summaryrefslogtreecommitdiffstats
path: root/debian/patches-applied
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:22:53 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:22:53 +0000
commitf4b22a2f215f6f80558d9e4075c9de306c8b9953 (patch)
tree05142dd668b11fc304d1c15faa52dee3784f8fa0 /debian/patches-applied
parentAdding upstream version 1.5.2. (diff)
downloadpam-f4b22a2f215f6f80558d9e4075c9de306c8b9953.tar.xz
pam-f4b22a2f215f6f80558d9e4075c9de306c8b9953.zip
Adding debian version 1.5.2-6+deb12u1.debian/1.5.2-6+deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/007_modules_pam_unix524
-rw-r--r--debian/patches-applied/008_modules_pam_limits_chroot132
-rw-r--r--debian/patches-applied/021_nis_cleanup24
-rw-r--r--debian/patches-applied/022_pam_unix_group_time_miscfixes22
-rw-r--r--debian/patches-applied/026_pam_unix_passwd_unknown_user33
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root253
-rw-r--r--debian/patches-applied/031_pam_include72
-rw-r--r--debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL22
-rw-r--r--debian/patches-applied/036_pam_wheel_getlogin_considered_harmful157
-rw-r--r--debian/patches-applied/040_pam_limits_log_failure36
-rw-r--r--debian/patches-applied/045_pam_dispatch_jump_is_ignore34
-rw-r--r--debian/patches-applied/PAM-manpage-section1723
-rw-r--r--debian/patches-applied/do_not_check_nis_accidentally22
-rw-r--r--debian/patches-applied/fix-autoreconf.patch27
-rw-r--r--debian/patches-applied/hurd_no_setfsuid77
-rw-r--r--debian/patches-applied/lib_security_multiarch_compat72
-rw-r--r--debian/patches-applied/make_documentation_reproducible.patch19
-rw-r--r--debian/patches-applied/no_PATH_MAX_on_hurd22
-rw-r--r--debian/patches-applied/nullok_secure-compat.patch27
-rw-r--r--debian/patches-applied/pam-limits-nofile-fd-setsize-cap60
-rw-r--r--debian/patches-applied/pam_mkhomedir_stat_before_opendir25
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch25
-rw-r--r--debian/patches-applied/series24
-rw-r--r--debian/patches-applied/update-motd113
24 files changed, 3545 insertions, 0 deletions
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
new file mode 100644
index 0000000..218379c
--- /dev/null
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -0,0 +1,524 @@
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -95,6 +95,9 @@
+ # endif /* GNU libc 2.1 */
+ #endif
+
++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
++ unsigned int);
++
+ /*
+ How it works:
+ Gets in username (has to be done) from the calling program
+@@ -593,6 +596,11 @@
+ return retval;
+ }
+ }
++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
++ struct passwd *pwd;
++ pwd = pam_modutil_getpwnam(pamh, user);
++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
++ }
+ }
+ if (remark) {
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+@@ -608,7 +616,7 @@
+ int retval;
+ int remember = -1;
+ int rounds = 0;
+- int pass_min_len = 0;
++ int pass_min_len = 6;
+
+ /* <DO NOT free() THESE> */
+ const char *user;
+Index: pam/modules/pam_unix/support.h
+===================================================================
+--- pam.orig/modules/pam_unix/support.h
++++ pam/modules/pam_unix/support.h
+@@ -101,50 +101,52 @@
+ #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
+ #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
+ #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
++#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */
+ /* -------------- */
+-#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
+
+ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ {
+-/* symbol token name ctrl mask ctrl *
+- * --------------------------- -------------------- ------------------------- ---------------- */
++/* symbol token name ctrl mask ctrl *
++ * --------------------------- -------------------- ------------------------- ------------ */
+
+-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
+-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
+-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
+-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
+-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
+-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
+-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
+-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
+-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
+-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
+-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+-/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
+-/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
+-/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
+-/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0},
++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0},
++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0},
++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0},
++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0},
++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0},
++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0},
++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0},
++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0},
++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0},
++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1},
++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0},
++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0},
++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0},
++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0},
++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1},
++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0},
++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0},
++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0},
++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0},
++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1},
++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1},
++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0},
++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1},
++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0},
++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0},
++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0},
++/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1},
++/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1},
++/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1},
++/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0},
++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
+@@ -400,8 +400,81 @@
+ <listitem>
+ <para>
+ Set a minimum password length of <replaceable>n</replaceable>
+- characters. The max. for DES crypt based passwords are 8
+- characters.
++ characters. The default value is 6. The maximum for DES
++ crypt-based passwords is 8 characters.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>obscure</option>
++ </term>
++ <listitem>
++ <para>
++ Enable some extra checks on password strength. These checks
++ are based on the "obscure" checks in the original shadow
++ package. The behavior is similar to the pam_cracklib
++ module, but for non-dictionary-based checks. The following
++ checks are implemented:
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>Palindrome</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password is not a palindrome
++ of (i.e., the reverse of) the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Case Change Only</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't the same as the
++ old one with a change of case.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Similar</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't too much like
++ the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Simple</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password too simple? This is based on
++ the length of the password and the number of
++ different types of characters (alpha, numeric, etc.)
++ used.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Rotated</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password a rotated version of the old
++ password? (E.g., "billy" and "illyb")
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
+ </para>
+ </listitem>
+ </varlistentry>
+Index: pam/modules/pam_unix/obscure.c
+===================================================================
+--- /dev/null
++++ pam/modules/pam_unix/obscure.c
+@@ -0,0 +1,198 @@
++/*
++ * Copyright 1989 - 1994, Julianne Frances Haugh
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <ctype.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdlib.h>
++#include <pwd.h>
++#include <security/pam_modules.h>
++#include <security/_pam_macros.h>
++
++
++#include "support.h"
++
++/* can't be a palindrome - like `R A D A R' or `M A D A M' */
++static int palindrome(const char *old, const char *new) {
++ int i, j;
++
++ i = strlen (new);
++
++ for (j = 0;j < i;j++)
++ if (new[i - j - 1] != new[j])
++ return 0;
++
++ return 1;
++}
++
++/* more than half of the characters are different ones. */
++static int similar(const char *old, const char *new) {
++ int i, j;
++
++ /*
++ * XXX - sometimes this fails when changing from a simple password
++ * to a really long one (MD5). For now, I just return success if
++ * the new password is long enough. Please feel free to suggest
++ * something better... --marekm
++ */
++ if (strlen(new) >= 8)
++ return 0;
++
++ for (i = j = 0; new[i] && old[i]; i++)
++ if (strchr(new, old[i]))
++ j++;
++
++ if (i >= j * 2)
++ return 0;
++
++ return 1;
++}
++
++/* a nice mix of characters. */
++static int simple(const char *old, const char *new) {
++ int digits = 0;
++ int uppers = 0;
++ int lowers = 0;
++ int others = 0;
++ int size;
++ int i;
++
++ for (i = 0;new[i];i++) {
++ if (isdigit (new[i]))
++ digits++;
++ else if (isupper (new[i]))
++ uppers++;
++ else if (islower (new[i]))
++ lowers++;
++ else
++ others++;
++ }
++
++ /*
++ * The scam is this - a password of only one character type
++ * must be 8 letters long. Two types, 7, and so on.
++ */
++
++ size = 9;
++ if (digits) size--;
++ if (uppers) size--;
++ if (lowers) size--;
++ if (others) size--;
++
++ if (size <= i)
++ return 0;
++
++ return 1;
++}
++
++static char *str_lower(char *string) {
++ char *cp;
++
++ for (cp = string; *cp; cp++)
++ *cp = tolower(*cp);
++ return string;
++}
++
++static const char * password_check(const char *old, const char *new,
++ const struct passwd *pwdp) {
++ const char *msg = NULL;
++ char *oldmono, *newmono, *wrapped;
++
++ if (strcmp(new, old) == 0)
++ return _("Bad: new password must be different than the old one");
++
++ newmono = str_lower(strdup(new));
++ oldmono = str_lower(strdup(old));
++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1);
++ strcpy (wrapped, oldmono);
++ strcat (wrapped, oldmono);
++
++ if (palindrome(oldmono, newmono)) {
++ msg = _("Bad: new password cannot be a palindrome");
++ } else if (strcmp(oldmono, newmono) == 0) {
++ msg = _("Bad: new and old password must differ by more than just case");
++ } else if (similar(oldmono, newmono)) {
++ msg = _("Bad: new and old password are too similar");
++ } else if (simple(old, new)) {
++ msg = _("Bad: new password is too simple");
++ } else if (strstr(wrapped, newmono)) {
++ msg = _("Bad: new password is just a wrapped version of the old one");
++ }
++
++ _pam_delete(newmono);
++ _pam_delete(oldmono);
++ _pam_delete(wrapped);
++
++ return msg;
++}
++
++const char *obscure_msg(const char *old, const char *new,
++ const struct passwd *pwdp, unsigned int ctrl) {
++ int oldlen, newlen;
++ char *new1, *old1;
++ const char *msg;
++
++ if (old == NULL)
++ return NULL; /* no check if old is NULL */
++
++ oldlen = strlen(old);
++ newlen = strlen(new);
++
++ /* Remaining checks are optional. */
++ if (off(UNIX_OBSCURE_CHECKS,ctrl))
++ return NULL;
++
++ if ((msg = password_check(old, new, pwdp)) != NULL)
++ return msg;
++
++ /* The traditional crypt() truncates passwords to 8 chars. It is
++ possible to circumvent the above checks by choosing an easy
++ 8-char password and adding some random characters to it...
