there exist tools like fusermount from libfuse which is by default
+ installed setuid-root for everybody. fusermount allows to mount a FUSE
+ file system using an arbitrary "source device name" as the unprivileged
+ user.
+
+ Thus considering the following use case:
+
+ 1) there is only the root file system (/) or a file system is mounted on
+ /home, but not on /home/$USER.
+ 2) the attacker mounts a fake FUSE file system over its own home directory:
+
+ ```
+ user $ export _FUSE_COMMFD=0
+ user $ fusermount $HOME -ononempty,fsname=/dev/sda1
+ ```
+
+ This will result in a mount entry in /proc/mounts looking like this:
+
+ ```
+ /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
+ ```
+ 3) when the attacker now logs in with pam_setquota configured then
+ pam_setquota will identify /dev/sda1 and the file system where
+ to apply the user's quota on.
+
+ As a result an unprivileged user has full control over onto which block
+ device the quota is applied.
+ </quote>
+
+ If the user's $HOME is on a separate partition, setting a quota on the
+ user's $HOME does not really make sense, so this patch skips mountpoints
+ equal to the user's $HOME, preventing the above mentioned bug as
+ a side-effect (or vice-versa).
+
+ Reported-by: Matthias Gerstner <mgerstner@suse.de>
+ Resolves: https://github.com/linux-pam/linux-pam/pull/230
+
+2020-05-25 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_debug: do not invoke pam_get_user and do not set PAM_USER.
+ pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
+ pam_get_user returns an empty string as the user name. When either of
+ these functions returned an error value, it used to return that error
+ value. This hasn't been documented, and I couldn't find any rationale
+ for this behaviour.
+
+ * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
+ pam_get_user and pam_set_item.
+
+2020-05-24 Yi-Jyun Pan <pan93412@gmail.com>
+
+ Translated using Weblate (Chinese (Traditional))
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: downgrade syslog level for errors related to pam_get_user.
+ * modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
+ the syslog level for diagnostics of errors returned by
+ pam_modutil_getpwnam for users returned by pam_get_user
+ from LOG_ERR to LOG_NOTICE.
+ * modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
+ * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+ * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
+ pam_sm_close_session): Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
+ the syslog level for diagnostics of errors returned by
+ pam_modutil_getpwnam for users returned by pam_get_user
+ from LOG_WARNING to LOG_NOTICE.
+
+ Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: downgrade syslog level for pam_get_user errors.
+ * modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
+ the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
+ * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
+ * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
+ * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
+ * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+ * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+ * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+ * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
+ pam_sm_acct_mgmt): Likewise.
+ * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
+ pam_sm_close_session): Likewise.
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check):
+ Downgrade the syslog level for pam_get_user errors from LOG_WARNING
+ to LOG_NOTICE.
+ * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
+
+ Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: add a test for return values.
+ * modules/pam_localuser/tst-pam_localuser-retval.c: New file.
+ * modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.
+
+ pam_localuser: refactor pam_sm_authenticate.
+ * modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
+ function.
+ (pam_sm_authenticate): Use it.
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: downgrade syslog level for errors related to user input.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
+ the syslog level for errors related to pam_get_user from LOG_ERR to
+ LOG_NOTICE.
+
+ Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: re-format pam_sm_* function declarations.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: remove unused includes.
+ Also, remove unused MODULE_NAME macro.
+
+ * modules/pam_localuser/pam_localuser.c: Stop including unused header
+ files.
+ (MODULE_NAME): Remove.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: forward error values returned by pam_get_user.
+ Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
+ pam_get_user is guaranteed to return one of the following values:
+ PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
+ replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
+ PAM_SERVICE_ERR.
+ * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
+ new return values.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+ Give the application a chance to handle PAM_INCOMPLETE.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
+ PAM_CONV_AGAIN.
+ * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
+ it.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: open the passwd file after user name validation.
+ Since user name is untrusted input, it should be validated earlier
+ rather than later.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
+ the passwd file after user name validation.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: use BUFSIZ as the line buffer size.
+ As BUFSIZ is the buffer size used in stdio, it must be an efficient size
+ for the line buffer. Also, it's larger than LINE_MAX used as the line
+ buffer size before this change, effectively raising the maximum user
+ name length supported by this module.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
+ LINE_MAX with BUFSIZ.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: handle long lines in passwd files properly.
+ Before this change, a long line in the passwd file used to be treated as
+ several lines which could potentially result to false match and,
+ consequently, to incorrect PAM_SUCCESS return value.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
+ long lines in passwd files properly.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: get rid of a temporary buffer.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
+ copy the user name into a temporary buffer, use the user name itself in
+ comparisons.
+
+ pam_localuser: log unrecognized options.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
+ unrecognized options.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
+ When passwd file cannot be opened or the user name either cannot be
+ obtained or is not valid, return PAM_SERVICE_ERR instead of
+ PAM_SYSTEM_ERR.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: reject user names that are too long.
+ Too long user names used to be truncated which could potentially result
+ to false match and, consequently, to incorrect PAM_SUCCESS return value.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_SERVICE_ERR if the user name is too long.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: reject user names containing a colon.
+ "root:x" is not a local user name even if the passwd file contains
+ a line starting with "root:x:".
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_PERM_DENIED if the user name contains a colon.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: add a test for return values.
+ * modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
+ * modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.
+
+ pam_faildelay: add a test for return values.
+ * modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
+ * modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.
+
+ pam_rootok: add a test for return values.
+ * modules/pam_rootok/tst-pam_rootok-retval.c: New file.
+ * modules/pam_rootok/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_rootok_retval_LDADD): New variables.
+
+ pam_nologin: add a test for return values.
+ * modules/pam_nologin/tst-pam_nologin-retval.c: New file.
+ * modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables.
+
+ pam_echo: add a test for return values.
+ * modules/pam_echo/tst-pam_echo-retval.c: New file.
+ * modules/pam_echo/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_echo_retval_LDADD): New variables.
+
+ pam_warn: add a test for return values.
+ * modules/pam_warn/tst-pam_warn-retval.c: New file.
+ * modules/pam_warn/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_warn_retval_LDADD): New variables.
+
+ pam_debug: add a test for return values.
+ * modules/pam_debug/tst-pam_debug-retval.c: New file.
+ * modules/pam_debug/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_debug_retval_LDADD): New variables.
+
+ pam_permit: add a test for return values.
+ * modules/pam_permit/tst-pam_permit-retval.c: New file.
+ * modules/pam_permit/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_permit_retval_LDADD): New variables.
+
+ pam_deny: add a test for return values.
+ * modules/pam_deny/tst-pam_deny-retval.c: New file.
+ * modules/pam_deny/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_deny_retval_LDADD): New variables.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce test_assert.h.
+ Introduce a new internal header file for definitions of handy macros
+ providing convenient assertion testing functionality.
+
+ * libpam/include/test_assert.h: New file.
+ * libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.
+
+2020-05-21 Andreas Henriksson <andreas+fedora@fatal.se>
+
+ Translated using Weblate (Swedish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
+
+2020-05-17 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: fix the description of stack jump effects.
+ Every stack jump, besides the jump itself, has a side effect which is
+ one of 'ignore', 'ok', or 'bad'. Unfortunately, the side effect is far
+ from obvious because it depends on the PAM function call, and the
+ documentation that contradicts the implementation does not help either.
+
+ * doc/man/pam.conf-syntax.xml (actionN): Rewrite the description
+ of stack jump effects to match the implementation.
+
+ Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56
+
+2020-05-17 Weblate (bot) <noreply@weblate.org>
+ Allan Nordhøy <epost@anotheragency.no>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ Translations update from Weblate (#227)
+ * Translated using Weblate (Norwegian Bokmål)
+
+ Currently translated at 99.1% (121 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nb_NO/
+
+ * Translated using Weblate (Catalan)
+
+ Currently translated at 98.3% (120 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2020-05-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: do not check user name for emptyness before passing it to pam_modutil_getpwnam
+ pam_modutil_getpwnam is perfectly capable of handling empty strings as
+ user names, no need to double check that.
+
+ * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
+ the user name for emptyness before passing it to pam_modutil_getpwnam.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
+ * modules/pam_shells/pam_shells.c (perform_check): Likewise.
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+ * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_usertype: Document return values forwarded from pam_get_user.
+ * modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR and PAM_CONV_ERR return values.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_usertype: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+ Give the application a chance to handle PAM_INCOMPLETE.
+
+ * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Return
+ PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
+ PAM_CONV_AGAIN.
+ * modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document it.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_faillock: Document return values forwarded from pam_get_user.
+ * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR and PAM_CONV_ERR return values.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+ Give the application a chance to handle PAM_INCOMPLETE.
+
+ * modules/pam_faillock/pam_faillock.c (get_pam_user): Return
+ PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
+ PAM_CONV_AGAIN.
+ * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_securetty: forward error values returned by pam_get_user.
+ Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
+ pam_get_user is guaranteed to return one of the following values:
+ PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
+
+ * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
+ replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
+ PAM_SERVICE_ERR.
+ * modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
+ new return values.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS
+ If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
+ to be a valid C string, no need to double check that.
+
+ * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
+ for NULL the user name returned by pam_get_user when the latter returned
+ PAM_SUCCESS.
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
+ * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
+ * modules/pam_filter/pam_filter.c (process_args): Likewise.
+ * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
+ * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
+ * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
+ * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
+ * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
+ * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
+ * modules/pam_shells/pam_shells.c (perform_check): Likewise.
+ * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
+ * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
+ * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
+ * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
+ * modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
+ * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
+ Likewise.
+
+2020-05-14 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_umask: Document return values forwarded from pam_get_user.
+ * modules/pam_umask/pam_umask.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
+
+ pam_exec: Document return values forwarded from pam_get_user.
+ * modules/pam_exec/pam_exec.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
+
+2020-05-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ Deprecate pam_cracklib, pam_tally, and pam_tally2.
+ Deprecate pam_cracklib, there are two better alternatives to this
+ obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
+ from libpwquality project.
+
+ Deprecate pam_tally and pam_tally2 in favour of pam_faillock.
+
+ * configure.ac: Implement --enable-cracklib=check that enables build
+ of pam_cracklib when libcrack is available.
+ Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
+ * NEWS: Mention this change.
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add
+ --enable-tally, --enable-tally2, and --enable-cracklib=check
+ to check build of these deprecated modules.
+
+2020-05-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ NEWS: update.
+
+2020-05-12 Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
+
+ Use correct path for pam_namespace.service file (#223)
+
+2020-05-09 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: fix return value when the user is unknown.
+ Following the bad example in pam_mkhomedir module, from the very
+ beginning pam_setquota module used to return PAM_CRED_INSUFFICIENT
+ when pam_modutil_getpwnam() returned an error. Fix this now
+ by changing the return value to PAM_USER_UNKNOWN.
+
+ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Return
+ PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
+ * modules/pam_setquota/pam_setquota.8.xml (PAM_CRED_INSUFFICIENT):
+ Replace with PAM_USER_UNKNOWN.
+
+2020-05-09 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: fix return value when the user is unknown.
+ From the very beginning pam_mkhomedir module used to return
+ PAM_CRED_INSUFFICIENT when getpwnam() or pam_modutil_getpwnam()
+ returned an error. Fix this now by changing the return value
+ to PAM_USER_UNKNOWN.
+
+ * modules/pam_mkhomedir/mkhomedir_helper.c (main): Return
+ PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
+ * modules/pam_mkhomedir/pam_mkhomedir.c (pam_sm_open_session): Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml (PAM_CRED_INSUFFICIENT):
+ Remove.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_user: do not override valid values returned by the conversation function
+ When the conversation function returned a value different from
+ PAM_CONV_AGAIN and provided no response, pam_get_user used to replace
+ the return value with PAM_CONV_ERR. Fix this and replace the return
+ value only if it was PAM_SUCCESS.
+
+ * libpam/pam_item.c (pam_get_user): Do not override valid values
+ returned by the conversation function.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_user: filter conversation function return values.
+ Do not assume that the conversation function provided by the application
+ strictly follows the return values guidelines, replace undocumented
+ return values with PAM_CONV_ERR.
+
+ * libpam/pam_item.c (pam_get_user): If the value returned by the
+ conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR,
+ PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ man: document other valid pam_get_user return values.
+ * doc/man/pam_get_user.3.xml (pam_get_user-return_values): Add
+ PAM_BUF_ERR, PAM_ABORT, and PAM_CONV_AGAIN.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_user: consistently return PAM_SYSTEM_ERR if user specified a NULL pointer
+ pam_get_user returns PAM_SYSTEM_ERR in case of pamh == NULL.
+ In case of user == NULL, however, it used to return PAM_PERM_DENIED,
+ and in case of NULL conversation function it used to return
+ PAM_SERVICE_ERR.
+
+ According to the documentation, PAM_SYSTEM_ERR shall be returned
+ if a NULL pointer was submitted.
+
+ Fix this inconsistency and return PAM_SYSTEM_ERR in each of these
+ programming error cases.
+
+ * libpam/pam_item.c (pam_get_user): Return PAM_SYSTEM_ERR instead of
+ PAM_PERM_DENIED if user == NULL. Return PAM_SYSTEM_ERR instead of
+ PAM_SERVICE_ERR if pamh->pam_conversation == NULL.
+
+2020-05-06 Weblate (bot) <noreply@weblate.org>
+
+ Translations update from Weblate.
+ * Translated using Weblate (Spanish)
+
+ Currently translated at 81.9% (100 of 122 strings)
+
+ * Translated using Weblate (Portuguese)
+
+ Currently translated at 100.0% (122 of 122 strings)
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: remove references to PAM_SM_* macros.
+ Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
+ Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
+ from Linux-PAM), PAM_SM_* macros have no effect.
+
+ modules: remove PAM_SM_* macros.
+ Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
+ Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
+ from Linux-PAM), PAM_SM_* macros have no effect.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_usertype: do not override the default prompt.
+ Following the bad example in pam_succeed_if module, from the very
+ beginning pam_usertype used to override the default prompt used by
+ pam_get_user() with "login: ". Fix this now.
+
+ * modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Do not
+ request PAM_USER_PROMPT item, invoke pam_get_user() with the default
+ prompt.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_succeed_if: do not override the default prompt.
+ From the very beginning pam_succeed_if used to override the default
+ prompt used by pam_get_user() with "login: ". Fix this now.
+
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Do not
+ request PAM_USER_PROMPT item, invoke pam_get_user() with the default
+ prompt.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS.
+ ... and remove $(TESTS) from EXTRA_DIST.
+
+ The change is performed automatically using the following script:
+ sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
+ -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: rename man_MANS to dist_man_MANS.
+ ... and remove $(MANS) from EXTRA_DIST.
+
+ The change is performed automatically using the following script:
+ sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: cleanup pam_namespace.service installation.
+ * modules/pam_namespace/Makefile.am (service_DATA): New variable.
+ (install-data-local): Remove all commands related to servicedir.
+ (uninstall-local): Remove.
+
+ Fixes: 59812d1cf ("pam_namespace: secure tmp-inst directories")
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: add dist_ prefix to *_DATA.
+ ... and remove $(DATA) from EXTRA_DIST.
+
+ The change is performed automatically using the following script:
+ sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp/Makefile.am: rename noinst_PROGRAMS to check_PROGRAMS
+ ... and remove nodist_TESTS.
+
+ * modules/pam_timestamp/Makefile.am (nodist_TESTS): Remove.
+ (TESTS): Replace $(nodist_TESTS) with $(check_PROGRAMS).
+ (noinst_PROGRAMS): Rename to check_PROGRAMS.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp/Makefile.am: rename dist_TESTS to dist_check_SCRIPTS
+ ... and remove it from EXTRA_DIST
+
+ * modules/pam_timestamp/Makefile.am (EXTRA_DIST): Remove $(dist_TESTS).
+ (dist_TESTS): Rename to dist_check_SCRIPTS.
+ (TESTS): Replace $(dist_TESTS) with $(dist_check_SCRIPTS).
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_namespace/Makefile.am: add dist_ prefix to secureconf_SCRIPTS
+ ... and remove $(SCRIPTS) from EXTRA_DIST.
+
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Remove $(SCRIPTS).
