Diffstat (limited to '')
-rw-r--r-- ChangeLog 7232
-rw-r--r-- ChangeLog-CVS 5099
2 files changed, 12331 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..df5f174
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,7232 @@
+2021-09-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix a typo found using codespell tool.
+ * modules/pam_pwhistory/pam_pwhistory.c: Replace "crypted password" with
+ "hashed password" in comment.
+ * modules/pam_unix/passverify.c (create_password_hash): Rename "crypted"
+ local variable to "hashed".
+
+2021-08-30 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: also search libcrypt through pkg-config.
+ libxcrypt provides a libcrypt.pc file so use it if available as this
+ will allow to retrieve the library path (e.g.
+ -L/home/buildroot/output/host//riscv64-buildroot-linux-musl/sysroot/usr/lib)
+ which is useful when cross-compiling and will avoid the following build
+ failure on buildroot:
+
+ /home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
+ passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
+
+ Fixes:
+ - http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
+
+2021-08-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: workaround the problem caused by libnss_systemd.
+ The getspnam(3) manual page says that errno shall be set to EACCES when
+ the caller does not have permission to access the shadow password file.
+ Unfortunately, this contract is broken when libnss_systemd is used in
+ the nss stack.
+
+ Workaround this problem by falling back to the helper invocation when
+ pam_modutil_getspnam returns NULL regardless of errno. As pam_unix
+ already behaves this way when selinux is enabled, it should be OK
+ for the case when selinux is not enabled, too.
+
+ * modules/pam_unix/passverify.c (get_account_info): When
+ pam_modutil_getspnam returns NULL, unconditionally fall back
+ to the helper invocation.
+
+ Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
+ Resolves: https://github.com/linux-pam/linux-pam/issues/379
+
+2021-08-18 Jérôme Fenal <jfenal@free.fr>
+
+ po: update translations using Weblate (French)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2021-08-02 panchenbo <panchenbo@uniontech.com>
+
+ po/zh_CN.po: fix pam_lastlog translation errors.
+ Closes: https://github.com/linux-pam/linux-pam/issues/383
+
+2021-07-24 simmon <simmon@nplob.com>
+
+ po: update translations using Weblate (Korean)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Swedish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Portuguese (Brazil))
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Portuguese (Brazil))
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Dutch)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Italian)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Hebrew)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Danish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2021-07-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Catalan)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2021-07-22 Yuri Chornoivan <yurchor@ukr.net>
+
+ po: update translations using Weblate (Ukrainian)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2021-07-22 Oğuz Ersen <oguzersen@protonmail.com>
+
+ po: update translations using Weblate (Turkish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2021-07-21 Piotr Drąg <piotrdrag@gmail.com>
+
+ po: update translations using Weblate (Polish)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2021-07-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (German)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2021-07-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Russian)
+ Currently translated at 100.0% (100 of 100 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+2021-07-21 Seong-ho Cho <darkcircle.0426@gmail.com>
+
+ po: update translations using Weblate (Korean)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-07-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update .pot and .po files.
+ Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
+ command.
+
+ Prepare for 1.5.2 release.
+ * configure.ac (AC_INIT): Raise version to 1.5.2.
+ * NEWS: Update.
+
+ pam_faillock: remove confusing comment.
+ * modules/pam_faillock/pam_faillock.c (faillock_message): Remove the
+ comment that meant to help translators but actually confused xgettext.
+
+2021-07-09 Iker Pedrosa <ipedrosa@redhat.com>
+
+ pam_filter: Close file after controlling tty.
+ Failing to check the descriptor value meant that there was a bug in the
+ attempt to close the controlling tty. Moreover, this would lead to a
+ file descriptor leak as pointed out by the static analyzer tool:
+
+ Error: RESOURCE_LEAK (CWE-772): [#def26]
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero.
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
+ Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
+ 365| pam_syslog(pamh, LOG_ERR,
+ 366| "child cannot become new session: %m");
+ 367|-> return PAM_ABORT;
+ 368| }
+ 369|
+
+2021-06-29 Andrew G. Morgan <morgan@kernel.org>
+
+ Permit unix_chkpwd & pam_unix.so to run without being setuid-root.
+ Remove the hard-coding of the idea that the only way pam_unix.so can
+ read the shadow file is if it can, in some way, run setuid-root.
+ Linux capabilities only require cap_dac_override to read the /etc/shadow
+ file.
+
+ This change achieves two things: it opens a path for a linux-pam
+ application to run without being setuid-root; further, it allows
+ unix_chkpwd to run non-setuid-root if it is installed:
+
+ sudo setcap cap_dac_override=ep unix_chkpwd
+
+ If we wanted to link against libcap, we could install this binary with
+ cap_dac_override=p, and use cap_set_proc() to raise the effective bit
+ at runtime. However, some distributions already link unix_chkpwd
+ against libcap-ng for some, likely spurious, reason so "ep" is fine
+ for now.
+
+2021-06-15 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: fix build with libxcrypt and uclibc-ng.
+ Fix the following build failure with libxcrypt and uclibc-ng:
+
+ ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
+ passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
+
+ Fixes:
+ - http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
+
+2021-06-14 Mathieu Trossevin <mathieu.trossevin@gmail.com>
+
+ Add pkgconfig files for provided libraries.
+ * .gitignore: Add .pc files as they are generated by autoconf.
+ * configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
+ * libpam/Makefile.am: Install pam.pc.
+ * libpam/pam.pc.in: New file.
+ * libpam_misc/Makefile.am: Install pam_misc.pc
+ * libpam_misc/pam_misc.pc.in: New file.
+ * libpamc/Makefile.am: Install pamc.pc
+
+ This allow applications and PAM modules to automatically find libpam,
+ libpam_misc and libpamc if they are installed instead of having to
+ manually search for them.
+
+2021-06-14 Björn Esser <besser82@fedoraproject.org>
+
+ Remove support for legacy xcrypt.
+ Since many distributions are shipping a version of libxcrypt >= 4.0.0
+ as a replacement for glibc's libcrypt now, older versions of xcrypt,
+ which could be installed in parallel, are not relevant anymore.
+
+ * configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h.
+ (AC_SEARCH_LIBS): Remove xcrypt.
+ (AC_CHECK_FUNCS): Remove crypt_gensalt_r.
+ (AC_DEFINE): Remove HAVE_LIBXCRYPT.
+ * modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
+ * modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
+ * modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
+ * modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise.
+ (create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
+
+2021-06-14 Jeff Squyres <jsquyres@cisco.com>
+
+ pam_misc: set default length of misc_conv() buffer to 4096.
+
+ pam_misc: make length of misc_conv() configurable.
+ Add --with-misc-conv-bufsize=<number> option to configure to allow
+ a longer buffer size for libpam_misc's misc_conv() function (it still
+ defaults to 512 bytes).
+
+2021-06-14 Iker Pedrosa <ipedrosa@redhat.com>
+
+ pam_timestamp: replace hmac implementation.
+ sha1 is no longer recommended as a cryptographic algorithm for
+ authentication. Thus, the idea of this change is to replace the
+ implementation provided by hmacsha1 included in pam_timestamp module by
+ the one in the openssl library. This way, there's no need to maintain
+ the cryptographic algorithm implementation and it can be easily changed
+ with a single configuration change.
+
+ modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
+ functions around openssl's hmac implementation. Moreover, manage the key
+ generation and its read and write in a file. Include an option to
+ configure the cryptographic algorithm in login.defs file.
+ modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
+ modules/pam_timestamp/pam_timestamp.c: replace calls to functions
+ provided by hmacsha1 by functions provided by openssl's wrapper.
+ configure.ac: include openssl dependecy if it is enabled.
+ modules/pam_timestamp/Makefile.am: include new files and openssl library
+ to compilation.
+ ci/install-dependencies.sh: include openssl library to dependencies.
+ NEWS: add new item to next release.
+ Make.xml.rules.in: add stringparam profiling for hmac
+ doc/custom-man.xsl: change import docbook to one with profiling
+ modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
+ indicate the value in /etc/login.defs that holds the value for the
+ encryption algorithm
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
+
+2021-06-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ .github: add gcc-11, clang-12, and clang-11 jobs.
+ * .github/workflows/ci.yml (gcc11-x86_64, gcc11-x86, gcc11-x32,
+ clang12-x86_64, clang11-x86_64): New jobs.
+
+2021-06-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ tests: fix -Wmaybe-uninitialized warnings.
+ Fix the following class of compilation warnings reported by gcc 11:
+
+ tst-pam_end.c: In function ‘main’:
+ tst-pam_end.c:55:12: error: ‘conv’ may be used uninitialized [-Werror=maybe-uninitialized]
+ 55 | retval = pam_start (service, user, &conv, &pamh);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from tst-pam_end.c:41:
+ ../libpam/include/security/pam_appl.h:23:1: note: by argument 3 of type ‘const struct pam_conv *’ to ‘pam_start’ declared here
+ 23 | pam_start(const char *service_name, const char *user,
+ | ^~~~~~~~~
+ tst-pam_end.c:49:19: note: ‘conv’ declared here
+ 49 | struct pam_conv conv;
+ | ^~~~
+
+ * tests/tst-pam_end.c (main): Initialize conv variable.
+ * tests/tst-pam_fail_delay.c: Likewise.
+ * tests/tst-pam_get_item.c: Likewise.
+ * tests/tst-pam_getenvlist.c: Likewise.
+ * tests/tst-pam_set_data.c: Likewise.
+ * tests/tst-pam_set_item.c: Likewise.
+ * tests/tst-pam_start.c: Likewise.
+ * tests/tst-pam_start_confdir.c: Likewise.
+
+2021-06-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: do not use crypt_checksalt when checking for password expiration
+ According to Zack Weinberg, the intended meaning of
+ CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+ method", it is not supposed to mean "force a password change on next
+ login for any user with an existing stored hash using this method".
+
+ This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+ * modules/pam_unix/passverify.c (check_shadow_expiry)
+ [CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+ Closes: https://github.com/linux-pam/linux-pam/issues/367
+
+2021-06-10 Patrick Schleizer <adrelanos@whonix.org>
+
+ pam_exec: implement quiet_log option.
+ * modules/pam_exec/pam_exec.c (call_exec): Implement quiet_log option.
+ * modules/pam_exec/pam_exec.8.xml: Document it.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/334
+
+2021-05-24 Jeff Squyres <jsquyres@cisco.com>
+
+ pam.conf: clarify default action for unspecified return codes.
+ Add short blurbs explaining that if a return code is not specified in
+ the "[value1=action1 value2=action2 ...]" form and "default=action" is
+ not specified, that return code's action defaults to "bad".
+
+2021-05-01 Hasan <aliyevH@hotmail.com>
+
+ man: fix spelling bug in pam_end.3.xml.
+ * doc/man/pam_end.3.xml: Fix repeated words.
+
+2021-04-25 simmon <simmon@nplob.com>
+
+ po: update translations using Weblate (Korean)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-04-25 Emilio Herrera <ehespinosa57@gmail.com>
+
+ po: update translations using Weblate (Spanish)
+ Currently translated at 81.8% (81 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
+
+2021-04-22 Josef Moellers <jmoellers@suse.de>
+
+ pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE.
+ Replace it with a value obtained from /proc/sys/fs/nr_open
+
+ * modules/pam_limits/limits.conf.5.xml: Document the replacement.
+ * modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
+ value with a value obtained from /proc/sys/fs/nr_open
+
+2021-04-21 Stanislav Zidek <szidek@redhat.com>
+
+ pam_userdb: Prevent garbage characters from db.
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
+
+2021-04-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ misc_conv: Flush the terminal input after the password is read.
+ Fixes #347
+
+ * libpam_misc/misc_conv.c (read_string): Use TCSAFLUSH instead
+ of TCSADRAIN when resetting the terminal echo state
+
+2021-04-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: clean up the remote host matching code.
+ * modules/pam_access/pam_access.c (from_match): Split out remote_match()
+ function and avoid calling it when matching against LOCAL keyword.
+ There is also no point in doing domain match against TTY or SERVICE.
+
+2021-03-25 chuanqin <chuanqing.qin@nokia-sbell.com>
+
+ pam_faillock: convert spaces to tab to keep code style.
+ convert spaces to tab which mixture use in modules/pam_faillock/main.c
+
+2021-03-08 theslimshaney <33791263+theslimshaney@users.noreply.github.com>
+
+ pam_env: fix example in pam_env.conf.5 for setting variable.
+
+2021-03-05 dshein-alt <76520100+dshein-alt@users.noreply.github.com>
+
+ pam_mkhomedir: use HOME_MODE or UMASK from /etc/login.defs.
+ Follow the example of useradd(8) and set the user home directory mode
+ to the value of HOME_MODE or UMASK configuration item from
+ /etc/login.defs when umask option is not specified.
+
+2021-02-13 Ricky Tigg <ricky.tigg@gmail.com>
+ Ricky Tigg <ricky.tigg@gmail.com>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2021-02-13 Balázs Meskó <meskobalazs@mailbox.org>
+ Balázs Meskó <meskobalazs@mailbox.org>
+
+ po: update translations using Weblate (Hungarian)
+ Currently translated at 77.7% (77 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/
+
+2021-02-13 Carmen Bianca Bakker <carmen@carmenbianca.eu>
+ Carmen Bianca Bakker <carmen@carmenbianca.eu>
+
+ po: update translations using Weblate (Esperanto)
+ Currently translated at 43.4% (43 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/eo/
+
+2021-02-13 Weblate <noreply@weblate.org>
+ Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+ Translation: linux-pam/master
+
+2021-01-27 Changqing Li <changqing.li@windriver.com>
+
+ configure.ac: add --with-systemdunitdir option.
+ * Add this option to support the following scenario:
+ prefix = '/usr'
+ servicedir = '/lib/systemd/system'
+
+ * The default behavior is changed:
+ If this option is not given, servicedir will be set to the value that is
+ obtained from systemd pkg-config file. If the value cannot be obtained,
+ servicedir will be set to the default value '$(prefix)/lib/systemd/system'.
+
+2021-01-27 Changqing Li <changqing.li@windriver.com>
+
+ faillock: create tallydir before creating tallyfile.
+ The default tallydir is "/var/run/faillock", and this default
+ tallydir may not exist.
+
+ Function open may fail as tallydir does not exist when creating
+ the tallyfile. Therefore, faillock will not work well.
+
+ Fix this problem by creating tallydir before creating tallyfile
+ when the tallydir does not exist.
+
+2021-01-27 Ludwig Nussel <ludwig.nussel@suse.de>
+
+ pam_securetty: don't complain about missing config.
+ Not shipping a config file should be perfectly valid for distros while
+ still having eg login pre-configured to honor securetty when present.
+ PAM itself doesn't ship any template either. So avoid spamming the log
+ file if /etc/securetty wasn't found.
+
+2021-01-25 Kolja <razzeee@gmail.com>
+
+ faillock: Use pluralization via dngettext or fallback.
+
+2021-01-18 Andreas-Johann Ø Ulvestad <aj@aju.no>
+ Andreas-Johann Ø Ulvestad <aj@aju.no>
+
+ po: update translations using Weblate (Norwegian Nynorsk)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nn/
+
+2021-01-18 Jan Kuparinen <copper_fin@hotmail.com>
+ Jan Kuparinen <copper_fin@hotmail.com>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-12-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_umask: fix handling of umask parameter.
+ Potential failures of strdup(3) were ignored, fix this by not using
+ strdup(3) at all.
+
+ * modules/pam_umask/pam_umask.c (struct options_t): Add const to umask
+ field, add login_umask field.
+ (parse_option): Do not use strdup.
+ (get_options): Assign pam_modutil_search_key return values
+ to options->login_umask.
+ (pam_sm_open_session): Free options.login_umask instead of
+ options.umask.
+
+2020-12-28 Sven Hartge <sven@svenhartge.de>
+
+ pam_setquota: Minor whitespace, spelling and mail address fixes.
+
+2020-12-26 Vlad <milovlad@outlook.com>
+ Vlad <milovlad@outlook.com>
+
+ po: update translations using Weblate (Romanian)
+ Currently translated at 100.0% (99 of 99 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ro/
+
+2020-12-23 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: fix umask wording in documentation.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml (umask): Fix wording.
+
+2020-12-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Bulgarian)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/bg/
+
+2020-12-17 Issam E. Maghni <issam.e.maghni@mailbox.org>
+
+ configure: test -a|o is not POSIX.
+ Fixes `test: too many arguments` when building Linux-PAM using sbase.
+ This is due to a non-POSIX syntax test ... -a ... and test ... -o ....
+
+ > The XSI extensions specifying the -a and -o binary primaries and the
+ > '(' and ')' operators have been marked obsolescent.
+
+ See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
+
+2020-12-08 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_namespace: check for string_to_security_class failure.
+ Check for the unlikely case string_to_security_class() does not find the
+ associated SELinux security class.
+ This will only happen if the loaded SELinux policy does not define the
+ class "dir" (which no sane policy does) or querying the selinuxfs
+ fails.
+
+ Suggested by #309
+
+2020-12-08 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_selinux: check for string_to_security_class failure.
+ Check for the unlikely case string_to_security_class() does not find the
+ associated SELinux security class.
+ This will only happen if the loaded SELinux policy does not define the
+ class "chr_file" (which no sane policy does) or querying the selinuxfs
+ fails.
+
+ Suggested by #309
+
+2020-12-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Clarify the effect of 'done' in documentation.
+ The done action does not terminate the stack processing in case
+ there is a failing module with bad action up in the stack.
+
+ Fixes #307
+
+ * doc/man/pam.conf-syntax.xml: Clarify the effect of 'done'.
+
+2020-11-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ .github: partially migrate from ubuntu-18.04 to ubuntu-20.04.
+ * .github/workflows/ci.yml (runs-on): Switch from ubuntu-latest to
+ ubuntu-20.04 for whitespace-errors and *-x86_64 jobs. Stick with
+ ubuntu-18.04 for *-x86 and *-x32 jobs until we figure out how to
+ obtain -lcrypt on ubuntu-20.04 for these architectures.
+
+2020-11-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ ci: do not install libxcrypt-dev.
+ Apparently, both -lcrypt and -lxcrypt from ubuntu-18.04 already provide
+ crypt_r.
+
+ * ci/install-dependencies.sh (packages): Remove libxcrypt-dev.
+
+2020-11-24 Thomas M. DuBuisson <tommd@muse.dev>
+
+ pam_unix: fix memory leak on error path.
+ * modules/pam_unix/bigcrypt.c (bigcrypt) [HAVE_CRYPT_R]: Do not leak
+ cdata if crypt_r() fails.
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ maint: update release procedure.
+ * maint/README-release: Update.
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update .po and .pot files.
+ Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
+ command. This removes translations of pam_cracklib, pam_tally, and
+ pam_tally2 modules that were removed in v1.5.0.
+
+ Complements: v1.5.0~10 "Remove deprecated pam_cracklib module"
+ Complements: v1.5.0~9 "Remove deprecated pam_tally and pam_tally2 modules"
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: cleanup POTFILES.in.
+ * po/POTFILES.in: Strip "./" prefix, sort the list.
+
+2020-11-24 Jan Kuparinen <copper_fin@hotmail.com>
+ Jan Kuparinen <copper_fin@hotmail.com>
+
+ po: update translations using Weblate (Finnish)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ Prepare for 1.5.1 release.
+ * configure.ac (AC_INIT): Raise version to 1.5.1.
+
+ Fix various typos found using codespell tool.
+ * modules/pam_limits/limits.conf: Replace "overriden" with "overridden".
+ * modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Replace
+ "preseves" with "preserves".
+ * modules/pam_setquota/pam_setquota.8.xml: Replace "specifed" with
+ "specified".
+ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Replace
+ "fileystem" with "filesystem", "conditons" with "conditions".
+
+ Fix grammar: replace "an user" with "a user" everywhere.
+ * NEWS: Replace "an user" with "a user".
+ * modules/pam_faillock/pam_faillock.8.xml: Likewise.
+ * modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
+ * modules/pam_limits/pam_limits.c: Likewise.
+ * modules/pam_sepermit/sepermit.conf: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+ * modules/pam_userdb/pam_userdb.c: Likewise.
+
+2020-11-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_wheel: Use pam_modutil_user_in_group_uid_gid instead of reimplementation
+ The pam_modutil_user_in_group... functions use getgrouplist to check
+ the membership so they work also in setups with remote services which do
+ not provide group members in struct group.
+
+ Fixes #297
+
+ * modules/pam_wheel/pam_wheel.c (perform_check): Call pam_modutil_user_in_group_uid_gid
+ to do the group check.
+
+2020-11-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add NEWS entries for the 1.5.1 security fix release.
+
+2020-11-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Second blank check with root for non-existent users must never return 1.
+ The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
+ a regression where the blank check could return 1 if root had an empty
+ password hash because in the second case the password hash of root was
+ used. We now always return 0 in this case.
+
+ The issue was found by Johannes Löthberg.
+
+ Fixes #284
+
+ * modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
+ to cover the complete blank check so both existing and non existing
+ cases are identical except for the possible return value.
+
+2020-11-12 Tavian Barnes <tavianator@tavianator.com>
+
+ faillock: Add a nodelay option.
+ Fixes #295
+
+2020-11-10 Allison Karlitskaya <allison.karlitskaya@redhat.com>
+
+ libpam: add supplementary groups on priv drop.
+ Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a
+ call to initgroups(). This makes sure that the user's supplementary
+ groups are also configured. Fall back to setgroups(0, NULL) in case the
+ initgroups() call fails.
+
+ This fixes the permission check in pam_motd: this feature was intended
+ to allow setting permissions on a motd file to prevent it from being
+ shown to users who are not a member of a particular group (for example,
+ wheel).
+
+ Closes #292
+
+2020-11-05 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: deprecation notice of reading the user environment.
+ * modules/pam_env/pam_env.8.xml: Add the notice to the manual.
+ * modules/pam_env/pam_env.c (_pam_parse): Log deprecation warning
+ if user_readenv is set.
+
+2020-11-04 Andreas Schneider <asn@cryptomilk.org>
+
+ libpam: Fix memory leak on error path in _pam_start_internal()
+
+2020-11-04 Andreas Schneider <asn@cryptomilk.org>
+
+ libpam: Fix memory leak with pam_start_confdir()
+ Found with AddressSanitzer in pam_wrapper tests.
+
+ ==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
+ ==985738== at 0x4839809: malloc (vg_replace_malloc.c:307)
+ ==985738== by 0x48957E1: _pam_strdup (pam_misc.c:129)
+ ==985738== by 0x489851B: _pam_start_internal (pam_start.c:85)
+ ==985738== by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
+ ==985738== by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
+ ==985738== by 0x484AFEE: pam_start (pam_wrapper.c:1483)
+ ==985738== by 0x401723: setup_noconv (test_pam_wrapper.c:189)
+ ==985738== by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
+ ==985738== by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
+ ==985738== by 0x403EE5: main (test_pam_wrapper.c:1059)
+
+2020-11-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: allow environment files without EOL at EOF.
+ Fixes #263
+
+ * modules/pam_env/pam_env.c (_assemble_line): Do not error out if at feof()
+
+2020-11-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ Prepare for 1.5.0 release.
+ * configure.ac (AC_INIT): Raise version to 1.5.0.
+ * NEWS: Update.
+
+2020-11-03 ikerexxe <ipedrosa@redhat.com>
+
+ pam_ftp: fix potential memory leak.
+ modules/pam_ftp/pam_ftp.c: free anon_user before returning as it may be
+ still in use.
+
+ pam_faillock: fix unread store statement.
+ modules/pam_faillock/main.c: remove store statement since the value is
+ only read in the enclosing expression.
+
+ pam_dispatch: fix unread store statement.
+ libpam/pam_dispatch: remove store statement since the value is never
+ read.
+
+2020-10-29 Dmitry V. Levin <ldv@altlinux.org>
+
+ Remove deprecated pam_tally and pam_tally2 modules.
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
+ --enable-tally --enable-tally2.
+ * configure.ac: Remove --enable-tally and --enable-tally2 options.
+ (AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
+ (AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and
+ modules/pam_tally2/Makefile.
+ * doc/sag/pam_tally.xml: Remove.
+ * doc/sag/pam_tally2.xml: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and
+ pam_tally2.xml.
+ * modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove.
+ (SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2.
+ * modules/pam_tally/.gitignore: Remove.
+ * modules/pam_tally/Makefile.am: Likewise.
+ * modules/pam_tally/README.xml: Likewise.
+ * modules/pam_tally/faillog.h: Likewise.
+ * modules/pam_tally/pam_tally.8.xml: Likewise.
+ * modules/pam_tally/pam_tally.c: Likewise.
+ * modules/pam_tally/pam_tally_app.c: Likewise.
+ * modules/pam_tally/tst-pam_tally: Likewise.
+ * modules/pam_tally2/.gitignore: Likewise.
+ * modules/pam_tally2/Makefile.am: Likewise.
+ * modules/pam_tally2/README.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.8.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.c: Likewise.
+ * modules/pam_tally2/pam_tally2_app.c: Likewise.
+ * modules/pam_tally2/tallylog.h: Likewise.
+ * modules/pam_tally2/tst-pam_tally2: Likewise.
+ * modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing
+ pam_tally with pam_timestamp.
+ * po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c,
+ ./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c,
+ and ./modules/pam_tally2/pam_tally2.c.
+ * NEWS: Document this change.
+
+ Remove deprecated pam_cracklib module.
+ * ci/install-dependencies.sh: Remove libcrack2-dev.
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
+ --enable-cracklib=check.
+ * conf/pam.conf: Remove references to pam_cracklib.so.
+ * configure.ac: Remove --enable-cracklib option.
+ (AC_SUBST): Remove LIBCRACK.
+ (AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB.
+ (AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile.
+ * doc/sag/pam_cracklib.xml: Remove.
+ * doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml.
+ * modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove.
+ (SUBDIRS): Remove MAYBE_PAM_CRACKLIB.
+ * modules/pam_cracklib/Makefile.am: Remove.
+ * modules/pam_cracklib/README.xml: Likewise.
+ * modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
+ * modules/pam_cracklib/pam_cracklib.c: Likewise.
+ * modules/pam_cracklib/tst-pam_cracklib: Likewise.
+ * xtests/tst-pam_cracklib1.c: Likewise.
+ * xtests/tst-pam_cracklib1.pamd: Likewise.
+ * xtests/tst-pam_cracklib2.c: Likewise.
+ * xtests/tst-pam_cracklib2.pamd: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib
+ in examples with pam_passwdqc.
+ * modules/pam_unix/pam_unix.8.xml: Likewise.
+ * po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c.
+ * xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2.
+ * xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd
+ and tst-pam_cracklib2.pamd.
+ (XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2.
+ * NEWS: Document this change.
+
+2020-10-27 DDoSolitary <DDoSolitary@gmail.com>
+
+ pam_env: fix a typo in doc of pam_env.conf.
+
+2020-10-25 Christian Göttsche <cgzones@googlemail.com>
+
+ Add missing format function attributes and enable -Wmissing-format-attribute
+ Exported functions already have these attributes, add them to other functions.
+ This enables compilers to find format specifier mismatches, like:
+
+ foo_print("Hello %d", "world")
+
+ * m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wmissing-format-attribute.
+ * conf/pam_conv1/Makefile.am (AM_CFLAGS): Add -I$(top_srcdir)/libpam/include.
+ * conf/pam_conv1/pam_conv_y.y: Include <security/_pam_types.h>.
+ (yyerror): Add printf format attribute.
+ * modules/pam_pwhistory/opasswd.c (helper_log_err): Likewise.
+ * modules/pam_rootok/pam_rootok.c (log_callback): Likewise.
+ * modules/pam_tally/pam_tally.c (tally_log): Likewise.
+ * modules/pam_tally2/pam_tally2.c (tally_log): Likewise.
+ * modules/pam_unix/passverify.c (helper_log_err): Likewise.
+
+2020-10-21 Milo Casagrande <milo@milo.name>
+ Milo Casagrande <milo@milo.name>
+
+ po: update translations using Weblate (Italian)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2020-10-21 Yaron Shahrabani <sh.yaron@gmail.com>
+ Yaron Shahrabani <sh.yaron@gmail.com>
+
+ po: update translations using Weblate (Hebrew)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-10-21 ikerexxe <ipedrosa@redhat.com>
+
+ pam_motd: unset prompt value to drop privileges.
+ modules/pam_motd/pam_motd.c: set NULL value instead of "key user" for the
+ prompt when dropping privileges.
+
+2020-10-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_modutil_sanitize_fds: Add explicit casts to avoid warnings.
+
+ Revert "libpam/pam_modutil_sanitize.c: optimize the way to close fds"
+ This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
+
+2020-10-14 ikerexxe <ipedrosa@redhat.com>
+
+ pam_motd: document file filtering.
+ modules/pam_motd/pam_motd.8.xml: document file filtering of motd
+ messages.
+ NEWS: annotate change.
+
+2020-10-14 ikerexxe <ipedrosa@redhat.com>
+
+ pam_motd: filter motd by user and group.
+ modules/pam_motd/pam_motd.c: filter motd by user and group owning the
+ proper files. This is achieved by changing the ids of the process
+ reading the files from root to the target user.
+
+ Resolves:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1861640
+
+2020-10-13 Mikhail Labiuk <m.labyuk@omprussia.ru>
+
+ pam_faillock: fix invalid error message.
+ args_parse function pass "conf=" argument to set_conf_opt() after handling by self.
+ set_conf_opt is not able to handle "conf" argument and write error:
+ sddm-helper[415]: pam_faillock(sddm:auth): Unknown option: conf
+
+2020-10-05 ikerexxe <ipedrosa@redhat.com>
+
+ pam_namespace: polyinstantiation refer to gdm doc.
+ modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
+ about polyinstantiation and refer to gdm's documentation.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
+
+2020-09-30 Anton D. Kachalov <rnouse@google.com>
+
+ Prevent SEGFAULT for unknown UID.
+ When running systemd service with DynamicUser being set, the dynamic UID
+ might be not mapped to user name (/etc/nsswitch.conf is not configured
+ with systemd nss module).
+
+ The getuidname() routine might return NULL and this is not checked by callee.
+
+2020-09-10 ikerexxe <ipedrosa@redhat.com>
+
+ pam_wheel: clarify use_uid option in man page.
+ modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
+ real uid of the calling process.
+
+2020-09-10 ikerexxe <ipedrosa@redhat.com>
+
+ pam_wheel: if getlogin fails fallback to PAM_RUSER.
+ modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
+ ID, then try with PAM_RUSER.
+
+ Resolves:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1866866
+
+2020-09-10 ikerexxe <ipedrosa@redhat.com>
+
+ pam_wheel: improve coding style.
+ modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
+ condition statements
+
+2020-08-08 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure: add --disable-unix option.
+ Some distributions do not build pam_unix, e.g. ALT uses pam_tcb instead.
+ Add a configure option to disable build of pam_unix so that those who
+ choose not to build pam_unix no longer have to edit modules/Makefile.am
+ file. The default is unchanged, i.e. build of pam_unix is enabled.
+
+ * configure.ac (AC_ARG_ENABLE): Add unix.
+ (AM_CONDITIONAL): Add COND_BUILD_PAM_UNIX.
+ * modules/Makefile.am [COND_BUILD_PAM_UNIX] (MAYBE_PAM_UNIX): Define.
+ (SUBDIRS): Replace pam_unix with $(COND_BUILD_PAM_UNIX).
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ Build all installed executables with -Wl,-z,now if available.
+ This makes them built with full RELRO if -Wl,-z,relro is specified.
+
+ * m4/ld-z-now.m4: New file.
+ * m4/.gitignore: Add it to exclude list.
+ * configure.ac: Call PAM_LD_Z_NOW.
+ (EXE_LDFLAGS): Append $ZNOW_LDFLAGS.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: build all helpers with proper CFLAGS and LDFLAGS.
+ This makes all installed executables built with @EXE_CFLAGS@ and
+ @EXE_LDFLAGS@.
+
+ * modules/pam_mkhomedir/Makefile.am (mkhomedir_helper_CFLAGS,
+ mkhomedir_helper_LDFLAGS): New variables.
+ * modules/pam_tally/Makefile.am (pam_tally_CFLAGS, pam_tally_LDFLAGS):
+ Likewise.
+ * modules/pam_tally2/Makefile.am (pam_tally2_CFLAGS,
+ pam_tally2_LDFLAGS): Likewise.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: rename PIE_* AC_SUBST variables to EXE_*
+ There are going to be other options added to CFLAGS and LDFLAGS
+ of executables made along with modules.
+
+ * configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from
+ PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of
+ PIE_CFLAGS and PIE_LDFLAGS. All users updated.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ m4: make libprelude-config diagnostics less noisy.
+ Before this change, every normal build of Linux-PAM used to contain
+ the following diagnostics:
+
+ checking for libprelude-config... no
+ checking for libprelude - version >= 0.9.0... no
+ *** The libprelude-config script installed by LIBPRELUDE could not be found
+ *** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in
+ *** your path, or set the LIBPRELUDE_CONFIG environment variable to the
+ *** full path to libprelude-config.
+
+ Given that libprelude-config is rarely used nowadays,
+ the first two lines of diagnostics should be enough.
+
+ * m4/libprelude.m4 (AM_PATH_LIBPRELUDE): When libprelude-config
+ is not found, do not print the lengthy diagnostics unless
+ --with-libprelude-prefix was specified.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure.ac: rewrite --disable-pie and -fpie/pie check.
+ * configure.ac: Rewrite -fpie/pie check using AC_LINK_IFELSE to make
+ the code more readable. Add --enable-pie=check support and make it
+ the default, terminate if --enable-pie is specified but -fpie/pie
+ support is not available.
+
+ m4: rewrite ld --no-undefined check.
+ * m4/ld-no-undefined.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+ autoconf macro.
+
+ m4: rewrite ld --as-needed check.
+ * m4/ld-as-needed.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+ autoconf macro.
+
+ m4: rewrite ld -O1 check.
+ * m4/ld-O1.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+ autoconf macro.
+
+2020-08-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ m4: rewrite __attribute__((unused)) check.
+ Rewrite using AC_CACHE_CHECK to create a more readable autoconf macro.
+
+ * m4/attribute.m4: New file.
+ * m4/japhar_grep_cflags.m4: Remove.
+ * m4/.gitignore: Replace japhar_grep_cflags.m4 with attribute.m4.
+ * configure.ac: Replace AC_C___ATTRIBUTE__ with PAM_ATTRIBUTE_UNUSED.
+
+2020-08-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: add -Wcast-align=strict to WARN_CFLAGS.
+ This way -Wcast-align will be tested regardless of the target machine.
+
+ * m4/warn_lang_flags.m4: Add gl_WARN_ADD([-Wcast-align=strict]).
+
+2020-08-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure.ac: rewrite WARN_CFLAGS initialization.
+ As the old machinery was not prepared for adding compiler options
+ conditionally when the compiler supports them, replace it with
+ a new machinery that implements this.
+
+ * m4/warnings.m4: New file.
+ * m4/warn_lang_flags.m4: Likewise.
+ * m4/.gitignore: Add exclusions for them.
+ * m4/japhar_grep_cflags.m4 (JAPHAR_GREP_CFLAGS): Remove.
+ * configure.ac: Call pam_WARN_LANG_FLAGS. Remove all uses
+ of JAPHAR_GREP_CFLAGS.
+
+2020-08-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix -Wcast-align compilation warnings on arm.
+ Apparently, gcc is also not smart enough to infer the alignment
+ of structure fields, for details see
+ https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133
+
+ Use unions to avoid these casts altogether, this fixes compilation
+ warnings reported by gcc on arm, e.g.:
+
+ md5.c: In function 'MD5Update':
+ md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align]
+ 92 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+ md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align]
+ 101 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+ md5.c: In function 'MD5Final':
+ md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align]
+ 136 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+ md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align]
+ 147 | memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+ | ^
+ md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align]
+ 149 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ | ^
+
+ * modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and
+ "in" fields with unions. All users updated.
+ * modules/pam_unix/md5.h (struct MD5Context): Likewise.
+ * modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace
+ with a union. All users updated.
+
+ Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
+
+2020-08-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: fix big-endian check in md5 implementation.
+ * modules/pam_namespace/md5.c: Do not check against the list of
+ architectures that are known to be little-endian, instead check
+ for WORDS_BIGENDIAN macro defined by AC_C_BIGENDIAN autoconf macro
+ on big-endian platforms.
+
+2020-08-05 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_namespace: skip context translation.
+ These retrieved contexts are just passed to libselinux functions and not
+ printed or otherwise made available to the outside, so a context
+ translation to human readable MCS/MLS labels is not needed.
+ (see man:setrans.conf(5))
+
+ pam_xauth: skip context translation.
+ The retrieved context is just passed to libselinux functions and not
+ printed or otherwise made available to the outside, so a context
+ translation to human readable MCS/MLS labels is not needed.
+ (see man:setrans.conf(5))
+
+ pam_xauth: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+ pam_unix: skip context translation.
+ These retrieved contexts are just passed to libselinux functions and not
+ printed or otherwise made available to the outside, so a context
+ translation to human readable MCS/MLS labels is not needed.
+ (see man:setrans.conf(5))
+
+ pam_unix: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+ pam_rootok: skip context translation.
+ The retrieved context is just passed to the libselinux function
+ 'selinux_check_access()', so a context translation to human readable
+ MCS/MLS labels is not needed. (see man:setrans.conf(5))
+
+ pam_rootok: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+ pam_namespace: replace deprecated matchpathcon.
+ The matchpathcon family is deprecated.
+ Use the selabel family.
+
+ pam_namespace: replace deprecated security_context_t.
+ libselinux 3.1 deprecated the typedef security_context_t.
+ Use the underlaying type.
+
+2020-08-03 Christian Göttsche <cgzones@googlemail.com>
+
+ autotools: enable warnings.
+
+2020-08-03 Christian Göttsche <cgzones@googlemail.com>
+
+ autotools: update deprecated macros.
+ see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Obsolete-Macros.html
+
+ - update AC_HELP_STRING to AS_HELP_STRING
+ - update AC_TRY_COMPILE to AC_COMPILE_IFELSE
+ - update AC_TRY_RUN to AC_RUN_IFELSE
+ - update AC_TRY_LINK to AC_LINK_IFELSE
+
+2020-08-03 Issam Maghni <concatime@users.noreply.github.com>
+
+ configure.ac: fix typo in --with-kernel-overflow-uid= option to match its documentation
+
+2020-07-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Add comment for the ignored PAM_AUTHTOK_ERR case.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Add comment
+ about the reason for ignoring PAM_AUTHTOK_ERR.
+
+2020-07-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix missing initialization of daysleft.
+ The daysleft otherwise stays uninitialized if there is no shadow entry.
+
+ Regression from commit f5adefa.
+
+ Fixes #255
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
+
+2020-07-20 Charles Lee <lchopn@gmail.com>
+
+ po: update translations using Weblate (Chinese (Simplified))
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
+
+2020-07-20 ikerexxe <ipedrosa@redhat.com>
+
+ pam_pwhistory: add helper to handle SELinux.
+ The purpose of the helper is to enable tighter confinement of login and
+ password changing services. The helper is thus called only when SELinux
+ is enabled on the system.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/247
+
+2020-07-19 A S Alam <amanpreet.alam@gmail.com>
+
+ po: update translations using Weblate (Punjabi)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pa/
+
+2020-07-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_inline.h: cleanup pam_read_passwords a bit.
+ * libpam/include/pam_inline.h (pam_read_passwords): Increment pptr once
+ instead of using pptr+1 several times. This change is not expected
+ to affect the code generated by the compiler as the latter is likely
+ to perform the optimization itself.
+
+2020-07-15 ikerexxe <ipedrosa@redhat.com>
+
+ Move read_passwords function from pam_unix to pam_inline.h.
+ [ldv: rewrote commit message]
+
+ * modules/pam_unix/passverify.h (read_passwords): Remove prototype.
+ * modules/pam_unix/passverify.c (read_passwords): Move ...
+ * libpam/include/pam_inline.h: ... here, rename to pam_read_passwords,
+ add static inline qualifiers.
+ Include <unistd.h> and <errno.h>.
+ * modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
+ (main): Replace read_passwords with pam_read_passwords.
+ * modules/pam_unix/unix_update.c: Include "pam_inline.h".
+ (set_password): Replace read_passwords with pam_read_passwords.
+
+2020-07-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: use PAM_MAX_RESP_SIZE instead of its alias MAXPASS.
+ * modules/pam_unix/passverify.h (MAXPASS): Remove.
+ * modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS
+ with PAM_MAX_RESP_SIZE.
+ * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise.
+ * modules/pam_unix/support.c (_unix_verify_password): Likewise.
+ * modules/pam_unix/unix_chkpwd.c (main): Likewise.
+ * modules/pam_unix/unix_update.c (set_password): Likewise.
+
+2020-07-09 Lucas Ramage <ramage.lucas@protonmail.com>
+
+ pam_stress: create man page.
+ Resolves: https://github.com/linux-pam/linux-pam/issues/148
+
+ * modules/pam_stress/README: Remove.
+ * modules/pam_stress/README.xml: New file.
+ * modules/pam_stress/pam_stress.8.xml: Likewise.
+ * modules/pam_stress/Makefile.am (MAINTAINERCLEANFILES): Add
+ $(MANS) and README.
+ (EXTRA_DIST): Add $(XMLS).
+ (XMLS): Add README.xml and pam_stress.8.xml.
+ [HAVE_DOC] (dist_man_MANS): Add pam_stress.8.
+ [ENABLE_REGENERATE_MAN] (dist_noinst_DATA): Add README.
+ [ENABLE_REGENERATE_MAN]: Include $(top_srcdir)/Make.xml.rules.
+ * modules/pam_stress/.gitignore: Remove.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/184
+
+2020-07-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ po: update translations using Weblate (Slovak)
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+ po: update translations using Weblate (Portuguese (Brazil))
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ po: update translations using Weblate (Dutch)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+ po: update translations using Weblate (Italian)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+ po: update translations using Weblate (German)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+ po: update translations using Weblate (Catalan)
+
+ Currently translated at 100.0% (122 of 122 strings).
+
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2020-07-05 Yaron Shahrabani <sh.yaron@gmail.com>
+
+ Translated using Weblate (Hebrew)
+ Currently translated at 75.4% (92 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+ Translated using Weblate (Arabic)
+
+ Currently translated at 61.4% (75 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ar/
+
+2020-07-02 Dmitry V. Levin <ldv@altlinux.org>
+
+ misc_conv: fix potential information leak on error path.
+ * libpam_misc/misc_conv.c (read_string): Clear the stack buffer from
+ data read earlier from stdin in case of a read error.
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ pam_loginuid: fix unlikely negative 3rd argument of strncmp on error path
+ [ldv: rewrote commit message]
+
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Do not pass to
+ strncmp the return value of pam_modutil_read in an unlikely case when
+ the latter fails to read from /proc/self/uid_map.
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ pam_namespace, pam_mkhomedir: fix unlikely descriptor leaks on error path
+ [ldv: rewrote commit message]
+
+ * modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just
+ opened file descriptor "srcfd" in an unlikely case when it cannot be
+ fstat'ed.
+ * modules/pam_namespace/pam_namespace.c (create_instance): Close just
+ opened file descriptor "fd" in an unlikely case when it cannot be
+ fstat'ed.
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ pam_rootok: fix use of va_list.
+ CPPCHECK_WARNING (CWE-843):
+ error[va_end_missing]: va_list 'ap' was opened but not closed by
+ va_end().
+
+ [ldv: According to POSIX documentation, each invocation of va_start()
+ must be matched by a corresponding invocation of va_end().
+
+ According to the GNU libc documentation, "with most C compilers,
+ calling 'va_end' does nothing. This is always true in the GNU C
+ compiler. But you might as well call 'va_end' just in case your
+ program is someday compiled with a peculiar compiler."
+
+ The main reason for applying this change is to pacify static analysis
+ tools like cppcheck that insist on strict POSIX conformance in this
+ respect.]
+
+2020-07-01 ikerexxe <ipedrosa@redhat.com>
+
+ misc_conv: fix potential stack buffer overflow.
+ [ldv: rewrote commit message]
+
+ * libpam_misc/misc_conv.c (read_string): Use _pam_overwrite_n instead
+ of _pam_overwrite to clear stack buffer "line" because the latter does
+ not have to be null-terminated.
+
+2020-07-01 Yaron Shahrabani <sh.yaron@gmail.com>
+
+ Translated using Weblate (Hebrew)
+ Currently translated at 60.6% (74 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-06-30 Dmitry V. Levin <ldv@altlinux.org>
+
+ misc_conv: remove redundant check.
+ * libpam_misc/misc_conv.c (read_string): Remove redundant nc > 0
+ check as it has already been tested in the previous condition.
+
+2020-06-29 ikerexxe <ipedrosa@redhat.com>
+
+ pam_limits: clarify configuration file.
+ Resolves: https://github.com/linux-pam/linux-pam/pull/249
+
+2020-06-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ .gitignore: move doc-specific entries to doc/.gitignore.
+
+ .gitignore: move module-specific entries to modules/.gitignore.
+
+2020-06-26 ikerexxe <ipedrosa@redhat.com>
+
+ pam_namespace: add systemd service file to gitignore.
+ * modules/pam_namespace/.gitignore: Add pam_namespace.service.
+
+ Complements: v1.4.0~247 ("pam_namespace: secure tmp-inst directories")
+
+2020-06-26 ikerexxe <ipedrosa@redhat.com>
+
+ pam_faillock: add faillock executable to gitignore.
+ * modules/pam_faillock/.gitignore: Add faillock.
+
+ Complements: v1.4.0~76 ("pam_faillock: New module for locking after multiple auth failures")
+
+2020-06-25 ikerexxe <ipedrosa@redhat.com>
+
+ pam_env: clarify user_readenv option.
+
+2020-06-24 Baurzhan Muftakhidinov <baurthefirst@gmail.com>
+
+ Translated using Weblate (Kazakh)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
+
+2020-06-24 Yaron Shahrabani <sh.yaron@gmail.com>
+
+ Translated using Weblate (Hebrew)
+ Currently translated at 44.2% (54 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-06-22 Vito Caputo <vcaputo@pengaru.com>
+
+ modules/pam_limits: add support for nonewprivs.
+ Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item.
+
+ The valid values are a boolean toggle 0/1 to keep semi-consistent
+ with the other numeric limits. It's slightly awkward as this is
+ an oddball relative to the other items in pam_limits but outside
+ of the item value itself this does seem at home in pam_limits.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/224
+ Resolves: https://github.com/linux-pam/linux-pam/pull/225
+
+2020-06-17 ikerexxe <ipedrosa@redhat.com>
+
+ pam_usertype: avoid determining if user exists.
+ Taking a look at the time for the password prompt to appear it was
+ possible to determine if a user existed in a system. Solved it by
+ matching the runtime until the password prompt was shown by always
+ checking the password hash for an existing and a non-existing user.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+
+2020-06-17 ikerexxe <ipedrosa@redhat.com>
+
+ pam_unix: avoid determining if user exists.
+ Taking a look at the time for the password prompt to appear it was
+ possible to determine if a user existed in a system. Solved it by
+ matching the runtime until the password prompt was shown by always
+ checking the password hash for an existing and a non-existing user.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+
+2020-06-17 ikerexxe <ipedrosa@redhat.com>
+
+ pam_faillock: change /run/faillock/$USER permissions to 0660.
+ Nowadays, /run/faillock/$USER files have user:root ownership and 0600
+ permissions. This forces the process that writes to these files to have
+ CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
+ the capability can be removed, which leads to a more secure system.
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
+
+2020-06-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_modutil_check_user_in_passwd: avoid timing attacks.
+ * libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do
+ not exit the file reading loop when the user is found, continue reading
+ the file to avoid timing attacks.
+
+2020-06-15 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ pam_faillock: fix build on musl.
+ Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of
+ fgetpwent_r which is not available on musl.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/236
+ Resolves: https://github.com/linux-pam/linux-pam/pull/237
+ Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
+
+2020-06-15 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ Move check_user_in_passwd from pam_localuser.c to pam_modutil.
+
+ * modules/pam_localuser/pam_localuser.c: Include
+ <security/pam_modutil.h>.
+ (pam_sm_authenticate): Replace check_user_in_passwd with
+ pam_modutil_check_user_in_passwd.
+ (check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd,
+ move to ...
+ * libpam/pam_modutil_check_user.c: ... new file.
+ * libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
+ * libpam/include/security/pam_modutil.h
+ (pam_modutil_check_user_in_passwd): New function declaration.
+ * libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
+
+2020-06-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure.ac: fix non-portable use of test builtin.
+ Portable code should not assume that test builtin supports == operator.
+
+ * configure.ac (opt_uidmin, opt_sysuidmin, opt_kerneloverflowuid): Fix
+ initialization.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/241
+ Fixes: 926d7935e ("pam_usertype: new module to tell if uid is in login.defs ranges")
+
+2020-06-11 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: fix build failure when crypt() does not require libcrypt.
+ Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails
+ if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/235
+ Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
+ Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
+
+2020-06-04 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: do not generate tarballs compressed with bzip2 and gzip.
+ There are tarballs compressed with xz, that should be enough.
+
+ * Makefile.am (AUTOMAKE_OPTIONS): Remove dist-bzip2, add no-dist-gzip.
+ (releasedocs): Do not create Linux-PAM-$(VERSION)-docs.tar.bz2
+ and Linux-PAM-$(VERSION)-docs.tar.gz.
+
+2020-06-04 Dmitry V. Levin <ldv@altlinux.org>
+
+ maint: document release procedure.
+ * maint/README-release: New file.
+
+ maint: introduce gen-tag-message.
+ * maint/gen-tag-message: New script for preparing tag message.
+
+ maint: introduce make-dist.
+ * maint/make-dist: New script for preparing release tarballs.
+
+2020-06-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ gitlog-to-changelog: update from gnulib.
+
+2020-05-29 Josef Möllers <jmoellers@suse.de>
+ Tomáš Mráz <tmraz@redhat.com>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: skip mountpoints equal to the user's $HOME.
+ Matthias Gerstner found the following issue:
+
+ <quote>
+ So this pam_setquota module iterates over all mounted file systems using
+ `setmntent()` and `getmntent()`. It tries to find the longest match of
+ a file system mounted on /home/$USER or above (except when the
+ fs=/some/path parameter is passed to the pam module).
+
+ The thing is that /home/$USER is owned by the unprivileged user. And
+ there exist tools like fusermount from libfuse which is by default
+ installed setuid-root for everybody. fusermount allows to mount a FUSE
+ file system using an arbitrary "source device name" as the unprivileged
+ user.
+
+ Thus considering the following use case:
+
+ 1) there is only the root file system (/) or a file system is mounted on
+ /home, but not on /home/$USER.
+ 2) the attacker mounts a fake FUSE file system over its own home directory:
+
+ ```
+ user $ export _FUSE_COMMFD=0
+ user $ fusermount $HOME -ononempty,fsname=/dev/sda1
+ ```
+
+ This will result in a mount entry in /proc/mounts looking like this:
+
+ ```
+ /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
+ ```
+ 3) when the attacker now logs in with pam_setquota configured then
+ pam_setquota will identify /dev/sda1 and the file system where
+ to apply the user's quota on.
+
+ As a result an unprivileged user has full control over onto which block
+ device the quota is applied.
+ </quote>
+
+ If the user's $HOME is on a separate partition, setting a quota on the
+ user's $HOME does not really make sense, so this patch skips mountpoints
+ equal to the user's $HOME, preventing the above mentioned bug as
+ a side-effect (or vice-versa).
+
+ Reported-by: Matthias Gerstner <mgerstner@suse.de>
+ Resolves: https://github.com/linux-pam/linux-pam/pull/230
+
+2020-05-25 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_debug: do not invoke pam_get_user and do not set PAM_USER.
+ pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
+ pam_get_user returns an empty string as the user name. When either of
+ these functions returned an error value, it used to return that error
+ value. This hasn't been documented, and I couldn't find any rationale
+ for this behaviour.
+
+ * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
+ pam_get_user and pam_set_item.
+
+2020-05-24 Yi-Jyun Pan <pan93412@gmail.com>
+
+ Translated using Weblate (Chinese (Traditional))
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: downgrade syslog level for errors related to pam_get_user.
+ * modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
+ the syslog level for diagnostics of errors returned by
+ pam_modutil_getpwnam for users returned by pam_get_user
+ from LOG_ERR to LOG_NOTICE.
+ * modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
+ * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+ * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
+ pam_sm_close_session): Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
+ the syslog level for diagnostics of errors returned by
+ pam_modutil_getpwnam for users returned by pam_get_user
+ from LOG_WARNING to LOG_NOTICE.
+
+ Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: downgrade syslog level for pam_get_user errors.
+ * modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
+ the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
+ * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
+ * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
+ * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
+ * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+ * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+ * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+ * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
+ pam_sm_acct_mgmt): Likewise.
+ * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
+ pam_sm_close_session): Likewise.
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check):
+ Downgrade the syslog level for pam_get_user errors from LOG_WARNING
+ to LOG_NOTICE.
+ * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
+
+ Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: add a test for return values.
+ * modules/pam_localuser/tst-pam_localuser-retval.c: New file.
+ * modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.
+
+ pam_localuser: refactor pam_sm_authenticate.
+ * modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
+ function.
+ (pam_sm_authenticate): Use it.
+
+2020-05-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: downgrade syslog level for errors related to user input.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
+ the syslog level for errors related to pam_get_user from LOG_ERR to
+ LOG_NOTICE.
+
+ Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: re-format pam_sm_* function declarations.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: remove unused includes.
+ Also, remove unused MODULE_NAME macro.
+
+ * modules/pam_localuser/pam_localuser.c: Stop including unused header
+ files.
+ (MODULE_NAME): Remove.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: forward error values returned by pam_get_user.
+ Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
+ pam_get_user is guaranteed to return one of the following values:
+ PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
+ replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
+ PAM_SERVICE_ERR.
+ * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
+ new return values.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+ Give the application a chance to handle PAM_INCOMPLETE.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
+ PAM_CONV_AGAIN.
+ * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
+ it.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: open the passwd file after user name validation.
+ Since user name is untrusted input, it should be validated earlier
+ rather than later.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
+ the passwd file after user name validation.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: use BUFSIZ as the line buffer size.
+ As BUFSIZ is the buffer size used in stdio, it must be an efficient size
+ for the line buffer. Also, it's larger than LINE_MAX used as the line
+ buffer size before this change, effectively raising the maximum user
+ name length supported by this module.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
+ LINE_MAX with BUFSIZ.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: handle long lines in passwd files properly.
+ Before this change, a long line in the passwd file used to be treated as
+ several lines which could potentially result to false match and,
+ consequently, to incorrect PAM_SUCCESS return value.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
+ long lines in passwd files properly.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: get rid of a temporary buffer.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
+ copy the user name into a temporary buffer, use the user name itself in
+ comparisons.
+
+ pam_localuser: log unrecognized options.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
+ unrecognized options.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
+ When passwd file cannot be opened or the user name either cannot be
+ obtained or is not valid, return PAM_SERVICE_ERR instead of
+ PAM_SYSTEM_ERR.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: reject user names that are too long.
+ Too long user names used to be truncated which could potentially result
+ to false match and, consequently, to incorrect PAM_SUCCESS return value.
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_SERVICE_ERR if the user name is too long.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_localuser: reject user names containing a colon.
+ "root:x" is not a local user name even if the passwd file contains
+ a line starting with "root:x:".
+
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+ PAM_PERM_DENIED if the user name contains a colon.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: add a test for return values.
+ * modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
+ * modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.
+
+ pam_faildelay: add a test for return values.
+ * modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
+ * modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.
+
+ pam_rootok: add a test for return values.
+ * modules/pam_rootok/tst-pam_rootok-retval.c: New file.
+ * modules/pam_rootok/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_rootok_retval_LDADD): New variables.
+
+ pam_nologin: add a test for return values.
+ * modules/pam_nologin/tst-pam_nologin-retval.c: New file.
+ * modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables.
+
+ pam_echo: add a test for return values.
+ * modules/pam_echo/tst-pam_echo-retval.c: New file.
+ * modules/pam_echo/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_echo_retval_LDADD): New variables.
+
+ pam_warn: add a test for return values.
+ * modules/pam_warn/tst-pam_warn-retval.c: New file.
+ * modules/pam_warn/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_warn_retval_LDADD): New variables.
+
+ pam_debug: add a test for return values.
+ * modules/pam_debug/tst-pam_debug-retval.c: New file.
+ * modules/pam_debug/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_debug_retval_LDADD): New variables.
+
+ pam_permit: add a test for return values.
+ * modules/pam_permit/tst-pam_permit-retval.c: New file.
+ * modules/pam_permit/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_permit_retval_LDADD): New variables.
+
+ pam_deny: add a test for return values.
+ * modules/pam_deny/tst-pam_deny-retval.c: New file.
+ * modules/pam_deny/Makefile.am (TESTS): Add $(check_PROGRAMS).
+ (check_PROGRAMS, tst_pam_deny_retval_LDADD): New variables.
+
+2020-05-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce test_assert.h.
+ Introduce a new internal header file for definitions of handy macros
+ providing convenient assertion testing functionality.
+
+ * libpam/include/test_assert.h: New file.
+ * libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.
+
+2020-05-21 Andreas Henriksson <andreas+fedora@fatal.se>
+
+ Translated using Weblate (Swedish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
+
+2020-05-17 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: fix the description of stack jump effects.
+ Every stack jump, besides the jump itself, has a side effect which is
+ one of 'ignore', 'ok', or 'bad'. Unfortunately, the side effect is far
+ from obvious because it depends on the PAM function call, and the
+ documentation that contradicts the implementation does not help either.
+
+ * doc/man/pam.conf-syntax.xml (actionN): Rewrite the description
+ of stack jump effects to match the implementation.
+
+ Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56
+
+2020-05-17 Weblate (bot) <noreply@weblate.org>
+ Allan Nordhøy <epost@anotheragency.no>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ Translations update from Weblate (#227)
+ * Translated using Weblate (Norwegian Bokmål)
+
+ Currently translated at 99.1% (121 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nb_NO/
+
+ * Translated using Weblate (Catalan)
+
+ Currently translated at 98.3% (120 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2020-05-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: do not check user name for emptyness before passing it to pam_modutil_getpwnam
+ pam_modutil_getpwnam is perfectly capable of handling empty strings as
+ user names, no need to double check that.
+
+ * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
+ the user name for emptyness before passing it to pam_modutil_getpwnam.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
+ * modules/pam_shells/pam_shells.c (perform_check): Likewise.
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+ * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_usertype: Document return values forwarded from pam_get_user.
+ * modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR and PAM_CONV_ERR return values.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_usertype: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+ Give the application a chance to handle PAM_INCOMPLETE.
+
+ * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Return
+ PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
+ PAM_CONV_AGAIN.
+ * modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document it.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_faillock: Document return values forwarded from pam_get_user.
+ * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR and PAM_CONV_ERR return values.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+ Give the application a chance to handle PAM_INCOMPLETE.
+
+ * modules/pam_faillock/pam_faillock.c (get_pam_user): Return
+ PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
+ PAM_CONV_AGAIN.
+ * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_securetty: forward error values returned by pam_get_user.
+ Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
+ pam_get_user is guaranteed to return one of the following values:
+ PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
+
+ * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
+ replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
+ PAM_SERVICE_ERR.
+ * modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
+ new return values.
+
+2020-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS
+ If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
+ to be a valid C string, no need to double check that.
+
+ * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
+ for NULL the user name returned by pam_get_user when the latter returned
+ PAM_SUCCESS.
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
+ * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
+ * modules/pam_filter/pam_filter.c (process_args): Likewise.
+ * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
+ * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
+ * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
+ * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
+ * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
+ * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
+ * modules/pam_shells/pam_shells.c (perform_check): Likewise.
+ * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
+ * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
+ * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
+ * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
+ * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
+ * modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
+ * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
+ Likewise.
+
+2020-05-14 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_umask: Document return values forwarded from pam_get_user.
+ * modules/pam_umask/pam_umask.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
+
+ pam_exec: Document return values forwarded from pam_get_user.
+ * modules/pam_exec/pam_exec.8.xml (RETURN VALUES): Document
+ PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
+
+2020-05-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ Deprecate pam_cracklib, pam_tally, and pam_tally2.
+ Deprecate pam_cracklib, there are two better alternatives to this
+ obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
+ from libpwquality project.
+
+ Deprecate pam_tally and pam_tally2 in favour of pam_faillock.
+
+ * configure.ac: Implement --enable-cracklib=check that enables build
+ of pam_cracklib when libcrack is available.
+ Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
+ * NEWS: Mention this change.
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add
+ --enable-tally, --enable-tally2, and --enable-cracklib=check
+ to check build of these deprecated modules.
+
+2020-05-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ NEWS: update.
+
+2020-05-12 Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
+
+ Use correct path for pam_namespace.service file (#223)
+
+2020-05-09 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: fix return value when the user is unknown.
+ Following the bad example in pam_mkhomedir module, from the very
+ beginning pam_setquota module used to return PAM_CRED_INSUFFICIENT
+ when pam_modutil_getpwnam() returned an error. Fix this now
+ by changing the return value to PAM_USER_UNKNOWN.
+
+ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Return
+ PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
+ * modules/pam_setquota/pam_setquota.8.xml (PAM_CRED_INSUFFICIENT):
+ Replace with PAM_USER_UNKNOWN.
+
+2020-05-09 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: fix return value when the user is unknown.
+ From the very beginning pam_mkhomedir module used to return
+ PAM_CRED_INSUFFICIENT when getpwnam() or pam_modutil_getpwnam()
+ returned an error. Fix this now by changing the return value
+ to PAM_USER_UNKNOWN.
+
+ * modules/pam_mkhomedir/mkhomedir_helper.c (main): Return
+ PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
+ * modules/pam_mkhomedir/pam_mkhomedir.c (pam_sm_open_session): Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml (PAM_CRED_INSUFFICIENT):
+ Remove.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_user: do not override valid values returned by the conversation function
+ When the conversation function returned a value different from
+ PAM_CONV_AGAIN and provided no response, pam_get_user used to replace
+ the return value with PAM_CONV_ERR. Fix this and replace the return
+ value only if it was PAM_SUCCESS.
+
+ * libpam/pam_item.c (pam_get_user): Do not override valid values
+ returned by the conversation function.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_user: filter conversation function return values.
+ Do not assume that the conversation function provided by the application
+ strictly follows the return values guidelines, replace undocumented
+ return values with PAM_CONV_ERR.
+
+ * libpam/pam_item.c (pam_get_user): If the value returned by the
+ conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR,
+ PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ man: document other valid pam_get_user return values.
+ * doc/man/pam_get_user.3.xml (pam_get_user-return_values): Add
+ PAM_BUF_ERR, PAM_ABORT, and PAM_CONV_AGAIN.
+
+2020-05-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_user: consistently return PAM_SYSTEM_ERR if user specified a NULL pointer
+ pam_get_user returns PAM_SYSTEM_ERR in case of pamh == NULL.
+ In case of user == NULL, however, it used to return PAM_PERM_DENIED,
+ and in case of NULL conversation function it used to return
+ PAM_SERVICE_ERR.
+
+ According to the documentation, PAM_SYSTEM_ERR shall be returned
+ if a NULL pointer was submitted.
+
+ Fix this inconsistency and return PAM_SYSTEM_ERR in each of these
+ programming error cases.
+
+ * libpam/pam_item.c (pam_get_user): Return PAM_SYSTEM_ERR instead of
+ PAM_PERM_DENIED if user == NULL. Return PAM_SYSTEM_ERR instead of
+ PAM_SERVICE_ERR if pamh->pam_conversation == NULL.
+
+2020-05-06 Weblate (bot) <noreply@weblate.org>
+
+ Translations update from Weblate.
+ * Translated using Weblate (Spanish)
+
+ Currently translated at 81.9% (100 of 122 strings)
+
+ * Translated using Weblate (Portuguese)
+
+ Currently translated at 100.0% (122 of 122 strings)
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: remove references to PAM_SM_* macros.
+ Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
+ Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
+ from Linux-PAM), PAM_SM_* macros have no effect.
+
+ modules: remove PAM_SM_* macros.
+ Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
+ Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
+ from Linux-PAM), PAM_SM_* macros have no effect.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_usertype: do not override the default prompt.
+ Following the bad example in pam_succeed_if module, from the very
+ beginning pam_usertype used to override the default prompt used by
+ pam_get_user() with "login: ". Fix this now.
+
+ * modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Do not
+ request PAM_USER_PROMPT item, invoke pam_get_user() with the default
+ prompt.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_succeed_if: do not override the default prompt.
+ From the very beginning pam_succeed_if used to override the default
+ prompt used by pam_get_user() with "login: ". Fix this now.
+
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Do not
+ request PAM_USER_PROMPT item, invoke pam_get_user() with the default
+ prompt.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS.
+ ... and remove $(TESTS) from EXTRA_DIST.
+
+ The change is performed automatically using the following script:
+ sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
+ -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: rename man_MANS to dist_man_MANS.
+ ... and remove $(MANS) from EXTRA_DIST.
+
+ The change is performed automatically using the following script:
+ sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: cleanup pam_namespace.service installation.
+ * modules/pam_namespace/Makefile.am (service_DATA): New variable.
+ (install-data-local): Remove all commands related to servicedir.
+ (uninstall-local): Remove.
+
+ Fixes: 59812d1cf ("pam_namespace: secure tmp-inst directories")
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: add dist_ prefix to *_DATA.
+ ... and remove $(DATA) from EXTRA_DIST.
+
+ The change is performed automatically using the following script:
+ sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp/Makefile.am: rename noinst_PROGRAMS to check_PROGRAMS
+ ... and remove nodist_TESTS.
+
+ * modules/pam_timestamp/Makefile.am (nodist_TESTS): Remove.
+ (TESTS): Replace $(nodist_TESTS) with $(check_PROGRAMS).
+ (noinst_PROGRAMS): Rename to check_PROGRAMS.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp/Makefile.am: rename dist_TESTS to dist_check_SCRIPTS
+ ... and remove it from EXTRA_DIST
+
+ * modules/pam_timestamp/Makefile.am (EXTRA_DIST): Remove $(dist_TESTS).
+ (dist_TESTS): Rename to dist_check_SCRIPTS.
+ (TESTS): Replace $(dist_TESTS) with $(dist_check_SCRIPTS).
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_namespace/Makefile.am: add dist_ prefix to secureconf_SCRIPTS
+ ... and remove $(SCRIPTS) from EXTRA_DIST.
+
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Remove $(SCRIPTS).
+ (secureconf_SCRIPTS): Rename to dist_secureconf_SCRIPTS.
+
+2020-05-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Russian)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+2020-05-03 Yuri Chornoivan <yurchor@ukr.net>
+
+ Translated using Weblate (Ukrainian)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-05-03 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-05-03 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-05-03 scootergrisen <scootergrisen@gmail.com>
+
+ Translated using Weblate (Danish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-05-03 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (122 of 122 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-04-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Update .po and .pot files after adding pam_faillock.
+
+ pam_faillock: Correct the grammar of translated strings.
+ Also make the message the same as in pam_tally2.
+
+ pam_faillock: Add conf option to use a different config file.
+
+ pam_faillock: New module for locking after multiple auth failures.
+
+2020-04-29 Weblate (bot) <noreply@weblate.org>
+ Alesker Abdullayev - FEDORA Azerbaijan <tech@abdullaeff.com>
+ Allan Nordhøy <epost@anotheragency.no>
+
+ Translations update from Weblate (#215)
+ Updated translation using Weblate
+
+ * Translated using Weblate (Azerbaijani)
+
+ Currently translated at 15.8% (19 of 120 strings)
+
+ * Translated using Weblate (Norwegian Bokmål)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+2020-04-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: rework vendordir substitution.
+ Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used,
+ remove stereotypic definitions from other Makefiles, this way we no
+ longer have to worry about vendordir being used somewhere else in
+ documentation files.
+
+ Likewise, define VENDORDIR in config.h and remove stereotypic
+ -DVENDORDIR= additions from other Makefiles, this way we no longer
+ have to worry about VENDORDIR being used somewhere else in the code.
+
+ * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR.
+ (AC_DEFINE_UNQUOTED): Add VENDORDIR.
+ (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
+ * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with
+ @STRINGPARAM_VENDORDIR@.
+ * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
+ * libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
+ * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove.
+ (XSLTPROC_CUSTOM): Remove.
+ * modules/pam_securetty/pam_securetty.c: Move definitions of local
+ macros after config.h to benefit from macros defined there.
+
+2020-04-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ Make.xml.rules: prepare for configure substitutions.
+ * Make.xml.rules: Rename to ...
+ * Make.xml.rules.in: ... new file.
+ * Makefile.am (EXTRA_DIST): Remove Make.xml.rules.
+ * configure.ac (AC_CONFIG_FILES): Add Make.xml.rules.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: replace namespace.init with $(SCRIPTS) in EXTRA_DIST.
+ As namespace.init is listed in secureconf_SCRIPTS which is part of
+ generated SCRIPTS variable.
+
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.init
+ with $(SCRIPTS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_env: remove environment from EXTRA_DIST.
+ * modules/pam_env/Makefile.am (EXTRA_DIST): Remove environment as it is
+ listed in sysconf_DATA which is part of DATA which is already listed in
+ EXTRA_DIST.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: remove $(secureconf_DATA) from EXTRA_DIST.
+ Since the whole $(DATA) is listed in EXTRA_DIST, $(secureconf_DATA)
+ can be safely de-listed.
+
+ * modules/pam_access/Makefile.am (EXTRA_DIST): Remove
+ $(secureconf_DATA).
+ * modules/pam_env/Makefile.am: Likewise.
+ * modules/pam_group/Makefile.am: Likewise.
+ * modules/pam_limits/Makefile.am: Likewise.
+ * modules/pam_namespace/Makefile.am: Likewise.
+ * modules/pam_sepermit/Makefile.am: Likewise.
+ * modules/pam_time/Makefile.am: Likewise.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST.
+ Since the GNU Automake distributes README files by default, the only
+ reason why README had to be listed in EXTRA_DIST was to make these
+ README files generated.
+
+ Since README is also listed in noinst_DATA, we can safely replace
+ README in EXTRA_DIST with $(DATA), this also opens the way for
+ further EXTRA_DIST cleanup.
+
+ * modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: reorder lines to promote uniformity.
+ This is essentially a no-op change that makes modules/*/Makefile.am
+ files less divergent.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules
+ As the rule is now the same in every modules/*/Makefile.am file,
+ move it to Make.xml.rules.
+
+ * Make.xml.rules (README): New prerequisites rule.
+ * modules/pam_access/Makefile.am (README): Remove rule.
+ * modules/pam_cracklib/Makefile.am (README): Likewise.
+ * modules/pam_debug/Makefile.am (README): Likewise.
+ * modules/pam_deny/Makefile.am (README): Likewise.
+ * modules/pam_echo/Makefile.am (README): Likewise.
+ * modules/pam_env/Makefile.am (README): Likewise.
+ * modules/pam_exec/Makefile.am (README): Likewise.
+ * modules/pam_faildelay/Makefile.am (README): Likewise.
+ * modules/pam_filter/Makefile.am (README): Likewise.
+ * modules/pam_ftp/Makefile.am (README): Likewise.
+ * modules/pam_group/Makefile.am (README): Likewise.
+ * modules/pam_issue/Makefile.am (README): Likewise.
+ * modules/pam_keyinit/Makefile.am (README): Likewise.
+ * modules/pam_lastlog/Makefile.am (README): Likewise.
+ * modules/pam_limits/Makefile.am (README): Likewise.
+ * modules/pam_listfile/Makefile.am (README): Likewise.
+ * modules/pam_localuser/Makefile.am (README): Likewise.
+ * modules/pam_loginuid/Makefile.am (README): Likewise.
+ * modules/pam_mail/Makefile.am (README): Likewise.
+ * modules/pam_mkhomedir/Makefile.am (README): Likewise.
+ * modules/pam_motd/Makefile.am (README): Likewise.
+ * modules/pam_namespace/Makefile.am (README): Likewise.
+ * modules/pam_nologin/Makefile.am (README): Likewise.
+ * modules/pam_permit/Makefile.am (README): Likewise.
+ * modules/pam_pwhistory/Makefile.am (README): Likewise.
+ * modules/pam_rhosts/Makefile.am (README): Likewise.
+ * modules/pam_rootok/Makefile.am (README): Likewise.
+ * modules/pam_securetty/Makefile.am (README): Likewise.
+ * modules/pam_selinux/Makefile.am (README): Likewise.
+ * modules/pam_sepermit/Makefile.am (README): Likewise.
+ * modules/pam_setquota/Makefile.am (README): Likewise.
+ * modules/pam_shells/Makefile.am (README): Likewise.
+ * modules/pam_succeed_if/Makefile.am (README): Likewise.
+ * modules/pam_tally/Makefile.am (README): Likewise.
+ * modules/pam_tally2/Makefile.am (README): Likewise.
+ * modules/pam_time/Makefile.am (README): Likewise.
+ * modules/pam_timestamp/Makefile.am (README): Likewise.
+ * modules/pam_tty_audit/Makefile.am (README): Likewise.
+ * modules/pam_umask/Makefile.am (README): Likewise.
+ * modules/pam_unix/Makefile.am (README): Likewise.
+ * modules/pam_userdb/Makefile.am (README): Likewise.
+ * modules/pam_usertype/Makefile.am (README): Likewise.
+ * modules/pam_warn/Makefile.am (README): Likewise.
+ * modules/pam_wheel/Makefile.am (README): Likewise.
+ * modules/pam_xauth/Makefile.am (README): Likewise.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list prerequisites of README target uniformly.
+ There is no need to list prerequisites of README targets manually as
+ all README targets depend on $(XMLS).
+
+ The change is performed automatically using the following script:
+ sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am
+
+ * modules/pam_access/Makefile.am (README): Replace pam_access.8.xml
+ and access.conf.5.xml with $(XMLS).
+ * modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml
+ with $(XMLS).
+ * modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml
+ with $(XMLS).
+ * modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml
+ with $(XMLS).
+ * modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml
+ with $(XMLS).
+ * modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and
+ pam_env.conf.5.xml with $(XMLS).
+ * modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml
+ with $(XMLS).
+ * modules/pam_faildelay/Makefile.am (README): Replace
+ pam_faildelay.8.xml with $(XMLS).
+ * modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml
+ with $(XMLS).
+ * modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with
+ $(XMLS).
+ * modules/pam_group/Makefile.am (README): Replace pam_group.8.xml
+ and group.conf.5.xml with $(XMLS).
+ * modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml
+ with $(XMLS).
+ * modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml
+ with $(XMLS).
+ * modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml
+ with $(XMLS).
+ * modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml
+ and limits.conf.5.xml with $(XMLS).
+ * modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml
+ with $(XMLS).
+ * modules/pam_localuser/Makefile.am (README): Replace
+ pam_localuser.8.xml with $(XMLS).
+ * modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml
+ with $(XMLS).
+ * modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml
+ with $(XMLS).
+ * modules/pam_mkhomedir/Makefile.am (README): Replace
+ pam_mkhomedir.8.xml with $(XMLS).
+ * modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml
+ with $(XMLS).
+ * modules/pam_namespace/Makefile.am (README): Replace
+ pam_namespace.8.xml, namespace.conf.5.xml,
+ and pam_namespace_helper.8.xml with $(XMLS).
+ * modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml
+ with $(XMLS).
+ * modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml
+ with $(XMLS).
+ * modules/pam_pwhistory/Makefile.am (README): Replace
+ pam_pwhistory.8.xml with $(XMLS).
+ * modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml
+ with $(XMLS).
+ * modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml
+ with $(XMLS).
+ * modules/pam_securetty/Makefile.am (README): Replace
+ pam_securetty.8.xml with $(XMLS).
+ * modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml
+ with $(XMLS).
+ * modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml
+ with $(XMLS).
+ * modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml
+ with $(XMLS).
+ * modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml
+ with $(XMLS).
+ * modules/pam_succeed_if/Makefile.am (README): Replace
+ pam_succeed_if.8.xml with $(XMLS).
+ * modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml
+ with $(XMLS).
+ * modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml
+ with $(XMLS).
+ * modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and
+ time.conf.5.xml with $(XMLS).
+ * modules/pam_timestamp/Makefile.am (README): Replace
+ pam_timestamp.8.xml with $(XMLS).
+ * modules/pam_tty_audit/Makefile.am (README): Replace
+ pam_tty_audit.8.xml with $(XMLS).
+ * modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml
+ with $(XMLS).
+ * modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml
+ with $(XMLS).
+ * modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml
+ with $(XMLS).
+ * modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml
+ with $(XMLS).
+ * modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml
+ with $(XMLS).
+ * modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml
+ with $(XMLS).
+ * modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml
+ with $(XMLS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list secureconf_DATA files in EXTRA_DIST uniformly
+ The change was prepared using the following script:
+ git grep -l secureconf_DATA modules/*/Makefile.am |while read m; do
+ t="$(sed '/^secureconf_DATA = /!d;s///;q' -- "$m")"
+ sed -i "/^EXTRA_DIST =/ s/\\<$t\\>/\$(secureconf_DATA)/" -- "$m"
+ done
+
+ * modules/pam_access/Makefile.am (EXTRA_DIST): Replace access.conf with
+ $(secureconf_DATA).
+ * modules/pam_env/Makefile.am (EXTRA_DIST): Replace pam_env.conf with
+ $(secureconf_DATA).
+ * modules/pam_group/Makefile.am (EXTRA_DIST): Replace group.conf with
+ $(secureconf_DATA).
+ * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace limits.conf with
+ $(secureconf_DATA).
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.conf
+ with $(secureconf_DATA).
+ * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace sepermit.conf
+ with $(secureconf_DATA).
+ * modules/pam_time/Makefile.am (EXTRA_DIST): Replace time.conf with
+ $(secureconf_DATA).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list manual pages in EXTRA_DIST uniformly.
+ List in EXTRA_DIST those manual pages that are listed in man_MANS
+ as $(MANS).
+
+ * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace pam_cracklib.8
+ with $(MANS).
+ * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace pam_keyinit.8
+ with $(MANS).
+ * modules/pam_selinux/Makefile.am (EXTRA_DIST): Replace pam_selinux.8
+ with $(MANS).
+ * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace pam_sepermit.8
+ and sepermit.conf.5 with $(MANS).
+ * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace
+ pam_tty_audit.8 with $(MANS).
+ * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace pam_userdb.8 with
+ $(MANS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: list tests in EXTRA_DIST uniformly.
+ The change was prepared using the following script:
+ git grep -l '^TESTS = tst-pam_' modules/ |while read m; do
+ t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")"
+ sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m"
+ done
+
+ * modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access
+ with $(TESTS).
+ * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_cracklib with $(TESTS).
+ * modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with
+ $(TESTS).
+ * modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with
+ $(TESTS).
+ * modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with
+ $(TESTS).
+ * modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with
+ $(TESTS).
+ * modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with
+ $(TESTS).
+ * modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_faildelay with $(TESTS).
+ * modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter
+ with $(TESTS).
+ * modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with
+ $(TESTS).
+ * modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with
+ $(TESTS).
+ * modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with
+ $(TESTS).
+ * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit
+ with $(TESTS).
+ * modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog
+ with $(TESTS).
+ * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits
+ with $(TESTS).
+ * modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_listfile with $(TESTS).
+ * modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_localuser with $(TESTS).
+ * modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_loginuid with $(TESTS).
+ * modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with
+ $(TESTS).
+ * modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_mkhomedir with $(TESTS).
+ * modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with
+ $(TESTS).
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_namespace with $(TESTS).
+ * modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin
+ with $(TESTS).
+ * modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit
+ with $(TESTS).
+ * modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_pwhistory with $(TESTS).
+ * modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts
+ with $(TESTS).
+ * modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok
+ with $(TESTS).
+ * modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_securetty with $(TESTS).
+ * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_sepermit with $(TESTS).
+ * modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_setquota with $(TESTS).
+ * modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells
+ with $(TESTS).
+ * modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress
+ with $(TESTS).
+ * modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_succeed_if with $(TESTS).
+ * modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with
+ $(TESTS).
+ * modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2
+ with $(TESTS).
+ * modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with
+ $(TESTS).
+ * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_tty_audit with $(TESTS).
+ * modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with
+ $(TESTS).
+ * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb
+ with $(TESTS).
+ * modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace
+ tst-pam_usertype with $(TESTS).
+ * modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with
+ $(TESTS).
+ * modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with
+ $(TESTS).
+ * modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with
+ $(TESTS).
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_namespace: simplify distribution of manual pages.
+ * modules/pam_namespace/Makefile.am: Merge MAN5 and MAN8 into man_MANS.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/*/Makefile.am: remove manual pages from noinst_DATA.
+ Manual pages already belong to man_MANS, listing them also
+ in noinst_DATA does not help in any way.
+
+ * modules/pam_cracklib/Makefile.am (noinst_DATA): Remove pam_cracklib.8.
+ * modules/pam_selinux/Makefile.am (noinst_DATA): Remove pam_selinux.8.
+ * modules/pam_sepermit/Makefile.am (noinst_DATA): Remove pam_sepermit.8
+ and sepermit.conf.5.
+ * modules/pam_userdb/Makefile.am (noinst_DATA): Remove pam_userdb.8.
+
+2020-04-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure: fix dlopen check.
+ * configure.ac: Check for the library providing dlopen using
+ AC_SEARCH_LIBS instead of AC_CHECK_LIB to handle the case when
+ dlopen is a part of libc.
+
+ configure: add --disable-tally and --disable-tally2 options.
+ * configure.ac (AC_ARG_ENABLE): Add tally and tally2.
+ (AM_CONDITIONAL): Add COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
+ * modules/Makefile.am [COND_BUILD_PAM_TALLY] (MAYBE_PAM_TALLY): Define.
+ [COND_BUILD_PAM_TALLY2] (MAYBE_PAM_TALLY2): Likewise.
+ (SUBDIRS): Replace pam_tally with $(COND_BUILD_PAM_TALLY), pam_tally2
+ with $(COND_BUILD_PAM_TALLY2).
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: move pam_selinux and pam_sepermit build conditions to modules/Makefile.am
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBSELINUX with
+ COND_BUILD_PAM_SELINUX and COND_BUILD_PAM_SEPERMIT.
+ * modules/Makefile.am [COND_BUILD_PAM_SELINUX] (MAYBE_PAM_SELINUX):
+ Define.
+ [COND_BUILD_PAM_SEPERMIT] (MAYBE_PAM_SEPERMIT): Likewise.
+ (SUBDIRS): Replace pam_selinux with $(MAYBE_PAM_SELINUX),
+ pam_sepermit with MAYBE_PAM_SEPERMIT.
+ * modules/pam_selinux/Makefile.am: Assume HAVE_LIBSELINUX.
+ * modules/pam_sepermit/Makefile.am: Likewise.
+
+ build: simplify the check for unshare function.
+ * configure.ac (AC_CHECK_FUNCS): Do not set UNSHARE when checking for
+ unshare function.
+ (COND_BUILD_PAM_NAMESPACE): Check for $ac_cv_func_unshare instead of
+ $UNSHARE.
+
+ build: move pam_namespace build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with
+ COND_BUILD_PAM_NAMESPACE.
+ * modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE):
+ Define.
+ (SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE).
+ * modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
+
+ build: move pam_userdb build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBDB with
+ COND_BUILD_PAM_USERDB.
+ * modules/Makefile.am [COND_BUILD_PAM_USERDB] (MAYBE_PAM_USERDB):
+ Define.
+ (SUBDIRS): Replace pam_userdb with $(MAYBE_PAM_USERDB).
+ * modules/pam_userdb/Makefile.am: Assume HAVE_LIBDB.
+
+ build: remove unused HAVE_LIBCRACK.
+ * configure.ac (AC_DEFINE): Remove unused HAVE_LIBCRACK.
+
+ build: move pam_cracklib build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBCRACK with
+ COND_BUILD_PAM_CRACKLIB.
+ * modules/Makefile.am [COND_BUILD_PAM_CRACKLIB] (MAYBE_PAM_CRACKLIB):
+ Define.
+ (SUBDIRS): Replace pam_cracklib with $(MAYBE_PAM_CRACKLIB).
+ * modules/pam_cracklib/Makefile.am: Assume HAVE_LIBCRACK.
+
+ build: remove unused HAVE_KEY_MANAGEMENT.
+ * configure.ac (AC_DEFINE, AC_SUBST): Remove unused HAVE_KEY_MANAGEMENT.
+ (AC_CHECK_DECL): Remove unused ENOKEY.
+
+ build: move pam_keyinit build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_KEY_MANAGEMENT with
+ COND_BUILD_PAM_KEYINIT.
+ * modules/Makefile.am [COND_BUILD_PAM_KEYINIT] (MAYBE_PAM_KEYINIT):
+ Define.
+ (SUBDIRS): Replace pam_keyinit with $(MAYBE_PAM_KEYINIT).
+ * modules/pam_keyinit/Makefile.am: Assume HAVE_KEY_MANAGEMENT.
+
+ build: remove unused AC_DEFINE([HAVE_AUDIT_TTY_STATUS])
+ * configure.ac (AC_DEFINE): Remove unused HAVE_AUDIT_TTY_STATUS.
+
+ build: move pam_tty_audit build condition to modules/Makefile.am.
+ * configure.ac (AM_CONDITIONAL): Replace HAVE_AUDIT_TTY_STATUS with
+ COND_BUILD_PAM_TTY_AUDIT.
+ * modules/Makefile.am [COND_BUILD_PAM_TTY_AUDIT] (MAYBE_PAM_TTY_AUDIT):
+ Define.
+ (SUBDIRS): Replace pam_tty_audit with $(MAYBE_PAM_TTY_AUDIT).
+ * modules/pam_tty_audit/Makefile.am: Assume HAVE_AUDIT_TTY_STATUS.
+
+ configure.ac: sort COND_BUILD_* conditionals.
+ ... and move them closer to the end of configure.ac.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/Makefile.am: sort SUBDIRS.
+ Also list one element of SUBDIRS per line for the ease of maintenance.
+
+ * modules/Makefile.am (SUBDIRS): List one per line, sort.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ ci: add gcc-10 jobs.
+ * .github/workflows/ci.yml (gcc10-x86_64, gcc10-x86, gcc10-x32):
+ New jobs.
+ * .travis.yml (matrix): Add gcc-10 jobs on x86_64, x86, x32,
+ and ppc64le.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_issue: fix potential read out of bounds.
+ Reported by gcc-10 -Warray-bounds:
+
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:197:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [260, 389] from the object at 'uts' is out of the bounds of referenced subobject 'version' with type 'char[65]' at offset 195 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:59:10: note: subobject 'version' declared here
+ 59 | char version[_UTSNAME_VERSION_LENGTH];
+ | ^~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:188:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [65, 389] from the object at 'uts' is out of the bounds of referenced subobject 'sysname' with type 'char[65]' at offset 0 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:51:10: note: subobject 'sysname' declared here
+ 51 | char sysname[_UTSNAME_SYSNAME_LENGTH];
+ | ^~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:194:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [195, 389] from the object at 'uts' is out of the bounds of referenced subobject 'release' with type 'char[65]' at offset 130 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:57:10: note: subobject 'release' declared here
+ 57 | char release[_UTSNAME_RELEASE_LENGTH];
+ | ^~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:191:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [130, 389] from the object at 'uts' is out of the bounds of referenced subobject 'nodename' with type 'char[65]' at offset 65 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:54:10: note: subobject 'nodename' declared here
+ 54 | char nodename[_UTSNAME_NODENAME_LENGTH];
+ | ^~~~~~~~
+ In file included from /usr/include/string.h:494,
+ from modules/pam_issue/pam_issue.c:19:
+ In function 'strncat',
+ inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:200:3:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [325, 389] from the object at 'uts' is out of the bounds of referenced subobject 'machine' with type 'char[65]' at offset 260 [-Werror=array-bounds]
+ 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from modules/pam_issue/pam_issue.c:26:
+ modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+ /usr/include/x86_64-linux-gnu/sys/utsname.h:62:10: note: subobject 'machine' declared here
+ 62 | char machine[_UTSNAME_MACHINE_LENGTH];
+ | ^~~~~~~
+
+ * modules/pam_issue/pam_issue.c (read_issue_quoted): Rewrite to avoid
+ strncat from potentially not null-terminated string buffer fields
+ of struct utsname.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix NULL dereference when at least one of motd directories is not available
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Do not assign -1U to
+ dirscans_sizes[i] when scandir(motd_dir_path_split[i]) returns an error.
+
+ Resolves: https://bugzilla.altlinux.org/38389
+ Fixes: d57ab221 ("pam_motd: Cleanup the code and avoid unnecessary logging")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: cleanup calloc invocations.
+ Apply the following calloc invocation idiom:
+ ptr = calloc(nmemb, sizeof(*ptr));
+
+ * modules/pam_motd/pam_motd.c (pam_split_string,
+ try_to_display_directories_with_overrides): Cleanup calloc invocations.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix NULL dereference on error path.
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Do not access
+ elements of dirscans_sizes array if dirscans_sizes == NULL
+ due to an earlier memory allocation error.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: remove redundant return statement.
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Remove return statement
+ at the end of the function returning void.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: remove redundant prefix from syslog messages.
+ pam_syslog already does all the prefixing we need.
+
+ * modules/pam_motd/pam_motd.c (pam_split_string,
+ try_to_display_directories_with_overrides): Remove "pam_motd: " prefix
+ from strings passed to pam_syslog.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix memory leak.
+ pam_motd used to leak memory allocated for each motd file
+ successfully opened in try_to_display_directories_with_overrides.
+
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Free abs_path.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: fix misleading error diagnostics.
+ Do not invoke calloc with the first argument equal to zero as the return
+ value can be NULL which is undistinguishable from memory allocation
+ error.
+
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Skip if there are no
+ directory entries (dirscans_size_total == 0).
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_motd: do not zero the memory allocated by calloc.
+ As dirnames_all is allocated with calloc, zeroing it out is pointless.
+
+ * modules/pam_motd/pam_motd.c
+ (try_to_display_directories_with_overrides): Remove redundant zeroing
+ of dirnames_all.
+
+ Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: cleanup: do not add -DWITH_SELINUX to CFLAGS.
+ As WITH_SELINUX is already AC_DEFINE'd in configure.ac,
+ there is no point in adding -DWITH_SELINUX to CFLAGS.
+
+ * libpam/Makefile.am [HAVE_LIBSELINUX] (AM_CFLAGS): Do not add
+ -DWITH_SELINUX.
+ * modules/pam_rootok/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+
+2020-04-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: cleanup: replace "test ! -z" with "test -n"
+ * configure.ac: replace "test ! -z" with "test -n".
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_filter: fix potential off-by-one heap buffer overflow.
+ Reported by gcc-10 -Wstringop-overflow:
+
+ In file included from /usr/include/string.h:494,
+ from modules/pam_filter/pam_filter.c:14:
+ In function 'strcpy',
+ inlined from 'process_args' at modules/pam_filter/pam_filter.c:137:2,
+ inlined from 'need_a_filter.isra' at modules/pam_filter/pam_filter.c:618:12:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90:10: warning: '__builtin_memcpy' writing 6 bytes into a region of size 5 [-Wstringop-overflow=]
+ 90 | return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ modules/pam_filter/pam_filter.c: In function 'need_a_filter.isra':
+ modules/pam_filter/pam_filter.c:128:21: note: at offset 0 to an object with size 5 allocated by 'malloc' here
+ 128 | levp[0] = (char *) malloc(size);
+ | ^~~~~~~~~~~~
+
+ * modules/pam_filter/pam_filter.c (process_args): Fix off-by-one heap
+ buffer overflow in case of a filter without arguments (argc == 0).
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: remove PAM_EXTERN and PAM_STATIC parts.
+ In other modules they were removed by commit Linux-PAM-1.3.0~14.
+
+ * modules/pam_setquota/pam_setquota.c: Remove PAM_EXTERN and PAM_STATIC
+ parts.
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: fix more harmless compilation warnings.
+ On ppc64le the compiler complains with the following diagnostics:
+
+ pam_setquota.c: In function 'debug':
+ pam_setquota.c:48:59: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ ......
+ 51 | p->dqb_bsoftlimit, p->dqb_bhardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:48:75: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 7 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ ......
+ 51 | p->dqb_bsoftlimit, p->dqb_bhardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 52 | p->dqb_isoftlimit, p->dqb_ihardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:46: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 9 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 52 | p->dqb_isoftlimit, p->dqb_ihardlimit,
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:62: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 10 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 53 | p->dqb_btime, p->dqb_itime);
+ | ~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:73: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+ pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 11 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+ 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ......
+ 53 | p->dqb_btime, p->dqb_itime);
+ | ~~~~~~~~~~~~
+ | |
+ | __u64 {aka const long unsigned int}
+ pam_setquota.c:49:84: note: format string is defined here
+ 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+ | ~~~^
+ | |
+ | long long unsigned int
+ | %lu
+
+ * modules/pam_setquota/pam_setquota.c (debug): Cast fields of type __u64
+ to unsigned long long.
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_timestamp: include "config.h" in hmacsha1.c as the first header.
+ This ensures "config.h" is included before any system header
+ which fixes the following bug reported by ALT diagnostics:
+
+ verify-elf: ERROR: ./lib/security/pam_timestamp.so: uses non-LFS functions: __fxstat open
+
+ * modules/pam_timestamp/hmacsha1.c: Include "config.h".
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ libpamc.h: include "config.h" as the first header.
+ This ensures "config.h" is included before any system header included by
+ libpamc.h, which fixes the following bug reported by ALT diagnostics:
+
+ verify-elf: ERROR: ./lib/libpamc.so.0.82.1: uses non-LFS functions: __xstat readdir
+
+ * libpamc/libpamc.h: Include "config.h".
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: apply WARN_CFLAGS.
+ All other modules already build with WARN_CFLAGS.
+
+ * modules/pam_setquota/Makefile.am (AM_CFLAGS): Add $(WARN_CFLAGS).
+
+2020-04-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_setquota: fix harmless compilation warnings.
+ Fix -Wunused-variable compilation warnings:
+
+ pam_setquota.c: In function 'pam_sm_open_session':
+ pam_setquota.c:173:9: warning: unused variable 'ep' [-Wunused-variable]
+ 173 | char *ep, *val, *mntdevice = NULL;
+ | ^~
+ pam_setquota.c:172:17: warning: unused variable 'ul' [-Wunused-variable]
+ 172 | unsigned long ul;
+ | ^~
+
+ Fix -Wunused-parameter compilation warnings:
+
+ pam_setquota.c: In function 'pam_sm_open_session':
+ pam_setquota.c:169:60: warning: unused parameter 'flags' [-Wunused-parameter]
+ 169 | PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~^~~~~
+ pam_setquota.c: In function 'pam_sm_close_session':
+ pam_setquota.c:382:40: warning: unused parameter 'pamh' [-Wunused-parameter]
+ 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~~~~~~~~~~~^~~~
+ pam_setquota.c:382:50: warning: unused parameter 'flags' [-Wunused-parameter]
+ 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~^~~~~
+ pam_setquota.c:382:61: warning: unused parameter 'argc' [-Wunused-parameter]
+ 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ | ~~~~^~~~
+ pam_setquota.c:383:39: warning: unused parameter 'argv' [-Wunused-parameter]
+ 383 | const char **argv) {
+ | ~~~~~~~~~~~~~^~~~
+
+ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Mark
+ 'flags' parameter as unused. Remove unused 'ep' and 'ul' variables.
+ (pam_sm_close_session): Mark all parameters as unused.
+
+2020-04-18 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+ Resolves: https://github.com/linux-pam/linux-pam/pull/214
+
+2020-04-17 Sven Hartge <sven@svenhartge.de>
+
+ pam_setquota: new module to set or modify disk quotas on session start.
+ This makes disk quotas usable with central user databases, such as MySQL or
+ LDAP.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/92
+
+2020-04-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_access, pam_issue: do not assume that getdomainname always exists.
+ * modules/pam_access/pam_access.c (netgroup_match): Place the code
+ that calls getdomainname under HAVE_GETDOMAINNAME guard.
+ * modules/pam_issue/pam_issue.c (read_issue_quoted): Likewise.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/43
+
+2020-04-13 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-04-13 Ankit Behera <proneon267@gmail.com>
+
+ Translated using Weblate (Odia)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/or/
+
+2020-04-12 Topi Miettinen <toiwoton@gmail.com>
+
+ pam_unix: modernize example in manual page.
+ According to crypt(5), md5 should not be used for new hashes. Let's
+ give a modern example with yescrypt.
+
+2020-04-10 Robert Antoni Buj Gelonch <robert.buj@gmail.com>
+
+ Translated using Weblate (Catalan)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+ Resolves: https://github.com/linux-pam/linux-pam/pull/207
+
+2020-04-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ travis: remove faulty jobs.
+ * .travis.yml: Remove faulty gcc-9 jobs on aarch64 and s390x,
+ gcc-9 became uninstallable on these platforms several days ago
+ and hasn't been fixed yet.
+
+2020-04-07 Lucas Ramage <oxr463@gmx.us>
+
+ pam_access: add an example of using groups in access.conf to permit access
+ Resolves: https://github.com/linux-pam/linux-pam/issues/65
+ Resolves: https://github.com/linux-pam/linux-pam/pull/199
+
+2020-04-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ github: add CI action.
+ Somewhat similar to Travis CI, this runs "make distcheck" on Ubuntu
+ 18.04 using gcc-9, gcc-8, gcc, clang-9, clang-8, and clang on x86_64,
+ x86, and x32 architectures.
+
+ Compared with Travis CI, GitHub Actions service currently provides
+ a significantly better parallelism as well as (unsurprisingly)
+ better integration with github.
+
+ However, GitHub Actions cannot replace Travis CI completely yet as
+ the latter can build on aarch64, s390x, and ppc64le architectures.
+
+ * .github/workflows/whitespace-errors-check.yml: Remove
+ * .github/workflows/ci.yml: New file.
+
+2020-04-07 scootergrisen <scootergrisen@gmail.com>
+
+ Translated using Weblate (Danish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-04-07 scootergrisen <scootergrisen@gmail.com>
+
+ Translated using Weblate (Danish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-03-31 Petr Lautrbach <plautrba@redhat.com>
+
+ pam_timestamp: Fix // in TIMESTAMPDIR.
+ _PATH_VARRUN already provides trailing slash for building paths
+
+ Fixes:
+ $ strings /usr/lib64/security/pam_timestamp.so | grep /run/
+ /var/run//pam_timestamp
+ /var/run//pam_timestamp/_pam_timestamp_key
+
+2020-03-30 James Ralston <ralston@pobox.com>
+
+ pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.
+ The pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems
+ that use the unix_chkpwd helper.
+
+ The reason is that in unix_chkpwd.c, towards the end of main(), if
+ helper_verify_password() does not return PAM_SUCCESS, main() ignores
+ the actual error that helper_verify_password() returned and instead
+ returns PAM_AUTH_ERR.
+
+ This commit corrects this behavior. Specifically, if
+ helper_verify_password() returns PAM_USER_UNKNOWN, which it does
+ when /etc/passwd entry indicates that shadow information is present
+ but the /etc/shadow entry is missing, the unix_chkpwd now exits
+ with PAM_AUTHINFO_UNAVAIL. For any other error from
+ helper_verify_password(), unix_chkpwd continues to exit with
+ PAM_AUTH_ERR.
+
+ * modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL
+ when helper_verify_password() returns PAM_USER_UNKNOWN.
+
+2020-03-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix various typos found using codespell tool.
+
+ po: semi-automatically fix translations of pam_get_authtok default prompts
+ Complements: 4daceedd ("pam_get_authtok: fix i18n of default prompts")
+
+2020-03-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ _pam_load_module: reduce redundancy.
+ * libpam/pam_handlers.c (_pam_load_module): Reorganize $ISA handling
+ to reduce redundancy.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/198
+
+2020-03-24 blueskycs2c <lili.ding@cs2c.com>
+
+ pam_time: add conffile option to specify an alternative configuration file
+ Resolves: https://github.com/linux-pam/linux-pam/pull/163
+ Resolves: https://github.com/linux-pam/linux-pam/pull/191
+
+2020-03-23 Alexander Zubkov <green@qrator.net>
+
+ pam_exec: require user name to be ready for the command.
+ pam_exec module can be called when a user name has not been prompted
+ yet. And thus the command is called without a user name available.
+ This fix asks PAM for the user name to ensure it is ready or to force
+ the prompt.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/131
+ Resolves: https://github.com/linux-pam/linux-pam/pull/195
+
+2020-03-23 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_selinux: fall back to log to syslog if audit logging fails.
+ Resolves: https://github.com/linux-pam/linux-pam/pull/194
+
+ pam_selinux: sanitize asprintf argument on failure.
+
+ pam_selinux: print additional information on failures.
+
+ pam_selinux: convert send_audit_message to void function.
+ The result is nowhere checked and other logging functions like
+ pam_syslog are also not checked.
+
+ pam_selinux: fix indentation.
+
+2020-03-23 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_selinux: substitute legacy security_context_t type.
+ `security_context_t` is a legacy typedef to `char *`, substitute all usage.
+
+ See
+ https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
+ https://github.com/SELinuxProject/selinux/blob/f8c110c8a615eb640510eab39640a0957a6ba19c/libselinux/include/selinux/selinux.h#L16
+
+2020-03-20 Jiri Grönroos <jiri.gronroos@iki.fi>
+
+ Translated using Weblate (Finnish)
+ Currently translated at 90.8% (109 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-03-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Slovak)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+ Translated using Weblate (Czech)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
+
+ Translated using Weblate (French)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-20 Yuri Chornoivan <yurchor@ukr.net>
+
+ Translated using Weblate (Ukrainian)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-03-20 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-20 Geert Warrink <geert.warrink@onsnet.nu>
+
+ Translated using Weblate (Dutch)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2020-03-20 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Russian)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+ Translated using Weblate (Portuguese (Brazil))
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ Translated using Weblate (Portuguese)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+ Translated using Weblate (German)
+
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-20 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (120 of 120 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_userdb: use pam_str_skip_icase_prefix.
+ * modules/pam_userdb/pam_userdb.c: Include "pam_inline.h".
+ (_pam_parse, user_lookup): Use pam_str_skip_icase_prefix
+ instead of ugly strncasecmp invocations.
+
+ modules/pam_umask: use pam_str_skip_icase_prefix.
+ * modules/pam_umask/pam_umask.c: Include "pam_inline.h".
+ (parse_option, setup_limits_from_gecos): Use pam_str_skip_icase_prefix
+ instead of ugly strncasecmp invocations.
+
+ modules/pam_pwhistory: use pam_str_skip_icase_prefix.
+ * modules/pam_pwhistory/pam_pwhistory.c: Include "pam_inline.h".
+ (parse_option): Use pam_str_skip_icase_prefix instead of ugly
+ strncasecmp invocations.
+
+ modules/pam_exec: use pam_str_skip_icase_prefix.
+ * modules/pam_exec/pam_exec.c (call_exec): Use pam_str_skip_icase_prefix
+ instead of ugly strncasecmp invocations.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_str_skip_icase_prefix_len and pam_str_skip_icase_prefix.
+ Every time I see a code like
+ if (strncasecmp(argv, "remember=", 9) == 0)
+ options->remember = strtol(&argv[9], NULL, 10);
+ my eyes are bleeding.
+
+ Similar to pam_str_skip_prefix_len() and pam_str_skip_prefix(),
+ introduce a new helper inline function pam_str_skip_icase_prefix_len()
+ and a new macro pam_str_skip_icase_prefix() on top of it, to be used
+ in subsequent commits to cleanup the ugliness.
+
+ * libpam/include/pam_inline.h (pam_str_skip_icase_prefix_len): New
+ function.
+ (pam_str_skip_icase_prefix): New macro.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_xauth: use pam_str_skip_prefix.
+ * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
+ (pam_sm_open_session, pam_sm_close_session): Use pam_str_skip_prefix
+ instead of ugly strncmp invocations.
+
+ modules/pam_wheel: use pam_str_skip_prefix.
+ * modules/pam_wheel/pam_wheel.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len.
+ * modules/pam_unix/passverify.c: Include "pam_inline.h".
+ (verify_pwd_hash): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+ * modules/pam_unix/support.c: Include "pam_inline.h".
+ (_set_ctrl): Use pam_str_skip_prefix_len instead of hardcoding string
+ lengths.
+ * modules/pam_unix/md5_crypt.c: Include "pam_inline.h".
+ (crypt_md5): Use pam_str_skip_prefix_len.
+
+ squash! modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_tty_audit: use pam_str_skip_prefix.
+ * modules/pam_tty_audit/pam_tty_audit.c: Include "pam_inline.h".
+ (pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_timestamp: use pam_str_skip_prefix.
+ * modules/pam_timestamp/pam_timestamp.c: Include "pam_inline.h".
+ (check_tty, get_timestamp_name, pam_sm_authenticate): Use
+ pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_tally: use pam_str_skip_prefix.
+ * modules/pam_tally/pam_tally.c: Include "pam_inline.h".
+ (tally_parse_args, getopts): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_tally2: use pam_str_skip_prefix.
+ * modules/pam_tally2/pam_tally2.c: Include "pam_inline.h".
+ (tally_parse_args, getopts): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_selinux: use pam_str_skip_prefix.
+ * modules/pam_selinux/pam_selinux.c: Include "pam_inline.h".
+ (compute_exec_context, compute_tty_context): Use pam_str_skip_prefix
+ instead of ugly strncmp invocations.
+
+ modules/pam_securetty: use pam_str_skip_prefix and pam_str_skip_prefix_len
+ * modules/pam_securetty/pam_securetty.c: Include "pam_inline.h".
+ (securetty_perform_check): Use pam_str_skip_prefix and
+ pam_str_skip_prefix_len instead of ugly strncmp invocations.
+
+ modules/pam_rhosts: use pam_str_skip_prefix.
+ * modules/pam_rhosts/pam_rhosts.c: Include "pam_inline.h".
+ (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_nologin: use pam_str_skip_prefix.
+ * modules/pam_nologin/pam_nologin.c: Include "pam_inline.h".
+ (parse_args): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_namespace: use pam_str_skip_prefix.
+ * modules/pam_namespace/pam_namespace.c (root_shared): Use
+ pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_motd: use pam_str_skip_prefix.
+ * modules/pam_motd/pam_motd.c: Include "pam_inline.h".
+ (pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_mkhomedir: use pam_str_skip_prefix.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_mail: use pam_str_skip_prefix.
+ * modules/pam_mail/pam_mail.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_localuser: use pam_str_skip_prefix.
+ * modules/pam_localuser/pam_localuser.c: Include "pam_inline.h".
+ (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_listfile: use pam_str_skip_prefix.
+ * modules/pam_listfile/pam_listfile.c: Include "pam_inline.h".
+ (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_limits: use pam_str_skip_prefix.
+ * modules/pam_limits/pam_limits.c: Include "pam_inline.h".
+ (_pam_parse, parse_kernel_limits): Use pam_str_skip_prefix instead of
+ ugly strncmp invocations.
+
+ modules/pam_lastlog: use pam_str_skip_prefix.
+ * modules/pam_lastlog/pam_lastlog.c: Include "pam_inline.h".
+ (_pam_auth_parse, get_tty): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_issue: use pam_str_skip_prefix.
+ * modules/pam_issue/pam_issue.c: Include "pam_inline.h".
+ (pam_sm_authenticate, read_issue_quoted): Use pam_str_skip_prefix
+ instead of ugly strncmp invocations.
+
+ modules/pam_ftp: use pam_str_skip_prefix.
+ * modules/pam_ftp/pam_ftp.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_env: use pam_str_skip_prefix.
+ * modules/pam_env/pam_env.c: Include "pam_inline.h".
+ (_pam_parse, _parse_line): Use pam_str_skip_prefix instead of ugly
+ strncmp invocations.
+
+ modules/pam_echo: use pam_str_skip_prefix.
+ * modules/pam_echo/pam_echo.c: Include "pam_inline.h".
+ (pam_echo): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+ modules/pam_cracklib: use pam_str_skip_prefix.
+ * modules/pam_cracklib/pam_cracklib.c: Include "pam_inline.h".
+ (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+ invocations.
+
+ modules/pam_access: use pam_str_skip_prefix.
+ * modules/pam_access/pam_access.c: Include "pam_inline.h".
+ (parse_args): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_str_skip_prefix_len and pam_str_skip_prefix.
+ Every time I see a code like
+ if (!strncmp(*argv,"user_readenv=",13))
+ *user_readenv = atoi(13+*argv);
+ my eyes are bleeding.
+
+ Introduce a new helper inline function pam_str_skip_prefix_len() and
+ a new macro pam_str_skip_prefix() on top of it, to be used in subsequent
+ commits to cleanup the ugliness.
+
+ * libpam/include/pam_inline.h: Include <string.h>.
+ (pam_str_skip_prefix_len): New function.
+ (pam_str_skip_prefix): New macro.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Use PAM_ARRAY_SIZE.
+ Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x)
+ which is less error-prone and implements an additional type check.
+
+ * libpam/pam_handlers.c: Include "pam_inline.h".
+ (_pam_open_config_file): Use PAM_ARRAY_SIZE.
+ * modules/pam_exec/pam_exec.c: Include "pam_inline.h".
+ (call_exec): Use PAM_ARRAY_SIZE.
+ * modules/pam_namespace/pam_namespace.c: Include "pam_inline.h".
+ (filter_mntopts): Use PAM_ARRAY_SIZE.
+ * modules/pam_timestamp/hmacfile.c: Include "pam_inline.h".
+ (testvectors): Use PAM_ARRAY_SIZE.
+ * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
+ (run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE.
+ * tests/tst-pam_get_item.c: Include "pam_inline.h".
+ (main): Use PAM_ARRAY_SIZE.
+ * tests/tst-pam_set_item.c: Likewise.
+ * xtests/tst-pam_pwhistory1.c: Likewise.
+ * xtests/tst-pam_time1.c: Likewise.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_inline.h.
+ Introduce a new internal header file for definitions of handly inline
+ functions and macros providing some convenient functionality to libpam
+ and its modules.
+
+ * libpam/include/pam_cc_compat.h (PAM_SAME_TYPE): New macro.
+ * libpam/include/pam_inline.h: New file.
+ * libpam/Makefile.am (noinst_HEADERS): Add include/pam_inline.h.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_cracklib: fix parsing of options without arguments.
+ Prefix match for options without arguments such as use_first_pass
+ is not correct, there has to be an exact match for these options.
+
+ * modules/pam_cracklib/pam_cracklib.c (_pam_parse): Fix parsing
+ of reject_username, gecoscheck, enforce_for_root, use_authtok,
+ use_first_pass, and try_first_pass options.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ ci: enable -Werror for all builds.
+ The main purpose of fixing all compilation warnings in the current code
+ base was to enable -Werror in CI builds so that no new warnings would
+ creep in.
+
+ * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add --enable-Werror.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ configure: implement --enable-Werror option.
+ When configure is invoked with --enable-Werror option,
+ -Werror compiler option is added to WARN_CFLAGS.
+
+ This new configure option is intended primarily for CI purposes.
+
+ * configure.ac (AC_ARG_ENABLE): Add Werror. Forward -Werror
+ to JAPHAR_GREP_CFLAGS.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix remaining clang -Wcast-align compilation warnings.
+ Introduce DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN
+ macros, use them to silence remaining clang -Wcast-align compilation
+ warnings.
+
+ * libpam/include/pam_cc_compat.h (DIAG_PUSH_IGNORE_CAST_ALIGN,
+ DIAG_POP_IGNORE_CAST_ALIGN): New macros.
+ * modules/pam_access/pam_access.c: Include "pam_cc_compat.h".
+ (from_match, network_netmask_match): Wrap inet_ntop invocations
+ in DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix most of clang -Wcast-align compilation warnings.
+ Unlike gcc, clang is not smart enough to infer the alignment
+ of structure fields, so add some alignment hints to the code.
+
+ * libpam/include/pam_cc_compat.h (PAM_ATTRIBUTE_ALIGNED): New macro.
+ * modules/pam_namespace/md5.h: Include "pam_cc_compat.h".
+ (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
+ * modules/pam_namespace/md5.c [!(__i386__ || __x86_64__)]
+ (uint8_aligned): New type.
+ [!(__i386__ || __x86_64__)] (byteReverse): Use it instead of
+ unsigned char.
+ * modules/pam_timestamp/sha1.h: Include "pam_cc_compat.h".
+ (struct sha1_context): Add PAM_ATTRIBUTE_ALIGNED to pending field.
+ * modules/pam_unix/md5.h: Include "pam_cc_compat.h".
+ (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
+ * modules/pam_unix/md5.c [!HIGHFIRST] (uint8_aligned): New type.
+ [!HIGHFIRST] (byteReverse): Use it instead of unsigned char.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_tally, modules/pam_tally2: fix compilation warnings.
+ Fix the following compilation warnings reported by gcc
+ when sizeof(time_t) > sizeof(long), e.g. on x32:
+
+ modules/pam_tally/pam_tally.c:541:7: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 541 | _("The account is temporarily locked (%ld seconds left)."),
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ modules/pam_tally/pam_tally.c:546:40: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 546 | "user %s (%lu) has time limit [%lds left]"
+ | ~~^
+ | |
+ | long int
+ | %lld
+ ......
+ 549 | oldtime+lock_time-time(NULL));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ | |
+ | time_t {aka long long int}
+
+ modules/pam_tally2/pam_tally2.c:592:27: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 592 | pam_info(pamh, _("The account is temporarily locked (%ld seconds left)."),
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ modules/pam_tally2/pam_tally2.c:597:50: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+ 597 | "user %s (%lu) has time limit [%lds left]"
+ | ~~^
+ | |
+ | long int
+ | %lld
+ ......
+ 600 | oldtime+opts->lock_time-time(NULL));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ | |
+ | time_t {aka long long int}
+
+ This change doesn't attempt to fix handling of 64-bit time_t on 32-bit
+ systems in these modules.
+
+ * modules/pam_tally/pam_tally.c (tally_check): Cast time_t expressions
+ to long int before passing them to pam_info and pam_syslog.
+ * modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp: fix compilation warnings.
+ Fix the following compilation warnings reported by gcc on ilp32 platforms:
+
+ modules/pam_timestamp/hmacfile.c: In function ‘testvectors’:
+ modules/pam_timestamp/hmacfile.c:121:44: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
+ 121 | printf("Incorrect result for vector %lu\n", i + 1);
+ | ~~^ ~~~~~
+ | | |
+ | | size_t {aka unsigned int}
+ | long unsigned int
+ | %u
+ modules/pam_timestamp/hmacfile.c:128:30: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
+ 128 | printf("Error in vector %lu.\n", i + 1);
+ | ~~^ ~~~~~
+ | | |
+ | | size_t {aka unsigned int}
+ | long unsigned int
+ | %u
+ In function ‘strncpy’,
+ inlined from ‘pam_sm_open_session’ at modules/pam_timestamp/pam_timestamp.c:584:4:
+ /usr/include/bits/string_fortified.h:106:10: warning: ‘__builtin___strncpy_chk’ output may be truncated copying between 1 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
+
+ * modules/pam_timestamp/hmacfile.c (testvectors): Cast the argument
+ of type size_t to unsigned long before passing it to printf.
+ * modules/pam_timestamp/pam_timestamp.c (pam_sm_open_session): Use
+ memcpy instead of strncpy as the source is not NUL-terminated, add an
+ extra check to ensure that iterator stays inside bounds.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_unix: fix gcc compilation warnings.
+ When setreuid() fails, there is no way to proceed any further: either
+ the process credentials are unchanged but inappropriate, or they are
+ in an inconsistent state and nothing good could be made out of it.
+ This fixes the following compilation warnings:
+
+ modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+ modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+
+ * modules/pam_unix/passverify.c (get_account_info) [HELPER_COMPILE]:
+ Always check setreuid return code and return PAM_CRED_INSUFFICIENT
+ if setreuid failed.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_access: fix compilation warning.
+ Fix the following compilation warning reported by gcc
+ when HAVE_LIBAUDIT is not set:
+
+ modules/pam_access/pam_access.c: In function ‘login_access’:
+ modules/pam_access/pam_access.c:338:13: warning: variable ‘nonall_match’ set but not used [-Wunused-but-set-variable]
+ 338 | int nonall_match = NO;
+ | ^~~~~~~~~~~~
+
+ * modules/pam_access/pam_access.c (login_access): Enclose nonall_match
+ variable with HAVE_LIBAUDIT #ifdef's.
+
+2020-03-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ conf/pam_conv1: fix clang compilation warnings.
+ Fix the following compilation warnings reported by clang:
+
+ pam_conv_y.y:12:23: warning: unused variable 'bisonid' [-Wunused-const-variable]
+ static const char bisonid[]=
+ ^
+ pam_conv_l.l:12:23: warning: unused variable 'lexid' [-Wunused-const-variable]
+ static const char lexid[]=
+ ^
+
+ These static variables lost their meaning after repository conversion
+ from cvs to git and can be safely removed.
+
+ * conf/pam_conv1/pam_conv_l.l (lexid): Remove.
+ * conf/pam_conv1/pam_conv_y.y (bisonid): Remove.
+
+2020-03-18 Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_timestamp: fix clang compilation warning.
+ modules/pam_timestamp/pam_timestamp.c:807:17: warning: logical not
+ is only applied to the left hand side of this comparison
+ [-Wlogical-not-parentheses]
+ } else if (!timestamp_good(st.st...
+ ^
+
+ * modules/pam_timestamp/pam_timestamp.c (main): Change timestamp_good
+ return code check to a more traditional form.
+
+2020-03-18 Dmitry V. Levin <ldv@altlinux.org>
+
+ github: check for whitespace errors on push and pull requests.
+ * .github/workflows/whitespace-errors-check.yml: New file.
+
+ modules/pam_timestamp: fix EXTRA_DIST.
+ * modules/pam_timestamp/Makefile.am (EXTRA_DIST): Replace "$(man_MANS)"
+ with "$(MANS)" as the former is conditional on HAVE_DOC.
+
+ modules/pam_namespace: fix EXTRA_DIST.
+ * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
+ "$(MAN5) $(MAN8)" with "$(MANS)" as the former is conditional
+ on HAVE_DOC.
+
+2020-03-17 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_usertype: exclude man-page generation when configured with --disable-doc
+ * modules/pam_usertype/Makefile.am (man_MANS): Make conditional
+ on HAVE_DOC.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/193
+
+2020-03-17 Christian Göttsche <cgzones@googlemail.com>
+
+ pam_namespace: ignore pam_namespace_helper in git.
+ * modules/pam_namespace/.gitignore: New file.
+
+ Resolves: https://github.com/linux-pam/linux-pam/pull/192
+
+2020-03-13 Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-03-13 Ondrej Sulek <feonsu@gmail.com>
+
+ Translated using Weblate (Slovak)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+2020-03-13 Yuri Chornoivan <yurchor@ukr.net>
+
+ Translated using Weblate (Ukrainian)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-03-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Portuguese (Brazil))
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ Translated using Weblate (Portuguese)
+
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+ Translated using Weblate (German)
+
+ Currently translated at 91.4% (107 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Adjust README with instructions for package prerequsities.
+ Also remove obsolete static modules instructions
+
+2020-03-11 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_get_authtok: fix i18n of default prompts.
+ Change formatting of default prompts, making them translatable
+ to those languages that use a different word order.
+ From non-i18n perspective this change is essentially a no-op.
+
+ * libpam/pam_get_authtok.c (PROMPTCURRENT): Replace with
+ PROMPT_CURRENT_ARG and PROMPT_CURRENT_NOARG.
+ (PROMPT1): Replace with PROMPT_NEW_ARG and PROMPT_NEW_NOARG.
+ (PROMPT2): Replace with PROMPT_RETYPE_ARG and PROMPT_RETYPE_NOARG.
+ (pam_get_authtok_internal, pam_get_authtok_verify): Use new macros.
+ * po/Linux-PAM.pot: Regenerated.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/29
+
+2020-03-11 ikerexxe <ipedrosa@redhat.com>
+
+ pam_selinux: check unknown object classes or permissions in current policy
+ Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
+
+ Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
+
+2020-03-06 Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-03-06 Milo Casagrande <milo@milo.name>
+
+ Translated using Weblate (Italian)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2020-03-06 Dmitry V. Levin <ldv@altlinux.org>
+
+ Translated using Weblate (Zulu)
+ Currently translated at 63.2% (74 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zu/
+
+ Translated using Weblate (Chinese (Traditional))
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
+
+ Translated using Weblate (Chinese (Simplified))
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
+
+ Translated using Weblate (Tamil)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ta/
+
+ Translated using Weblate (Sinhala)
+
+ Currently translated at 65.8% (77 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/si/
+
+ Translated using Weblate (Russian)
+
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+ Translated using Weblate (Portuguese (Brazil))
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+ Translated using Weblate (Kazakh)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
+
+ Translated using Weblate (Japanese)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ja/
+
+ Translated using Weblate (Hungarian)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/
+
+ Translated using Weblate (Hindi)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hi/
+
+ Translated using Weblate (Spanish)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
+
+ Translated using Weblate (German)
+
+ Currently translated at 81.1% (95 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-06 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-06 Geert Warrink <geert.warrink@onsnet.nu>
+
+ Translated using Weblate (Dutch)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2020-03-06 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-06 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+ Translated using Weblate (Polish)
+
+ Currently translated at 100.0% (117 of 117 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add missing file to EXTRA_DIST.
+ * tests/Makefile.am: Add confdir to EXTRA_DIST.
+
+ New API call pam_start_confdir()
+ To load PAM stack configurations from specified directory
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix remaining references to sourceforge.net.
+ Linux-PAM moved to github long time ago, update the remaining
+ bug tracking references to point to github issues tracker.
+
+ * README: Refer to https://github.com/linux-pam/linux-pam/issues
+ instead of sourceforge.net.
+ * po/Makevars: Refer to https://github.com/linux-pam/linux-pam/issues
+ instead of http://sourceforge.net/projects/pam .
+ * po/Linux-PAM.pot: Regenerated.
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: fix --disable-nis compilation warnings.
+ When the build is configured using --disable-nis option, gcc complains:
+
+ pam_unix_passwd.c: In function '_do_setpass':
+ pam_unix_passwd.c:398:8: warning: unused variable 'master' [-Wunused-variable]
+
+ support.c: In function '_unix_getpwnam':
+ support.c:305:21: warning: parameter 'nis' set but not used [-Wunused-but-set-parameter]
+
+ * modules/pam_unix/pam_unix_passwd.c (_do_setpass): Move the definition
+ of "master" variable to [HAVE_NIS].
+ * modules/pam_unix/support.c (_unix_getpwnam) [!(HAVE_YP_GET_DEFAULT_DOMAIN
+ && HAVE_YP_BIND && HAVE_YP_MATCH && HAVE_YP_UNBIND)]: Do not assign
+ the unused parameter but mark it as used.
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ Sort NEWS entries.
+ * NEWS (1.4.0): Sort module-related news entries.
+
+2020-03-05 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix whitespace issues.
+ Remove trailing whitespace introduced by commit
+ f9c9c72121eada731e010ab3620762bcf63db08f.
+ Remove blank lines at EOF introduced by commit
+ 65d6735c5949ec233df9813f734e918a93fa36cf.
+
+ This makes the project free of warnings reported by
+ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+ * doc/custom-html.xsl: Remove blank line at EOF.
+ * doc/custom-man.xsl: Likewise.
+ * modules/pam_motd/pam_motd.c: Remove trailing whitespace.
+
+2020-03-04 ed@s5h.net <ed@s5h.net>
+
+ Adding package dependency hints to README.
+
+2020-03-04 Mark Wutzke <mark.wutzke@alliedtelesis.co.nz>
+
+ Use cached 'crypt' library result correctly.
+ Configure script incorrectly used a non-cached variable (ac_lib) in the
+ cached code path. This results in no -lcrypt being defined resulting in
+ link errors on a re-build.
+
+ Update configure.ac to use ac_cv_search_crypt (via ac_res) to setup the
+ correct library arguments.
+
+2020-03-03 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Prepare for the 1.4.0 release.
+
+ Updated LINGUAS to remove completely untranslated languages.
+ Updated pot and po files
+
+2020-03-03 Tomáš Mráz <tmraz@redhat.com>
+
+ Translated using Weblate (Czech)
+ Currently translated at 100.0% (116 of 116 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
+
+2020-03-03 Oğuz Ersen <oguzersen@protonmail.com>
+
+ Translated using Weblate (Turkish)
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-03 Julien Humbert <julroy67@gmail.com>
+
+ Translated using Weblate (French)
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-03 Piotr Drąg <piotrdrag@gmail.com>
+
+ Translated using Weblate (Polish)
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+ Translated using Weblate (Polish)
+
+ Currently translated at 100.0% (121 of 121 strings)
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-03 Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>
+
+ Deleted translation using Weblate (Cornish)
+ Deleted translation using Weblate (German (Low))
+
+ Deleted translation using Weblate (Angika)
+
+ Deleted translation using Weblate (English (United Kingdom))
+
+ Deleted translation using Weblate (Asturian)
+
+ Deleted translation using Weblate (bal (generated))
+
+ Deleted translation using Weblate (Bodo)
+
+ Deleted translation using Weblate (Breton)
+
+ Deleted translation using Weblate (Cornish)
+
+ Deleted translation using Weblate (Cornish)
+
+ Deleted translation using Weblate (ilo (generated))
+
+ Deleted translation using Weblate (Maithili)
+
+ Deleted translation using Weblate (Pedi)
+
+ Deleted translation using Weblate (Tibetan)
+
+ Deleted translation using Weblate (Twi)
+
+ Deleted translation using Weblate (wba (generated))
+
+2020-03-03 Weblate <noreply@weblate.org>
+
+ Update translation files.
+ Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+ Translation: linux-pam/master
+ Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-02-27 Iker Pedrosa <ikerpedrosam@gmail.com>
+
+ pam_tty_audit: if kernel audit is disabled return PAM_IGNORE.
+ If kernel audit is disabled the socket open will return
+ EPROTONOSUPPORT.
+ Return PAM_IGNORE from pam_tty_audit and log a warning
+ in this situation so login is not blocked by the module.
+
+2020-02-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD
+ When pam_modutil_sanitize_helper_fds() is invoked with
+ PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
+ or stderr, it closes the read end of the newly created dummy pipe.
+ The negative side effect of this approach is that any write to such
+ descriptor triggers a SIGPIPE. Avoid this by closing the write end of
+ the dummy pipe and using its read end as a dummy pipe descriptor for
+ output. Any read from such descriptor returns 0, and any write just
+ fails with EBADF, which should work better with unprepared writers.
+
+ * libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
+ (redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
+
+ Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
+
+2020-02-26 TBK <tbk@jjtc.eu>
+
+ libpamc: Use ISO C99 uintX_t types instead of u_intX_t.
+ u_intX_t is a glibcism this fixes the issue of compiling against musl libc.
+
+2020-02-25 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_group, pam_time: Fix regression in documentation from last change.
+ * modules/pam_group/group.conf.5.xml: Replace bare & with &amp;.
+ * modules/pam_time/time.conf.5.xml: Likewise.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_limits: Document the unwanted effect of set_all with systemd.
+
+ misc_conv: Use PAM_MAX_RESP_SIZE to limit the length of the input.
+
+ pam_group, pam_time: Fix logical error with multiple ! operators.
+ * modules/pam_group/group.conf.5.xml: Document what logic list means.
+ * modules/pam_time/time.conf.5.xml: Likewise.
+ * modules/pam_group/pam_group.c (logic_field): Clear the not operator for the
+ further operations.
+ * modules/pam_time/pam_time.c (logic_field): Likewise.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_shells: Recognize /bin/sh as the default shell.
+ If the shell is empty in /etc/passwd entry it means /bin/sh.
+
+ * modules/pam_shells/pam_shells.c (perform_check): Use /bin/sh as default shell.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: Change the default to not read the user .pam_environment file.
+ * modules/pam_env/pam_env.8.xml: Document the change.
+ * modules/pam_env/pam_env.c: Set DEFAULT_USER_READ_ENVFILE to 0.
+
+2020-02-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: code cleanups.
+ Raise BUF_SIZE to 8192 bytes.
+
+ * modules/pam_env/pam_env.c (_parse_env_file): Ignore lines starting with '='.
+ (_assemble_line): Detect long lines and binary files.
+ (_check_var): Avoid overwriting global variable.
+ (_expand_arg): Avoid repeated strlen calls.
+
+2020-02-18 Topi Miettinen <toiwoton@gmail.com>
+
+ pam_namespace: secure tmp-inst directories.
+ When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
+ creates subdirectories with fixed name tmp-inst. These paths should be
+ secured as early as possible to avoid that somehow these directories
+ could created and controlled by for example a malicious user or
+ service.
+
+ Ship a systemd service, which creates the directories early in
+ boot sequence with correct permissions and ownership.
+
+ Closes #111.
+
+2020-02-18 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix warnings from the recent PR merges.
+ * modules/pam_succeed_if/pam_succeed_if.c: Fix const issues.
+ * modules/pam_usertype/pam_usertype.c: Avoid maybe used uninitialized warning.
+
+2020-02-18 Pavel Březina <pbrezina@redhat.com>
+
+ pam_unix: add nullresetok option to allow reset blank passwords.
+ Adding nullresetok to auth phase of pam_unix module will allow users
+ with blank password to authenticate in order to immediatelly change
+ their password even if nullok is not set.
+
+ This allows to have blank password authentication disabled but still
+ allows administrator to create new user accounts with expired blank
+ password that must be change on the first login.
+
+2020-02-18 Serghei Anicheev <serghei.anicheev@gmail.com>
+
+ pam_succeed_if: Add list support for group membership checks.
+ Examples:
+ account requisite pam_succeed_if.so user ingroup group1:group2
+ OR
+ account requisite pam_succeed_if.so user notingroup group1:group2
+ OR
+ account requisite pam_succeed_if.so user ingroup wheel
+ OR
+ account requisite pam_succeed_if.so user notingroup wheel
+
+ Can be very convenient to grant access based on complex group memberships (LDAP, etc)
+
+2020-02-18 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ Remove redundant header file inclusion.
+ There are some source code including the same header file redundantly.
+ We remove these redundant header file inclusion.
+
+2020-01-29 edneville <ed-github@s5h.net>
+
+ pam_tally[2]: Updating man pages to indicate account leakage without silent
+ * modules/pam_tally/pam_tally.8.xml: Mention account leakage without silent
+ * modules/pam_tally2/pam_tally2.8.xml: Mention account leakage without silent
+
+2020-01-29 Jakub Wilk <jwilk@jwilk.net>
+
+ pam_keyinit.8: add missing comma.
+
+2020-01-28 Pavel Březina <pbrezina@redhat.com>
+
+ pam_usertype: new module to tell if uid is in login.defs ranges.
+ This module will check if the user account type is system or regular based
+ on its uid. To evaluate the condition it will use 0-99 reserved range
+ together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
+
+ If these values are not set, it uses configure-time defaults
+ `--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
+ `SYS_UID_MAX` defaults to `UID_MIN - 1`.
+
+ This information can be used to skip specific module in pam stack
+ based on the account type. `pam_succeed_if uid < 1000` is used at the moment
+ however it does not reflect changes to `login.defs`.
+
+2020-01-27 Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+ configure.ac: add --enable-doc option.
+ Allow the user to disable documentation through --disable-doc (enabled
+ by default), this is especially useful when cross-compiling for embedded
+ targets
+
+2020-01-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix remaining -Wcast-qual compilation warnings.
+ Introduce a new internal header file with definitions of
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
+ use them to temporary silence -Wcast-qual compilation warnings
+ in various modules.
+
+ * libpam/include/pam_cc_compat.h: New file.
+ * libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
+ (create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL
+ and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
+ (pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier
+ in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
+ (nl_send): Wrap the cast that discards ‘const’ qualifier in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
+ (_unix_run_verify_binary): Wrap execve invocation in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
+ (_unix_run_update_binary): Wrap execve invocation in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
+ (unix_update_shadow): Wrap the cast that discards ‘const’ qualifier
+ in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_unix/support.c: Include "pam_cc_compat.h".
+ (_unix_run_helper_binary): Wrap execve invocation in
+ DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+ * modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
+ (run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL
+ and DIAG_POP_IGNORE_CAST_QUAL.
+
+2020-01-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ _pam_mkargv: add const qualifier to the first argument.
+ Also fix the following compilation warning:
+
+ tests/tst-pam_mkargv.c:21:22: warning: initialization discards ‘const’
+ qualifier from pointer target type [-Wdiscarded-qualifiers]
+ char *argvstring = "user = XENDT\\userα user=XENDT\\user1";
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * libpam/pam_misc.c (_pam_mkargv): Add const qualifier to the first
+ argument.
+ * libpam/pam_private.h (_pam_mkargv): Likewise.
+ * tests/tst-pam_mkargv.c (main): Convert argvstring from a pointer into
+ a static const string, make argvresult array static const.
+
+2020-01-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix miscellaneous const issues.
+ * libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to
+ non-const char *.
+ * modules/pam_filter/pam_filter.c: Avoid using const char **.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
+ * modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
+ * modules/pam_tally2/pam_tally2.c: String literal must be assigned to
+ const char *.
+
+2020-01-17 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Return NULL instead of calling crypt_md5_wrapper().
+ If the call to the crypt(3) function failed for some reason during
+ hashing a new login passphrase, the wrapper function for computing
+ a hash with the md5crypt method was called internally by the pam_unix
+ module in previous versions of linux-pam.
+
+ With CVE-2012-3287 in mind, the md5crypt method is not considered to
+ be a safe nor recommended hashing method for a new login passphrase
+ since at least 2012. Thus pam_unix should error out in case of a
+ failure in crypt(3) instead of silently computing a hashed passphrase
+ using a potentially unsafe method.
+
+ * modules/pam_unix/pam_unix.8.xml: Update documentation.
+ * modules/pam_unix/passverify.c (create_password_hash): Return NULL
+ on error instead of silently invoke crypt_md5_wrapper().
+
+2020-01-15 Hulto <jack.m.mckenna@gmail.com>
+
+ Changed variable salt to hash.
+ helper_verify_password's variable salt is not just the salt but the whole hash. Renamed for clarity and conformity with the rest of the code.
+
+2020-01-15 Josef Moellers <jmoellers@suse.de>
+
+ Add two missing va_end() calls According to the man pages, "Each invocation of va_start() must be matched by a corresponding invocation of va_end() in the same function."
+
+2020-01-15 Steve Langasek <steve.langasek@canonical.com>
+
+ Further grammar fixes.
+
+ Bug-Debian: https://bugs.debian.org/651560
+
+2020-01-15 Steve Langasek <steve.langasek@canonical.com>
+
+ Miscellaneous spelling fixes.
+
+ Miscellaneous grammar fixes.
+
+2020-01-10 Andreas Henriksson <andreas@fatal.se>
+
+ pam_umask: document the 'nousergroups' option.
+ Add a short description of the nousergroups to the pam_umask(8)
+ man-page.
+
+2020-01-10 Andreas Henriksson <andreas@fatal.se>
+
+ pam_umask: add new 'nousergroups' module argument.
+ This is particularly useful when pam has been built with the new
+ --enable-usergroups configure switch, allowing users to override
+ the default-enabled state and disabling usergroups at runtime.
+
+ This is synonymous but opposite to current and previous pam_umask
+ default that could be changed to enabled at runtime with the usergroups
+ argument.
+
+2020-01-10 Andreas Henriksson <andreas@fatal.se>
+
+ pam_umask: build-time usergroups option default.
+ This change adds a configure option to set the default value of the
+ usergroups option (of the pam_umask module) at build-time.
+
+ Distributions usually makes the decision if usergroups should be used or
+ not. This allows them to control the built-in default value, without
+ having to ship the value in a config file (cluttering up the view
+ of actually relevant user/system configuration overrides).
+
+2020-01-02 msalle <mischa.salle@gmail.com>
+
+ pam_access: Fix (IPv6) address prefix size matching.
+ IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should
+ be discarded. Additionally, for IPv4 addresses, the largest valid prefix size
+ should be 32.
+
+ Fixes #161
+
+2019-12-18 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Do not use CFLAGS for warning flags set from configure.
+ To be able to set CFLAGS from make command-line but not to lose the
+ warning flags.
+
+ * configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
+ * */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
+
+2019-12-17 Balint Reczey <balint.reczey@canonical.com>
+
+ Return only PAM_IGNORE or error from pam_motd.
+ Follow-up for c81280b16e1831ab0bdd0383486c7e2d1eaf1b5e.
+ * modules/pam_motd/pam_motd.c: Return PAM_IGNORE if pam_putenv succeeds.
+ * modules/pam_motd/pam_motd.8.xml: Document additional possible return values of the module.
+
+2019-12-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ Add initial Travis CI support.
+ This runs "make distcheck" using gcc-9, gcc-8, gcc-7, and clang
+ on x86_64, x86, x32, aarch64, s390x, and ppc64le architectures.
+
+ * .travis.yml: New file.
+ * ci/install-dependencies.sh: Likewise.
+ * ci/run-build-and-tests.sh: Likewise.
+
+ Resolves: https://github.com/linux-pam/linux-pam/issues/28
+
+2019-12-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_pwhistory: fix build when -lxcrypt is not available.
+ When xcrypt.h is available but -lxcrypt is not, pam_pwhistory fails to
+ build with the following diagnostics:
+ modules/pam_pwhistory/opasswd.c:111: undefined reference to `xcrypt_r'
+
+ Fix this by using the same check for xcrypt as in other modules.
+
+ * modules/pam_pwhistory/opasswd.c: Replace HAVE_XCRYPT_H with
+ HAVE_LIBXCRYPT.
+
+2019-12-16 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix or suppress various warnings when compiling with -Wall -Wextra.
+ * conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
+ * doc/specs/Makefile.am: Likewise.
+
+ * libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.
+
+ * modules/pam_access/pam_access.c: Avoid double const.
+
+ * modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
+ without copying the NUL byte.
+
+ * modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
+ * modules/pam_time/pam_time.c: Likewise.
+
+ * modules/pam_limits/pam_limits.c: Remove unused units variable.
+
+ * modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.
+
+ * modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.
+
+ * modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
+ of hardcoded value.
+
+ * modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.
+
+ * modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.
+
+ * modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
+ cast for comparison.
+
+ * modules/pam_unix/support.c: Remove unused function.
+
+2019-12-04 Balint Reczey <balint@balintreczey.hu>
+
+ pam_motd: Export MOTD_SHOWN=pam after showing MOTD.
+ This is a useful indication for update-motd profile.d snippet which can
+ also try to show MOTD when it is not already shown.
+
+ The use-case for that is showing MOTD in shells in containers without
+ PAM being involved.
+
+ * modules/pam_motd/pam_motd.c: Export MOTD_SHOWN=pam after showing MOTD
+ * modules/pam_motd/pam_motd.8.xml: Mention setting MOTD_SHOWN=pam in the man page
+
+2019-11-28 ppkarwasz <piotr.github@karwasz.org>
+
+ Adds an auth module to pam_keyinit (#150)
+ Adds an auth module to pam_keyinit, whose implementation of
+ pam_sm_setcred
+ is identical to the implementation of pam_sm_open_session.
+
+ It is useful with PAM applications, which call pam_setcred,
+ before calling pam_open_session.
+
+ * modules/pam_keyinit/pam_keyinit.c: Add an auth module to pam_keyinit.
+
+ * modules/pam_keyinit/pam_keyinit.8.xml: Update the manpage
+ to describe the new functionality.
+
+2019-11-28 Sophie Herold <sophie@hemio.de>
+
+ Lower "bad username" log priority (#154)
+ * modules/pam_unix/pam_unix_auth.c: Use LOG_NOTICE instead of LOG_ERR.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_umask/pam_umask.c: Likewise.
+
+2019-11-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
+ * modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
+ noexec, nosuid, and nodev flags support.
+ * modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
+ filter out the flags.
+ (parse_method): Call the function.
+ (ns_setup): Apply the flags to the tmpfs mount.
+ * modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
+
+2019-11-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Optimize the checkgrouplist function.
+ There is no point in rising the allocation size by doubling when
+ we can allocate required memory size at once in the second pass.
+
+ * libpam/pam_modutil_ingroup.c (checkgrouplist): Allocate some reasonable
+ default size in first pass and required size in the second pass.
+
+2019-10-15 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ doc: fix module type written in MODULE TYPES PROVIDED.
+
+2019-10-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Add logging useful for debugging problems.
+ Two messages added about obtaining the username are guarded
+ by the debug option as these should not be normally
+ logged - they can be useful for debugging but they do not
+ indicate any special condition.
+
+ The message about authenticating user with blank password is
+ still just LOG_DEBUG priority but it is logged unconditionally
+ because it is somewhat extraordinary condition to have an user
+ with blank password.
+
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
+ D() macro calls which are not enabled on production builds with
+ regular pam_syslog() calls.
+
+2019-10-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Fix the spelling of Jan Rękorajski's name.
+
+2019-10-08 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ doc: fix typo in manpage.
+
+2019-10-03 MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+
+ pam_mkhomedir: Add debug option to pam_mkhomedir(8) man page.
+
+2019-09-23 Marek Černocký <marek@manet.cz>
+
+ Fixed missing quotes in configure script.
+
+2019-09-16 Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
+
+ Add support for a vendor directory and libeconf (#136)
+ With this, it is possible for Linux distributors to store their
+ supplied default configuration files somewhere below /usr, while
+ /etc only contains the changes made by the user. The new option
+ --enable-vendordir defines where Linux-PAM should additional look
+ for pam.d/*, login.defs and securetty if this files are not in /etc.
+ libeconf is a key/value configuration file reading library, which
+ handles the split of configuration files in different locations
+ and merges them transparently for the application.
+
+2019-09-12 Carlos Santos <casantos@redhat.com>
+
+ pam_lastlog: document the 'unlimited' option.
+
+2019-09-12 Carlos Santos <casantos@redhat.com>
+
+ pam_lastlog: prevent crash due to reduced 'fsize' limit.
+ It a reduced fsize limit is set in /etc/security/limits.conf and
+ pam_limits is in use pam_lastlog may cause a crash, e.g.
+
+ ----- begin /etc/pam.d/su ----
+ auth sufficient pam_rootok.so
+ auth required pam_wheel.so use_uid
+ auth required pam_env.so
+ auth required pam_unix.so nullok
+ account required pam_unix.so
+ password required pam_unix.so nullok
+ session required pam_limits.so
+ session required pam_env.so
+ session required pam_unix.so
+ session optional pam_lastlog.so
+ ----- end /etc/pam.d/su -----
+
+ ----- begin /etc/security/limits.d/fsize.conf -----
+ * soft fsize 1710
+ * hard fsize 1710
+ ----- end /etc/security/limits.d/fsize.conf -----
+
+ # id user1
+ uid=1000(user1) gid=1000(user1) groups=1000(user1)
+ # su - user1
+ Last login: Wed Sep 11 01:52:44 UTC 2019 on console
+ $ exit
+ # id user2
+ uid=60000(user2) gid=60000(user2) groups=60000(user2)
+ # su - user2
+ File size limit exceeded
+
+ This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
+ attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
+
+ In order to fix this, and an 'unlimited' option, which leads to saving
+ the 'fsize' limit and set it to unlimited before writing lastlog. After
+ that, restore the saved value. If 'fsize' is already unlimited nothing
+ is done.
+
+ Failing to set the 'fsize' limit is not a fatal error. With luck the
+ configured limit will suffice, so we try to write lastlog anyway, even
+ under the risk of dying due to a SIGXFSZ.
+
+ Failing to restore the 'fsize' limit is a fatal error, since we don't
+ want to keep it unlimited.
+
+2019-09-11 ed <ed@s5h.net>
+
+ pam_unix_sess.c add uid for opening session.
+ This adds the UID of the target user to the session open log.
+
+ Also fixing tabulation in pam_unix_sess.c.
+
+2019-09-09 lifecrisis <15251574+lifecrisis@users.noreply.github.com>
+
+ Fix the man page for "pam_fail_delay()"
+ This man page contained the incorrect statement that setting the
+ PAM_FAIL_DELAY item to NULL would disable any form of delay on
+ authentication failure.
+
+ I removed the incorrect statement and added a paragraph explaining
+ how an application should properly avoid delays.
+
+ Closes #137.
+
+2019-09-06 lifecrisis <15251574+lifecrisis@users.noreply.github.com>
+
+ Fix a typo.
+ There is an extra space where there should not be one.
+
+2019-09-06 lifecrisis <15251574+lifecrisis@users.noreply.github.com>
+
+ Update a function comment.
+ The function comment for "_pam_await_timer()" does not mention the
+ intended behavior of prioritizing the "PAM_FAIL_DELAY" item.
+
+ I updated the comment to make this intention clear.
+
+2019-09-02 Matt Cowell <matt.cowell@nokia.com>
+
+ pwhistory: fix read of uninitialized data and memory leak when modifying opasswd
+ The glibc implementation of getline/getdelim does not guarantee a NUL
+ terminator in lineptr if getline returns failure (-1). This occurs when
+ the opasswd file exists but is empty. Since strdup is called
+ immediately afterwards, this causes strdup to read uninitialized memory
+ and possibly buffer overrun / crash.
+
+ This also fixes a memory leak which always occurs when reading the last
+ line of the opasswd file. Since the strdup is called before checking
+ the return code from getline, getdelim, or fgets+strlen, it will
+ duplicate and never free either:
+ - The last successfully read line (for getline or getdelim)
+ - Uninitialized data (if the file is empty)
+ - A 0 byte string (for fgets+strlen)
+
+ Fix by always checking the return code of getline, getdelim, or
+ fgets+strlen before calling strdup.
+
+2019-08-26 Christophe Besson <cbesson@redhat.com>
+
+ libpam/pam_modutil_sanitize.c: optimize the way to close fds.
+
+2019-08-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tty_audit: Manual page clarification about password logging.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
+ can be sometimes logged even when the option is not set.
+
+2019-08-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_get_authtok_verify: Avoid duplicate password verification.
+ If password was already verified by previous modules in the stack
+ it does not need to be verified by pam_get_authtok_verify either.
+
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
+ appropriately.
+ (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
+ set it when the password is verified.
+ * libpam/pam_private.h: Add authtok_verified to the pam handle struct.
+ * libpam/pam_start.c (pam_start): Initialize authtok_verified.
+
+2019-07-16 2*yo <yohann@lepage.info>
+
+ Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+
+2019-06-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Correct MAXPASS define name in the previous two commits.
+ * modules/pam_unix/pam_unix_passwd.c: Change MAX_PASS to MAXPASS.
+ * modules/pam_unix/support.c: Likewise.
+
+2019-06-27 Florian Best <best@univention.de>
+
+ Restrict password length when changing password.
+
+ Trim password at PAM_MAX_RESP_SIZE chars.
+ Issue #118: Protect against Denial of Service attacks.
+ To prevent hashsum generation via crypt of very long passwords the
+ password is now stripped to 512 characters. This is equivalent behavior
+ to unix_chkpwd.
+
+2019-05-23 Olaf Mandel <o.mandel@menlosystems.com>
+
+ pam_succeed_if: Request user data only when needed.
+ Allow for conditions that just check the user field to also work for
+ users not known to the system. Before this caused a PAM_USER_UNKNOWN
+ even if no extra data for an existing user was needed. E.g.
+
+ auth sufficient pam_succeed_if.so user = NotKnownToSystem
+
+ modules/pam_succeed_if/pam_succeed_if.c (evaluate): Change the pwd
+ parameter to an input/output parameter. Lazily request pwd with
+ pam_modutil_getpwnam() if needed and return PAM_USER_UNKNOWN on failure.
+
+ modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Don't
+ request the pwd if !use_uid anymore and shift the output from audit to
+ after the evaluate() call. Also make sure not to give the normal failure
+ message if the lazy pwd loading failed.
+
+2019-02-26 Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+ pam_tally2: Remove unnecessary fsync()
+ pam_tally2 does fsync() after writing to a tally file.
+ This causes hard drive cache flushes on every failed SSH login on many
+ (if not most) filesystems.
+ And an internet-exposed machine can have a lot of these failed logins.
+
+ This operation however doesn't seem to be necessary - the pam_tally2
+ module does not do any operation which would need explicit post-crash
+ ordering, it just does simple file reads and writes.
+ And doing a fsync() after them doesn't close any race if the system happens
+ to crash between a write being posted and its fsync() completion.
+
+ Let's remove this operation to get rid of all these extra cache flushes.
+
+2019-02-19 vkwitshana <vkwitshana@gmail.com>
+
+ Fixed a grammer mistake.
+
+2019-01-10 Christopher Head <chead@chead.ca>
+
+ Fix documentation for pam_wheel.
+ By default, pam_wheel checks for applicant membership in the wheel group
+ for *all* access requests, regardless of whether the target user is root
+ or non-root. Only if root_only is provided does it limit the membership
+ check to cases when the target user is root. Update the documentation to
+ reflect this.
+
+2019-01-10 Louis Sautier <sautier.louis@gmail.com>
+
+ Fix a typo in the documentation.
+
+2019-01-10 Nir Soffer <nsoffer@redhat.com>
+
+ pam_lastlog: Improve silent option documentation.
+ The silent option explicitly silents only the last login message and not
+ bad logins. Add a note to the manual to make this clear.
+
+ * modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
+
+2019-01-10 Nir Soffer <nsoffer@redhat.com>
+
+ pam_lastlog: Respect PAM_SILENT flag.
+ pam_lastlog module will not log info about failed login if the session
+ was opened with PAM_SILENT flag.
+
+ Example use case enabled by this change:
+
+ sudo --non-interactive program
+
+ If this command is run by another program expecting specific output from
+ the command run by sudo, the unexpected info about failed logins will
+ break this program.
+
+ * modules/pam_lastlog/pam_lastlog.c: Respect silent option.
+ (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
+
+2019-01-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix regressions from the last commits.
+ * configure.ac: Test for logwtmp needs -lutil in LIBS.
+ * modules/Makefile.am: Fix indentation of variable assignments causing
+ creation of incorrect Makefile.
+
+2019-01-04 Rosen Penev <rosenp@gmail.com>
+
+ Replace strndupa with strncpy.
+ glibc only. A static string is better.
+
+2019-01-04 Yousong Zhou <yszhou4tech@gmail.com>
+
+ build: ignore pam_lastlog when logwtmp is not available.
+ * configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
+ * modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
+
+ build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+ * configure.ac: check for ruserok and ruserok_af
+ * modules/Makefile.am: ignore pam_rhosts/ if it's disabled
+ * modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
+
+2018-12-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_motd: Cleanup the code and avoid unnecessary logging.
+ The pam_motd module will not log if the default motd.d directories
+ are missing.
+
+ Also cleanup some code cleanliness issues and fix compilation
+ warnings.
+
+ * modules/pam_motd/pam_motd.c: Constification of constant strings.
+ (try_to_display_directory): Removed unused function.
+ (pam_split_string): Replace uint with unsigned int. Fix warnings.
+ (compare_strings): Fix warnings by proper constification.
+ (try_to_display_directories_with_overrides): Cleanups. Switch
+ off the logging if the motd.d directories are missing and they
+ are default ones.
+ (pam_sm_open_session): Cleanup warnings. Pass the information
+ to try_to_display_directories_with_overrides() that non-default
+ motd options are used.
+
+2018-12-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+ * modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the
+ LASTLOG_UID_MAX option.
+ * modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max().
+ (last_login_date): Check the uid against the get_lastlog_uid_max().
+ (pam_authenticate): Likewise.
+
+2018-12-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Move the duplicated search_key function to pam_modutil.
+ * libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
+ * libpam/Makefile.am: Add the pam_modutil_searchkey.c.
+ * libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
+ * libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
+ * modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
+ pam_modutil_search_key().
+ * modules/pam_umask/pam_umask.c: Likewise.
+ * modules/pam_unix/support.c: Likewise.
+
+2018-11-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Use pam_syslog instead of helper_log_err.
+ * modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
+ PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
+ * modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
+ * modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
+ to verify_pwd_hash() call.
+
+2018-11-27 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Report unusable hashes found by checksalt to syslog.
+ libxcrypt can be build-time configured to support (or not support)
+ various hashing methods. Future versions will also have support for
+ runtime configuration by the system's vendor and/or administrator.
+
+ For that reason adminstrator should be notified by pam if users cannot
+ log into their account anymore because of such a change in the system's
+ configuration of libxcrypt.
+
+ Also check for malformed hashes, like descrypt hashes starting with
+ "$2...", which might have been generated by unsafe base64 encoding
+ functions as used in glibc <= 2.16.
+ Such hashes are likely to be rejected by many recent implementations
+ of libcrypt.
+
+ * modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
+ hashes found by checksalt to syslog.
+
+2018-11-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Revert "pam_unix: Add crypt_default method, if supported."
+ This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
+
+2018-11-27 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Add crypt_default method, if supported.
+ libxcrypt since v4.4.0 supports a default method for its
+ gensalt function on most system configurations. As the
+ default method is to be considered the strongest available
+ hash method, it should be preferred over all other hash
+ methods supported by pam.
+
+ * modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
+ * modules/pam_unix/passverify.c: Add crypt_default method.
+ * modules/pam_unix/support.h: Likewise.
+
+2018-11-26 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Revert part of the commit 4da9febc.
+ pam_unix: Do not return a hard failure on invalid or disabled salt
+ as in some cases the failure actually is not interesting and can
+ broke things such as password-less sudo.
+
+ * modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
+ of disabled or invalid salt.
+
+2018-11-23 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Add support for (gost-)yescrypt hashing methods.
+ libxcrypt (v4.2 and later) has added support for the yescrypt
+ hashing method; gost-yescrypt has been added in v4.3.
+
+ * modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
+ * modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
+ * modules/pam_unix/pam_unix_auth.c: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/pam_unix_sess.c: Likewise.
+ * modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
+ * modules/pam_unix/passverify.h: Use 64 bit type for control flags.
+ * modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
+ * modules/pam_unix/support.h: Add support for (gost-)yescrypt.
+
+2018-11-22 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Fix closing curly brace. (#77)
+ This has been overlooked during review of commit dce80b3f11b3.
+
+ * modules/pam_unix/support.c (_set_ctrl): Fix closing curly brace.
+
+ Closes: https://github.com/linux-pam/linux-pam/issues/77
+
+2018-11-22 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+ libxcrypt v4.3 has added the crypt_checksalt function to whether
+ the prefix at the begining of a given hash string refers to a
+ supported hashing method.
+
+ Future revisions of this function will add support to check whether
+ the hashing method, the prefix refers to, was disabled or considered
+ deprecated by the system's factory presets or system administrator.
+ Furthermore it will be able to detect whether the parameters, which
+ are used by the corresponding hashing method, being encoded in the
+ hash string are not considered to be strong enough anymore.
+
+ *modules/pam_unix/passverify.c: Add support for crypt_checksalt.
+
+2018-11-22 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Prefer a gensalt function, that supports auto entropy.
+ * modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
+ * modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
+ * modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
+
+2018-11-21 Robert Fairley <rfairley@users.noreply.github.com>
+
+ pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+ This fixes a regression introduced by #69, where motd_path was set
+ to NULL and passed into strdup() if the motd_dir argument was
+ not specified in the configuration file. This caused a segmentation
+ fault.
+
+ * modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
+ * xtests/Makefile.am: add test scripts and config file
+ * xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
+ * xtests/tst-pam_motd4.pamd: create
+ * xtests/tst-pam_motd4.sh: create
+
+2018-11-19 Robert Fairley <rfairley@users.noreply.github.com>
+
+ pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+ Adds specifying multiple paths to motd files and motd.d
+ directories to be displayed. A colon-separated list of
+ paths is specified as arguments motd and motd_dir to the
+ pam_motd module.
+
+ This gives packages several options to install motd files to.
+ By default, the paths are, with highest priority first:
+ /etc/motd
+ /run/motd
+ /usr/lib/motd
+ /etc/motd.d/
+ /run/motd.d/
+ /usr/lib/motd.d/
+
+ Which is equivalent to the following arguments:
+ motd=/etc/motd:/run/motd:/usr/lib/motd
+ motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d
+
+ Files with the same filename in a lower-priority directory,
+ as specified by the order in the colon-separated list, are
+ overridden, meaning PAM will not display them.
+
+ This allows a package to contain motd files under
+ /usr/lib instead of the host configuration in /etc.
+ A service may also write a dynamically generated motd in
+ /run/motd.d/ and have PAM display it without needing a
+ symlink from /etc/motd.d/ installed.
+
+ Closes #68
+
+ * modules/pam_motd/pam_motd.8.xml: update documentation
+ * modules/pam_motd/pam_motd.c: add specifying multiple motd paths
+ * xtests/.gitignore: add generated test script
+ * xtests/Makefile.am: add test source, scripts and config files
+ * xtests/tst-pam_motd.c: create
+ * xtests/tst-pam_motd.sh: create
+ * xtests/tst-pam_motd1.pamd: create
+ * xtests/tst-pam_motd1.sh: create
+ * xtests/tst-pam_motd2.pamd: create
+ * xtests/tst-pam_motd2.sh: create
+ * xtests/tst-pam_motd3.pamd: create
+ * xtests/tst-pam_motd3.sh: create
+
+2018-11-16 Björn Esser <besser82@fedoraproject.org>
+
+ pam_unix: Use bcrypt b-variant for computing new hashes.
+ Bcrypt hashes used the "$2a$" prefix since 1997.
+ However, in 2011 an implementation bug was discovered in bcrypt
+ affecting the handling of characters in passphrases with the 8th
+ bit set.
+
+ Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
+ for a behavior that exactly matches crypt_blowfish's "$2y$", and
+ the crypt_blowfish implementation supports it as well since v1.1.
+
+ That said new computed bcrypt hashes should use the "$2b$" prefix.
+
+ * modules/pam_unix/passverify.c: Use bcrypt b-variant.
+
+2018-06-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_tally, pam_tally2: fix grammar and spelling (#54)
+ * modules/pam_tally/pam_tally.c (tally_check): Replace
+ "Account is temporary locked" with "The account is temporarily locked"
+ in translated messages.
+ * modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+ * po/Linux-PAM.pot: Update pam_tally and pam_tally2 messages.
+
+ Closes: https://github.com/linux-pam/linux-pam/issues/54
+
+2018-06-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix grammar of messages printed via pam_prompt.
+ Turn into proper sentences those messages that are printed without
+ further modifications using pam_prompt in contexts where proper
+ sentences are expected.
+
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
+ of the message passed to pam_error.
+ * modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
+ grammar of error messages passed to pam_error.
+ * modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
+ passed to pam_info.
+ * modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
+ * modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
+ grammar of messages passed to pam_prompt.
+ * modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
+ passed to pam_info.
+ * modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
+ of messages passed to _make_remark.
+ * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
+ pam_sm_chauthtok): Likewise.
+ * po/Linux-PAM.pot: Regenerate.
+
+2018-06-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_stress: do not mark messages for translation.
+ pam_stress is not a regular module that needs to be translated.
+ Besides that, its messages are not easy to understand
+ and even harder to translate properly.
+
+ * modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Do not mark
+ messages for translation.
+ * po/Linux-PAM.pot: Remove pam_stress messages.
+
+2018-05-31 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+ The last use of these macros was removed by commit Linux-PAM-1.3.0~5
+ so their definitions should go as well.
+
+ * modules/pam_unix/pam_unix_auth.c (_UNIX_AUTHTOK): Remove.
+ * modules/pam_unix/pam_unix_passwd.c (_UNIX_OLD_AUTHTOK,
+ _UNIX_NEW_AUTHTOK): Likewise.
+
+ Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
+ direct pam_prompt() calls.")
+
+2018-05-31 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: remove obsolete _unix_read_password prototype.
+ The function was removed by commit Linux-PAM-1.3.0~5
+ so the function prototype should go as well.
+
+ * modules/pam_unix/support.h (_unix_read_password): Remove.
+
+ Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
+ direct pam_prompt() calls.")
+
+2018-05-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.3.1.
+
+ Add xz compression.
+
+2018-05-16 Allison Karlitskaya <allison.karlitskaya@redhat.com>
+
+ pam_motd: add support for a motd.d directory (#48)
+ Add a new feature to pam_motd to allow packages to install their own
+ message files in a "motd.d" directory, to be displayed after the primary
+ motd.
+
+ Add an option motd_d= to specify the location of this directory.
+
+ Modify the defaults, in the case where no options are given, to display
+ both /etc/motd and /etc/motd.d.
+
+ Fixes #47
+
+ * modules/pam_motd/pam_motd.c: add support for motd.d
+ * modules/pam_motd/pam_motd.8.xml: update the manpage
+
+2018-05-02 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_umask: Fix documentation to align with order of loading umask.
+ * modules/pam_umask/pam_umask.8.xml: Document the real order of loading
+ umask.
+
+2018-04-10 Joey Chagnon <joeychagnon@users.noreply.github.com>
+
+ Fix missing word in documentation.
+ * doc/man/pam_get_user.3.xml: Fix it.
+
+2017-11-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_tally2 --reset: avoid creating a missing tallylog file.
+ There is no need for pam_tally2 in --reset=0 mode to create a missing
+ tallylog file because its absence has the same meaning as its existence
+ with the appropriate entry reset.
+
+ This was not a big deal until useradd(8) from shadow suite release 4.5
+ started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
+ configuration.
+
+ The positive effect of this change is noticeable when using tools like
+ cpio(1) that cannot archive huge sparse files efficiently.
+
+ * modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
+ cline_filename when cline_reset == 0, exit early if the file is missing.
+
+2017-11-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_mkhomedir: Allow creating parent of homedir under /
+ * modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
+ skip creating the directory if we are under /.
+
+2017-10-09 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tty_audit: Fix regression introduced by adding the uid range support.
+ * modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
+ remove unneeded code carried from pam_limits.
+ (pam_sm_open_session): When multiple enable/disable options are present do not
+ stop after first match.
+
+2017-09-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: Add note about spaces around ':' in access.conf(5)
+ * modules/pam_access/access.conf.5.xml: Add note about spaces around ':'
+
+ Workaround formatting problem in pam(8)
+ * doc/man/pam.8.xml: Workaround formatting problem.
+
+2017-07-12 Peter Urbanec <peterurbanec@users.noreply.github.com>
+
+ pam_unix: Check return value of malloc used for setcred data (#24)
+ Check the return value of malloc and if it failed print debug info, send
+ a syslog message and return an error code.
+
+ The test in AUTH_RETURN for ret_data not being NULL becomes redundant.
+
+2017-07-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_cracklib: Drop unused prompt macros.
+ * modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.
+
+2017-06-28 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tty_audit: Support matching users by uid range.
+ * modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
+ parse the uid range.
+ (pam_sm_open_session): Call parse_uid_range() and behave according to its result.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.
+
+2017-05-31 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: support parsing files in /etc/security/access.d/*.conf.
+ * modules/pam_access/pam_access.c (login_access): Return NOMATCH if
+ there was no match in the parsed file.
+ (pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
+ subdirectory and call login_access() on the individual files matched.
+ * modules/pam_access/pam_access.8.xml: Document the addition.
+ * modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.
+
+2017-04-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_localuser: Correct the example in documentation.
+ * modules/pam_localuser/pam_localuser.8.xml: The example configuration
+ does something different.
+
+ pam_localuser: Correct documentation of return value.
+ * modules/pam_localuser/pam_localuser.8.xml: The module returns
+ PAM_PERM_DENIED when the user is not listed.
+
+2017-03-10 Saul Johnson <saul.a.johnson@gmail.com>
+
+ Make maxclassrepeat=1 behavior consistent with docs (#9)
+ * modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.
+
+2017-02-09 Josef Moellers <jmoellers@suse.de>
+
+ Properly test for strtol() failure to find any digits.
+ * modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
+ to beginning and not NULL.
+
+2017-01-19 Daniel Abrecht <daniel.abrecht@hotmail.com>
+
+ pam_exec: fix a potential null pointer dereference.
+ Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
+ but the response is set to NULL.
+
+ * modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
+ with a null pointer.
+
+ Closes: https://github.com/linux-pam/linux-pam/pull/2
+
+2016-12-07 Antonio Ospite <ao2@ao2.it>
+
+ Add missing comma in the limits.conf.5 manpage.
+ * modules/pam_limits/limits.conf.5.xml: add a missing comma
+
+2016-11-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Regular links doesn't work with -no-numbering -no-references.
+ * configure.ac: Use elinks instead of links.
+
+2016-11-01 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: First check for the (group) match.
+ The (group) match is performed first to allow for groups
+ containing '@'.
+
+ * modules/pam_access/pam_access.c (user_match): First check for the (group) match.
+
+2016-10-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_ftp: Properly use the first name from the supplied list.
+ * modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
+ of anonymous users if user name matches.
+ (pam_sm_authenticate): Free the returned value allocated in lookup().
+
+2016-09-12 Bartos-Elekes Zsolt <muszi@kite.hu>
+
+ pam_issue: Fix no prompting in parse escape codes mode.
+ * modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
+
+2016-06-30 Maxin B. John <maxin.john@intel.com>
+
+ xtests: remove bash dependency.
+ There are no bash specific syntax in the xtest scripts. So, remove
+ the bash dependency.
+
+2016-06-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Unification and cleanup of syslog log levels.
+ * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
+ * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
+ with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
+ with LOG_ERR.
+ * modules/pam_limits/pam_limits.c: User login limit messages are syslogged
+ with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
+ LOG_ERR.
+ * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
+ with LOG_NOTICE.
+ * modules/pam_namespace/pam_namespace.c: Make memory allocation failures
+ LOG_CRIT.
+ * modules/pam_nologin/pam_nologin.c: Make memory allocation failures
+ LOG_CRIT, other errors LOG_ERR.
+ * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
+ with LOG_NOTICE, non-memory errors with LOG_ERR.
+ * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
+ LOG_ERR.
+ * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
+ * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
+ LOG_CRIT.
+ * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
+ other errors LOG_ERR.
+ * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
+ * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
+ max retries ignorance by application likewise.
+ * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
+ * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
+ with LOG_NOTICE.
+ * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
+
+2016-06-14 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_timestamp: fix typo in strncmp usage.
+ Before this fix, a typo in check_login_time resulted to ruser and
+ struct utmp.ut_user being compared by the first character only,
+ which in turn could lead to a too low timestamp value being assigned
+ to oldest_login, effectively causing bypass of check_login_time.
+
+ * modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
+ in strncmp usage.
+
+ Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
+
+2016-05-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Correct the examples in pam_fail_delay(3) man page.
+ doc/man/pam_fail_delay.3.xml: Correct the examples.
+
+2016-05-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Remove spaces in examples for access.conf.
+ The spaces are ignored only with the default listsep. To remove confusion
+ if non-default listsep is used they are removed from the examples.
+
+ * modules/pam_access/access.conf: Remove all spaces around ':' in examples.
+ * modules/pam_access/access.conf.5.xml: Likewise.
+
+2016-05-05 Mike Frysinger <vapier@gentoo.org>
+
+ build: avoid non-portable == with "test" (ticket #60)
+ POSIX says test only accepts =. Some shells (including bash) accept ==,
+ but we should still stick to = for portability.
+
+ * configure.ac: Replace == with = in "test" invocations.
+
+2016-04-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.3.0.
+ * NEWS: add changes for 1.3.0.
+ * configure.ac: bump version number.
+ * libpam/Makefile.am: bump revision of libpam.so version.
+
+2016-04-28 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Zanata.
+ * po/*.po: Updated translations from Zanata.
+
+2016-04-19 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_wheel: Correct the documentation of the root_only option.
+ * modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
+ root_only option.
+
+ pam_unix: Document that MD5 password hash is used to store old passwords.
+ modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
+ to store the old passwords when remember option is set.
+
+2016-04-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Project registered at Zanata (fedora.zanata.org) for translations.
+ * zanata.xml: Configuration file for zanata client.
+ * po/LINGUAS: Update languages as supported by Zanata.
+ * po/Linux-PAM.pot: Updated from sources.
+ * po/*.po: Updated from sources.
+
+2016-04-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.
+ We have to drop support for not_set_pass option which is not much useful
+ anyway. Instead we get proper support for authtok_type option.
+
+ * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
+ pe
+ option.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
+ sword()
+ call with equivalent pam_get_authtok() call.
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
+ support for not_set_pass.
+ * modules/pam_unix/support.c (_unix_read_password): Remove.
+ * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
+
+2016-04-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_get_authtok(): Add authtok_type support to current password prompt.
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password,
+ use different prompt for current password allowing for authtok_type to be
+ displayed to the user.
+
+2016-04-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Make password expiration messages more user-friendly.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
+ expiration messages more user-friendly.
+
+2016-04-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. [ticket#46]
+ * modules/pam_group/pam_group.c: ditto
+ * modules/pam_succeed_if/pam_succeed_if.c: ditto
+ * modules/pam_time/pam_time.c: ditto
+
+ build: fix build when crypt() is not part of crypt_libs [ticket#46]
+ * configure.ac: Don't set empty -l option in crypt check
+
+ build: use $host_cpu for lib64 directory handling [ticket#46]
+ * configure.ac: use $host_cpu for lib64 directory handling.
+
+2016-04-01 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix whitespace issues.
+ Remove blank lines at EOF introduced by commit
+ a684595c0bbd88df71285f43fb27630e3829121e,
+ making the project free of warnings reported by
+ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+ * libpam/pam_dynamic.c: Remove blank line at EOF.
+ * modules/pam_echo/pam_echo.c: Likewise.
+ * modules/pam_keyinit/pam_keyinit.c: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+ * modules/pam_rhosts/pam_rhosts.c: Likewise.
+ * modules/pam_sepermit/pam_sepermit.c: Likewise.
+ * modules/pam_stress/pam_stress.c: Likewise.
+
+2016-04-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Use TI-RPC functions if we compile and link against libtirpc. The old SunRPC functions don't work with IPv6.
+ * configure.ac: Set and restore CPPFLAGS
+ * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
+ rpcb_getaddr if available.
+
+2016-03-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it.
+ * libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility
+
+ Remove "--enable-static-modules" option and support from Linux-PAM. It was never official supported and was broken since years.
+ * configure.ac: Remove --enable-static-modules option.
+ * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
+ * doc/man/pam_sm_authenticate.3.xml: Likewise.
+ * doc/man/pam_sm_chauthtok.3.xml: Likewise.
+ * doc/man/pam_sm_close_session.3.xml: Likewise.
+ * doc/man/pam_sm_open_session.3.xml: Likewise.
+ * doc/man/pam_sm_setcred.3.xml: Likewise.
+ * libpam/Makefile.am: Remove STATIC_MODULES cases.
+ * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
+ * libpam/pam_dynamic.c: Likewise.
+ * libpam/pam_handlers.c: Likewise.
+ * libpam/pam_private.h: Likewise.
+ * libpam/pam_static.c: Remove file.
+ * libpam/pam_static_modules.h: Remove header file.
+ * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
+ * modules/pam_cracklib/pam_cracklib.c: Likewise.
+ * modules/pam_debug/pam_debug.c: Likewise.
+ * modules/pam_deny/pam_deny.c: Likewise.
+ * modules/pam_echo/pam_echo.c: Likewise.
+ * modules/pam_env/pam_env.c: Likewise.
+ * modules/pam_exec/pam_exec.c: Likewise.
+ * modules/pam_faildelay/pam_faildelay.c: Likewise.
+ * modules/pam_filter/pam_filter.c: Likewise.
+ * modules/pam_ftp/pam_ftp.c: Likewise.
+ * modules/pam_group/pam_group.c: Likewise.
+ * modules/pam_issue/pam_issue.c: Likewise.
+ * modules/pam_keyinit/pam_keyinit.c: Likewise.
+ * modules/pam_lastlog/pam_lastlog.c: Likewise.
+ * modules/pam_limits/pam_limits.c: Likewise.
+ * modules/pam_listfile/pam_listfile.c: Likewise.
+ * modules/pam_localuser/pam_localuser.c: Likewise.
+ * modules/pam_loginuid/pam_loginuid.c: Likewise.
+ * modules/pam_mail/pam_mail.c: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+ * modules/pam_motd/pam_motd.c: Likewise.
+ * modules/pam_namespace/pam_namespace.c: Likewise.
+ * modules/pam_nologin/pam_nologin.c: Likewise.
+ * modules/pam_permit/pam_permit.c: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+ * modules/pam_rhosts/pam_rhosts.c: Likewise.
+ * modules/pam_rootok/pam_rootok.c: Likewise.
+ * modules/pam_securetty/pam_securetty.c: Likewise.
+ * modules/pam_selinux/pam_selinux.c: Likewise.
+ * modules/pam_sepermit/pam_sepermit.c: Likewise.
+ * modules/pam_shells/pam_shells.c: Likewise.
+ * modules/pam_stress/pam_stress.c: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.c: Likewise.
+ * modules/pam_tally/pam_tally.c: Likewise.
+ * modules/pam_tally2/pam_tally2.c: Likewise.
+ * modules/pam_time/pam_time.c: Likewise.
+ * modules/pam_timestamp/pam_timestamp.c: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c: Likewise.
+ * modules/pam_umask/pam_umask.c: Likewise.
+ * modules/pam_userdb/pam_userdb.c: Likewise.
+ * modules/pam_warn/pam_warn.c: Likewise.
+ * modules/pam_wheel/pam_wheel.c: Likewise.
+ * modules/pam_xauth/pam_xauth.c: Likewise.
+ * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
+ * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
+ * modules/pam_unix/pam_unix_auth.c: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/pam_unix_sess.c: Likewise.
+ * modules/pam_unix/pam_unix_static.c: Removed.
+ * modules/pam_unix/pam_unix_static.h: Removed.
+ * po/POTFILES.in: Remove removed files.
+ * tests/tst-dlopen.c: Remove PAM_STATIC part.
+
+2016-03-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Fix check for libtirpc and enhance check for libnsl to include new libnsl.
+ * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
+ * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
+
+2016-03-23 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Remove YP dependencies from pam_access, they were never used and such not needed.
+ * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
+ * modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
+ it will never be used.
+
+2016-03-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add checks for localtime() returning NULL.
+ * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
+ returning NULL.
+ * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
+ NULL.
+
+2016-03-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Silence warnings and fix a minor bug.
+ Fixes a minor bug in behavior when is_selinux_enabled()
+ returned negative value.
+
+ * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
+ (unix_update_shadow): Safe cast forwho to non-const char *.
+ * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
+
+2016-02-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_env: Document the /etc/environment file.
+ * modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
+ * modules/pam_env/pam_env.8.xml: Add environ(7) reference.
+ * modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
+ Add a paragraph about /etc/environment. Add environ(7) reference.
+
+ pam_unix: Add no_pass_expiry option to ignore password expiration.
+ * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
+ is on and return value data is not set to PAM_SUCCESS then ignore
+ PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
+ return value data.
+ (pam_sm_setcred): Test for likeauth option and use the return value data
+ only if set.
+ * modules/pam_unix/support.h: Add the no_pass_expiry option.
+
+2016-01-25 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_unix: Change the salt length for new hashes to 16 characters.
+ * modules/pam_unix/passverify.c (create_password_hash): Change the
+ salt length for new hashes to 16 characters.
+
+2015-12-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Relax the conditions for fatal failure on auditing.
+ The PAM library calls will not fail anymore for any uid if the return
+ value from the libaudit call is -EPERM.
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
+
+2015-12-16 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tally2: Optionally log the tally count when checking.
+ * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
+ (tally_check): Always log the tally count with debug option.
+
+2015-10-02 Jakub Hrozek <jakub.hrozek@posteo.se>
+
+ Docfix: pam handle is const in pam_syslog() and pam_vsyslog()
+ * doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
+
+2015-09-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_loginuid: Add syslog message if required auditd is not detected.
+ * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
+ if required auditd is not detected.
+
+2015-09-04 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Allow links to be used instead of w3m for documentation regeneration.
+ * configure.ac: If w3m is not found check for links.
+
+ Add missing space in pam_misc_setenv man page.
+ * doc/man/pam_misc_setenv.3.xml: Add a missing space.
+
+2015-08-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_rootok: use rootok permission instead of passwd permission in SELinux check.
+ * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
+ passwd permission.
+
+2015-08-05 Amarnath Valluri <amarnath.valluri@intel.com>
+
+ pam_timestamp: Avoid leaking file descriptor.
+ * modules/pam_timestamp/hmacsha1.c(hmac_key_create):
+ close 'keyfd' when failed to own it.
+
+2015-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.2.1.
+ Security fix: CVE-2015-3238
+
+ If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+ of pam_unix is not privileged enough to check the password, e.g.
+ if selinux is enabled, the _unix_run_helper_binary function is called.
+ When a long enough password is supplied (16 pages or more, i.e. 65536+
+ bytes on a system with 4K pages), this helper function hangs
+ indefinitely, blocked in the write(2) call while writing to a blocking
+ pipe that has a limited capacity.
+ With this fix, the verifiable password length will be limited to
+ PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+ * NEWS: Update
+ * configure.ac: Bump version
+ * modules/pam_exec/pam_exec.8.xml: document limitation of password length
+ * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
+ * modules/pam_unix/pam_unix.8.xml: document limitation of password length
+ * modules/pam_unix/pam_unix_passwd.c: limit password length
+ * modules/pam_unix/passverify.c: Likewise
+ * modules/pam_unix/passverify.h: Likewise
+ * modules/pam_unix/support.c: Likewise
+
+2015-04-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Update NEWS file.
+
+ Release version 1.2.0.
+ * NEWS: Update
+ * configure.ac: Bump version
+ * libpam/Makefile.am: Bump version of libpam
+ * libpam_misc/Makefile.am: Bump version of libpam_misc
+ * po/*: Regenerate po files
+
+ Fix some grammatical errors in documentation. Patch by Louis Sautier.
+ * doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
+ * doc/man/pam.3.xml: Likewise.
+ * doc/man/pam_acct_mgmt.3.xml: Likewise.
+ * doc/man/pam_chauthtok.3.xml: Likewise.
+ * doc/man/pam_sm_chauthtok.3.xml: Likewise.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+ * modules/pam_mail/pam_mail.8.xml: Likewise.
+ * modules/pam_rhosts/pam_rhosts.c: Likewise.
+ * modules/pam_shells/pam_shells.8.xml: Likewise.
+ * modules/pam_tally/pam_tally.8.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.8.xml: Likewise.
+ * modules/pam_unix/pam_unix.8.xml: Likewise.
+
+2015-04-23 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Add "quiet" option to pam_unix to suppress informential info messages from session.
+ * modules/pam_unix/pam_unix.8.xml: Document new option.
+ * modules/pam_unix/support.h: Add quiet option.
+ * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
+ 'quiet' option is set.
+
+2015-04-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Use crypt_r if available in pam_userdb and in pam_unix.
+ * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
+ instead of crypt() if available.
+ * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
+ instead of crypt() if available.
+
+2015-03-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Support alternative "vendor configuration" files as fallback to /etc (Ticket#34, patch from ay Sievers <kay@vrfy.org>)
+ * doc/man/pam.8.xml: document additonal config directory
+ * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
+ * libpam/pam_private.h: adjust defines
+
+ pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)
+ * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
+ * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
+ * modules/pam_env/pam_env.8.xml: Enhance documentation
+
+2015-03-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39)
+ * modules/pam_access/access.conf.5.xml
+ * modules/pam_access/pam_access.8.xml
+
+ Don't use sudo directory, the timestamp format is different (Ticket#32)
+ * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
+
+ Enhance group.conf examples (Ticket#35)
+ * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
+
+ Document timestampdir option (Ticket#33)
+ * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
+
+ Adjust documentation (Ticket#36)
+ * libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
+ * doc/man/pam_fail_delay.3.xml: Change 25% to 50%
+
+2015-02-18 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Transifex.
+ * po/*.po: Updated translations from Transifex.
+
+2015-01-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: raise gettext version requirement.
+ Raise gettext requirement to the latest oldstable version 0.18.3.
+ This fixes the following automake warning:
+
+ configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
+ configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
+ configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
+
+ * configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
+ * po/Makevars: Update from gettext-0.18.3.
+
+2015-01-07 Ronny Chevalier <chevalier.ronny@gmail.com>
+
+ build: adjust automake warning flags.
+ Enable all automake warning flags except for the portability issues,
+ since non portable features are used among the makefiles.
+
+ * configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
+
+2015-01-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: rename configure.in to configure.ac.
+ This fixes the following automake warning:
+ aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
+
+ * configure.in: Rename to configure.ac.
+
+2015-01-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ Remove unmodified GNU gettext files installed by autopoint.
+ These files are part of GNU gettext; we have not modified them, they are
+ installed by autopoint which is called by autoreconf, so they had to be
+ removed from this repository along with ABOUT-NLS, config.rpath, and
+ mkinstalldirs files that were removed by commit
+ Linux-PAM-1_1_5-7-g542ec8b.
+
+ * po/Makefile.in.in: Remove.
+ * po/Rules-quot: Likewise.
+ * po/boldquot.sed: Likewise.
+ * po/en@boldquot.header: Likewise.
+ * po/en@quot.header: Likewise.
+ * po/insert-header.sin: Likewise.
+ * po/quot.sed: Likewise.
+ * po/remove-potcdate.sin: Likewise.
+ * po/.gitignore: Ignore these files.
+
+2015-01-06 Ronny Chevalier <chevalier.ronny@gmail.com>
+
+ Update .gitignore.
+ * .gitignore: Ignore *.log and *.trs files.
+
+2015-01-02 Luke Shumaker <lukeshu@sbcglobal.net>
+
+ libpam: Only print "Password change aborted" when it's true.
+ pam_get_authtok() may be used any time that a password needs to be entered,
+ unlike pam_get_authtok_{no,}verify(), which may only be used when
+ changing a password; yet when the user aborts, it prints "Password change
+ aborted." whether or not that was the operation being performed.
+
+ This bug was non-obvious because none of the modules distributed with
+ Linux-PAM use it for anything but changing passwords; pam_unix has its
+ own utility function that it uses instead. As an example, the
+ nss-pam-ldapd package uses it in pam_sm_authenticate().
+
+ libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
+ password is trying to be changed before printing a message about the
+ password change being aborted.
+
+2014-12-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ build: extend cross compiling check to cover CPPFLAGS (ticket #21)
+ Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in
+ case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS,
+ and BUILD_LDFLAGS variables introduced earlier to override CC,
+ CFLAGS, and LDFLAGS, respectively.
+
+ * configure.in (BUILD_CPPFLAGS): Define.
+ * doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.
+
+2014-12-09 Dmitry V. Levin <ldv@altlinux.org>
+
+ Do not use yywrap (ticket #42)
+ Our scanners do not really use yywrap. Explicitly disable yywrap
+ so that no references to yywrap will be generated and no LEXLIB
+ would be needed.
+
+ * conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
+ * conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
+ * doc/specs/Makefile.am (padout_LDADD): Remove.
+ * doc/specs/parse_l.l: Enable noyywrap option.
+
+2014-12-09 Kyle Manna <kyle@kylemanna.com>
+
+ doc: fix a trivial typo in pam_authenticate return values (ticket #38)
+ * doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.
+
+2014-12-08 Ronny Chevalier <chevalier.ronny@gmail.com>
+
+ doc: fix typo in pam_authenticate.3.xml.
+ * doc/man/pam_authenticate.3.xml: Fix typo.
+
+2014-10-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_succeed_if: Fix copy&paste error in rhost and tty values.
+ modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST
+ and PAM_TTY properly for the rhost and tty values.
+
+2014-10-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_succeed_if: Use long long type for numeric values.
+ The currently used long with additional conversion to int is
+ too small for uids and gids.
+
+ modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace
+ strtol() with strtoll() and int with long long in the parameters
+ of comparison functions.
+
+2014-09-05 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add grantor field to audit records of libpam.
+ The grantor field gives audit trail of PAM modules which granted access
+ for successful return from libpam calls. In case of failed return
+ the grantor field is set to '?'.
+ libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
+ libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
+ libpam/pam_password.c (pam_chauthtok): Likewise.
+ libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
+ libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
+ add grantor= field to the message if grantors is set.
+ (_pam_list_grantors): New function creating the string with grantors list.
+ (_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
+ to list the grantors from the handler list.
+ (_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
+ (pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
+ libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
+ (_pam_clear_grantors): New function to clear grantor field of handler.
+ (_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
+ Call _pam_auditlog() when appropriate.
+ libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
+ or just "?" to avoid confusing audit trail.
+ (_pam_add_handler): Test for NULL return from extract_modulename().
+ Clear grantor field of handler.
+ libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
+ parameter to _pam_auditlog().
+
+2014-08-26 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_mkhomedir: Drop superfluous stat() call.
+ modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous
+ stat() call.
+
+ pam_exec: Do not depend on open() returning STDOUT_FILENO.
+ modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to
+ STDOUT_FILENO if needed.
+
+2014-08-25 Robin Hack <rhack@redhat.com>
+
+ pam_keyinit: Check return value of setregid.
+ modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
+
+ pam_filter: Avoid leaking descriptors when fork() fails.
+ modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
+
+2014-08-14 Robin Hack <rhack@redhat.com>
+
+ pam_echo: Avoid leaking file descriptor.
+ modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
+
+2014-08-13 Robin Hack <rhack@redhat.com>
+
+ pam_tty_audit: Silence Coverity reporting uninitialized use.
+ modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also
+ msg_flags.
+
+2014-08-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_tally2: Avoid uninitialized use of fileinfo.
+ Problem found by Robin Hack <rhack@redhat.com>.
+ modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size
+ just try to read it.
+
+ pam_access: Avoid uninitialized access of line.
+ * modules/pam_access/pam_access.c (login_access): Reorder condition
+ so line is not accessed when uninitialized.
+
+2014-08-05 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_lastlog: Properly clean up last_login structure before use.
+ modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login
+ structure before use.
+
+2014-07-21 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.
+ * modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields
+ in opasswd entry and return error.
+ * modules/pam_unix/passverify.c (save_old_password): Test for missing fields
+ in opasswd entry and skip it.
+
+2014-06-30 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: add missing build dependencies for soelim stubs.
+ * doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for
+ pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs.
+
+2014-06-23 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: fix install in case of out of tree build (ticket #31)
+ * doc/adg/Makefile.am (install-data-local, releasedocs): Fall back
+ to srcdir if documentation files haven't been found in builddir.
+ (releasedocs): Treat missing documentation files as an error.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+
+2014-06-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ doc: fix installation of adg-*.html and mwg-*.html files (ticket #31)
+ Fix a typo due to which sag-*.html files might be installed instead of
+ adg-*.html and mwg-*.html files.
+
+ * doc/adg/Makefile.am (install-data-local): Install adg-*.html instead
+ of sag-*.html.
+ * doc/mwg/Makefile.am (install-data-local): Install mwg-*.html instead
+ of sag-*.html.
+
+ Patch-by: Mike Frysinger <vapier@gentoo.org>
+
+2014-06-19 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_limits: nofile refers to file descriptors not files.
+ modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
+ modules/pam_limits/limits.conf: Likewise.
+
+ pam_limits: clarify documentation of maxlogins and maxsyslogins limits.
+ modules/pam_limits/limits.conf.5.xml: clarify documentation of
+ maxlogins and maxsyslogins limits.
+
+ pam_unix: Check for NULL return from Goodcrypt_md5().
+ modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for
+ NULL return from Goodcrypt_md5().
+
+ pam_unix: check for NULL return from malloc()
+ * modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
+
+2014-05-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_loginuid: Document one more possible case of PAM_IGNORE return.
+ modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case
+ of PAM_IGNORE return value.
+
+ pam_loginuid: Document other possible return values.
+ modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return
+ values.
+
+2014-03-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_timestamp: fix potential directory traversal issue (ticket #27)
+ pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+ the timestamp pathname it creates, so extra care should be taken to
+ avoid potential directory traversal issues.
+
+ * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+ "." and ".." tty values as invalid.
+ (get_ruser): Treat "." and ".." ruser values, as well as any ruser
+ value containing '/', as invalid.
+
+ Fixes CVE-2014-2583.
+
+ Reported-by: Sebastian Krahmer <krahmer@suse.de>
+
+2014-03-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_userdb: document that .db suffix should not be used.
+ modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix
+ should not be used and correct the example.
+
+2014-03-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_selinux: canonicalize user name.
+ SELinux expects canonical user name for example without domain component.
+
+ * modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().
+
+2014-01-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ Change tarball name back to "Linux-PAM"
+ As a side effect of commit Linux-PAM-1_1_8-11-g3fa23ce, tarball name
+ changed accidentally from "Linux-PAM" to "linux-pam".
+ This change brings it back to "Linux-PAM".
+
+ * configure.in (AC_INIT): Explicitly specify TARNAME argument.
+
+2014-01-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ Introduce pam_modutil_sanitize_helper_fds.
+ This change introduces pam_modutil_sanitize_helper_fds - a new function
+ that redirects standard descriptors and closes all other descriptors.
+
+ pam_modutil_sanitize_helper_fds supports three types of input and output
+ redirection:
+ - PAM_MODUTIL_IGNORE_FD: do not redirect at all.
+ - PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented
+ by creating a pipe, closing its write end, and redirecting stdin to
+ its read end. Likewise, for stdout/stderr it is implemented by
+ creating a pipe, closing its read end, and redirecting to its write
+ end. Unlike stdin redirection, stdout/stderr redirection to a pipe
+ has a side effect that a process writing to such descriptor should be
+ prepared to handle SIGPIPE appropriately.
+ - PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is
+ implemented via PAM_MODUTIL_PIPE_FD because there is no functional
+ difference. For stdout/stderr, it is classic redirection to
+ /dev/null.
+
+ PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
+ security restrictions, but when the helper process might be writing to
+ the corresponding descriptor and termination of the helper process by
+ SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.
+
+ * libpam/pam_modutil_sanitize.c: New file.
+ * libpam/Makefile.am (libpam_la_SOURCES): Add it.
+ * libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
+ pam_modutil_sanitize_helper_fds): New declarations.
+ * libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
+ * modules/pam_exec/pam_exec.c (call_exec): Use
+ pam_modutil_sanitize_helper_fds.
+ * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
+ * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
+ Likewise.
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+ * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
+ * modules/pam_unix/support.h (MAX_FD_NO): Remove.
+
+2014-01-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_xauth: avoid potential SIGPIPE when writing to xauth process.
+ Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
+
+ * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
+ close the read end of input pipe after writing to its write end.
+
+2014-01-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_loginuid: log significant loginuid write errors.
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
+ during /proc/self/loginuid update that are not ignored.
+
+2014-01-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix gratuitous use of strdup and x_strdup.
+ There is no need to copy strings passed as arguments to execve,
+ the only potentially noticeable effect of using strdup/x_strdup
+ would be a malformed argument list in case of memory allocation error.
+
+ Also, x_strdup, being a thin wrapper around strdup, is of no benefit
+ when its argument is known to be non-NULL, and should not be used in
+ such cases.
+
+ * modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
+ instead of x_strdup, the latter is of no benefit in this case.
+ * modules/pam_ftp/pam_ftp.c (lookup): Likewise.
+ * modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
+ * modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
+ * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
+ x_strdup for strings passed as arguments to execve.
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
+ * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+ (_unix_verify_password): Use strdup instead of x_strdup, the latter
+ is of no benefit in this case.
+ * modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
+ strings passed as arguments to execv.
+
+2014-01-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_userdb: fix password hash comparison.
+ Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+ passwords support in pam_userdb, hashes are compared case-insensitively.
+ This bug leads to accepting hashes for completely different passwords in
+ addition to those that should be accepted.
+
+ Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+ modern password hashes with different lengths and settings, did not
+ update the hash comparison accordingly, which leads to accepting
+ computed hashes longer than stored hashes when the latter is a prefix
+ of the former.
+
+ * modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+ hash whose length differs from the stored hash length.
+ Compare computed and stored hashes case-sensitively.
+ Fixes CVE-2013-7041.
+
+ Bug-Debian: http://bugs.debian.org/731368
+
+2014-01-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_xauth: log fatal errors preventing xauth process execution.
+ * modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe()
+ and fork() calls.
+
+2014-01-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_loginuid: cleanup loginuid buffer initialization.
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
+ buffer initialization closer to its first use.
+
+2014-01-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ libpam_misc: fix an inconsistency in handling memory allocation errors.
+ When misc_conv fails to allocate memory for pam_response array, it
+ returns PAM_CONV_ERR. However, when read_string fails to allocate
+ memory for a response string, it loses the response string and silently
+ ignores the error, with net result as if EOF has been read.
+
+ * libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup,
+ the latter is of no benefit in this case.
+ Do not ignore potential memory allocation errors returned by strdup,
+ forward them to misc_conv.
+
+2014-01-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_limits: fix utmp->ut_user handling.
+ ut_user member of struct utmp is a string that is not necessarily
+ null-terminated, so extra care should be taken when using it.
+
+ * modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to
+ a null-terminated string and consistently use it where a null-terminated
+ string is expected.
+
+2014-01-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_mkhomedir: check and create home directory for the same user (ticket #22)
+ Before pam_mkhomedir helper was introduced in commit
+ 7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for
+ existance and creating the same directory - the home directory of the
+ user NAME returned by pam_get_item(PAM_USER).
+
+ The change in behaviour accidentally introduced along with
+ mkhomedir_helper is not consistent: while the module still checks for
+ getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is
+ getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily
+ the same as the directory being checked.
+
+ This change brings check and creation back in sync, both handling
+ getpwnam(NAME)->pw_dir.
+
+ * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace
+ "struct passwd *" argument with user's name and home directory.
+ Pass user's name to MKHOMEDIR_HELPER.
+ (pam_sm_open_session): Update create_homedir call.
+
+2014-01-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_limits: detect and ignore stale utmp entries.
+ Original idea by Christopher Hailey
+
+ * modules/pam_limits/pam_limits.c (check_logins): Use kill() to
+ detect if pid of the utmp entry is still running and ignore the entry
+ if it is not.
+
+2014-01-19 Stéphane Graber <stgraber@ubuntu.com>
+
+ pam_loginuid: Always return PAM_IGNORE in userns.
+ The previous patch to support user namespaces works fine with containers
+ that are started from a desktop/terminal session but fails when dealing
+ with containers that were started from a remote session such as ssh.
+
+ I haven't looked at the exact reason for that in the kernel but on the
+ userspace side of things, the difference is that containers started from
+ an ssh session will happily let pam open /proc/self/loginuid read-write,
+ will let it read its content but will then fail with EPERM when trying
+ to write to it.
+
+ So to make the userns support bullet proof, this commit moves the userns
+ check earlier in the function (which means a small performance impact as
+ it'll now happen everytime on kernels that have userns support) and will
+ set rc = PAM_IGNORE instead of rc = PAM_ERROR.
+
+ The rest of the code is still executed in the event that PAM is run on a
+ future kernel where we have some kind of audit namespace that includes a
+ working loginuid.
+
+2014-01-15 Steve Langasek <vorlon@debian.org>
+
+ pam_namespace: don't use bashisms in default namespace.init script.
+ * modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+ namespace init script, so that scripts run with maximum privilege regardless
+ of the shell implementation.
+ * modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+ shebang line
+
+ This is not a POSIX standard option, it's a bashism. The bash manpage says
+ that it's used to prevent the effective user id from being reset to the real
+ user id on startup, and to ignore certain unsafe variables from the
+ environment.
+
+ In the case of pam_namespace, the -p is not necessary for environment
+ sanitizing because the PAM module (properly) sanitizes the environment
+ before execing the script.
+
+ The stated reason given in CVS history for passing -p is to "preserve euid
+ when called from setuid apps (su, newrole)." This should be done more
+ portably, by calling setuid() before spawning the shell.
+
+ Bug-Debian: http://bugs.debian.org/624842
+ Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+
+2014-01-10 Stéphane Graber <stgraber@ubuntu.com>
+
+ pam_loginuid: Ignore failure in user namespaces.
+ When running pam_loginuid in a container using the user namespaces, even
+ uid 0 isn't allowed to set the loginuid property.
+
+ This change catches the EACCES from opening loginuid, checks if the user
+ is in the host namespace (by comparing the uid_map with the host's one)
+ and only if that's the case, sets rc to 1.
+
+ Should uid_map not exist or be unreadable for some reason, it'll be
+ assumed that the process is running on the host's namespace.
+
+ The initial reason behind this change was failure to ssh into an
+ unprivileged container (using a 3.13 kernel and current LXC) when using
+ a standard pam profile for sshd (which requires success from
+ pam_loginuid).
+
+ I believe this solution doesn't have any drawback and will allow people
+ to use unprivileged containers normally. An alternative would be to have
+ all distros set pam_loginuid as optional but that'd be bad for any of
+ the other potential failure case which people may care about.
+
+ There has also been some discussions to get some of the audit features
+ tied with the user namespaces but currently none of that has been merged
+ upstream and the currently proposed implementation doesn't cover
+ loginuid (nor is it clear how this should even work when loginuid is set
+ as immutable after initial write).
+
+2014-01-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist.
+ When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
+ PAM_SUCCESS, so that we can distinguish between "loginuid set
+ successfully" and "loginuid not set, but this is expected".
+
+ Suggested by Steve Langasek.
+
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
+ code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
+ does not exist, PAM_SESSION_ERR in case of any other error.
+ (_pam_loginuid): Forward the PAM error code returned by set_loginuid.
+
+2013-11-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_access: fix debug level logging (ticket #19)
+ * modules/pam_access/pam_access.c (group_match): Log the group token
+ passed to the function, not an uninitialized data on the stack.
+
+ pam_warn: log flags passed to the module (ticket #25)
+ * modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
+ log it using pam_syslog.
+ (pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
+ pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
+ "flags" argument to log_items.
+
+2013-11-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Modernize AM_INIT_AUTOMAKE invocation.
+ Before this change, automake complained that two- and three-arguments
+ forms of AM_INIT_AUTOMAKE are deprecated.
+
+ * configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead
+ of AM_INIT_AUTOMAKE.
+
+2013-11-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix autoconf warnings.
+ Before this change, autoconf complained that AC_COMPILE_IFELSE
+ and AC_RUN_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS.
+
+ * configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT.
+
+2013-11-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_securetty: check return value of fgets.
+ Checking return value of fgets not only silences the warning from glibc
+ but also leads to a cleaner code.
+
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check):
+ Check return value of fgets.
+
+2013-11-20 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_lastlog: fix format string.
+ gcc -Wformat justly complains:
+ format '%d' expects argument of type 'int', but argument 5 has type 'time_t'
+
+ * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
+ string.
+
+2013-11-20 Darren Tucker <dtucker@zip.com.au>
+
+ If the correct loginuid is set already, skip writing it.
+ modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
+ and skip writing if already correctly set.
+
+2013-11-11 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Always ask for old password if changing NIS account.
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
+ for old password if NIS account.
+
+2013-11-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Allow DES as compatibility option for /etc/login.defs.
+ * modules/pam_unix/support.h: Add UNIX_DES
+
+2013-10-14 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Docfix: pam_prompt() and pam_vprompt() return int.
+ doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int.
+
+ Make pam_tty_audit work with old kernels not supporting log_passwd.
+ modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
+ if message is short from older kernel.
+
+2013-09-25 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix pam_tty_audit log_passwd support and regression.
+ modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
+ (pam_sm_open_session): Always copy the old status as initialization of new.
+
+2013-09-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.1.8.
+
+2013-09-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Check return value of setuid to remove glibc warnings.
+ * modules/pam_unix/pam_unix_acct.c: Check setuid return value.
+ * modules/pam_unix/support.c: Likewise.
+
+2013-09-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Write to *rounds only if non-NULL.
+ modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
+
+ Add missing ')'
+ modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
+
+2013-09-11 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Release version 1.1.7.
+
+2013-09-11 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Transifex.
+ po/*.po: Updated translations from Transifex.
+
+2013-09-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Extend pam_exec by stdout and type= options (ticket #8):
+ * modules/pam_exec/pam_exec.c: Add stdout and type= option
+ * modules/pam_exec/pam_exec.8.xml: Document new options
+
+2013-08-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Fix compile error.
+ * modules/pam_unix/pam_unix_acct.c: fix last change
+
+2013-08-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Restart waitpid if it returns with EINTR (ticket #17)
+ * modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/support.c: Likewise.
+
+2013-08-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ misc_conv.3: Fix documentation of misc_conv.
+ doc/man/misc_conv.3.xml: Fix return value of misc_conv
+
+2013-08-23 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Apply the exclusive check in pam_sepermit only when loginuid not set.
+ * modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
+ /proc
+ (sepermit_match): Apply the exclusive check only when loginuid not set.
+
+2013-08-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Transifex.
+ * po/*.po: Updated translations from Transifex.
+
+2013-07-01 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_rootok: fix linking in --enable-audit mode.
+ pam_rootok.c explicitly uses functions from libaudit, so the module has
+ to be linked with the library.
+
+ * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
+
+2013-07-01 Richard Guy Briggs <rgb@redhat.com>
+
+ pam_tty_audit: fix a typo that crept in during patch review.
+ * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
+ all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
+ HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
+ * configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.
+
+2013-06-21 Richard Guy Briggs <rgb@redhat.com>
+
+ pam_tty_audit: add an option to control logging of passwords: log_passwd
+ Most commands are entered one line at a time and processed as complete lines
+ in non-canonical mode. Commands that interactively require a password, enter
+ canonical mode with echo set to off to do this. This feature (icanon and
+ !echo) can be used to avoid logging passwords by audit while still logging the
+ rest of the command. Adding a member to the struct audit_tty_status passed in
+ by pam_tty_audit allows control of logging passwords per task.
+
+ * configure.in: autoconf bits to conditionally add support at compile time
+ depending on struct audit_tty_status kernel header version.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
+ log_passwd option.
+ * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
+ "log_passwd" option parsing.
+
+2013-06-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Man page fix - unix_update runs in the permissive mode as well.
+ modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
+ permissive mode as well.
+
+2013-06-18 Thorsten Kukuk <kukuk@orinoco.thkukuk.de>
+
+ Use hash from /etc/login.defs as default if no other one is specified as argument.
+ * modules/pam_unix/support.c: Add search_key, call from __set_ctrl
+ * modules/pam_unix/support.h: Add define for /etc/login.defs
+ * modules/pam_unix/pam_unix.8.xml: Document new behavior.
+ * modules/pam_umask/pam_umask.c: Add missing NULL pointer check
+
+2013-04-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_access: better not change the default function used to get domain name.
+ modules/pam_access/pam_access.c (netgroup_match): As we did not use
+ yp_get_default_domain() in the 1.1 branch due to typo in ifdef
+ we should use it only as fallback.
+
+2013-03-28 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Fix strict aliasing issue in MD5 implementations.
+ modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
+ modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
+
+2013-03-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_lastlog: Do not fail on short read if btmp is corrupted.
+ modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
+ on short read or read error.
+
+ pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux
+ modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
+ (check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
+
+2013-02-08 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add checks for crypt() returning NULL.
+ modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
+ modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
+
+2013-02-07 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_userdb: Allow also modern password hashes supported by crypt().
+ modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
+ longer than 13 characters and long salt.
+
+2013-01-18 Walter de Jong <walter.dejong@surfsara.nl>
+
+ pam_access: fix typo in ifdef.
+ modules/pam_access/pam_access.c (netgroup_match): Fix typo
+ in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.
+
+2012-12-20 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_cracklib: Mention checks that are not run for root.
+ modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
+ when run as root.
+
+ Update also the POT file.
+ po/Linux-PAM.pot: Update to reflect current sources.
+
+2012-12-12 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Updated translations from Transifex, added new languages.
+ po/LINGUAS: Added new languages.
+ po/*.po: Updated translations from Transifex including new languages.
+
+2012-11-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_selinux: Drop obsolete and unsupported manual context selection.
+ modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
+ (compute_exec_context): Drop manual_context() call.
+
+2012-11-23 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_limits: fix grammatical mistake.
+ modules/pam_limits/limits.conf: Fix grammatical mistake.
+
+2012-11-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Reflect the enforce_for_root semantics change in pam_pwhistory xtest.
+ xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
+ running with real uid == 0.
+
+2012-10-10 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: fix build in --enable-selinux mode.
+ glibc's <sys/wait.h> starting with commit
+ http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
+ does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
+ when pam is being built with SELinux support enabled, pam_unix_passwd.c
+ uses getrlimit(2) and therefore should include <sys/resource.h> without
+ relying on other headers.
+
+ * modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
+
+ Reported-by: Guido Trentalancia <guido@trentalancia.com>
+ Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
+ Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+
+2012-10-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_namespace: add mntopts flag for tmpfs mount options.
+ modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
+ structure.
+ modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
+ (parse_method): Parse the mntopts flag.
+ (ns_setup): Pass the mount_opts to mount().
+ modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
+
+2012-09-06 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_selinux, pam_tally2: Add tty and rhost to audit data.
+ modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
+ rhost from PAM items and pass them to audit.
+ modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
+ rhost from PAM items and pass them to audit.
+ (main): Obtain tty name of stdin and pass it to audit.
+
+ Update configure.in to use more recent interfaces.
+ configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
+ of AC_HELP_STRING.
+
+2012-08-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add missing $(DESTDIR) when making directories on install.
+ modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
+ $(namespaceddir) on install.
+ modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
+ $(sepermitlockdir) on install.
+
+2012-08-17 Thorsten Kukuk <kukuk@orinoco.thkukuk.de>
+
+ release version 1.1.6.
+ configure.in: Bump version to 1.1.6
+ NEWS: Document changes
+ po/*.po: Regenerate *.po files
+
+2012-08-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ Small documentation and define fixes.
+ modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
+ modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
+ modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
+ modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
+
+2012-08-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify().
+ libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE
+ item when obtained from module options.
+ (pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting.
+
+2012-08-09 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Document limits.d also in the limits.conf manpage.
+ modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.
+
+2012-07-23 Tomas Mraz <tmraz@fedoraproject.org>
+
+ New autotools do not create empty directories on install.
+ modules/pam_namespace/Makefile.am: Add install-data-local target to create
+ namespaceddir.
+ modules/pam_sepermit/Makefile.am: Add install-data-local target to create
+ sepermitlockdir.
+
+2012-07-09 Stevan Bajić <stevan@bajic.ch>
+
+ RLIMIT_* variables are no longer defined unless you explicitly include sys/resource.h.
+
+ modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.
+
+2012-06-27 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_umask: correct the documentation of GECOS field parsing.
+ modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
+ parsing.
+
+2012-06-22 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_cracklib: Add monotonic character sequence checking.
+ modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
+ (sequence): New function to check for too long monotonic sequence of characters.
+ (password_check): Call the sequence().
+ modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.
+
+2012-06-01 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_timestamp: Fix copy&paste error in manpage.
+ modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.
+
+2012-05-28 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Pulled new translations from Transifex.
+ po/*.po: Updated translations.
+
+ pam_pwhistory: Always record the old password even when root changes it.
+ modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
+ the process instead of the target user UID (same as in pam_cracklib) to
+ check for root. Always record old password.
+
+2012-05-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_cracklib: Add enforce_for_root option.
+ modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
+ (pam_sm_chauthtok): Enforce errors for root with the option.
+ modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
+
+2012-04-30 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.
+ modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
+ (simple): Add the check for the same class repetition.
+ (usercheck): Refactor into wordcheck().
+ (gecoscheck): New test for words from the GECOS field.
+ (password_check): Call the gecoscheck().
+ (pam_sm_chauthtok): Drop the diff_ignore from options struct.
+ modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
+
+ pam_lastlog: Never lock out the root account.
+ modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
+ uid==0.
+ modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
+
+2012-04-17 Tomas Mraz <tmraz@fedoraproject.org>
+
+ pam_lastlog: add possibility to lock out inactive users in auth or account
+ * modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
+ option.
+ * modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
+ (_pam_session_parse): Renamed from _pam_parse.
+ (_pam_auth_parse): New function to parse auth arguments.
+ (_last_login_open): Factor out opening of the lastlog file.
+ (_last_login_read): Factor out opening of the lastlog file.
+ (pam_sm_authenticate): Implement the lockout functionality.
+ (pam_sm_setcred): Just return PAM_SUCCESS.
+ (pam_sm_acct_mgmt): Call pam_sm_authenticate().
+
+2012-04-11 Paul Wouters <pwouters@redhat.com>
+
+ Check for crypt() failure returning NULL.
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
+ * modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
+ returning NULL.
+
+2012-02-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_unix: make configuration consistent in --enable-static-modules mode.
+ In --enable-static-modules mode, it was not possible to use "pam_unix"
+ in PAM config files. Instead, different names had to be used for each
+ management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
+ pam_unix_session. This change makes pam_unix configuration consistent
+ with other PAM modules.
+
+ * README: Remove the paragraph describing pam_unix distinctions in
+ --enable-static-modules mode.
+ * libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
+ _pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
+ _pam_unix_session_modstruct): Remove.
+ (_pam_unix_modstruct): New pam_module declaration.
+ * modules/pam_unix/pam_unix_static.h: New file.
+ * modules/pam_unix/pam_unix_static.c: Likewise.
+ * modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
+ (pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
+ * modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
+ pam_unix_static.h
+ [PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
+ * modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
+ pam_unix_static.h
+ [PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
+ * modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
+ pam_unix_static.h
+ [PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
+ * modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
+ pam_unix_static.h
+ [PAM_STATIC] (_pam_unix_session_modstruct): Remove.
+
+ Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
+
+2012-01-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ Make --disable-cracklib compatible with --enable-static-modules mode.
+ * configure.in: Define HAVE_LIBCRACK when cracklib is enabled.
+ * libpam/pam_static_modules.h (static_modules): Guard the use of
+ _pam_cracklib_modstruct by HAVE_LIBCRACK macro.
+
+2012-02-10 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add missing includes for types used in the pam_modutil.h.
+ * libpam/include/security/pam_modutil.h: Add missing includes for used types.
+
+2012-01-27 Matveychikov Ilya <i.matveychikov@securitycode.ru>
+
+ Fix compile time errors in --enable-static-modules mode.
+ * libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
+ obsolete declaration.
+ (static_modules): Remove undefined reference to
+ _pam_rhosts_auth_modstruct.
+ * modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
+ {save,check}_old_pass in order to avoid conflicts with pam_unix.
+ * modules/pam_pwhistory/opasswd.c: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+ * modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
+ _pam_tally2_modstruct.
+
+2012-01-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix SUBDIRS for --enable-static-modules mode.
+ There is no way to build "modules" subdirectory before "libpam" anyway.
+ In STATIC_MODULES mode, "libpam" subdirectory must be built twice to
+ produce a usable libpam.a without undefined references to multiple
+ _pam_*_modstruct symbols.
+
+ * Makefile.am: Use default SUBDIRS in STATIC_MODULES mode.
+
+2012-01-26 Matveychikov Ilya <i.matveychikov@securitycode.ru>
+
+ configure: fix typo in --disable-nis help string.
+ * configure.in: Change '-disable-nis' to '--disable-nis'.
+
+2012-01-26 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Do not unmount anything by default in pam_namespace close session call.
+ * modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
+ the unmount_on_close option and make the default to be to not unmount.
+ * modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
+ PAMNS_UNMOUNT_ON_CLOSE.
+ * modules/pam_namespace/pam_namespace.8.xml: Document the change.
+
+2012-01-24 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Make / mount as rslave instead of bind mounting polydirs.
+ * modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
+ (check_inst_parent): Drop the always argument from protect_dir().
+ (create_polydir): Likewise.
+ (ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
+ (setup_namespace): Mark the / with MS_SLAVE|MS_REC.
+ * modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.
+
+2012-01-13 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Add possibility to match ruser, rhost, and tty in pam_succeed_if.
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
+ rhost, and tty as left operand.
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
+ possible left operands.
+
+2012-01-03 Tomas Mraz <tmraz@fedoraproject.org>
+
+ Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam.
+
+ Fix matching of usernames in the pam_unix remember feature.
+ * modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
+ sure we match only the whole username in opasswd entry.
+ * modules/pam_unix/passverify.c (save_old_password): Likewise make
+ sure we match only the whole username in opasswd entry.
+
+2011-12-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_start: fix memory leak on error path.
+ * libpam/pam_start.c (pam_start): If _pam_make_env() or
+ _pam_init_handlers() returned an error, release the memory allocated
+ for pam_conv structure.
+
+ Patch-by: cancel <suntsu@yandex.ru>.
+
+2011-11-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ pam_selinux.8.xml: update.
+ * modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis):
+ Reorder options, add new "restore" option.
+ pam_selinux-description): Rewrite.
+ (pam_selinux-options): Reorder options, describe new "restore" option.
+ (pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR
+ and PAM_BUF_ERR.
+ (pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4)
+ and selinux(8).
+
+ pam_selinux.c: add "restore" option.
+ * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new
+ "restore" option.
+
+ pam_selinux.c: rewrite using pam_get_data/pam_set_data.
+ * modules/pam_selinux/pam_selinux.c (security_restorelabel_tty,
+ security_label_tty): Remove old functions.
+ (module_data_t): New structure.
+ (free_module_data, cleanup, get_module_data, get_item,
+ set_exec_context, set_file_context, compute_exec_context,
+ compute_tty_context, restore_context, set_context,
+ create_context): New functions.
+ (pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session,
+ pam_sm_close_session): Use them.
+
+2011-10-28 Dmitry V. Levin <ldv@altlinux.org>
+
+ Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc.
+ GNU automake documentation recommends to avoid using -l options in
+ LDADD or LIBADD when referring to libraries built by the package.
+ Instead, it recommends to write the file name of the library explicitly,
+ and use -l option only to list third-party libraries. As result, the
+ default value of *_DEPENDENCIES will list all local libraries and omit
+ the other ones.
+ * modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace
+ "-L$(top_builddir)/libpam -lpam" with
+ "$(top_builddir)/libpam/libpam.la", to follow GNU automake
+ recommendations.
+ * modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise.
+ * modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise.
+ * modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise.
+ * modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise.
+ * modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise.
+ * modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise.
+ * modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise.
+ * modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise.
+ * modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise.
+ * modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise.
+ * modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise.
+ * modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise.
+ * modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise.
+ * modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise.
+ * modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise.
+ * modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise.
+ * modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise.
+ * modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise.
+ * modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise.
+ * modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD,
+ mkhomedir_helper_LDADD): Likewise.
+ * modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise.
+ * modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise.
+ * modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise.
+ * modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise.
+ * modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise.
+ * modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise.
+ * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise.
+ * modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise.
+ * modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise.
+ * modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise.
+ * modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise.
+ * modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD):
+ Likewise.
+ * modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise.
+ * modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD,
+ pam_tally2_LDADD): Likewise.
+ * modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise.
+ * modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD,
+ pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise.
+ * modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise.
+ * modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise.
+ * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise.
+ * modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise.
+ * modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise.
+ * modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise.
+ * modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise.
+ * tests/Makefile.am (LDADD): Likewise.
+ * examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam"
+ with "$(top_builddir)/libpam/libpam.la", and
+ "-L$(top_builddir)/libpam_misc -lpam_misc" with
+ "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake
+ recommendations.
+ * xtests/Makefile.am (LDADD): Likewise.
+ * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.
+
+ Fix usage of LIBADD, LDADD and LDFLAGS.
+ * modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to
+ pam_selinux_check_LDADD.
+ * modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from
+ AM_LDFLAGS.
+ * modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from
+ AM_LDFLAGS.
+ * modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from
+ AM_LDFLAGS.
+ * modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from
+ AM_LDFLAGS.
+ * xtests/Makefile.am: Rename AM_LDFLAGS to LDADD.
+
+2011-10-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ Update .gitignore files.
+ * .gitignore: Add common ignore patterns.
+ * m4/.gitignore: Unignore local m4 files.
+ * dynamic/.gitignore: Unignore Makefile.
+ * libpamc/test/modules/.gitignore: Likewise.
+ * libpamc/test/regress/.gitignore: Likewise.
+ * po/.gitignore: Add Makevars.template.
+ * conf/.gitignore: Remove common ignore patterns.
+ * conf/pam_conv1/.gitignore: Likewise.
+ * doc/.gitignore: Likewise.
+ * doc/specs/.gitignore: Likewise.
+ * doc/specs/formatter/.gitignore: Likewise.
+ * examples/.gitignore: Likewise.
+ * modules/pam_filter/upperLOWER/.gitignore: Likewise.
+ * modules/pam_mkhomedir/.gitignore: Likewise.
+ * modules/pam_selinux/.gitignore: Likewise.
+ * modules/pam_stress/.gitignore: Likewise.
+ * modules/pam_tally/.gitignore: Likewise.
+ * modules/pam_tally2/.gitignore: Likewise.
+ * modules/pam_timestamp/.gitignore: Likewise.
+ * modules/pam_unix/.gitignore: Likewise.
+ * tests/.gitignore: Likewise.
+ * xtests/.gitignore: Likewise.
+ * doc/adg/.gitignore: Remove.
+ * doc/man/.gitignore: Remove.
+ * doc/mwg/.gitignore: Remove.
+ * doc/sag/.gitignore: Remove.
+ * libpamc/.gitignore: Remove.
+ * libpamc/test/.gitignore: Remove.
+ * libpam/.gitignore: Remove.
+ * libpam_misc/.gitignore: Remove.
+ * modules/.gitignore: Remove.
+ * modules/pam_access/.gitignore: Remove.
+ * modules/pam_cracklib/.gitignore: Remove.
+ * modules/pam_debug/.gitignore: Remove.
+ * modules/pam_deny/.gitignore: Remove.
+ * modules/pam_echo/.gitignore: Remove.
+ * modules/pam_env/.gitignore: Remove.
+ * modules/pam_exec/.gitignore: Remove.
+ * modules/pam_faildelay/.gitignore: Remove.
+ * modules/pam_filter/.gitignore: Remove.
+ * modules/pam_ftp/.gitignore: Remove.
+ * modules/pam_group/.gitignore: Remove.
+ * modules/pam_issue/.gitignore: Remove.
+ * modules/pam_keyinit/.gitignore: Remove.
+ * modules/pam_lastlog/.gitignore: Remove.
+ * modules/pam_limits/.gitignore: Remove.
+ * modules/pam_listfile/.gitignore: Remove.
+ * modules/pam_localuser/.gitignore: Remove.
+ * modules/pam_loginuid/.gitignore: Remove.
+ * modules/pam_mail/.gitignore: Remove.
+ * modules/pam_motd/.gitignore: Remove.
+ * modules/pam_namespace/.gitignore: Remove.
+ * modules/pam_nologin/.gitignore: Remove.
+ * modules/pam_permit/.gitignore: Remove.
+ * modules/pam_pwhistory/.gitignore: Remove.
+ * modules/pam_rhosts/.gitignore: Remove.
+ * modules/pam_rootok/.gitignore: Remove.
+ * modules/pam_securetty/.gitignore: Remove.
+ * modules/pam_sepermit/.gitignore: Remove.
+ * modules/pam_shells/.gitignore: Remove.
+ * modules/pam_succeed_if/.gitignore: Remove.
+ * modules/pam_time/.gitignore: Remove.
+ * modules/pam_tty_audit/.gitignore: Remove.
+ * modules/pam_umask/.gitignore: Remove.
+ * modules/pam_userdb/.gitignore: Remove.
+ * modules/pam_warn/.gitignore: Remove.
+ * modules/pam_wheel/.gitignore: Remove.
+ * modules/pam_xauth/.gitignore: Remove.
+
+ Move generated auxiliary files to build-aux directory.
+ * configure.in: Add AC_CONFIG_AUX_DIR([build-aux]).
+
+ Remove generated files.
+ * ABOUT-NLS: Remove.
+ * INSTALL: Remove.
+ * config.rpath: Remove.
+ * install-sh: Remove.
+ * mkinstalldirs: Remove.
+ * Makefile.am (EXTRA_DIST): Remove config.rpath and mkinstalldirs.
+ * .gitignore: Add ABOUT-NLS and INSTALL.
+
+ Create release tarballs using safe ownership and permissions.
+ * Makefile.am: Define and export TAR_OPTIONS.
+
+ Generate ChangeLog from git log.
+ * .gitignore: Add ChangeLog
+ * ChangeLog: Rename to ChangeLog-CVS.
+ * Makefile.am (gen-changelog): New rule.
+ (dist-hook, .PHONY): Depend on it.
+ (EXTRA_DIST): Add ChangeLog-CVS.
+ * README-hacking: New file.
+ * gitlog-to-changelog: Import from gnulib.
+ * autogen.sh: Create empty ChangeLog file to make automake strictness
+ check happy. Use automated "autoreconf -fiv" instead of manual
+ invocations of various autotools.
+
+ Fix "make distcheck"
+ There is no use to distribute m4 files manually, because automake does
+ the right thing, while manual distribution is not only redundant but
+ also very fragile.
+ * Makefile.am (M4_FILES): Remove.
+ (EXTRA_DIST): Remove M4_FILES.
+
+ Remove modules/pam_timestamp/hmacfile from distribution.
+ * modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp.
+ (nodist_TESTS): Add hmacfile.
+ (EXTRA_DIST): Replace TESTS with dist_TESTS.
+
+ Rename all .cvsignore files to .gitignore.
+
+2011-10-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ Fix whitespace issues.
+ Cleanup trailing whitespaces, indentation that uses spaces before tabs,
+ and blank lines at EOF. Make the project free of warnings reported by
+ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+
+See ChangeLog-CVS for earlier changes.
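Review bot: the 2011-10-27 entry "Generate ChangeLog from git log" near the end of this hunk records that ChangeLog was added to .gitignore and is produced by the gen-changelog rule that dist-hook depends on, yet this diff adds the generated 7232-line ChangeLog as a new tracked file. If this commit imports a release tarball, state that in the commit message so the origin of the file is clear. Otherwise drop ChangeLog from the commit and let the dist-hook regenerate it, so a tracked copy cannot drift from git log. The hand-maintained ChangeLog-CVS that the closing line "See ChangeLog-CVS for earlier changes." points to is the file that entry lists under EXTRA_DIST.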
diff --git a/ChangeLog-CVS b/ChangeLog-CVS
new file mode 100644
index 0000000..47b54ce
--- /dev/null
+++ b/ChangeLog-CVS
@@ -0,0 +1,5099 @@
+2011-10-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ NB: ChangeLog file is no longer manually maintained.
+ See README-hacking for details.
+
+2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.5
+
+ * configure.in: Bump version number.
+
+ * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
+ "no_lock_time".
+
+2011-10-14 Kees Cook <kees@debian.org>
+
+ * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
+ overflowed environment variable expansion.
+ Fixes CVE-2011-3149.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
+
+ * modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
+ whitespace.
+ Fixes CVE-2011-3148.
+ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
+
+2011-10-10 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_access/pam_access.c: Add hostname resolution
+ cache.
+ (user_match): Clear the cache in fake_item.
+ (from_match): If from is not hostname, do not try to resolve it.
+ Cache the getaddrinfo() result.
+ (network_netmask_match): Cache the getaddrinfo() result.
+ (pam_sm_authenticate): Free the getaddrinfo() result.
+
+ * modules/pam_access/pam_access.c (netgroup_match): If getdomainname()
+ fails or domainname not set use NULL as domain in innetgr().
+
+2011-09-30 Tomas Mraz <tm@t8m.info>
+
+ * doc/man/pam.conf-syntax.xml: Improve documentation of the
+ sufficient and requisite control values. (Red Hat Bug #742413)
+
+2011-08-25 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_access/pam_access.c (user_match): Fix the split
+ on @ in the user field. (Red Hat Bug #732081)
+
+ * modules/pam_loginuid/pam_loginuid.c: Correct the FSF address.
+
+2011-08-23 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_env/pam_env.c (_pam_parse): Fix missing dereference.
+
+2011-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.4
+
+ * configure.in: Bump version number.
+ * NEWS: Document changes since 1.1.3
+ * libpam/Makefile.am: Bump release number of shared library
+ * po/de.po: Translate new string.
+
+ * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Reorder
+ Libraries.
+
+2011-06-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/pam_limits.c: Add set_all option,
+ read limits from PID one if no limit is specified and set_all
+ is set.
+ * modules/pam_limits/pam_limits.8.xml: Document set_all option.
+ Based on Patch by Kees Cook.
+
+2011-06-15 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_sepermit/pam_sepermit.c (check_running): Avoid
+ leaking memory and dir handle on realloc failure.
+ (sepermit_unlock): Cast fcntl() and close() calls to void.
+
+ * modules/pam_pwhistory/opasswd.c (check_old_password): Do not
+ needlessly call strdupa().
+ (save_old_password): Avoid memleaks in error paths. Avoid memleak of
+ buf. Make the opasswd entry parsing more robust.
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Document the
+ special meaning of remember=0.
+
+ * modules/pam_unix/support.c (_set_ctrl): Do not crash when remember,
+ minlen, or rounds options are used with wrong module type.
+
+ * modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate): Avoid
+ memleak in error path.
+ (pam_sm_open_session): Avoid memleak and fd leak in error path.
+
+ * modules/pam_access/pam_access.c (user_match): Initialize the
+ fake_item from item.
+
+2011-06-14 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Check for libtirpc by default.
+ * libpam/Makefile.am: Add support for libtirpc.
+ * modules/pam_access/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Change ifdefs for
+ new libtirpc support.
+ * modules/pam_unix/yppasswd_xdr.c: Only compile if we have rpc/rpc.h.
+
+2011-06-13 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Test
+ also whether the tty is in the /sys/class/tty/console/active file.
+ * modules/pam_securetty/pam_securetty.8.xml: Document the new check of
+ /sys/class/tty/console/active/file.
+
+2011-06-07 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/pam_namespace.c (root_shared): New
+ function to detect shared / mount.
+ (pam_sm_open_session): Call the root_shared() and enable
+ private mounts based on that.
+ * modules/pam_namespace/pam_namespace.8.xml: Document the
+ automatic detection of shared / mount.
+
+2011-06-06 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_group/pam_group.c (shift_bytes): Removed.
+ (shift_buf, trim_spaces): Added new functions.
+ (read_field): Thorough rewrite of the parsing.
+ (check_account): read_field() now uses state information. No
+ extra read_field() call at the end of configuration line.
+ * modules/pam_time/pam_time.c (shift_bytes): Removed.
+ (shift_buf, trim_spaces): Added new functions.
+ (read_field): Thorough rewrite of the parsing.
+ (check_account): read_field() now uses state information. No
+ extra read_field() call at the end of configuration line.
+
+ * modules/pam_namespace/pam_namespace.h: Define the MS_PRIVATE and
+ MS_REC flags if they are not in sys/mount.h.
+
+2011-06-06 Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
+
+ * po/LINGUAS: Add vietnamese.
+ * po/vi.po: Add vietnamese translation.
+
+2011-06-02 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/pam_namespace.c (protect_dir): Add parameter
+ to always do protect mount the last directory in the path.
+ (check_inst_parent, create_polydir): Update the protect_dir() call.
+ (ns_setup): Likewise and add the MS_PRIVATE mount() call.
+ (pam_sm_open_session): Check the mount_private option.
+ * modules/pam_namespace/pam_namespace.h: Add the PAMNS_MOUNT_PRIVATE.
+ * modules/pam_namespace/pam_namespace.8.xml: Document the mount_private
+ option.
+
+ * modules/pam_cracklib/pam_cracklib.c (str_lower): Make it no-op
+ on NULL strings.
+ (password_check): Guard for NULLs returned from memory allocation.
+
+ * modules/pam_filter/pam_filter.c (process_args): Guard for error return
+ from pam_get_user().
+
+ * modules/pam_echo/pam_echo.c (replace_and_print): Guard for error return
+ from pam_get_item().
+
+2011-05-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_timestamp/pam_timestamp.c (main): Remove unsused
+ variable pretval.
+
+ * modules/pam_stress/pam_stress.c (converse): **message is const.
+ (stress_get_password): pmsg is const.
+ (pam_sm_chauthtok): Likewise.
+ * libpam/pam_item.c (pam_get_user): Make pmsg const and remove
+ casts.
+
+2011-05-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_env/pam_env.c (_pam_parse): Implement debug option.
+ Based on patch by Tomas Mraz.
+
+2011-05-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): quiet
+ option has no argument, print no missing file if quiet is set
+ [sf#3194930].
+
+2011-05-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_failed): Don't
+ abort with error if btmp file does not exist.
+
+2011-03-21 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_unix/md5.c (MD5Final): Clear the whole ctx.
+
+2011-03-18 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/md5.c (MD5Final): Clear the whole ctx.
+ * modules/pam_namespace/pam_namespace.c (del_polydir): Guard for NULL poly.
+ (protect_dir): Guard for -1 passing to close().
+ (ns_setup): Likewise.
+ (pam_sm_open_session): Correctly test for SELinux enabled flag.
+
+2011-03-17 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (config_context): Fix leak of type.
+ (manual_context): Likewise.
+ (context_from_env): Remove extraneous auditing in success case.
+
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Remove extra
+ close() call.
+
+2011-02-22 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_nologin/pam_nologin.8.xml: Add missing space.
+ * modules/pam_limits/limits.conf.5.xml: Fix typo.
+
+2010-12-21 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (mls_range_allowed): Unhardcode
+ values for security class and av permission bit.
+
+2010-12-14 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_limits/pam_limits.c (parse_uid_range): New function
+ to parse the range of uids or gids.
+ (parse_config_file): Call parse_uid_range() and if uid/gid range
+ is identified, setup the limits if the range matches. New parameters
+ containing user's uid and primary gid.
+ (pam_sm_open_session): Pass the user's uid and primary gid to
+ parse_config_file().
+ * modules/pam_limits/limits.conf.5.xml: Document the uid/gid ranges.
+
+2010-12-14 Bahadır Kandemir <bahadir@pardus.org.tr>
+
+ * po/tr.po: Updated translations.
+
+2010-11-25 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_securetty/pam_securetty.8.xml: Improve documentation
+ of the kernel console feature and the noconsole option.
+
+2010-11-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_securetty/pam_securetty.c: Parse console= kernel
+ option, add noconsole option.
+ * modules/pam_securetty/pam_securetty.8.xml: Document new behavior
+ for serial console.
+ Patch from Lennart Poettering.
+
+2010-11-24 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_limits/limits.conf.5.xml: Document the %group syntax.
+
+2010-11-18 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_limits/pam_limits.c (pam_parse,pam_sm_open_session):
+ Drop obsolete and broken option change_uid.
+ * modules/pam_limits/pam_limits.8.xml: Likewise.
+
+2010-11-16 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Remove
+ dead and duplicate code. Return PAM_INCOMPLETE instead of
+ PAM_CONV_AGAIN.
+
+2010-11-11 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Fix
+ potential use after free in case SELinux is misconfigured.
+
+ * modules/pam_namespace/pam_namespace.c (process_line): Fix memory
+ leak when parsing empty config file lines.
+
+2010-10-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.3
+
+ * configure.in: Increase version to 1.1.3
+
+ * NEWS: document visible changes
+
+ * libpam/Makefile.am (libpam_la_LDFLAGS): Bump version number.
+
+2010-10-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/adg/Makefile.am: Use UTF-8 for html docu.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+
+2010-10-22 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_namespace/pam_namespace.c (inst_init): Use execle()
+ to execute the init script with clean environment. (CVE-2010-3853)
+ (cleanup_tmpdirs): Likewise for executing rm.
+
+2010-10-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_mkhomedir/mkhomedir_helper.c (rec_mkdir): Remove.
+ (create_homedir): Use mkdir() instead of rec_mkdir().
+ (make_parent_dirs): New function.
+ (main): Use make_parent_dirs() to create parent directories only
+ for the home directory itself.
+
+2010-10-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/support.c (_unix_getpwnam): Don't allocate
+ unneeded buffer for uid/gid [sf#3059572].
+
+2010-10-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_get_authtok.3.xml: Fix xml code.
+
+ * doc/man/Makefile.am: Fix build dependencys of pam_get_authtok.3.
+
+ * xtests/Makefile.am: Only build xtests if we run xtests.
+ * configure.in: Check for libdb with symbol versions, too.
+ Patch from Diego Elio Pettenò.
+
+ * modules/pam_mkhomedir/mkhomedir_helper.c (rec_mkdir): Create
+ parent directories always with mode 0755.
+ (create_homedir): Create main directory with mode 0700 at first.
+
+2010-10-19 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Add
+ @LIBAUDIT@.
+
+ * m4/ld-O1.m4 (PAM_LD_O1): Fix typo.
+
+ * m4/ld-no-undefined.m4: New file.
+ * configure.in: Use PAM_LD_NO_UNDEFINED.
+ * Makefile.am (M4_FILES): Add m4/ld-no-undefined.m4.
+
+ * modules/pam_selinux/pam_selinux.c (verbose_message): Remove.
+ (pam_sm_open_session): Call send_text() instead of verbose_message().
+
+2010-10-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_env/pam_env.8.xml: Document side effects of
+ environment variables in the stack.
+ * modules/pam_exec/pam_exec.8.xml: Document that user can
+ have controll over the environment.
+
+2010-10-07 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_selinux/pam_selinux.c (verbose_message): Fix format
+ string.
+
+2010-10-04 Dmitry V. Levin <ldv@altlinux.org>
+
+ * libpam/pam_modutil_priv.c: New file.
+ * libpam/Makefile.am (libpam_la_SOURCES): Add it.
+ * libpam/include/security/pam_modutil.h (struct pam_modutil_privs,
+ PAM_MODUTIL_DEF_PRIVS, pam_modutil_drop_priv,
+ pam_modutil_regain_priv): New declarations.
+ * libpam/libpam.map (LIBPAM_MODUTIL_1.1.3): New interface.
+ * modules/pam_env/pam_env.c (handle_env): Use new pam_modutil interface.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_xauth/pam_xauth.c (check_acl, pam_sm_open_session,
+ pam_sm_close_session): Likewise.
+ (pam_sm_open_session): Remove redundant fchown call.
+ Fixes CVE-2010-3430, CVE-2010-3431.
+
+2010-10-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Extend cross compiling check.
+ * doc/specs/Makefile.am: Set CFLAGS and LDFLAGS to BUILD_CFLAGS
+ and BUILD_LDFLAGS.
+ Bug #3078936 / gentoo #339174
+
+2010-09-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Warn if
+ unlink() fails.
+
+2010-09-27 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Return
+ PAM_SUCCESS immediately if no cookie file is defined. Return
+ PAM_SESSION_ERR if cookie file is defined but target uid cannot be
+ determined. Do not modify cookiefile string returned by pam_get_data.
+
+ * modules/pam_xauth/pam_xauth.c (check_acl): Ensure that the given
+ access control file is a regular file.
+
+2010-09-16 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_env/pam_env.c (handle_env): Use setfsuid() return code.
+ * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+ * modules/pam_xauth/pam_xauth.c (check_acl, pam_sm_open_session,
+ pam_sm_close_session): Likewise.
+
+2010-08-31 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.2
+
+ * configure.in: Bump version number.
+ * NEWS: Document changes since 1.1.1.
+ * doc/adg/Linux-PAM_ADG.xml: Bump version number.
+ * doc/mwg/Linux-PAM_MWG.xml: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Likewise.
+ * libpam/Makefile.am: Bump revision of shared library.
+ * po/*.po: Regenerate.
+
+2010-08-26 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_nologin/pam_nologin.c (perform_check): Try first
+ /var/run/nologin if the nologin file is not explicitly specified.
+ * modules/pam_nologin/pam_nologin.8.xml: Document that /var/run/nologin
+ is tried first.
+
+2010-08-26 Sweta Kothari <swkothar@redhat.com>
+
+ * po/gu.po: Updated translations.
+
+2010-08-26 Geert Warrink <geert.warrink@onsnet.nu>
+
+ * po/nl.po: Updated translations.
+
+2010-08-26 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/specs/Makefile.am: Use CC_FOR_BUILD as compiler (cross
+ compile support).
+ * configure.in: Check for host compiler if cross compiling.
+ Bug #2315432, debian#284854#42.
+
+2010-08-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix_passwd.c: Implement minlen option.
+ * modules/pam_unix/support.c: Likewise.
+ * modules/pam_unix/support.h: Likewise.
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Adjust
+ arguments for _set_ctrl call.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
+ * modules/pam_unix/pam_unix_session.c: Likewise.
+
+ * modules/pam_unix/pam_unix.8.xml: Document minlen option.
+ Based on patch by Steve Langasek.
+
+2010-08-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mail/pam_mail.c: Check for mail only with user
+ privilegs.
+
+ * modules/pam_xauth/pam_xauth.c (run_coprocess): Check return
+ value of setgid, setgroups and setuid.
+
+ * modules/pam_xauth/pam_xauth.c (check_acl): Save errno for
+ later usage.
+
+ * modules/pam_env/pam_env.c (handle_env): Check if user exists,
+ read local user config only with user privilegs.`
+
+2010-08-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_tally/pam_tally.8.xml: Document that pam_tally is
+ deprecated.
+
+ * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Fix make dist.
+
+ * modules/pam_unix/passverify.c (check_shadow_expiry): Correct
+ check for expired date.
+
+ * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Remove
+ check for password length. Bug #2923437.
+
+2010-08-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_tally2/pam_tally2.c (get_tally): Create file
+ with correct permissions. Patch by Diego Elio “Flameeyes” Pettenò.
+
+ * modules/pam_unix/passverify.c (PAMH_ARG_DECL): Don't request
+ password change if time is not yet set (1.1.1970). Bug #2730965.
+
+ * modules/pam_access/pam_access.c (user_match): Make sure
+ that user@host will not match @@netgroup. Bug #3035919.
+
+ * modules/pam_group/pam_group.c (check_account): Add '%' for
+ UNIX groups.
+ * modules/pam_group/group.conf: Add example for '%'.
+ * modules/pam_group/group.conf.5.xml: Document '%' syntax.
+ Bug #3002340, #3037155.
+
+2010-08-02 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_mkhomedir/Makefile.am: don't pass --version-script
+ options when linking executables, only when linking libraries
+ Patch from Julien Cristau <jcristau@debian.org>
+
+2010-07-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Add
+ audit flag to enable logging about unknown user (#2917257).
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Document audit.
+ * modules/pam_succeed_if/pam_succeed_if.8: Regenerated from xml.
+ * modules/pam_succeed_if/README: Regenerated from xml.
+
+2010-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_umask/pam_umask.8.xml: Remove comparisation of
+ gid and uid for usergroups.
+ * modules/pam_umask/pam_umask.c (setup_limits_from_gecos): Likewise.
+ Bug #3004656
+
+ * configure.in: Don't check for libxcrypt if no xcrypt.h exists,
+ fix typo introduced with 1.1.1.
+ Reported by Diego Elio “Flameeyes” Pettenò.
+
+2010-06-15 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Call
+ setfsuid to be allowed to remove temporary files (#3010705).
+ (pam_sm_open_session): Call fchown with correct permissions.
+
+2010-06-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_tty_audit/Makefile.am (TESTS): Add tst-pam_tty_audit.
+ * modules/pam_tty_audit/tst-pam_tty_audit: New.
+
+2010-06-07 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_tty_audit/Makefile.am: If we don't have the libraries
+ required for building pam_tty_audit, we shouldn't install the manpage
+ either.
+
+2010-05-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_userdb/pam_userdb.c: Define HAVE_DBM
+ for BerkDB 5.0 support. Patch by Diego Elio Pettenò.
+
+2010-04-15 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_exec/pam_exec.8.xml: Fix example.
+
+2010-04-13 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_pwhistory/opasswd.c: Fix compilation if
+ cyprt_r() is not available.
+ * configure.in: check for getutent_r.
+ * modules/pam_timestamp/pam_timestamp.c: Use getutent()
+ if getutent_r() does not exist.
+ Patch from Diego Elio “Flameeyes” Pettenò.
+
+2010-04-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam.conf-syntax.xml: Better documentation of
+ "actionN". Patch from Michal Soltys <soltys@ziu.info>.
+
+2010-04-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_rootok/pam_rootok.c: Add support for acct_mgmt
+ and chauthtok.
+ * modules/pam_rootok/pam_rootok.8.xml: Document new module
+ types.
+
+2010-03-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/ar.po: Add missing Plural-Forms entry to header.
+
+2010-03-25 Daniel Nylander <po@danielnylander.se>
+
+ * po/sv.po: Updated translations.
+
+2010-03-24 Ani Peter <anipeter@fedoraproject.org>
+
+ * po/ml.po: Updated translations.
+
+2010-03-08 Yuri Chornoivan <yurchor@ukr.net>
+
+ * po/uk.po: Updated translations.
+
+2010-02-09 Tomas Mraz <t8m@centrum.cz>
+
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix
+ regression in the new password prompt.
+
+2010-01-04 Elad <el.il@doom.co.il>
+
+ * po/he.po: New translation to Hebrew.
+ * po/LINGUAS: Add Hebrew to the list.
+
+2009-12-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.1
+
+ * NEWS: Adjust for 1.1.1
+ * configure.in: Likewise.
+ * doc/adg/Linux-PAM_ADG.xml: Likewise.
+ * doc/mwg/Linux-PAM_MWG.xml: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Likewise.
+ * po/*.po: Regenerated.
+
+2009-12-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Rename DEBUG to PAM_DEBUG.
+ * libpam/pam_env.c: Likewise
+ * libpam/pam_handlers.c: Likewise
+ * libpam/pam_miscc.c: Likewise
+ * libpam/pam_password.c: Likewise
+ * libpam/include/security/_pam_macros.h: Likewise
+ * libpamc/test/modules/pam_secret.c: Likewise
+ * modules/pam_group/pam_group.c: Likewise
+ * modules/pam_listfile/pam_listfile.c: Likewise
+ * modules/pam_unix/pam_unix_auth.c: Likewise
+ * modules/pam_unix/pam_unix_passwd.c: Likewise
+
+2009-12-08 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/passverify.c(unix_update_shadow): Create a shadow
+ entry if not present in the file.
+
+ * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Remove
+ unused function and variable.
+
+2009-11-19 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Return
+ PAM_AUTH_ERR from the module if sepermit_lock() fails.
+
+2009-11-18 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c(user_match): Revert the netgroup
+ match to the original behavior, add new syntax for adding the local
+ hostname.
+ * modules/pam_access/access.conf.5.xml: Document the new syntax
+ for adding the local hostname to the netgroup match.
+
+2009-11-10 Thorsten Kukuk <kukuk@suse.de>
+
+ * doc/man/pam_get_authtok.3.xml: Document pam_get_authtok_noverify
+ and pam_get_authtok_verify.
+
+ * libpam/Makefile.am (libpam_la_LDFLAGS): Bump revesion of libpam.
+
+ * libpam/pam_get_authtok.c (pam_get_authtok_internal): Renamed
+ from pam_get_authtok, add flags argument, always check return
+ values.
+
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Use
+ pam_get_authtok_noverify and pam_get_authtok_verify.
+
+ * libpam/include/security/pam_ext.h: Add prototypes for
+ pam_get_authtok_noverify and pam_get_authtok_verify.
+
+ * libpam/libpam.map: Add new pam_get_authtok_* functions.
+
+2009-11-02 Ani Peter <anipeter@fedoraproject.org>
+
+ * po/ml.po: Updated translations.
+
+2009-11-02 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page.
+ * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to
+ sepermit.conf(5). Drop some redundant text.
+ * modules/pam_sepermit/sepermit.conf.5.xml: New file.
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore
+ option in sepermit.conf.
+
+2009-10-29 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_xauth/Makefile.am: Link with libselinux.
+ * modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call
+ setfscreatecon() if selinux is enabled to create the .xauth file
+ with the right label. Original idea by Dan Walsh.
+
+2009-10-08 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Add notice about aureport
+ add SEE ALSO section.
+
+2009-10-06 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Just
+ call pam_modutil_user_in_group_nam_nam() instead of reimplementation
+ of group matching.
+
+2009-10-05 Kris Thomsen <lakristho@gmail.com>
+
+ * po/da.po: Updated translations.
+
+2009-09-29 Piotr Drąg <piotrdrag@gmail.com>
+
+ * po/pl.po: Updated translations.
+
+2009-09-21 Yulia Poyarkova <yulia.poyarkova@redhat.com>
+
+ * po/ru.po: Updated translations.
+
+2009-09-17 Kiyoto Hashida <khashida@redhat.com>
+
+ * po/ja.po: Updated translations.
+
+2009-09-17 Eunju Kim <eukim@redhat.com>
+
+ * po/ko.po: Updated translations.
+
+2009-09-17 Yulia Poyarkova <yulia.poyarkova@redhat.com>
+
+ * po/ru.po: Updated translations.
+
+2009-09-10 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_securetty/pam_securetty.c: pam_securetty should not
+ return PAM_USER_UNKNOWN when the tty is secure, regardless of what
+ was entered as a username.
+ Patch from Nicolas François <nicolas.francois@centraliens.net>.
+
+2009-08-31 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_namespace/namespace.init: make this portable to POSIX
+ awk, instead of using GNU awk extensions.
+
+2009-08-25 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_sepermit/pam_sepermit.8.xml: fix up one reference
+ to pam.d(8) left behind because I've forgotten how CVS works
+ * po/es.po: fix missing whitespace in password prompts.
+
+2009-08-24 Steve Langasek <vorlon@debian.org>
+
+ * doc/pam_get_authtok.3.xml: grammar fix.
+ * doc/adg/Linux-PAM-ADG.xml: Likewise.
+ * doc/mwg/Linux-PAM_MWG.xml: Likewise.
+ * doc/man/pam_setcred.3.xml: fix a typo.
+
+2009-07-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Delete
+ new token if it does not match strength criteria.
+
+2009-06-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/yppasswd_xdr.c: Remove unnecessary header files.
+
+ * modules/pam_unix/support.c (_unix_getpwnam): Only compile in NIS
+ support if all necessary functions exist.
+
+ * modules/pam_unix/pam_unix_passwd.c (getNISserver): Add debug
+ option, handle correct if OS has no NIS support.
+
+ * modules/pam_access/pam_access.c (netgroup_match): Check if
+ yp_get_default_domain and innetgr are available at compile time.
+
+ * configure.in: Check for functions: innetgr, getdomainname
+ check for headers: rpcsvc/ypclnt.h, rpcsvc/yp_prot.h.
+
+2009-06-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix.8.xml: Fix blowfish description.
+ Reported by Diego E. “Flameeyes” Pettenò.
+
+2009-06-26 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_namespace/Makefile.am: Fix make maintainer-clean,
+ fix docu dependencies.
+
+ * modules/pam_xauth/Makefile.am: Fix make maintainer-clean.
+ * modules/pam_access/Makefile.am: Likewise.
+ * modules/pam_debug/Makefile.am: Likewise.
+ * modules/pam_deny/Makefile.am: Likewise.
+ * modules/pam_echo/Makefile.am: Likewise.
+ * modules/pam_env/Makefile.am: Likewise.
+ * modules/pam_faildelay/Makefile.am: Likewise.
+ * modules/pam_ftp/Makefile.am: Likewise.
+ * modules/pam_group/Makefile.am: Likewise.
+ * modules/pam_issue/Makefile.am: Likewise.
+ * modules/pam_keyinit/Makefile.am: Likewise.
+ * modules/pam_lastlog/Makefile.am: Likewise.
+ * modules/pam_limits/Makefile.am: Likewise.
+ * modules/pam_listfile/Makefile.am: Likewise.
+ * modules/pam_localuser/Makefile.am: Likewise.
+ * modules/pam_loginuid/Makefile.am: Likewise.
+ * modules/pam_mail/Makefile.am: Likewise.
+ * modules/pam_mkhomedir/Makefile.am: Likewise.
+ * modules/pam_motd/Makefile.am: Likewise.
+ * modules/pam_nologin/Makefile.am: Likewise.
+ * modules/pam_pwhistory/Makefile.am: Likewise.
+ * modules/pam_rhosts/Makefile.am: Likewise.
+ * modules/pam_rootok/Makefile.am: Likewise.
+ * modules/pam_securetty/Makefile.am: Likewise.
+ * modules/pam_shells/Makefile.am: Likewise.
+ * modules/pam_succeed_if/Makefile.am: Likewise.
+ * modules/pam_tally2/Makefile.am: Likewise.
+ * modules/pam_tally/Makefile.am: Likewise.
+ * modules/pam_time/Makefile.am: Likewise.
+ * modules/pam_timestamp/Makefile.am: Likewise.
+ * modules/pam_tty_audit/Makefile.am: Likewise.
+ * modules/pam_umask/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+ * modules/pam_warn/Makefile.am: Likewise.
+ * modules/pam_wheel/Makefile.am: Likewise.
+ * modules/pam_filter/Makefile.am: Likewise.
+
+ * configure.in: Make regeneration of docu configureable,
+ rename enable_man to enable_docu.
+
+ * modules/pam_env/pam_env.c (_pam_parse): Fix typo in debug
+ code.
+
+ * modules/pam_cracklib/Makefile.am: Don't install docu if
+ module is disabled for building.
+ * modules/pam_userdb/Makefile.am: Likewise.
+
+ * modules/pam_unix/pam_unix_passwd.c: Remove dead SELinux
+ code.
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_failed): Fix
+ usage of wrong variable [bug#2809661].
+
+2009-06-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Rename crypt_gensalt_rn to crypt_gensalt_r
+ * modules/pam_unix/passverify.c: Likewise.
+
+2009-06-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.0
+
+2009-06-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/sag/Linux-PAM_SAG.xml: Fix typos.
+ * doc/adg/Linux-PAM_ADG.xml: Likewise.
+ * doc/mwg/Linux-PAM_MWG.xml: Likewise.
+
+2009-06-08 Rajesh Ranjan <rajesh672@gmail.com>
+
+ * po/hi.po: Updated translations.
+
+2009-06-01 Jaswinder Singh <jsingh@redhat.com>
+
+ * po/pa.po: Updated translations.
+
+2009-06-01 Tomáš Mráz <t8m@centrum.cz>
+
+ * modules/pam_pwhistory/opasswd.c (save_old_password): Don't
+ call fclose() on NULL descriptor. Found by Steve Grubb.
+
+2009-06-01 Ville Skyttä <ville.skytta@iki.fi>
+
+ * modules/pam_limits/pam_limits.8.xml: Only *.conf
+ files are parsed. Spelling fixes.
+ * modules/pam_access/pam_access.8.xml: Spelling fixes.
+ * modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
+ * modules/pam_echo/pam_echo.8.xml: Likewise.
+ * modules/pam_env/pam_env.8.xml: Likewise.
+ * modules/pam_exec/pam_exec.8.xml: Likewise.
+ * modules/pam_filter/pam_filter.8.xml: Likewise.
+ * modules/pam_ftp/pam_ftp.8.xml: Likewise.
+ * modules/pam_group/pam_group.8.xml: Likewise.
+ * modules/pam_issue/pam_issue.8.xml: Likewise.
+ * modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
+ * modules/pam_listfile/pam_listfile.8.xml: Likewise.
+ * modules/pam_localuser/pam_localuser.8.xml: Likewise.
+ * modules/pam_loginuid/pam_loginuid.8.xml: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml: Likewise.
+ * modules/pam_motd/pam_motd.8.xml: Likewise.
+ * modules/pam_namespace/pam_namespace.8.xml: Likewise.
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Likewise.
+ * modules/pam_selinux/pam_selinux.8.xml: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise.
+ * modules/pam_tally/pam_tally.8.xml: Likewise.
+ * modules/pam_tally2/pam_tally2.8.xml: Likewise.
+ * modules/pam_time/pam_time.8.xml: Likewise.
+ * modules/pam_timestamp/pam_timestamp.8.xml: Likewise.
+ * modules/pam_timestamp/pam_timestamp_check.8.xml: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+ * modules/pam_umask/pam_umask.8.xml: Likewise.
+ * modules/pam_unix/pam_unix.8.xml: Likewise.
+ * modules/pam_xauth/pam_xauth.8.xml: Likewise.
+
+2009-05-28 Jaswinder Singh <jsingh@redhat.com>
+
+ * po/pa.po: Updated translations.
+
+2009-05-21 Albert Carabasa Giribet <albertc@asic.udl.cat>
+
+ * po/ca.po: Updated translations.
+
+2009-05-11 Ani Peter <anipeter@fedoraproject.org>
+
+ * po/ml.po: Updated translations.
+
+2009-05-11 Charles-Antoine Couret <cacouret@wanadoo.fr>
+
+ * po/fr.po: Updated translations.
+
+2009-05-11 Tomáš Mráz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Remove
+ unnecessary setuid() call.
+
+2009-05-05 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.0.92
+ * libpamc/Makefile.am (libpamc_la_LDFLAGS): Increase revesion.
+ * configure.in: Increase version to 1.0.92.
+
+2009-04-20 Mario Santagiuliana <mario@marionline.it>
+
+ * po/it.po: Updated translations.
+
+2009-04-17 Fabian Affolter <fab@fedoraproject.org>
+
+ * po/de.po: Updated translations.
+
+2009-04-16 Tomáš Mráz <t8m@centrum.cz>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Add user
+ parameter. Use user instead of pwd->pw_name in comparsions.
+ (pam_sm_authenticate): Pass the original user to evaluate().
+
+2009-04-14 Amitakhya Phukan <aphukan@fedoraproject.org>
+
+ * po/as.po: Updated translations.
+
+2009-04-14 Runa Bhattacharjee <runab@fedoraproject.org>
+
+ * po/bn_IN.po: Updated translations.
+
+2009-04-14 Sweta Kothari <swkothar@redhat.com>
+
+ * po/gu.po: Updated translations.
+
+2009-04-14 Sandeep Shedmake <sandeep.shedmake@gmail.com>
+
+ * po/mr.po: Updated translations.
+
+2009-04-14 Rui Gouveia <rui.gouveia@globaltek.pt>
+
+ * po/pt.po: Updated translations.
+
+2009-04-14 I. Felix <ifelix@redhat.com>
+
+ * po/ta.po: Updated translations.
+
+2009-04-14 Krishna Babu K <kkrothap@redhat.com>
+
+ * po/te.po: Updated translations.
+
+2009-04-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/yppasswd.h: Update license to GPLv2 or later
+ on request of Olaf Kirch (Author).
+ * modules/pam_unix/yppasswd_xdr.c: Likewise.
+
+2009-04-06 R.E. van der Luit <nippur@fedoraproject.org>
+
+ * po/nl.po: Updated translations.
+
+2009-04-06 Terry Chuang <tchuang@redhat.com>
+
+ * po/zh_TW.po: Updated translations.
+
+2009-04-03 Shankar Prasad <svenkate@redhat.com>
+
+ * po/kn.po: Updated translations.
+
+2009-04-03 Manoj Kumar Giri <mgiri@redhat.com>
+
+ * po/or.po: Updated translations.
+
+2009-04-03 Miloš Komarčević <kmilos@gmail.com>
+
+ * po/sr.po: Updated translations.
+ * po/sr@latin.po: Updated translations.
+
+2009-04-03 Leah Liu <lliu@redhat.com>
+
+ * po/zh_CN.po: Updated translations.
+
+2009-04-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ * libpamc/pamc_load.c (__pamc_exec_agent): Replace call to exit(3)
+ in child process with call to _exit(2).
+ * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary):
+ Likewise.
+ * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
+ Likewise.
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+ * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
+ * modules/pam_exec/pam_exec.c (call_exec): Replace all calls to
+ exit(3) in child process with calls to _exit(2).
+ * modules/pam_filter/pam_filter.c (set_filter): Likewise.
+ * modules/pam_namespace/pam_namespace.c (inst_init,
+ cleanup_tmpdirs): Likewise.
+
+2009-03-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Don't
+ ignore return value of write().
+
+ * libpamc/include/security/pam_client.h (PAM_BP_ASSERT): Honour
+ NDEBUG.
+ * modules/pam_timestamp/pam_timestamp.c: don't ignore return
+ values of lchown and fchown.
+
+2009-03-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Make option handling
+ reentrant (#2487654)
+ (_pam_parse): Fix umask option.
+
+ * modules/pam_unix/passverify.c: Fix typo.
+
+ * modules/pam_issue/pam_issue.c: Fix compiler warning.
+ * modules/pam_ftp/pam_ftp.c: Likewise.
+
+2009-03-25 Pavol Šimo <palo.simo@gmail.com>
+
+ * po/sk.po: Updated translations.
+
+2009-03-24 Sulyok Péter <peti@sulyok.hu>
+
+ * po/hu.po: Updated translations.
+
+2009-03-24 Domingo Becker <domingobecker@gmail.com>
+
+ * po/es.po: Updated translations.
+
+2009-03-24 Diego Búrigo Zacarão <diegobz@projetofedora.org>
+
+ * po/pt_BR.po: Updated translations.
+
+2009-03-24 Piotr Drąg <piotrdrag@gmail.com>
+
+ * po/pl.po: Updated translations.
+
+2009-03-24 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/passverify.c(save_old_password): Call fflush() and
+ fsync().
+ (unix_update_passwd, unix_update_shadow): Likewise.
+ * modules/pam_pwhistory/opasswd.c(save_old_password): Likewise.
+
+ * po/cs.po: Updated translations.
+
+2009-03-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.0.91
+
+ * libpam/Makefile.am (libpam_la_LDFLAGS): Bump version number.
+ * xtests/Makefile.am: Add tst-pam_unix4.pamd, tst-pam_unix4.sh
+ and time.conf.
+
+2009-03-03 Dmitry V. Levin <ldv@altlinux.org>
+
+ * tests/tst-pam_mkargv.c (main): Fix for non-64bit architectures.
+
+2009-03-03 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_acct.c(_unix_run_verify_binary): Test
+ for abnormal exit of the helper binary.
+ * modules/pam_unix/pam_unix_passwd.c(_unix_run_update_binary): Likewise.
+ * modules/pam_unix/support.c(_unix_run_helper_binary): Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.c(create_homedir): Likewise.
+
+2009-02-27 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_mkhomedir/pam_mkhomedir.c(create_homedir): Replace
+ signal() with sigaction().
+ * modules/pam_namespace/pam_namespace.c(inst_init, cleanup_tmpdirs):
+ Likewise.
+ * modules/pam_unix/pam_unix_acct.c(_unix_run_verify_binary): Likewise.
+ * modules/pam_unix/pam_unix_passwd.c(_unix_run_update_binary):
+ Likewise.
+ * modules/pam_unix/passverify.c(su_sighandler): Likewise.
+ * modules/pam_unix/support.c(_unix_run_helper_binary): Likewise.
+
+ * modules/pam_tally2/Makefile.am: Link the pam_tally2 app to libpam
+ for auxiliary functions.
+ * modules/pam_tally2/pam_tally2.8.xml: Drop non-existing no_reset
+ option. Document new serialize option.
+ * modules/pam_tally2/pam_tally2.c: Add support for the new serialize
+ option.
+ (_cleanup, tally_set_data, tally_get_data): Add tally file handle to
+ tally PAM data. Needed for fcntl() locking.
+ (get_tally): Use low level file access instead of stdio buffered FILE.
+ If serialize option is used lock the tally file access.
+ (set_tally, tally_bump, tally_reset): Use low level file access instead
+ of stdio buffered FILE. Close the file handle only when it is not owned
+ by PAM data.
+ (pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt): Pass the tally
+ file handle to tally_set_data(). Get it from tally_get_data().
+ (main): Use low level file access instead of stdio buffered FILE.
+
+2009-02-26 Tomas Mraz <t8m@centrum.cz>
+
+ * xtests/Makefile.am: Add tst-pam_unix4.
+ * xtests/tst-pam_unix4.c: New test for password change
+ and shadow min days limit.
+ * xtests/tst-pam_unix4.pamd: Likewise.
+ * xtests/tst-pam_unix4.sh: Likewise.
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Ignore
+ PAM_AUTHTOK_ERR on shadow verification.
+ * modules/pam_unix/passverify.c (check_shadow_expiry): Return
+ PAM_AUTHTOK_ERR if sp_min limit for password change is defied.
+
+2009-02-26 Timur Birsh <taem@linukz.org>
+
+ * po/LINGUAS: New Kazakh translation.
+ * po/kk.po: New Kazakh translation.
+
+2009-02-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_misc.c (_pam_StrTok): Use unsigned char
+ instead of int. Reported by Marcus Granado.
+ * tests/Makefile.am (TESTS): Add tst-pam_mkargv.
+ * tests/tst-pam_mkargv.c (main): Test case for
+ _pam_mkargv.
+
+ * po/de.po: Update fuzzy translations.
+
+2009-02-25 Tomas Mraz <t8m@centrum.cz>
+
+ * xtests/access.conf: Add a line for name resolution test case.
+ * xtests/tst-pam_access4.c (main): Set PAM_RHOST for testing the LOCAL
+ keyword. Add a test case for name resolution.
+
+ * modules/pam_access/pam_access.c (from_match): Move name resolution
+ to network_netmask_match().
+ (network_netmask_match): Do a name resolution of the origin only if
+ matching against a real network/netmask.
+
+2009-02-25 Fabian Affolter <fabian@bernewireless.net>
+
+ * po/de.po: Updated translations.
+
+2009-02-25 Taylon Silmer Lacerda Silva <taylonsilva@gmail.com>
+
+ * po/pt_BR.po: Updated translations.
+
+2009-02-25 Domingo Becker <domingobecker@gmail.com>
+
+ * po/es.po: Updated translations.
+
+2009-02-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/limits.conf.5.xml: Document that the kernel
+ can refuse values out of range for the local system.
+ * modules/pam_limits/pam_limits.c (setup_limits): Log if setrlimit
+ fails.
+
+2009-02-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_password.c (pam_chauthtok): Make sure applications
+ don't set internal flags.
+
+2009-02-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient
+ can break the PRELIM_CHECK chain.
+
+ * libpam/pam_dispatch.c: Don't freeze chain for chauthtok
+ [bugzilla.novell.com#470337]
+
+2009-02-11 Daniel Nylander <po@danielnylander.se>
+
+ * po/sv.po: Updated translations.
+
+2009-01-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_sm_setcred.3.xml: Document PAM_ESTABLISH_CRED.
+
+2009-01-19 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_mkhomedir/Makefile.am: Add mkhomedir_helper.
+ * modules/pam_mkhomedir/mkhomedir_helper.8.xml: New file. Manual page
+ for mkhomedir_helper.
+ * modules/pam_mkhomedir/mkhomedir_helper.c: New file. Source
+ for mkhomedir_helper. Most of the code moved from pam_mkhomedir.c.
+ * modules/pam_mkhomedir/pam_mkhomedir.c (_pam_parse): Do not convert umask
+ to integer.
+ (rec_mkdir): Moved to mkhomedir_helper.c.
+ (create_homedir): Just exec the helper.
+ (pam_sm_open_session): Improve logging.
+
+2009-01-19 Daniel Cabrera <h.daniel.cabrera@gmail.com>
+
+ * po/es.po: Updated translations.
+
+2009-01-14 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/de.po: Updated translations.
+
+2009-01-07 Piotr Drąg <piotrdrag@gmail.com>
+
+ * po/pl.po: Updated translations.
+
+2008-12-23 Piotr Drąg <piotrdrag@gmail.com>
+
+ * po/pl.po: Updated translations.
+
+2008-12-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_pwhistory/pam_pwhistory.c (parse_option): Rename
+ type= option to authtok_type= (because of pam_get_authtok).
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Likewise.
+
+2008-12-17 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Do
+ not abort on unknown option. Avoid double free of old_status.
+ (pam_sm_close_session): Use LOG_DEBUG for restored status message.
+
+ * configure.in: Test for getseuser().
+ * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Call getseuser()
+ instead of getseuserbyname() if the function is available.
+
+2008-12-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.0.90
+
+ * libpam_misc/Makefile.am: Increase version number of shared library.
+ * libpamc/Makefile.am: Likewise.
+
+2008-12-12 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_tally2/pam_tally2.c (get_tally): Test for EACCES
+ instead of EPERM.
+ * modules/pam_tally2/pam_tally2.8.xml: Fix documentation.
+
+2008-12-10 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_item_types_ext.inc.xml: Document PAM_AUTHTOK_TYPE.
+ * libpam/pam_end.c (pam_end): Free authtok_type.
+ * tests/tst-pam_get_item.c: Add PAM_AUTHTOK_TYPE
+ as test case.
+ * tests/tst-pam_set_item.c: Likewise.
+ * libpam/pam_start.c (pam_start): Initialize xdisplay,
+ xauth and authtok_type.
+ * libpam/pam_get_authtok.c (pam_get_authtok): Rename "type"
+ to "authtok_type".
+ * modules/pam_cracklib/pam_cracklib.8.xml: Replace "type=" with
+ "authtok_type=".
+ * doc/man/pam_get_authtok.3.xml: Document authtok_type argument.
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Set
+ type= argument as PAM_AUTHTOK_TYPE item.
+ * libpam/pam_get_authtok.c (pam_get_authtok): If no type
+ argument given, use PAM_AUTHTOK_TYPE item.
+ * libpam/pam_item.c (pam_get_item): Fetch PAM_AUTHTOK_TYPE item.
+ (pam_set_item): Store PAM_AUTHTOK_TYPE item.
+ * libpam/pam_private.h: Add authtok_type to pam_handle.
+ * libpam/include/security/_pam_types.h (PAM_AUTHTOK_TYPE): New.
+
+2008-12-03 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_access/access.conf.5.xml: Replace
+ 2001:4ca0 with 2001:db8:: [bug#2356400].
+
+ * doc/man/Makefile.am: Add pam_get_authtok.3.xml.
+ * doc/man/pam_get_authtok.3.xml: New.
+ * libpam/Makefile.am: Add pam_get_authtok.c.
+ * libpam/libpam.map: Export pam_get_authtok.
+ * libpam/pam_get_authtok.c: New.
+ * libpam/pam_private.h: Add mod_argc and mod_argv to pam_handle.
+ * libpam_include/security/pam_ext.h: Add pam_get_authtok
+ prototype.
+ * modules/pam_cracklib/pam_cracklib.c: Use pam_get_authtok.
+ * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+ * po/POTFILES.in: Add libpam/pam_get_authtok.c.
+ * xtests/tst-pam_cracklib1.c: Adjust error codes.
+
+ * modules/pam_timestamp/Makefile.am: Remove hmactest.c from
+ EXTRA_DIST.
+
+ * po/*.po: Regenerated.
+
+2008-12-02 Michael Calmer <mc@suse.de>
+
+ * modules/pam_limits/limits.conf.5.xml: Document valid values
+ for limits (bnc#448314).
+
+2008-12-02 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_env/pam_env.c: Add support for user specific
+ environment file. Based on a patch from Ubuntu.
+ * modules/pam_env/pam_env.8.xml: Document new options.
+
+2008-12-02 Olivier Fourdan <ofourdan@redhat.com>
+
+ * modules/pam_filter/pam_filter.c (master): Use /dev/ptmx
+ instead of the old BSD pseudoterminal API.
+ (set_filter): Call grantpt(), unlockpt() and ptsname(). Do not
+ close pseudoterminal handle in filter child.
+ * modules/pam_filter/upperLOWER/upperLOWER.c (main): Use
+ regular read() instead of pam_modutil_read() to allow for
+ short reads.
+
+2008-12-02 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_timestamp/Makefile.am: Add hmacfile to tests.
+ * modules/pam_timestamp/hmacfile.c: Do not try the short key
+ testvector.
+
+2008-12-01 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/support.h: Fix masks for cipher algorithm
+ flags.
+
+2008-12-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix.8.xml: Document blowfish option.
+
+ * configure.in: Check for crypt_gensalt_rn.
+ * modules/pam_unix/pam_unix_passwd.c: Pass pamh to
+ create_password_hash function.
+ * modules/pam_unix/passverify.c (create_password_hash): Add
+ blowfish support.
+ * modules/pam_unix/passverify.h: Adjust create_password_hash
+ prototype.
+ * modules/pam_unix/support.c: Add support for blowfish option.
+ * modules/pam_unix/support.h: Add defines for blowfish option.
+ Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+2008-12-01 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.8.xml: Fix description of nodefgroup
+ option.
+
+ * modules/pam_group/pam_group.c (is_same): Fix check for correct
+ string length.
+
+2008-11-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Check for xcrypt.h, fix typo in libaudit check.
+ * modules/pam_cracklib/pam_cracklib.c: Include xcrypt.h if
+ available.
+ * modules/pam_unix/bigcrypt.c: Likewise.
+ * modules/pam_unix/passverify.c: Likewise.
+ * modules/pam_userdb/pam_userdb.c: Likewise.
+ Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+ * doc/man/pam_getenv.3.xml: Document that application should
+ not free return value.
+
+ * doc/man/pam.3.xml: Add Note about thread-safeness of libpam
+ functions.
+
+2008-11-28 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/unix_update.c (set_password): Allow root to change
+ passwords without verification of the old ones.
+
+ * modules/pam_tally2/pam_tally2.c (tally_check): Fix info format
+ to be the same as in pam_tally.
+
+ * configure.in: Add modules/pam_timestamp/Makefile.
+ * doc/sag/Linux-PAM_SAG.xml: Include pam_timestamp.xml.
+ * doc/sag/pam_timestamp.xml: New.
+ * libpam/pam_static_modules.h: Add pam_timestamp static struct.
+ * modules/Makefile.am: Add pam_timestamp directory.
+ * modules/pam_timestamp/Makefile.am: New.
+ * modules/pam_timestamp/README.xml: New.
+ * modules/pam_timestamp/hmacsha1.h: New.
+ * modules/pam_timestamp/sha1.h: New.
+ * modules/pam_timestamp/pam_timestamp.8.xml: New.
+ * modules/pam_timestamp/pam_timestamp_check.8.xml: New.
+ * modules/pam_timestamp/pam_timestamp.c: New.
+ * modules/pam_timestamp/pam_timestamp_check.c: New.
+ * modules/pam_timestamp/hmacfile.c: New.
+ * modules/pam_timestamp/hmacsha1.c: New.
+ * modules/pam_timestamp/sha1.c: New.
+ * modules/pam_timestamp/tst-pam_timestamp: New.
+ * po/POTFILES.in: Add pam_timestamp sources.
+ * po/*.po: Regenerate.
+ * po/cs.po: Updated translations.
+
+2008-11-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_pwhistory/opasswd.c (save_old_password): Fix typo.
+
+ * modules/pam_time/pam_time.c (is_same): Fix check
+ of correct string length (debian bug #326407).
+
+2008-11-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/Makefile.am: Add pam_time1 tests.
+ * xtests/tst-pam_time1.c: New test case.
+ * xtests/tst-pam_time1.pamd: New.
+ * xtests/time.conf: New.
+ * xtests/run-xtests.sh: Copy time.conf.
+
+2008-11-24 Tomas Mraz <t8m@centrum.cz>
+
+ * libpam/pam_handlers.c (_pam_parse_conf_file): '-' at
+ beginning of type token marks silent module.
+ (_pam_load_module): Add handler_type parameter. Do not log
+ module load error if module is silent.
+ (_pam_add_handler): Pass handler_type to _pam_load_module().
+ * libpam/pam_private.h: Add PAM_HT_SILENT_MODULE.
+ * doc/man/pam.conf-syntax.xml: Document the '-' at beginning
+ of type.
+
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Fix leaks
+ in error path.
+ * modules/pam_env/pam_env.c (_parse_env_file): Remove superfluous
+ condition.
+ * modules/pam_group/pam_group.c (check_account): Fix leak
+ in error path.
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Fix leak
+ in error path.
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Remove
+ superfluous condition.
+ * modules/pam_stress/pam_stress.c (stress_get_password,pam_sm_authenticate):
+ Remove superfluous conditions.
+ (pam_sm_chauthtok): Fix mistaken && for &.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Remove
+ superfluous condition.
+ All the problems fixed in this commit were found by Steve Grubb.
+
+2008-11-20 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not
+ call sepermit_lock() if sense is deny. Do not crash on NULL seuser
+ match.
+ (pam_sm_authenticate): Try to call getseuserbyname() even if
+ SELinux is disabled.
+
+2008-11-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session):
+ Preserve XAUTHLOCALHOSTNAME environment variable.
+
+ * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Finish
+ implementation of type=STRING option.
+
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: Document
+ "type=STRING" option.
+
+2008-10-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_setcred.3.xml: Document when credentials
+ should be deleted.
+ * po/ja.po: Fix syntax error.
+ * po/de.po: Update translations.
+ * po/*.po: Regenerate with pam_tally2 added.
+
+2008-10-23 Taylon Silmer Lacerda Silva <taylonsilva@gmail.com>
+
+ * po/pt_BR.po: Updated translations.
+
+2008-10-23 Krishna Babu K <kkrothap@redhat.com>
+
+ * po/LINGUAS: New language.
+ * po/te.po: New translation to Telugu.
+
+2008-10-23 Manoj Kumar Giri <mgiri@redhat.com>
+
+ * po/or.po: Updated translations.
+
+2008-10-21 Amitakhya Phukan <aphukan@redhat.com>
+
+ * po/as.po: Updated translations.
+
+2008-10-21 Ondrej Sulek <feonsu@gmail.com>
+
+ * po/sk.po: Updated translations.
+
+2008-10-21 Terry Chuang <tchuang@redhat.com>
+
+ * po/zh_TW.po: Updated translations.
+
+2008-10-21 Kiyoto Hashida <khashida@redhat.com>
+
+ * po/ja.po: Updated translations.
+
+2008-10-21 Francesco Valente <fvalen@redhat.com>
+
+ * po/it.po: Updated translations.
+
+2008-10-21 Peter van Egdom <p.van.egdom@gmail.com>
+
+ * po/nl.po: Updated translations.
+
+2008-10-20 Ani Peter <apeter@redhat.com>
+
+ * po/ml.po: Updated translations.
+
+2008-10-20 Pablo Martin-Gomez <pablo.martin-gomez@laposte.net>
+
+ * po/fr.po: Updated translations.
+
+2008-10-20 Runa Bhattacharjee <runab@redhat.com>
+
+ * po/bn_IN.po: Updated translations.
+
+2008-10-20 Shankar Prasad <svenkate@redhat.com>
+
+ * po/kn.po: Updated translations.
+
+2008-10-20 Leah Liu <lliu@redhat.com>
+
+ * po/zh_CN.po: Updated translations.
+
+2008-10-20 Ondrej Sulek <feonsu@gmail.com>
+
+ * po/LINGUAS: New language.
+ * po/sk.po: New translation to Slovak.
+
+2008-10-17 Tomas Mraz <t8m@centrum.cz>
+
+ * configure.in: Add modules/pam_tally2/Makefile.
+ * doc/sag/Linux-PAM_SAG.xml: Include pam_tally2.xml.
+ * doc/sag/pam_tally2.xml: New.
+ * libpam/pam_static_modules.h: Add pam_tally2 static struct.
+ * modules/Makefile.am: Add pam_tally2 directory.
+ * modules/pam_tally2/Makefile.am: New.
+ * modules/pam_tally2/README.xml: New.
+ * modules/pam_tally2/tallylog.h: New.
+ * modules/pam_tally2/pam_tally2.8.xml: New.
+ * modules/pam_tally2/pam_tally2.c: New.
+ * modules/pam_tally2/pam_tally2_app.c: New.
+ * modules/pam_tally2/tst-pam_tally2: New.
+ * po/POTFILES.in: Add pam_tally2 sources.
+
+2008-10-17 Xavier Queralt Mateu <xqueralt@gmail.com>
+
+ * po/ca.po: Updated translations.
+
+2008-10-15 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Save the old
+ euid to suid to be able to restore it.
+
+2008-10-15 Piotr Drąg <piotrdrag@gmail.com>
+
+ * po/pl.po: Updated translations.
+
+2008-10-13 Tomas Mraz <t8m@centrum.cz>
+
+ * po/LINGUAS: New languages.
+ * po/cs.po: Updated translations.
+
+2008-10-13 Amitakhya Phukan <aphukan@redhat.com>
+
+ * po/as.po: Updated translations.
+
+2008-10-13 Shankar Prasad <svenkate@redhat.com>
+
+ * po/kn.po: Updated translations.
+
+2008-10-13 Sandeep Sheshrao Shedmake <sshedmak@redhat.com>
+
+ * po/mr.po: New translation to Marathi.
+
+2008-10-13 Runa Bhattacharjee <runab@redhat.com>
+
+ * po/bn_IN.po: Updated translations.
+
+2008-10-13 Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com>
+
+ * po/ms.po: New translation to Malay.
+
+2008-10-10 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass):
+ Remove check for re-used passwords.
+ * modules/pam_cracklib/pam_cracklib.8.xml: Remove documentation
+ of re-used password check.
+
+ * configure.in: add modules/pam_pwhistory/Makefile.
+ * doc/sag/Linux-PAM_SAG.xml: Include pam_pwhistory.xml.
+ * doc/sag/pam_pwhistory.xml: New.
+ * libpam/pam_static_modules.h: Add pam_pwhistory data.
+ * modules/Makefile.am: Add pam_pwhistory directory.
+ * modules/pam_pwhistory/Makefile.am: New.
+ * modules/pam_pwhistory/README.xml: New.
+ * modules/pam_pwhistory/opasswd.c: New.
+ * modules/pam_pwhistory/opasswd.h: New.
+ * modules/pam_pwhistory/pam_pwhistory.8.xml: New.
+ * modules/pam_pwhistory/pam_pwhistory.c: New.
+ * modules/pam_pwhistory/tst-pam_pwhistory: New.
+ * xtests/Makefile.am: New.
+ * xtests/run-xtests.sh: New.
+ * xtests/tst-pam_pwhistory1.c: New.
+ * xtests/tst-pam_pwhistory1.pamd: New.
+ * xtests/tst-pam_pwhistory1.sh: New.
+ * po/POTFILES.in: Add modules/pam_pwhistory/.
+ * po/de.po: Update translations.
+
+2008-10-02 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/de.po: Update translations.
+
+2008-09-30 Manoj Kumar Giri <mgiri@redhat.com>
+
+ * po/or.po: Updated translations.
+
+2008-09-30 Taylon Silmer Lacerda Silva <taylonsilva@gmail.com>
+
+ * po/pt_BR.po: Updated translations.
+
+2008-09-30 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_lastlog/pam_lastlog.8.xml: Document new options
+ noupdate and showfailed.
+ * modules/pam_lastlog/pam_lastlog.c(pam_parse): Recognize the new
+ options.
+ (last_login_read): New output parameter lltime. Do not display
+ the last login message if it would be empty.
+ (last_login_date): New output parameter lltime. Do not write the
+ last login info when LASTLOG_UPDATE is not set.
+ (last_login_failed): New function to display the last bad login
+ attempt from btmp.
+ (pam_sm_open_session): Obtain lltime from last_login_date() and
+ call last_login_failed() when appropriate.
+
+ * po/Linux-pam.pot: Updated strings to translate.
+ * po/*.po: Likewise.
+
+2008-09-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_echo/pam_echo.8.xml: Fix format error.
+
+2008-09-25 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_tally/pam_tally.c(get_tally): Fix syslog message.
+ (tally_check): Open faillog read only. Close file descriptor.
+ Fix typos in messages.
+
+2008-09-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mail/pam_mail.c (report_mail): Fix logic of
+ "quiet" option (Patch from Andreas Henriksson <andreas@fatal.se>)
+
+ * modules/pam_mail/pam_mail.8.xml: Fix typo.
+
+2008-09-23 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_limits/limits.conf.5.xml: Comment that rss limit is
+ ignored.
+
+2008-09-19 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: Fix description
+ of the palindrome test. Document new options maxrepeat and
+ reject_username.
+ * modules/pam_cracklib/pam_cracklib.c(_pam_parse): Parse
+ the maxrepeat and reject_username options.
+ (password_check): Call the new tests usercheck() and
+ consecutive().
+ (_pam_unix_approve_pass): Pass user name to the password_check().
+
+2008-09-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: Fix typo.
+
+ * modules/pam_unix/pam_unix.8.xml: Fix typo.
+
+2008-09-03 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_exec/pam_exec.c: Expose authtok if requested,
+ provide environment variable containing service type.
+ * modules/pam_exec/pam_exec.8.xml: Document new option.
+
+2008-08-29 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_loginuid/pam_loginuid.c(set_loginuid): Uids
+ are unsigned.
+
+2008-08-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * Makefile.am (M4_FILES): Adjust list.
+
+ * modules/pam_access/pam_access.8.xml: Fix module service
+ vs. module type.
+ * modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
+ * modules/pam_debug/pam_debug.8.xml: Likewise.
+ * modules/pam_deny/pam_deny.8.xml: Likewise.
+ * modules/pam_echo/pam_echo.8.xml: Likewise.
+ * modules/pam_env/pam_env.8.xml: Likewise.
+ * modules/pam_exec/pam_exec.8.xml: Likewise.
+ * modules/pam_faildelay/pam_faildelay.8.xml: Likewise.
+ * modules/pam_filter/pam_filter.8.xml: Likewise.
+ * modules/pam_ftp/pam_ftp.8.xml: Likewise.
+ * modules/pam_group/pam_group.8.xml: Likewise.
+ * modules/pam_issue/pam_issue.8.xml: Likewise.
+ * modules/pam_keyinit/pam_keyinit.8.xml: Likewise.
+ * modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
+ * modules/pam_limits/pam_limits.8.xml: Likewise.
+ * modules/pam_listfile/pam_listfile.8.xml: Likewise.
+ * modules/pam_localuser/pam_localuser.8.xml: Likewise.
+ * modules/pam_loginuid/pam_loginuid.8.xml: Likewise.
+ * modules/pam_mail/pam_mail.8.xml: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml: Likewise.
+ * modules/pam_motd/pam_motd.8.xml: Likewise.
+ * modules/pam_namespace/pam_namespace.8.xml: Likewise.
+ * modules/pam_nologin/pam_nologin.8.xml: Likewise.
+ * modules/pam_permit/pam_permit.8.xml: Likewise.
+ * modules/pam_rhosts/pam_rhosts.8.xml: Likewise.
+ * modules/pam_rootok/pam_rootok.8.xml: Likewise.
+ * modules/pam_securetty/pam_securetty.8.xml: Likewise.
+ * modules/pam_selinux/pam_selinux.8.xml: Likewise.
+ * modules/pam_sepermit/pam_sepermit.8.xml: Likewise.
+ * modules/pam_shells/pam_shells.8.xml: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise.
+ * modules/pam_tally/pam_tally.8.xml: Likewise.
+ * modules/pam_time/pam_time.8.xml: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+ * modules/pam_umask/pam_umask.8.xml: Likewise.
+ * modules/pam_unix/pam_unix.8.xml: Likewise.
+ * modules/pam_userdb/pam_userdb.8.xml: Likewise.
+ * modules/pam_warn/pam_warn.8.xml: Likewise.
+ * modules/pam_wheel/pam_wheel.8.xml: Likewise.
+ * modules/pam_xauth/pam_xauth.8.xml: Likewise.
+
+2008-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Add version for gettext, add search path
+ for m4 directory, fix handling of --disable-* options.
+ Patches from Diego Pettenò <flameeyes@gmail.com>.
+
+ * configure.in: Run autoupdate on it.
+
+ * acincludde.m4: Rename to ...
+ * m4/jh_path_xml_catalog.m4: ... this.
+
+ * m4/*.m4: Remove all autoconf m4 files.
+
+2008-07-29 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: correct a typo,
+ "Only he" -> "Only the"
+
+2008-07-28 Steve Langasek <vorlon@debian.org>
+
+ * libpamc/test/regress/test.libpamc.c: use standard u_int8_t
+ type instead of __u8, as elsewhere.
+ Patch from Roger Leigh <rleigh@debian.org>.
+ * modules/pam_unix/passverify.c: make save_old_password()
+ thread-safe by using pam_modutil_getpwnam() instead of getpwnam()
+ * modules/pam_unix/passverify.c, modules/pam_unix/passverify.h,
+ modules/pam_unix/pam_unix_passwd.c: add pamh argument to
+ save_old_password()
+
+2008-07-27 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_*/pam_*.8.xml: fix up the references to pam.d,
+ which is in manpage section 5, not 8.
+ * modules/pam_env/environment, modules/pam_env/pam_env.8.xml:
+ spelling fix, seperate -> separate
+
+2008-07-26 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_env/pam_env.c: Fix module to skip over
+ non-alphanumeric variable names, and to handle the case when
+ asked to delete a non-existent variable.
+
+2008-07-13 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_mail/pam_mail.8.xml: Module supports session and
+ not account service (#1980773).
+
+2008-07-11 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Do
+ not close the pipe descriptor in borderline case (#2009766).
+ * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
+ Likewise.
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+ * modules/pam_unix/support.h: Define upper limit of fds we will
+ attempt to close.
+
+ * modules/pam_selinux/pam_selinux.c (config_context): Do not
+ ask for the level if use_current_range is set.
+ (context_from_env): New function to obtain the context from
+ PAM environment variables.
+ (pam_sm_open_session): Call context_from_env() if env_params option
+ is present. use_current_range now modifies behavior of the
+ context_from_env and config_context options.
+ * modules/pam_selinux/pam_selinux.8.xml: Describe the env_params
+ option. Adjust description of use_current_range option.
+
+2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_exec/pam_exec.c (call_exec): Move all variable
+ declaration to begin of a block (#1976310).
+
+ * xtests/tst-pam_group1.c (run_test): Move no_grps declaration
+ to begin of function (#1976310).
+
+ * modules/pam_securetty/pam_securetty.8.xml: Replace
+ PAM_IGNORE with PAM_USER_UNKNOWN (#1994330).
+
+ * modules/pam_tally/pam_tally.c: Add support for silent and
+ no_log_info options.
+ * modules/pam_tally/pam_tally.8.xml: Document silent and
+ no_log_info options.
+
+2008-07-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/passverify.c (verify_pwd_hash): Adjust debug
+ statement.
+
+2008-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/unix_chkpwd.c (main): Fix compiling without
+ audit support.
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: Fix typo in ucredit
+ description (reported by Wayne Pollock <pollock@acm.org>)
+
+2008-06-19 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate):
+ Detect configuration errors. Fail on incomplete condition.
+
+2008-05-20 Tomas Mraz <t8m@centrum.cz>
+
+ * configure.in: Work correctly with autoconf-2.62.
+
+2008-05-19 Tomas Mraz <t8m@centrum.cz>
+
+ * doc/man/pam_getenv.3.xml: Correct the pam_getenv documentation.
+
+ * doc/man/pam_prompt.3.xml: Add missing description.
+
+2008-05-14 Kjartan Maraas <kmaraas@gnome.org>
+
+ * po/nb.po: Updated translation.
+
+2008-05-14 Sulyok Péter <peti@sulyok.hu>
+
+ * po/hu.po: Updated translation.
+
+2008-05-14 Tomas Mraz <t8m@centrum.cz>
+
+ * libpam/pam_modutil_getgrgid.c: Replace hardcoded constant with
+ define PWD_LENGTH_SHIFT.
+ * libpam/pam_modutil_getgrnam.c: Likewise.
+ * libpam/pam_modutil_getpwnam.c: Likewise.
+ * libpam/pam_modutil_getpwuid.c: Likewise.
+ * libpam/pam_modutil_getspnam.c: Likewise.
+ * libpam/pam_modutil_private.h: Adjust values for PWD_ constants.
+
+ * modules/pam_unix/pam_unix_passwd.c(pam_sm_chauthtok): Unset authtok
+ item when password is not approved.
+ * modules/pam_unix/support.c(_unix_read_password): UNIX_USE_FIRST_PASS
+ is always set when UNIX_AUTHTOK is set, change order of conditions.
+
+2008-05-02 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_selinux/pam_selinux.c(query_response): Add handling
+ for NULL response.
+ (manual_context): Handle failed query_response() properly. Rename
+ variable responses to response which is more correct name.
+ (config_context): Likewise.
+ (pam_sm_open_session): Do not base decision on whether there is a tty.
+
+2008-04-22 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_selinux/pam_selinux.c(pam_sm_close_sesion): Fix
+ regression from the change from 2008-03-20. setexeccon() must be
+ called also with NULL prev_context.
+
+2008-04-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_access/access.conf.5.xml: Document changed behavior
+ of LOCAL keyword.
+ * modules/pam_access/pam_access.c: Add from_remote_host to
+ struct login_info to change behavior of LOCAL keyword: if
+ PAM_RHOST is not set, LOCAL will be true.
+
+2008-04-18 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/pam_namespace.c: New functions
+ unprotect_dirs(), cleanup_protect_data(), protect_mount(),
+ protect_dir() to protect directory by bind mount.
+ (cleanup_data): Renamed to cleanup_polydir_data().
+ (parse_create_params): Allow missing specification of mode
+ or owner.
+ (check_inst_parent): Call protect_dir() on the instance parent
+ directory. The directory is created when it doesn't exist.
+ (create_polydir): Protect and make the polydir by protect_dir(),
+ remove potential races.
+ (create_dirs): Renamed to create_instance(), remove call to
+ inst_init().
+ (ns_setup): Call protect_dir() on the polydir if it already exists.
+ Call inst_init() after the polydir is mounted.
+ (setup_namespace): Set the namespace protect data to be cleaned up
+ on pam_close_session()/pam_end().
+ (pam_sm_open_session): Initialize the protect_dirs.
+ (pam_sm_close_session): Cleanup namespace protect data.
+ * modules/pam_namespace/pam_namespace.h: Define struct for the
+ stack of protected dirs.
+ * modules/pam_namespace/pam_namespace.8.xml: Document when the
+ instance init script is called.
+ * modules/pam_namespace/namespace.conf.5.xml: Likewise.
+
+2008-04-17 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c(myhostname): Removed function.
+ (user_match): Supply hostname of the machine to the netgroup_match().
+ Use hostname from the loginfo instead of calling myhostname().
+ (pam_sm_authenticate): Call gethostname() to fill hostname in the
+ loginfo.
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Do not try
+ to lock if euid != 0.
+
+2008-04-16 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/Makefile.am: Link unix_chkpwd with libaudit.
+ * modules/pam_unix/unix_chkpwd.c(_audit_log): New function for audit.
+ (main): Call _audit_log() when appropriate.
+
+ * modules/pam_cracklib/pam_cracklib.c(_pam_parse): Recognize also
+ try_first_pass and use_first_pass options.
+ (pam_sm_chauthtok): Implement the new options.
+
+2008-04-08 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_xauth/pam_xauth.c(run_coprocess): Avoid multiple
+ calls to sysconf() (based on patch by Sami Farin).
+
+ * libpam/pam_item.c (TRY_SET): Do not set when destination
+ is identical to source.
+ (pam_set_item): Do not overwrite destination when it
+ is identical to source.
+
+2008-04-07 Miloš Komarčević <kmilos@gmail.com>
+
+ * po/sr.po: New file with translation.
+ * po/sr@latin.po: Likewise.
+ * po/LINGUAS: Add sr and sr@latin.
+
+2008-04-03 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.0.0
+
+ * configure.in: Set version number to 1.0.0.
+ * libpam/Makefile.am: Bump patchlevel of libpam.
+ * doc/adg/Linux-PAM_ADG.xml: Update version/date.
+ * doc/mwg/Linux-PAM_MWG.xml: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Likewise.
+
+2008-03-31 Dan Walsh <dwalsh@redhat.com>
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_lock): Mark lock fd to
+ be closed on exec.
+
+2008-03-25 Leah Liu <lliu@redhat.com>
+
+ * po/zh_CN.po: Updated translation.
+
+2008-03-20 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/pam_namespace.c(poly_name): Switch to USER
+ method only when appropriate.
+ (setup_namespace): Do not umount when not mounted with RUSER.
+
+ * modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Call
+ freecontext() after the context is logged not before.
+
+2008-03-18 Canniot Thomas <thomas.canniot@mrtomlinux.org>
+
+ * po/fr.po: Updated translation.
+
+2008-03-13 Ankit Patel <ankit@redhat.com>
+
+ * po/gu.po: Updated translation.
+
+2008-03-05 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Avoid
+ unnecessary x_strdup() of resp.
+ * modules/pam_ftp/pam_ftp(pam_sm_authenticate): Call _pam_overwrite()
+ before dropping password resp.
+
+2008-03-03 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_selinux/pam_selinux.c: Do not translate syslog messages.
+ * po/Linux-PAM.pot: Update.
+
+ * libpam/pam_item.c(RESET): Rename to TRY_SET, handle strdup failure.
+ (pam_set_item): Use TRY_SET() also for PAM_AUTHTOK and PAM_OLDAUTHTOK.
+ Handle allocation failure for PAM_XAUTHDATA.
+ (pam_get_user): Return error when conversation returns NULL user.
+ Call pam_set_item() instead of RESET().
+
+2008-02-26 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/Makefile.am: Do not link to cracklib.
+ * modules/pam_unix/pam_unix_passwd.c(_pam_unix_approve_pass):
+ Do not call FascistCheck() from cracklib.
+
+2008-02-29 Fabian Affolter <fab@fedoraproject.org>
+
+ * po/de.po: Updated translation.
+
+2008-02-28 Piotr Drąg <piotrdrag@gmail.com>
+
+ * po/pl.po: Updated translation.
+
+2008-02-26 Tomas Mraz <t8m@centrum.cz>
+
+ * po/LINUGAS: New languages added.
+ * po/es.po: Updated translations.
+ * po/fr.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nl.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/ru.po: Likewise.
+ * po/zh_CN.po: Likewise.
+ * po/as.po: New file.
+ * po/gu.po: Likewise.
+ * po/hi.po: Likewise.
+ * po/kn.po: Likewise.
+ * po/ko.po: Likewise.
+ * po/ml.po: Likewise.
+ * po/or.po: Likewise.
+ * po/si.po: Likewise.
+ * po/ta.po: Likewise.
+
+2008-02-21 Tomas Mraz <t8m@centrum.cz>
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Silence syslog
+ message on non-error return.
+
+ * modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged
+ user when checking password of another user.
+ * modules/pam_unix/unix_update.c: Fix comment.
+
+2008-02-18 Dmitry V. Levin <ldv@altlinux.org>
+
+ * libpam/pam_handlers.c (_pam_assemble_line): Fix potential
+ buffer overflow.
+ * xtests/tst-pam_assemble_line1.pamd: New test for
+ _pam_assemble_line.
+ * xtests/tst-pam_assemble_line1.sh: New script for
+ tst-pam_assemble_line1.
+ * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line1.
+ (EXTRA_DIST): Add tst-pam_assemble_line1.pamd and
+ tst-pam_assemble_line1.sh
+
+ * modules/pam_exec/pam_exec.c (call_exec): Fix asprintf return
+ code check.
+
+2008-02-13 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.10.0
+
+ * configure.in: set version number.
+
+ * modules/pam_rhosts/Makefile.am: Remove pam_rhosts_auth.
+ * modules/pam_rhosts/pam_rhosts_auth.c: Removed.
+ * modules/pam_rhosts/tst-pam_rhosts_auth: Removed.
+
+ * modules/pam_namespace/Makefile.am (noinst_HEADERS): Add
+ pam_namespace.h.
+
+2008-02-13 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d
+ dir.
+ * modules/pam_namespace/argv_parse.c: New file.
+ * modules/pam_namespace/argv_parse.h: New file.
+ * modules/pam_namespace/namespace.conf.5.xml: Document new features.
+ * modules/pam_namespace/pam_namespace.8.xml: Likewise.
+ * modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define.
+ Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags
+ and polydir flags.
+ (polydir_s): Add rdir, replace exclusive with flags, add init_script,
+ owner, group, and mode.
+ (instance_data): Add ruser, gid, and ruid.
+ * modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent().
+ (add_polydir_entry): Add the entry directly, no copy.
+ (del_polydir): New function.
+ (del_polydir_list): Call del_polydir().
+ (expand_variables, parse_create_params, parse_iscript_params,
+ parse_method): New functions.
+ (process_line): Call expand_variables() on polydir and instance prefix.
+ Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap.
+ (parse_config_file): Parse .conf files from namespace.d dir after
+ namespace.conf.
+ (form_context): Call getcon() or get_default_context_with_level() when
+ appropriate flags are set.
+ (poly_name): Handle shared polydir flag.
+ (inst_init): Execute non-default init script when specified.
+ (create_polydir): New function.
+ (create_dirs): Remove the code which checks the polydir. Do not call
+ inst_init() when noinit flag is set.
+ (ns_setup): Check the polydir and eventually create it if the create flag
+ is set.
+ (setup_namespace): Use ruser uid from idata. Set the namespace polydir
+ pam data only when namespace was set up correctly. Unmount polydir
+ based on ruser.
+ (get_user_data): New function.
+ (pam_sm_open_session): Check for use_current_context and
+ use_default_context options. Call get_user_data().
+ (pam_sm_close_session): Call get_user_data().
+
+2008-02-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/de.po: Translate some more strings.
+
+2008-02-05 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/unix_update.c: Remove unused declarations.
+
+2008-02-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct.
+ * modules/pam_sepermit/pam_sepermit.c: Fix typo.
+ * modules/pam_sepermit/Makefile.am: Install config file only
+ if we build the module.
+
+ * README: Add --disable-pie to configure options for static library.
+
+ * doc/man/Makefile.am: Fix building outside of src directory.
+
+ * libpam/Makefile.am: Bump version number of libpam.
+
+ * modules/Makefile.am: Add pam_sepermit.
+
+ * doc/Makefile.am: Fix build out of source directory.
+
+ * po/POTFILES.in: Add pam_sepermit.c.
+
+ * modules/pam_exec/pam_exec.c: Set PAM environment variables and
+ add 'quiet' option.
+ * modules/pam_exec/pam_exec.8.xml: Document new behavior.
+ Patch from Julien Lecomte <julien@lecomte.at>.
+
+2008-02-01 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/namespace.conf.5.xml: Add documentation for
+ tmpfs and tmpdir polyinst and for ~ user list modifier.
+ * modules/pam_namespace/namespace.init: Add documentation for the
+ new init parameter. Add home directory initialization script.
+ * modules/pam_namespace/pam_namespace.8.xml: Document the new
+ init parameter of the namespace.init script.
+ * modules/pam_namespace/pam_namespace.c(copy_ent): Copy exclusive flag.
+ (cleanup_data): New function.
+ (process_line): Set exclusive flag. Add tmpfs and tmpdir methods.
+ (ns_override): Change behavior on the exclusive flag.
+ (poly_name): Process tmpfs and tmpdir methods.
+ (inst_init): Add flag for new directory initialization.
+ (create_dirs): Process the tmpdir method, add the new directory
+ flag.
+ (ns_setup): Remove unused code. Process the tmpfs method.
+ (cleanup_tmpdirs): New function.
+ (setup_namespace): Set data for proper cleanup. Cleanup the tmpdirs
+ on failures.
+ (pam_sm_close_session): Instead of parsing the config file again use
+ the previously set data for cleanup.
+ * modules/pam_namespace/pam_namespace.h: Add TMPFS and TMPDIR methods
+ and exclusive flag.
+
+2008-01-29 Tomas Mraz <t8m@centrum.cz>
+
+ * configure.in: Test for setkeycreatecon needs libselinux.
+ Add new module pam_sepermit.
+ * modules/Makefile.am: Add new module pam_sepermit.
+ * modules/pam_sepermit/.cvsignore: New file.
+ * modules/pam_sepermit/Makefile.am: Likewise.
+ * modules/pam_sepermit/README.xml: Likewise.
+ * modules/pam_sepermit/pam_sepermit.8.xml: Likewise.
+ * modules/pam_sepermit/pam_sepermit.c: Likewise.
+ * modules/pam_sepermit/sepermit.conf: Likewise.
+ * modules/pam_sepermit/tst-pam_sepermit: Likewise.
+ * doc/sag/pam_sepermit.xml: Likewise.
+
+ * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG.
+
+2008-01-29 Miloslav Trmac <mitr@redhat.com>
+
+ * modules/pam_tty_audit/README.xml: Add notes section.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns
+ support and open_only option. Add notes.
+ * modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add
+ support for pattern matching and the open_only option.
+
+2008-01-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_audit.c: Include pam_modutil_private.h.
+
+ * libpam/pam_item.c (pam_set_item): Fix compiler warning.
+
+ * libpam/pam_end.c (pam_end): Cast to correct pointer type.
+ * libpam/include/security/_pam_macros.h (_pam_overwrite_n): Use
+ unsigned int.
+
+ * modules/pam_unix/passverify.c: Fix compiling without SELinux
+ support.
+
+2008-01-24 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when
+ available.
+ * modules/pam_unix/passverify.c (strip_hpux_aging): New function
+ to strip HP/UX aging info from password hash.
+ (verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when
+ available.
+
+2008-01-23 Tomas Mraz <t8m@centrum.cz>
+
+ * configure.in: Add test for crypt_r(). Add setting/disabling random
+ device support.
+
+ * modules/pam_unix/Makefile.am: Add unix_update.8 manpage generated from
+ XML, generate also unix_chkpwd.8 from XML.
+ * modules/pam_unix/pam_unix_acct.c: Add rounds parameter to _set_ctrl().
+ * modules/pam_unix/pam_unix_auth.c: Likewise.
+ * modules/pam_unix/pam_unix_sess.c: Likewise.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/support.c(_set_ctrl): Likewise.
+ * modules/pam_unix/support.h: Likewise. Add UNIX_SHA256_PASS,
+ UNIX_SHA512_PASS, and UNIX_ALGO_ROUNDS ctrls.
+ (pam_sm_chauthtok): Refactor out new password encryption.
+ * modules/pam_unix/passverify.c(crypt_make_salt): New function.
+ (crypt_md5_wrapper): Call crypt_make_salt().
+ (create_password_hash): New function refactored out of
+ pam_sm_chauthtok(). Support for new password hashes.
+ * modules/pam_unix/passverify.h: Drop ascii_to_bin() and bin_to_ascii()
+ macros. Add prototype for create_password_hash().
+ * modules/pam_unix/unix_update.8.xml: New file.
+ * modules/pam_unix/unix_chkpwd.8.xml: Likewise.
+
+ * modules/pam_unix/Makefile.am: Add unix_update helper.
+ * modules/pam_unix/pam_unix_passwd.c: Move functions i64c(),
+ crypt_md5_wrapper(), save_old_password(), _update_passwd() and
+ _update_shadow() to passverify.c file. Rename _unix_run_shadow_binary()
+ to _unix_run_update_binary(), which also verifies old password and
+ does all writing.
+ (_do_setpass, pam_sm_chauthtok): lckpwdf()->lock_pwdf(), the same for unlock.
+ Call _unix_run_update_binary() appropriately.
+ _update_passwd()->unix_update_passwd(), the same for shadow.
+ * modules/pam_unix/passverify.c: Add new functions moved from
+ pam_unix_passwd.c and unix_chkpwd.c.
+ * modules/pam_unix/passverify.h: Likewise.
+ * modules/pam_unix/unix_chkpwd.c: Remove SELinux checks. Move
+ su_sighandler(), setup_signals(), getuidname() to passverify.c.
+ (main): Remove 'shadow' option. Refactor out read_passwords() and
+ call it. More strict checking how the binary is called.
+ * modules/pam_unix/unix_update.c: New helper binary - non-setuid,
+ called from SELinux confined apps only.
+
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Return
+ status and daysleft instead of fake shadow entry.
+ (pam_sm_acct_mgmt): Call _unix_run_verify_binary() appropriately.
+ * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Call
+ get_account_info() and check_shadow_expiry().
+ * modules/pam_unix/support.h: Adjust _unix_run_verify_binary()
+ prototype.
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Remove check
+ on selinux enabled/disabled.
+ * modules/pam_unix/unix_chkpwd.c (_verify_account): Rename to
+ _check_expiry(), now checks shadow expiry info.
+ (main): Remove check on selinux enabled/disabled. Check shadow
+ expiry through _check_expiry().
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Call
+ get_account_info() and check_shadow_expiry().
+ * modules/pam_unix/passverify.c: Add get_account_info() to
+ obtain shadow and passwd entry. Add check_shadow_expiry() to
+ for shadow password expiry check.
+ (get_pwd_hash): Call get_account_info().
+ * modules/pam_unix/passverify.h: Add prototypes for get_account_info()
+ and check_shadow_expiry().
+
+2008-01-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/Makefile.am: Fix manual page dependencies,
+ add hack for bug in xsl stylestheets.
+
+2008-01-07 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/it.po: Fix typos.
+ * po/de.po: Few new translations.
+ * po/POTFILES.in: Add pam_tty_audit.c and passverify.c.
+ * doc/man/pam_xauth_data.3.xml: Added to CVS.
+ * doc/man/pam_xauth_data.3: Likewise.
+ * modules/pam_tty_audit/README: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.8: Likewise.
+ * po/sv.po: Update swedish translation [#1857531].
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix
+ cut & paste error [#1863490].
+
+2008-01-02 Petteri Räty <betelgeuse@gentoo.org>
+ * modules/pam_limits/limits.conf: document allowed values for
+ nice.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+
+2007-12-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * README: Document how to run make check with static modules
+ (SF#1822779).
+
+2007-12-18 Peter Breitenlohner <peb@mppmu.mpg.de>
+ * README: Document that "make check" requires a file
+ /etc/pam.d/other (SF#1822764).
+
+2007-12-12 Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+ * doc/man/pam_item_types_ext.inc.xml: More appropriate wording
+ for PAM_XDISPLAY doc.
+
+2007-12-07 Tomas Mraz <t8m@centrum.cz>
+
+ * po/cs.po: Updated translations.
+
+ * libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version.
+ * libpam/pam_audit.c: Add _pam_audit_open() and
+ pam_modutil_audit_write().
+ (_pam_auditlog): Call _pam_audit_open().
+ * libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write().
+ * modules/pam_access/pam_access.8.xml: Add noaudit option.
+ Document auditing.
+ * modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and
+ only_new_group_syntax variables to struct login_info. Add noaudit
+ member.
+ (_parse_args): Adjust for the move of variables and add support for
+ noaudit option.
+ (group_match): Add debug parameter.
+ (string_match): Likewise.
+ (network_netmask_match): Likewise.
+ (login_access): Adjust for the move of variables. Add nonall_match.
+ Add call to pam_modutil_audit_write().
+ (list_match): Adjust for the move of variables.
+ (user_match): Likewise.
+ (from_match): Likewise.
+ (pam_sm_authenticate): Call _parse_args() earlier.
+ * modules/pam_limits/pam_limits.8.xml: Add noaudit option.
+ Document auditing.
+ * modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option.
+ (setup_limits): Call pam_modutil_audit_write().
+ * modules/pam_time/pam_time.8.xml: Add debug and noaudit options.
+ Document auditing.
+ * modules/pam_time/pam_time.c: Add option parsing (_pam_parse()).
+ (check_account): Call _pam_parse(). Call pam_modutil_audit_write()
+ and pam_syslog() on login denials.
+
+2007-12-07 Luca Bruno <luca.br@uno.it>
+
+ * po/it.po: Updated translations.
+
+2007-12-06 Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+ * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n()
+ macro.
+ * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY,
+ PAM_XAUTHDATA items, pam_xauth_data struct.
+ * libpam/pam_item.c (pam_set_item, pam_get_item): Handle
+ PAM_XDISPLAY and PAM_XAUTHDATA items.
+ * libpam/pam_end.c (pam_end): Destroy the new items.
+ * libpam/pam_private.h (pam_handle): Add data members for new
+ items. Add prototype for _pam_memdup.
+ * libpam/pam_misc.c: Add _pam_memdup.
+ * doc/man/Makefile.am: Add pam_xauth_data.3. Replace
+ pam_item_types.inc.xml with pam_item_types_std.inc.xml and
+ pam_item_types_ext.inc.xml.
+ * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml
+ with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml.
+ * doc/man/pam_set_item.3.xml: Likewise.
+ * doc/man/pam_item_types.inc.xml: Removed file.
+ * doc/man/pam_item_types_ext.inc.xml: New file.
+ * doc/man/pam_item_types_std.inc.xml: New file.
+
+2007-12-06 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example.
+
+2007-12-05 Miloslav Trmac <mitr@redhat.com>
+
+ * configure.in: Add test for audit_tty_status struct. Add
+ pam_tty_audit module.
+ * libpam/pam_static_modules.h: Add pam_tty_audit module.
+ * modules/pam_tty_audit/Makefile.am: New file.
+ * modules/pam_tty_audit/README.xml: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+ * modules/pam_tty_audit/pam_tty_audit.c: Likewise.
+
+2007-12-05 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/Makefile.am: Add passverify.h and passverify.c
+ as first part of pam_unix refactorization.
+ * modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h.
+ * modules/pam_unix/pam_unix_passwd.c: Likewise.
+ * modules/pam_unix/passverify.c: New file with common functions.
+ * modules/pam_unix/passverify.h: Prototypes for the common functions.
+ * modules/pam_unix/support.c: Include passverify.h, move
+ _unix_shadowed() to passverify.c.
+ (_unix_verify_password): Refactor out verify_pwd_hash() function.
+ * modules/pam_unix/support.h: Move _unix_shadowed() prototype to
+ passverify.h
+ * modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and
+ verify_pwd_hash() from passverify.c.
+
+2007-11-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/Makefile.am (unix_chkpwd_LDADD): Don't link
+ unix_chkpwd unnecessary against libpam (#1822779).
+
+ * modules/pam_tally/pam_tally.c (tally_log): Map
+ pam_modutil_getpwnam to getpwnam if we don't compile
+ as module.
+ * modules/pam_tally/Makefile.am: Don't link pam_tally_app
+ against libpam (#1822779).
+
+2007-11-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/tst-pam_group1.c: Include stdlib.h
+ * xtests/tst-pam_succeed_if1.c: Likewise.
+ * xtests/tst-pam_limits1.c: Likewise.
+ * xtests/tst-pam_access1.c: Likewise.
+ * xtests/tst-pam_access2.c: Likewise.
+ * xtests/tst-pam_access3.c: Likewise.
+ * xtests/tst-pam_access4.c: Likewise.
+ * xtests/tst-pam_unix1.c: Likewise.
+ * xtests/tst-pam_unix2.c: Likewise.
+ * xtests/tst-pam_unix3.c: Likewise.
+ * xtests/tst-pam_cracklib1.c: Likewise.
+ * xtests/tst-pam_cracklib2.c: Likewise.
+
+ * libpam/pam_static_modules.h: Fix name of pam_namespace variable.
+
+2007-11-01 Peter Breitenlohner <peb@mppmu.mpg.de>
+
+ * doc/man/pam_conv.3.xml: Correct typo.
+
+2007-10-30 Peter Breitenlohner <peb@mppmu.mpg.de>
+
+ * modules/pam_rhosts/pam_rhosts_auth.c (__icheckhost): Correct
+ misplaced parenthesis.
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Prevent use of
+ dngettext() when NLS is disabled.
+ * modules/pam_exec/pam_exec.c (call_exec): Avoid gcc warning.
+ * doc/specs/parse_y.y (set_label, new_counter): Break trigraphs to
+ avoid gcc warning.
+ * modules/pam_wheel/pam_wheel.c: Remove excessive initializer
+ elements.
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: Correct typo.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+ * modules/pam_listfile/pam_listfile.8.xml: Likewise.
+ * modules/pam_xauth/pam_xauth.8.xml: Likewise.
+
+ * modules/pam_deny/pam_deny.8.xml: Correct spelling.
+ * modules/pam_group/pam_group.8.xml: Likewise.
+ * modules/pam_permit/pam_permit.8.xml: Likewise.
+ * modules/pam_shells/pam_shells.8.xml: Likewise.
+ * modules/pam_time/pam_time.8.xml: Likewise.
+ * modules/pam_warn/pam_warn.8.xml: Likewise.
+
+ * tests/tst-dlopen.c: Return 77 in case of static modules, such that
+ all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL.
+ * libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead
+ of "`ls ...`", to allow for static modules.
+ * libpam/pam_static_modules.h: Make pam_keyinit module depend on
+ HAVE_KEY_MANAGEMENT; correct name of pam_faildelay pam_module struct.
+ * modules/pam_faildelay/pam_faildelay.c: Correct name of pam_module
+ struct.
+
+2007-10-25 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT
+ to be octal instead of decimal, so that it works properly in a
+ bit field instead of forcing the "even_deny_root_account" and
+ "no_reset" options to on.
+ Patch from Corey Wright <undefined@pobox.com>.
+
+2007-10-19 Tomas Mraz <t8m@centrum.cz>
+
+ * xtests/tst-pam_access1.c: Use different name for user and group.
+ * xtests/tst-pam_access1.sh: Likewise.
+ * xtests/tst-pam_access2.c: Likewise.
+ * xtests/tst-pam_access2.sh: Likewise.
+ * xtests/tst-pam_access4.c: Likewise.
+ * xtests/tst-pam_access4.sh: Likewise.
+ * xtests/group.conf: Likewise.
+ * xtests/tst-pam_group1.c: Likewise.
+ * xtests/tst-pam_group1.sh: Likewise.
+
+ * libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks,
+ record substack level, skip over virtual substack modules, implement
+ evaluation of done, die, reset and jumps in substacks. Also fixes
+ too far jumps in substacks.
+ * libpam/pam_end.c (pam_end): Drop substack evaluation states.
+ * libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level
+ parameter, instead of must_fail use handler_type needed for virtual
+ substack modules.
+ (_pam_load_conf_file): Add substack level parameter.
+ (_pam_init_handlers): Substack level parameter added to
+ _pam_parse_conf_file() calls.
+ (_pam_load_module): New function.
+ (_pam_add_handler): Refactor code into the _pam_load_module(). Add
+ support for virtual substack modules.
+ * libpam/pam_private.h: Rename must_fail to handler_type, add stack_level
+ to struct handler. Define handler type constants. Add struct
+ for substack evaluation states. Define constant for maximum
+ substack level. Add substack states pointer to former state struct.
+ * libpam/pam_start.c (pam_start): Initialize pointer to substack states.
+ * doc/man/pam.conf-syntax.xml: Document substack control.
+ * xtests/Makefile.am: Add new tests for substack evaluation.
+ * xtests/run_xtests.sh: Support multiple .pamd files in a test.
+ * xtests/tst-pam_authfail.pamd: New tests for substack evaluation.
+ * xtests/tst-pam_authsucceed.pamd: Likewise.
+ * xtests/tst-pam_substack1.pamd: Likewise.
+ * xtests/tst-pam_substack1a.pamd: Likewise.
+ * xtests/tst-pam_substack1.sh: Likewise.
+ * xtests/tst-pam_substack2.pamd: Likewise.
+ * xtests/tst-pam_substack2a.pamd: Likewise.
+ * xtests/tst-pam_substack2.sh: Likewise.
+ * xtests/tst-pam_substack3.pamd: Likewise.
+ * xtests/tst-pam_substack3a.pamd: Likewise.
+ * xtests/tst-pam_substack3.sh: Likewise.
+ * xtests/tst-pam_substack4.pamd: Likewise.
+ * xtests/tst-pam_substack4a.pamd: Likewise.
+ * xtests/tst-pam_substack4.sh: Likewise.
+ * xtests/tst-pam_substack5.pamd: Likewise.
+ * xtests/tst-pam_substack5a.pamd: Likewise.
+ * xtests/tst-pam_substack5.sh: Likewise.
+
+2007-10-18 Tomas Mraz <t8m@centrum.cz>
+
+ * xtests/tst-pam_dispatch4.c: Fix comment about the test.
+ * xtests/tst-pam_dispatch4.pamd: Improve the testcase.
+ * xtests/tst-pam_cracklib2.c: Make the testcase more robust.
+
+2007-10-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/Makefile.am: Add tst-pam_dispatch5 sources
+ * xtests/tst-pam_dispatch5.c: New test for jump too far.
+ * xtests/tst-pam_dispatch5.pamd: New test configuration.
+
+2007-10-09 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_tally/pam_tally.8.xml: Document audit option
+ correctly.
+
+2007-10-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.9.0
+
+ * configure.in: Increase vesion number.
+
+ * libpam/Makefile.am: Increase release number.
+ * libpam_misc/Makefile.am: Increase release number.
+
+ * po/*.po: Regenerate.
+
+2007-10-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_time/pam_time.c (is_same): Length of strings without
+ wildcard needs to be the same.
+ * modules/pam_group/pam_group.c (is_same): Likewise.
+
+2007-10-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/tst-pam_group1.c: New test case for user compare in pam_group.
+ * xtests/tst-pam_group1.sh: Script to run test case.
+ * xtests/tst-pam_group1.pamd: Config for test case.
+ * xtests/Makefile.am: Add tst-pam_group1 test case.
+ * xtests/run-xtests.sh: Save/restore group.conf.
+ * xtests/group.conf: New.
+
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Don't
+ free arguments used for putenv().
+
+ * doc/man/pam_putenv.3.xml: Document that application has to free
+ the memory.
+
+2007-09-27 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): Fix in
+ operator rhbz #295151.
+ * modules/pam_namespace/pam_namespace.c (poly_name): Do not try to
+ get context when SELinux is disabled.
+
+2007-09-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/tst-pam_succeed_if1.c: New test case for
+ https://bugzilla.redhat.com/show_bug.cgi?id=295151
+ * xtests/tst-pam_succeed_if1.sh: Script to run test case.
+ * xtests/tst-pam_succeed_if1.pamd: Config for test case.
+ * xtests/Makefile.am: Add tst-pam_succeed_if1 test case.
+
+ * xtests/run-xtests.sh: Add support to skip tests.
+ * xtests/tst-pam_limits1.c: Skip test if RLIMIT_NICE is not
+ defined.
+
+2007-09-03 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_limits/pam_limits.c: remove a number of unnecessary
+ string manipulations, including a strncpy() that was acting on
+ overlapping memory.
+
+ * libpam_misc/misc_conv.c: don't block SIGINT in misc_conv; it's
+ perfectly valid to allow the user to interrupt at a prompt. If
+ an application wants prompts to not be interruptable, the
+ application should take responsibility for blocking SIGINT.
+
+2007-09-02 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * examples/Makefile.am: Fix usage of LIBADD, LDADD and LDFLAGS.
+ * libpam/Makefile.am: Likewise.
+ * modules/pam_access/Makefile.am: Likewise.
+ * modules/pam_cracklib/Makefile.am: Likewise.
+ * modules/pam_debug/Makefile.am: Likewise.
+ * modules/pam_deny/Makefile.am: Likewise.
+ * modules/pam_echo/Makefile.am: Likewise.
+ * modules/pam_env/Makefile.am: Likewise.
+ * modules/pam_exec/Makefile.am: Likewise.
+ * modules/pam_faildelay/Makefile.am: Likewise.
+ * modules/pam_filter/Makefile.am: Likewise.
+ * modules/pam_filter/upperLOWER/Makefile.am: Likewise.
+ * modules/pam_ftp/Makefile.am: Likewise.
+ * modules/pam_group/Makefile.am: Likewise.
+ * modules/pam_issue/Makefile.am: Likewise.
+ * modules/pam_keyinit/Makefile.am: Likewise.
+ * modules/pam_lastlog/Makefile.am: Likewise.
+ * modules/pam_limits/Makefile.am: Likewise.
+ * modules/pam_listfile/Makefile.am: Likewise.
+ * modules/pam_localuser/Makefile.am: Likewise.
+ * modules/pam_loginuid/Makefile.am: Likewise.
+ * modules/pam_mail/Makefile.am: Likewise.
+ * modules/pam_mkhomedir/Makefile.am: Likewise.
+ * modules/pam_motd/Makefile.am: Likewise.
+ * modules/pam_namespace/Makefile.am: Likewise.
+ * modules/pam_nologin/Makefile.am: Likewise.
+ * modules/pam_permit/Makefile.am: Likewise.
+ * modules/pam_rhosts/Makefile.am: Likewise.
+ * modules/pam_rootok/Makefile.am: Likewise.
+ * modules/pam_securetty/Makefile.am: Likewise.
+ * modules/pam_selinux/Makefile.am: Likewise.
+ * modules/pam_shells/Makefile.am: Likewise.
+ * modules/pam_stress/Makefile.am: Likewise.
+ * modules/pam_succeed_if/Makefile.am: Likewise.
+ * modules/pam_tally/Makefile.am: Likewise.
+ * modules/pam_time/Makefile.am: Likewise.
+ * modules/pam_umask/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+ * tests/Makefile.am: Likewise.
+
+2007-08-31 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_group/group.conf: don't use "games" as an example
+ group, on some distros this is a pre-existing group that it would
+ be a security hole to give users access to.
+
+2007-08-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/limits.conf.5.xml: Document that maxlogins
+ is ignored for users with UID 0.
+
+2007-08-30 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_unix/support.c, modules/pam_unix/unix_chkpwd.c:
+ A wrong username doesn't need to be logged at LOG_ALERT;
+ LOG_WARNING should be sufficient.
+ Patch from Sam Hartman <hartmans@debian.org>.
+
+ * modules/pam_cracklib/pam_cracklib.c:
+ s/CRACKLIB_DICT/CRACKLIB_DICTS/, for consistency with existing
+ #define in pam_unix
+
+2007-08-29 Steve Langasek <vorlon@debian.org>
+
+ * libpam/pam_modutil_getgrgid.c, libpam/pam_modutil_getgrnam.c,
+ libpam/pam_modutil_getpwnam.c, libpam/pam_modutil_getpwuid.c,
+ libpam/pam_modutil_getspnam.c: don't use pthread mutexes in libpam
+ unnecessarily; this avoids linking problems on non-Linux
+ platforms.
+
+ * modules/pam_listfile/pam_listfile.c, modules/pam_listfile/README,
+ modules/pam_listfile/pam_listfile.8,
+ modules/pam_listfile/pam_listfile.8.xml: add a 'quiet' option to
+ avoid logging errors any time a user is refused service by this
+ module.
+
+2007-08-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_rhosts/pam_rhosts_auth.c: buflen needs to be size_t.
+ (__icheckhost): Cast to int32_t to fix limited range error.
+
+ * modules/pam_cracklib/pam_cracklib.c: Mark cracklib_dictpath
+ as const.
+
+2007-08-29 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_rhosts/pam_rhosts_auth.c: getline returns -1 at
+ EOF, not 0. Check accordingly to fix an infinite loop. Thanks
+ to Stephan Springl <springl-rhosts@bfw-online.de> for catching
+ this.
+
+2007-08-28 Steve Langasek <vorlon@debian.org>
+
+ * configure.in: call AC_CHECK_HEADERS instead of AC_CHECK_HEADER
+ for crack.h, so we get a HAVE_CRACK_H define.
+ * modules/pam_cracklib/pam_cracklib.c: don't copy around the
+ cracklib dictpath into a fixed-width buffer, when we can just
+ point at the existing strings; and allow users to override the
+ default cracklib path with -DCRACKLIB_DICT, required for
+ compatibility with cracklib 2.7.
+
+2007-08-27 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_limits/pam_limits.c: when building on non-Linux
+ systems, give a warning only, not an error; no one seems to
+ remember why this error was here in the first place, but leave
+ something in that might still grab the attention of non-Linux
+ users.
+ Patch from Michal Suchanek <hramrach_l@centrum.cz>.
+ * configure.in, modules/pam_rhosts/pam_rhosts_auth.c: check for
+ the presence of net/if.h before using, required for Hurd
+ compatibility.
+ Patch from Igor Khavkine <i_khavki@alcor.concordia.ca>.
+ * modules/pam_limits/pam_limits.c: conditionalize the use of
+ RLIMIT_AS, which is not present on the Hurd.
+ Patch from Igor Khavkine <i_khavki@alcor.concordia.ca>.
+ * modules/pam_rhosts/pam_rhosts_auth.c: use getline() instead of
+ a static buffer when available; fixes the build on systems
+ without MAXHOSTNAMELEN (i.e., the Hurd).
+ * modules/pam_xauth/pam_xauth.c: make sure PATH_MAX is defined
+ before using it.
+
+2007-08-26 Andrew Morgan <morgan@kernel.org>
+
+ * doc/man/pam.conf-syntax.xml
+ Minor fixes: '\[' -> '\]'.
+
+2007-08-25 Steve Langasek <vorlon@debian.org>
+
+ * doc/man/pam.conf-syntax.xml, doc/man/pam.conf.5:
+ Document "new" control options conv_again and incomplete, supported
+ in pam.d's extended syntax.
+ Patch from Ben Collins <bcollins@debian.org>.
+
+2007-08-15 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c (list_match): Add explicit
+ sptr argument for strtok_r, otherwise the code is not portable.
+
+2007-08-13 Olivier Blin <blino@mandriva.com>
+
+ * doc/man/pam.3.xml: Fix typo.
+ * doc/man/pam.3: Likewise.
+ * doc/man/pam_end.3.xml: Likewise.
+ * doc/man/pam_end.3: Likewise.
+
+2007-07-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.8.1
+
+ * libpam/pam_audit.c: Include unistd.h for getuid().
+ * libpam/Makefile.am: Bump version number.
+
+2007-07-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Don't return
+ error if application runs as normal user. Fixes regression
+ introduced with last change.
+
+2007-07-10 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Add --with-db-uniquename option to support
+ db libraries and functions with unique name extension.
+ Patch from Diego 'Flameeyes' Pettenò <flameeyes@gmail.com>.
+
+ * modules/pam_limits/pam_limits.c: Include locale.h.
+
+2007-07-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.8.0
+
+ * configure.in: Check for audit_log_acct_message instead of
+ audit_log_user_message.
+ * libpam/pam_audit.c: Use audit_log_acct_message.
+ Based on patch from Mark J Cox <mjc@redhat.com>.
+ * libpam/Makefile.am: Bump version number of libpam.
+
+ * modules/pam_umask/pam_umask.c (set_umask): mode_t is 32bit,
+ not 64bit.
+
+ * xtests/tst-pam_limits1.c: Fix printf arguments.
+
+ * po/*.po: Merge po files with latest code changes.
+
+2007-06-26 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/pam_limits.c (process_limit): Check upper and
+ lower limit of nice value, fix off-by-one in conversation to rlim_t.
+ * xtests/Makefile.am: Add new pam_limits test case.
+ * xtests/limits.conf: New, config file for test case.
+ * xtests/pam_limits1.c: New, test case for RLIMIT_NICE.
+ * xtests/pam_limits1.sh: Likewise.
+ * xtests/pam_limits1.pamd: Likewise.
+
+2007-06-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_access/pam_access.c (list_match): Use saveptr of strtok_r
+ result for recursive calls.
+ * xtests/Makefile.am: Add new pam_access test cases.
+ * xtests/pam_access1.c: New test case.
+ * xtests/pam_access2.c: Likewise.
+ * xtests/pam_access3.c: Likewise.
+ * xtests/pam_access4.c: Likewise.
+ * xtests/pam_access1.sh: Wrapper to create user accounts.
+ * xtests/pam_access2.sh: Likewise.
+ * xtests/pam_access3.sh: Likewise.
+ * xtests/pam_access4.sh: Likewise.
+ * xtests/pam_access1.pamd: PAM config file for pam_access tests.
+ * xtests/pam_access2.pamd: Likewise.
+ * xtests/pam_access3.pamd: Likewise.
+ * xtests/pam_access4.pamd: Likewise.
+ * xtests/access.conf: Config file for pam_access tests.
+ * xtests/run-tests.sh: Install access.conf into system.
+
+2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Print
+ better error message if /proc/self/loginuid cannot be opened.
+
+ * modules/pam_limits/pam_limits.c (process_limit): Check for
+ variable overflow after multiplication [bnc#283001].
+
+ * modules/pam_access/pam_access.c: Add new syntax for groups
+ in access.conf to differentiate group names from account names.
+ Based on patch from Julien Lecomte <julien@famille-lecomte.net>,
+ solves feature request [#411390].
+ * modules/pam_access/access.conf: Add example for new group
+ syntax.
+ * modules/pam_access/access.conf.5.xml: Document new syntax.
+
+2007-06-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: Document new minclass
+ option.
+ * modules/pam_cracklib/pam_cracklib.c: Add support for minimum
+ character classes [#1688777]. Based on patch from Keith Schincke.
+
+ * xtests/tst-pam_cracklib2.c: New, test case for minclass option.
+ * xtests/tst-pam_cracklib2.pamd: New, PAM config file for test case.
+ * xtests/Makefile.am: Add new testcase.
+
+ * xtests/pam_cracklib.c: Fix comment what this application tests.
+
+ * configure.in: Use /lib64 on x86-64, ppc64, s390x, sparc64
+
+2007-06-15 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_selinux/pam_selinux.8.xml: Remove multiple option,
+ add select_context and use_current_range options.
+ * modules/pam_selinux/pam_selinux.c (send_audit_message): Added
+ function for auditing role/level changes.
+ (query_response): Add default response.
+ (select_context): Removed.
+ (manual_context): Query only role and level.
+ (mls_range_allowed): Added function for range check.
+ (config_context): Added function for role and level override.
+ (pam_sm_open_session): Remove multiple option, add select_context
+ and use_current_range_options. Use getseuserbyname to obtain
+ SELinux user and level. Audit role/level changes. Call setkeycreatecon
+ to assign key creation context. Don't fail on errors when SELinux
+ is not in enforcing mode.
+ * configure.in: Check for setkeycreatecon().
+
+ * modules/pam_namespace/README.xml: Avoid duplication of
+ documentation.
+ * modules/pam_namespace/namespace.conf: More real life example
+ from MLS support.
+ * modules/pam_namespace/namespace.conf.5.xml: Likewise plus
+ properly describe how instance directory names are formed.
+ * modules/pam_namespace/namespace.init: Preserve euid when
+ called from setuid apps (su, newrole).
+ * modules/pam_namespace/pam_namespace.8.xml: Added option
+ no_unmount_on_close.
+ * modules/pam_namespace/pam_namespace.c (process_line): Polyinst
+ methods are now user, level and context. Fix crash on unknown
+ override user in config file.
+ (ns_override): Add explicit uid parameter.
+ (form_context): Skip for user method. Implement level based
+ polyinstantiation.
+ (poly_name): Initialize contexts. Add level based polyinst,
+ remove 'both' metod. Use raw contexts for instance names,
+ truncate long instance names and add hash.
+ (ns_setup): Hashing moved to poly_name().
+ (setup_namespace): Handle correctly override users for
+ su (when unmnt_remnt is used).
+ (pam_sm_close_session): Added no_unmount_on_close option.
+ * modules/pam_namespace/pam_namespace.h: Added
+ no_unmount_on_close_option, level method, limit on instance
+ directory name length.
+
+2007-05-04 Thorsten Kukuk <kukuk@suse.de>
+
+ * xtests/run-xtests.sh: Use SRCDIR to find PAM config files.
+ * xtests/Makefile.am: Call run-xtests.sh with srcdir as first
+ argument.
+ Based on patch by Bernard Leak <thisisnotapipe@hotmail.com>.
+
+2007-04-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/limits.conf: Address space limit is KB.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+ Reported by Thomas Vander Stichele <thomas@apestaart.org>.
+
+ * modules/pam_mail/pam_mail.c (_do_mail): Remove duplicate
+ check for PAM_SILENT and don't bail out if it is set [#1706247].
+
+2007-03-29 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c (login_access, list_match):
+ Replace strtok with strtok_r.
+ * modules/pam_cracklib/pam_cracklib.c (check_old_password):
+ Likewise.
+ * modules/pam_ftp/pam_ftp.c (lookup, pam_authenticate):
+ Likewise.
+ * modules/pam_unix/pam_unix_passwd.c (check_old_password,
+ save_old_password): Likewise.
+
+ * modules/pam_limits/Makefile.am: Define limits.d dir and install it.
+ * modules/pam_limits/pam_limits.8.xml: Describe limits.d parsing.
+ * modules/pam_limits/pam_limits.c (pam_limit_s): Make conf_file ptr.
+ (pam_parse): conf_file is now ptr.
+ (pam_sm_open_session): Add parsing files from limits.d subdir using
+ glob, change pl to pointer.
+
+2007-03-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/ar.po: New translation.
+ * po/ca.po: Likewise.
+ * po/da.po: Likewise.
+ * po/ru.po: Likewise.
+ * po/sv.po: Likewise.
+ * po/zu.po: Likewise.
+ * po/LINGUAS: Add ar, ca, da, ru, sv, zu
+
+ * po/hu.po: Update translation.
+
+2007-02-21 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/unix_chkpwd.c (_unix_verify_password): Test for
+ allocation failure in bigcrypt().
+
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Allow
+ modification of '*' password by root.
+
+2007-02-06 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Remove
+ debug syslog message when loginuid doesn't exist.
+
+2007-02-01 Tomas Mraz <t8m@centrum.cz>
+
+ * xtests/tst-pam_unix3.c: Fix typos in comments.
+
+ * modules/pam_unix/support.c (_unix_verify_password): Explicitly
+ disallow '!' in the beginning of password hash. Treat only
+ 13 bytes password hash specifically. (Suggested by Solar Designer.)
+ Fix a warning and test for allocation failure.
+ * modules/pam_unix/unix_chkpwd.c (_unix_verify_password): Likewise.
+
+2007-01-31 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/Makefile.am: Add new pam_unix.so tests
+ * xtests/run-xtests.sh: Prefer shell scripts (wrapper)
+ over binaries.
+ * xtests/tst-pam_cracklib1.c: Fix typo.
+ * xtests/tst-pam_unix1.c: New, for sucurity fix.
+ * xtests/tst-pam_unix1.pamd: New.
+ * xtests/tst-pam_unix1.sh: New.
+ * xtests/tst-pam_unix2.c: New, for crypt checks.
+ * xtests/tst-pam_unix2.pamd: New.
+ * xtests/tst-pam_unix2.sh: New.
+ * xtests/tst-pam_unix3.c: New, for bigcrypt checks.
+ * xtests/tst-pam_unix3.pamd: New.
+ * xtests/tst-pam_unix3.sh: New.
+
+2007-01-23 Thorsten Kukuk <kukuk@suse.de>
+
+ * release 0.99.7.1
+
+ * configure.in: Set version number to 0.99.7.1
+
+2007-01-23 Thorsten Kukuk <kukuk@thukuk.de>
+ Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/support.c (_unix_verify_password): Always
+ compare full encrypted passwords (CVE-2007-0003).
+
+2007-01-23 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_loginuid/Makefile.am (AM_LDFLAGS): Add LIBAUDIT.
+
+ * modules/pam_selinux/Makefile.am (pam_selinux_check_LDFLAGS): Add
+ AM_LDFLAGS.
+ (pam_selinux_la_LDFLAGS): Likewise.
+
+2007-01-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release 0.99.7.0
+
+ * configure.in: Set version number to 0.99.7.0
+
+ * Makefile.am (M4_FILES): Replace GNU make extension by listing
+ all m4 files.
+
+2007-01-17 Tomas Mraz <t8m@centrum.cz>
+
+ * po/*.po: Updated strings to translate.
+ * po/Linux-PAM.pot: Likewise.
+
+2007-01-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam.conf-syntax.xml: Improve documentation about
+ sufficient keyword (Patch by Petteri Räty <betelgeuse@gentoo.org>)
+
+2006-12-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Forbid
+ only '+' and '-' as first characters for account names.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
+
+2006-12-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Fix ENOKEY check (specify errno.h as header
+ file to search in).
+
+ * configure.in: Add AM_PROG_CC_C_O.
+ * libpam/Makefile.am: Add content of AM_LDFLAGS to *_LDFLAGS.
+ * modules/pam_tally/Makefile.am: Likewise.
+ * modules/pam_unix/Makefile.am: Likewise.
+
+ * modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Fix
+ localisation of message printed to user.
+ * po/de.po: Adjust translation.
+
+2006-12-18 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Localize
+ message printed to user.
+
+ * modules/pam_unix/support.c (_unix_verify_password): Use strncmp
+ only for bigcrypt result.
+
+ * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Switch to new
+ egid first, euid next. Revert euid/egid to old euid/egid and not
+ ruid/rgid.
+ (pam_sm_open_session): Switch to new rgid first, ruid next.
+
+2006-12-13 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_localuser/pam_localuser.c: Add support for session
+ and chauthtok [SF#1606180].
+ * modules/pam_localuser/pam_localuser.8.xml: Document last change.
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Print error message
+ only once.
+
+2006-12-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Print error
+ message on failure to syslog.
+
+2006-12-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_umask/pam_umask.c: Use strtoul instead of strtol,
+ fix overflow detection.
+
+2006-12-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mkhomedir/pam_mkhomedir.c (rec_mkdir): Fix
+ handling of left-most path component [SF#1591598].
+ (create_homedir): Mark user visible messages for translation.
+ * po/de.po: Adjust german translation for pam_mkhomedir.
+
+ * modules/pam_faildelay/pam_faildelay.c: If no argument is
+ given, try to read FAIL_DELAY from /etc/login.defs.
+ * modules/pam_faildelay/pam_faildelay.8.xml: Document usage
+ of /etc/login.defs.
+
+2006-12-04 Tomas Mraz <t8m@centrun.cz>
+
+ * po/jp.po: Fixed mistake in Password: message (from
+ Peng Huang <phuang@redhat.com>).
+
+2006-11-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/hu.po: Update hungarian translation (from
+ Kalman Kemenczy <kkemenczy@novell.com>).
+
+ * configure.in: Allow disabling support for cracklib, audit, libdb.
+
+ * modules/pam_faildelay/pam_faildelay.8.xml: Correct name of Author.
+
+ * configure.in: Remove --enable-docdir (obsolete by --docdir).
+ * doc/Makefile.am: Don't overwrite htmldir.
+ * doc/adg/Makefile.am: Use docdir, htmldir and pdfdir.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+ * doc/specs/Makefile.am: Use docdir.
+
+ * tests/tst-pam_set_data.c: New test cases for pam_set_data().
+ * tests/Makefile.am: Add pam_set_data test case.
+
+ * libpam/pam_data.c: Add NULL pointer check for module_data_name.
+ * libpam/Makefile.am: Bump revision of shared library.
+
+2006-11-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Add modules/pam_faildelay/Makefile.
+ * doc/sag/Linux-PAM_SAG.xml: Include pam_faildelay.xml.
+ * doc/sag/pam_faildelay.xml: New.
+ * libpam/pam_static_modules.h: Include static pam_faildelay data.
+ * modules/Makefile.am: Add pam_faildelay directory.
+ * modules/pam_faildelay/Makefile.am: New.
+ * modules/pam_faildelay/README: New, generated from XML file.
+ * modules/pam_faildelay/README.xml: New.
+ * modules/pam_faildelay/pam_faildelay.8: New, generated from xml.
+ * modules/pam_faildelay/pam_faildelay.8.xml: New.
+ * modules/pam_faildelay/pam_faildelay.c: New.
+ * modules/pam_faildelay/tst-pam_faildelay: New.
+
+ * po/POTFILES.in: Add pam_faildelay.c and pam_loginuid.c.
+
+2006-11-07 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.c: PAM_DEBUG_ARG
+ is a bit mask and not a boolean value (Reported by
+ Jochen Voss <voss@seehuhn.de>).
+
+2006-10-26 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam.3.xml: Add pam_get_user function.
+
+ * modules/pam_motd/pam_motd.8.xml: Fix typo.
+
+2006-10-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_namespace/pam_namespace.c: Reserve space for
+ trailing zero.
+
+2006-10-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/support.c (_unix_verify_password): Try system
+ crypt() if we don't know the hash alogorithm.
+ * modules/pam_unix/unix_chkpwd.c (_unix_verify_password): Likewise.
+
+2006-10-13 Tomas Mraz <t8m@centrum.cz>
+
+ * doc/mwg/Linux-PAM_MWG.xml: Add id[s] to section[s].
+ * doc/sag/pam_access.xml: Likewise.
+ * doc/sag/pam_echo.xml: Likewise.
+ * doc/sag/pam_env.xml: Likewise.
+ * doc/sag/pam_exec.xml: Likewise.
+ * doc/sag/pam_group.xml: Likewise.
+ * doc/sag/pam_limits.xml: Likewise.
+ * doc/sag/pam_namespace.xml: Likewise.
+ * doc/sag/pam_time.xml: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Add id to book.
+ * doc/adg/Linux-PAM_ADG.xml: Add id to book.
+ * doc/mwg/Linux-PAM_MWG.xml: Add id to book.
+
+
+2006-10-07 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/hu.po: Updated hungarian translation (from
+ Kalman Kemenczy <kkemenczy@novell.com>)
+
+2006-09-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/adg/Makefile.am: Add manual pages as dependency.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+ * doc/sag/Linux-PAM_SAG.xml: Include pam_unix.xml.
+ * doc/sag/pam_unix.xml: New.
+ * modules/pam_unix/Makefile.am: Generate pam_unix.8 manual page.
+ * modules/pam_unix/README.xml: New.
+ * modules/pam_unix/pam_unix.8.xml: New.
+ * modules/pam_unix/README: Regenerate from XML.
+ * modules/pam_unix/pam_unix.8: Generated from XML.
+
+2006-09-09 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_wheel/pam_wheel.8.xml: Fix typo.
+ * modules/pam_wheel/pam_wheel.8: Likewise.
+ * modules/pam_wheel/README: Likewise.
+
+2006-09-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/de.po: Fix typo.
+
+2006-09-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.6.3
+
+2006-09-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_loginuid/pam_loginuid.8.xml: Fix typo in
+ config name.
+
+2006-08-31 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_env/environment: New, dummy environment example
+ config file.
+
+ * modules/pam_namespace/Makefile.am: Don't install
+ manual page if we don't build module.
+
+ * m4/ld-as-needed.m4: Don't set LDFLAGS if check failed.
+ * m4/ld-O1: Likewise.
+
+2006-08-30 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.8.xml: All services supported.
+ * modules/pam_access/pam_access.c (pam_sm_open_session): New.
+ (pam_sm_close_session): New.
+ (pam_sm_chauthtok): New.
+
+ * modules/pam_access/pam_succeed_if.8.xml: All services supported.
+ * modules/pam_access/pam_succeed_if.c (pam_sm_setcred): Return
+ PAM_IGNORE rather than success.
+ (pam_sm_open_session): New.
+ (pam_sm_close_session): New.
+ (pam_sm_chauthtok): New.
+
+2006-08-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/Makefile.am: Move shell code to execute tests from here ...
+ * xtests/run-xtests.sh: ... to here.
+ * xtests/*.c: Include config.h.
+ * tests/*.c: Likewise.
+
+ * modules/pam_namespace/pam_namespace.c: Use pam_modutil_getpwnam()
+ instead of getpwnam().
+
+2006-08-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/sag/pam_loginuid.xml: New.
+ * doc/sag/Linux-PAM_SAG.xml: Include pam_loginuid.xml.
+
+ * configure.in: Add modules/pam_loginuid/Makefile.
+ * modules/Makefile.am: Add pam_loginuid sub directory.
+
+ * libpam/pam_static_modules.h: Add pam_loginuid.
+
+ * modules/pam_loginuid/Makefile.am: New.
+ * modules/pam_loginuid/tst-pam_loginuid: New.
+ * modules/pam_loginuid/pam_loginuid.8.xml: New.
+ * modules/pam_loginuid/pam_loginuid.8: New, generated from XML source.
+ * modules/pam_loginuid/pam_loginuid.c: New.
+ * modules/pam_loginuid/README.xml: New.
+ * modules/pam_loginuid/README: New, generated from XML source.
+
+2006-08-29 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_exec/pam_exec.c (call_exec): Add required third
+ argument to open() call with O_CREAT flag set.
+
+2006-08-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Remove
+ duplicate code.
+
+2006-08-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.6.2
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_date): Create
+ lastlog file if it does not exist.
+
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Check
+ for error from getting second token.
+ * xtests/Makefile.am: Add tst-pam_cracklib1
+ * xtests/tst-pam_cracklib1.c: New, check for pam_cracklib seg.fault.
+ * xtests/tst-pam_cracklib1.pamd: New, config for cracklib test.
+
+2006-08-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * xtests/tst-pam_dispatch4.c: New test.
+ * xtests/tst-pam_dispatch4.pamd: PAM config for new test.
+
+2006-08-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.6.1
+
+2006-08-09 David Howells <dhowells@redhat.com>
+
+ * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Set real uid
+ to user's before revoking.
+ (pam_sm_open_session): Remember the uid.
+
+2006-08-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_umask/pam_umask.c (setup_limits_from_gecos):
+ Add error handling.
+ * modules/pam_umask/pam_umask.8.xml: Document silent option.
+
+ * xtests/Makefile.am: Fix includes for bootstrapping.
+ Reported by Greg Schafer <gschafer@zip.com.au>.
+
+2006-08-05 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.6.0
+
+ * modules/pam_limits/pam_limits.c (pam_sm_open_session): Use
+ pam_modutil_getpwnam instead of getpwnam.
+
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Cast
+ svc variable to char pointer for snprintf.
+
+ * configure.in: Generate xtests/Makefile.
+ * Makefile.am (SUBDIRS): Add xtests.
+ * README: Document make check and make xtests.
+ * xtests/Makefile.am: New.
+ * xtests/tst-pam_dispatch1.pamd: New.
+ * xtests/tst-pam_dispatch2.pamd: New.
+ * xtests/tst-pam_dispatch3.pamd: New.
+ * xtests/tst-pam_dispatch1.c: New.
+ * xtests/tst-pam_dispatch2.c: New.
+ * xtests/tst-pam_dispatch3.c: New.
+
+2006-08-04 Ray Strode <rstrode@redhat.com>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate):
+ Return PAM_USER_UNKNOWN instead of PAM_SERVICE_ERR where appropriate.
+
+2006-08-03 David Howells <dhowells@redhat.com>
+
+ * modules/pam_keyinit/pam_keyinit.c: Debug should be off by default.
+ (init_keyrings): Properly handle multiple invocations of the module.
+ (kill_keyrings, pam_sm_open_session, pam_sm_close_session): Likewise.
+
+2006-08-03 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist):
+ New function for list matching.
+ (evaluate_notinlist): Likewise.
+ (evaluate): Add service value match, list matching.
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the
+ features.
+
+ * modules/pam_selinux/pam_selinux.c (security_label_tty): Don't log
+ relabelling error when the tty device doesn't exist (ENOENT).
+
+2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance
+ rationale about when this function should be used and when not.
+
+ * doc/index.html: Cleanup to look prettier.
+
+2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/Makefile.am: Bump patchlevel of libpam.
+ * libpam/pam_dispatch.c (_pam_dispatch_aux): If [return=die]
+ or [return=bad] is used, don't return PAM_IGNORE. Based on
+ patch by Tomas Mraz <t8m@centrum.cz>, [BRC#196859].
+
+2006-07-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * ABOUT-NLS: Upgrade to gettext-0.15.
+ * config.rpath: Likewise.
+ * m4/gettext.m4: Upgrade to gettext-0.15.
+ * m4/inttypes-h.m4: New file, from gettext-0.15.
+ * m4/inttypes-pri.m4: Upgrade to gettext-0.15.
+ * m4/lib-link.m4: Upgrade to gettext-0.15.
+ * m4/lib-prefix.m4: Upgrade to gettext-0.15.
+ * m4/lock.m4: New file, from gettext-0.15.
+ * m4/longdouble.m4: Upgrade to gettext-0.15.
+ * m4/nls.m4: Upgrade to gettext-0.15.
+ * m4/po.m4: Upgrade to gettext-0.15.
+ * m4/size_max.m4: Upgrade to gettext-0.15.
+ * m4/visibility.m4: New file, from gettext-0.15.
+ * po/Makefile.in.in: Upgrade to gettext-0.15.
+
+2006-07-24 David Quigley <dpquigl@tycho.nsa.gov>
+
+ * modules/pam_namespace/Makefile.am: Add pam_namespace.h.
+ * modules/pam_namespace/pam_namespace.c: Move includes and
+ data structure definitions from here ...
+ * modules/pam_namespace/pam_namespace.h: ... here. New file.
+
+ * modules/pam_namespace/pam_namespace.c: Move large sections
+ of code into new functions.
+
+2006-07-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/adg/Makefile.am: Add uninstall and distclean rules.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+
+2006-07-08 Daniel Richard G. <skunk@iskunk.org>
+
+ * conf/pam_conv1/Makefile.am: Fix rules for lex and yacc files.
+ * conf/pam_conv1/pam_conv.lex: Rename to ...
+ * conf/pam_conv1/pam_conv_l.l: ... this.
+ * conf/pam_conv1/pam_conv.y: Rename to ...
+ * conf/pam_conv1/pam_conv_y.y: ... this.
+ * configure.in: Add AC_HELP_STRING()s to various AC_ARG_ENABLE()
+ calls.
+ * doc/Makefile.am: Fix rule to install index.html.
+ * doc/adg/Makefile.am: Fix test usage.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+ * doc/specs/Makefile.am: Fix rules for lex and yacc files.
+ * specs/parse.lex: Rename to ...
+ * doc/specs/parse_l.l: ... this.
+ * doc/specs/parse.y: Rename to ...
+ * doc/specs/parse_y.y: ... this.
+ * libpam/pam_account.c: Fix #if vs. #ifdef.
+ * libpam/pam_audit.c: Likewise.
+ * libpam/pam_auth.c: Likewise.
+ * libpam/pam_password.c: Likewise.
+ * libpam/pam_private.h: Likewise.
+ * libpam/pam_session.c: Likewise.
+ * libpam/pam_start.c: Likewise.
+ * libpam/pam_static.c: Fix "empty sourcefile" warning.
+ * modules/pam_limits/pam_limits.c: Check for __linux, too.
+ * modules/pam_userdb/Makefile.am: Don't run test if no
+ libdb available.
+ * tests/tst-dlopen.c: Include config.h.
+
+2006-07-03 Dan Yefimov
+
+ * configure.in: Fixed have_key_syscalls test.
+
+ * modules/pam_access/pam_access.c (from_match): Fixed IPv4 network
+ match, removed AI_ADDRCONFIG flag.
+
+2006-06-30 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/Makefile.am(EXTRA_DIST): Add namespace.init.
+
+2006-06-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/Makefile.am (releasedocs): Fix directory layout.
+ * doc/adg/Makefile.am: Likewise.
+ * doc/mwg/Makefile.am: Likewise.
+ * doc/sag/Makefile.am: Likewise.
+
+2006-06-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/sag: System Administrator Guide as XML source.
+ * doc/sag/Makefile.am: New.
+ * doc/sag/Linux-PAM_SAG.xml: New, main XML document.
+ * doc/sag/pam_*.xml: New, wrapper to include module documentation.
+
+ * doc/adg: Application Developers Guide as XML source.
+ * doc/adg/Makefile.am: New.
+ * doc/adg/Linux-PAM_ADG.xml: New, main XML document.
+ * doc/adg/pam_*.xml: New, wrappers to include manual pages.
+
+ * doc/mwg: Application Developers Guide as XML source.
+ * doc/mwg/Makefile.am: New.
+ * doc/mwg/Linux-PAM_MWG.xml: New, main XML document.
+ * doc/mwg/pam_*.xml: New, wrappers to include manual pages.
+
+ * doc/CREDITS: Removed.
+ * doc/NOTES: Removed.
+ * doc/pam_appl.sgml: Removed.
+ * doc/pam_modules.sgml: Removed.
+ * doc/pam_source.sgml: Removed.
+ * doc/figs/pam_orient.txt: Removed.
+ * doc/figs: Removed.
+
+ * configure.in: Remove checks for sgml2* progrs, add sag, adg
+ and mwg Makefiles.
+
+ * doc/Makefile.am: Remove references to sgml, add sag, adg and mwg
+ directories.
+ * doc/modules: Remove directory.
+ * doc/html: Remove directory.
+ * doc/ps: Remove directory.
+ * doc/pdf: Remove directory.
+ * doc/txts: Remove directory.
+ * doc/index.html: Moved from html directory to here.
+
+2006-06-28 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.5.0
+
+ * bump version number to 0.99.5.0
+
+ * modules/pam_rhosts/pam_rhosts.c: New module, replaces
+ pam_rhosts_auth.so.
+ * modules/pam_rhosts/pam_rhosts.8.xml: New.
+ * modules/pam_rhosts/pam_rhosts.8: New, generated from XML source.
+ * modules/pam_rhosts/tst-pam_rhosts: New.
+ * modules/pam_rhosts/Makefile.am: Add pam_rhosts, generate
+ manual page and README.
+ * modules/pam_rhosts/README.xml: New.
+ * modules/pam_rhosts/reADME: Regenerated from XML source.
+
+ * doc/man/pam_sm_acct_mgmt.3.xml: Adjust syntax for module
+ writers guide.
+ * doc/man/pam_sm_authenticate.3.xml: Likewise.
+ * doc/man/pam_sm_chauthtok.3.xml: Likewise.
+ * doc/man/pam_sm_close_session.3.xml: Likewise.
+ * doc/man/pam_sm_open_session.3.xml: Likewise.
+ * doc/man/pam_sm_setcred.3.xml: Likewise.
+
+ * po/POTFILES.in: Add new source files.
+
+ * libpam/pam_static_modules.h: Add new modules.
+
+ * modules/pam_keyinit.c: Add _pam_keyinit_modstruct.
+
+ * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Add XML
+ files and manual page.
+
+2006-06-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Allow disabling of SELinux support, check for
+ rootok_af.
+
+2006-06-27 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/pam_namespace.c: New module
+ originally written by Janak Desai.
+ * modules/pam_namespace/Makefile.am: New.
+ * modules/pam_namespace/README: New.
+ * modules/pam_namespace/md5.c: New.
+ * modules/pam_namespace/md5.h: New.
+ * modules/pam_namespace/namespace.conf: New.
+ * modules/pam_namespace/namespace.conf.5: New.
+ * modules/pam_namespace/namespace.conf.5.xml: New.
+ * modules/pam_namespace/namespace.init: New.
+ * modules/pam_namespace/pam_namespace.8: New.
+ * modules/pam_namespace/pam_namespace.8.xml: New.
+ * modules/pam_namespace/tst-pam_namespace: New.
+ * modules/Makefile.am: Added pam_namespace.
+ * configure.in: Added pam_namespace, test for unshare
+ library call.
+
+2006-06-27 David Howells <dhowells@redhat.com>
+
+ * modules/pam_keyinit/pam_keyinit.c: New module.
+ * modules/pam_keyinit/pam_keyinit.8: New.
+ * modules/pam_keyinit/pam_keyinit.8.xml: New.
+ * modules/pam_keyinit/README: New.
+ * modules/pam_keyinit/README.xml: New.
+ * modules/pam_keyinit/Makefile.am: New.
+ * modules/pam_keyinit/tst-pam_keyinit: New.
+ * modules/Makefile.am: Added pam_keyinit.
+ * configure.in: Added test for the key mgmt syscall.
+
+2006-06-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * m4/libprelude.m4: Sync with upstream.
+
+2006-06-27 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary):
+ signal() fails with SIG_ERR return
+ * modules/pam_unix/pam_unix_passwd.c(_unix_run_shadow_binary):
+ Likewise.
+ * modules/pam_unix/support.c(_unix_run_helper_binary):
+ Likewise.
+
+2006-06-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/misc_conv.3.xml: New.
+ * doc/man/misc_conv.3: New.
+ * doc/man/pam_misc_paste_env.3.xml: New.
+ * doc/man/pam_misc_paste_env.3: New.
+ * doc/man/pam_misc_drop_env.3.xml: New.
+ * doc/man/pam_misc_drop_env.3: New.
+ * doc/man/pam_misc_setenv.3.xml: New.
+ * doc/man/pam_misc_setenv.3: New.
+ * doc/man/Makefile.am: Add new manual pages.
+
+ * doc/man/pam_acct_mgmt.3.xml: Fix syntax for inclusion
+ in Applicatoin Developer Guide.
+ * doc/man/pam_authenticate.3.xml: Likewise
+ * doc/man/pam_chauthtok.3.xml: Likewise
+ * doc/man/pam_close_session.3.xml: Likewise
+ * doc/man/pam_conv.3.xml: Likewise
+ * doc/man/pam_end.3.xml: Likewise
+ * doc/man/pam_fail_delay.3.xml: Likewise
+ * doc/man/pam_getenv.3.xml: Likewise
+ * doc/man/pam_getenvlist.3.xml: Likewise
+ * doc/man/pam_open_session.3.xml: Likewise
+ * doc/man/pam_putenv.3.xml: Likewise
+ * doc/man/pam_setcred.3.xml: Likewise
+ * doc/man/pam_start.3.xml: Likewise
+ * doc/man/pam_strerror.3.xml: Likewise
+
+ * doc/man/pam_acct_mgmt.3: Regenerate from XML source.
+ * doc/man/pam_authenticate.3: Likewise
+ * doc/man/pam_chauthtok.3: Likewise
+ * doc/man/pam_close_session.3: Likewise
+ * doc/man/pam_conv.3: Likewise
+ * doc/man/pam_end.3: Likewise
+ * doc/man/pam_fail_delay.3: Likewise
+ * doc/man/pam_getenv.3: Likewise
+ * doc/man/pam_getenvlist.3: Likewise
+ * doc/man/pam_open_session.3: Likewise
+ * doc/man/pam_putenv.3: Likewise
+ * doc/man/pam_setcred.3: Likewise
+ * doc/man/pam_sm_close_session.3: Likewise
+ * doc/man/pam_start.3: Likewise
+ * doc/man/pam_strerror.3: Likewise
+ * doc/man/pam_syslog.3: Likewise
+ * doc/man/PAM.8: Likewise
+
+2006-06-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_limits/pam_limits.c (setup_limits): Don't
+ reset priority for root.
+
+2006-06-23 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_access/access.conf.5.xml: Fix syntax for SAG.
+ * modules/pam_access/pam_access.8.xml: Likewise.
+ * modules/pam_deny/pam_deny.8.xml: Likewise.
+ * modules/pam_echo/pam_echo.8.xml: Likewise.
+ * modules/pam_env/pam_env.8.xml: Likewise.
+ * modules/pam_env/pam_env.conf.5.xml: Likewise.
+ * modules/pam_group/group.conf.5.xml: Likewise.
+ * modules/pam_group/pam_group.8.xml: Likewise.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+ * modules/pam_listfile/pam_listfile.8.xml: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise.
+ * modules/pam_time/pam_time.8.xml: Likewise.
+ * modules/pam_time/time.conf.5.xml: Likewise.
+
+ * modules/pam_access/access.conf.5: Regenerate.
+ * modules/pam_access/pam_access.8: Likewise.
+ * modules/pam_deny/pam_deny.8: Likewise.
+ * modules/pam_echo/README: Likewise.
+ * modules/pam_echo/pam_echo.8: Likewise.
+ * modules/pam_env/pam_env.8: Likewise.
+ * modules/pam_env/pam_env.conf.5: Likewise.
+ * modules/pam_group/README: Likewise.
+ * modules/pam_group/group.conf.5: Likewise.
+ * modules/pam_group/pam_group.8: Likewise.
+ * modules/pam_limits/limits.conf.5: Likewise.
+ * modules/pam_listfile/README: Likewise.
+ * modules/pam_listfile/pam_listfile.8: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.8: Likewise.
+ * modules/pam_time/pam_time.8: Likewise.
+ * modules/pam_time/time.conf.5: Likewise.
+
+ * doc/man/Makefile.am: Add pam.conf-desc.xml, pam.conf-dir.xml
+ and pam.conf-syntax.xml.
+ * doc/man/pam.conf.5.xml: Split into different pieces for SAG.
+ * doc/man/pam.conf.5: Regenerated.
+ * doc/man/pam.conf-desc.xml: New.
+ * doc/man/pam.conf-dir.xml: New.
+ * doc/man/pam.conf-syntax.xml: New.
+
+2006-06-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_selinux/Makefile.am: Fix "make dist" if libselinux
+ is not installed.
+
+ * modules/pam_issue/pam_issue.8.xml: Fix listing of escapes.
+ * modules/pam_issue/pam_issue.8: Regenerate.
+
+2006-06-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Remove unused check for libcap.
+
+ * m4/ld-as-needed.m4: New.
+ * m4/ld-O1.m4: New.
+ * configure.in: Call PAM_LD_AS_NEEDED and PAM_LD_O1,
+ require docbook version 4.4.
+
+2006-06-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam.8.xml: Syntax cleanup.
+ * doc/pam/PAM.8: Regenerated from xml source.
+ * man/pam_sm_chauthtok.3: New.
+ * man/pam_sm_chauthtok.3.xml: New.
+ * man/pam_sm_close_session.3: New.
+ * man/pam_sm_close_session.3.xml: New.
+ * man/pam_sm_open_session.3: New.
+ * man/pam_sm_open_session.3.xml: New.
+ * man/pam_sm_authenticate.3: New.
+ * man/pam_sm_authenticate.3.xml: New.
+ * man/pam_sm_setcred.3: New.
+ * man/pam_sm_setcred.3.xml: New.
+ * man/Makefile.am: Add new pam_sm_* manual pages.
+
+ * specs/Makefile.am: Fix rule to generate draft.
+
+2006-06-18 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_tally/Makefile.am: Include Make.xml.rules.
+ * modules/pam_tally/pam_tally.8.xml: New.
+ * modules/pam_tally/pam_tally.8: New, generated from xml file.
+ * modules/pam_tally/README.xml: New.
+ * modules/pam_tally/README: Regenerated from xml file.
+
+ * modules/pam_selinux/Makefile.am: Include Make.xml.rules.
+ * modules/pam_selinux/pam_selinux.8.xml: New.
+ * modules/pam_selinux/pam_selinux.8: Regenerated from xml file.
+ * modules/pam_selinux/README.xml: New.
+ * modules/pam_selinux/README: Regenerated from xml file.
+
+2006-06-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_debug/Makefile.am: Include Make.xml.rules.
+ * modules/pam_debug/pam_debug.8.xml: New.
+ * modules/pam_debug/pam_debug.8: New, generated from xml file.
+ * modules/pam_debug/README.xml: New.
+ * modules/pam_debug/README: Regenerated from xml file.
+
+ * examples/vpass.c: UID is unsigned on Linux.
+ * modules/pam_exec/pam_exec.c: Likewise.
+ * modules/pam_unix/pam_unix_acct.c: Likewise.
+ * modules/pam_unix/pam_unix_sess.c: Likewise.
+
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix syntax error.
+ * modules/pam_succeed_if/pam_succeed_if.8: Regenerated.
+ * modules/pam_succeed_if/README: Regenerated.
+
+ * modules/pam_limits/Makefile.am: Include Make.xml.rules.
+ * modules/pam_limits/limits.conf.5: New, generated from xml file.
+ * modules/pam_limits/limits.conf.5.xml: New.
+ * modules/pam_limits/pam_limits.8: New, generated from xml file.
+ * modules/pam_limits/pam_limits.8.xml: New.
+ * modules/pam_limits/README.xml: New.
+ * modules/pam_limits/README: Regenerated from README.xml.
+
+2006-06-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix_passwd.c (save_old_password): UIDs
+ are unsigned on Linux, don't truncate them.
+ (_do_setpass): err is of type clnt_stat, not int.
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_read): Don't
+ truncate UID for syslog output.
+
+ * modules/pam_time/pam_time.c: Replace type boolean with int.
+ * modules/pam_group/pam_group.c: Likewise.
+
+2006-06-15 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/bigcrypt.h: New.
+ * modules/pam_unix/Makefile.am: Add bigcrypt.h.
+ * modules/pam_unix/bigcrypt.c: Include bigcrypt.h.
+ * modules/pam_unix/support.c: Include bigcrypt.h, remove
+ own prototype.
+ * modules/pam_unix/bigcrypt_main.c: Include bigcrypt.h, remove
+ own prototype.
+ * modules/pam_unix/pam_unix_passwd.c: Include bigcrypt.h, remove
+ own prototype.
+
+ * modules/pam_time/pam_time.c (logic_member): Remove unused
+ variable len.
+
+ * modules/pam_group/pam_group.c (logic_field): Accept
+ colon in tty name. [#1428276].
+ (logic_member): Remove unused variable len.
+ (check_account): Fix usage of err variable in debug code.
+
+ * modules/pam_time/pam_time.c (logic_field): Likewise.
+
+ * configure.in: Add special exceptions for icc: different
+ compiler warnings, no PIE support.
+
+2006-06-14 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_misc.c (_pam_strdup): Use strlen and strcpy.
+
+ * configure.in: Remove --enable-memory-debug, add option
+ to disable prelude if installed.
+
+ * modules/pam_tally/pam_tally.c: Remove MEMORY_DEBUG
+ * modules/pam_filter/upperLOWER/upperLOWER.c: Likewise.
+ * modules/pam_unix/unix_chkpwd.c: Likewise.
+ * libpam/include/security/_pam_types.h: Likewise.
+ * libpam/libpam.map: Remove LIBPAM_MALLOC_DEBUG export.
+ * libpam/pam_malloc.c: Remove file.
+ * libpam/Makefile.am: Remove pam_malloc.c and pam_malloc.h.
+
+ * libpam/pam_handlers.c (extract_modulename): Use _pam_strdup
+ instead of strdup.
+
+ * libpam/pam_private.h: Remove _pam_strCMP.
+ * libpam/pam_misc.c: Likewise.
+ * libpam/pam_handlers.c: Replaced _pam_strCMP with strcasecmp.
+
+2006-06-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_tally/Makefile.am (AM_LDFLAGS): Remove flags
+ for modules from main application.
+
+2006-06-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_time/Makefile.am: Include Make.xml.rules.
+ * modules/pam_time/time.conf.5: New, generated from xml file.
+ * modules/pam_time/time.conf.5.xml: New.
+ * modules/pam_time/pam_time.8: New, generated from xml file.
+ * modules/pam_time/pam_time.8.xml: New.
+ * modules/pam_time/README.xml: New.
+ * modules/pam_time/README: Regenerated from README.xml.
+
+ * modules/pam_wheel/Makefile.am: Include Make.xml.rules.
+ * modules/pam_wheel/pam_wheel.8.xml: New.
+ * modules/pam_wheel/pam_wheel.8: New, generated from xml file.
+ * modules/pam_wheel/README.xml: New.
+ * modules/pam_wheel/README: Regenerated from xml file.
+
+ * modules/pam_xauth/Makefile.am: Include Make.xml.rules.
+ * modules/pam_xauth/pam_xauth.8.xml: New.
+ * modules/pam_xauth/pam_xauth.8: Regenerated from xml file.
+ * modules/pam_xauth/README.xml: New.
+ * modules/pam_xauth/README: Regenerated from xml file.
+
+ * modules/pam_deny/pam_deny.8.xml: Fix syntax errors.
+ * modules/pam_deny/pam_deny.8: Regenerate from xml file.
+ * modules/pam_deny/README: Likewise.
+
+ * modules/pam_warn/Makefile.am: Include Make.xml.rules.
+ * modules/pam_warn/pam_warn.8.xml: New.
+ * modules/pam_warn/pam_warn.8: New, generated from xml file.
+ * modules/pam_warn/README.xml: New.
+ * modules/pam_warn/README: Regenerated from xml file.
+
+ * modules/pam_userdb/Makefile.am: Include Make.xml.rules.
+ * modules/pam_userdb/pam_userdb.8.xml: New.
+ * modules/pam_userdb/pam_userdb.8: New, generated from xml file.
+ * modules/pam_userdb/README.xml: New.
+ * modules/pam_userdb/README: Regenerated from xml file.
+
+2006-06-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_shells/Makefile.am: Include Make.xml.rules.
+ * modules/pam_shells/pam_shells.8.xml: New.
+ * modules/pam_shells/pam_shells.8: New, generated from xml file.
+ * modules/pam_shells/README.xml: New.
+ * modules/pam_shells/README: Regenerated from xml file.
+
+ * libpam/include/security/pam_malloc.h: Add missing license
+ informations.
+
+ * libpam/include/security/pam_ext.h: Add brackets for C++.
+ * libpam/include/security/pam_modutil.h: Likewise.
+
+ * libpam/include/security/pam_modules.h: Document where to
+ find the copyright/license informations.
+
+ * libpam/include/security/pam_appl.h: Move _pam_compat.h
+ include inside of brackets.
+
+2006-06-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_securetty/Makefile.am: Include Make.xml.rules.
+ * modules/pam_securetty/pam_securetty.8.xml: New.
+ * modules/pam_securetty/pam_securetty.8: Regenerated from xml file.
+ * modules/pam_securetty/README.xml: New.
+ * modules/pam_securetty/README: Regenerated from xml file.
+
+ * modules/pam_rootok/Makefile.am: Include Make.xml.rules.
+ * modules/pam_rootok/pam_rootok.8.xml: New.
+ * modules/pam_rootok/pam_rootok.8: New, generated from xml file.
+ * modules/pam_rootok/README.xml: New.
+ * modules/pam_rootok/README: Regenerated from xml file.
+
+ * modules/pam_permit/Makefile.am: Include Make.xml.rules.
+ * modules/pam_permit/pam_permit.8.xml: New.
+ * modules/pam_permit/pam_permit.8: New, generated from xml file.
+ * modules/pam_permit/README.xml: New.
+ * modules/pam_permit/README: Regenerated from xml file.
+
+ * modules/pam_nologin/Makefile.am: Include Make.xml.rules.
+ * modules/pam_nologin/pam_nologin.8.xml: New.
+ * modules/pam_nologin/pam_nologin.8: Regenerated from xml file.
+ * modules/pam_nologin/README.xml: New.
+ * modules/pam_nologin/README: Regenerated from xml file.
+
+2006-06-03 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_motd/Makefile.am: Include Make.xml.rules.
+ * modules/pam_motd/pam_motd.8.xml: New.
+ * modules/pam_motd/pam_motd.8: New, generated from xml file.
+ * modules/pam_motd/README.xml: New.
+ * modules/pam_motd/README: New, generated from xml file.
+
+2006-06-02 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mail/Makefile.am: Include Make.xml.rules.
+ * modules/pam_mail/pam_mail.8.xml: New.
+ * modules/pam_mail/pam_mail.8: New, generated from xml file.
+ * modules/pam_mail/README.xml: New.
+ * modules/pam_mail/README: Regenerated from xml file.
+
+ * modules/pam_localuser/Makefile.am: Include Make.xml.rules.
+ * modules/pam_localuser/pam_localuser.8.xml: New.
+ * modules/pam_localuser/pam_localuser.8: New, generated from xml file.
+ * modules/pam_localuser/README.xml: New.
+ * modules/pam_localuser/README: Regenerated from xml file.
+
+ * doc/man/PAM.8: Regenerate with DocBook XSL Stylesheets v1.70.1.
+ * doc/man/pam.3: Likewise.
+ * doc/man/pam.conf.5: Likewise.
+ * doc/man/pam_acct_mgmt.3: Likewise.
+ * doc/man/pam_authenticate.3: Likewise.
+ * doc/man/pam_chauthtok.3: Likewise.
+ * doc/man/pam_close_session.3: Likewise.
+ * doc/man/pam_conv.3: Likewise.
+ * doc/man/pam_end.3: Likewise.
+ * doc/man/pam_error.3: Likewise.
+ * doc/man/pam_fail_delay.3: Likewise.
+ * doc/man/pam_get_data.3: Likewise.
+ * doc/man/pam_get_item.3: Likewise.
+ * doc/man/pam_get_user.3: Likewise.
+ * doc/man/pam_getenv.3: Likewise.
+ * doc/man/pam_getenvlist.3: Likewise.
+ * doc/man/pam_info.3: Likewise.
+ * doc/man/pam_open_session.3: Likewise.
+ * doc/man/pam_prompt.3: Likewise.
+ * doc/man/pam_putenv.3: Likewise.
+ * doc/man/pam_set_data.3: Likewise.
+ * doc/man/pam_set_item.3: Likewise.
+ * doc/man/pam_setcred.3: Likewise.
+ * doc/man/pam_sm_acct_mgmt.3: Likewise.
+ * doc/man/pam_start.3: Likewise.
+ * doc/man/pam_strerror.3: Likewise.
+ * doc/man/pam_syslog.3: Likewise.
+ * modules/pam_access/access.conf.5: Likewise.
+ * modules/pam_access/pam_access.8: Likewise.
+ * modules/pam_cracklib/pam_cracklib.8: Likewise.
+ * modules/pam_deny/pam_deny.8: Likewise.
+ * modules/pam_echo/pam_echo.8: Likewise.
+ * modules/pam_env/pam_env.8: Likewise.
+ * modules/pam_env/pam_env.conf.5: Likewise.
+ * modules/pam_exec/pam_exec.8: Likewise.
+ * modules/pam_filter/pam_filter.8: Likewise.
+ * modules/pam_ftp/pam_ftp.8: Likewise.
+ * modules/pam_group/group.conf.5: Likewise.
+ * modules/pam_group/pam_group.8: Likewise.
+ * modules/pam_issue/pam_issue.8: Likewise.
+ * modules/pam_lastlog/pam_lastlog.8: Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.8: Likewise.
+ * modules/pam_succeed_if/pam_succeed_if.8: Likewise.
+ * modules/pam_umask/pam_umask.8: Likewise.
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Use
+ dngettext if available [#1427738].
+ * configure.in: Check for dngettext [#1427738].
+ * po/*.po: Update to dngettext usage.
+
+ * modules/pam_listfile/Makefile.am: Include Make.xml.rules.
+ * modules/pam_listfile/pam_listfile.8.xml: New.
+ * modules/pam_listfile/pam_listfile.8: New, generated from xml file.
+ * modules/pam_listfile/README.xml: New.
+ * modules/pam_listfile/README: Regenerated from xml file.
+
+2006-06-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_lastlog/Makefile.am: Include Make.xml.rules.
+ * modules/pam_lastlog/pam_lastlog.8.xml: New.
+ * modules/pam_lastlog/pam_lastlog.8: New, generated from xml file.
+ * modules/pam_lastlog/README.xml: New.
+ * modules/pam_lastlog/README: Regenerated from xml file.
+
+ * modules/pam_group/Makefile.am: Include Make.xml.rules.
+ * modules/pam_group/group.conf.5.xml: New.
+ * modules/pam_group/group.conf.5: New, generated from xml file.
+ * modules/pam_group/pam_group.8.xml: New.
+ * modules/pam_group/pam_group.8: New, generated from xml file.
+ * modules/pam_group/README.xml: New.
+ * modules/pam_group/README: Regenerated from xml file.
+
+ * modules/pam_ftp/Makefile.am: Include Make.xml.rules.
+ * modules/pam_ftp/pam_ftp.8.xml: New.
+ * modules/pam_ftp/pam_ftp.8: New, generated from xml file.
+ * modules/pam_ftp/README.xml: New.
+ * modules/pam_ftp/README: Regenerated from xml file.
+
+ * modules/pam_issue/Makefile.am: Include Make.xml.rules.
+ * modules/pam_issue/pam_issue.8.xml: New.
+ * modules/pam_issue/pam_issue.8: New, generated from xml file.
+ * modules/pam_issue/README.xml: New.
+ * modules/pam_issue/README: Regenerated from xml file.
+
+ * modules/pam_filter/Makefile.am: Include Make.xml.rules.
+ * modules/pam_filter/pam_filter.8.xml: New.
+ * modules/pam_filter/pam_filter.8: New, generated from xml file.
+ * modules/pam_filter/README.xml: New.
+ * modules/pam_filter/README: Regenerated from xml file.
+
+2006-05-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml: Fix umask and skel
+ directory documentation.
+
+ * modules/pam_umask/Makefile.am: Include Make.xml.rules.
+ * modules/pam_umask/pam_umask.8.xml: New.
+ * modules/pam_umask/pam_umask.8: New, generated from xml file.
+ * modules/pam_umask/README.xml: New.
+ * modules/pam_umask/README: Regenerated from xml file.
+
+2006-05-29 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_mkhomedir/Makefile.am: Include Make.xml.rules.
+ * modules/pam_mkhomedir/pam_mkhomedir.8.xml: New.
+ * modules/pam_mkhomedir/pam_mkhomedir.8: New, generated from xml file.
+ * modules/pam_mkhomedir/README.xml: New.
+ * modules/pam_mkhomedir/README: Regenerated from xml file.
+
+2006-05-23 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_echo/pam_echo.c (pam_echo): Use pam_modutil_read()
+ instead of read().
+
+2006-05-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate):
+ Fix memory leaks, [#1490956] found by Coverity.
+
+ * modules/pam_tally/pam_tally.c (pam_get_uid): Check return
+ value of pam_get_user().
+ (tally_get_data): Check if oldtime is not NULL.
+ [#1489818] found by Coverity.
+
+ * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Don't
+ ignore return value of stat(). [#1489808] found by Coverity.
+
+ * modules/pam_mail/pam_mail.c (get_folder): Fix a potential
+ NULL pointer dereference. [#1489792] found by Coverity.
+
+ * libpam/Makefile.am: bump release number of libpam.so.
+ * libpam/pam_misc.c (_pam_mkargv): Fix memory leak,
+ [#1489804] found by Coverity.
+
+ * modules/pam_echo/pam_echo.c (replace_and_print): Initialize
+ str, [#1489658] found by Coverity.
+
+ * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
+ a potential NULL pointer dereference.
+ (pam_sm_chauthtok): Remove dead code.
+ [#1489634] found by Coverity.
+
+2006-05-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Check for fseeko.
+ * modules/pam_tally/pam_tally.c: Use fseeko if available
+ (Based on patch by IBM).
+
+2006-05-04 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.4.0
+
+ * libpam/pam_strerror.c: Unify error messages.
+
+ * po/zh_TW.po: Adjust for last pam_strerror changes.
+ * po/zh_CN.po: Likewise.
+ * po/uk.po: Likewise.
+ * po/tr.po: Likewise.
+ * po/pt.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nl.po: Likewise.
+ * po/nb.po: Likewise.
+ * po/it.po: Likewise.
+ * po/hu.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/fi.po: Likewise.
+ * po/es.po: Likewise.
+ * po/de.po: Likewise.
+ * po/cs.po: Likewise.
+
+ * doc/man/pam.3.xml: New.
+ * doc/man/pam.3. New, generated from XML file.
+
+ * doc/man/pam_sm_acct_mgmt.3.xml: New.
+ * doc/man/pam_sm_acct_mgmt.3: New, generated from XML file.
+
+ * doc/man/*.xml: Fix encoding and use always UTF-8, regenerate
+ all manual pages.
+
+ * doc/pam_modules.sgml (PAM_NEW_AUTHTOKEN_REQD): Fix typo.
+
+2006-05-02 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Use
+ different strings for plural or not [#1427738]
+
+ * po/*.po: Adjust for pam_unix.so translation fix.
+
+ * modules/pam_tally/pam_tally.c: Always close file handle
+ in error case, don't close it depending on *TALLY value [#1478180]
+
+2006-04-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/fr.po: Updated.
+
+2006-04-11 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/km.po: Updated.
+
+2006-03-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/LINGUAS: Add uk.
+
+ * po/uk.po: New.
+ * po/cs.po: Updated.
+ * po/po/es.po: Updated.
+ * po/fi.po: Updated.
+ * po/fr.po: Updated.
+ * po/hu.po: Updated.
+ * po/it.po: Updated.
+ * po/ja.po: Updated.
+ * po/nb.po: Updated.
+ * po/pl.po: Updated.
+ * po/pt.po: Updated.
+ * po/pt_BR.po: Updated.
+ * po/zh_CN.po: Updated.
+ * po/zh_TW.po: Updated.
+
+2006-03-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Remove ALL_LINGUAS.
+ * po/LINGUAS: New.
+ * po/tr.po: New (from Ismail Donmez <ismail@pardus.org.tr>).
+
+2006-03-13 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_error.3.xml: New.
+ * doc/man/pam_error.3: New, generated from XML file.
+ * doc/man/pam_verror.3: New, generated from XML file.
+ * doc/man/Makefile.am: Add pam_error.3 and pam_verror.3.
+
+ * modules/pam_lastlog/Makefile.am: Fix typo.
+
+ * modules/pam_lastlog/pam_lastlog.c: Move comment for
+ translators in right line.
+ * po/*.po: Update po files with comment for translator.
+
+2006-03-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/Makefile.am: Add new manual pages.
+
+ * doc/man/pam.conf.5.xml: Replace link with content
+ of PAM admin guide.
+ * doc/man/pam.conf.5: Regenerated from XML file.
+
+ * doc/man/pam_info.3.xml: New.
+ * doc/man/pam_info.3: New, generated from XML file.
+ * doc/man/pam_vinfo.3: New, generated from XML file.
+
+ * doc/man/pam_conv.3.xml: New.
+ * doc/man/pam_conv.3: New, generated from XML file.
+
+ * doc/man/pam_putenv.3.xml: New.
+ * doc/man/pam_putenv.3: New, generated from XML file.
+
+ * doc/man/pam_getenv.3.xml: New.
+ * doc/man/pam_getenv.3: New, generated from XML file.
+
+ * doc/man/pam_getenvlist.3.xml: New.
+ * doc/man/pam_getenvlist.3: New, generated from XML file.
+
+ * libpam/pam_item.c (pam_get_user): Check for valid pamh before
+ using it.
+
+ * configure.in: create tests/Makefile
+ * Makefile.am (SUBDIRS): Add tests
+ * tests/Makefile.am: New.
+ * tests/tst-dlopen.c: New.
+ * tests/tst-pam_acct_mgmt.c: New.
+ * tests/tst-pam_authenticate.c: New.
+ * tests/tst-pam_chauthtok.c: New.
+ * tests/tst-pam_close_session.c: New.
+ * tests/tst-pam_end.c: New.
+ * tests/tst-pam_fail_delay.c: New.
+ * tests/tst-pam_getenvlist.c: New.
+ * tests/tst-pam_get_item.c: New.
+ * tests/tst-pam_open_session.c: New.
+ * tests/tst-pam_setcred.c: New.
+ * tests/tst-pam_set_item.c: New.
+ * tests/tst-pam_start.c: New.
+ * tests/tst-pam_get_user.c: New.
+
+ * modules/pam_access/Makefile.am: Add rules for make check
+ * modules/pam_access/tst-pam_access: New
+ * modules/pam_cracklib/Makefile.am: Add rules for make check
+ * modules/pam_cracklib/tst-pam_cracklib: New
+ * modules/pam_debug/Makefile.am: Add rules for make check
+ * modules/pam_debug/tst-pam_debug: New
+ * modules/pam_deny/Makefile.am: Add rules for make check
+ * modules/pam_deny/tst-pam_deny: New
+ * modules/pam_echo/Makefile.am: Add rules for make check
+ * modules/pam_echo/tst-pam_echo: New
+ * modules/pam_env/Makefile.am: Add rules for make check
+ * modules/pam_env/tst-pam_env: New
+ * modules/pam_exec/Makefile.am: Add rules for make check
+ * modules/pam_exec/tst-pam_exec: New
+ * modules/pam_filter/Makefile.am: Add rules for make check
+ * modules/pam_filter/tst-pam_filter: New
+ * modules/pam_ftp/Makefile.am: Add rules for make check
+ * modules/pam_ftp/tst-pam_ftp: New
+ * modules/pam_group/Makefile.am: Add rules for make check
+ * modules/pam_group/tst-pam_group: New
+ * modules/pam_issue/Makefile.am: Add rules for make check
+ * modules/pam_issue/tst-pam_issue: New
+ * modules/pam_lastlog/Makefile.am: Add rules for make check
+ * modules/pam_lastlog/tst-pam_lastlog: New
+ * modules/pam_limits/Makefile.am: Add rules for make check
+ * modules/pam_limits/tst-pam_limits: New
+ * modules/pam_listfile/Makefile.am: Add rules for make check
+ * modules/pam_listfile/tst-pam_listfile: New
+ * modules/pam_localuser/Makefile.am: Add rules for make check
+ * modules/pam_localuser/tst-pam_localuser: New
+ * modules/pam_mail/Makefile.am: Add rules for make check
+ * modules/pam_mail/tst-pam_mail: New
+ * modules/pam_mkhomedir/Makefile.am: Add rules for make check
+ * modules/pam_mkhomedir/tst-pam_mkhomedir: New
+ * modules/pam_motd/Makefile.am: Add rules for make check
+ * modules/pam_motd/tst-pam_motd: New
+ * modules/pam_nologin/Makefile.am: Add rules for make check
+ * modules/pam_nologin/tst-pam_nologin: New
+ * modules/pam_permit/Makefile.am: Add rules for make check
+ * modules/pam_permit/tst-pam_permit: New
+ * modules/pam_rhosts/Makefile.am: Add rules for make check
+ * modules/pam_rhosts/tst-pam_rhosts: New
+ * modules/pam_rootok/Makefile.am: Add rules for make check
+ * modules/pam_rootok/tst-pam_rootok: New
+ * modules/pam_securetty/Makefile.am: Add rules for make check
+ * modules/pam_securetty/tst-pam_securetty: New
+ * modules/pam_selinux/Makefile.am: Add rules for make check
+ * modules/pam_selinux/tst-pam_selinux: New
+ * modules/pam_shells/Makefile.am: Add rules for make check
+ * modules/pam_shells/tst-pam_shells: New
+ * modules/pam_stress/Makefile.am: Add rules for make check
+ * modules/pam_stress/tst-pam_stress: New
+ * modules/pam_succeed_if/Makefile.am: Add rules for make check
+ * modules/pam_succeed_if/tst-pam_succeed_if: New
+ * modules/pam_tally/Makefile.am: Add rules for make check
+ * modules/pam_tally/tst-pam_tally: New
+ * modules/pam_time/Makefile.am: Add rules for make check
+ * modules/pam_time/tst-pam_time: New
+ * modules/pam_umask/Makefile.am: Add rules for make check
+ * modules/pam_umask/tst-pam_umask: New
+ * modules/pam_unix/Makefile.am: Add rules for make check
+ * modules/pam_unix/tst-pam_unix: New
+ * modules/pam_userdb/Makefile.am: Add rules for make check
+ * modules/pam_userdb/tst-pam_userdb: New
+ * modules/pam_warn/Makefile.am: Add rules for make check
+ * modules/pam_warn/tst-pam_warn: New
+ * modules/pam_wheel/Makefile.am: Add rules for make check
+ * modules/pam_wheel/tst-pam_wheel: New
+ * modules/pam_xauth/Makefile.am: Add rules for make check
+ * modules/pam_xauth/tst-pam_xauth: New
+
+2006-03-11 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_fail_delay.3.xml: New.
+ * doc/man/pam_fail_delay.3: New, generated from xml.
+ * doc/man/pam_prompt.3.xml: New.
+ * doc/man/pam_prompt.3: New, generated from xml.
+ * doc/man/pam_syslog.3.xml: New.
+ * doc/man/pam_syslog.3: New, generated from xml.
+ * doc/man/pam_vprompt.3: New, generated from xml.
+ * doc/man/pam_vsyslog.3: New, generated from xml.
+
+2006-02-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/km.po: Update Khmer translation.
+
+2006-02-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: New, based on
+ version from #1425487.
+ * modules/pam_succeed_if/pam_succeed_if.8: Regenerated from xml.
+ * modules/pam_succeed_if/Makefile.am: Include XML rules.
+ * modules/pam_succeed_if/README.xml: New.
+ * modules/pam_succeed_if/README: Regenerated from xml.
+ * modules/pam_succeed_if/pam_succeed_if.c: Fix comment about
+ return values.
+
+2006-02-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Fix check for incomplete libaudit installations
+ (Patch from Ruediger Oertel <ro@suse.de>).
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_write): Initialize
+ correct last_login field [#1427401].
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_read): Mark strftime
+ format string for translation to allow reorder [#1428269].
+ * po/*.po: Update with last pam_lastlog change.
+
+
+2006-02-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/Makefile.am: Add new manual pages.
+ * doc/man/pam_end.3: Regenerated from xml file.
+ * doc/man/pam_end.3.xml: Document freeing of item data.
+ * doc/man/pam_get_user.3: New.
+ * doc/man/pam_get_user.3.xml: New.
+ * modules/pam_access/access.conf.5.xml: Fix typos.
+ * modules/pam_env/Makefile.am: Add new manual pages.
+ * modules/pam_env/README: Regenerate from xml file.
+ * modules/pam_env/README.xml: New.
+ * modules/pam_env/pam_env.8: New.
+ * modules/pam_env/pam_env.8.xml: New.
+ * modules/pam_env/pam_env.conf.5: New.
+ * modules/pam_env/pam_env.conf.5.xml New.
+
+2006-02-14 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/fi.po: Updated translations.
+ * po/pl.po: Likewise.
+ * po/km.po: New translation.
+ * configure.in: Add km as new language.
+
+2006-02-13 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_echo/pam_echo.8.xml: New.
+ * modules/pam_echo/pam_echo.8: Regenerated from xml file.
+ * modules/pam_echo/Makefile.am: Include Make.xml.rules.
+ * modules/pam_echo/pam_echo.c: Fix return value.
+
+ * doc/modules/pam_chroot.sgml: Remove obsolete sgml file.
+
+2006-02-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Add doc/man/Makefile.
+ * Make.xml.rules: Enable xincludes for manual pages.
+ * doc/Makefile.am (EXRA_DIST): Remove manual pages.
+ (SUBDIR): Add man subdirectory.
+ * doc/man/Makefile.am: New.
+ * doc/man/pam_acct_mgmt.3: New.
+ * doc/man/pam_acct_mgmt.3.xml: New.
+ * doc/man/pam_get_data.3: New.
+ * doc/man/pam_get_data.3.xml: New.
+ * doc/man/pam_set_data.3: New.
+ * doc/man/pam_set_data.3.xml: New.
+ * doc/man/pam.8.xml: New.
+ * doc/man/pam.8: Regenerated from xml file.
+ * doc/man/pam_authenticate.3.xml: New.
+ * doc/man/pam_authenticate.3: Regenerated from xml file.
+ * doc/man/pam_chauthtok.3.xml: New.
+ * doc/man/pam_chauthtok.3: Regenerated from xml file.
+ * doc/man/pam_close_session.3.xml: New.
+ * doc/man/pam_close_session.3: Regenerated from xml file.
+ * doc/man/pam_end.3.xml: New.
+ * doc/man/pam_end.3: Regenerated from xml file.
+ * doc/man/pam_fail_delay.3.xml: New.
+ * doc/man/pam_fail_delay.3: Regenerated from xml file.
+ * doc/man/pam_get_item.3.xml: New.
+ * doc/man/pam_get_item.3: Regenerated from xml file.
+ * doc/man/pam_item_types.inc.xml: New.
+ * doc/man/pam_open_session.3.xml: New.
+ * doc/man/pam_open_session.3: Regenerated from xml file.
+ * doc/man/pam_set_item.3.xml: New.
+ * doc/man/pam_set_item.3: Regenerated from xml file.
+ * doc/man/pam_setcred.3.xml: New.
+ * doc/man/pam_setcred.3: Regenerated from xml file.
+ * doc/man/pam_start.3.xml: New.
+ * doc/man/pam_start.3: Regenerated from xml file.
+ * doc/man/pam_strerror.3.xml: New.
+ * doc/man/pam_strerror.3: Regenerated from xml file.
+ * doc/man/template-man: Removed.
+
+2006-02-10 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Remove pam_pwdb support.
+ * modules/Makefile.am: remove pam_pwdb.
+ * modules/pam_pwdb: Remove complete directory.
+ * libpam/Makefile.am: Remove LIBPWDB references.
+ * libpam/pam_static_modules.h: Remove pam_pwdb references.
+ * doc/modules/pam_pwdb.sgml: Removed.
+ * po/POTFILES.in: Remove modules/pam_pwdb/*.c entries.
+ * doc/pam_source.sgml: Remove references to libpwdb.
+ * doc/modules/pam_limits.sgml: Remove wrong reference to libpwdb.
+ * doc/modules/pam_group.sgml: Likewise.
+ * doc/modules/pam_cracklib.sgml: Replace pam_pwdb with pam_unix.
+ * doc/modules/pam_userdb.sgml: Likewise.
+ * modules/pam_cracklib/pam_cracklib.8.xml: Replace pam_pwdb
+ with pam_unix.
+ * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+ * modules/pam_group/pam_group.c: Remove dead code for libpwdb.
+
+ * modules/pam_access/Makefile.am: Fix EXTRA_DIST.
+ * modules/pam_cracklib/Makefile.am: Likewise.
+ * modules/pam_deny/Makefile.am: Likewise.
+ * modules/pam_exec/Makefile.am: Likewise.
+
+2006-02-07 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Check for text browser.
+ * Make.xml.rules: Add rule to generate README from README.xml.
+
+ * modules/pam_access/Makefile.am: Include Make.xml.rules.
+ * modules/pam_access/README: Regenerated from README.xml.
+ * modules/pam_access/README.xml: New.
+ * modules/pam_access/access.conf: Extended by new examples.
+ * modules/pam_access/access.conf.5: New, generated from xml file.
+ * modules/pam_access/access.conf.5.xml: New.
+ * modules/pam_access/pam_access.8: New, generated from xml file.
+ * modules/pam_access/pam_access.8.xml: New.
+ * modules/pam_access/pam_access.c: Add rules for IPv6 and
+ netmasks.
+ Based on patch from Mike Becher <Mike.Becher@lrz-muenchen.de>.
+
+ * modules/pam_deny/Makefile.am: Include Make.xml.rules.
+ * modules/pam_deny/pam_deny.8.xml: New.
+ * modules/pam_deny/pam_deny.8: New, generated from xml file.
+ * modules/pam_deny/README.xml: New.
+ * modules/pam_deny/README: Regenerated from xml file.
+
+ * modules/pam_cracklib/Makefile.am: Include Make.xml.rules.
+ * modules/pam_cracklib/pam_cracklib.8.xml: New.
+ * modules/pam_cracklib/pam_cracklib.8: New, generated from xml file.
+ * modules/pam_cracklib/README.xml: New.
+ * modules/pam_cracklib/README: Regenerated from xml file.
+
+ * modules/pam_exec/Makefile.am: Add rule to generate README.
+ * modules/pam_exec/README: Regenerated from xml file.
+ * modules/pam_exec/pam_exec.8: Regenerated from xml file.
+ * modules/pam_exec/pam_exec.8.xml: Syntax files.
+
+2006-02-06 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/nl.po: New.
+ * po/pt.po: Update translations.
+ * configure.in: Add nl as new language.
+
+2006-01-30 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_exec/pam_exec.8.xml: Fix syntax of Return Value section.
+ * modules/pam_exec/Makefile.am: Include Make.xml.rules.
+
+ * Make.xml.rules: New.
+
+ * Makefile.am (EXTRA_DIST): Add Make.xml.rules.
+
+2006-01-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Prefer libdb over libndbm, fix check for
+ libcrack and remove not needed BACKUP_LIBS.
+
+2006-01-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_debug/pam_debug.c: Fix name of pam_module struct.
+
+ * po/de.po: Fix one translation.
+
+ * configure.in: Add modules/pam_exec.
+ * modules/Makefile.am: Add pam_exec subdirectory.
+ * modules/pam_exec/README: New.
+ * modules/pam_exec/Makefile.am: New.
+ * modules/pam_exec/pam_exec.8: New.
+ * modules/pam_exec/pam_exec.c: New.
+ * modules/pam_exec/pam_exec.8.xml: New.
+ * po/POTFILES.in: Add modules/pam_exec/pam_exec.c.
+ * po/*.po: Merge new pam_exec strings.
+
+ * libpam/pam_static_modules.h: New.
+ * Makefile.am: Reorder subdirectories for static modules.
+ * configure.in: Add --enable-static-modules option.
+ * libpam/Makefile.am: Define WITH_SELINUX and WITH_PWDB if
+ necessary, add pam_static_modules.h, link against all PAM
+ module object files if STATIC_MODULES is defined.
+ * libpam/pam_static.c: Remove old _static_module* includes,
+ include pam_static_modules.h.
+
+ * configure.in: Add checks for xsltproc, xmllint and docbook
+ xsl stylesheet.
+ * m4/jh_path_xml_catalog.m4: New.
+
+2006-01-22 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_succeed_if/pam_succeed_if.c: Add support for
+ static modules.
+ * modules/pam_xauth/pam_xauth.c: Likewise.
+
+ * libpam/pam_static.c (_pam_open_static_handler): Add pamh
+ as argument.
+ * libpam/pam_private.h: Adjust prototype.
+ * libpam/pam_handlers.c (_pam_add_handler): Add pamh to
+ _pam_open_static_handler call.
+
+ * configure.in: Don't define PAM_DYNAMIC.
+ * libpam/pam_handlers.c: Get ride of PAM_DYNAMIC, don't
+ include pam_dynamic.h
+ * libpam/pam_dynamic.c: Don't include pam_dynamic.h,
+ exclude functions if we compile with PAM_STATIC.
+ * libpam/pam_dynamic.h: Remove.
+ * libpam/pam_private.h: Add function prototypes from pam_dynamic.h.
+ * libpam/Makefile.am: Bump version number of libpam, remove
+ pam_dynamic.h.
+
+2006-01-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_listfile/pam_listfile.c: Add support for session
+ and password management.
+
+2006-01-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/specs/Makefile.am (spec): Add padout to fix parallel
+ build (Reported by Andreas Haumer <andreas@xss.co.at>).
+
+2006-01-15 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_echo/pam_echo.c: Define HOST_NAME_MAX if not
+ already defined.
+
+2006-01-13 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.3.0
+
+ * libpam_misc/misc_conv.c (misc_conv): Fix strict aliasing
+ error.
+
+ * modules/pam_umask/pam_umask.c (search_key): Don't ignore
+ EOF/error return value from fgets().
+
+ * configure.in: Check for getline and getdelim
+
+ * po/fi.po: Add new translations.
+ * po/de.po: Likewise.
+ * po/es.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/zh_CH.po: Likewise.
+ * po/zh_TW.po: Likewise.
+
+2006-01-13 Dmitry V. Levin <ldv@altlinux.org>
+
+ * libpam/pam_audit.c (_pam_auditlog): Replace strerror(errno)
+ call with %m specifier.
+
+2006-01-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Add check for -fpie/-pie
+ * modules/pam_filter/upperLOWER/Makefile.am: Compile/link
+ upperLOWER with -fpie/-pie if supported.
+ * modules/pam_unix/Makefile.am: Compile/link unix_chkpwd
+ with -fpie/-pie if supported.
+
+2006-01-12 Steve Grubb <sgrubb@redhat.com>
+
+ * configure.in: Add check for audit library.
+ * libpam/Makefile.am (libpam_la_LDFLAGS): Add LIBAUDIT.
+ (libpam_la_SOURCES): Add pam_audit.c.
+ * libpam/pam_account.c (pam_acct_mgmt): Add _pam_auditlog() call.
+ * libpam/pam_auth.c (pam_authenticate), (pam_setcred): Likewise.
+ * libpam/pam_password.c (pam_chauthtok): Likewise.
+ * libpam/pam_session.c (pam_open_session),
+ (pam_close_session): Likewise.
+ * libpam/pam_private.h: Add audit_state member to pam_handle,
+ declare _pam_auditlog and _pam_audit_end.
+ * libpam/pam_start.c (pam_start): Initialize audit_state.
+ * libpam/pam_audit.c: New file with _pam_auditlog and _pam_audit_end
+ implementation.
+ * libpam/pam_end.c (pam_end): Add _pam_audit_end() call.
+ * NEWS: Note about added auditing.
+
+2006-01-11 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/Makefile.am (AM_CFLAGS): Define LIBPAM_COMPILE.
+
+ * libpam/include/security/_pam_types.h: Don't define PAM_NONNULL
+ if we compile libpam itself.
+
+ * po/hu.po: Update with new translations.
+
+2006-01-08 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_cracklib/pam_cracklib.c: Use PAM_AUTHTOK_RECOVERY_ERR
+ instead of PAM_AUTHTOK_RECOVER_ERR.
+ * modules/pam_pwdb/support.-c: Likewise.
+ * modules/pam_unix/support.c: Likewise.
+ * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate): Likewise.
+ * libpam/pam_strerror.c (pam_strerror): Likewise.
+
+ * libpam/include/security/_pam_compat.h: Define
+ PAM_AUTHTOK_RECOVER_ERR for backward compatibility.
+
+ * libpam/include/security/_pam_types.h: Rename
+ PAM_AUTHTOK_RECOVER_ERR to PAM_AUTHTOK_RECOVERY_ERR.
+
+2006-01-05 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/include/security/_pam_types.h: Remove nonnull attribute
+ from third paramter (item) of pam_get_item.
+ * libpam/Makefile.am: Bump version number of shared library.
+
+2005-12-21 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_succeed_if/pam_succeed_if.c (evaluate_ingroup),
+ (evaluate_notingroup): Simplified.
+ (evaluate_innetgr), (evaluate_notinnetgr): New functions.
+ (evaluate): Added calls to evaluate_(not)innetgr().
+ * modules/pam_succeed_if/README: Documented netgroup matching.
+ * NEWS: Mentioned the added netgroup matching support.
+
+2005-12-20 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_read): Use
+ strftime instead of ctime.
+
+ * po/de.po: Fix typo.
+
+2005-12-19 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_syslog.c: Define LOG_AUTHPRIV as LOG_AUTH on Solaris.
+ Reported by Charles_H_Bedford@nbc.gov.
+
+ * modules/pam_time/pam_time.c (check_account): Implement
+ support for netgroups.
+
+ * modules/pam_time/time.conf: Document usage of netgroups.
+
+2005-12-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_group/pam_group.c (check_account): Implement
+ support for netgroups.
+
+ * modules/pam_group/group.conf: Add all documentation to this
+ example config file and don't reference to outdated configs.
+
+ * modules/pam_group/README: New.
+
+ * modules/pam_group/Makefile.am: Add README to EXTRADIST.
+
+2005-12-15 Thorsten Kukuk <kukuk@suse.de>
+
+ * modules/pam_lastlog/pam_lastlog.c (last_login_read): Don't report an
+ error if user logins the first time.
+
+ * modules/pam_lastlog/README: New.
+
+ * modules/pam_lastlog/Makefile.am: Add README to EXTRADIST.
+
+2005-12-14 Thorsten Kukuk <kukuk@suse.de>
+
+ * modules/pam_deny/pam_deny.c: Fix comment.
+
+ * doc/pam_appl.sgml: Fix typo.
+
+ Reported by Russell Bateman <russ@windofkeltia.com>
+
+2005-12-12 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.2.1
+
+ * po/de.po: Remove new fuzzy entry
+
+ * NEWS: Add 0.99.2.1 changes
+
+ * configure.in: bump version number to 0.99.2.1
+
+2005-12-12 Dmitry V. Levin <ldv@altlinux.org>
+
+ Cleanup pam_syslog messages.
+
+ * modules/pam_env/pam_env.c (_expand_arg): Fix compiler warning.
+ * modules/pam_filter/pam_filter.c (set_filter): Append %m
+ specifier to pam_syslog messages where appropriate.
+ * modules/pam_group/pam_group.c (read_field): Likewise.
+ * modules/pam_mkhomedir/pam_mkhomedir.c (make_remark): Remove.
+ (create_homedir): Do not use make_remark() wrapper, call
+ pam_info() directly. Call pam_syslog() right after failed
+ operation and append %m specifier to pam_syslog messages where
+ appropriate.
+ * modules/pam_rhosts/pam_rhosts_auth.c (pam_iruserok): Replace
+ sequence of malloc(), strcpy() and strcat() calls with asprintf().
+ Append %m specifier to pam_syslog messages where appropriate.
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check):
+ Append %m specifier to pam_syslog messages where appropriate.
+ * modules/pam_shells/pam_shells.c (perform_check): Likewise.
+
+2005-12-12 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_mail/pam_mail.c (report_mail): Fixed typo in string.
+ * po/Linux-PAM.pot: Likewise.
+ * po/de.po: Likewise.
+ * po/es.po: Likewise.
+ * po/fi.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/hu.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nb.po: Likewise.
+ * po/pa.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/pt.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/zh_CN.po: Likewise.
+ * po/zh_TW.po: Likewise.
+ * po/de.po: Add new translation, fixed typo in string.
+
+2005-12-12 Mike Becher <Mike.Becher@lrz-muenchen.de>
+
+ * doc/Makefile.am: Fixed install of PS, PDF, TXT and HTML files.
+
+2005-12-12 Thorsten Kukuk <kukuk@suse.de>
+
+ * modules/pam_mail/README: Document "quiet" and "standard"
+ options.
+
+2005-12-07 Thorsten Kukuk <kukuk@suse.de>
+
+ * modules/pam_mail/pam_mail.c: Modify assembling of output
+ for easier translation.
+
+ * po/de.po: Translate new pam_mail messages.
+
+
+2005-11-24 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * po/de.po: Add new translation, fix wrong format specifier.
+ * po/cs.po: Fix wrong format specifier.
+ * po/es.po: Likewise.
+ * po/fi.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/hu.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nb.po: Likewise.
+ * po/pa.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/pt.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/zh_CN.po: Likewise.
+ * po/zh_TW.po: Likewise.
+
+2005-11-24 Dmitry V. Levin <ldv@altlinux.org>
+
+ * config.h.in: Remove generated file.
+ * .cvsignore: Add config.h.in.
+
+ * configure.in: Do not check for strerror.
+ * libpam_misc/misc_conv.c (read_string): Replace strerror()
+ call with %m specifier.
+ * libpamc/pamc_converse.c (pamc_converse): Likewise.
+ * modules/pam_echo/pam_echo.c (pam_echo): Likewise.
+ * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate):
+ Likewise.
+ * modules/pam_selinux/pam_selinux.c (security_label_tty):
+ Likewise.
+ (security_restorelabel_tty, security_label_tty): Append %m
+ specifier where appropriate.
+ * modules/pam_selinux/pam_selinux_check.c (main): Replace
+ strerror() call with %m specifier.
+ * modules/pam_unix/pam_unix_passwd.c (save_old_password,
+ _update_passwd, _update_shadow): Likewise.
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+ * modules/pam_unix/unix_chkpwd.c (_update_shadow): Likewise.
+ * po/Linux-PAM.pot: Update strings from pam_selinux.
+ * po/cs.po: Likewise.
+ * po/de.po: Likewise.
+ * po/es.po: Likewise.
+ * po/fi.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/hu.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nb.po: Likewise.
+ * po/pa.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/pt.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/zh_CN.po: Likewise.
+ * po/zh_TW.po: Likewise.
+
+2005-11-23 Thorsten Kukuk <kukuk@suse.de>
+
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Introduce
+ new variable to fix compiler warning.
+
+ * libpam/pam_modutil_getlogin.c (pam_modutil_getlogin): PAM_TTY
+ don't need to start with /dev/.
+
+2005-11-21 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 0.99.2.0
+
+ * libpam_misc/Makefile.am: Increase release number (for change
+ from 2005-11-09)
+
+ * NEWS: Adjust for 0.99.2.0
+
+2005-11-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/include/security/_pam_compat.h: Fix wrong #ifdef nesting.
+ Redefine PAM_CHANGE_EXPIRED_AUTHTOK [#604380]
+
+2005-11-16 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * libpam/pam_handlers.c: Replace code for all dlopen variants with
+ a generic wrapper.
+ * libpam/pam_dynamic.c: Implement generic wrapper for dlopen.
+ * libpam/pam_dynamic.h: Provide prototypes.
+ For Mac OS X support [#534205]
+
+2005-11-09 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c (pam_sm_acct_mgmt): Parse correctly
+ full path tty name.
+ * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Parse correctly
+ full path tty name. Allow unset tty.
+ (logic_member): Allow matching ':' in tty name.
+ * modules/pam_group/pam_group.c (pam_sm_acct_mgmt): Parse correctly
+ full path tty name. Allow unset tty.
+ (logic_member): Allow matching ':' in tty name.
+
+ * libpam_misc/misc_conv.c (read_string): Read only up to EOL if stdin
+ is not terminal.
+
+2005-11-07 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Use
+ correct variable names.
+
+2005-11-06 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_env/pam_env.c: don't treat a missing
+ /etc/environment as a fatal error when attempting to read it,
+ and try to read this file by default; this restores the behavior
+ from Linux-PAM 0.76.
+
+2005-11-02 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/support.c (_unix_getpwnam): Fix typo [#1224807]
+ by ohyajapn.
+
+ * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Change the
+ logic when comparing dates to handle corner cases better [#1245888].
+
+2005-10-31 Thorsten Kukuk <kukuk@suse.de>
+
+ * modules/pam_filter/pam_filter.c: Use XCASE only if defined
+ [#624214]
+
+2005-10-27 Thorsten Kukuk <kukuk@suse.de>
+
+ * doc/man/pam.8: Fix wording for authentication chapter [#1197444]
+
+2005-10-26 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary),
+ modules/pam_unix/pam_unix_passwd.c (_unix_run_shadow_binary),
+ modules/pam_unix/support.c (_unix_run_shadow_binary_): Set real
+ uid to 0 before executing the helper if SELinux is enabled.
+ * modules/pam_unix/unix_chkpwd.c (main): Disable user check only
+ if real uid is 0 (CVE-2005-2977). Log failed password check attempt.
+
+
+2005-10-20 Tomas Mraz <t8m@centrum.cz>
+
+ * configure.in: Added check for xauth binary and --with-xauth option.
+ * config.h.in: Added configurable PAM_PATH_XAUTH.
+ * modules/pam_xauth/README,
+ modules/pam_xauth/pam_xauth.8: Document where xauth is looked for.
+ * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Implement
+ searching xauth binary on multiple places.
+ (run_coprocess): Don't use execvp as it can be a security risk.
+
+2005-10-04 Steve Langasek <vorlon@debian.org>
+
+ * libpam/include/security/pam_malloc.h,
+ libpam/include/security/pam_modules.h: Declare public header
+ files extern "C" so that they are C++-safe.
+
+2005-10-02 Dmitry V. Levin <ldv@altlinux.org>
+ Steve Langasek <vorlon@debian.org>
+
+ Cleanup gratuitous use of strdup().
+ Fix "missing argument" checks.
+
+ * modules/pam_env/pam_env.c (_pam_parse): Add const qualifier
+ to conffile and envfile arguments. Do not use x_strdup() for
+ conffile and envfile initialization. Fix "missing argument"
+ checks.
+ (_parse_config_file): Take conffile argument of type "const char *"
+ instead of "char **". Do not free conffile.
+ (_parse_env_file): Take env_file argument of type "const char *"
+ instead of "char **". Do not free env_file.
+ (pam_sm_setcred): Add const qualifier to conf_file and env_file.
+ Pass conf_file and env_file to _parse_config_file() and
+ _parse_env_file() by value.
+ (pam_sm_open_session): Likewise.
+
+ * modules/pam_ftp/pam_ftp.c (_pam_parse): Add const qualifier to
+ users argument. Do not use x_strdup() for users initialization.
+ (lookup): Add const qualifier to list argument.
+ (pam_sm_authenticate): Add const qualifier to users argument.
+
+ * modules/pam_mail/pam_mail.c (_pam_parse): Add const qualifier
+ to maildir argument. Do not use x_strdup() for maildir
+ initialization. Fix "missing argument" check.
+ (get_folder): Take path_mail argument of type "const char *"
+ instead of "char **". Do not free path_mail.
+ (_do_mail): Add const qualifier to path_mail argument.
+ Pass path_mail to get_folder() by value.
+
+ * modules/pam_motd/pam_motd.c: Include <syslog.h>.
+ (pam_sm_open_session): Add const qualifier to motd_path.
+ Do not use x_strdup() for motd_path initialization. Do not
+ free motd_path. Fix "missing argument" check. Add "unknown
+ option" warning.
+
+ * modules/pam_userdb/pam_userdb.c (_pam_parse): Add const
+ qualifier to database and cryptmode arguments. Fix "missing
+ argument" checks.
+ (pam_sm_authenticate): Add const qualifier to database and cryptmode.
+ (pam_sm_acct_mgmt): Likewise.
+
+2005-10-01 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_userdb/pam_userdb.c: spelling fix in log message.
+
+2005-09-30 Steve Langasek <vorlon@debian.org>
+
+ * modules/pam_userdb/pam_userdb.c: Fix memory leak due to
+ gratuitous use of strdup().
+
+2005-09-27 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release 0.99.1.0
+
+ * doc/specs/Makefile.am (install-data-local): Install
+ rfc and draft.
+ (all): Copy rfc if we build outside of source directory.
+
+2005-09-27 Thorsten Kukuk <kukuk@suse.de>
+
+ * NEWS: Document removal of pam_radius.
+ * autogen.sh: Make configure script executeable.
+
+ * conv/pam_conv1/Makefile (EXTRA_DIST): Removed lex.yy.c
+ (lex.yy.c): Fixed out of tree build.
+
+ * conv/pam_conv1/pam_conv.y: Fix main prototype.
+
+ * README: Adjust.
+
+ * po/POTFILES.in: Remove files not distributed by tar archive
+ and not containing strings for translation.
+
+2005-09-26 Tomas Mraz <t8m@centrum.cz>
+
+ * NEWS: Add a few missing entries from CHANGELOG.
+
+ * AUTHORS: Fixed entries for Toady and me.
+
+ * Makefile.am (M4_FILES): Fixed out of tree build.
+ * doc/specs/Makefile.am (EXTRA_DIST): Removed lex.yy.c
+ (spec, lex.yy.c): Fixed out of tree build.
+
+ * modules/pam_userdb/README: Document try_first_pass and
+ use_first_pass options, remove use_authtok option.
+
+
+2005-09-26 Dmitry V. Levin <ldv@altlinux.org>
+
+ * NEWS: Mention changes in pam_lastlog.
+
+2005-09-26 Thorsten Kukuk <kukuk@suse.de>
+
+ * NEWS: New file.
+ * autogen.sh: Don't generate NEWS file.
+ * CHANGELOG: Document it as obsolete.
+
+2005-09-26 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary):
+ _log_err() -> pam_syslog()
+ (pam_sm_acct_mgmt): _log_err() -> pam_syslog(), fix warning.
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate):
+ _log_err() -> pam_syslog()
+ * modules/pam_unix/pam_unix_passwd.c: removed obsolete ifdef
+ (getNISserver, _unix_run_shadow_binary, _update_passwd,
+ _update_shadow, _do_setpass, _pam_unix_approve_pass,
+ pam_sm_chauthtok): _log_err() -> pam_syslog()
+ * modules/pam_unix/pam_unix_sess.c: removed obsolete ifdef
+ (pam_sm_open_session, pam_sm_close_session):
+ _log_err() -> pam_syslog()
+ * modules/pam_unix/support.c (_log_err, converse): removed
+ (_make_remark): use pam_prompt() instead of converse()
+ (_set_ctrl, _cleanup_failures, _unix_run_helper_binary,
+ _unix_verify_password, _unix_read_password):
+ _log_err() -> pam_syslog()
+ _cleanup(), _unix_cleanup(): Silence unused param warnings.
+ (_cleanup_failures, _unix_verify_password, _unix_getpwnam,
+ _unix_run_helper_binary): Silence incorrect type warnings.
+ (_unix_read_password): Use multiple pam_prompt() and pam_info() calls
+ instead of converse().
+ * modules/pam_unix/support.h (_log_err): removed
+ * modules/pam_unix/unix_chkpwd.c (_log_err): LOG_AUTH -> LOG_AUTHPRIV
+
+2005-09-26 Thorsten Kukuk <kukuk@suse.de>
+
+ * configure.in: Add doc/specs/Makefile.
+ * Makefile.am: Add releasedocs rule.
+ * doc/Makefile.am: Add specs subdir, remove files from specs
+ directory, add rfc86.0.txt to releasedocs.
+ * doc/specs/Makefile.am: New file.
+ * doc/specs/formatter/parse.y: move from here ...
+ * doc/specs/parse.y: ... here.
+ * doc/specs/formatter/parse.lex: move from here ...
+ * doc/specs/parse.lex: ... here.
+
+ * modules/pam_mail/pam_mail.c: Mark missing strings for translation
+ * po/Linux-PAM.pot: Add new strings from pam_mail
+ * po/cs.po: Likewise.
+ * po/de.po: Likewise.
+ * po/es.po: Likewise.
+ * po/fi.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/hu.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nb.po: Likewise.
+ * po/pa.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/pt.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/zh_CN.po: Likewise.
+ * po/zh_TW.po: Likewise.
+
+2005-09-23 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_access/pam_access.c (from_match): Support NULL from.
+ (string_match): Support NULL string, add NONE keyword matching it.
+ (pam_sm_acct_mgmt): Don't fail when ttyname returns NULL.
+ * modules/pam_access/access.conf: NONE keyword description
+ * modules/pam_access/README: NONE keyword description
+
+2005-09-22 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_xauth/pam_xauth.c: (check_acl, pam_sm_open_session,
+ pam_sm_close_session): Strip redundant "pam_xauth: " prefix from
+ text of log messages.
+ (pam_sm_open_session): Replace sequence of malloc(), strcpy()
+ and strcat() calls with asprintf(). Replace syslog() calls
+ with pam_syslog().
+
+ * modules/pam_nologin/pam_nologin.c (parse_args): Use strncmp()
+ instead of memcmp() for string comparison.
+
+2005-09-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ * modules/pam_nologin/pam_nologin.c: Include <syslog.h>.
+ (parse_args): Add pam_handle_t* argument. Log unrecognized
+ options.
+ (perform_check): Log pam_get_user() and malloc() failures.
+ (pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt):
+ Pass pam_handle_t* to parse_args().
+
+ * modules/pam_mail/pam_mail.c: Include <errno.h>.
+ Remove YOUR_MAIL_VERBOSE_FORMAT, YOUR_MAIL_STANDARD_FORMAT and
+ NO_MAIL_STANDARD_FORMAT macros.
+ (parse_args, get_folder): Cleanup error messages.
+ (get_folder): Fix leak of the path_mail variable in case of
+ pam_get_user() failure. Cleanup memory management.
+ (get_mail_status): Add pam_handle_t* argument. Fix leaks of
+ namelist variable. Cleanup memory management. Log memory
+ allocation failures. Remove 250-byte limit on Maildir pathname.
+ (report_mail): Mark text messages for translation.
+ (_do_mail): Cleanup memory management. Pass pam_handle_t*
+ to get_mail_status().
+
+ * po/Linux-PAM.pot: Update with new strings from pam_mail for
+ translation.
+ * po/cs.po: Likewise.
+ * po/de.po: Likewise.
+ * po/es.po: Likewise.
+ * po/fi.po: Likewise.
+ * po/fr.po: Likewise.
+ * po/hu.po: Likewise.
+ * po/it.po: Likewise.
+ * po/ja.po: Likewise.
+ * po/nb.po: Likewise.
+ * po/pa.po: Likewise.
+ * po/pl.po: Likewise.
+ * po/pt.po: Likewise.
+ * po/pt_BR.po: Likewise.
+ * po/zh_CN.po: Likewise.
+ * po/zh_TW.po: Likewise.
+
+2005-09-20 Thorsten Kukuk <kukuk@suse.de>
+
+ * configure.in: Add finish translation.
+ * po/fi.po: New.
+
+ * acinclude.m4: remove libprelude macros.
+ * m4/libprelude.m4: New.
+
+ * Makefile.am (EXTRA_DIST): make sure we include all m4 macros.
+
+ * libpamc/Makefile.am (EXTRA_DIST): Add License.
+
+See CHANGELOG for earlier changes.
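Review bot: several entries in this hunk misspell the identifiers they record, which makes them hard to find with grep when tracing a change back through the log. The 2006-02-12 entry has `(EXRA_DIST)` for `EXTRA_DIST`, the 2006-01-13 entry lists `po/zh_CH.po` where the other entries list `po/zh_CN.po`, the 2006-01-08 entry names `modules/pam_pwdb/support.-c`, and the 2006-02-17 entry drops the colon after `pam_env.conf.5.xml`. There are also plain spelling slips: "Get ride of PAM_DYNAMIC" (2006-01-22), "paramter" (2006-01-05), "executeable" (2005-09-27) and "Add finish translation" next to the new `po/fi.po` (2005-09-20). If this file is meant to be a verbatim copy of the old log, say so in the commit message; otherwise fix these before it lands.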