++ Example: "password$%^&*123". So check it again, this time
++ truncated to the maximum length. Idea from npasswd. --marekm */
++
++ if (!UNIX_DES_CRYPT(ctrl))
++ return NULL; /* unlimited password length */
++
++ if (oldlen <= 8 && newlen <= 8)
++ return NULL;
++
++ new1 = strndup(new,8);
++ old1 = strndup(old,8);
++
++ msg = password_check(old1, new1, pwdp);
++
++ _pam_delete(new1);
++ _pam_delete(old1);
++
++ return msg;
++}
+Index: pam/modules/pam_unix/Makefile.am
+===================================================================
+--- pam.orig/modules/pam_unix/Makefile.am
++++ pam/modules/pam_unix/Makefile.am
+@@ -39,7 +39,7 @@
+
+ pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+
+ bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
+ bigcrypt_CFLAGS = $(AM_CFLAGS)
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
+@@ -216,7 +216,38 @@
+ .RS 4
+ Set a minimum password length of
+ \fIn\fR
+-characters\&. The max\&. for DES crypt based passwords are 8 characters\&.
++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&.
++.RE
++.PP
++\fBobscure\fR
++.RS 4
++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented:
++.PP
++\fBPalindrome\fR
++.RS 4
++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&.
++.RE
++.PP
++\fBCase Change Only\fR
++.RS 4
++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&.
++.RE
++.PP
++\fBSimilar\fR
++.RS 4
++Verifies that the new password isn\*(Aqt too much like the previous one\&.
++.RE
++.PP
++\fBSimple\fR
++.RS 4
++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&.
++.RE
++.PP
++\fBRotated\fR
++.RS 4
++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb")
++.RE
++.sp
+ .RE
+ .PP
+ \fBno_pass_expiry\fR
+Index: pam/modules/pam_unix/README
+===================================================================
+--- pam.orig/modules/pam_unix/README
++++ pam/modules/pam_unix/README
+@@ -171,8 +171,40 @@
+
+ minlen=n
+
+- Set a minimum password length of n characters. The max. for DES crypt based
+- passwords are 8 characters.
++ Set a minimum password length of n characters. The default value is 6. The
++ maximum for DES crypt-based passwords is 8 characters.
++
++obscure
++
++ Enable some extra checks on password strength. These checks are based on
++ the "obscure" checks in the original shadow package. The behavior is
++ similar to the pam_cracklib module, but for non-dictionary-based checks.
++ The following checks are implemented:
++
++ Palindrome
++
++ Verifies that the new password is not a palindrome of (i.e., the
++ reverse of) the previous one.
++
++ Case Change Only
++
++ Verifies that the new password isn't the same as the old one with a
++ change of case.
++
++ Similar
++
++ Verifies that the new password isn't too much like the previous one.
++
++ Simple
++
++ Is the new password too simple? This is based on the length of the
++ password and the number of different types of characters (alpha,
++ numeric, etc.) used.
++
++ Rotated
++
++ Is the new password a rotated version of the old password? (E.g.,
++ "billy" and "illyb")
+
+ no_pass_expiry
+
diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot
new file mode 100644
index 0000000..7a86fdd
--- /dev/null
+++ b/debian/patches-applied/008_modules_pam_limits_chroot
@@ -0,0 +1,132 @@
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -90,6 +90,7 @@
+ specific user or to count all logins */
+ int priority; /* the priority to run user process with */
+ int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */
++ char chroot_dir[8092]; /* directory to chroot into */
+ struct user_limits_struct limits[RLIM_NLIMITS];
+ const char *conf_file;
+ int utmp_after_pam_call;
+@@ -101,6 +102,7 @@
+
+ #define LIMIT_PRI RLIM_NLIMITS+3
+ #define LIMIT_NONEWPRIVS RLIM_NLIMITS+4
++#define LIMIT_CHROOT RLIM_NLIMITS+5
+
+ #define LIMIT_SOFT 1
+ #define LIMIT_HARD 2
+@@ -484,6 +486,8 @@
+ pl->login_limit = -2;
+ pl->login_limit_def = LIMITS_DEF_NONE;
+
++ pl->chroot_dir[0] = '\0';
++
+ return retval;
+ }
+
+@@ -591,6 +595,8 @@
+ limit_item = LIMIT_PRI;
+ } else if (strcmp(lim_item, "nonewprivs") == 0) {
+ limit_item = LIMIT_NONEWPRIVS;
++ } else if (strcmp(lim_item, "chroot") == 0) {
++ limit_item = LIMIT_CHROOT;
+ } else {
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
+ return;
+@@ -640,9 +646,9 @@
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong limit value '%s' for limit type '%s'",
+ lim_value, lim_type);
+- return;
++ return;
+ }
+- } else {
++ } else if (limit_item != LIMIT_CHROOT) {
+ #ifdef __USE_FILE_OFFSET64
+ rlimit_value = strtoull (lim_value, &endptr, 10);
+ #else
+@@ -717,7 +723,11 @@
+ break;
+ }
+
+- if ( (limit_item != LIMIT_LOGIN)
++ if (limit_item == LIMIT_CHROOT) {
++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1);
++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0';
++ }
++ else if ( (limit_item != LIMIT_LOGIN)
+ && (limit_item != LIMIT_NUMSYSLOGINS)
+ && (limit_item != LIMIT_PRI)
+ && (limit_item != LIMIT_NONEWPRIVS) ) {
+@@ -1071,6 +1081,15 @@
+ }
+ }
+
++ if (!retval && pl->chroot_dir[0]) {
++ i = chdir(pl->chroot_dir);
++ if (i == 0)
++ i = chroot(pl->chroot_dir);
++ if (i == 0)
++ i = chdir("/");
++ if (i != 0)
++ retval = LIMIT_ERR;
++ }
+ return retval;
+ }
+
+Index: pam/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5.xml
++++ pam/modules/pam_limits/limits.conf.5.xml
+@@ -273,6 +273,12 @@
+ (Linux 2.6.12 and higher)</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term><option>chroot</option></term>
++ <listitem>
++ <para>the directory to chroot the user to</para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+Index: pam/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5
++++ pam/modules/pam_limits/limits.conf.5
+@@ -279,6 +279,11 @@
+ .RS 4
+ maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
+ .RE
++.PP
++\fBchroot\fR
++.RS 4
++the directory to chroot the user to
++.RE
+ .RE
+ .PP
+ All items support the values
+Index: pam/modules/pam_limits/limits.conf
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf
++++ pam/modules/pam_limits/limits.conf
+@@ -46,6 +46,7 @@
+ # - msgqueue - max memory used by POSIX message queues (bytes)
+ # - nice - max nice priority allowed to raise to values: [-20, 19]
+ # - rtprio - max realtime priority
++# - chroot - change root to directory (Debian-specific)
+ #
+ #<domain> <type> <item> <value>
+ #
+@@ -56,6 +57,7 @@
+ #@faculty soft nproc 20
+ #@faculty hard nproc 50
+ #ftp hard nproc 0
++#ftp - chroot /ftp
+ #@student - maxlogins 4
+
+ # End of file
diff --git a/debian/patches-applied/021_nis_cleanup b/debian/patches-applied/021_nis_cleanup
new file mode 100644
index 0000000..f05c710
--- /dev/null
+++ b/debian/patches-applied/021_nis_cleanup
@@ -0,0 +1,24 @@
+Patch from Philippe Troin <phil@fifi.org>
+
+Originally this included a bunch of changes to locking, but the more
+recent code pulled from Linux_pam CVS seems to fix that issue.
+
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -708,9 +708,12 @@
+ "password - (old) token not obtained");
+ return retval;
+ }
+- /* verify that this is the password for this user */
++ /* verify that this is the password for this user
++ * if we're not using NIS */
+
+- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ if (off(UNIX_NIS, ctrl)) {
++ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ }
+ } else {
+ D(("process run by root so do nothing this time around"));
+ pass_old = NULL;
diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes
new file mode 100644
index 0000000..8239fd9
--- /dev/null
+++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes
@@ -0,0 +1,22 @@
+Description: handle the case of flags being empty or only PAM_SILENT, which is
+ documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
+ http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
+
+Index: pam/modules/pam_group/pam_group.c
+===================================================================
+--- pam.orig/modules/pam_group/pam_group.c
++++ pam/modules/pam_group/pam_group.c
+@@ -754,9 +754,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user
new file mode 100644
index 0000000..d277fee
--- /dev/null
+++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user
@@ -0,0 +1,33 @@
+Description: distinguish between password manipulation failure and missing user.
+Author: Martin Schwenke <martin@meltin.net>
+
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -801,7 +801,7 @@
+ struct passwd *tmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ char *prev_context_raw = NULL;
+@@ -872,6 +872,7 @@
+
+ tmpent->pw_passwd = assigned_passwd.charp;
+ err = 0;
++ found = 1;
+ }
+ if (putpwent(tmpent, pwfile)) {
+ D(("error writing entry to password file: %m"));
+@@ -914,7 +915,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(PW_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
new file mode 100644
index 0000000..c4603f5
--- /dev/null
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -0,0 +1,253 @@
+Description: Allow explicit limits for root and reset limits on each session
+ When crossing session boundaries (such as when su'ing from one user to
+ another), if the target account has no limit specified in limits.conf we
+ want to use the default, not the current value configured for the
+ source account.
+ .
+ If /proc/1/limits is unavailable, fall back to a set of hard-coded values
+ that shadow the currently known defaults on Linux.
+ .
+ Also, don't apply wildcard limits to the root account; only apply limits to
+ root that reference root by name.