+ (secureconf_SCRIPTS): Rename to dist_secureconf_SCRIPTS.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Russian)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+2020-05-03 Yuri Chornoivan <yurchor@ukr.net>
+
+ Translated using Weblate (Ukrainian)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-05-03 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-05-03 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-05-03 scootergrisen <scootergrisen@gmail.com>
+
+ Translated using Weblate (Danish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-05-03 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-04-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Update .po and .pot files after adding pam_faillock.
+
+ pam_faillock: Correct the grammar of translated strings.
+ Also make the message the same as in pam_tally2.
+
+ pam_faillock: Add conf option to use a different config file.
+
+ pam_faillock: New module for locking after multiple auth failures.
+
+2020-04-29 Weblate (bot) <noreply@weblate.org>
+ Alesker Abdullayev - FEDORA Azerbaijan <tech@abdullaeff.com>
+ Allan Nordhøy <epost@anotheragency.no>
+
+ Translations update from Weblate (#215)
+ Updated translation using Weblate
+
+ * Translated using Weblate (Azerbaijani)
+
+ Currently translated at 15.8% (19 of 120 strings)
+
+ * Translated using Weblate (Norwegian Bokmål)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+2020-04-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: rework vendordir substitution.
+ Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used,
+ remove stereotypic definitions from other Makefiles, this way we no
+ longer have to worry about vendordir being used somewhere else in
+ documentation files.
+
+ Likewise, define VENDORDIR in config.h and remove stereotypic
+ -DVENDORDIR= additions from other Makefiles, this way we no longer
+ have to worry about VENDORDIR being used somewhere else in the code.
+
+ * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR.
+ (AC_DEFINE_UNQUOTED): Add VENDORDIR.
+ (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
+ * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with
+ @STRINGPARAM_VENDORDIR@.
+ * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
+ * libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
+ * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove.
+ (XSLTPROC_CUSTOM): Remove.
+ * modules/pam_securetty/pam_securetty.c: Move definitions of local
+ macros after config.h to benefit from macros defined there.
+
+2020-04-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ Make.xml.rules: prepare for configure substitutions.
+ * Make.xml.rules: Rename to ...
+ * Make.xml.rules.in: ... new file.
+ * Makefile.am (EXTRA_DIST): Remove Make.xml.rules.
+ * configure.ac (AC_CONFIG_FILES): Add Make.xml.rules.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: replace namespace.init with $(SCRIPTS) in EXTRA_DIST.
+ As namespace.init is listed in secureconf_SCRIPTS which is part of
+ generated SCRIPTS variable.
+
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.init
+ with $(SCRIPTS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_env: remove environment from EXTRA_DIST.
+ * modules/pam_env/Makefile.am (EXTRA_DIST): Remove environment as it is
+ listed in sysconf_DATA which is part of DATA which is already listed in
+ EXTRA_DIST.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: remove $(secureconf_DATA) from EXTRA_DIST.
+ Since the whole $(DATA) is listed in EXTRA_DIST, $(secureconf_DATA)
+ can be safely de-listed.
+
+ * modules/pam_access/Makefile.am (EXTRA_DIST): Remove
+ $(secureconf_DATA).
+ * modules/pam_env/Makefile.am: Likewise.
+ * modules/pam_group/Makefile.am: Likewise.
+ * modules/pam_limits/Makefile.am: Likewise.
+ * modules/pam_namespace/Makefile.am: Likewise.
+ * modules/pam_sepermit/Makefile.am: Likewise.
+ * modules/pam_time/Makefile.am: Likewise.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST.
+ Since the GNU Automake distributes README files by default, the only
+ reason why README had to be listed in EXTRA_DIST was to make these
+ README files generated.
+
+ Since README is also listed in noinst_DATA, we can safely replace
+ README in EXTRA_DIST with $(DATA), this also opens the way for
+ further EXTRA_DIST cleanup.
+
+ * modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: reorder lines to promote uniformity.
+ This is essentially a no-op change that makes modules/*/Makefile.am
+ files less divergent.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules
+ As the rule is now the same in every modules/*/Makefile.am file,
+ move it to Make.xml.rules.
+
+ * Make.xml.rules (README): New prerequisites rule.
+ * modules/pam_access/Makefile.am (README): Remove rule.
+ * modules/pam_cracklib/Makefile.am (README): Likewise.
+ * modules/pam_debug/Makefile.am (README): Likewise.
+ * modules/pam_deny/Makefile.am (README): Likewise.
+ * modules/pam_echo/Makefile.am (README): Likewise.
+ * modules/pam_env/Makefile.am (README): Likewise.
+ * modules/pam_exec/Makefile.am (README): Likewise.
+ * modules/pam_faildelay/Makefile.am (README): Likewise.
+ * modules/pam_filter/Makefile.am (README): Likewise.
+ * modules/pam_ftp/Makefile.am (README): Likewise.
+ * modules/pam_group/Makefile.am (README): Likewise.
+ * modules/pam_issue/Makefile.am (README): Likewise.
+ * modules/pam_keyinit/Makefile.am (README): Likewise.
+ * modules/pam_lastlog/Makefile.am (README): Likewise.
+ * modules/pam_limits/Makefile.am (README): Likewise.
+ * modules/pam_listfile/Makefile.am (README): Likewise.
+ * modules/pam_localuser/Makefile.am (README): Likewise.
+ * modules/pam_loginuid/Makefile.am (README): Likewise.
+ * modules/pam_mail/Makefile.am (README): Likewise.
+ * modules/pam_mkhomedir/Makefile.am (README): Likewise.
+ * modules/pam_motd/Makefile.am (README): Likewise.
+ * modules/pam_namespace/Makefile.am (README): Likewise.
+ * modules/pam_nologin/Makefile.am (README): Likewise.
+ * modules/pam_permit/Makefile.am (README): Likewise.
+ * modules/pam_pwhistory/Makefile.am (README): Likewise.
+ * modules/pam_rhosts/Makefile.am (README): Likewise.
+ * modules/pam_rootok/Makefile.am (README): Likewise.
+ * modules/pam_securetty/Makefile.am (README): Likewise.
+ * modules/pam_selinux/Makefile.am (README): Likewise.
+ * modules/pam_sepermit/Makefile.am (README): Likewise.
+ * modules/pam_setquota/Makefile.am (README): Likewise.
+ * modules/pam_shells/Makefile.am (README): Likewise.
+ * modules/pam_succeed_if/Makefile.am (README): Likewise.
+ * modules/pam_tally/Makefile.am (README): Likewise.
+ * modules/pam_tally2/Makefile.am (README): Likewise.
+ * modules/pam_time/Makefile.am (README): Likewise.
+ * modules/pam_timestamp/Makefile.am (README): Likewise.
+ * modules/pam_tty_audit/Makefile.am (README): Likewise.
+ * modules/pam_umask/Makefile.am (README): Likewise.
+ * modules/pam_unix/Makefile.am (README): Likewise.
+ * modules/pam_userdb/Makefile.am (README): Likewise.
+ * modules/pam_usertype/Makefile.am (README): Likewise.
+ * modules/pam_warn/Makefile.am (README): Likewise.
+ * modules/pam_wheel/Makefile.am (README): Likewise.
+ * modules/pam_xauth/Makefile.am (README): Likewise.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list prerequisites of README target uniformly.
+ There is no need to list prerequisites of README targets manually as
+ all README targets depend on $(XMLS).
+
+ The change is performed automatically using the following script:
+ sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am
+
+ * modules/pam_access/Makefile.am (README): Replace pam_access.8.xml
+ and access.conf.5.xml with $(XMLS).
+ * modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml
+ with $(XMLS).
+ * modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml
+ with $(XMLS).
+ * modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml
+ with $(XMLS).
+ * modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml
+ with $(XMLS).
+ * modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and
+ pam_env.conf.5.xml with $(XMLS).
+ * modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml
+ with $(XMLS).
+ * modules/pam_faildelay/Makefile.am (README): Replace
+ pam_faildelay.8.xml with $(XMLS).
+ * modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml
+ with $(XMLS).
+ * modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with
+ $(XMLS).
+ * modules/pam_group/Makefile.am (README): Replace pam_group.8.xml
+ and group.conf.5.xml with $(XMLS).
+ * modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml
+ with $(XMLS).
+ * modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml
+ with $(XMLS).
+ * modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml
+ with $(XMLS).
+ * modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml
+ and limits.conf.5.xml with $(XMLS).
+ * modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml
+ with $(XMLS).
+ * modules/pam_localuser/Makefile.am (README): Replace
+ pam_localuser.8.xml with $(XMLS).
+ * modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml
+ with $(XMLS).
+ * modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml
+ with $(XMLS).
+ * modules/pam_mkhomedir/Makefile.am (README): Replace
+ pam_mkhomedir.8.xml with $(XMLS).
+ * modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml
+ with $(XMLS).
+ * modules/pam_namespace/Makefile.am (README): Replace
+ pam_namespace.8.xml, namespace.conf.5.xml,
+ and pam_namespace_helper.8.xml with $(XMLS).
+ * modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml
+ with $(XMLS).
+ * modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml
+ with $(XMLS).
+ * modules/pam_pwhistory/Makefile.am (README): Replace
+ pam_pwhistory.8.xml with $(XMLS).
+ * modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml
+ with $(XMLS).
+ * modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml
+ with $(XMLS).
+ * modules/pam_securetty/Makefile.am (README): Replace
+ pam_securetty.8.xml with $(XMLS).
+ * modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml
+ with $(XMLS).
+ * modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml
+ with $(XMLS).
+ * modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml
+ with $(XMLS).
+ * modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml
+ with $(XMLS).
+ * modules/pam_succeed_if/Makefile.am (README): Replace
+ pam_succeed_if.8.xml with $(XMLS).
+ * modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml
+ with $(XMLS).
+ * modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml
+ with $(XMLS).
+ * modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and
+ time.conf.5.xml with $(XMLS).
+ * modules/pam_timestamp/Makefile.am (README): Replace
+ pam_timestamp.8.xml with $(XMLS).
+ * modules/pam_tty_audit/Makefile.am (README): Replace
+ pam_tty_audit.8.xml with $(XMLS).
+ * modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml
+ with $(XMLS).
+ * modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml
+ with $(XMLS).
+ * modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml
+ with $(XMLS).
+ * modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml
+ with $(XMLS).
+ * modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml
+ with $(XMLS).
+ * modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml
+ with $(XMLS).
+ * modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml
+ with $(XMLS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list secureconf_DATA files in EXTRA_DIST uniformly
+ The change was prepared using the following script:
+ git grep -l secureconf_DATA modules/*/Makefile.am |while read m; do
+ t="$(sed '/^secureconf_DATA = /!d;s///;q' -- "$m")"
+ sed -i "/^EXTRA_DIST =/ s/\\<$t\\>/\$(secureconf_DATA)/" -- "$m"
+ done
+
+ * modules/pam_access/Makefile.am (EXTRA_DIST): Replace access.conf with
+ $(secureconf_DATA).
+ * modules/pam_env/Makefile.am (EXTRA_DIST): Replace pam_env.conf with
+ $(secureconf_DATA).
+ * modules/pam_group/Makefile.am (EXTRA_DIST): Replace group.conf with
+ $(secureconf_DATA).
+ * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace limits.conf with
+ $(secureconf_DATA).
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.conf
+ with $(secureconf_DATA).
+ * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace sepermit.conf
+ with $(secureconf_DATA).
+ * modules/pam_time/Makefile.am (EXTRA_DIST): Replace time.conf with
+ $(secureconf_DATA).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list manual pages in EXTRA_DIST uniformly.
+ List in EXTRA_DIST those manual pages that are listed in man_MANS
+ as $(MANS).
+
+ * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace pam_cracklib.8
+ with $(MANS).
+ * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace pam_keyinit.8
+ with $(MANS).
+ * modules/pam_selinux/Makefile.am (EXTRA_DIST): Replace pam_selinux.8
+ with $(MANS).
+ * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace pam_sepermit.8
+ and sepermit.conf.5 with $(MANS).
+ * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace
+ pam_tty_audit.8 with $(MANS).
+ * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace pam_userdb.8 with
+ $(MANS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list tests in EXTRA_DIST uniformly.
+ The change was prepared using the following script:
+ git grep -l '^TESTS = tst-pam_' modules/ |while read m; do
+ t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")"
+ sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m"
+ done
+
+ * modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access
+ with $(TESTS).
+ * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_cracklib with $(TESTS).
+ * modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with
+ $(TESTS).
+ * modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with
+ $(TESTS).
+ * modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with
+ $(TESTS).
+ * modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with
+ $(TESTS).
+ * modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with
+ $(TESTS).
+ * modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_faildelay with $(TESTS).
+ * modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter
+ with $(TESTS).
+ * modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with
+ $(TESTS).
+ * modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with
+ $(TESTS).
+ * modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with
+ $(TESTS).
+ * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit
+ with $(TESTS).
+ * modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog
+ with $(TESTS).
+ * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits
+ with $(TESTS).
+ * modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_listfile with $(TESTS).
+ * modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_localuser with $(TESTS).
+ * modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_loginuid with $(TESTS).
+ * modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with
+ $(TESTS).
+ * modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_mkhomedir with $(TESTS).
+ * modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with
+ $(TESTS).
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_namespace with $(TESTS).
+ * modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin
+ with $(TESTS).
+ * modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit
+ with $(TESTS).
+ * modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_pwhistory with $(TESTS).
+ * modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts
+ with $(TESTS).
+ * modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok
+ with $(TESTS).
+ * modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_securetty with $(TESTS).
+ * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_sepermit with $(TESTS).
+ * modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_setquota with $(TESTS).
+ * modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells
+ with $(TESTS).
+ * modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress
+ with $(TESTS).
+ * modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_succeed_if with $(TESTS).
+ * modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with
+ $(TESTS).
+ * modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2
+ with $(TESTS).
+ * modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with
+ $(TESTS).
+ * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_tty_audit with $(TESTS).
+ * modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with
+ $(TESTS).
+ * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb
+ with $(TESTS).
+ * modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_usertype with $(TESTS).
+ * modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with
+ $(TESTS).
+ * modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with
+ $(TESTS).
+ * modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with
+ $(TESTS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: simplify distribution of manual pages.
+ * modules/pam_namespace/Makefile.am: Merge MAN5 and MAN8 into man_MANS.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: remove manual pages from noinst_DATA.
+ Manual pages already belong to man_MANS, listing them also
+ in noinst_DATA does not help in any way.
+
+ * modules/pam_cracklib/Makefile.am (noinst_DATA): Remove pam_cracklib.8.
+ * modules/pam_selinux/Makefile.am (noinst_DATA): Remove pam_selinux.8.
+ * modules/pam_sepermit/Makefile.am (noinst_DATA): Remove pam_sepermit.8
+ and sepermit.conf.5.
+ * modules/pam_userdb/Makefile.am (noinst_DATA): Remove pam_userdb.8.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure: fix dlopen check.
+ * configure.ac: Check for the library providing dlopen using
+ AC_SEARCH_LIBS instead of AC_CHECK_LIB to handle the case when
+ dlopen is a part of libc.
+
+ configure: add --disable-tally and --disable-tally2 options.
+ * configure.ac (AC_ARG_ENABLE): Add tally and tally2.
+ (AM_CONDITIONAL): Add COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
+ * modules/Makefile.am [COND_BUILD_PAM_TALLY] (MAYBE_PAM_TALLY): Define.
+ [COND_BUILD_PAM_TALLY2] (MAYBE_PAM_TALLY2): Likewise.
+ (SUBDIRS): Replace pam_tally with $(COND_BUILD_PAM_TALLY), pam_tally2
+ with $(COND_BUILD_PAM_TALLY2).
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: move pam_selinux and pam_sepermit build conditions to modules/Makefile.am
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBSELINUX with
+ COND_BUILD_PAM_SELINUX and COND_BUILD_PAM_SEPERMIT.
+ * modules/Makefile.am [COND_BUILD_PAM_SELINUX] (MAYBE_PAM_SELINUX):
+ Define.
+ [COND_BUILD_PAM_SEPERMIT] (MAYBE_PAM_SEPERMIT): Likewise.