+Author: Peter Paluch <peterp@frcatel.fri.utc.sk>,
+ Ben Collins <bcollins@debian.org>,
+ Steve Langasek <vorlon@debian.org>,
+Bug-Debian: http://bugs.debian.org/63230
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -47,6 +47,14 @@
+ #include <libaudit.h>
+ #endif
+
++#ifndef MLOCK_LIMIT
++#ifdef __FreeBSD_kernel__
++#define MLOCK_LIMIT RLIM_INFINITY
++#else
++#define MLOCK_LIMIT (64*1024)
++#endif
++#endif
++
+ /* Module defines */
+ #define LINE_LENGTH 1024
+
+@@ -84,6 +92,7 @@
+
+ /* internal data */
+ struct pam_limit_s {
++ int root; /* running as root? */
+ int login_limit; /* the max logins limit */
+ int login_limit_def; /* which entry set the login limit */
+ int flag_numsyslogins; /* whether to limit logins only for a
+@@ -447,9 +456,18 @@
+ {
+ int i;
+ int retval = PAM_SUCCESS;
++ static int mlock_limit = 0;
+
+ D(("called."));
+
++ pl->root = 0;
++
++ if (mlock_limit == 0) {
++ mlock_limit = sysconf(_SC_PAGESIZE);
++ if (mlock_limit < MLOCK_LIMIT)
++ mlock_limit = MLOCK_LIMIT;
++ }
++
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ int r = getrlimit(i, &pl->limits[i].limit);
+ if (r == -1) {
+@@ -465,18 +483,68 @@
+ }
+
+ #ifdef __linux__
+- if (ctrl & PAM_SET_ALL) {
+- parse_kernel_limits(pamh, pl, ctrl);
++ parse_kernel_limits(pamh, pl, ctrl);
++#endif
+
+- for(i = 0; i < RLIM_NLIMITS; i++) {
++ for(i = 0; i < RLIM_NLIMITS; i++) {
+ if (pl->limits[i].supported &&
+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#ifdef __linux__
++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
++#endif
++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT;
++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT;
++ switch(i) {
++ case RLIMIT_CPU:
++ case RLIMIT_FSIZE:
++ case RLIMIT_DATA:
++ case RLIMIT_RSS:
++ case RLIMIT_NPROC:
++#ifdef RLIMIT_AS
++ case RLIMIT_AS:
++#endif
++#ifdef RLIMIT_LOCKS
++ case RLIMIT_LOCKS:
++#endif
++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_MEMLOCK:
++ pl->limits[i].limit.rlim_cur = mlock_limit;
++ pl->limits[i].limit.rlim_max = mlock_limit;
++ break;
++#ifdef RLIMIT_SIGPENDING
++ case RLIMIT_SIGPENDING:
++ pl->limits[i].limit.rlim_cur = 16382;
++ pl->limits[i].limit.rlim_max = 16382;
++ break;
++#endif
++#ifdef RLIMIT_MSGQUEUE
++ case RLIMIT_MSGQUEUE:
++ pl->limits[i].limit.rlim_cur = 819200;
++ pl->limits[i].limit.rlim_max = 819200;
++ break;
++#endif
++ case RLIMIT_CORE:
++ pl->limits[i].limit.rlim_cur = 0;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_STACK:
++ pl->limits[i].limit.rlim_cur = 8192*1024;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_NOFILE:
++ pl->limits[i].limit.rlim_cur = 1024;
++ pl->limits[i].limit.rlim_max = 1024;
++ break;
++ default:
++ pl->limits[i].src_soft = LIMITS_DEF_NONE;
++ pl->limits[i].src_hard = LIMITS_DEF_NONE;
++ break;
++ }
+ }
+- }
+ }
+-#endif
+
+ errno = 0;
+ pl->priority = getpriority (PRIO_PROCESS, 0);
+@@ -881,7 +949,7 @@
+
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+- else if (domain[0]=='@') {
++ else if (domain[0]=='@' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -907,7 +975,7 @@
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+ }
+- } else if (domain[0]=='%') {
++ } else if (domain[0]=='%' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -941,7 +1009,7 @@
+ } else {
+ switch(rngtype) {
+ case LIMIT_RANGE_NONE:
+- if (strcmp(domain, "*") == 0)
++ if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ pl);
+ break;
+@@ -1134,6 +1202,8 @@
+ return PAM_ABORT;
+ }
+
++ if (pwd->pw_uid == 0)
++ pl->root = 1;
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
+ if (retval == PAM_IGNORE) {
+ D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
+Index: pam/modules/pam_limits/limits.conf
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf
++++ pam/modules/pam_limits/limits.conf
+@@ -22,6 +22,9 @@
+ # - the wildcard *, for default entry
+ # - the wildcard %, can be also used with %group syntax,
+ # for maxlogin limit
++# - NOTE: group and wildcard limits are not applied to root.
++# To apply a limit to the root user, <domain> must be
++# the literal username root.
+ #
+ #<type> can have the two values:
+ # - "soft" for enforcing the soft limits
+@@ -52,6 +55,7 @@
+ #
+
+ #* soft core 0
++#root hard core 100000
+ #* hard rss 10000
+ #@student hard nproc 20
+ #@faculty soft nproc 20
+Index: pam/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5.xml
++++ pam/modules/pam_limits/limits.conf.5.xml
+@@ -96,6 +96,11 @@
+ </para>
+ </listitem>
+ </itemizedlist>
++ <para>
++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
++ applied to the root user. To set a limit for the root user, this field
++ must contain the literal username <emphasis remap='B'>root</emphasis>.
++ </para>
+ </listitem>
+ </varlistentry>
+
+@@ -333,6 +338,7 @@
+ </para>
+ <programlisting>
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5
++++ pam/modules/pam_limits/limits.conf.5
+@@ -145,6 +145,10 @@
+ \fB%:\fR\fI<gid>\fR
+ applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&.
+ .RE
++.sp
++\fBNOTE:\fR
++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username
++\fBroot\fR\&.
+ .RE
+ .PP
+ \fB<type>\fR
+@@ -327,6 +331,7 @@
+ .\}
+ .nf
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+Index: pam/modules/pam_limits/README
+===================================================================
+--- pam.orig/modules/pam_limits/README
++++ pam/modules/pam_limits/README
+@@ -56,6 +56,7 @@
+ limits.conf.
+
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include
new file mode 100644
index 0000000..16cf6d3
--- /dev/null
+++ b/debian/patches-applied/031_pam_include
@@ -0,0 +1,72 @@
+Patch to implement an @include directive for use in pam.d config files.
+
+Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
+
+Upstream status: not yet submitted
+
+Index: pam/libpam/pam_handlers.c
+===================================================================
+--- pam.orig/libpam/pam_handlers.c
++++ pam/libpam/pam_handlers.c
+@@ -123,6 +123,10 @@
+ module_type = PAM_T_ACCT;
+ } else if (!strcasecmp("password", tok)) {
+ module_type = PAM_T_PASS;
++ } else if (!strcasecmp("@include", tok)) {
++ pam_include = 1;
++ module_type = requested_module_type;
++ goto parsing_done;
+ } else {
+ /* Illegal module type */
+ D(("_pam_init_handlers: bad module type: %s", tok));
+@@ -193,8 +197,10 @@
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ }
+
++parsing_done:
+ tok = _pam_StrTok(NULL, " \n\t", &nexttok);
+ if (pam_include) {
++ struct stat include_dir;
+ if (substack) {
+ res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+ stack_level, module_type, actions, tok,
+@@ -205,13 +211,35 @@
+ return PAM_ABORT;
+ }
+ }
+- if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+- stack_level + substack
++ if (tok[0] == '/') {
++ if (_pam_load_conf_file(pamh, tok, this_service,
++ module_type, stack_level + substack
++#ifdef PAM_READ_BOTH_CONFS
++ , !other
++#endif /* PAM_READ_BOTH_CONFS */
++ ) == PAM_SUCCESS)
++ continue;
++ }
++ else if (!stat(PAM_CONFIG_D, &include_dir)
++ && S_ISDIR(include_dir.st_mode))
++ {
++ char *include_file;
++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) {
++ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
++ return PAM_ABORT;
++ }
++ if (_pam_load_conf_file(pamh, include_file, this_service,
++ module_type, stack_level + substack
+ #ifdef PAM_READ_BOTH_CONFS
+ , !other
+ #endif /* PAM_READ_BOTH_CONFS */
+- ) == PAM_SUCCESS)
+- continue;
++ ) == PAM_SUCCESS)
++ {
++ free(include_file);
++ continue;
++ }
++ free(include_file);
++ }
+ _pam_set_default_control(actions, _PAM_ACTION_BAD);
+ mod_path = NULL;
+ handler_type = PAM_HT_MUST_FAIL;
diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
new file mode 100644
index 0000000..ec97b44
--- /dev/null
+++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL
@@ -0,0 +1,22 @@
+setrlimit will sometimes return EPERM for example if you try to increase the
+number of open files too much. This is not something we want to consider
+fatal. This also happens if you use non-root and try to decrease a limit.
+Running PAM as non-root is not so great.
+
+Authors: ?
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -1111,6 +1111,8 @@
+ if (res != 0)
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+ rlimit2str(i));
++ if (res == -1 && errno == EPERM)
++ continue;
+ status |= res;
+ }
+
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
new file mode 100644
index 0000000..805c62f
--- /dev/null
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,157 @@
+Patch for Debian bug #163787 et al
+
+Always use the process uid, not getlogin(), to identify an applicant in
+pam_wheel; utmp may be wrong or may have no entry at all in the case of
+an xterm
+
+Authors: Ben Collins <bcollins@debian.org>
+
+Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
+
+Index: pam/modules/pam_wheel/pam_wheel.c
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.c
++++ pam/modules/pam_wheel/pam_wheel.c
+@@ -47,9 +47,8 @@
+ /* argument parsing */
+
+ #define PAM_DEBUG_ARG 0x0001
+-#define PAM_USE_UID_ARG 0x0002
+-#define PAM_TRUST_ARG 0x0004
+-#define PAM_DENY_ARG 0x0010
++#define PAM_TRUST_ARG 0x0002
++#define PAM_DENY_ARG 0x0004
+ #define PAM_ROOT_ONLY_ARG 0x0020
+
+ static int
+@@ -68,8 +67,7 @@
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+- else if (!strcmp(*argv,"use_uid"))
+- ctrl |= PAM_USE_UID_ARG;
++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
+ else if (!strcmp(*argv,"trust"))
+ ctrl |= PAM_TRUST_ARG;
+ else if (!strcmp(*argv,"deny"))
+@@ -118,39 +116,14 @@
+ }
+ }
+
+- if (ctrl & PAM_USE_UID_ARG) {
+- tpwd = pam_modutil_getpwuid (pamh, getuid());
+- if (tpwd == NULL) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
+- fromsu = tpwd->pw_name;
+- } else {
+- fromsu = pam_modutil_getlogin(pamh);
+-
+- /* if getlogin fails try a fallback to PAM_RUSER */
+- if (fromsu == NULL) {
+- const char *rhostname;
+-
+- retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
+- if (retval != PAM_SUCCESS || rhostname == NULL) {
+- retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
+- }
+- }
+-
+- if (fromsu != NULL) {
+- tpwd = pam_modutil_getpwnam (pamh, fromsu);
+- }
+-
+- if (fromsu == NULL || tpwd == NULL) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
++ tpwd = pam_modutil_getpwuid (pamh, getuid());
++ if (tpwd == NULL) {
++ if (ctrl & PAM_DEBUG_ARG) {
++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
++ return PAM_SERVICE_ERR;
+ }
++ fromsu = tpwd->pw_name;
+
+ /*
+ * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
+Index: pam/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam/modules/pam_wheel/pam_wheel.8.xml
+@@ -33,9 +33,6 @@
+ <arg choice="opt">
+ trust
+ </arg>
+- <arg choice="opt">
+- use_uid
+- </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -116,18 +113,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>
+- <option>use_uid</option>
+- </term>
+- <listitem>
+- <para>
+- The check will be done against the real uid of the calling process,
+- instead of trying to obtain the user from the login session
+- associated with the terminal in use.
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: pam/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8
++++ pam/modules/pam_wheel/pam_wheel.8
+@@ -31,7 +31,7 @@
+ pam_wheel \- Only permit root access to members of group wheel
+ .SH "SYNOPSIS"
+ .HP \w'\fBpam_wheel\&.so\fR\ 'u
+-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
+ .SH "DESCRIPTION"
+ .PP
+ The pam_wheel PAM module is used to enforce the so\-called
+@@ -72,11 +72,6 @@
+ .RS 4
+ The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
+ .RE
+-.PP
+-\fBuse_uid\fR
+-.RS 4
+-The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&.
+-.RE
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+ The
+Index: pam/modules/pam_wheel/README
+===================================================================
+--- pam.orig/modules/pam_wheel/README
++++ pam/modules/pam_wheel/README
+@@ -39,12 +39,6 @@
+ modules the wheel members may be able to su to root without being prompted
+ for a passwd).
+
+-use_uid
+-
+- The check will be done against the real uid of the calling process, instead
+- of trying to obtain the user from the login session associated with the
+- terminal in use.
+-
+ EXAMPLES
+
+ The root account gains access by default (rootok), only wheel members can
diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure
new file mode 100644
index 0000000..0ef703b
--- /dev/null
+++ b/debian/patches-applied/040_pam_limits_log_failure
@@ -0,0 +1,36 @@
+Patch for Debian bug #180310
+
+Generate some (low-severity) log information whenever setrlimit() fails,
+for debugging purposes.
+
+Authors: Sam Hartman <hartmans@debian.org>
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -1108,9 +1108,19 @@
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
+ res = setrlimit(i, &pl->limits[i].limit);
+- if (res != 0)
+- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+- rlimit2str(i));
++ if (res != 0 && (i != RLIMIT_NOFILE
++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY))
++ {
++ int save_errno = errno;
++ pam_syslog(pamh, LOG_DEBUG,
++ "Could not set limit for '%s' to soft=%d, hard=%d:"
++ " %m; uid=%lu,euid=%lu", rlimit2str(i),
++ pl->limits[i].limit.rlim_cur,
++ pl->limits[i].limit.rlim_max,
++ (unsigned long) getuid(),
++ (unsigned long) geteuid());
++ errno = save_errno;
++ }
+ if (res == -1 && errno == EPERM)
+ continue;
+ status |= res;
diff --git a/debian/patches-applied/045_pam_dispatch_jump_is_ignore b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
new file mode 100644
index 0000000..e19a545
--- /dev/null
+++ b/debian/patches-applied/045_pam_dispatch_jump_is_ignore
@@ -0,0 +1,34 @@
+
+Previously jumps were treated as PAM_IGNORE in the freezing part of
+the chain and PAM_OK (aka required) in the frozen part of the chain.
+No one on pam-list was able to explain this behavior, so I changed it
+to be consistent.
+
+Index: pam/libpam/pam_dispatch.c
+===================================================================
+--- pam.orig/libpam/pam_dispatch.c
++++ pam/libpam/pam_dispatch.c
+@@ -260,22 +260,7 @@
+ if ( _PAM_ACTION_IS_JUMP(action) ) {
+
+ /* If we are evaluating a cached chain, we treat this
+- module as required (aka _PAM_ACTION_OK) as well as
+- executing the jump. */
+-
+- if (use_cached_chain) {
+- if (impression == _PAM_UNDEF
+- || (impression == _PAM_POSITIVE
+- && status == PAM_SUCCESS) ) {
+- if ( retval != PAM_IGNORE || cached_retval == retval ) {
+- if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
+- h->grantor = 1;
+- }
+- impression = _PAM_POSITIVE;
+- status = retval;
+- }
+- }
+- }
++ module as ignored as well as executing the jump. */
+
+ /* this means that we need to skip #action stacked modules */
+ while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section
new file mode 100644
index 0000000..7cdadad
--- /dev/null
+++ b/debian/patches-applied/PAM-manpage-section
@@ -0,0 +1,1723 @@
+Patch to put the PAM manpage in section 7 (general topics) instead of 8
+(system administration commands)
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: maybe provide a backwards-compatibility link first?
+
+Index: pam/doc/man/pam.8.xml
+===================================================================
+--- pam.orig/doc/man/pam.8.xml
++++ pam/doc/man/pam.8.xml
+@@ -6,7 +6,7 @@
+
+ <refmeta>
+ <refentrytitle>pam</refentrytitle>
+- <manvolnum>8</manvolnum>
++ <manvolnum>7</manvolnum>
+ <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+@@ -209,7 +209,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>PAM</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/PAM.8
+===================================================================
+--- pam.orig/doc/man/PAM.8
++++ pam/doc/man/PAM.8
+@@ -7,7 +7,7 @@
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM" "7" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -146,4 +146,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_sm_setcred\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBPAM\fR(8)
++\fBPAM\fR(7)
+Index: pam/modules/pam_access/access.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_access/access.conf.5.xml
++++ pam/modules/pam_access/access.conf.5.xml
+@@ -233,7 +233,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_access/access.conf.5
+===================================================================
+--- pam.orig/modules/pam_access/access.conf.5
++++ pam/modules/pam_access/access.conf.5
+@@ -210,7 +210,7 @@
+ .PP
+ \fBpam_access\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ Original
+Index: pam/modules/pam_env/pam_env.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.conf.5.xml
++++ pam/modules/pam_env/pam_env.conf.5.xml
+@@ -122,7 +122,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_env/pam_env.conf.5
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.conf.5
++++ pam/modules/pam_env/pam_env.conf.5
+@@ -125,7 +125,7 @@
+ .PP
+ \fBpam_env\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBenviron\fR(7)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_group/group.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_group/group.conf.5.xml
++++ pam/modules/pam_group/group.conf.5.xml
+@@ -134,7 +134,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_group/group.conf.5
+===================================================================
+--- pam.orig/modules/pam_group/group.conf.5
++++ pam/modules/pam_group/group.conf.5
+@@ -115,7 +115,7 @@
+ .PP
+ \fBpam_group\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5.xml
++++ pam/modules/pam_limits/limits.conf.5.xml
+@@ -357,7 +357,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
+ </para>
+Index: pam/modules/pam_limits/limits.conf.5
+===================================================================
+--- pam.orig/modules/pam_limits/limits.conf.5
++++ pam/modules/pam_limits/limits.conf.5
+@@ -351,7 +351,7 @@
+ .PP
+ \fBpam_limits\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBgetrlimit\fR(2),
+ \fBgetrlimit\fR(3p)
+ .SH "AUTHOR"
+Index: pam/modules/pam_namespace/namespace.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_namespace/namespace.conf.5.xml
++++ pam/modules/pam_namespace/namespace.conf.5.xml
+@@ -209,7 +209,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_namespace/namespace.conf.5
+===================================================================
+--- pam.orig/modules/pam_namespace/namespace.conf.5
++++ pam/modules/pam_namespace/namespace.conf.5
+@@ -162,7 +162,7 @@
+ .PP
+ \fBpam_namespace\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam/modules/pam_time/time.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_time/time.conf.5.xml
++++ pam/modules/pam_time/time.conf.5.xml
+@@ -136,7 +136,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+Index: pam/modules/pam_time/time.conf.5
+===================================================================
+--- pam.orig/modules/pam_time/time.conf.5
++++ pam/modules/pam_time/time.conf.5
+@@ -109,7 +109,7 @@
+ .PP
+ \fBpam_time\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_access/pam_access.8.xml
+===================================================================
+--- pam.orig/modules/pam_access/pam_access.8.xml
++++ pam/modules/pam_access/pam_access.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_access/pam_access.8
+===================================================================
+--- pam.orig/modules/pam_access/pam_access.8
++++ pam/modules/pam_access/pam_access.8
+@@ -133,7 +133,7 @@
+ .PP
+ \fBaccess.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&.