+ (SUBDIRS): Replace pam_selinux with $(MAYBE_PAM_SELINUX),
+ pam_sepermit with MAYBE_PAM_SEPERMIT.
+ * modules/pam_selinux/Makefile.am: Assume HAVE_LIBSELINUX.
+ * modules/pam_sepermit/Makefile.am: Likewise.
+
+ build: simplify the check for unshare function.
+ * configure.ac (AC_CHECK_FUNCS): Do not set UNSHARE when checking for
+ unshare function.
+ (COND_BUILD_PAM_NAMESPACE): Check for $ac_cv_func_unshare instead of
+ $UNSHARE.
+
+ build: move pam_namespace build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with
+ COND_BUILD_PAM_NAMESPACE.
+ * modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE):
+ Define.
+ (SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE).
+ * modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
+
+ build: move pam_userdb build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBDB with
+ COND_BUILD_PAM_USERDB.
+ * modules/Makefile.am [COND_BUILD_PAM_USERDB] (MAYBE_PAM_USERDB):
+ Define.
+ (SUBDIRS): Replace pam_userdb with $(MAYBE_PAM_USERDB).
+ * modules/pam_userdb/Makefile.am: Assume HAVE_LIBDB.
+
+ build: remove unused HAVE_LIBCRACK.
+ * configure.ac (AC_DEFINE): Remove unused HAVE_LIBCRACK.
+
+ build: move pam_cracklib build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBCRACK with
+ COND_BUILD_PAM_CRACKLIB.
+ * modules/Makefile.am [COND_BUILD_PAM_CRACKLIB] (MAYBE_PAM_CRACKLIB):
+ Define.
+ (SUBDIRS): Replace pam_cracklib with $(MAYBE_PAM_CRACKLIB).
+ * modules/pam_cracklib/Makefile.am: Assume HAVE_LIBCRACK.
+
+ build: remove unused HAVE_KEY_MANAGEMENT.
+ * configure.ac (AC_DEFINE, AC_SUBST): Remove unused HAVE_KEY_MANAGEMENT.
+ (AC_CHECK_DECL): Remove unused ENOKEY.
+
+ build: move pam_keyinit build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_KEY_MANAGEMENT with
+ COND_BUILD_PAM_KEYINIT.
+ * modules/Makefile.am [COND_BUILD_PAM_KEYINIT] (MAYBE_PAM_KEYINIT):
+ Define.
+ (SUBDIRS): Replace pam_keyinit with $(MAYBE_PAM_KEYINIT).
+ * modules/pam_keyinit/Makefile.am: Assume HAVE_KEY_MANAGEMENT.
+
+ build: remove unused AC_DEFINE([HAVE_AUDIT_TTY_STATUS])
+ * configure.ac (AC_DEFINE): Remove unused HAVE_AUDIT_TTY_STATUS.
+
+ build: move pam_tty_audit build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_AUDIT_TTY_STATUS with
+ COND_BUILD_PAM_TTY_AUDIT.
+ * modules/Makefile.am [COND_BUILD_PAM_TTY_AUDIT] (MAYBE_PAM_TTY_AUDIT):
+ Define.
+ (SUBDIRS): Replace pam_tty_audit with $(MAYBE_PAM_TTY_AUDIT).
+ * modules/pam_tty_audit/Makefile.am: Assume HAVE_AUDIT_TTY_STATUS.
+
+ configure.ac: sort COND_BUILD_* conditionals.
+ ... and move them closer to the end of configure.ac.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/Makefile.am: sort SUBDIRS.
+ Also list one element of SUBDIRS per line for the ease of maintenance.
+
+ * modules/Makefile.am (SUBDIRS): List one per line, sort.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ ci: add gcc-10 jobs.
+ * .github/workflows/ci.yml (gcc10-x86_64, gcc10-x86, gcc10-x32):
+ New jobs.
+ * .travis.yml (matrix): Add gcc-10 jobs on x86_64, x86, x32,
+ and ppc64le.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_issue: fix potential read out of bounds.
+ Reported by gcc-10 -Warray-bounds:
+
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:197:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [260, 389] from the object at 'uts' is out of the bounds of referenced subobject 'version' with type 'char[65]' at offset 195 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:59:10: note: subobject 'version' declared here
+ 59 | char version[_UTSNAME_VERSION_LENGTH];
+ | ^~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:188:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [65, 389] from the object at 'uts' is out of the bounds of referenced subobject 'sysname' with type 'char[65]' at offset 0 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:51:10: note: subobject 'sysname' declared here
+ 51 | char sysname[_UTSNAME_SYSNAME_LENGTH];
+ | ^~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:194:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [195, 389] from the object at 'uts' is out of the bounds of referenced subobject 'release' with type 'char[65]' at offset 130 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:57:10: note: subobject 'release' declared here
+ 57 | char release[_UTSNAME_RELEASE_LENGTH];
+ | ^~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:191:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [130, 389] from the object at 'uts' is out of the bounds of referenced subobject 'nodename' with type 'char[65]' at offset 65 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:54:10: note: subobject 'nodename' declared here
+ 54 | char nodename[_UTSNAME_NODENAME_LENGTH];
+ | ^~~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:200:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [325, 389] from the object at 'uts' is out of the bounds of referenced subobject 'machine' with type 'char[65]' at offset 260 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:62:10: note: subobject 'machine' declared here
+ 62 | char machine[_UTSNAME_MACHINE_LENGTH];
+ | ^~~~~~~
+
+ * modules/pam_issue/pam_issue.c (read_issue_quoted): Rewrite to avoid
+ strncat from potentially not null-terminated string buffer fields
+ of struct utsname.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix NULL dereference when at least one of motd directories is not available
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Do not assign -1U to
+ dirscans_sizes[i] when scandir(motd_dir_path_split[i]) returns an error.
+
+ Resolves: https://bugzilla.altlinux.org/38389
+ Fixes: d57ab221 ("pam_motd: Cleanup the code and avoid unnecessary logging")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: cleanup calloc invocations.
+ Apply the following calloc invocation idiom:
+ ptr = calloc(nmemb, sizeof(*ptr));
+
+ * modules/pam_motd/pam_motd.c (pam_split_string,
+ try_to_display_directories_with_overrides): Cleanup calloc invocations.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix NULL dereference on error path.
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Do not access
+ elements of dirscans_sizes array if dirscans_sizes == NULL
+ due to an earlier memory allocation error.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: remove redundant return statement.
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Remove return statement
+ at the end of the function returning void.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: remove redundant prefix from syslog messages.
+ pam_syslog already does all the prefixing we need.
+
+ * modules/pam_motd/pam_motd.c (pam_split_string,
+ try_to_display_directories_with_overrides): Remove "pam_motd: " prefix
+ from strings passed to pam_syslog.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix memory leak.
+ pam_motd used to leak memory allocated for each motd file
+ successfully opened in try_to_display_directories_with_overrides.
+
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Free abs_path.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix misleading error diagnostics.
+ Do not invoke calloc with the first argument equal to zero as the return
+ value can be NULL which is undistinguishable from memory allocation
+ error.
+
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Skip if there are no
+ directory entries (dirscans_size_total == 0).
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: do not zero the memory allocated by calloc.
+ As dirnames_all is allocated with calloc, zeroing it out is pointless.
+
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Remove redundant zeroing
+ of dirnames_all.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: cleanup: do not add -DWITH_SELINUX to CFLAGS.
+ As WITH_SELINUX is already AC_DEFINE'd in configure.ac,
+ there is no point in adding -DWITH_SELINUX to CFLAGS.
+
+ * libpam/Makefile.am [HAVE_LIBSELINUX] (AM_CFLAGS): Do not add
+ -DWITH_SELINUX.
+ * modules/pam_rootok/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: cleanup: replace "test ! -z" with "test -n"
+ * configure.ac: replace "test ! -z" with "test -n".
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_filter: fix potential off-by-one heap buffer overflow.
+ Reported by gcc-10 -Wstringop-overflow:
+
+ In file included from /usr/include/string.h:494,
+ from modules/pam_filter/pam_filter.c:14:
+ In function 'strcpy',
+ inlined from 'process_args' at modules/pam_filter/pam_filter.c:137:2,
+ inlined from 'need_a_filter.isra' at modules/pam_filter/pam_filter.c:618:12:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90:10: warning: '__builtin_memcpy' writing 6 bytes into a region of size 5 [-Wstringop-overflow=]
+ 90 | return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ modules/pam_filter/pam_filter.c: In function 'need_a_filter.isra':
+ modules/pam_filter/pam_filter.c:128:21: note: at offset 0 to an object with size 5 allocated by 'malloc' here
+ 128 | levp[0] = (char *) malloc(size);
+ | ^~~~~~~~~~~~
+
+ * modules/pam_filter/pam_filter.c (process_args): Fix off-by-one heap
+ buffer overflow in case of a filter without arguments (argc == 0).
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: remove PAM_EXTERN and PAM_STATIC parts.
+ In other modules they were removed by commit Linux-PAM-1.3.0~14.
+
+ * modules/pam_setquota/pam_setquota.c: Remove PAM_EXTERN and PAM_STATIC
+ parts.
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: fix more harmless compilation warnings.
+ On ppc64le the compiler complains with the following diagnostics:
+
+ pam_setquota.c: In function 'debug':
+ pam_setquota.c:48:59: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ ......
+ 51 | p->dqb_bsoftlimit, p->dqb_bhardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:48:75: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 7 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ ......
+ 51 | p->dqb_bsoftlimit, p->dqb_bhardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 52 | p->dqb_isoftlimit, p->dqb_ihardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:46: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 9 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 52 | p->dqb_isoftlimit, p->dqb_ihardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:62: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 10 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 53 | p->dqb_btime, p->dqb_itime);
+ | ~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:73: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 11 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 53 | p->dqb_btime, p->dqb_itime);
+ | ~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:84: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+
+ * modules/pam_setquota/pam_setquota.c (debug): Cast fields of type __u64
+ to unsigned long long.
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_timestamp: include "config.h" in hmacsha1.c as the first header.
+ This ensures "config.h" is included before any system header
+ which fixes the following bug reported by ALT diagnostics:
+
+ verify-elf: ERROR: ./lib/security/pam_timestamp.so: uses non-LFS functions: __fxstat open
+
+ * modules/pam_timestamp/hmacsha1.c: Include "config.h".
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ libpamc.h: include "config.h" as the first header.
+ This ensures "config.h" is included before any system header included by
+ libpamc.h, which fixes the following bug reported by ALT diagnostics:
+
+ verify-elf: ERROR: ./lib/libpamc.so.0.82.1: uses non-LFS functions: __xstat readdir
+
+ * libpamc/libpamc.h: Include "config.h".
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: apply WARN_CFLAGS.
+ All other modules already build with WARN_CFLAGS.
+
+ * modules/pam_setquota/Makefile.am (AM_CFLAGS): Add $(WARN_CFLAGS).
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: fix harmless compilation warnings.
+ Fix -Wunused-variable compilation warnings:
+
+ pam_setquota.c: In function 'pam_sm_open_session':
+ pam_setquota.c:173:9: warning: unused variable 'ep' [-Wunused-variable]
+ 173 | char *ep, *val, *mntdevice = NULL;
+ | ^~
+ pam_setquota.c:172:17: warning: unused variable 'ul' [-Wunused-variable]
+ 172 | unsigned long ul;
+ | ^~
+
+ Fix -Wunused-parameter compilation warnings:
+
+ pam_setquota.c: In function 'pam_sm_open_session':
+ pam_setquota.c:169:60: warning: unused parameter 'flags' [-Wunused-parameter]
+ 169 | PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~^~~~~
+ pam_setquota.c: In function 'pam_sm_close_session':
+ pam_setquota.c:382:40: warning: unused parameter 'pamh' [-Wunused-parameter]
+ 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~~~~~~~~~~~^~~~
+ pam_setquota.c:382:50: warning: unused parameter 'flags' [-Wunused-parameter]
+ 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~^~~~~
+ pam_setquota.c:382:61: warning: unused parameter 'argc' [-Wunused-parameter]
+ 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~^~~~
+ pam_setquota.c:383:39: warning: unused parameter 'argv' [-Wunused-parameter]
+ 383 | const char **argv) {
+ | ~~~~~~~~~~~~~^~~~
+
+ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Mark
+ 'flags' parameter as unused. Remove unused 'ep' and 'ul' variables.
+ (pam_sm_close_session): Mark all parameters as unused.
+
+2020-04-18 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+ Resolves: https://github.com/linux-pam/linux-pam/pull/214
+
+2020-04-17 Sven Hartge <sven@svenhartge.de>
+
+ pam_setquota: new module to set or modify disk quotas on session start.
+ This makes disk quotas usable with central user databases, such as MySQL or
+ LDAP.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/92
+
+2020-04-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_access, pam_issue: do not assume that getdomainname always exists.
+ * modules/pam_access/pam_access.c (netgroup_match): Place the code
+ that calls getdomainname under HAVE_GETDOMAINNAME guard.
+ * modules/pam_issue/pam_issue.c (read_issue_quoted): Likewise.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/43
+
+2020-04-13 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-04-13 Ankit Behera <proneon267@gmail.com>
+
+ Translated using Weblate (Odia)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/or/
+
+2020-04-12 Topi Miettinen <toiwoton@gmail.com>
+
+ pam_unix: modernize example in manual page.
+ According to crypt(5), md5 should not be used for new hashes. Let's
+ give a modern example with yescrypt.
+
+2020-04-10 Robert Antoni Buj Gelonch <robert.buj@gmail.com>
+
+ Translated using Weblate (Catalan)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+ Resolves: https://github.com/linux-pam/linux-pam/pull/207
+
+2020-04-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ travis: remove faulty jobs.
+ * .travis.yml: Remove faulty gcc-9 jobs on aarch64 and s390x,
+ gcc-9 became uninstallable on these platforms several days ago
+ and hasn't been fixed yet.
+
+2020-04-07 Lucas Ramage <oxr463@gmx.us>
+
+ pam_access: add an example of using groups in access.conf to permit access
+ Resolves: https://github.com/linux-pam/linux-pam/issues/65
+ Resolves: https://github.com/linux-pam/linux-pam/pull/199
+
+2020-04-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ github: add CI action.
+ Somewhat similar to Travis CI, this runs "make distcheck" on Ubuntu
+ 18.04 using gcc-9, gcc-8, gcc, clang-9, clang-8, and clang on x86_64,
+ x86, and x32 architectures.
+
+ Compared with Travis CI, GitHub Actions service currently provides
+ a significantly better parallelism as well as (unsurprisingly)
+ better integration with github.
+
+ However, GitHub Actions cannot replace Travis CI completely yet as
+ the latter can build on aarch64, s390x, and ppc64le architectures.
+
+ * .github/workflows/whitespace-errors-check.yml: Remove
+ * .github/workflows/ci.yml: New file.
+
+2020-04-07 scootergrisen <scootergrisen@gmail.com>
+
+ Translated using Weblate (Danish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-04-07 scootergrisen <scootergrisen@gmail.com>
+
+ Translated using Weblate (Danish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-03-31 Petr Lautrbach <plautrba@redhat.com>
+
+ pam_timestamp: Fix // in TIMESTAMPDIR.
+ _PATH_VARRUN already provides trailing slash for building paths
+
+ Fixes:
+ $ strings /usr/lib64/security/pam_timestamp.so | grep /run/
+ /var/run//pam_timestamp
+ /var/run//pam_timestamp/_pam_timestamp_key
+
+2020-03-30 James Ralston <ralston@pobox.com>
+
+ pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.
+ The pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems
+ that use the unix_chkpwd helper.
+
+ The reason is that in unix_chkpwd.c, towards the end of main(), if
+ helper_verify_password() does not return PAM_SUCCESS, main() ignores
+ the actual error that helper_verify_password() returned and instead
+ returns PAM_AUTH_ERR.
+
+ This commit corrects this behavior. Specifically, if
+ helper_verify_password() returns PAM_USER_UNKNOWN, which it does
+ when /etc/passwd entry indicates that shadow information is present
+ but the /etc/shadow entry is missing, the unix_chkpwd now exits
+ with PAM_AUTHINFO_UNAVAIL. For any other error from
+ helper_verify_password(), unix_chkpwd continues to exit with
+ PAM_AUTH_ERR.
+
+ * modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL
+ when helper_verify_password() returns PAM_USER_UNKNOWN.