+Index: pam/modules/pam_debug/pam_debug.8.xml
+===================================================================
+--- pam.orig/modules/pam_debug/pam_debug.8.xml
++++ pam/modules/pam_debug/pam_debug.8.xml
+@@ -216,7 +216,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_debug/pam_debug.8
+===================================================================
+--- pam.orig/modules/pam_debug/pam_debug.8
++++ pam/modules/pam_debug/pam_debug.8
+@@ -138,7 +138,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_deny/pam_deny.8.xml
+===================================================================
+--- pam.orig/modules/pam_deny/pam_deny.8.xml
++++ pam/modules/pam_deny/pam_deny.8.xml
+@@ -120,7 +120,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_deny/pam_deny.8
+===================================================================
+--- pam.orig/modules/pam_deny/pam_deny.8
++++ pam/modules/pam_deny/pam_deny.8
+@@ -96,7 +96,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org>
+Index: pam/modules/pam_echo/pam_echo.8.xml
+===================================================================
+--- pam.orig/modules/pam_echo/pam_echo.8.xml
++++ pam/modules/pam_echo/pam_echo.8.xml
+@@ -159,7 +159,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry></para>
+ </refsect1>
+
+Index: pam/modules/pam_echo/pam_echo.8
+===================================================================
+--- pam.orig/modules/pam_echo/pam_echo.8
++++ pam/modules/pam_echo/pam_echo.8
+@@ -126,7 +126,7 @@
+ .PP
+ \fBpam.conf\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam/modules/pam_env/pam_env.8.xml
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.8.xml
++++ pam/modules/pam_env/pam_env.8.xml
+@@ -254,7 +254,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum>
+Index: pam/modules/pam_exec/pam_exec.8.xml
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8.xml
++++ pam/modules/pam_exec/pam_exec.8.xml
+@@ -303,7 +303,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_exec/pam_exec.8
+===================================================================
+--- pam.orig/modules/pam_exec/pam_exec.8
++++ pam/modules/pam_exec/pam_exec.8
+@@ -182,7 +182,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&.
+Index: pam/modules/pam_faildelay/pam_faildelay.8.xml
+===================================================================
+--- pam.orig/modules/pam_faildelay/pam_faildelay.8.xml
++++ pam/modules/pam_faildelay/pam_faildelay.8.xml
+@@ -121,7 +121,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_faildelay/pam_faildelay.8
+===================================================================
+--- pam.orig/modules/pam_faildelay/pam_faildelay.8
++++ pam/modules/pam_faildelay/pam_faildelay.8
+@@ -87,7 +87,7 @@
+ \fBpam_fail_delay\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&.
+Index: pam/modules/pam_filter/pam_filter.8.xml
+===================================================================
+--- pam.orig/modules/pam_filter/pam_filter.8.xml
++++ pam/modules/pam_filter/pam_filter.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_filter/pam_filter.8
+===================================================================
+--- pam.orig/modules/pam_filter/pam_filter.8
++++ pam/modules/pam_filter/pam_filter.8
+@@ -166,7 +166,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_ftp/pam_ftp.8.xml
+===================================================================
+--- pam.orig/modules/pam_ftp/pam_ftp.8.xml
++++ pam/modules/pam_ftp/pam_ftp.8.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_ftp/pam_ftp.8
+===================================================================
+--- pam.orig/modules/pam_ftp/pam_ftp.8
++++ pam/modules/pam_ftp/pam_ftp.8
+@@ -119,7 +119,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_group/pam_group.8.xml
+===================================================================
+--- pam.orig/modules/pam_group/pam_group.8.xml
++++ pam/modules/pam_group/pam_group.8.xml
+@@ -148,7 +148,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_group/pam_group.8
+===================================================================
+--- pam.orig/modules/pam_group/pam_group.8
++++ pam/modules/pam_group/pam_group.8
+@@ -103,7 +103,7 @@
+ .PP
+ \fBgroup.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_issue/pam_issue.8.xml
+===================================================================
+--- pam.orig/modules/pam_issue/pam_issue.8.xml
++++ pam/modules/pam_issue/pam_issue.8.xml
+@@ -219,7 +219,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_issue/pam_issue.8
+===================================================================
+--- pam.orig/modules/pam_issue/pam_issue.8
++++ pam/modules/pam_issue/pam_issue.8
+@@ -152,7 +152,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_issue was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam/modules/pam_keyinit/pam_keyinit.8.xml
+===================================================================
+--- pam.orig/modules/pam_keyinit/pam_keyinit.8.xml
++++ pam/modules/pam_keyinit/pam_keyinit.8.xml
+@@ -232,7 +232,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
+Index: pam/modules/pam_keyinit/pam_keyinit.8
+===================================================================
+--- pam.orig/modules/pam_keyinit/pam_keyinit.8
++++ pam/modules/pam_keyinit/pam_keyinit.8
+@@ -137,7 +137,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBkeyctl\fR(1)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_lastlog/pam_lastlog.8.xml
+===================================================================
+--- pam.orig/modules/pam_lastlog/pam_lastlog.8.xml
++++ pam/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -325,7 +325,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_lastlog/pam_lastlog.8
+===================================================================
+--- pam.orig/modules/pam_lastlog/pam_lastlog.8
++++ pam/modules/pam_lastlog/pam_lastlog.8
+@@ -189,7 +189,7 @@
+ \fBlimits.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_limits/pam_limits.8.xml
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.8.xml
++++ pam/modules/pam_limits/pam_limits.8.xml
+@@ -243,7 +243,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_limits/pam_limits.8
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.8
++++ pam/modules/pam_limits/pam_limits.8
+@@ -146,7 +146,7 @@
+ .PP
+ \fBlimits.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com>
+Index: pam/modules/pam_listfile/pam_listfile.8.xml
+===================================================================
+--- pam.orig/modules/pam_listfile/pam_listfile.8.xml
++++ pam/modules/pam_listfile/pam_listfile.8.xml
+@@ -281,7 +281,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_listfile/pam_listfile.8
+===================================================================
+--- pam.orig/modules/pam_listfile/pam_listfile.8
++++ pam/modules/pam_listfile/pam_listfile.8
+@@ -205,7 +205,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam/modules/pam_localuser/pam_localuser.8.xml
+===================================================================
+--- pam.orig/modules/pam_localuser/pam_localuser.8.xml
++++ pam/modules/pam_localuser/pam_localuser.8.xml
+@@ -187,7 +187,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_localuser/pam_localuser.8
+===================================================================
+--- pam.orig/modules/pam_localuser/pam_localuser.8
++++ pam/modules/pam_localuser/pam_localuser.8
+@@ -117,7 +117,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&.
+Index: pam/modules/pam_loginuid/pam_loginuid.8.xml
+===================================================================
+--- pam.orig/modules/pam_loginuid/pam_loginuid.8.xml
++++ pam/modules/pam_loginuid/pam_loginuid.8.xml
+@@ -121,7 +121,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
+Index: pam/modules/pam_loginuid/pam_loginuid.8
+===================================================================
+--- pam.orig/modules/pam_loginuid/pam_loginuid.8
++++ pam/modules/pam_loginuid/pam_loginuid.8
+@@ -85,7 +85,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBauditctl\fR(8),
+ \fBauditd\fR(8)
+ .SH "AUTHOR"
+Index: pam/modules/pam_mail/pam_mail.8.xml
+===================================================================
+--- pam.orig/modules/pam_mail/pam_mail.8.xml
++++ pam/modules/pam_mail/pam_mail.8.xml
+@@ -265,7 +265,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_mail/pam_mail.8
+===================================================================
+--- pam.orig/modules/pam_mail/pam_mail.8
++++ pam/modules/pam_mail/pam_mail.8
+@@ -153,7 +153,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml
++++ pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+@@ -205,7 +205,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8
++++ pam/modules/pam_mkhomedir/pam_mkhomedir.8
+@@ -129,7 +129,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&.
+Index: pam/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8.xml
++++ pam/modules/pam_motd/pam_motd.8.xml
+@@ -196,7 +196,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8
++++ pam/modules/pam_motd/pam_motd.8
+@@ -185,7 +185,7 @@
+ \fBmotd\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_motd was written by Ben Collins <bcollins@debian\&.org>\&.
+Index: pam/modules/pam_namespace/pam_namespace.8.xml
+===================================================================
+--- pam.orig/modules/pam_namespace/pam_namespace.8.xml
++++ pam/modules/pam_namespace/pam_namespace.8.xml
+@@ -362,7 +362,7 @@
+ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_namespace/pam_namespace.8
+===================================================================
+--- pam.orig/modules/pam_namespace/pam_namespace.8
++++ pam/modules/pam_namespace/pam_namespace.8
+@@ -148,7 +148,7 @@
+ \fBnamespace.conf\fR(5),
+ \fBpam.d\fR(5),
+ \fBmount\fR(8),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&.
+Index: pam/modules/pam_nologin/pam_nologin.8.xml
+===================================================================
+--- pam.orig/modules/pam_nologin/pam_nologin.8.xml
++++ pam/modules/pam_nologin/pam_nologin.8.xml
+@@ -160,7 +160,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_nologin/pam_nologin.8
+===================================================================
+--- pam.orig/modules/pam_nologin/pam_nologin.8
++++ pam/modules/pam_nologin/pam_nologin.8
+@@ -124,7 +124,7 @@
+ \fBnologin\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam/modules/pam_permit/pam_permit.8.xml
+===================================================================
+--- pam.orig/modules/pam_permit/pam_permit.8.xml
++++ pam/modules/pam_permit/pam_permit.8.xml
+@@ -91,7 +91,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_permit/pam_permit.8
+===================================================================
+--- pam.orig/modules/pam_permit/pam_permit.8
++++ pam/modules/pam_permit/pam_permit.8
+@@ -78,7 +78,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_rhosts/pam_rhosts.8.xml
+===================================================================
+--- pam.orig/modules/pam_rhosts/pam_rhosts.8.xml
++++ pam/modules/pam_rhosts/pam_rhosts.8.xml
+@@ -156,7 +156,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_rhosts/pam_rhosts.8
+===================================================================
+--- pam.orig/modules/pam_rhosts/pam_rhosts.8
++++ pam/modules/pam_rhosts/pam_rhosts.8
+@@ -122,7 +122,7 @@
+ \fBrhosts\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de>
+Index: pam/modules/pam_rootok/pam_rootok.8.xml
+===================================================================
+--- pam.orig/modules/pam_rootok/pam_rootok.8.xml
++++ pam/modules/pam_rootok/pam_rootok.8.xml
+@@ -116,7 +116,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_rootok/pam_rootok.8
+===================================================================
+--- pam.orig/modules/pam_rootok/pam_rootok.8
++++ pam/modules/pam_rootok/pam_rootok.8
+@@ -100,7 +100,7 @@
+ \fBsu\fR(1),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+--- pam.orig/modules/pam_securetty/pam_securetty.8.xml
++++ pam/modules/pam_securetty/pam_securetty.8.xml
+@@ -187,7 +187,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_securetty/pam_securetty.8
+===================================================================
+--- pam.orig/modules/pam_securetty/pam_securetty.8
++++ pam/modules/pam_securetty/pam_securetty.8
+@@ -134,7 +134,7 @@
+ \fBsecuretty\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&.