+
+2020-03-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix various typos found using codespell tool.
+
+ po: semi-automatically fix translations of pam_get_authtok default prompts
+ Complements: 4daceedd ("pam_get_authtok: fix i18n of default prompts")
+
+2020-03-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ _pam_load_module: reduce redundancy.
+ * libpam/pam_handlers.c (_pam_load_module): Reorganize $ISA handling
+ to reduce redundancy.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/198
+
+2020-03-24 blueskycs2c <lili.ding@cs2c.com>
+
+ pam_time: add conffile option to specify an alternative configuration file
+ Resolves: https://github.com/linux-pam/linux-pam/pull/163
+ Resolves: https://github.com/linux-pam/linux-pam/pull/191
+
+2020-03-23 Alexander Zubkov <green@qrator.net>
+
+ pam_exec: require user name to be ready for the command.
+ pam_exec module can be called when a user name has not been prompted
+ yet. And thus the command is called without a user name available.
+ This fix asks PAM for the user name to ensure it is ready or to force
+ the prompt.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/131
+ Resolves: https://github.com/linux-pam/linux-pam/pull/195
+
+2020-03-23 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_selinux: fall back to log to syslog if audit logging fails.
+ Resolves: https://github.com/linux-pam/linux-pam/pull/194
+
+ pam_selinux: sanitize asprintf argument on failure.
+
+ pam_selinux: print additional information on failures.
+
+ pam_selinux: convert send_audit_message to void function.
+ The result is nowhere checked and other logging functions like
+ pam_syslog are also not checked.
+
+ pam_selinux: fix indentation.
+
+2020-03-23 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_selinux: substitute legacy security_context_t type.
+ `security_context_t` is a legacy typedef to `char *`, substitute all usage.
+
+ See
+ https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
+ https://github.com/SELinuxProject/selinux/blob/f8c110c8a615eb640510eab39640a0957a6ba19c/libselinux/include/selinux/selinux.h#L16
+
+2020-03-20 Jiri Grönroos <jiri.gronroos@iki.fi>
+
+ Translated using Weblate (Finnish)
+ Currently translated at 90.8% (109 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-03-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Slovak)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+ Translated using Weblate (Czech)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
+
+ Translated using Weblate (French)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-20 Yuri Chornoivan <yurchor@ukr.net>
+
+ Translated using Weblate (Ukrainian)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-03-20 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-20 Geert Warrink <geert.warrink@onsnet.nu>
+
+ Translated using Weblate (Dutch)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2020-03-20 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Russian)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+ Translated using Weblate (Portuguese (Brazil))
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ Translated using Weblate (Portuguese)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+ Translated using Weblate (German)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-20 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_userdb: use pam_str_skip_icase_prefix.
+ * modules/pam_userdb/pam_userdb.c: Include "pam_inline.h".
+ (_pam_parse, user_lookup): Use pam_str_skip_icase_prefix
+ instead of ugly strncasecmp invocations.
+
+ modules/pam_umask: use pam_str_skip_icase_prefix.
+ * modules/pam_umask/pam_umask.c: Include "pam_inline.h".
+ (parse_option, setup_limits_from_gecos): Use pam_str_skip_icase_prefix
+ instead of ugly strncasecmp invocations.
+
+ modules/pam_pwhistory: use pam_str_skip_icase_prefix.
+ * modules/pam_pwhistory/pam_pwhistory.c: Include "pam_inline.h".
+ (parse_option): Use pam_str_skip_icase_prefix instead of ugly
+ strncasecmp invocations.
+
+ modules/pam_exec: use pam_str_skip_icase_prefix.
+ * modules/pam_exec/pam_exec.c (call_exec): Use pam_str_skip_icase_prefix
+ instead of ugly strncasecmp invocations.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_str_skip_icase_prefix_len and pam_str_skip_icase_prefix.
+ Every time I see a code like
+ if (strncasecmp(argv, "remember=", 9) == 0)
+ options->remember = strtol(&argv[9], NULL, 10);
+ my eyes are bleeding.
+
+ Similar to pam_str_skip_prefix_len() and pam_str_skip_prefix(),
+ introduce a new helper inline function pam_str_skip_icase_prefix_len()
+ and a new macro pam_str_skip_icase_prefix() on top of it, to be used
+ in subsequent commits to cleanup the ugliness.
+
+ * libpam/include/pam_inline.h (pam_str_skip_icase_prefix_len): New
+ function.
+ (pam_str_skip_icase_prefix): New macro.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_xauth: use pam_str_skip_prefix.
+ * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
+ (pam_sm_open_session, pam_sm_close_session): Use pam_str_skip_prefix
+ instead of ugly strncmp invocations.
+
+ modules/pam_wheel: use pam_str_skip_prefix.
+ * modules/pam_wheel/pam_wheel.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len.
+ * modules/pam_unix/passverify.c: Include "pam_inline.h".
+ (verify_pwd_hash): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+ * modules/pam_unix/support.c: Include "pam_inline.h".
+ (_set_ctrl): Use pam_str_skip_prefix_len instead of hardcoding string
+ lengths.
+ * modules/pam_unix/md5_crypt.c: Include "pam_inline.h".
+ (crypt_md5): Use pam_str_skip_prefix_len.
+
+ squash! modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_tty_audit: use pam_str_skip_prefix.
+ * modules/pam_tty_audit/pam_tty_audit.c: Include "pam_inline.h".
+ (pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_timestamp: use pam_str_skip_prefix.
+ * modules/pam_timestamp/pam_timestamp.c: Include "pam_inline.h".
+ (check_tty, get_timestamp_name, pam_sm_authenticate): Use
+ pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_tally: use pam_str_skip_prefix.
+ * modules/pam_tally/pam_tally.c: Include "pam_inline.h".
+ (tally_parse_args, getopts): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_tally2: use pam_str_skip_prefix.
+ * modules/pam_tally2/pam_tally2.c: Include "pam_inline.h".
+ (tally_parse_args, getopts): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_selinux: use pam_str_skip_prefix.
+ * modules/pam_selinux/pam_selinux.c: Include "pam_inline.h".
+ (compute_exec_context, compute_tty_context): Use pam_str_skip_prefix
+ instead of ugly strncmp invocations.
+
+ modules/pam_securetty: use pam_str_skip_prefix and pam_str_skip_prefix_len
+ * modules/pam_securetty/pam_securetty.c: Include "pam_inline.h".
+ (securetty_perform_check): Use pam_str_skip_prefix and
+ pam_str_skip_prefix_len instead of ugly strncmp invocations.
+
+ modules/pam_rhosts: use pam_str_skip_prefix.
+ * modules/pam_rhosts/pam_rhosts.c: Include "pam_inline.h".
+ (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_nologin: use pam_str_skip_prefix.
+ * modules/pam_nologin/pam_nologin.c: Include "pam_inline.h".
+ (parse_args): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_namespace: use pam_str_skip_prefix.
+ * modules/pam_namespace/pam_namespace.c (root_shared): Use
+ pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_motd: use pam_str_skip_prefix.
+ * modules/pam_motd/pam_motd.c: Include "pam_inline.h".
+ (pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_mkhomedir: use pam_str_skip_prefix.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_mail: use pam_str_skip_prefix.
+ * modules/pam_mail/pam_mail.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_localuser: use pam_str_skip_prefix.
+ * modules/pam_localuser/pam_localuser.c: Include "pam_inline.h".
+ (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_listfile: use pam_str_skip_prefix.
+ * modules/pam_listfile/pam_listfile.c: Include "pam_inline.h".
+ (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_limits: use pam_str_skip_prefix.
+ * modules/pam_limits/pam_limits.c: Include "pam_inline.h".
+ (_pam_parse, parse_kernel_limits): Use pam_str_skip_prefix instead of
+ ugly strncmp invocations.
+
+ modules/pam_lastlog: use pam_str_skip_prefix.
+ * modules/pam_lastlog/pam_lastlog.c: Include "pam_inline.h".
+ (_pam_auth_parse, get_tty): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_issue: use pam_str_skip_prefix.
+ * modules/pam_issue/pam_issue.c: Include "pam_inline.h".
+ (pam_sm_authenticate, read_issue_quoted): Use pam_str_skip_prefix
+ instead of ugly strncmp invocations.
+
+ modules/pam_ftp: use pam_str_skip_prefix.
+ * modules/pam_ftp/pam_ftp.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_env: use pam_str_skip_prefix.
+ * modules/pam_env/pam_env.c: Include "pam_inline.h".
+ (_pam_parse, _parse_line): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_echo: use pam_str_skip_prefix.
+ * modules/pam_echo/pam_echo.c: Include "pam_inline.h".
+ (pam_echo): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_cracklib: use pam_str_skip_prefix.
+ * modules/pam_cracklib/pam_cracklib.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_access: use pam_str_skip_prefix.
+ * modules/pam_access/pam_access.c: Include "pam_inline.h".
+ (parse_args): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_str_skip_prefix_len and pam_str_skip_prefix.
+ Every time I see a code like
+ if (!strncmp(*argv,"user_readenv=",13))
+ *user_readenv = atoi(13+*argv);
+ my eyes are bleeding.
+
+ Introduce a new helper inline function pam_str_skip_prefix_len() and
+ a new macro pam_str_skip_prefix() on top of it, to be used in subsequent
+ commits to cleanup the ugliness.
+
+ * libpam/include/pam_inline.h: Include <string.h>.
+ (pam_str_skip_prefix_len): New function.
+ (pam_str_skip_prefix): New macro.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Use PAM_ARRAY_SIZE.
+ Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x)
+ which is less error-prone and implements an additional type check.
+
+ * libpam/pam_handlers.c: Include "pam_inline.h".
+ (_pam_open_config_file): Use PAM_ARRAY_SIZE.
+ * modules/pam_exec/pam_exec.c: Include "pam_inline.h".
+ (call_exec): Use PAM_ARRAY_SIZE.
+ * modules/pam_namespace/pam_namespace.c: Include "pam_inline.h".
+ (filter_mntopts): Use PAM_ARRAY_SIZE.
+ * modules/pam_timestamp/hmacfile.c: Include "pam_inline.h".
+ (testvectors): Use PAM_ARRAY_SIZE.
+ * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
+ (run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE.
+ * tests/tst-pam_get_item.c: Include "pam_inline.h".
+ (main): Use PAM_ARRAY_SIZE.
+ * tests/tst-pam_set_item.c: Likewise.
+ * xtests/tst-pam_pwhistory1.c: Likewise.
+ * xtests/tst-pam_time1.c: Likewise.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_inline.h.
+ Introduce a new internal header file for definitions of handly inline
+ functions and macros providing some convenient functionality to libpam
+ and its modules.
+
+ * libpam/include/pam_cc_compat.h (PAM_SAME_TYPE): New macro.
+ * libpam/include/pam_inline.h: New file.
+ * libpam/Makefile.am (noinst_HEADERS): Add include/pam_inline.h.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_cracklib: fix parsing of options without arguments.
+ Prefix match for options without arguments such as use_first_pass
+ is not correct, there has to be an exact match for these options.
+
+ * modules/pam_cracklib/pam_cracklib.c (_pam_parse): Fix parsing
+ of reject_username, gecoscheck, enforce_for_root, use_authtok,
+ use_first_pass, and try_first_pass options.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ ci: enable -Werror for all builds.
+ The main purpose of fixing all compilation warnings in the current code
+ base was to enable -Werror in CI builds so that no new warnings would
+ creep in.
+
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add --enable-Werror.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure: implement --enable-Werror option.
+ When configure is invoked with --enable-Werror option,
+ -Werror compiler option is added to WARN_CFLAGS.
+
+ This new configure option is intended primarily for CI purposes.
+
+ * configure.ac (AC_ARG_ENABLE): Add Werror. Forward -Werror
+ to JAPHAR_GREP_CFLAGS.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix remaining clang -Wcast-align compilation warnings.
+ Introduce DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN
+ macros, use them to silence remaining clang -Wcast-align compilation
+ warnings.
+
+ * libpam/include/pam_cc_compat.h (DIAG_PUSH_IGNORE_CAST_ALIGN,
+ DIAG_POP_IGNORE_CAST_ALIGN): New macros.
+ * modules/pam_access/pam_access.c: Include "pam_cc_compat.h".
+ (from_match, network_netmask_match): Wrap inet_ntop invocations
+ in DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix most of clang -Wcast-align compilation warnings.
+ Unlike gcc, clang is not smart enough to infer the alignment
+ of structure fields, so add some alignment hints to the code.
+
+ * libpam/include/pam_cc_compat.h (PAM_ATTRIBUTE_ALIGNED): New macro.
+ * modules/pam_namespace/md5.h: Include "pam_cc_compat.h".
+ (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
+ * modules/pam_namespace/md5.c [!(__i386__ || __x86_64__)]
+ (uint8_aligned): New type.
+ [!(__i386__ || __x86_64__)] (byteReverse): Use it instead of
+ unsigned char.
+ * modules/pam_timestamp/sha1.h: Include "pam_cc_compat.h".
+ (struct sha1_context): Add PAM_ATTRIBUTE_ALIGNED to pending field.
+ * modules/pam_unix/md5.h: Include "pam_cc_compat.h".
+ (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
+ * modules/pam_unix/md5.c [!HIGHFIRST] (uint8_aligned): New type.
+ [!HIGHFIRST] (byteReverse): Use it instead of unsigned char.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_tally, modules/pam_tally2: fix compilation warnings.
+ Fix the following compilation warnings reported by gcc
+ when sizeof(time_t) > sizeof(long), e.g. on x32:
+
+ modules/pam_tally/pam_tally.c:541:7: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 541 | _("The account is temporarily locked (%ld seconds left)."),
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ modules/pam_tally/pam_tally.c:546:40: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 546 | "user %s (%lu) has time limit [%lds left]"
+ | ~~^
+ | |
+ | long int
+ | %lld
+ ......
+ 549 | oldtime+lock_time-time(NULL));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ | |
+ | time_t {aka long long int}
+
+ modules/pam_tally2/pam_tally2.c:592:27: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 592 | pam_info(pamh, _("The account is temporarily locked (%ld seconds left)."),
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ modules/pam_tally2/pam_tally2.c:597:50: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 597 | "user %s (%lu) has time limit [%lds left]"
+ | ~~^
+ | |
+ | long int
+ | %lld
+ ......
+ 600 | oldtime+opts->lock_time-time(NULL));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ | |
+ | time_t {aka long long int}
+
+ This change doesn't attempt to fix handling of 64-bit time_t on 32-bit
+ systems in these modules.
+
+ * modules/pam_tally/pam_tally.c (tally_check): Cast time_t expressions
+ to long int before passing them to pam_info and pam_syslog.
+ * modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp: fix compilation warnings.
+ Fix the following compilation warnings reported by gcc on ilp32 platforms:
+
+ modules/pam_timestamp/hmacfile.c: In function ‘testvectors’:
+ modules/pam_timestamp/hmacfile.c:121:44: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
+ 121 | printf("Incorrect result for vector %lu\n", i + 1);
+ | ~~^ ~~~~~
+ | | |
+ | | size_t {aka unsigned int}
+ | long unsigned int
+ | %u
+ modules/pam_timestamp/hmacfile.c:128:30: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
+ 128 | printf("Error in vector %lu.\n", i + 1);
+ | ~~^ ~~~~~
+ | | |
+ | | size_t {aka unsigned int}
+ | long unsigned int
+ | %u
+ In function ‘strncpy’,
+ inlined from ‘pam_sm_open_session’ at modules/pam_timestamp/pam_timestamp.c:584:4:
+ /usr/include/bits/string_fortified.h:106:10: warning: ‘__builtin___strncpy_chk’ output may be truncated copying between 1 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
+
+ * modules/pam_timestamp/hmacfile.c (testvectors): Cast the argument
+ of type size_t to unsigned long before passing it to printf.
+ * modules/pam_timestamp/pam_timestamp.c (pam_sm_open_session): Use
+ memcpy instead of strncpy as the source is not NUL-terminated, add an
+ extra check to ensure that iterator stays inside bounds.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_unix: fix gcc compilation warnings.
+ When setreuid() fails, there is no way to proceed any further: either
+ the process credentials are unchanged but inappropriate, or they are
+ in an inconsistent state and nothing good could be made out of it.