+Index: pam/modules/pam_selinux/pam_selinux.8.xml
+===================================================================
+--- pam.orig/modules/pam_selinux/pam_selinux.8.xml
++++ pam/modules/pam_selinux/pam_selinux.8.xml
+@@ -258,7 +258,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam/modules/pam_selinux/pam_selinux.8
+===================================================================
+--- pam.orig/modules/pam_selinux/pam_selinux.8
++++ pam/modules/pam_selinux/pam_selinux.8
+@@ -7,7 +7,7 @@
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_SELINUX" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_SELINUX" "7" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -144,7 +144,7 @@
+ \fBexecve\fR(2),
+ \fBtty\fR(4),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_sepermit/pam_sepermit.8.xml
+===================================================================
+--- pam.orig/modules/pam_sepermit/pam_sepermit.8.xml
++++ pam/modules/pam_sepermit/pam_sepermit.8.xml
+@@ -176,7 +176,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+Index: pam/modules/pam_sepermit/pam_sepermit.8
+===================================================================
+--- pam.orig/modules/pam_sepermit/pam_sepermit.8
++++ pam/modules/pam_sepermit/pam_sepermit.8
+@@ -124,7 +124,7 @@
+ \fBsepermit.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ \fBselinux\fR(8)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_shells/pam_shells.8.xml
+===================================================================
+--- pam.orig/modules/pam_shells/pam_shells.8.xml
++++ pam/modules/pam_shells/pam_shells.8.xml
+@@ -102,7 +102,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_shells/pam_shells.8
+===================================================================
+--- pam.orig/modules/pam_shells/pam_shells.8
++++ pam/modules/pam_shells/pam_shells.8
+@@ -85,7 +85,7 @@
+ \fBshells\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_shells was written by Erik Troan <ewt@redhat\&.com>\&.
+Index: pam/modules/pam_succeed_if/pam_succeed_if.8.xml
+===================================================================
+--- pam.orig/modules/pam_succeed_if/pam_succeed_if.8.xml
++++ pam/modules/pam_succeed_if/pam_succeed_if.8.xml
+@@ -295,7 +295,7 @@
+ <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_succeed_if/pam_succeed_if.8
+===================================================================
+--- pam.orig/modules/pam_succeed_if/pam_succeed_if.8
++++ pam/modules/pam_succeed_if/pam_succeed_if.8
+@@ -220,7 +220,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBglob\fR(7),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Nalin Dahyabhai <nalin@redhat\&.com>
+Index: pam/modules/pam_time/pam_time.8.xml
+===================================================================
+--- pam.orig/modules/pam_time/pam_time.8.xml
++++ pam/modules/pam_time/pam_time.8.xml
+@@ -184,7 +184,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+Index: pam/modules/pam_time/pam_time.8
+===================================================================
+--- pam.orig/modules/pam_time/pam_time.8
++++ pam/modules/pam_time/pam_time.8
+@@ -116,7 +116,7 @@
+ .PP
+ \fBtime.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+ pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- pam.orig/modules/pam_umask/pam_umask.8.xml
++++ pam/modules/pam_umask/pam_umask.8.xml
+@@ -246,7 +246,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_umask/pam_umask.8
+===================================================================
+--- pam.orig/modules/pam_umask/pam_umask.8
++++ pam/modules/pam_umask/pam_umask.8
+@@ -170,7 +170,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&.
+Index: pam/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8.xml
++++ pam/modules/pam_unix/pam_unix.8.xml
+@@ -559,7 +559,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_unix/pam_unix.8
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix.8
++++ pam/modules/pam_unix/pam_unix.8
+@@ -310,7 +310,7 @@
+ \fBlogin.defs\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_unix was written by various people\&.
+Index: pam/doc/man/misc_conv.3.xml
+===================================================================
+--- pam.orig/doc/man/misc_conv.3.xml
++++ pam/doc/man/misc_conv.3.xml
+@@ -171,7 +171,7 @@
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/misc_conv.3
+===================================================================
+--- pam.orig/doc/man/misc_conv.3
++++ pam/doc/man/misc_conv.3
+@@ -117,7 +117,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_conv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_acct_mgmt.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_acct_mgmt.3.xml
++++ pam/doc/man/pam_acct_mgmt.3.xml
+@@ -138,7 +138,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_acct_mgmt.3
+===================================================================
+--- pam.orig/doc/man/pam_acct_mgmt.3
++++ pam/doc/man/pam_acct_mgmt.3
+@@ -97,4 +97,4 @@
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_authenticate.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_authenticate.3.xml
++++ pam/doc/man/pam_authenticate.3.xml
+@@ -162,7 +162,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_authenticate.3
+===================================================================
+--- pam.orig/doc/man/pam_authenticate.3
++++ pam/doc/man/pam_authenticate.3
+@@ -107,4 +107,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_chauthtok.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_chauthtok.3.xml
++++ pam/doc/man/pam_chauthtok.3.xml
+@@ -157,7 +157,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_chauthtok.3
+===================================================================
+--- pam.orig/doc/man/pam_chauthtok.3
++++ pam/doc/man/pam_chauthtok.3
+@@ -106,4 +106,4 @@
+ \fBpam_setcred\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_conv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_conv.3.xml
++++ pam/doc/man/pam_conv.3.xml
+@@ -221,7 +221,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_conv.3
+===================================================================
+--- pam.orig/doc/man/pam_conv.3
++++ pam/doc/man/pam_conv.3
+@@ -174,4 +174,4 @@
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_error.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_error.3.xml
++++ pam/doc/man/pam_error.3.xml
+@@ -105,7 +105,7 @@
+ <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_error.3
+===================================================================
+--- pam.orig/doc/man/pam_error.3
++++ pam/doc/man/pam_error.3
+@@ -80,7 +80,7 @@
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+ \fBpam_vprompt\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_getenv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_getenv.3.xml
++++ pam/doc/man/pam_getenv.3.xml
+@@ -60,7 +60,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_getenv.3
+===================================================================
+--- pam.orig/doc/man/pam_getenv.3
++++ pam/doc/man/pam_getenv.3
+@@ -57,4 +57,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_getenvlist.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_getenvlist.3.xml
++++ pam/doc/man/pam_getenvlist.3.xml
+@@ -78,7 +78,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_getenvlist.3
+===================================================================
+--- pam.orig/doc/man/pam_getenvlist.3
++++ pam/doc/man/pam_getenvlist.3
+@@ -63,4 +63,4 @@
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_info.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_info.3.xml
++++ pam/doc/man/pam_info.3.xml
+@@ -93,7 +93,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_info.3
+===================================================================
+--- pam.orig/doc/man/pam_info.3
++++ pam/doc/man/pam_info.3
+@@ -76,7 +76,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_misc_drop_env.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_misc_drop_env.3.xml
++++ pam/doc/man/pam_misc_drop_env.3.xml
+@@ -46,7 +46,7 @@
+ <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_misc_drop_env.3
+===================================================================
+--- pam.orig/doc/man/pam_misc_drop_env.3
++++ pam/doc/man/pam_misc_drop_env.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_getenvlist\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_misc_paste_env.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_misc_paste_env.3.xml
++++ pam/doc/man/pam_misc_paste_env.3.xml
+@@ -44,7 +44,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_misc_paste_env.3
+===================================================================
+--- pam.orig/doc/man/pam_misc_paste_env.3
++++ pam/doc/man/pam_misc_paste_env.3
+@@ -47,7 +47,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_misc_setenv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_misc_setenv.3.xml
++++ pam/doc/man/pam_misc_setenv.3.xml
+@@ -51,7 +51,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_misc_setenv.3
+===================================================================
+--- pam.orig/doc/man/pam_misc_setenv.3
++++ pam/doc/man/pam_misc_setenv.3
+@@ -52,7 +52,7 @@
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/doc/man/pam_prompt.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_prompt.3.xml
++++ pam/doc/man/pam_prompt.3.xml
+@@ -95,7 +95,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+Index: pam/doc/man/pam_prompt.3
+===================================================================
+--- pam.orig/doc/man/pam_prompt.3
++++ pam/doc/man/pam_prompt.3
+@@ -70,7 +70,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBpam_conv\fR(3)
+ .SH "STANDARDS"
+ .PP
+Index: pam/doc/man/pam_putenv.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_putenv.3.xml
++++ pam/doc/man/pam_putenv.3.xml
+@@ -145,7 +145,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_putenv.3
+===================================================================
+--- pam.orig/doc/man/pam_putenv.3
++++ pam/doc/man/pam_putenv.3
+@@ -108,4 +108,4 @@
+ \fBpam_getenv\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_strerror.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_strerror.3.xml
++++ pam/doc/man/pam_strerror.3.xml
+@@ -51,7 +51,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_strerror.3
+===================================================================
+--- pam.orig/doc/man/pam_strerror.3
++++ pam/doc/man/pam_strerror.3
+@@ -49,4 +49,4 @@
+ This function returns always a pointer to a string\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+Index: pam/doc/man/pam_syslog.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_syslog.3.xml
++++ pam/doc/man/pam_syslog.3.xml
+@@ -66,7 +66,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_syslog.3
+===================================================================
+--- pam.orig/doc/man/pam_syslog.3
++++ pam/doc/man/pam_syslog.3
+@@ -67,7 +67,7 @@
+ variable argument list macros\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+Index: pam/modules/pam_userdb/pam_userdb.8.xml
+===================================================================
+--- pam.orig/modules/pam_userdb/pam_userdb.8.xml
++++ pam/modules/pam_userdb/pam_userdb.8.xml
+@@ -279,7 +279,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_userdb/pam_userdb.8
+===================================================================
+--- pam.orig/modules/pam_userdb/pam_userdb.8
++++ pam/modules/pam_userdb/pam_userdb.8
+@@ -152,7 +152,7 @@
+ \fBcrypt\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&.
+Index: pam/modules/pam_warn/pam_warn.8.xml
+===================================================================
+--- pam.orig/modules/pam_warn/pam_warn.8.xml
++++ pam/modules/pam_warn/pam_warn.8.xml
+@@ -90,7 +90,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_warn/pam_warn.8
+===================================================================
+--- pam.orig/modules/pam_warn/pam_warn.8
++++ pam/modules/pam_warn/pam_warn.8
+@@ -83,7 +83,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+Index: pam/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam/modules/pam_wheel/pam_wheel.8.xml
+@@ -213,7 +213,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- pam.orig/modules/pam_wheel/pam_wheel.8
++++ pam/modules/pam_wheel/pam_wheel.8
+@@ -136,7 +136,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
+Index: pam/modules/pam_xauth/pam_xauth.8.xml
+===================================================================
+--- pam.orig/modules/pam_xauth/pam_xauth.8.xml
++++ pam/modules/pam_xauth/pam_xauth.8.xml
+@@ -276,7 +276,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_xauth/pam_xauth.8
+===================================================================
+--- pam.orig/modules/pam_xauth/pam_xauth.8
++++ pam/modules/pam_xauth/pam_xauth.8
+@@ -177,7 +177,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
+Index: pam/modules/pam_env/pam_env.8
+===================================================================
+--- pam.orig/modules/pam_env/pam_env.8
++++ pam/modules/pam_env/pam_env.8
+@@ -7,7 +7,7 @@
+ .\" Source: Linux-PAM Manual
+ .\" Language: English
+ .\"
+-.TH "PAM_ENV" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual"
++.TH "PAM_ENV" "7" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+Index: pam/modules/pam_pwhistory/pam_pwhistory.8.xml
+===================================================================
+--- pam.orig/modules/pam_pwhistory/pam_pwhistory.8.xml
++++ pam/modules/pam_pwhistory/pam_pwhistory.8.xml
+@@ -229,7 +229,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum>
+Index: pam/modules/pam_pwhistory/pam_pwhistory.8
+===================================================================
+--- pam.orig/modules/pam_pwhistory/pam_pwhistory.8
++++ pam/modules/pam_pwhistory/pam_pwhistory.8
+@@ -156,7 +156,7 @@
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ \fBpam_get_authtok\fR(3)
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_sepermit/sepermit.conf.5.xml
+===================================================================
+--- pam.orig/modules/pam_sepermit/sepermit.conf.5.xml
++++ pam/modules/pam_sepermit/sepermit.conf.5.xml
+@@ -96,7 +96,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ </para>
+ </refsect1>
+Index: pam/modules/pam_sepermit/sepermit.conf.5
+===================================================================
+--- pam.orig/modules/pam_sepermit/sepermit.conf.5
++++ pam/modules/pam_sepermit/sepermit.conf.5
+@@ -110,7 +110,7 @@
+ .PP
+ \fBpam_sepermit\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBselinux\fR(8),
+ .SH "AUTHOR"
+ .PP
+Index: pam/modules/pam_timestamp/pam_timestamp.8.xml
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp.8.xml
++++ pam/modules/pam_timestamp/pam_timestamp.8.xml
+@@ -193,7 +193,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_timestamp/pam_timestamp.8
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp.8
++++ pam/modules/pam_timestamp/pam_timestamp.8
+@@ -129,7 +129,7 @@
+ \fBpam_timestamp_check\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_timestamp was written by Nalin Dahyabhai\&.
+Index: pam/modules/pam_timestamp/pam_timestamp_check.8.xml
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp_check.8.xml
++++ pam/modules/pam_timestamp/pam_timestamp_check.8.xml
+@@ -192,7 +192,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_timestamp/pam_timestamp_check.8
+===================================================================
+--- pam.orig/modules/pam_timestamp/pam_timestamp_check.8
++++ pam/modules/pam_timestamp/pam_timestamp_check.8
+@@ -127,7 +127,7 @@
+ \fBpam_timestamp_check\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_timestamp was written by Nalin Dahyabhai\&.
+Index: pam/modules/pam_tty_audit/pam_tty_audit.8.xml
+===================================================================
+--- pam.orig/modules/pam_tty_audit/pam_tty_audit.8.xml
++++ pam/modules/pam_tty_audit/pam_tty_audit.8.xml
+@@ -181,7 +181,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/modules/pam_tty_audit/pam_tty_audit.8
+===================================================================
+--- pam.orig/modules/pam_tty_audit/pam_tty_audit.8
++++ pam/modules/pam_tty_audit/pam_tty_audit.8
+@@ -129,7 +129,7 @@
+ \fBaureport\fR(8),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&.
+Index: pam/doc/man/pam_get_authtok.3.xml
+===================================================================
+--- pam.orig/doc/man/pam_get_authtok.3.xml
++++ pam/doc/man/pam_get_authtok.3.xml
+@@ -232,7 +232,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+Index: pam/doc/man/pam_get_authtok.3
+===================================================================
+--- pam.orig/doc/man/pam_get_authtok.3
++++ pam/doc/man/pam_get_authtok.3
+@@ -162,7 +162,7 @@
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
diff --git a/debian/patches-applied/do_not_check_nis_accidentally b/debian/patches-applied/do_not_check_nis_accidentally
new file mode 100644
index 0000000..29ce609
--- /dev/null
+++ b/debian/patches-applied/do_not_check_nis_accidentally
@@ -0,0 +1,22 @@
+Patch for Debian bug #469635
+
+Always call _unix_getpwnam() consistent with the value of the 'nis'
+option, so that we only grab from the backends we're expecting.
+
+Authors: Quentin Godfroy <godfroy@clipper.ens.fr>
+
+Upstream status: should be submitted
+
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -669,7 +669,7 @@
+ return PAM_USER_UNKNOWN;
+ } else {
+ struct passwd *pwd;
+- _unix_getpwnam(pamh, user, 1, 1, &pwd);
++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "user \"%s\" has corrupted passwd entry",
diff --git a/debian/patches-applied/fix-autoreconf.patch b/debian/patches-applied/fix-autoreconf.patch
new file mode 100644
index 0000000..bdd9626
--- /dev/null
+++ b/debian/patches-applied/fix-autoreconf.patch
@@ -0,0 +1,27 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Thu, 8 Nov 2018 19:09:21 +0100
+Subject: fix-autoreconf.patch
+
+Do not override user variables in Makefile.am, see the
+"Flag Variables Ordering" section of the automake manual.
+---
+ doc/specs/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: pam/doc/specs/Makefile.am
+===================================================================
+--- pam.orig/doc/specs/Makefile.am
++++ pam/doc/specs/Makefile.am
+@@ -12,9 +12,9 @@
+ AM_YFLAGS = -d
+
+ CC = @CC_FOR_BUILD@
+-CPPFLAGS = @BUILD_CPPFLAGS@
+-CFLAGS = @BUILD_CFLAGS@
+-LDFLAGS = @BUILD_LDFLAGS@
++AM_CPPFLAGS = @BUILD_CPPFLAGS@
++AM_CFLAGS = @BUILD_CFLAGS@
++AM_LDFLAGS = @BUILD_LDFLAGS@
+
+ padout_CFLAGS = $(WARN_CFLAGS) -Wno-unused-function -Wno-sign-compare
+
diff --git a/debian/patches-applied/hurd_no_setfsuid b/debian/patches-applied/hurd_no_setfsuid
new file mode 100644
index 0000000..00610a8
--- /dev/null
+++ b/debian/patches-applied/hurd_no_setfsuid
@@ -0,0 +1,77 @@
+On systems without setfsuid(), use setreuid() instead.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv
+ are implemented
+
+Index: pam/libpam/pam_modutil_priv.c
+===================================================================
+--- pam.orig/libpam/pam_modutil_priv.c
++++ pam/libpam/pam_modutil_priv.c
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat
new file mode 100644
index 0000000..e386ff3
--- /dev/null
+++ b/debian/patches-applied/lib_security_multiarch_compat
@@ -0,0 +1,72 @@
+Unqualified module paths should always be looked up in *both* the default
+module dir, *and* the ISA dir. That's what paths are for.
+
+This lets us have a soft transition to multiarch for modules without having
+to rewrite /etc/pam.d/ files or add ugly symlinks.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: not ready to be committed - this needs tweaked, we're
+currently abusing the existing variables and inverting their meaning in
+order to get everything installed where we want it and get absolute paths
+the way we want them.