+ This fixes the following compilation warnings:
+
+ modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+
+ * modules/pam_unix/passverify.c (get_account_info) [HELPER_COMPILE]:
+ Always check setreuid return code and return PAM_CRED_INSUFFICIENT
+ if setreuid failed.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_access: fix compilation warning.
+ Fix the following compilation warning reported by gcc
+ when HAVE_LIBAUDIT is not set:
+
+ modules/pam_access/pam_access.c: In function ‘login_access’:
+ modules/pam_access/pam_access.c:338:13: warning: variable ‘nonall_match’ set but not used [-Wunused-but-set-variable]
+ 338 | int nonall_match = NO;
+ | ^~~~~~~~~~~~
+
+ * modules/pam_access/pam_access.c (login_access): Enclose nonall_match
+ variable with HAVE_LIBAUDIT #ifdef's.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ conf/pam_conv1: fix clang compilation warnings.
+ Fix the following compilation warnings reported by clang:
+
+ pam_conv_y.y:12:23: warning: unused variable 'bisonid' [-Wunused-const-variable]
+ static const char bisonid[]=
+ ^
+ pam_conv_l.l:12:23: warning: unused variable 'lexid' [-Wunused-const-variable]
+ static const char lexid[]=
+ ^
+
+ These static variables lost their meaning after repository conversion
+ from cvs to git and can be safely removed.
+
+ * conf/pam_conv1/pam_conv_l.l (lexid): Remove.
+ * conf/pam_conv1/pam_conv_y.y (bisonid): Remove.
+
+2020-03-18 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp: fix clang compilation warning.
+ modules/pam_timestamp/pam_timestamp.c:807:17: warning: logical not
+ is only applied to the left hand side of this comparison
+ [-Wlogical-not-parentheses]
+ } else if (!timestamp_good(st.st...
+ ^
+
+ * modules/pam_timestamp/pam_timestamp.c (main): Change timestamp_good
+ return code check to a more traditional form.
+
+2020-03-18 Dmitry V. Levin <ldv@altlinux.org>
+
+ github: check for whitespace errors on push and pull requests.
+ * .github/workflows/whitespace-errors-check.yml: New file.
+
+ modules/pam_timestamp: fix EXTRA_DIST.
+ * modules/pam_timestamp/Makefile.am (EXTRA_DIST): Replace "$(man_MANS)"
+ with "$(MANS)" as the former is conditional on HAVE_DOC.
+
+ modules/pam_namespace: fix EXTRA_DIST.
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
+ "$(MAN5) $(MAN8)" with "$(MANS)" as the former is conditional
+ on HAVE_DOC.
+
+2020-03-17 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_usertype: exclude man-page generation when configured with --disable-doc
+ * modules/pam_usertype/Makefile.am (man_MANS): Make conditional
+ on HAVE_DOC.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/193
+
+2020-03-17 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_namespace: ignore pam_namespace_helper in git.
+ * modules/pam_namespace/.gitignore: New file.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/192
+
+2020-03-13 Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-03-13 Ondrej Sulek <feonsu@gmail.com>
+
+ Translated using Weblate (Slovak)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+2020-03-13 Yuri Chornoivan <yurchor@ukr.net>
+
+ Translated using Weblate (Ukrainian)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-03-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Portuguese (Brazil))
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ Translated using Weblate (Portuguese)
+
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+ Translated using Weblate (German)
+
+ Currently translated at 91.4% (107 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Adjust README with instructions for package prerequsities.
+ Also remove obsolete static modules instructions
+
+2020-03-11 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_authtok: fix i18n of default prompts.
+ Change formatting of default prompts, making them translatable
+ to those languages that use a different word order.
+ From non-i18n perspective this change is essentially a no-op.
+
+ * libpam/pam_get_authtok.c (PROMPTCURRENT): Replace with
+ PROMPT_CURRENT_ARG and PROMPT_CURRENT_NOARG.
+ (PROMPT1): Replace with PROMPT_NEW_ARG and PROMPT_NEW_NOARG.
+ (PROMPT2): Replace with PROMPT_RETYPE_ARG and PROMPT_RETYPE_NOARG.
+ (pam_get_authtok_internal, pam_get_authtok_verify): Use new macros.
+ * po/Linux-PAM.pot: Regenerated.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/29
+
+2020-03-11 ikerexxe <ipedrosa@redhat.com>
+
+ pam_selinux: check unknown object classes or permissions in current policy
+ Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
+
+2020-03-06 Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-03-06 Milo Casagrande <milo@milo.name>
+
+ Translated using Weblate (Italian)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2020-03-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Zulu)
+ Currently translated at 63.2% (74 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zu/
+
+ Translated using Weblate (Chinese (Traditional))
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
+
+ Translated using Weblate (Chinese (Simplified))
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
+
+ Translated using Weblate (Tamil)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ta/
+
+ Translated using Weblate (Sinhala)
+
+ Currently translated at 65.8% (77 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/si/
+
+ Translated using Weblate (Russian)
+
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+ Translated using Weblate (Portuguese (Brazil))
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ Translated using Weblate (Kazakh)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
+
+ Translated using Weblate (Japanese)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ja/
+
+ Translated using Weblate (Hungarian)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/
+
+ Translated using Weblate (Hindi)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hi/
+
+ Translated using Weblate (Spanish)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
+
+ Translated using Weblate (German)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-06 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-06 Geert Warrink <geert.warrink@onsnet.nu>
+
+ Translated using Weblate (Dutch)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2020-03-06 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-06 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+ Translated using Weblate (Polish)
+
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add missing file to EXTRA_DIST.
+ * tests/Makefile.am: Add confdir to EXTRA_DIST.
+
+ New API call pam_start_confdir()
+ To load PAM stack configurations from specified directory
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix remaining references to sourceforge.net.
+ Linux-PAM moved to github long time ago, update the remaining
+ bug tracking references to point to github issues tracker.
+
+ * README: Refer to https://github.com/linux-pam/linux-pam/issues
+ instead of sourceforge.net.
+ * po/Makevars: Refer to https://github.com/linux-pam/linux-pam/issues
+ instead of http://sourceforge.net/projects/pam .
+ * po/Linux-PAM.pot: Regenerated.
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: fix --disable-nis compilation warnings.
+ When the build is configured using --disable-nis option, gcc complains:
+
+ pam_unix_passwd.c: In function '_do_setpass':
+ pam_unix_passwd.c:398:8: warning: unused variable 'master' [-Wunused-variable]
+
+ support.c: In function '_unix_getpwnam':
+ support.c:305:21: warning: parameter 'nis' set but not used [-Wunused-but-set-parameter]
+
+ * modules/pam_unix/pam_unix_passwd.c (_do_setpass): Move the definition
+ of "master" variable to [HAVE_NIS].
+ * modules/pam_unix/support.c (_unix_getpwnam) [!(HAVE_YP_GET_DEFAULT_DOMAIN
+ && HAVE_YP_BIND && HAVE_YP_MATCH && HAVE_YP_UNBIND)]: Do not assign
+ the unused parameter but mark it as used.
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ Sort NEWS entries.
+ * NEWS (1.4.0): Sort module-related news entries.
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix whitespace issues.
+ Remove trailing whitespace introduced by commit
+ f9c9c72121eada731e010ab3620762bcf63db08f.
+ Remove blank lines at EOF introduced by commit
+ 65d6735c5949ec233df9813f734e918a93fa36cf.
+
+ This makes the project free of warnings reported by
+ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+ * doc/custom-html.xsl: Remove blank line at EOF.
+ * doc/custom-man.xsl: Likewise.
+ * modules/pam_motd/pam_motd.c: Remove trailing whitespace.
+
+2020-03-04 ed@s5h.net <ed@s5h.net>
+
+ Adding package dependency hints to README.
+
+2020-03-04 Mark Wutzke <mark.wutzke@alliedtelesis.co.nz>
+
+ Use cached 'crypt' library result correctly.
+ Configure script incorrectly used a non-cached variable (ac_lib) in the
+ cached code path. This results in no -lcrypt being defined resulting in
+ link errors on a re-build.
+
+ Update configure.ac to use ac_cv_search_crypt (via ac_res) to setup the
+ correct library arguments.
+
+2020-03-03 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Prepare for the 1.4.0 release.
+
+ Updated LINGUAS to remove completely untranslated languages.
+ Updated pot and po files
+
+2020-03-03 Tomáš Mráz <tmraz@redhat.com>
+
+ Translated using Weblate (Czech)
+ Currently translated at 100.0% (116 of 116 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
+
+2020-03-03 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-03 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-03 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+ Translated using Weblate (Polish)
+
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-03 Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>
+
+ Deleted translation using Weblate (Cornish)
+ Deleted translation using Weblate (German (Low))
+
+ Deleted translation using Weblate (Angika)
+
+ Deleted translation using Weblate (English (United Kingdom))
+
+ Deleted translation using Weblate (Asturian)
+
+ Deleted translation using Weblate (bal (generated))
+
+ Deleted translation using Weblate (Bodo)
+
+ Deleted translation using Weblate (Breton)
+
+ Deleted translation using Weblate (Cornish)
+
+ Deleted translation using Weblate (Cornish)
+
+ Deleted translation using Weblate (ilo (generated))
+
+ Deleted translation using Weblate (Maithili)
+
+ Deleted translation using Weblate (Pedi)
+
+ Deleted translation using Weblate (Tibetan)
+
+ Deleted translation using Weblate (Twi)
+
+ Deleted translation using Weblate (wba (generated))
+
+2020-03-03 Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-02-27 Iker Pedrosa <ikerpedrosam@gmail.com>
+
+ pam_tty_audit: if kernel audit is disabled return PAM_IGNORE.
+ If kernel audit is disabled the socket open will return
+ EPROTONOSUPPORT.
+ Return PAM_IGNORE from pam_tty_audit and log a warning
+ in this situation so login is not blocked by the module.
+
+2020-02-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD
+ When pam_modutil_sanitize_helper_fds() is invoked with
+ PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
+ or stderr, it closes the read end of the newly created dummy pipe.
+ The negative side effect of this approach is that any write to such
+ descriptor triggers a SIGPIPE. Avoid this by closing the write end of
+ the dummy pipe and using its read end as a dummy pipe descriptor for
+ output. Any read from such descriptor returns 0, and any write just
+ fails with EBADF, which should work better with unprepared writers.
+
+ * libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
+ (redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
+
+ Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
+
+2020-02-26 TBK <tbk@jjtc.eu>
+
+ libpamc: Use ISO C99 uintX_t types instead of u_intX_t.
+ u_intX_t is a glibcism this fixes the issue of compiling against musl libc.
+
+2020-02-25 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_group, pam_time: Fix regression in documentation from last change.
+ * modules/pam_group/group.conf.5.xml: Replace bare & with &amp;.
+ * modules/pam_time/time.conf.5.xml: Likewise.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_limits: Document the unwanted effect of set_all with systemd.
+
+ misc_conv: Use PAM_MAX_RESP_SIZE to limit the length of the input.
+
+ pam_group, pam_time: Fix logical error with multiple ! operators.
+ * modules/pam_group/group.conf.5.xml: Document what logic list means.
+ * modules/pam_time/time.conf.5.xml: Likewise.
+ * modules/pam_group/pam_group.c (logic_field): Clear the not operator for the
+ further operations.
+ * modules/pam_time/pam_time.c (logic_field): Likewise.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_shells: Recognize /bin/sh as the default shell.
+ If the shell is empty in /etc/passwd entry it means /bin/sh.
+
+ * modules/pam_shells/pam_shells.c (perform_check): Use /bin/sh as default shell.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: Change the default to not read the user .pam_environment file.
+ * modules/pam_env/pam_env.8.xml: Document the change.
+ * modules/pam_env/pam_env.c: Set DEFAULT_USER_READ_ENVFILE to 0.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: code cleanups.
+ Raise BUF_SIZE to 8192 bytes.
+
+ * modules/pam_env/pam_env.c (_parse_env_file): Ignore lines starting with '='.
+ (_assemble_line): Detect long lines and binary files.
+ (_check_var): Avoid overwriting global variable.
+ (_expand_arg): Avoid repeated strlen calls.
+
+2020-02-18 Topi Miettinen <toiwoton@gmail.com>
+
+ pam_namespace: secure tmp-inst directories.
+ When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
+ creates subdirectories with fixed name tmp-inst. These paths should be
+ secured as early as possible to avoid that somehow these directories
+ could created and controlled by for example a malicious user or
+ service.
+
+ Ship a systemd service, which creates the directories early in
+ boot sequence with correct permissions and ownership.
+
+ Closes #111.
+
+2020-02-18 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix warnings from the recent PR merges.
+ * modules/pam_succeed_if/pam_succeed_if.c: Fix const issues.
+ * modules/pam_usertype/pam_usertype.c: Avoid maybe used uninitialized warning.
+
+2020-02-18 Pavel Březina <pbrezina@redhat.com>
+
+ pam_unix: add nullresetok option to allow reset blank passwords.
+ Adding nullresetok to auth phase of pam_unix module will allow users
+ with blank password to authenticate in order to immediatelly change
+ their password even if nullok is not set.
+
+ This allows to have blank password authentication disabled but still
+ allows administrator to create new user accounts with expired blank
+ password that must be change on the first login.
+
+2020-02-18 Serghei Anicheev <serghei.anicheev@gmail.com>
+
+ pam_succeed_if: Add list support for group membership checks.
+ Examples:
+ account requisite pam_succeed_if.so user ingroup group1:group2
+ OR
+ account requisite pam_succeed_if.so user notingroup group1:group2
+ OR
+ account requisite pam_succeed_if.so user ingroup wheel
+ OR
+ account requisite pam_succeed_if.so user notingroup wheel
+
+ Can be very convenient to grant access based on complex group memberships (LDAP, etc)
+
+2020-02-18 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ Remove redundant header file inclusion.
+ There are some source code including the same header file redundantly.
+ We remove these redundant header file inclusion.
+
+2020-01-29 edneville <ed-github@s5h.net>
+
+ pam_tally[2]: Updating man pages to indicate account leakage without silent
+ * modules/pam_tally/pam_tally.8.xml: Mention account leakage without silent
+ * modules/pam_tally2/pam_tally2.8.xml: Mention account leakage without silent
+
+2020-01-29 Jakub Wilk <jwilk@jwilk.net>
+
+ pam_keyinit.8: add missing comma.
+
+2020-01-28 Pavel Březina <pbrezina@redhat.com>
+
+ pam_usertype: new module to tell if uid is in login.defs ranges.
+ This module will check if the user account type is system or regular based
+ on its uid. To evaluate the condition it will use 0-99 reserved range
+ together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
+
+ If these values are not set, it uses configure-time defaults
+ `--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
+ `SYS_UID_MAX` defaults to `UID_MIN - 1`.
+
+ This information can be used to skip specific module in pam stack
+ based on the account type. `pam_succeed_if uid < 1000` is used at the moment
+ however it does not reflect changes to `login.defs`.
+
+2020-01-27 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: add --enable-doc option.
+ Allow the user to disable documentation through --disable-doc (enabled
+ by default), this is especially useful when cross-compiling for embedded
+ targets
+
+2020-01-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix remaining -Wcast-qual compilation warnings.
+ Introduce a new internal header file with definitions of
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
+ use them to temporary silence -Wcast-qual compilation warnings
+ in various modules.
+
+ * libpam/include/pam_cc_compat.h: New file.
+ * libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
+ (create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL
+ and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
+ (pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier
+ in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
+ (nl_send): Wrap the cast that discards ‘const’ qualifier in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
+ (_unix_run_verify_binary): Wrap execve invocation in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
+ (_unix_run_update_binary): Wrap execve invocation in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
+ (unix_update_shadow): Wrap the cast that discards ‘const’ qualifier
+ in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/support.c: Include "pam_cc_compat.h".
+ (_unix_run_helper_binary): Wrap execve invocation in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
+ (run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL
+ and DIAG_POP_IGNORE_CAST_QUAL.
+
+2020-01-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ _pam_mkargv: add const qualifier to the first argument.
+ Also fix the following compilation warning:
+
+ tests/tst-pam_mkargv.c:21:22: warning: initialization discards ‘const’
+ qualifier from pointer target type [-Wdiscarded-qualifiers]
+ char *argvstring = "user = XENDT\\userα user=XENDT\\user1";
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * libpam/pam_misc.c (_pam_mkargv): Add const qualifier to the first
+ argument.