+
+Index: pam-1.4.0/libpam/pam_handlers.c
+===================================================================
+--- pam-1.4.0.orig/libpam/pam_handlers.c
++++ pam-1.4.0/libpam/pam_handlers.c
+@@ -735,7 +735,27 @@ _pam_load_module(pam_handle_t *pamh, con
+ success = PAM_ABORT;
+
+ D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
+- mod->dl_handle = _pam_dlopen(mod_path);
++ if (mod_path[0] == '/') {
++ mod->dl_handle = _pam_dlopen(mod_path);
++ } else {
++ char *mod_full_path = NULL;
++ if (asprintf(&mod_full_path, "%s%s",
++ DEFAULT_MODULE_PATH, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_path);
++ _pam_drop(mod_full_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ if (!mod->dl_handle) {
++ if (asprintf(&mod_full_path, "%s/%s",
++ _PAM_ISA, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_path);
++ _pam_drop(mod_full_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ }
++ }
+ D(("_pam_load_module: _pam_dlopen'ed"));
+ D(("_pam_load_module: dlopen'ed"));
+ if (mod->dl_handle == NULL) {
+@@ -812,7 +832,6 @@ int _pam_add_handler(pam_handle_t *pamh
+ struct handler **handler_p2;
+ struct handlers *the_handlers;
+ const char *sym, *sym2;
+- char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
+
+@@ -824,16 +843,7 @@ int _pam_add_handler(pam_handle_t *pamh
+
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
+- if (mod_path[0] == '/') {
+- mod = _pam_load_module(pamh, mod_path, handler_type);
+- } else if (asprintf(&mod_full_path, "%s%s",
+- DEFAULT_MODULE_PATH, mod_path) >= 0) {
+- mod = _pam_load_module(pamh, mod_full_path, handler_type);
+- _pam_drop(mod_full_path);
+- } else {
+- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+- return PAM_ABORT;
+- }
++ mod = _pam_load_module(pamh, mod_path, handler_type);
+
+ if (mod == NULL) {
+ /* if we get here with NULL it means allocation error */
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 0000000..b6a4bfe
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,19 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C.UTF-8 to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>, Steve Langasek <vorlon@debian.org>
+Last-Update: 2019-01-06
+
+Index: pam/configure.ac
+===================================================================
+--- pam.orig/configure.ac
++++ pam/configure.ac
+@@ -585,7 +585,7 @@
+
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test -n "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C.UTF-8 $BROWSER -T text/html -dump"
+ else
+ AC_PATH_PROG([BROWSER], [elinks])
+ if test -n "$BROWSER"; then
diff --git a/debian/patches-applied/no_PATH_MAX_on_hurd b/debian/patches-applied/no_PATH_MAX_on_hurd
new file mode 100644
index 0000000..ab2403d
--- /dev/null
+++ b/debian/patches-applied/no_PATH_MAX_on_hurd
@@ -0,0 +1,22 @@
+Description: define PATH_MAX for compatibility when it's not already set
+ Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable
+ default value in this case.
+Author: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/552043
+
+Index: pam/tests/tst-dlopen.c
+===================================================================
+--- pam.orig/tests/tst-dlopen.c
++++ pam/tests/tst-dlopen.c
+@@ -16,6 +16,11 @@
+ #include <limits.h>
+ #include <sys/stat.h>
+
++/* Hurd compatibility */
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
+ /* Simple program to see if dlopen() would succeed. */
+ int main(int argc, char **argv)
+ {
diff --git a/debian/patches-applied/nullok_secure-compat.patch b/debian/patches-applied/nullok_secure-compat.patch
new file mode 100644
index 0000000..d85aa9f
--- /dev/null
+++ b/debian/patches-applied/nullok_secure-compat.patch
@@ -0,0 +1,27 @@
+Description: Support nullok_secure as a deprecated alias for nullok
+Author: Steve Langasek <vorlon@debian.org>
+Last-Update: 2020-08-11
+
+Index: pam/modules/pam_unix/support.h
+===================================================================
+--- pam.orig/modules/pam_unix/support.h
++++ pam/modules/pam_unix/support.h
+@@ -102,8 +102,9 @@
+ #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
+ #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
+ #define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 35 /* deprecated alias for nullok */
+ /* -------------- */
+-#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 36 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
+
+@@ -147,6 +148,7 @@
+ /* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1},
+ /* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200ULL), 0, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 0000000..9c0503c
--- /dev/null
+++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
@@ -0,0 +1,60 @@
+From: Robie Basak <robie.basak@ubuntu.com>
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 <rbasak> slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad <adconrad@ubuntu.com>
+Reviewed-by: Martin Pitt <martin.pitt@ubuntu.com>
+Last-Update: 2015-04-22
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -450,6 +450,14 @@
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ }
+ fclose(limitsfile);
++
++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++ * since larger values can cause problems with fd_set overflow and
++ * systemd sets itself higher. */
++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++ }
+ }
+
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches-applied/pam_mkhomedir_stat_before_opendir b/debian/patches-applied/pam_mkhomedir_stat_before_opendir
new file mode 100644
index 0000000..aec49b6
--- /dev/null
+++ b/debian/patches-applied/pam_mkhomedir_stat_before_opendir
@@ -0,0 +1,25 @@
+Index: pam/modules/pam_mkhomedir/mkhomedir_helper.c
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/mkhomedir_helper.c
++++ pam/modules/pam_mkhomedir/mkhomedir_helper.c
+@@ -39,6 +39,7 @@
+ DIR *d;
+ struct dirent *dent;
+ int retval = PAM_SESSION_ERR;
++ struct stat stat_buf;
+
+ /* Create the new directory */
+ if (mkdir(dest, 0700) && errno != EEXIST)
+@@ -54,6 +55,12 @@
+ goto go_out;
+ }
+
++ /* Various things such as an autofs mount with browsing disabled
++ * can cause the directory to appear only on stat. The intent is
++ * to minimize network traversal when a file explorer tries to
++ * traverse large chunks of a directory tree. So stat first.*/
++ stat(source, &stat_buf);
++
+ /* Scan the directory */
+ d = opendir(source);
+ if (d == NULL)
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 0000000..6a9e525
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,25 @@
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
+
+Authors: Steve Langasek <vorlon@debian.org>,
+ Michael Spang <mspang@csclub.uwaterloo.ca>
+
+Upstream status: to be submitted
+
+Index: pam/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/unix_chkpwd.c
++++ pam/modules/pam_unix/unix_chkpwd.c
+@@ -138,9 +138,10 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (user == NULL || strcmp(user, argv[1])) {
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
+ }
+ }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
new file mode 100644
index 0000000..3ea285a
--- /dev/null
+++ b/debian/patches-applied/series
@@ -0,0 +1,24 @@
+pam_unix_dont_trust_chkpwd_caller.patch
+make_documentation_reproducible.patch
+007_modules_pam_unix
+008_modules_pam_limits_chroot
+021_nis_cleanup
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+do_not_check_nis_accidentally
+027_pam_limits_better_init_allow_explicit_root
+031_pam_include
+032_pam_limits_EPERM_NOT_FATAL
+036_pam_wheel_getlogin_considered_harmful
+hurd_no_setfsuid
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+PAM-manpage-section
+update-motd
+no_PATH_MAX_on_hurd
+lib_security_multiarch_compat
+pam-limits-nofile-fd-setsize-cap
+fix-autoreconf.patch
+nullok_secure-compat.patch
+
+pam_mkhomedir_stat_before_opendir
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
new file mode 100644
index 0000000..14d5fee
--- /dev/null
+++ b/debian/patches-applied/update-motd
@@ -0,0 +1,113 @@
+Provide a more dynamic MOTD, based on the short-lived update-motd project.
+
+Authors: Dustin Kirkland <kirkland@canonical.com>
+
+Last-Update: 2019-02-12
+Forwarded: no
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/399071
+
+Index: pam/modules/pam_motd/pam_motd.c
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.c
++++ pam/modules/pam_motd/pam_motd.c
+@@ -352,6 +352,7 @@
+ int argc, const char **argv)
+ {
+ int retval = PAM_IGNORE;
++ int do_update = 1;
+ const char *motd_path = NULL;
+ char *motd_path_copy = NULL;
+ unsigned int num_motd_paths = 0;
+@@ -361,6 +362,7 @@
+ unsigned int num_motd_dir_paths = 0;
+ char **motd_dir_path_split = NULL;
+ int report_missing;
++ struct stat st;
+
+ if (flags & PAM_SILENT) {
+ return retval;
+@@ -390,6 +392,9 @@
+ "motd_dir= specification missing argument - ignored");
+ }
+ }
++ else if (!strcmp(*argv,"noupdate")) {
++ do_update = 0;
++ }
+ else
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -402,6 +407,19 @@
+ report_missing = 1;
+ }
+
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd. */
++ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
++ && S_ISDIR(st.st_mode))
++ {
++ mode_t old_mask = umask(0022);
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
++ umask(old_mask);
++ }
++
+ if (motd_path != NULL) {
+ motd_path_copy = strdup(motd_path);
+ }
+Index: pam/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8.xml
++++ pam/modules/pam_motd/pam_motd.8.xml
+@@ -115,6 +115,17 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>noupdate</option>
++ </term>
++ <listitem>
++ <para>
++ Don't run the scripts in <filename>/etc/update-motd.d</filename>
++ to refresh the motd file.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ <para>
+ When no options are given, the default behavior applies for both
+Index: pam/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8
++++ pam/modules/pam_motd/pam_motd.8
+@@ -109,6 +109,13 @@
+ /etc/motd\&.d:/run/motd\&.d:/usr/lib/motd\&.d\&.
+ .RE
+ .PP
++\fBnoupdate\fR
++.RS 4
++Don\*(Aqt run the scripts in
++/etc/update\-motd\&.d
++to refresh the motd file\&.
++.RE
++.PP
+ When no options are given, the default behavior applies for both options\&. Specifying either option (or both) will disable the default behavior for both options\&.
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+Index: pam/modules/pam_motd/README
+===================================================================
+--- pam.orig/modules/pam_motd/README
++++ pam/modules/pam_motd/README
+@@ -52,6 +52,10 @@
+ colon-separated list. By default this option is set to /etc/motd.d:/run/
+ motd.d:/usr/lib/motd.d.
+
++noupdate
++
++ Don't run the scripts in /etc/update-motd.d to refresh the motd file.
++
+ When no options are given, the default behavior applies for both options.
+ Specifying either option (or both) will disable the default behavior for both
+ options.