+ * libpam/pam_private.h (_pam_mkargv): Likewise.
+ * tests/tst-pam_mkargv.c (main): Convert argvstring from a pointer into
+ a static const string, make argvresult array static const.
+
+2020-01-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix miscellaneous const issues.
+ * libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to
+ non-const char *.
+ * modules/pam_filter/pam_filter.c: Avoid using const char **.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
+ * modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
+ * modules/pam_tally2/pam_tally2.c: String literal must be assigned to
+ const char *.
+
+2020-01-17 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Return NULL instead of calling crypt_md5_wrapper().
+ If the call to the crypt(3) function failed for some reason during
+ hashing a new login passphrase, the wrapper function for computing
+ a hash with the md5crypt method was called internally by the pam_unix
+ module in previous versions of linux-pam.
+
+ With CVE-2012-3287 in mind, the md5crypt method is not considered to
+ be a safe nor recommended hashing method for a new login passphrase
+ since at least 2012. Thus pam_unix should error out in case of a
+ failure in crypt(3) instead of silently computing a hashed passphrase
+ using a potentially unsafe method.
+
+ * modules/pam_unix/pam_unix.8.xml: Update documentation.
+ * modules/pam_unix/passverify.c (create_password_hash): Return NULL
+ on error instead of silently invoke crypt_md5_wrapper().
+
+2020-01-15 Hulto <jack.m.mckenna@gmail.com>
+
+ Changed variable salt to hash.
+ helper_verify_password's variable salt is not just the salt but the whole hash. Renamed for clarity and conformity with the rest of the code.
+
+2020-01-15 Josef Moellers <jmoellers@suse.de>
+
+ Add two missing va_end() calls According to the man pages, "Each invocation of va_start() must be matched by a corresponding invocation of va_end() in the same function."
+
+2020-01-15 Steve Langasek <steve.langasek@canonical.com>
+
+ Further grammar fixes.
+
+ Bug-Debian: https://bugs.debian.org/651560
+
+2020-01-15 Steve Langasek <steve.langasek@canonical.com>
+
+ Miscellaneous spelling fixes.
+
+ Miscellaneous grammar fixes.
+
+2020-01-10 Andreas Henriksson <andreas@fatal.se>
+
+ pam_umask: document the 'nousergroups' option.
+ Add a short description of the nousergroups to the pam_umask(8)
+ man-page.
+
+2020-01-10 Andreas Henriksson <andreas@fatal.se>
+
+ pam_umask: add new 'nousergroups' module argument.
+ This is particularly useful when pam has been built with the new
+ --enable-usergroups configure switch, allowing users to override
+ the default-enabled state and disabling usergroups at runtime.
+
+ This is synonymous but opposite to current and previous pam_umask
+ default that could be changed to enabled at runtime with the usergroups
+ argument.
+
+2020-01-10 Andreas Henriksson <andreas@fatal.se>
+
+ pam_umask: build-time usergroups option default.
+ This change adds a configure option to set the default value of the
+ usergroups option (of the pam_umask module) at build-time.
+
+ Distributions usually makes the decision if usergroups should be used or
+ not. This allows them to control the built-in default value, without
+ having to ship the value in a config file (cluttering up the view
+ of actually relevant user/system configuration overrides).
+
+2020-01-02 msalle <mischa.salle@gmail.com>
+
+ pam_access: Fix (IPv6) address prefix size matching.
+ IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should
+ be discarded. Additionally, for IPv4 addresses, the largest valid prefix size
+ should be 32.
+
+ Fixes #161
+
+2019-12-18 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Do not use CFLAGS for warning flags set from configure.
+ To be able to set CFLAGS from make command-line but not to lose the
+ warning flags.
+
+ * configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
+ * */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
+
+2019-12-17 Balint Reczey <balint.reczey@canonical.com>
+
+ Return only PAM_IGNORE or error from pam_motd.
+ Follow-up for c81280b16e1831ab0bdd0383486c7e2d1eaf1b5e.
+ * modules/pam_motd/pam_motd.c: Return PAM_IGNORE if pam_putenv succeeds.
+ * modules/pam_motd/pam_motd.8.xml: Document additional possible return values of the module.
+
+2019-12-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ Add initial Travis CI support.
+ This runs "make distcheck" using gcc-9, gcc-8, gcc-7, and clang
+ on x86_64, x86, x32, aarch64, s390x, and ppc64le architectures.
+
+ * .travis.yml: New file.
+ * ci/install-dependencies.sh: Likewise.
+ * ci/run-build-and-tests.sh: Likewise.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/28
+
+2019-12-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_pwhistory: fix build when -lxcrypt is not available.
+ When xcrypt.h is available but -lxcrypt is not, pam_pwhistory fails to
+ build with the following diagnostics:
+ modules/pam_pwhistory/opasswd.c:111: undefined reference to `xcrypt_r'
+
+ Fix this by using the same check for xcrypt as in other modules.
+
+ * modules/pam_pwhistory/opasswd.c: Replace HAVE_XCRYPT_H with
+ HAVE_LIBXCRYPT.
+
+2019-12-16 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix or suppress various warnings when compiling with -Wall -Wextra.
+ * conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
+ * doc/specs/Makefile.am: Likewise.
+
+ * libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.
+
+ * modules/pam_access/pam_access.c: Avoid double const.
+
+ * modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
+ without copying the NUL byte.
+
+ * modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
+ * modules/pam_time/pam_time.c: Likewise.
+
+ * modules/pam_limits/pam_limits.c: Remove unused units variable.
+
+ * modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.
+
+ * modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.
+
+ * modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
+ of hardcoded value.
+
+ * modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.
+
+ * modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.
+
+ * modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
+ cast for comparison.
+
+ * modules/pam_unix/support.c: Remove unused function.
+
+2019-12-04 Balint Reczey <balint@balintreczey.hu>
+
+ pam_motd: Export MOTD_SHOWN=pam after showing MOTD.
+ This is a useful indication for update-motd profile.d snippet which can
+ also try to show MOTD when it is not already shown.
+
+ The use-case for that is showing MOTD in shells in containers without
+ PAM being involved.
+
+ * modules/pam_motd/pam_motd.c: Export MOTD_SHOWN=pam after showing MOTD
+ * modules/pam_motd/pam_motd.8.xml: Mention setting MOTD_SHOWN=pam in the man page
+
+2019-11-28 ppkarwasz <piotr.github@karwasz.org>
+
+ Adds an auth module to pam_keyinit (#150)
+ Adds an auth module to pam_keyinit, whose implementation of
+ pam_sm_setcred
+ is identical to the implementation of pam_sm_open_session.
+
+ It is useful with PAM applications, which call pam_setcred,
+ before calling pam_open_session.
+
+ * modules/pam_keyinit/pam_keyinit.c: Add an auth module to pam_keyinit.
+
+ * modules/pam_keyinit/pam_keyinit.8.xml: Update the manpage
+ to describe the new functionality.
+
+2019-11-28 Sophie Herold <sophie@hemio.de>
+
+ Lower "bad username" log priority (#154)
+ * modules/pam_unix/pam_unix_auth.c: Use LOG_NOTICE instead of LOG_ERR.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_umask/pam_umask.c: Likewise.
+
+2019-11-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
+ * modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
+ noexec, nosuid, and nodev flags support.
+ * modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
+ filter out the flags.
+ (parse_method): Call the function.
+ (ns_setup): Apply the flags to the tmpfs mount.
+ * modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
+
+2019-11-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Optimize the checkgrouplist function.
+ There is no point in rising the allocation size by doubling when
+ we can allocate required memory size at once in the second pass.
+
+ * libpam/pam_modutil_ingroup.c (checkgrouplist): Allocate some reasonable
+ default size in first pass and required size in the second pass.
+
+2019-10-15 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ doc: fix module type written in MODULE TYPES PROVIDED.
+
+2019-10-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Add logging useful for debugging problems.
+ Two messages added about obtaining the username are guarded
+ by the debug option as these should not be normally
+ logged - they can be useful for debugging but they do not
+ indicate any special condition.
+
+ The message about authenticating user with blank password is
+ still just LOG_DEBUG priority but it is logged unconditionally
+ because it is somewhat extraordinary condition to have an user
+ with blank password.
+
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
+ D() macro calls which are not enabled on production builds with
+ regular pam_syslog() calls.
+
+2019-10-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Fix the spelling of Jan Rękorajski's name.
+
+2019-10-08 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ doc: fix typo in manpage.
+
+2019-10-03 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ pam_mkhomedir: Add debug option to pam_mkhomedir(8) man page.
+
+2019-09-23 Marek Černocký <marek@manet.cz>
+
+ Fixed missing quotes in configure script.
+
+2019-09-16 Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
+
+ Add support for a vendor directory and libeconf (#136)
+ With this, it is possible for Linux distributors to store their
+ supplied default configuration files somewhere below /usr, while
+ /etc only contains the changes made by the user. The new option
+ --enable-vendordir defines where Linux-PAM should additional look
+ for pam.d/*, login.defs and securetty if this files are not in /etc.
+ libeconf is a key/value configuration file reading library, which
+ handles the split of configuration files in different locations
+ and merges them transparently for the application.
+
+2019-09-12 Carlos Santos <casantos@redhat.com>
+
+ pam_lastlog: document the 'unlimited' option.
+
+2019-09-12 Carlos Santos <casantos@redhat.com>
+
+ pam_lastlog: prevent crash due to reduced 'fsize' limit.
+ It a reduced fsize limit is set in /etc/security/limits.conf and
+ pam_limits is in use pam_lastlog may cause a crash, e.g.
+
+ ----- begin /etc/pam.d/su ----
+ auth sufficient pam_rootok.so
+ auth required pam_wheel.so use_uid
+ auth required pam_env.so
+ auth required pam_unix.so nullok
+ account required pam_unix.so
+ password required pam_unix.so nullok
+ session required pam_limits.so
+ session required pam_env.so
+ session required pam_unix.so
+ session optional pam_lastlog.so
+ ----- end /etc/pam.d/su -----
+
+ ----- begin /etc/security/limits.d/fsize.conf -----
+ * soft fsize 1710
+ * hard fsize 1710
+ ----- end /etc/security/limits.d/fsize.conf -----
+
+ # id user1
+ uid=1000(user1) gid=1000(user1) groups=1000(user1)
+ # su - user1
+ Last login: Wed Sep 11 01:52:44 UTC 2019 on console
+ $ exit
+ # id user2
+ uid=60000(user2) gid=60000(user2) groups=60000(user2)
+ # su - user2
+ File size limit exceeded
+
+ This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
+ attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
+
+ In order to fix this, and an 'unlimited' option, which leads to saving
+ the 'fsize' limit and set it to unlimited before writing lastlog. After
+ that, restore the saved value. If 'fsize' is already unlimited nothing
+ is done.
+
+ Failing to set the 'fsize' limit is not a fatal error. With luck the
+ configured limit will suffice, so we try to write lastlog anyway, even
+ under the risk of dying due to a SIGXFSZ.
+
+ Failing to restore the 'fsize' limit is a fatal error, since we don't
+ want to keep it unlimited.
+
+2019-09-11 ed <ed@s5h.net>
+
+ pam_unix_sess.c add uid for opening session.
+ This adds the UID of the target user to the session open log.
+
+ Also fixing tabulation in pam_unix_sess.c.
+
+2019-09-09 lifecrisis <15251574+lifecrisis@users.noreply.github.com>
+
+ Fix the man page for "pam_fail_delay()"
+ This man page contained the incorrect statement that setting the
+ PAM_FAIL_DELAY item to NULL would disable any form of delay on
+ authentication failure.
+
+ I removed the incorrect statement and added a paragraph explaining
+ how an application should properly avoid delays.
+
+ Closes #137.
+
+2019-09-06 lifecrisis <15251574+lifecrisis@users.noreply.github.com>
+
+ Fix a typo.
+ There is an extra space where there should not be one.
+
+2019-09-06 lifecrisis <15251574+lifecrisis@users.noreply.github.com>
+
+ Update a function comment.
+ The function comment for "_pam_await_timer()" does not mention the
+ intended behavior of prioritizing the "PAM_FAIL_DELAY" item.
+
+ I updated the comment to make this intention clear.
+
+2019-09-02 Matt Cowell <matt.cowell@nokia.com>
+
+ pwhistory: fix read of uninitialized data and memory leak when modifying opasswd
+ The glibc implementation of getline/getdelim does not guarantee a NUL
+ terminator in lineptr if getline returns failure (-1). This occurs when
+ the opasswd file exists but is empty. Since strdup is called
+ immediately afterwards, this causes strdup to read uninitialized memory
+ and possibly buffer overrun / crash.
+
+ This also fixes a memory leak which always occurs when reading the last
+ line of the opasswd file. Since the strdup is called before checking
+ the return code from getline, getdelim, or fgets+strlen, it will
+ duplicate and never free either:
+ - The last successfully read line (for getline or getdelim)
+ - Uninitialized data (if the file is empty)
+ - A 0 byte string (for fgets+strlen)
+
+ Fix by always checking the return code of getline, getdelim, or
+ fgets+strlen before calling strdup.
+
+2019-08-26 Christophe Besson <cbesson@redhat.com>
+
+ libpam/pam_modutil_sanitize.c: optimize the way to close fds.
+
+2019-08-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tty_audit: Manual page clarification about password logging.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
+ can be sometimes logged even when the option is not set.
+
+2019-08-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_get_authtok_verify: Avoid duplicate password verification.
+ If password was already verified by previous modules in the stack
+ it does not need to be verified by pam_get_authtok_verify either.
+
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
+ appropriately.
+ (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
+ set it when the password is verified.
+ * libpam/pam_private.h: Add authtok_verified to the pam handle struct.
+ * libpam/pam_start.c (pam_start): Initialize authtok_verified.
+
+2019-07-16 2*yo <yohann@lepage.info>
+
+ Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+
+2019-06-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Correct MAXPASS define name in the previous two commits.
+ * modules/pam_unix/pam_unix_passwd.c: Change MAX_PASS to MAXPASS.
+ * modules/pam_unix/support.c: Likewise.
+
+2019-06-27 Florian Best <best@univention.de>
+
+ Restrict password length when changing password.
+
+ Trim password at PAM_MAX_RESP_SIZE chars.
+ Issue #118: Protect against Denial of Service attacks.
+ To prevent hashsum generation via crypt of very long passwords the
+ password is now stripped to 512 characters. This is equivalent behavior
+ to unix_chkpwd.
+
+2019-05-23 Olaf Mandel <o.mandel@menlosystems.com>
+
+ pam_succeed_if: Request user data only when needed.
+ Allow for conditions that just check the user field to also work for
+ users not known to the system. Before this caused a PAM_USER_UNKNOWN
+ even if no extra data for an existing user was needed. E.g.
+
+ auth sufficient pam_succeed_if.so user = NotKnownToSystem
+
+ modules/pam_succeed_if/pam_succeed_if.c (evaluate): Change the pwd
+ parameter to an input/output parameter. Lazily request pwd with
+ pam_modutil_getpwnam() if needed and return PAM_USER_UNKNOWN on failure.
+
+ modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Don't
+ request the pwd if !use_uid anymore and shift the output from audit to
+ after the evaluate() call. Also make sure not to give the normal failure
+ message if the lazy pwd loading failed.
+
+2019-02-26 Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+ pam_tally2: Remove unnecessary fsync()
+ pam_tally2 does fsync() after writing to a tally file.
+ This causes hard drive cache flushes on every failed SSH login on many
+ (if not most) filesystems.
+ And an internet-exposed machine can have a lot of these failed logins.
+
+ This operation however doesn't seem to be necessary - the pam_tally2
+ module does not do any operation which would need explicit post-crash
+ ordering, it just does simple file reads and writes.
+ And doing a fsync() after them doesn't close any race if the system happens
+ to crash between a write being posted and its fsync() completion.
+
+ Let's remove this operation to get rid of all these extra cache flushes.
+
+2019-02-19 vkwitshana <vkwitshana@gmail.com>
+
+ Fixed a grammer mistake.
+
+2019-01-10 Christopher Head <chead@chead.ca>
+
+ Fix documentation for pam_wheel.
+ By default, pam_wheel checks for applicant membership in the wheel group
+ for *all* access requests, regardless of whether the target user is root
+ or non-root. Only if root_only is provided does it limit the membership
+ check to cases when the target user is root. Update the documentation to
+ reflect this.
+
+2019-01-10 Louis Sautier <sautier.louis@gmail.com>
+
+ Fix a typo in the documentation.
+
+2019-01-10 Nir Soffer <nsoffer@redhat.com>
+
+ pam_lastlog: Improve silent option documentation.
+ The silent option explicitly silents only the last login message and not
+ bad logins. Add a note to the manual to make this clear.
+
+ * modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
+
+2019-01-10 Nir Soffer <nsoffer@redhat.com>
+
+ pam_lastlog: Respect PAM_SILENT flag.
+ pam_lastlog module will not log info about failed login if the session
+ was opened with PAM_SILENT flag.
+
+ Example use case enabled by this change:
+
+ sudo --non-interactive program
+
+ If this command is run by another program expecting specific output from
+ the command run by sudo, the unexpected info about failed logins will
+ break this program.
+
+ * modules/pam_lastlog/pam_lastlog.c: Respect silent option.
+ (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
+
+2019-01-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix regressions from the last commits.
+ * configure.ac: Test for logwtmp needs -lutil in LIBS.
+ * modules/Makefile.am: Fix indentation of variable assignments causing
+ creation of incorrect Makefile.
+
+2019-01-04 Rosen Penev <rosenp@gmail.com>
+
+ Replace strndupa with strncpy.
+ glibc only. A static string is better.
+
+2019-01-04 Yousong Zhou <yszhou4tech@gmail.com>
+
+ build: ignore pam_lastlog when logwtmp is not available.
+ * configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
+ * modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
+
+ build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+ * configure.ac: check for ruserok and ruserok_af
+ * modules/Makefile.am: ignore pam_rhosts/ if it's disabled
+ * modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
+
+2018-12-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_motd: Cleanup the code and avoid unnecessary logging.
+ The pam_motd module will not log if the default motd.d directories
+ are missing.
+
+ Also cleanup some code cleanliness issues and fix compilation
+ warnings.
+
+ * modules/pam_motd/pam_motd.c: Constification of constant strings.
+ (try_to_display_directory): Removed unused function.
+ (pam_split_string): Replace uint with unsigned int. Fix warnings.
+ (compare_strings): Fix warnings by proper constification.
+ (try_to_display_directories_with_overrides): Cleanups. Switch
+ off the logging if the motd.d directories are missing and they
+ are default ones.
+ (pam_sm_open_session): Cleanup warnings. Pass the information
+ to try_to_display_directories_with_overrides() that non-default
+ motd options are used.
+
+2018-12-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+ * modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the
+ LASTLOG_UID_MAX option.
+ * modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max().
+ (last_login_date): Check the uid against the get_lastlog_uid_max().
+ (pam_authenticate): Likewise.
+
+2018-12-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Move the duplicated search_key function to pam_modutil.
+ * libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
+ * libpam/Makefile.am: Add the pam_modutil_searchkey.c.
+ * libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
+ * libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
+ * modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
+ pam_modutil_search_key().
+ * modules/pam_umask/pam_umask.c: Likewise.
+ * modules/pam_unix/support.c: Likewise.
+
+2018-11-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Use pam_syslog instead of helper_log_err.
+ * modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
+ PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
+ * modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
+ * modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
+ to verify_pwd_hash() call.
+
+2018-11-27 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Report unusable hashes found by checksalt to syslog.
+ libxcrypt can be build-time configured to support (or not support)
+ various hashing methods. Future versions will also have support for
+ runtime configuration by the system's vendor and/or administrator.
+
+ For that reason adminstrator should be notified by pam if users cannot
+ log into their account anymore because of such a change in the system's
+ configuration of libxcrypt.
+
+ Also check for malformed hashes, like descrypt hashes starting with
+ "$2...", which might have been generated by unsafe base64 encoding
+ functions as used in glibc <= 2.16.
+ Such hashes are likely to be rejected by many recent implementations
+ of libcrypt.
+
+ * modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
+ hashes found by checksalt to syslog.
+
+2018-11-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Revert "pam_unix: Add crypt_default method, if supported."
+ This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
+
+2018-11-27 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Add crypt_default method, if supported.
+ libxcrypt since v4.4.0 supports a default method for its
+ gensalt function on most system configurations. As the
+ default method is to be considered the strongest available
+ hash method, it should be preferred over all other hash
+ methods supported by pam.
+
+ * modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
+ * modules/pam_unix/passverify.c: Add crypt_default method.
+ * modules/pam_unix/support.h: Likewise.
+
+2018-11-26 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Revert part of the commit 4da9febc.
+ pam_unix: Do not return a hard failure on invalid or disabled salt
+ as in some cases the failure actually is not interesting and can
+ broke things such as password-less sudo.
+
+ * modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
+ of disabled or invalid salt.
+
+2018-11-23 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Add support for (gost-)yescrypt hashing methods.
+ libxcrypt (v4.2 and later) has added support for the yescrypt
+ hashing method; gost-yescrypt has been added in v4.3.
+
+ * modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
+ * modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
+ * modules/pam_unix/pam_unix_auth.c: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/pam_unix_sess.c: Likewise.
+ * modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
+ * modules/pam_unix/passverify.h: Use 64 bit type for control flags.
+ * modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
+ * modules/pam_unix/support.h: Add support for (gost-)yescrypt.
+
+2018-11-22 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Fix closing curly brace. (#77)
+ This has been overlooked during review of commit dce80b3f11b3.
+
+ * modules/pam_unix/support.c (_set_ctrl): Fix closing curly brace.
+
+ Closes: https://github.com/linux-pam/linux-pam/issues/77
+
+2018-11-22 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+ libxcrypt v4.3 has added the crypt_checksalt function to whether
+ the prefix at the begining of a given hash string refers to a
+ supported hashing method.
+
+ Future revisions of this function will add support to check whether
+ the hashing method, the prefix refers to, was disabled or considered
+ deprecated by the system's factory presets or system administrator.
+ Furthermore it will be able to detect whether the parameters, which
+ are used by the corresponding hashing method, being encoded in the
+ hash string are not considered to be strong enough anymore.
+
+ *modules/pam_unix/passverify.c: Add support for crypt_checksalt.
+
+2018-11-22 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Prefer a gensalt function, that supports auto entropy.
+ * modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
+ * modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
+ * modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
+
+2018-11-21 Robert Fairley <rfairley@users.noreply.github.com>
+
+ pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+ This fixes a regression introduced by #69, where motd_path was set
+ to NULL and passed into strdup() if the motd_dir argument was
+ not specified in the configuration file. This caused a segmentation
+ fault.
+
+ * modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
+ * xtests/Makefile.am: add test scripts and config file
+ * xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
+ * xtests/tst-pam_motd4.pamd: create
+ * xtests/tst-pam_motd4.sh: create
+
+2018-11-19 Robert Fairley <rfairley@users.noreply.github.com>
+
+ pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+ Adds specifying multiple paths to motd files and motd.d
+ directories to be displayed. A colon-separated list of
+ paths is specified as arguments motd and motd_dir to the
+ pam_motd module.
+
+ This gives packages several options to install motd files to.
+ By default, the paths are, with highest priority first:
+ /etc/motd
+ /run/motd
+ /usr/lib/motd
+ /etc/motd.d/
+ /run/motd.d/
+ /usr/lib/motd.d/
+
+ Which is equivalent to the following arguments:
+ motd=/etc/motd:/run/motd:/usr/lib/motd
+ motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d
+
+ Files with the same filename in a lower-priority directory,
+ as specified by the order in the colon-separated list, are
+ overridden, meaning PAM will not display them.
+
+ This allows a package to contain motd files under
+ /usr/lib instead of the host configuration in /etc.
+ A service may also write a dynamically generated motd in
+ /run/motd.d/ and have PAM display it without needing a
+ symlink from /etc/motd.d/ installed.
+
+ Closes #68
+
+ * modules/pam_motd/pam_motd.8.xml: update documentation
+ * modules/pam_motd/pam_motd.c: add specifying multiple motd paths
+ * xtests/.gitignore: add generated test script
+ * xtests/Makefile.am: add test source, scripts and config files
+ * xtests/tst-pam_motd.c: create
+ * xtests/tst-pam_motd.sh: create
+ * xtests/tst-pam_motd1.pamd: create
+ * xtests/tst-pam_motd1.sh: create
+ * xtests/tst-pam_motd2.pamd: create
+ * xtests/tst-pam_motd2.sh: create
+ * xtests/tst-pam_motd3.pamd: create
+ * xtests/tst-pam_motd3.sh: create
+
+2018-11-16 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Use bcrypt b-variant for computing new hashes.
+ Bcrypt hashes used the "$2a$" prefix since 1997.
+ However, in 2011 an implementation bug was discovered in bcrypt
+ affecting the handling of characters in passphrases with the 8th
+ bit set.
+
+ Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
+ for a behavior that exactly matches crypt_blowfish's "$2y$", and
+ the crypt_blowfish implementation supports it as well since v1.1.
+
+ That said new computed bcrypt hashes should use the "$2b$" prefix.
+
+ * modules/pam_unix/passverify.c: Use bcrypt b-variant.
+
+2018-06-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_tally, pam_tally2: fix grammar and spelling (#54)
+ * modules/pam_tally/pam_tally.c (tally_check): Replace
+ "Account is temporary locked" with "The account is temporarily locked"
+ in translated messages.
+ * modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+ * po/Linux-PAM.pot: Update pam_tally and pam_tally2 messages.
+
+ Closes: https://github.com/linux-pam/linux-pam/issues/54
+
+2018-06-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix grammar of messages printed via pam_prompt.
+ Turn into proper sentences those messages that are printed without
+ further modifications using pam_prompt in contexts where proper
+ sentences are expected.
+
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
+ of the message passed to pam_error.
+ * modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
+ grammar of error messages passed to pam_error.
+ * modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
+ passed to pam_info.
+ * modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
+ * modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
+ grammar of messages passed to pam_prompt.
+ * modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
+ passed to pam_info.
+ * modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
+ of messages passed to _make_remark.
+ * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
+ pam_sm_chauthtok): Likewise.
+ * po/Linux-PAM.pot: Regenerate.
+
+2018-06-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_stress: do not mark messages for translation.
+ pam_stress is not a regular module that needs to be translated.
+ Besides that, its messages are not easy to understand
+ and even harder to translate properly.
+
+ * modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Do not mark
+ messages for translation.
+ * po/Linux-PAM.pot: Remove pam_stress messages.
+
+2018-05-31 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+ The last use of these macros was removed by commit Linux-PAM-1.3.0~5
+ so their definitions should go as well.
+
+ * modules/pam_unix/pam_unix_auth.c (_UNIX_AUTHTOK): Remove.
+ * modules/pam_unix/pam_unix_passwd.c (_UNIX_OLD_AUTHTOK,
+ _UNIX_NEW_AUTHTOK): Likewise.
+
+ Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
+ direct pam_prompt() calls.")
+
+2018-05-31 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: remove obsolete _unix_read_password prototype.
+ The function was removed by commit Linux-PAM-1.3.0~5
+ so the function prototype should go as well.
+
+ * modules/pam_unix/support.h (_unix_read_password): Remove.
+
+ Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
+ direct pam_prompt() calls.")
+
+2018-05-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.3.1.
+
+ Add xz compression.
+
+2018-05-16 Allison Karlitskaya <allison.karlitskaya@redhat.com>
+
+ pam_motd: add support for a motd.d directory (#48)
+ Add a new feature to pam_motd to allow packages to install their own
+ message files in a "motd.d" directory, to be displayed after the primary
+ motd.
+
+ Add an option motd_d= to specify the location of this directory.
+
+ Modify the defaults, in the case where no options are given, to display
+ both /etc/motd and /etc/motd.d.
+
+ Fixes #47
+
+ * modules/pam_motd/pam_motd.c: add support for motd.d
+ * modules/pam_motd/pam_motd.8.xml: update the manpage
+
+2018-05-02 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_umask: Fix documentation to align with order of loading umask.
+ * modules/pam_umask/pam_umask.8.xml: Document the real order of loading
+ umask.
+
+2018-04-10 Joey Chagnon <joeychagnon@users.noreply.github.com>
+
+ Fix missing word in documentation.
+ * doc/man/pam_get_user.3.xml: Fix it.
+
+2017-11-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_tally2 --reset: avoid creating a missing tallylog file.
+ There is no need for pam_tally2 in --reset=0 mode to create a missing
+ tallylog file because its absence has the same meaning as its existence
+ with the appropriate entry reset.
+
+ This was not a big deal until useradd(8) from shadow suite release 4.5
+ started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
+ configuration.
+
+ The positive effect of this change is noticeable when using tools like
+ cpio(1) that cannot archive huge sparse files efficiently.
+
+ * modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
+ cline_filename when cline_reset == 0, exit early if the file is missing.
+
+2017-11-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_mkhomedir: Allow creating parent of homedir under /
+ * modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
+ skip creating the directory if we are under /.
+
+2017-10-09 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tty_audit: Fix regression introduced by adding the uid range support.
+ * modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
+ remove unneeded code carried from pam_limits.
+ (pam_sm_open_session): When multiple enable/disable options are present do not
+ stop after first match.
+
+2017-09-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: Add note about spaces around ':' in access.conf(5)
+ * modules/pam_access/access.conf.5.xml: Add note about spaces around ':'
+
+ Workaround formatting problem in pam(8)
+ * doc/man/pam.8.xml: Workaround formatting problem.
+
+2017-07-12 Peter Urbanec <peterurbanec@users.noreply.github.com>
+
+ pam_unix: Check return value of malloc used for setcred data (#24)
+ Check the return value of malloc and if it failed print debug info, send
+ a syslog message and return an error code.
+
+ The test in AUTH_RETURN for ret_data not being NULL becomes redundant.
+
+2017-07-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_cracklib: Drop unused prompt macros.
+ * modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.
+
+2017-06-28 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tty_audit: Support matching users by uid range.
+ * modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
+ parse the uid range.
+ (pam_sm_open_session): Call parse_uid_range() and behave according to its result.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.
+
+2017-05-31 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: support parsing files in /etc/security/access.d/*.conf.
+ * modules/pam_access/pam_access.c (login_access): Return NOMATCH if
+ there was no match in the parsed file.
+ (pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
+ subdirectory and call login_access() on the individual files matched.
+ * modules/pam_access/pam_access.8.xml: Document the addition.
+ * modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.
+
+2017-04-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_localuser: Correct the example in documentation.
+ * modules/pam_localuser/pam_localuser.8.xml: The example configuration
+ does something different.
+
+ pam_localuser: Correct documentation of return value.
+ * modules/pam_localuser/pam_localuser.8.xml: The module returns
+ PAM_PERM_DENIED when the user is not listed.
+
+2017-03-10 Saul Johnson <saul.a.johnson@gmail.com>
+
+ Make maxclassrepeat=1 behavior consistent with docs (#9)
+ * modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.
+
+2017-02-09 Josef Moellers <jmoellers@suse.de>
+
+ Properly test for strtol() failure to find any digits.
+ * modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
+ to beginning and not NULL.
+
+2017-01-19 Daniel Abrecht <daniel.abrecht@hotmail.com>
+
+ pam_exec: fix a potential null pointer dereference.
+ Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
+ but the response is set to NULL.
+
+ * modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
+ with a null pointer.
+
+ Closes: https://github.com/linux-pam/linux-pam/pull/2
+
+2016-12-07 Antonio Ospite <ao2@ao2.it>
+
+ Add missing comma in the limits.conf.5 manpage.
+ * modules/pam_limits/limits.conf.5.xml: add a missing comma
+
+2016-11-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Regular links doesn't work with -no-numbering -no-references.
+ * configure.ac: Use elinks instead of links.
+
+2016-11-01 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: First check for the (group) match.
+ The (group) match is performed first to allow for groups
+ containing '@'.
+
+ * modules/pam_access/pam_access.c (user_match): First check for the (group) match.
+
+2016-10-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_ftp: Properly use the first name from the supplied list.
+ * modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
+ of anonymous users if user name matches.
+ (pam_sm_authenticate): Free the returned value allocated in lookup().
+
+2016-09-12 Bartos-Elekes Zsolt <muszi@kite.hu>
+
+ pam_issue: Fix no prompting in parse escape codes mode.
+ * modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
+
+2016-06-30 Maxin B. John <maxin.john@intel.com>
+
+ xtests: remove bash dependency.
+ There are no bash specific syntax in the xtest scripts. So, remove
+ the bash dependency.
+
+2016-06-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Unification and cleanup of syslog log levels.
+ * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
+ * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
+ with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
+ with LOG_ERR.
+ * modules/pam_limits/pam_limits.c: User login limit messages are syslogged
+ with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
+ LOG_ERR.
+ * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
+ with LOG_NOTICE.
+ * modules/pam_namespace/pam_namespace.c: Make memory allocation failures
+ LOG_CRIT.
+ * modules/pam_nologin/pam_nologin.c: Make memory allocation failures
+ LOG_CRIT, other errors LOG_ERR.
+ * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
+ with LOG_NOTICE, non-memory errors with LOG_ERR.
+ * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
+ LOG_ERR.
+ * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
+ LOG_CRIT.
+ * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
+ other errors LOG_ERR.
+ * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
+ * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
+ max retries ignorance by application likewise.
+ * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
+ with LOG_NOTICE.
+ * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
+
+2016-06-14 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_timestamp: fix typo in strncmp usage.
+ Before this fix, a typo in check_login_time resulted to ruser and
+ struct utmp.ut_user being compared by the first character only,
+ which in turn could lead to a too low timestamp value being assigned
+ to oldest_login, effectively causing bypass of check_login_time.
+
+ * modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
+ in strncmp usage.
+
+ Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
+
+2016-05-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Correct the examples in pam_fail_delay(3) man page.
+ doc/man/pam_fail_delay.3.xml: Correct the examples.
+
+2016-05-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Remove spaces in examples for access.conf.
+ The spaces are ignored only with the default listsep. To remove confusion
+ if non-default listsep is used they are removed from the examples.
+
+ * modules/pam_access/access.conf: Remove all spaces around ':' in examples.
+ * modules/pam_access/access.conf.5.xml: Likewise.
+
+2016-05-05 Mike Frysinger <vapier@gentoo.org>
+
+ build: avoid non-portable == with "test" (ticket #60)
+ POSIX says test only accepts =. Some shells (including bash) accept ==,
+ but we should still stick to = for portability.
+
+ * configure.ac: Replace == with = in "test" invocations.
+
+2016-04-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.3.0.
+ * NEWS: add changes for 1.3.0.
+ * configure.ac: bump version number.
+ * libpam/Makefile.am: bump revision of libpam.so version.
+
+2016-04-28 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Zanata.
+ * po/*.po: Updated translations from Zanata.
+
+2016-04-19 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_wheel: Correct the documentation of the root_only option.
+ * modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
+ root_only option.
+
+ pam_unix: Document that MD5 password hash is used to store old passwords.
+ modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
+ to store the old passwords when remember option is set.
+
+2016-04-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Project registered at Zanata (fedora.zanata.org) for translations.
+ * zanata.xml: Configuration file for zanata client.
+ * po/LINGUAS: Update languages as supported by Zanata.
+ * po/Linux-PAM.pot: Updated from sources.
+ * po/*.po: Updated from sources.
+
+2016-04-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.
+ We have to drop support for not_set_pass option which is not much useful
+ anyway. Instead we get proper support for authtok_type option.
+
+ * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
+ pe
+ option.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
+ sword()
+ call with equivalent pam_get_authtok() call.
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
+ support for not_set_pass.
+ * modules/pam_unix/support.c (_unix_read_password): Remove.
+ * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
+
+2016-04-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_get_authtok(): Add authtok_type support to current password prompt.
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password,
+ use different prompt for current password allowing for authtok_type to be
+ displayed to the user.
+
+2016-04-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Make password expiration messages more user-friendly.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
+ expiration messages more user-friendly.
+
+2016-04-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. [ticket#46]
+ * modules/pam_group/pam_group.c: ditto
+ * modules/pam_succeed_if/pam_succeed_if.c: ditto
+ * modules/pam_time/pam_time.c: ditto
+
+ build: fix build when crypt() is not part of crypt_libs [ticket#46]
+ * configure.ac: Don't set empty -l option in crypt check
+
+ build: use $host_cpu for lib64 directory handling [ticket#46]
+ * configure.ac: use $host_cpu for lib64 directory handling.
+
+2016-04-01 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix whitespace issues.
+ Remove blank lines at EOF introduced by commit
+ a684595c0bbd88df71285f43fb27630e3829121e,
+ making the project free of warnings reported by
+ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+ * libpam/pam_dynamic.c: Remove blank line at EOF.
+ * modules/pam_echo/pam_echo.c: Likewise.
+ * modules/pam_keyinit/pam_keyinit.c: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+ * modules/pam_rhosts/pam_rhosts.c: Likewise.
+ * modules/pam_sepermit/pam_sepermit.c: Likewise.
+ * modules/pam_stress/pam_stress.c: Likewise.
+
+2016-04-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Use TI-RPC functions if we compile and link against libtirpc. The old SunRPC functions don't work with IPv6.
+ * configure.ac: Set and restore CPPFLAGS
+ * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
+ rpcb_getaddr if available.
+
+2016-03-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it.
+ * libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility
+
+ Remove "--enable-static-modules" option and support from Linux-PAM. It was never official supported and was broken since years.
+ * configure.ac: Remove --enable-static-modules option.
+ * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
+ * doc/man/pam_sm_authenticate.3.xml: Likewise.
+ * doc/man/pam_sm_chauthtok.3.xml: Likewise.
+ * doc/man/pam_sm_close_session.3.xml: Likewise.
+ * doc/man/pam_sm_open_session.3.xml: Likewise.
+ * doc/man/pam_sm_setcred.3.xml: Likewise.
+ * libpam/Makefile.am: Remove STATIC_MODULES cases.
+ * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
+ * libpam/pam_dynamic.c: Likewise.
+ * libpam/pam_handlers.c: Likewise.
+ * libpam/pam_private.h: Likewise.
+ * libpam/pam_static.c: Remove file.
+ * libpam/pam_static_modules.h: Remove header file.
+ * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
+ * modules/pam_cracklib/pam_cracklib.c: Likewise.
+ * modules/pam_debug/pam_debug.c: Likewise.
+ * modules/pam_deny/pam_deny.c: Likewise.
+ * modules/pam_echo/pam_echo.c: Likewise.
+ * modules/pam_env/pam_env.c: Likewise.
+ * modules/pam_exec/pam_exec.c: Likewise.
+ * modules/pam_faildelay/pam_faildelay.c: Likewise.
+ * modules/pam_filter/pam_filter.c: Likewise.
+ * modules/pam_ftp/pam_ftp.c: Likewise.
+ * modules/pam_group/pam_group.c: Likewise.
+ * modules/pam_issue/pam_issue.c: Likewise.
+ * modules/pam_keyinit/pam_keyinit.c: Likewise.
+ * modules/pam_lastlog/pam_lastlog.c: Likewise.
+ * modules/pam_limits/pam_limits.c: Likewise.
+ * modules/pam_listfile/pam_listfile.c: Likewise.
+ * modules/pam_localuser/pam_localuser.c: Likewise.
+ * modules/pam_loginuid/pam_loginuid.c: Likewise.
+ * modules/pam_mail/pam_mail.c: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+ * modules/pam_motd/pam_motd.c: Likewise.
+ * modules/pam_namespace/pam_namespace.c: Likewise.
+ * modules/pam_nologin/pam_nologin.c: Likewise.
+ * modules/pam_permit/pam_permit.c: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+ * modules/pam_rhosts/pam_rhosts.c: Likewise.
+ * modules/pam_rootok/pam_rootok.c: Likewise.
+ * modules/pam_securetty/pam_securetty.c: Likewise.
+ * modules/pam_selinux/pam_selinux.c: Likewise.
+ * modules/pam_sepermit/pam_sepermit.c: Likewise.
+ * modules/pam_shells/pam_shells.c: Likewise.
+ * modules/pam_stress/pam_stress.c: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.c: Likewise.
+ * modules/pam_tally/pam_tally.c: Likewise.
+ * modules/pam_tally2/pam_tally2.c: Likewise.
+ * modules/pam_time/pam_time.c: Likewise.
+ * modules/pam_timestamp/pam_timestamp.c: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c: Likewise.
+ * modules/pam_umask/pam_umask.c: Likewise.
+ * modules/pam_userdb/pam_userdb.c: Likewise.
+ * modules/pam_warn/pam_warn.c: Likewise.
+ * modules/pam_wheel/pam_wheel.c: Likewise.
+ * modules/pam_xauth/pam_xauth.c: Likewise.
+ * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
+ * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
+ * modules/pam_unix/pam_unix_auth.c: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/pam_unix_sess.c: Likewise.
+ * modules/pam_unix/pam_unix_static.c: Removed.
+ * modules/pam_unix/pam_unix_static.h: Removed.
+ * po/POTFILES.in: Remove removed files.
+ * tests/tst-dlopen.c: Remove PAM_STATIC part.
+
+2016-03-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Fix check for libtirpc and enhance check for libnsl to include new libnsl.
+ * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
+ * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
+
+2016-03-23 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Remove YP dependencies from pam_access, they were never used and such not needed.
+ * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
+ * modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
+ it will never be used.
+
+2016-03-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add checks for localtime() returning NULL.
+ * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
+ returning NULL.
+ * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
+ NULL.
+
+2016-03-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Silence warnings and fix a minor bug.
+ Fixes a minor bug in behavior when is_selinux_enabled()
+ returned negative value.
+
+ * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
+ (unix_update_shadow): Safe cast forwho to non-const char *.
+ * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
+
+2016-02-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: Document the /etc/environment file.
+ * modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
+ * modules/pam_env/pam_env.8.xml: Add environ(7) reference.
+ * modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
+ Add a paragraph about /etc/environment. Add environ(7) reference.
+
+ pam_unix: Add no_pass_expiry option to ignore password expiration.
+ * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
+ is on and return value data is not set to PAM_SUCCESS then ignore
+ PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
+ return value data.
+ (pam_sm_setcred): Test for likeauth option and use the return value data
+ only if set.
+ * modules/pam_unix/support.h: Add the no_pass_expiry option.
+
+2016-01-25 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Change the salt length for new hashes to 16 characters.
+ * modules/pam_unix/passverify.c (create_password_hash): Change the
+ salt length for new hashes to 16 characters.
+
+2015-12-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Relax the conditions for fatal failure on auditing.
+ The PAM library calls will not fail anymore for any uid if the return
+ value from the libaudit call is -EPERM.
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
+
+2015-12-16 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tally2: Optionally log the tally count when checking.
+ * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
+ (tally_check): Always log the tally count with debug option.
+
+2015-10-02 Jakub Hrozek <jakub.hrozek@posteo.se>
+
+ Docfix: pam handle is const in pam_syslog() and pam_vsyslog()
+ * doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
+
+2015-09-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_loginuid: Add syslog message if required auditd is not detected.
+ * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
+ if required auditd is not detected.
+
+2015-09-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Allow links to be used instead of w3m for documentation regeneration.
+ * configure.ac: If w3m is not found check for links.
+
+ Add missing space in pam_misc_setenv man page.
+ * doc/man/pam_misc_setenv.3.xml: Add a missing space.
+
+2015-08-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_rootok: use rootok permission instead of passwd permission in SELinux check.
+ * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
+ passwd permission.
+
+2015-08-05 Amarnath Valluri <amarnath.valluri@intel.com>
+
+ pam_timestamp: Avoid leaking file descriptor.
+ * modules/pam_timestamp/hmacsha1.c(hmac_key_create):
+ close 'keyfd' when failed to own it.
+
+2015-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.2.1.
+ Security fix: CVE-2015-3238
+
+ If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+ of pam_unix is not privileged enough to check the password, e.g.
+ if selinux is enabled, the _unix_run_helper_binary function is called.
+ When a long enough password is supplied (16 pages or more, i.e. 65536+
+ bytes on a system with 4K pages), this helper function hangs
+ indefinitely, blocked in the write(2) call while writing to a blocking
+ pipe that has a limited capacity.
+ With this fix, the verifiable password length will be limited to
+ PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+ * NEWS: Update
+ * configure.ac: Bump version
+ * modules/pam_exec/pam_exec.8.xml: document limitation of password length
+ * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
+ * modules/pam_unix/pam_unix.8.xml: document limitation of password length
+ * modules/pam_unix/pam_unix_passwd.c: limit password length
+ * modules/pam_unix/passverify.c: Likewise
+ * modules/pam_unix/passverify.h: Likewise
+ * modules/pam_unix/support.c: Likewise
+
+2015-04-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Update NEWS file.
+
+ Release version 1.2.0.
+ * NEWS: Update
+ * configure.ac: Bump version
+ * libpam/Makefile.am: Bump version of libpam
+ * libpam_misc/Makefile.am: Bump version of libpam_misc
+ * po/*: Regenerate po files
+
+ Fix some grammatical errors in documentation. Patch by Louis Sautier.
+ * doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
+ * doc/man/pam.3.xml: Likewise.
+ * doc/man/pam_acct_mgmt.3.xml: Likewise.
+ * doc/man/pam_chauthtok.3.xml: Likewise.
+ * doc/man/pam_sm_chauthtok.3.xml: Likewise.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+ * modules/pam_mail/pam_mail.8.xml: Likewise.
+ * modules/pam_rhosts/pam_rhosts.c: Likewise.
+ * modules/pam_shells/pam_shells.8.xml: Likewise.
+ * modules/pam_tally/pam_tally.8.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.8.xml: Likewise.
+ * modules/pam_unix/pam_unix.8.xml: Likewise.
+
+2015-04-23 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Add "quiet" option to pam_unix to suppress informential info messages from session.
+ * modules/pam_unix/pam_unix.8.xml: Document new option.
+ * modules/pam_unix/support.h: Add quiet option.
+ * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
+ 'quiet' option is set.
+
+2015-04-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Use crypt_r if available in pam_userdb and in pam_unix.
+ * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
+ instead of crypt() if available.
+ * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
+ instead of crypt() if available.
+
+2015-03-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Support alternative "vendor configuration" files as fallback to /etc (Ticket#34, patch from ay Sievers <kay@vrfy.org>)
+ * doc/man/pam.8.xml: document additonal config directory
+ * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
+ * libpam/pam_private.h: adjust defines
+
+ pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)
+ * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
+ * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
+ * modules/pam_env/pam_env.8.xml: Enhance documentation
+
+2015-03-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39)
+ * modules/pam_access/access.conf.5.xml
+ * modules/pam_access/pam_access.8.xml
+
+ Don't use sudo directory, the timestamp format is different (Ticket#32)
+ * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
+
+ Enhance group.conf examples (Ticket#35)
+ * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
+
+ Document timestampdir option (Ticket#33)
+ * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
+
+ Adjust documentation (Ticket#36)
+ * libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
+ * doc/man/pam_fail_delay.3.xml: Change 25% to 50%
+
+2015-02-18 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Transifex.
+ * po/*.po: Updated translations from Transifex.
+
+2015-01-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: raise gettext version requirement.
+ Raise gettext requirement to the latest oldstable version 0.18.3.
+ This fixes the following automake warning:
+
+ configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
+ configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
+ configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
+
+ * configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
+ * po/Makevars: Update from gettext-0.18.3.
+
+2015-01-07 Ronny Chevalier <chevalier.ronny@gmail.com>
+
+ build: adjust automake warning flags.
+ Enable all automake warning flags except for the portability issues,
+ since non portable features are used among the makefiles.
+
+ * configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
+
+2015-01-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: rename configure.in to configure.ac.
+ This fixes the following automake warning:
+ aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
+
+ * configure.in: Rename to configure.ac.
+
+2015-01-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ Remove unmodified GNU gettext files installed by autopoint.
+ These files are part of GNU gettext; we have not modified them, they are
+ installed by autopoint which is called by autoreconf, so they had to be
+ removed from this repository along with ABOUT-NLS, config.rpath, and
+ mkinstalldirs files that were removed by commit
+ Linux-PAM-1_1_5-7-g542ec8b.
+
+ * po/Makefile.in.in: Remove.
+ * po/Rules-quot: L