From f4b22a2f215f6f80558d9e4075c9de306c8b9953 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:22:53 +0200 Subject: Adding debian version 1.5.2-6+deb12u1. 
Signed-off-by: Daniel Baumann --- debian/patches-applied/007_modules_pam_unix | 524 ++++++ .../patches-applied/008_modules_pam_limits_chroot | 132 ++ debian/patches-applied/021_nis_cleanup | 24 + .../022_pam_unix_group_time_miscfixes | 22 + .../026_pam_unix_passwd_unknown_user | 33 + .../027_pam_limits_better_init_allow_explicit_root | 253 +++ debian/patches-applied/031_pam_include | 72 + .../patches-applied/032_pam_limits_EPERM_NOT_FATAL | 22 + .../036_pam_wheel_getlogin_considered_harmful | 157 ++ debian/patches-applied/040_pam_limits_log_failure | 36 + .../045_pam_dispatch_jump_is_ignore | 34 + debian/patches-applied/PAM-manpage-section | 1723 ++++++++++++++++++++ .../patches-applied/do_not_check_nis_accidentally | 22 + debian/patches-applied/fix-autoreconf.patch | 27 + debian/patches-applied/hurd_no_setfsuid | 77 + .../patches-applied/lib_security_multiarch_compat | 72 + .../make_documentation_reproducible.patch | 19 + debian/patches-applied/no_PATH_MAX_on_hurd | 22 + debian/patches-applied/nullok_secure-compat.patch | 27 + .../pam-limits-nofile-fd-setsize-cap | 60 + .../pam_mkhomedir_stat_before_opendir | 25 + .../pam_unix_dont_trust_chkpwd_caller.patch | 25 + debian/patches-applied/series | 24 + debian/patches-applied/update-motd | 113 ++ 24 files changed, 3545 insertions(+) create mode 100644 debian/patches-applied/007_modules_pam_unix create mode 100644 debian/patches-applied/008_modules_pam_limits_chroot create mode 100644 debian/patches-applied/021_nis_cleanup create mode 100644 debian/patches-applied/022_pam_unix_group_time_miscfixes create mode 100644 debian/patches-applied/026_pam_unix_passwd_unknown_user create mode 100644 debian/patches-applied/027_pam_limits_better_init_allow_explicit_root create mode 100644 debian/patches-applied/031_pam_include create mode 100644 debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL create mode 100644 debian/patches-applied/036_pam_wheel_getlogin_considered_harmful create mode 100644 
debian/patches-applied/040_pam_limits_log_failure create mode 100644 debian/patches-applied/045_pam_dispatch_jump_is_ignore create mode 100644 debian/patches-applied/PAM-manpage-section create mode 100644 debian/patches-applied/do_not_check_nis_accidentally create mode 100644 debian/patches-applied/fix-autoreconf.patch create mode 100644 debian/patches-applied/hurd_no_setfsuid create mode 100644 debian/patches-applied/lib_security_multiarch_compat create mode 100644 debian/patches-applied/make_documentation_reproducible.patch create mode 100644 debian/patches-applied/no_PATH_MAX_on_hurd create mode 100644 debian/patches-applied/nullok_secure-compat.patch create mode 100644 debian/patches-applied/pam-limits-nofile-fd-setsize-cap create mode 100644 debian/patches-applied/pam_mkhomedir_stat_before_opendir create mode 100644 debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch create mode 100644 debian/patches-applied/series create mode 100644 debian/patches-applied/update-motd (limited to 'debian/patches-applied') diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix new file mode 100644 index 0000000..218379c --- /dev/null +++ b/debian/patches-applied/007_modules_pam_unix 
@@ -0,0 +1,524 @@ +Index: pam/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam/modules/pam_unix/pam_unix_passwd.c +@@ -95,6 +95,9 @@ + # endif /* GNU libc 2.1 */ + #endif + ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ + /* + How it works: + Gets in username (has to be done) from the calling program +@@ -593,6 +596,11 @@ + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -608,7 +616,7 @@ + int retval; + int remember = -1; + int rounds = 0; +- int pass_min_len = 0; ++ int pass_min_len = 6; + + /* */ + const char *user; +Index: pam/modules/pam_unix/support.h +=================================================================== +--- pam.orig/modules/pam_unix/support.h ++++ pam/modules/pam_unix/support.h +@@ -101,50 +101,52 @@ + #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */ + #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ + #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */ ++#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + { +-/* symbol token name ctrl mask 
ctrl * +- * --------------------------- -------------------- ------------------------- ---------------- */ ++/* symbol token name ctrl mask ctrl * ++ * --------------------------- -------------------- ------------------------- ------------ */ + +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0}, +-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1}, +-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, +-/* UNIX_QUIET */ {"quiet", 
_ALL_ON_, 01000000000, 0}, +-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, +-/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1}, +-/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1}, +-/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1}, +-/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0}, ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0}, ++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, ++/* 
UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, ++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0}, ++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0}, ++/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1}, ++/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1}, ++/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1}, ++/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +Index: pam/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8.xml ++++ pam/modules/pam_unix/pam_unix.8.xml +@@ -400,8 +400,81 @@ + + + Set a minimum password length of n +- characters. The max. for DES crypt based passwords are 8 +- characters. ++ characters. The default value is 6. The maximum for DES ++ crypt-based passwords is 8 characters. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Enable some extra checks on password strength. These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't too much like ++ the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ ++ ++ ++ + + + +Index: pam/modules/pam_unix/obscure.c +=================================================================== +--- /dev/null ++++ pam/modules/pam_unix/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. 
++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. */ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. Two types, 7, and so on. 
++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. 
It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (!UNIX_DES_CRYPT(ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +Index: pam/modules/pam_unix/Makefile.am +=================================================================== +--- pam.orig/modules/pam_unix/Makefile.am ++++ pam/modules/pam_unix/Makefile.am +@@ -39,7 +39,7 @@ + + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c ++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) +Index: pam/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8 ++++ pam/modules/pam_unix/pam_unix.8 +@@ -216,7 +216,38 @@ + .RS 4 + Set a minimum password length of + \fIn\fR +-characters\&. The max\&. for DES crypt based passwords are 8 characters\&. ++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. ++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. 
++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. ++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt too much like the previous one\&. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") ++.RE ++.sp + .RE + .PP + \fBno_pass_expiry\fR +Index: pam/modules/pam_unix/README +=================================================================== +--- pam.orig/modules/pam_unix/README ++++ pam/modules/pam_unix/README +@@ -171,8 +171,40 @@ + + minlen=n + +- Set a minimum password length of n characters. The max. for DES crypt based +- passwords are 8 characters. ++ Set a minimum password length of n characters. The default value is 6. The ++ maximum for DES crypt-based passwords is 8 characters. ++ ++obscure ++ ++ Enable some extra checks on password strength. These checks are based on ++ the "obscure" checks in the original shadow package. The behavior is ++ similar to the pam_cracklib module, but for non-dictionary-based checks. ++ The following checks are implemented: ++ ++ Palindrome ++ ++ Verifies that the new password is not a palindrome of (i.e., the ++ reverse of) the previous one. ++ ++ Case Change Only ++ ++ Verifies that the new password isn't the same as the old one with a ++ change of case. ++ ++ Similar ++ ++ Verifies that the new password isn't too much like the previous one. ++ ++ Simple ++ ++ Is the new password too simple? This is based on the length of the ++ password and the number of different types of characters (alpha, ++ numeric, etc.) used. ++ ++ Rotated ++ ++ Is the new password a rotated version of the old password? (E.g., ++ "billy" and "illyb") + + no_pass_expiry + 
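Review bot: In `password_check` in the new obscure.c the results of both `strdup()` calls and of `malloc()` are used without a NULL check, so an allocation failure dereferences NULL inside `str_lower` or `strcpy`; since `obscure_msg` already treats NULL as "no complaint", a guard such as `if (!newmono || !oldmono || !wrapped) goto out;` placed before the checks, with the three `_pam_delete` calls kept on that path, would fail closed instead of crashing the password-change stack. `str_lower` and `simple` pass plain `char` to `tolower`/`isdigit`, which is undefined for bytes above 0x7f that a UTF-8 password may contain; cast to `(unsigned char)` first. `palindrome` ignores its `old` argument and tests whether the new password reads the same backwards, while the README, man page and XML added in the same patch describe the check as "the reverse of the previous one", so either the documentation or the check should be aligned. `obscure_msg` also calls `strlen(new)` without the NULL check it applies to `old`.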
diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot new file mode 100644 index 0000000..7a86fdd --- /dev/null +++ b/debian/patches-applied/008_modules_pam_limits_chroot 
@@ -0,0 +1,132 @@ +Index: pam/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.c ++++ pam/modules/pam_limits/pam_limits.c +@@ -90,6 +90,7 @@ + specific user or to count all logins */ + int priority; /* the priority to run user process with */ + int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + const char *conf_file; + int utmp_after_pam_call; +@@ -101,6 +102,7 @@ + + #define LIMIT_PRI RLIM_NLIMITS+3 + #define LIMIT_NONEWPRIVS RLIM_NLIMITS+4 ++#define LIMIT_CHROOT RLIM_NLIMITS+5 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -484,6 +486,8 @@ + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -591,6 +595,8 @@ + limit_item = LIMIT_PRI; + } else if (strcmp(lim_item, "nonewprivs") == 0) { + limit_item = LIMIT_NONEWPRIVS; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -640,9 +646,9 @@ + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -717,7 +723,11 @@ + break; + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) { ++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1); ++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; ++ } ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) + && (limit_item != LIMIT_NONEWPRIVS) ) { +@@ -1071,6 +1081,15 @@ + } + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); ++ if (i == 0) ++ i = 
chroot(pl->chroot_dir); ++ if (i == 0) ++ i = chdir("/"); ++ if (i != 0) ++ retval = LIMIT_ERR; ++ } + return retval; + } + +Index: pam/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5.xml ++++ pam/modules/pam_limits/limits.conf.5.xml +@@ -273,6 +273,12 @@ + (Linux 2.6.12 and higher) + + ++ ++ ++ ++ the directory to chroot the user to ++ ++ + + + +Index: pam/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5 ++++ pam/modules/pam_limits/limits.conf.5 +@@ -279,6 +279,11 @@ + .RS 4 + maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) + .RE ++.PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to ++.RE + .RE + .PP + All items support the values +Index: pam/modules/pam_limits/limits.conf +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf ++++ pam/modules/pam_limits/limits.conf +@@ -46,6 +46,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to values: [-20, 19] + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + # + # +@@ -56,6 +57,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file diff --git a/debian/patches-applied/021_nis_cleanup b/debian/patches-applied/021_nis_cleanup new file mode 100644 index 0000000..f05c710 --- /dev/null +++ b/debian/patches-applied/021_nis_cleanup 
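Review bot: The `chroot` value copied into `pl->chroot_dir` is applied verbatim in the new block before `return retval`, so a relative path in limits.conf is resolved against whatever working directory the calling service happens to have; rejecting it when the item is parsed, e.g. `if (value_orig[0] != '/') { pam_syslog(pamh, LOG_DEBUG, "chroot path '%s' is not absolute", value_orig); return; }` next to the new `LIMIT_CHROOT` branch, keeps the effect independent of the caller. The array size `8092` is a magic number that is neither `PATH_MAX` nor a power of two; a named constant would document the intent. The function containing the chdir/chroot sequence starts outside the hunk.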
@@ -0,0 +1,24 @@ +Patch from Philippe Troin + +Originally this included a bunch of changes to locking, but the more +recent code pulled from Linux_pam CVS seems to fix that issue. + +Index: pam/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam/modules/pam_unix/pam_unix_passwd.c +@@ -708,9 +708,12 @@ + "password - (old) token not obtained"); + return retval; + } +- /* verify that this is the password for this user */ ++ /* verify that this is the password for this user ++ * if we're not using NIS */ + +- retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ if (off(UNIX_NIS, ctrl)) { ++ retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ } + } else { + D(("process run by root so do nothing this time around")); + pass_old = NULL; diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes new file mode 100644 index 0000000..8239fd9 --- /dev/null +++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes 
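Review bot: With `nis` set, the `_unix_verify_password` call is now skipped entirely, so `retval` keeps the value left by the preceding `pam_get_authtok` and the old password is accepted locally without any check; the new comment should say where that verification happens instead of being dropped, presumably on the NIS password server, e.g. `/* verify that this is the password for this user; with NIS the remote password server is expected to check the old token */`. A `D(())` trace on the skipped branch would also make it visible in debug output that no local verification took place. The enclosing function starts and ends outside the hunk.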
@@ -0,0 +1,22 @@ +Description: handle the case of flags being empty or only PAM_SILENT, which is + documented in other PAM implementations as meaning PAM_ESTABLISH_CRED: + http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm + +Index: pam/modules/pam_group/pam_group.c +=================================================================== +--- pam.orig/modules/pam_group/pam_group.c ++++ pam/modules/pam_group/pam_group.c +@@ -754,9 +754,12 @@ + unsigned setting; + + /* only interested in establishing credentials */ ++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. ++ Some people just pass PAM_SILENT, so cope with it, too. */ + + setting = flags; +- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { ++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) ++ && (setting != 0) && (setting != PAM_SILENT)) { + D(("ignoring call - not for establishing credentials")); + return PAM_SUCCESS; /* don't fail because of this */ + } diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user new file mode 100644 index 0000000..d277fee --- /dev/null +++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user 
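Review bot: The new condition spells out the two accepted values separately, `(setting != 0) && (setting != PAM_SILENT)`, which reads as two unrelated special cases; writing the same test as `(setting & ~PAM_SILENT) != 0` states the intent directly, that only the PAM_SILENT bit may be present when no credential flag is given, and the comment above it already documents why. The enclosing function starts and ends outside the hunk.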
@@ -0,0 +1,33 @@ +Description: distinguish between password manipulation failure and missing user. +Author: Martin Schwenke + +Index: pam/modules/pam_unix/passverify.c +=================================================================== +--- pam.orig/modules/pam_unix/passverify.c ++++ pam/modules/pam_unix/passverify.c +@@ -801,7 +801,7 @@ + struct passwd *tmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; +- int err = 1; ++ int err = 1, found = 0; + int oldmask; + #ifdef WITH_SELINUX + char *prev_context_raw = NULL; +@@ -872,6 +872,7 @@ + + tmpent->pw_passwd = assigned_passwd.charp; + err = 0; ++ found = 1; + } + if (putpwent(tmpent, pwfile)) { + D(("error writing entry to password file: %m")); +@@ -914,7 +915,7 @@ + return PAM_SUCCESS; + } else { + unlink(PW_TMPFILE); +- return PAM_AUTHTOK_ERR; ++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; + } + } + diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root new file mode 100644 index 0000000..c4603f5 --- /dev/null +++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root 
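Review bot: `found` is set only in the branch that also clears `err`, after the user's entry has been matched and rewritten, so if the copy loop stops on an earlier `putpwent` failure before reaching that entry (the failure branch is outside the hunk), the function now reports `PAM_USER_UNKNOWN` for what is actually a write error. Setting `found = 1` where the username comparison succeeds, independently of the write result, would keep the two outcomes distinct. A short comment on the new return, e.g. `/* distinguish "no such user" from a failed rewrite of the file */`, would also document the contract for callers that branch on the two codes.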
@@ -0,0 +1,253 @@ +Description: Allow explicit limits for root and reset limits on each session + When crossing session boundaries (such as when su'ing from one user to + another), if the target account has no limit specified in limits.conf we + want to use the default, not the current value configured for the + source account. + . + If /proc/1/limits is unavailable, fall back to a set of hard-coded values + that shadow the currently known defaults on Linux. + . + Also, don't apply wildcard limits to the root account; only apply limits to + root that reference root by name. +Author: Peter Paluch , + Ben Collins , + Steve Langasek , +Bug-Debian: http://bugs.debian.org/63230 +Index: pam/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.c ++++ pam/modules/pam_limits/pam_limits.c +@@ -47,6 +47,14 @@ + #include + #endif + ++#ifndef MLOCK_LIMIT ++#ifdef __FreeBSD_kernel__ ++#define MLOCK_LIMIT RLIM_INFINITY ++#else ++#define MLOCK_LIMIT (64*1024) ++#endif ++#endif ++ + /* Module defines */ + #define LINE_LENGTH 1024 + +@@ -84,6 +92,7 @@ + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? 
*/ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -447,9 +456,18 @@ + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + ++ pl->root = 0; ++ ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -465,18 +483,68 @@ + } + + #ifdef __linux__ +- if (ctrl & PAM_SET_ALL) { +- parse_kernel_limits(pamh, pl, ctrl); ++ parse_kernel_limits(pamh, pl, ctrl); ++#endif + +- for(i = 0; i < RLIM_NLIMITS; i++) { ++ for(i = 0; i < RLIM_NLIMITS; i++) { + if (pl->limits[i].supported && + (pl->limits[i].src_soft == LIMITS_DEF_NONE || + pl->limits[i].src_hard == LIMITS_DEF_NONE)) { +- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#endif ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 
819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } +- } + } +-#endif + + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); +@@ -881,7 +949,7 @@ + + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -907,7 +975,7 @@ + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); + } +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -941,7 +1009,7 @@ + } else { + switch(rngtype) { + case LIMIT_RANGE_NONE: +- if (strcmp(domain, "*") == 0) ++ if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + break; +@@ -1134,6 +1202,8 @@ + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable ' -' entry", CONF_FILE)); +Index: pam/modules/pam_limits/limits.conf +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf ++++ pam/modules/pam_limits/limits.conf +@@ -22,6 +22,9 @@ + # - the wildcard *, for default entry + # - the wildcard %, can be also 
used with %group syntax, + # for maxlogin limit ++# - NOTE: group and wildcard limits are not applied to root. ++# To apply a limit to the root user, must be ++# the literal username root. + # + # can have the two values: + # - "soft" for enforcing the soft limits +@@ -52,6 +55,7 @@ + # + + #* soft core 0 ++#root hard core 100000 + #* hard rss 10000 + #@student hard nproc 20 + #@faculty soft nproc 20 +Index: pam/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5.xml ++++ pam/modules/pam_limits/limits.conf.5.xml +@@ -96,6 +96,11 @@ + + + ++ ++ NOTE: group and wildcard limits are not ++ applied to the root user. To set a limit for the root user, this field ++ must contain the literal username root. ++ + + + +@@ -333,6 +338,7 @@ + + + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5 ++++ pam/modules/pam_limits/limits.conf.5 +@@ -145,6 +145,10 @@ + \fB%:\fR\fI\fR + applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. + .RE ++.sp ++\fBNOTE:\fR ++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username ++\fBroot\fR\&. + .RE + .PP + \fB\fR +@@ -327,6 +331,7 @@ + .\} + .nf + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam/modules/pam_limits/README +=================================================================== +--- pam.orig/modules/pam_limits/README ++++ pam/modules/pam_limits/README +@@ -56,6 +56,7 @@ + limits.conf. 
+ + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include new file mode 100644 index 0000000..16cf6d3 --- /dev/null +++ b/debian/patches-applied/031_pam_include 
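Review bot: `mlock_limit` is declared `static int` but is assigned from `sysconf(_SC_PAGESIZE)`, which returns `long`, and is compared with `MLOCK_LIMIT`, which on `__FreeBSD_kernel__` is `RLIM_INFINITY` and does not fit in an `int`; the value is then stored into `rlim_cur`/`rlim_max`. Declaring it as `static rlim_t mlock_limit = 0;` and computing it as `long ps = sysconf(_SC_PAGESIZE); mlock_limit = (ps > 0 && (rlim_t)ps > (rlim_t)MLOCK_LIMIT) ? (rlim_t)ps : (rlim_t)MLOCK_LIMIT;` avoids the truncation and also handles a `-1` from `sysconf`. The hard-coded fallback values in the new `switch` (16382, 819200, 1024, 8192*1024) would be easier to audit as named constants with a comment stating which kernel default each mirrors. The enclosing function starts and ends outside the hunk.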
@@ -0,0 +1,72 @@ +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz + +Upstream status: not yet submitted + +Index: pam/libpam/pam_handlers.c +=================================================================== +--- pam.orig/libpam/pam_handlers.c ++++ pam/libpam/pam_handlers.c +@@ -123,6 +123,10 @@ + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; ++ } else if (!strcasecmp("@include", tok)) { ++ pam_include = 1; ++ module_type = requested_module_type; ++ goto parsing_done; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); +@@ -193,8 +197,10 @@ + _pam_set_default_control(actions, _PAM_ACTION_BAD); + } + ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { ++ struct stat include_dir; + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, +@@ -205,13 +211,35 @@ + return PAM_ABORT; + } + } +- if (_pam_load_conf_file(pamh, tok, this_service, module_type, +- stack_level + substack ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, ++ module_type, stack_level + substack ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) ++ continue; ++ } ++ else if (!stat(PAM_CONFIG_D, &include_dir) ++ && S_ISDIR(include_dir.st_mode)) ++ { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, ++ module_type, stack_level + substack + #ifdef PAM_READ_BOTH_CONFS + , !other + #endif /* PAM_READ_BOTH_CONFS */ +- ) == PAM_SUCCESS) +- continue; ++ ) == PAM_SUCCESS) ++ { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = NULL; + handler_type = 
PAM_HT_MUST_FAIL; diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL new file mode 100644 index 0000000..ec97b44 --- /dev/null +++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL @@ -0,0 +1,22 @@ +setrlimit will sometimes return EPERM for example if you try to increase the +number of open files too much. This is not something we want to consider +fatal. This also happens if you use non-root and try to decrease a limit. +Running PAM as non-root is not so great. + +Authors: ? + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.c ++++ pam/modules/pam_limits/pam_limits.c +@@ -1111,6 +1111,8 @@ + if (res != 0) + pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", + rlimit2str(i)); ++ if (res == -1 && errno == EPERM) ++ continue; + status |= res; + } + diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful new file mode 100644 index 0000000..805c62f --- /dev/null +++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful 
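Review bot: The new `if (tok[0] == '/')` test in the `pam_include` branch dereferences `tok` before anything checks it for NULL, so a bare `@include` line with no argument would presumably crash the config parser if `_pam_StrTok` returns NULL at end of input (the original code passed `tok` straight to `_pam_load_conf_file`, which is where upstream rejects a missing name). Guarding both arms keeps the existing must-fail fallthrough as the failure mode: `if (tok != NULL && tok[0] == '/') {` and `else if (tok != NULL && !stat(PAM_CONFIG_D, &include_dir)`. As a point of style, the `PAM_CONFIG_D` arm frees `include_file` on both the success and failure paths; capturing the result in a local and freeing once before the `continue` test avoids the duplicated `free(include_file)`. The enclosing parsing loop starts and ends outside the hunk.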
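Review bot: The added `if (res == -1 && errno == EPERM)` reads `errno` after the preceding `pam_syslog()` call, which may have clobbered it, so the EPERM case can be missed or matched by accident depending on what the logging path does; the 040 patch later in this commit saves and restores `errno` around the log call, so this patch is only correct in combination with that one. Making it self-contained is two lines: `int save_errno = errno;` immediately after the `setrlimit()` call, and `if (res == -1 && save_errno == EPERM)` for the test. Note also that `continue` skips `status |= res`, so a limit that could not be applied because of EPERM no longer affects the session outcome and the log line becomes the only signal that a configured limit is not in effect; a comment stating that trade-off next to the `continue` would help the next reader. The enclosing loop starts and ends outside the hunk.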
@@ -0,0 +1,157 @@ +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> + +Index: pam/modules/pam_wheel/pam_wheel.c +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.c ++++ pam/modules/pam_wheel/pam_wheel.c +@@ -47,9 +47,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -68,8 +67,7 @@ + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -118,39 +116,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- +- /* if getlogin fails try a fallback to PAM_RUSER */ +- if (fromsu == NULL) { +- const char *rhostname; +- +- retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname); +- if (retval != PAM_SUCCESS || rhostname == NULL) { +- retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu); +- } +- } +- +- if (fromsu != NULL) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- +- if (fromsu == NULL || tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = 
pam_modutil_getpwuid (pamh, getuid()); ++ if (tpwd == NULL) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: pam/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + + trust + +- +- use_uid +- + + + +@@ -116,18 +113,6 @@ + + + +- +- +- +- +- +- +- The check will be done against the real uid of the calling process, +- instead of trying to obtain the user from the login session +- associated with the terminal in use. +- +- +- + + + +Index: pam/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.8 ++++ pam/modules/pam_wheel/pam_wheel.8 +@@ -31,7 +31,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP \w'\fBpam_wheel\&.so\fR\ 'u +-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -72,11 +72,6 @@ + .RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. + .RE +-.PP +-\fBuse_uid\fR +-.RS 4 +-The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&. 
+-.RE + .SH "MODULE TYPES PROVIDED" + .PP + The +Index: pam/modules/pam_wheel/README +=================================================================== +--- pam.orig/modules/pam_wheel/README ++++ pam/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check will be done against the real uid of the calling process, instead +- of trying to obtain the user from the login session associated with the +- terminal in use. +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure new file mode 100644 index 0000000..0ef703b --- /dev/null +++ b/debian/patches-applied/040_pam_limits_log_failure 
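Review bot: The replacement `else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */` relies on an empty statement as the `if` body, so the following `else if (!strcmp(*argv,"trust"))` still binds to it by accident of layout; this is exactly the form `-Wempty-body` warns about and is easy to break on the next edit. Writing it as `else if (!strcmp(*argv,"use_uid")) { /* ignored for compat. */ }` keeps the chain explicit. The man page and README hunks delete the `use_uid` entry entirely, but the option is still accepted and silently ignored, so the documentation should say so, for example "`use_uid` is accepted for compatibility and has no effect; the check is always made against the real uid of the calling process". The enclosing `pam_sm_authenticate` body starts and ends outside the hunk.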
@@ -0,0 +1,36 @@ +Patch for Debian bug #180310 + +Generate some (low-severity) log information whenever setrlimit() fails, +for debugging purposes. + +Authors: Sam Hartman + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.c ++++ pam/modules/pam_limits/pam_limits.c +@@ -1108,9 +1108,19 @@ + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; + res = setrlimit(i, &pl->limits[i].limit); +- if (res != 0) +- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", +- rlimit2str(i)); ++ if (res != 0 && (i != RLIMIT_NOFILE ++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) ++ { ++ int save_errno = errno; ++ pam_syslog(pamh, LOG_DEBUG, ++ "Could not set limit for '%s' to soft=%d, hard=%d:" ++ " %m; uid=%lu,euid=%lu", rlimit2str(i), ++ pl->limits[i].limit.rlim_cur, ++ pl->limits[i].limit.rlim_max, ++ (unsigned long) getuid(), ++ (unsigned long) geteuid()); ++ errno = save_errno; ++ } + if (res == -1 && errno == EPERM) + continue; + status |= res; diff --git a/debian/patches-applied/045_pam_dispatch_jump_is_ignore b/debian/patches-applied/045_pam_dispatch_jump_is_ignore new file mode 100644 index 0000000..e19a545 --- /dev/null +++ b/debian/patches-applied/045_pam_dispatch_jump_is_ignore 
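Review bot: The new `pam_syslog()` call formats `rlim_cur` and `rlim_max` with `%d`, but those fields are `rlim_t`, which is wider than `int` on 64-bit targets, so the format and the arguments mismatch and the logged values are undefined; `RLIM_INFINITY` in particular will not print meaningfully. Cast the values and widen the specifiers: `"Could not set limit for '%s' to soft=%llu, hard=%llu:"`, `(unsigned long long) pl->limits[i].limit.rlim_cur,`, `(unsigned long long) pl->limits[i].limit.rlim_max,`. Saving and restoring `errno` around the log call is the right move since the `errno == EPERM` test on the context line below depends on it, though dropping the severity to `LOG_DEBUG` means a limit that was not applied is invisible unless debug logging is collected, which is worth a comment. The enclosing loop starts and ends outside the hunk.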
@@ -0,0 +1,34 @@ + +Previously jumps were treated as PAM_IGNORE in the freezing part of +the chain and PAM_OK (aka required) in the frozen part of the chain. +No one on pam-list was able to explain this behavior, so I changed it +to be consistent. + +Index: pam/libpam/pam_dispatch.c +=================================================================== +--- pam.orig/libpam/pam_dispatch.c ++++ pam/libpam/pam_dispatch.c +@@ -260,22 +260,7 @@ + if ( _PAM_ACTION_IS_JUMP(action) ) { + + /* If we are evaluating a cached chain, we treat this +- module as required (aka _PAM_ACTION_OK) as well as +- executing the jump. */ +- +- if (use_cached_chain) { +- if (impression == _PAM_UNDEF +- || (impression == _PAM_POSITIVE +- && status == PAM_SUCCESS) ) { +- if ( retval != PAM_IGNORE || cached_retval == retval ) { +- if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) { +- h->grantor = 1; +- } +- impression = _PAM_POSITIVE; +- status = retval; +- } +- } +- } ++ module as ignored as well as executing the jump. */ + + /* this means that we need to skip #action stacked modules */ + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section new file mode 100644 index 0000000..7cdadad --- /dev/null +++ b/debian/patches-applied/PAM-manpage-section 
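Review bot: The removed block was the only place a jump-action module in a cached chain could set `h->grantor = 1` and contribute to `impression`/`status`, and the surviving comment `module as ignored as well as executing the jump.` does not say that the module's own return value is now discarded in both the freezing and the frozen chain. A comment to that effect, stating that a jump module only selects how many stacked modules to skip and never acts as a grantor, would make the behavioural change visible to the next reader of `_pam_dispatch_aux`. The patch header also lacks the `Authors:` and `Upstream status:` lines the sibling patches carry. The enclosing function starts and ends outside the hunk.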
@@ -0,0 +1,1723 @@ +Patch to put the PAM manpage in section 7 (general topics) instead of 8 +(system administration commands) + +Authors: Steve Langasek + +Upstream status: maybe provide a backwards-compatibility link first? + +Index: pam/doc/man/pam.8.xml +=================================================================== +--- pam.orig/doc/man/pam.8.xml ++++ pam/doc/man/pam.8.xml +@@ -6,7 +6,7 @@ + + + pam +- 8 ++ 7 + Linux-PAM Manual + + +@@ -209,7 +209,7 @@ + pam_strerror3 + , + +- PAM8 ++ PAM7 + + + +Index: pam/doc/man/PAM.8 +=================================================================== +--- pam.orig/doc/man/PAM.8 ++++ pam/doc/man/PAM.8 +@@ -7,7 +7,7 @@ + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM" "7" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -146,4 +146,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_sm_setcred\fR(3), + \fBpam_strerror\fR(3), +-\fBPAM\fR(8) ++\fBPAM\fR(7) +Index: pam/modules/pam_access/access.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_access/access.conf.5.xml ++++ pam/modules/pam_access/access.conf.5.xml +@@ -233,7 +233,7 @@ + + pam_access8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam/modules/pam_access/access.conf.5 +=================================================================== +--- pam.orig/modules/pam_access/access.conf.5 ++++ pam/modules/pam_access/access.conf.5 +@@ -210,7 +210,7 @@ + .PP + \fBpam_access\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + Original +Index: pam/modules/pam_env/pam_env.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_env/pam_env.conf.5.xml ++++ 
pam/modules/pam_env/pam_env.conf.5.xml +@@ -122,7 +122,7 @@ + + pam_env8, + pam.d5, +- pam8, ++ pam7, + environ7 + + +Index: pam/modules/pam_env/pam_env.conf.5 +=================================================================== +--- pam.orig/modules/pam_env/pam_env.conf.5 ++++ pam/modules/pam_env/pam_env.conf.5 +@@ -125,7 +125,7 @@ + .PP + \fBpam_env\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBenviron\fR(7) + .SH "AUTHOR" + .PP +Index: pam/modules/pam_group/group.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_group/group.conf.5.xml ++++ pam/modules/pam_group/group.conf.5.xml +@@ -134,7 +134,7 @@ + + pam_group8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam/modules/pam_group/group.conf.5 +=================================================================== +--- pam.orig/modules/pam_group/group.conf.5 ++++ pam/modules/pam_group/group.conf.5 +@@ -115,7 +115,7 @@ + .PP + \fBpam_group\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_group was written by Andrew G\&. Morgan \&. 
+Index: pam/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5.xml ++++ pam/modules/pam_limits/limits.conf.5.xml +@@ -357,7 +357,7 @@ + + pam_limits8, + pam.d5, +- pam8, ++ pam7, + getrlimit2, + getrlimit3p + +Index: pam/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5 ++++ pam/modules/pam_limits/limits.conf.5 +@@ -351,7 +351,7 @@ + .PP + \fBpam_limits\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBgetrlimit\fR(2), + \fBgetrlimit\fR(3p) + .SH "AUTHOR" +Index: pam/modules/pam_namespace/namespace.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_namespace/namespace.conf.5.xml ++++ pam/modules/pam_namespace/namespace.conf.5.xml +@@ -209,7 +209,7 @@ + + pam_namespace8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam/modules/pam_namespace/namespace.conf.5 +=================================================================== +--- pam.orig/modules/pam_namespace/namespace.conf.5 ++++ pam/modules/pam_namespace/namespace.conf.5 +@@ -162,7 +162,7 @@ + .PP + \fBpam_namespace\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + The namespace\&.conf manual page was written by Janak Desai \&. More features added by Tomas Mraz \&. 
+Index: pam/modules/pam_time/time.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_time/time.conf.5.xml ++++ pam/modules/pam_time/time.conf.5.xml +@@ -136,7 +136,7 @@ + + pam_time8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam/modules/pam_time/time.conf.5 +=================================================================== +--- pam.orig/modules/pam_time/time.conf.5 ++++ pam/modules/pam_time/time.conf.5 +@@ -109,7 +109,7 @@ + .PP + \fBpam_time\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_access/pam_access.8.xml +=================================================================== +--- pam.orig/modules/pam_access/pam_access.8.xml ++++ pam/modules/pam_access/pam_access.8.xml +@@ -246,7 +246,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam/modules/pam_access/pam_access.8 +=================================================================== +--- pam.orig/modules/pam_access/pam_access.8 ++++ pam/modules/pam_access/pam_access.8 +@@ -133,7 +133,7 @@ + .PP + \fBaccess.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin \&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \&. 
+Index: pam/modules/pam_debug/pam_debug.8.xml +=================================================================== +--- pam.orig/modules/pam_debug/pam_debug.8.xml ++++ pam/modules/pam_debug/pam_debug.8.xml +@@ -216,7 +216,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_debug/pam_debug.8 +=================================================================== +--- pam.orig/modules/pam_debug/pam_debug.8 ++++ pam/modules/pam_debug/pam_debug.8 +@@ -138,7 +138,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_debug was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_deny/pam_deny.8.xml +=================================================================== +--- pam.orig/modules/pam_deny/pam_deny.8.xml ++++ pam/modules/pam_deny/pam_deny.8.xml +@@ -120,7 +120,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_deny/pam_deny.8 +=================================================================== +--- pam.orig/modules/pam_deny/pam_deny.8 ++++ pam/modules/pam_deny/pam_deny.8 +@@ -96,7 +96,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_deny was written by Andrew G\&. 
Morgan +Index: pam/modules/pam_echo/pam_echo.8.xml +=================================================================== +--- pam.orig/modules/pam_echo/pam_echo.8.xml ++++ pam/modules/pam_echo/pam_echo.8.xml +@@ -159,7 +159,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_echo/pam_echo.8 +=================================================================== +--- pam.orig/modules/pam_echo/pam_echo.8 ++++ pam/modules/pam_echo/pam_echo.8 +@@ -126,7 +126,7 @@ + .PP + \fBpam.conf\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + Thorsten Kukuk +Index: pam/modules/pam_env/pam_env.8.xml +=================================================================== +--- pam.orig/modules/pam_env/pam_env.8.xml ++++ pam/modules/pam_env/pam_env.8.xml +@@ -254,7 +254,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + , + + environ7 +Index: pam/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8.xml ++++ pam/modules/pam_exec/pam_exec.8.xml +@@ -303,7 +303,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.orig/modules/pam_exec/pam_exec.8 ++++ pam/modules/pam_exec/pam_exec.8 +@@ -182,7 +182,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_exec was written by Thorsten Kukuk and Josh Triplett \&. 
+Index: pam/modules/pam_faildelay/pam_faildelay.8.xml +=================================================================== +--- pam.orig/modules/pam_faildelay/pam_faildelay.8.xml ++++ pam/modules/pam_faildelay/pam_faildelay.8.xml +@@ -121,7 +121,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_faildelay/pam_faildelay.8 +=================================================================== +--- pam.orig/modules/pam_faildelay/pam_faildelay.8 ++++ pam/modules/pam_faildelay/pam_faildelay.8 +@@ -87,7 +87,7 @@ + \fBpam_fail_delay\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_faildelay was written by Darren Tucker \&. +Index: pam/modules/pam_filter/pam_filter.8.xml +=================================================================== +--- pam.orig/modules/pam_filter/pam_filter.8.xml ++++ pam/modules/pam_filter/pam_filter.8.xml +@@ -246,7 +246,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_filter/pam_filter.8 +=================================================================== +--- pam.orig/modules/pam_filter/pam_filter.8 ++++ pam/modules/pam_filter/pam_filter.8 +@@ -166,7 +166,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_filter was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_ftp/pam_ftp.8.xml +=================================================================== +--- pam.orig/modules/pam_ftp/pam_ftp.8.xml ++++ pam/modules/pam_ftp/pam_ftp.8.xml +@@ -168,7 +168,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_ftp/pam_ftp.8 +=================================================================== +--- pam.orig/modules/pam_ftp/pam_ftp.8 ++++ pam/modules/pam_ftp/pam_ftp.8 +@@ -119,7 +119,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_ftp was written by Andrew G\&. Morgan \&. 
+Index: pam/modules/pam_group/pam_group.8.xml +=================================================================== +--- pam.orig/modules/pam_group/pam_group.8.xml ++++ pam/modules/pam_group/pam_group.8.xml +@@ -148,7 +148,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam/modules/pam_group/pam_group.8 +=================================================================== +--- pam.orig/modules/pam_group/pam_group.8 ++++ pam/modules/pam_group/pam_group.8 +@@ -103,7 +103,7 @@ + .PP + \fBgroup.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + pam_group was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_issue/pam_issue.8.xml +=================================================================== +--- pam.orig/modules/pam_issue/pam_issue.8.xml ++++ pam/modules/pam_issue/pam_issue.8.xml +@@ -219,7 +219,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_issue/pam_issue.8 +=================================================================== +--- pam.orig/modules/pam_issue/pam_issue.8 ++++ pam/modules/pam_issue/pam_issue.8 +@@ -152,7 +152,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_issue was written by Ben Collins \&. 
+Index: pam/modules/pam_keyinit/pam_keyinit.8.xml +=================================================================== +--- pam.orig/modules/pam_keyinit/pam_keyinit.8.xml ++++ pam/modules/pam_keyinit/pam_keyinit.8.xml +@@ -232,7 +232,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + , + + keyctl1 +Index: pam/modules/pam_keyinit/pam_keyinit.8 +=================================================================== +--- pam.orig/modules/pam_keyinit/pam_keyinit.8 ++++ pam/modules/pam_keyinit/pam_keyinit.8 +@@ -137,7 +137,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBkeyctl\fR(1) + .SH "AUTHOR" + .PP +Index: pam/modules/pam_lastlog/pam_lastlog.8.xml +=================================================================== +--- pam.orig/modules/pam_lastlog/pam_lastlog.8.xml ++++ pam/modules/pam_lastlog/pam_lastlog.8.xml +@@ -325,7 +325,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_lastlog/pam_lastlog.8 +=================================================================== +--- pam.orig/modules/pam_lastlog/pam_lastlog.8 ++++ pam/modules/pam_lastlog/pam_lastlog.8 +@@ -189,7 +189,7 @@ + \fBlimits.conf\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_lastlog was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_limits/pam_limits.8.xml +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.8.xml ++++ pam/modules/pam_limits/pam_limits.8.xml +@@ -243,7 +243,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam/modules/pam_limits/pam_limits.8 +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.8 ++++ pam/modules/pam_limits/pam_limits.8 +@@ -146,7 +146,7 @@ + .PP + \fBlimits.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. 
+ .SH "AUTHORS" + .PP + pam_limits was initially written by Cristian Gafton +Index: pam/modules/pam_listfile/pam_listfile.8.xml +=================================================================== +--- pam.orig/modules/pam_listfile/pam_listfile.8.xml ++++ pam/modules/pam_listfile/pam_listfile.8.xml +@@ -281,7 +281,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_listfile/pam_listfile.8 +=================================================================== +--- pam.orig/modules/pam_listfile/pam_listfile.8 ++++ pam/modules/pam_listfile/pam_listfile.8 +@@ -205,7 +205,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_listfile was written by Michael K\&. Johnson and Elliot Lee \&. +Index: pam/modules/pam_localuser/pam_localuser.8.xml +=================================================================== +--- pam.orig/modules/pam_localuser/pam_localuser.8.xml ++++ pam/modules/pam_localuser/pam_localuser.8.xml +@@ -187,7 +187,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_localuser/pam_localuser.8 +=================================================================== +--- pam.orig/modules/pam_localuser/pam_localuser.8 ++++ pam/modules/pam_localuser/pam_localuser.8 +@@ -117,7 +117,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_localuser was written by Nalin Dahyabhai \&. 
+Index: pam/modules/pam_loginuid/pam_loginuid.8.xml +=================================================================== +--- pam.orig/modules/pam_loginuid/pam_loginuid.8.xml ++++ pam/modules/pam_loginuid/pam_loginuid.8.xml +@@ -121,7 +121,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + , + + auditctl8 +Index: pam/modules/pam_loginuid/pam_loginuid.8 +=================================================================== +--- pam.orig/modules/pam_loginuid/pam_loginuid.8 ++++ pam/modules/pam_loginuid/pam_loginuid.8 +@@ -85,7 +85,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBauditctl\fR(8), + \fBauditd\fR(8) + .SH "AUTHOR" +Index: pam/modules/pam_mail/pam_mail.8.xml +=================================================================== +--- pam.orig/modules/pam_mail/pam_mail.8.xml ++++ pam/modules/pam_mail/pam_mail.8.xml +@@ -265,7 +265,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_mail/pam_mail.8 +=================================================================== +--- pam.orig/modules/pam_mail/pam_mail.8 ++++ pam/modules/pam_mail/pam_mail.8 +@@ -153,7 +153,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_mail was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml +=================================================================== +--- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml ++++ pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml +@@ -205,7 +205,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8 +=================================================================== +--- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8 ++++ pam/modules/pam_mkhomedir/pam_mkhomedir.8 +@@ -129,7 +129,7 @@ + .SH "SEE ALSO" + .PP + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP + pam_mkhomedir was written by Jason Gunthorpe \&. 
+Index: pam/modules/pam_motd/pam_motd.8.xml +=================================================================== +--- pam.orig/modules/pam_motd/pam_motd.8.xml ++++ pam/modules/pam_motd/pam_motd.8.xml +@@ -196,7 +196,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_motd/pam_motd.8 +=================================================================== +--- pam.orig/modules/pam_motd/pam_motd.8 ++++ pam/modules/pam_motd/pam_motd.8 +@@ -185,7 +185,7 @@ + \fBmotd\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_motd was written by Ben Collins \&. +Index: pam/modules/pam_namespace/pam_namespace.8.xml +=================================================================== +--- pam.orig/modules/pam_namespace/pam_namespace.8.xml ++++ pam/modules/pam_namespace/pam_namespace.8.xml +@@ -362,7 +362,7 @@ + mount8 + , + +- pam8 ++ pam7 + . + + +Index: pam/modules/pam_namespace/pam_namespace.8 +=================================================================== +--- pam.orig/modules/pam_namespace/pam_namespace.8 ++++ pam/modules/pam_namespace/pam_namespace.8 +@@ -148,7 +148,7 @@ + \fBnamespace.conf\fR(5), + \fBpam.d\fR(5), + \fBmount\fR(8), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \&. Additional improvements by Xavier Toth and Tomas Mraz \&. 
+Index: pam/modules/pam_nologin/pam_nologin.8.xml +=================================================================== +--- pam.orig/modules/pam_nologin/pam_nologin.8.xml ++++ pam/modules/pam_nologin/pam_nologin.8.xml +@@ -160,7 +160,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_nologin/pam_nologin.8 +=================================================================== +--- pam.orig/modules/pam_nologin/pam_nologin.8 ++++ pam/modules/pam_nologin/pam_nologin.8 +@@ -124,7 +124,7 @@ + \fBnologin\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_nologin was written by Michael K\&. Johnson \&. +Index: pam/modules/pam_permit/pam_permit.8.xml +=================================================================== +--- pam.orig/modules/pam_permit/pam_permit.8.xml ++++ pam/modules/pam_permit/pam_permit.8.xml +@@ -91,7 +91,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_permit/pam_permit.8 +=================================================================== +--- pam.orig/modules/pam_permit/pam_permit.8 ++++ pam/modules/pam_permit/pam_permit.8 +@@ -78,7 +78,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_permit was written by Andrew G\&. Morgan, \&. 
+Index: pam/modules/pam_rhosts/pam_rhosts.8.xml +=================================================================== +--- pam.orig/modules/pam_rhosts/pam_rhosts.8.xml ++++ pam/modules/pam_rhosts/pam_rhosts.8.xml +@@ -156,7 +156,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_rhosts/pam_rhosts.8 +=================================================================== +--- pam.orig/modules/pam_rhosts/pam_rhosts.8 ++++ pam/modules/pam_rhosts/pam_rhosts.8 +@@ -122,7 +122,7 @@ + \fBrhosts\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_rhosts was written by Thorsten Kukuk +Index: pam/modules/pam_rootok/pam_rootok.8.xml +=================================================================== +--- pam.orig/modules/pam_rootok/pam_rootok.8.xml ++++ pam/modules/pam_rootok/pam_rootok.8.xml +@@ -116,7 +116,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_rootok/pam_rootok.8 +=================================================================== +--- pam.orig/modules/pam_rootok/pam_rootok.8 ++++ pam/modules/pam_rootok/pam_rootok.8 +@@ -100,7 +100,7 @@ + \fBsu\fR(1), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_rootok was written by Andrew G\&. Morgan, \&. +Index: pam/modules/pam_securetty/pam_securetty.8.xml +=================================================================== +--- pam.orig/modules/pam_securetty/pam_securetty.8.xml ++++ pam/modules/pam_securetty/pam_securetty.8.xml +@@ -187,7 +187,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_securetty/pam_securetty.8 +=================================================================== +--- pam.orig/modules/pam_securetty/pam_securetty.8 ++++ pam/modules/pam_securetty/pam_securetty.8 +@@ -134,7 +134,7 @@ + \fBsecuretty\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_securetty was written by Elliot Lee \&. 
+Index: pam/modules/pam_selinux/pam_selinux.8.xml +=================================================================== +--- pam.orig/modules/pam_selinux/pam_selinux.8.xml ++++ pam/modules/pam_selinux/pam_selinux.8.xml +@@ -258,7 +258,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + , + + selinux8 +Index: pam/modules/pam_selinux/pam_selinux.8 +=================================================================== +--- pam.orig/modules/pam_selinux/pam_selinux.8 ++++ pam/modules/pam_selinux/pam_selinux.8 +@@ -7,7 +7,7 @@ + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_SELINUX" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SELINUX" "7" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -144,7 +144,7 @@ + \fBexecve\fR(2), + \fBtty\fR(4), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBselinux\fR(8) + .SH "AUTHOR" + .PP +Index: pam/modules/pam_sepermit/pam_sepermit.8.xml +=================================================================== +--- pam.orig/modules/pam_sepermit/pam_sepermit.8.xml ++++ pam/modules/pam_sepermit/pam_sepermit.8.xml +@@ -176,7 +176,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + selinux8 +Index: pam/modules/pam_sepermit/pam_sepermit.8 +=================================================================== +--- pam.orig/modules/pam_sepermit/pam_sepermit.8 ++++ pam/modules/pam_sepermit/pam_sepermit.8 +@@ -124,7 +124,7 @@ + \fBsepermit.conf\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + \fBselinux\fR(8) + .SH "AUTHOR" + .PP +Index: pam/modules/pam_shells/pam_shells.8.xml +=================================================================== +--- pam.orig/modules/pam_shells/pam_shells.8.xml ++++ pam/modules/pam_shells/pam_shells.8.xml +@@ -102,7 +102,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: 
pam/modules/pam_shells/pam_shells.8 +=================================================================== +--- pam.orig/modules/pam_shells/pam_shells.8 ++++ pam/modules/pam_shells/pam_shells.8 +@@ -85,7 +85,7 @@ + \fBshells\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_shells was written by Erik Troan \&. +Index: pam/modules/pam_succeed_if/pam_succeed_if.8.xml +=================================================================== +--- pam.orig/modules/pam_succeed_if/pam_succeed_if.8.xml ++++ pam/modules/pam_succeed_if/pam_succeed_if.8.xml +@@ -295,7 +295,7 @@ + glob7 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_succeed_if/pam_succeed_if.8 +=================================================================== +--- pam.orig/modules/pam_succeed_if/pam_succeed_if.8 ++++ pam/modules/pam_succeed_if/pam_succeed_if.8 +@@ -220,7 +220,7 @@ + .SH "SEE ALSO" + .PP + \fBglob\fR(7), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + Nalin Dahyabhai +Index: pam/modules/pam_time/pam_time.8.xml +=================================================================== +--- pam.orig/modules/pam_time/pam_time.8.xml ++++ pam/modules/pam_time/pam_time.8.xml +@@ -184,7 +184,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + . + + +Index: pam/modules/pam_time/pam_time.8 +=================================================================== +--- pam.orig/modules/pam_time/pam_time.8 ++++ pam/modules/pam_time/pam_time.8 +@@ -116,7 +116,7 @@ + .PP + \fBtime.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. Morgan \&. 
+Index: pam/modules/pam_umask/pam_umask.8.xml +=================================================================== +--- pam.orig/modules/pam_umask/pam_umask.8.xml ++++ pam/modules/pam_umask/pam_umask.8.xml +@@ -246,7 +246,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_umask/pam_umask.8 +=================================================================== +--- pam.orig/modules/pam_umask/pam_umask.8 ++++ pam/modules/pam_umask/pam_umask.8 +@@ -170,7 +170,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_umask was written by Thorsten Kukuk \&. +Index: pam/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8.xml ++++ pam/modules/pam_unix/pam_unix.8.xml +@@ -559,7 +559,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.orig/modules/pam_unix/pam_unix.8 ++++ pam/modules/pam_unix/pam_unix.8 +@@ -310,7 +310,7 @@ + \fBlogin.defs\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_unix was written by various people\&. 
+Index: pam/doc/man/misc_conv.3.xml +=================================================================== +--- pam.orig/doc/man/misc_conv.3.xml ++++ pam/doc/man/misc_conv.3.xml +@@ -171,7 +171,7 @@ + pam_conv3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/misc_conv.3 +=================================================================== +--- pam.orig/doc/man/misc_conv.3 ++++ pam/doc/man/misc_conv.3 +@@ -117,7 +117,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_conv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/doc/man/pam_acct_mgmt.3.xml +=================================================================== +--- pam.orig/doc/man/pam_acct_mgmt.3.xml ++++ pam/doc/man/pam_acct_mgmt.3.xml +@@ -138,7 +138,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_acct_mgmt.3 +=================================================================== +--- pam.orig/doc/man/pam_acct_mgmt.3 ++++ pam/doc/man/pam_acct_mgmt.3 +@@ -97,4 +97,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_chauthtok\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_authenticate.3.xml +=================================================================== +--- pam.orig/doc/man/pam_authenticate.3.xml ++++ pam/doc/man/pam_authenticate.3.xml +@@ -162,7 +162,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_authenticate.3 +=================================================================== +--- pam.orig/doc/man/pam_authenticate.3 ++++ pam/doc/man/pam_authenticate.3 +@@ -107,4 +107,4 @@ + \fBpam_setcred\fR(3), + \fBpam_chauthtok\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_chauthtok.3.xml +=================================================================== +--- pam.orig/doc/man/pam_chauthtok.3.xml ++++ pam/doc/man/pam_chauthtok.3.xml +@@ -157,7 +157,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_chauthtok.3 
+=================================================================== +--- pam.orig/doc/man/pam_chauthtok.3 ++++ pam/doc/man/pam_chauthtok.3 +@@ -106,4 +106,4 @@ + \fBpam_setcred\fR(3), + \fBpam_get_item\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_conv.3.xml +=================================================================== +--- pam.orig/doc/man/pam_conv.3.xml ++++ pam/doc/man/pam_conv.3.xml +@@ -221,7 +221,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_conv.3 +=================================================================== +--- pam.orig/doc/man/pam_conv.3 ++++ pam/doc/man/pam_conv.3 +@@ -174,4 +174,4 @@ + \fBpam_set_item\fR(3), + \fBpam_get_item\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_error.3.xml +=================================================================== +--- pam.orig/doc/man/pam_error.3.xml ++++ pam/doc/man/pam_error.3.xml +@@ -105,7 +105,7 @@ + pam_vprompt3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_error.3 +=================================================================== +--- pam.orig/doc/man/pam_error.3 ++++ pam/doc/man/pam_error.3 +@@ -80,7 +80,7 @@ + \fBpam_vinfo\fR(3), + \fBpam_prompt\fR(3), + \fBpam_vprompt\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/doc/man/pam_getenv.3.xml +=================================================================== +--- pam.orig/doc/man/pam_getenv.3.xml ++++ pam/doc/man/pam_getenv.3.xml +@@ -60,7 +60,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_getenv.3 +=================================================================== +--- pam.orig/doc/man/pam_getenv.3 ++++ pam/doc/man/pam_getenv.3 +@@ -57,4 +57,4 @@ + \fBpam_start\fR(3), + \fBpam_getenvlist\fR(3), + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_getenvlist.3.xml +=================================================================== +--- 
pam.orig/doc/man/pam_getenvlist.3.xml ++++ pam/doc/man/pam_getenvlist.3.xml +@@ -78,7 +78,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_getenvlist.3 +=================================================================== +--- pam.orig/doc/man/pam_getenvlist.3 ++++ pam/doc/man/pam_getenvlist.3 +@@ -63,4 +63,4 @@ + \fBpam_start\fR(3), + \fBpam_getenv\fR(3), + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_info.3.xml +=================================================================== +--- pam.orig/doc/man/pam_info.3.xml ++++ pam/doc/man/pam_info.3.xml +@@ -93,7 +93,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_info.3 +=================================================================== +--- pam.orig/doc/man/pam_info.3 ++++ pam/doc/man/pam_info.3 +@@ -76,7 +76,7 @@ + .RE + .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/doc/man/pam_misc_drop_env.3.xml +=================================================================== +--- pam.orig/doc/man/pam_misc_drop_env.3.xml ++++ pam/doc/man/pam_misc_drop_env.3.xml +@@ -46,7 +46,7 @@ + pam_getenvlist3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_misc_drop_env.3 +=================================================================== +--- pam.orig/doc/man/pam_misc_drop_env.3 ++++ pam/doc/man/pam_misc_drop_env.3 +@@ -52,7 +52,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_getenvlist\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/doc/man/pam_misc_paste_env.3.xml +=================================================================== +--- pam.orig/doc/man/pam_misc_paste_env.3.xml ++++ pam/doc/man/pam_misc_paste_env.3.xml +@@ -44,7 +44,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_misc_paste_env.3 +=================================================================== +--- pam.orig/doc/man/pam_misc_paste_env.3 ++++ pam/doc/man/pam_misc_paste_env.3 +@@ -47,7 +47,7 @@ + .SH "SEE 
ALSO" + .PP + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/doc/man/pam_misc_setenv.3.xml +=================================================================== +--- pam.orig/doc/man/pam_misc_setenv.3.xml ++++ pam/doc/man/pam_misc_setenv.3.xml +@@ -51,7 +51,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_misc_setenv.3 +=================================================================== +--- pam.orig/doc/man/pam_misc_setenv.3 ++++ pam/doc/man/pam_misc_setenv.3 +@@ -52,7 +52,7 @@ + .SH "SEE ALSO" + .PP + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/doc/man/pam_prompt.3.xml +=================================================================== +--- pam.orig/doc/man/pam_prompt.3.xml ++++ pam/doc/man/pam_prompt.3.xml +@@ -95,7 +95,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + , + + pam_conv3 +Index: pam/doc/man/pam_prompt.3 +=================================================================== +--- pam.orig/doc/man/pam_prompt.3 ++++ pam/doc/man/pam_prompt.3 +@@ -70,7 +70,7 @@ + .RE + .SH "SEE ALSO" + .PP +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBpam_conv\fR(3) + .SH "STANDARDS" + .PP +Index: pam/doc/man/pam_putenv.3.xml +=================================================================== +--- pam.orig/doc/man/pam_putenv.3.xml ++++ pam/doc/man/pam_putenv.3.xml +@@ -145,7 +145,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_putenv.3 +=================================================================== +--- pam.orig/doc/man/pam_putenv.3 ++++ pam/doc/man/pam_putenv.3 +@@ -108,4 +108,4 @@ + \fBpam_getenv\fR(3), + \fBpam_getenvlist\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_strerror.3.xml +=================================================================== +--- pam.orig/doc/man/pam_strerror.3.xml ++++ pam/doc/man/pam_strerror.3.xml +@@ -51,7 +51,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: 
pam/doc/man/pam_strerror.3 +=================================================================== +--- pam.orig/doc/man/pam_strerror.3 ++++ pam/doc/man/pam_strerror.3 +@@ -49,4 +49,4 @@ + This function returns always a pointer to a string\&. + .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam/doc/man/pam_syslog.3.xml +=================================================================== +--- pam.orig/doc/man/pam_syslog.3.xml ++++ pam/doc/man/pam_syslog.3.xml +@@ -66,7 +66,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_syslog.3 +=================================================================== +--- pam.orig/doc/man/pam_syslog.3 ++++ pam/doc/man/pam_syslog.3 +@@ -67,7 +67,7 @@ + variable argument list macros\&. + .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The +Index: pam/modules/pam_userdb/pam_userdb.8.xml +=================================================================== +--- pam.orig/modules/pam_userdb/pam_userdb.8.xml ++++ pam/modules/pam_userdb/pam_userdb.8.xml +@@ -279,7 +279,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_userdb/pam_userdb.8 +=================================================================== +--- pam.orig/modules/pam_userdb/pam_userdb.8 ++++ pam/modules/pam_userdb/pam_userdb.8 +@@ -152,7 +152,7 @@ + \fBcrypt\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. 
+Index: pam/modules/pam_warn/pam_warn.8.xml +=================================================================== +--- pam.orig/modules/pam_warn/pam_warn.8.xml ++++ pam/modules/pam_warn/pam_warn.8.xml +@@ -90,7 +90,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_warn/pam_warn.8 +=================================================================== +--- pam.orig/modules/pam_warn/pam_warn.8 ++++ pam/modules/pam_warn/pam_warn.8 +@@ -83,7 +83,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_warn was written by Andrew G\&. Morgan \&. +Index: pam/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam/modules/pam_wheel/pam_wheel.8.xml +@@ -213,7 +213,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.8 ++++ pam/modules/pam_wheel/pam_wheel.8 +@@ -136,7 +136,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_wheel was written by Cristian Gafton \&. +Index: pam/modules/pam_xauth/pam_xauth.8.xml +=================================================================== +--- pam.orig/modules/pam_xauth/pam_xauth.8.xml ++++ pam/modules/pam_xauth/pam_xauth.8.xml +@@ -276,7 +276,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_xauth/pam_xauth.8 +=================================================================== +--- pam.orig/modules/pam_xauth/pam_xauth.8 ++++ pam/modules/pam_xauth/pam_xauth.8 +@@ -177,7 +177,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\&. Johnson \&. 
+Index: pam/modules/pam_env/pam_env.8 +=================================================================== +--- pam.orig/modules/pam_env/pam_env.8 ++++ pam/modules/pam_env/pam_env.8 +@@ -7,7 +7,7 @@ + .\" Source: Linux-PAM Manual + .\" Language: English + .\" +-.TH "PAM_ENV" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "7" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +Index: pam/modules/pam_pwhistory/pam_pwhistory.8.xml +=================================================================== +--- pam.orig/modules/pam_pwhistory/pam_pwhistory.8.xml ++++ pam/modules/pam_pwhistory/pam_pwhistory.8.xml +@@ -229,7 +229,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + pam_get_authtok3 +Index: pam/modules/pam_pwhistory/pam_pwhistory.8 +=================================================================== +--- pam.orig/modules/pam_pwhistory/pam_pwhistory.8 ++++ pam/modules/pam_pwhistory/pam_pwhistory.8 +@@ -156,7 +156,7 @@ + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + \fBpam_get_authtok\fR(3) + .SH "AUTHOR" + .PP +Index: pam/modules/pam_sepermit/sepermit.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_sepermit/sepermit.conf.5.xml ++++ pam/modules/pam_sepermit/sepermit.conf.5.xml +@@ -96,7 +96,7 @@ + + pam_sepermit8, + pam.d5, +- pam8, ++ pam7, + selinux8, + + +Index: pam/modules/pam_sepermit/sepermit.conf.5 +=================================================================== +--- pam.orig/modules/pam_sepermit/sepermit.conf.5 ++++ pam/modules/pam_sepermit/sepermit.conf.5 +@@ -110,7 +110,7 @@ + .PP + \fBpam_sepermit\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBselinux\fR(8), + .SH "AUTHOR" + .PP +Index: pam/modules/pam_timestamp/pam_timestamp.8.xml 
+=================================================================== +--- pam.orig/modules/pam_timestamp/pam_timestamp.8.xml ++++ pam/modules/pam_timestamp/pam_timestamp.8.xml +@@ -193,7 +193,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_timestamp/pam_timestamp.8 +=================================================================== +--- pam.orig/modules/pam_timestamp/pam_timestamp.8 ++++ pam/modules/pam_timestamp/pam_timestamp.8 +@@ -129,7 +129,7 @@ + \fBpam_timestamp_check\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_timestamp was written by Nalin Dahyabhai\&. +Index: pam/modules/pam_timestamp/pam_timestamp_check.8.xml +=================================================================== +--- pam.orig/modules/pam_timestamp/pam_timestamp_check.8.xml ++++ pam/modules/pam_timestamp/pam_timestamp_check.8.xml +@@ -192,7 +192,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_timestamp/pam_timestamp_check.8 +=================================================================== +--- pam.orig/modules/pam_timestamp/pam_timestamp_check.8 ++++ pam/modules/pam_timestamp/pam_timestamp_check.8 +@@ -127,7 +127,7 @@ + \fBpam_timestamp_check\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_timestamp was written by Nalin Dahyabhai\&. 
+Index: pam/modules/pam_tty_audit/pam_tty_audit.8.xml +=================================================================== +--- pam.orig/modules/pam_tty_audit/pam_tty_audit.8.xml ++++ pam/modules/pam_tty_audit/pam_tty_audit.8.xml +@@ -181,7 +181,7 @@ + pam.d5 + , + +- pam8 ++ pam7 + + + +Index: pam/modules/pam_tty_audit/pam_tty_audit.8 +=================================================================== +--- pam.orig/modules/pam_tty_audit/pam_tty_audit.8 ++++ pam/modules/pam_tty_audit/pam_tty_audit.8 +@@ -129,7 +129,7 @@ + \fBaureport\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_tty_audit was written by Miloslav Trmač \&. The log_passwd option was added by Richard Guy Briggs \&. +Index: pam/doc/man/pam_get_authtok.3.xml +=================================================================== +--- pam.orig/doc/man/pam_get_authtok.3.xml ++++ pam/doc/man/pam_get_authtok.3.xml +@@ -232,7 +232,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam/doc/man/pam_get_authtok.3 +=================================================================== +--- pam.orig/doc/man/pam_get_authtok.3 ++++ pam/doc/man/pam_get_authtok.3 +@@ -162,7 +162,7 @@ + .RE + .SH "SEE ALSO" + .PP +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The diff --git a/debian/patches-applied/do_not_check_nis_accidentally b/debian/patches-applied/do_not_check_nis_accidentally new file mode 100644 index 0000000..29ce609 --- /dev/null +++ b/debian/patches-applied/do_not_check_nis_accidentally 
@@ -0,0 +1,22 @@
+Patch for Debian bug #469635
+
+Always call _unix_getpwnam() consistent with the value of the 'nis'
+option, so that we only grab from the backends we're expecting.
+
+Authors: Quentin Godfroy
+
+Upstream status: should be submitted
+
+Index: pam/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam/modules/pam_unix/pam_unix_passwd.c
+@@ -669,7 +669,7 @@
+ return PAM_USER_UNKNOWN;
+ } else {
+ struct passwd *pwd;
+- _unix_getpwnam(pamh, user, 1, 1, &pwd);
++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "user \"%s\" has corrupted passwd entry",
diff --git a/debian/patches-applied/fix-autoreconf.patch b/debian/patches-applied/fix-autoreconf.patch
new file mode 100644
index 0000000..bdd9626
--- /dev/null
+++ b/debian/patches-applied/fix-autoreconf.patch
@@ -0,0 +1,27 @@
+From: Andreas Henriksson
+Date: Thu, 8 Nov 2018 19:09:21 +0100
+Subject: fix-autoreconf.patch
+
+Do not override user variables in Makefile.am, see the
+"Flag Variables Ordering" section of the automake manual.
+---
+ doc/specs/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: pam/doc/specs/Makefile.am
+===================================================================
+--- pam.orig/doc/specs/Makefile.am
++++ pam/doc/specs/Makefile.am
+@@ -12,9 +12,9 @@
+ AM_YFLAGS = -d
+
+ CC = @CC_FOR_BUILD@
+-CPPFLAGS = @BUILD_CPPFLAGS@
+-CFLAGS = @BUILD_CFLAGS@
+-LDFLAGS = @BUILD_LDFLAGS@
++AM_CPPFLAGS = @BUILD_CPPFLAGS@
++AM_CFLAGS = @BUILD_CFLAGS@
++AM_LDFLAGS = @BUILD_LDFLAGS@
+
+ padout_CFLAGS = $(WARN_CFLAGS) -Wno-unused-function -Wno-sign-compare
+
diff --git a/debian/patches-applied/hurd_no_setfsuid b/debian/patches-applied/hurd_no_setfsuid
new file mode 100644
index 0000000..00610a8
--- /dev/null
+++ b/debian/patches-applied/hurd_no_setfsuid
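Review bot: The new `on(UNIX_NIS, ctrl)` argument makes the lookup honour the module's `nis` option, but the only diagnostic on the `pwd == NULL` path that follows is the pre-existing LOG_DEBUG "corrupted passwd entry" message, which is now also what an administrator sees when the account exists only in NIS and `nis` was not given. A one-line comment above the call would spare the next reader a detour: `/* Consult NIS only when the 'nis' option is on; a NIS-only user is then treated as unknown here rather than looked up in a backend the admin did not enable. */`. The enclosing function and the definition of `ctrl` are outside the quoted hunk, so I am assuming `ctrl` holds the parsed option flags as elsewhere in pam_unix.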
@@ -0,0 +1,77 @@
+On systems without setfsuid(), use setreuid() instead.
+
+Authors: Steve Langasek
+
+Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv
+ are implemented
+
+Index: pam/libpam/pam_modutil_priv.c
+===================================================================
+--- pam.orig/libpam/pam_modutil_priv.c
++++ pam/libpam/pam_modutil_priv.c
+@@ -14,7 +14,9 @@
+ #include
+ #include
+ #include
++#ifdef HAVE_SYS_FSUID_H
+ #include
++#endif /* HAVE_SYS_FSUID_H */
+
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat
new file mode 100644
index 0000000..e386ff3
--- /dev/null
+++ b/debian/patches-applied/lib_security_multiarch_compat
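Review bot: In the `#else` branch of `change_uid` the `else` binds to the inner `if (setreuid(euid, uid))`, not to the outer `if (ruid == uid && uid != 0)`, so a successful `setreuid()` on the first path drops into the else-block written for the other case, and when the outer condition is false nothing is done at all; the branch also reaches the closing brace without a `return`, so whatever the callers (outside the hunk) make of the result is an indeterminate value. `change_gid` has the same two problems with the `setregid()` calls. Bracing both arms and ending the branch with `return 0;` fixes the control flow; the intermediate `setreuid(0, -1)`/`setreuid(-1, 0)` calls still ignore their results, which deserves at least a comment, since a failure there silently leaves the process at a privilege state the caller does not expect.
```c
static int change_uid(uid_t uid, uid_t *save)
{
#ifdef HAVE_SYS_FSUID_H
	/* … unchanged: setfsuid() path … */
#else
	uid_t euid = geteuid();
	uid_t ruid = getuid();
	if (save)
		*save = ruid;
	if (ruid == uid && uid != 0) {
		if (setreuid(euid, uid))
			return -1;
	} else {
		/* NOTE(review): results of the intermediate setreuid() calls are not checked */
		setreuid(0, -1);
		if (setreuid(-1, uid)) {
			setreuid(-1, 0);
			setreuid(0, -1);
			if (setreuid(-1, uid))
				return -1;
		}
	}
	return 0;
#endif
}
/* … change_gid: same bracing and trailing return 0, with the setregid() calls … */
```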
@@ -0,0 +1,72 @@
+Unqualified module paths should always be looked up in *both* the default
+module dir, *and* the ISA dir. That's what paths are for.
+
+This lets us have a soft transition to multiarch for modules without having
+to rewrite /etc/pam.d/ files or add ugly symlinks.
+
+Authors: Steve Langasek
+
+Upstream status: not ready to be committed - this needs tweaked, we're
+currently abusing the existing variables and inverting their meaning in
+order to get everything installed where we want it and get absolute paths
+the way we want them.
+
+Index: pam-1.4.0/libpam/pam_handlers.c
+===================================================================
+--- pam-1.4.0.orig/libpam/pam_handlers.c
++++ pam-1.4.0/libpam/pam_handlers.c
+@@ -735,7 +735,27 @@ _pam_load_module(pam_handle_t *pamh, con
+ success = PAM_ABORT;
+
+ D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
+- mod->dl_handle = _pam_dlopen(mod_path);
++ if (mod_path[0] == '/') {
++ mod->dl_handle = _pam_dlopen(mod_path);
++ } else {
++ char *mod_full_path = NULL;
++ if (asprintf(&mod_full_path, "%s%s",
++ DEFAULT_MODULE_PATH, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_path);
++ _pam_drop(mod_full_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ if (!mod->dl_handle) {
++ if (asprintf(&mod_full_path, "%s/%s",
++ _PAM_ISA, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_path);
++ _pam_drop(mod_full_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ }
++ }
+ D(("_pam_load_module: _pam_dlopen'ed"));
+ D(("_pam_load_module: dlopen'ed"));
+ if (mod->dl_handle == NULL) {
+@@ -812,7 +832,6 @@ int _pam_add_handler(pam_handle_t *pamh
+ struct handler **handler_p2;
+ struct handlers *the_handlers;
+ const char *sym, *sym2;
+- char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
+
+@@ -824,16 +843,7 @@ int _pam_add_handler(pam_handle_t *pamh
+
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
+- if (mod_path[0] == '/') {
+- mod = _pam_load_module(pamh, mod_path, handler_type);
+- } else if (asprintf(&mod_full_path, "%s%s",
+- DEFAULT_MODULE_PATH, mod_path) >= 0) {
+- mod = _pam_load_module(pamh, mod_full_path, handler_type);
+- _pam_drop(mod_full_path);
+- } else {
+- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+- return PAM_ABORT;
+- }
++ mod = _pam_load_module(pamh, mod_path, handler_type);
+
+ if (mod == NULL) {
+ /* if we get here with NULL it means allocation error */
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 0000000..b6a4bfe
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,19 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C.UTF-8 to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca , Steve Langasek
+Last-Update: 2019-01-06
+
+Index: pam/configure.ac
+===================================================================
+--- pam.orig/configure.ac
++++ pam/configure.ac
+@@ -585,7 +585,7 @@
+
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test -n "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C.UTF-8 $BROWSER -T text/html -dump"
+ else
+ AC_PATH_PROG([BROWSER], [elinks])
+ if test -n "$BROWSER"; then
diff --git a/debian/patches-applied/no_PATH_MAX_on_hurd b/debian/patches-applied/no_PATH_MAX_on_hurd
new file mode 100644
index 0000000..ab2403d
--- /dev/null
+++ b/debian/patches-applied/no_PATH_MAX_on_hurd
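Review bot: When `asprintf` fails in the new relative-path branch of `_pam_load_module`, both `else` arms only log and carry on, so an allocation failure ends up as `mod->dl_handle == NULL` and is then reported by the existing dlopen-failure path just below as if the module file were missing; the code removed from `_pam_add_handler` returned `PAM_ABORT` in that case, so the commit changes the failure mode as well as the lookup order. I would jump to the function's existing error exit (its start and end are outside the hunk, so I cannot name the label) from both `else` arms, or document that the fall-through is intended. The lookup order itself — absolute path as given, else `DEFAULT_MODULE_PATH` followed by the name, else `_PAM_ISA/` followed by the name — also deserves a comment at the `} else {`, e.g. `/* Relative name: try the default module dir, then the ISA dir (multiarch transition) */`, so the next reader does not have to reconstruct it from the patch description.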
@@ -0,0 +1,22 @@
+Description: define PATH_MAX for compatibility when it's not already set
+ Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable
+ default value in this case.
+Author: Steve Langasek
+Bug-Debian: http://bugs.debian.org/552043
+
+Index: pam/tests/tst-dlopen.c
+===================================================================
+--- pam.orig/tests/tst-dlopen.c
++++ pam/tests/tst-dlopen.c
+@@ -16,6 +16,11 @@
+ #include
+ #include
+
++/* Hurd compatibility */
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
+ /* Simple program to see if dlopen() would succeed. */
+ int main(int argc, char **argv)
+ {
diff --git a/debian/patches-applied/nullok_secure-compat.patch b/debian/patches-applied/nullok_secure-compat.patch
new file mode 100644
index 0000000..d85aa9f
--- /dev/null
+++ b/debian/patches-applied/nullok_secure-compat.patch
@@ -0,0 +1,27 @@
+Description: Support nullok_secure as a deprecated alias for nullok
+Author: Steve Langasek
+Last-Update: 2020-08-11
+
+Index: pam/modules/pam_unix/support.h
+===================================================================
+--- pam.orig/modules/pam_unix/support.h
++++ pam/modules/pam_unix/support.h
+@@ -102,8 +102,9 @@
+ #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
+ #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
+ #define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 35 /* deprecated alias for nullok */
+ /* -------------- */
+-#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 36 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
+
+@@ -147,6 +148,7 @@
+ /* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1},
+ /* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200ULL), 0, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 0000000..9c0503c
--- /dev/null
+++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
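Review bot: The new `unix_args` entry makes `nullok_secure` a silent synonym for `nullok` (its mask `_ALL_ON_^(0x200ULL)` clears one bit, by the look of `UNIX_DEFAULTS` the `UNIX__NONULL` one), but nothing records that the deprecated spelling was used, so a configuration that still says `nullok_secure` — which in Debian's earlier patches was the stricter variant, as I recall it — now permits empty passwords without any signal to the administrator. Where the option table is matched (`_set_ctrl` in support.c, outside this patch) I would emit `pam_syslog(pamh, LOG_WARNING, "option nullok_secure is deprecated, use nullok instead")` when index `UNIX_NULLOK_SECURE` matches, and say in the header comment that the alias is accepted for compatibility only and logs on use. The index 35 and the bumped `UNIX_CTRLS_` 36 agree with the entry's position at the end of the table, which is what this table relies on.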
@@ -0,0 +1,60 @@
+From: Robie Basak
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad
+Reviewed-by: Martin Pitt
+Last-Update: 2015-04-22
+
+Index: pam/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/modules/pam_limits/pam_limits.c
++++ pam/modules/pam_limits/pam_limits.c
+@@ -450,6 +450,14 @@
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ }
+ fclose(limitsfile);
++
++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++ * since larger values can cause problems with fd_set overflow and
++ * systemd sets itself higher. */
++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++ }
+ }
+
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches-applied/pam_mkhomedir_stat_before_opendir b/debian/patches-applied/pam_mkhomedir_stat_before_opendir
new file mode 100644
index 0000000..aec49b6
--- /dev/null
+++ b/debian/patches-applied/pam_mkhomedir_stat_before_opendir
@@ -0,0 +1,25 @@
+Index: pam/modules/pam_mkhomedir/mkhomedir_helper.c
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/mkhomedir_helper.c
++++ pam/modules/pam_mkhomedir/mkhomedir_helper.c
+@@ -39,6 +39,7 @@
+ DIR *d;
+ struct dirent *dent;
+ int retval = PAM_SESSION_ERR;
++ struct stat stat_buf;
+
+ /* Create the new directory */
+ if (mkdir(dest, 0700) && errno != EEXIST)
+@@ -54,6 +55,12 @@
+ goto go_out;
+ }
+
++ /* Various things such as an autofs mount with browsing disabled
++ * can cause the directory to appear only on stat. The intent is
++ * to minimize network traversal when a file explorer tries to
++ * traverse large chunks of a directory tree. So stat first.*/
++ stat(source, &stat_buf);
++
+ /* Scan the directory */
+ d = opendir(source);
+ if (d == NULL)
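Review bot: The new cap in pam_limits.c also triggers when pid 1 reports an unlimited soft nofile limit, because `RLIM_INFINITY` compares greater than `FD_SETSIZE`, so an inherited `rlim_cur` of infinity is quietly reduced to 1024; if that is intended, the comment block should say so, e.g. add the line `* An unlimited kernel default is capped as well.`. The hard limit is left as read, so this is only a soft default that poll(2)/epoll(7) users can raise, as the description says, but none of that reaches the administrator: pam_limits(8) and the README are not touched by this patch, and a one-line mention of the cap there would explain why `ulimit -n` differs from /proc/1/limits. The function this block closes begins before the hunk.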
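Review bot: `stat(source, &stat_buf);` in mkhomedir_helper.c discards its result on purpose (the call exists only to make the directory appear before `opendir()`), but nothing in the code says so, so a reader or a warn-unused-result build will take it for a missed error check. Make the intent explicit: `(void)stat(source, &stat_buf); /* result intentionally ignored: opendir() below reports errors */`. The same reasoning belongs on the `struct stat stat_buf;` declaration in the first hunk, e.g. `/* only used to trigger the lookup before opendir() */`. The function both hunks sit in starts and ends outside the patch.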
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 0000000..6a9e525
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,25 @@
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
+
+Authors: Steve Langasek ,
+ Michael Spang
+
+Upstream status: to be submitted
+
+Index: pam/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/unix_chkpwd.c
++++ pam/modules/pam_unix/unix_chkpwd.c
+@@ -138,9 +138,10 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (user == NULL || strcmp(user, argv[1])) {
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
+ }
+ }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
new file mode 100644
index 0000000..3ea285a
--- /dev/null
+++ b/debian/patches-applied/series
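Review bot: The new `setresgid(gid, gid, gid)` before `setuid(getuid())` is the right order for a helper that may be sgid shadow, but neither call's effect is verified afterwards; a drop that reports success yet leaves the effective or saved id unchanged would let the rest of the check run with group shadow, which is exactly what this patch sets out to prevent (CERT POS37-C asks for privilege relinquishment to be confirmed). Add a check after the drop: `if (getegid() != gid || geteuid() != getuid()) return PAM_AUTH_ERR;`. The supplementary group list is not touched here, which is fine for an sgid binary since it inherits the caller's groups, but that assumption deserves a comment next to the `gid_t gid = getgid();` line. The function continues outside the hunk.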
@@ -0,0 +1,24 @@
+pam_unix_dont_trust_chkpwd_caller.patch
+make_documentation_reproducible.patch
+007_modules_pam_unix
+008_modules_pam_limits_chroot
+021_nis_cleanup
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+do_not_check_nis_accidentally
+027_pam_limits_better_init_allow_explicit_root
+031_pam_include
+032_pam_limits_EPERM_NOT_FATAL
+036_pam_wheel_getlogin_considered_harmful
+hurd_no_setfsuid
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+PAM-manpage-section
+update-motd
+no_PATH_MAX_on_hurd
+lib_security_multiarch_compat
+pam-limits-nofile-fd-setsize-cap
+fix-autoreconf.patch
+nullok_secure-compat.patch
+
+pam_mkhomedir_stat_before_opendir
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
new file mode 100644
index 0000000..14d5fee
--- /dev/null
+++ b/debian/patches-applied/update-motd
@@ -0,0 +1,113 @@
+Provide a more dynamic MOTD, based on the short-lived update-motd project.
+
+Authors: Dustin Kirkland
+
+Last-Update: 2019-02-12
+Forwarded: no
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/399071
+
+Index: pam/modules/pam_motd/pam_motd.c
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.c
++++ pam/modules/pam_motd/pam_motd.c
+@@ -352,6 +352,7 @@
+ int argc, const char **argv)
+ {
+ int retval = PAM_IGNORE;
++ int do_update = 1;
+ const char *motd_path = NULL;
+ char *motd_path_copy = NULL;
+ unsigned int num_motd_paths = 0;
+@@ -361,6 +362,7 @@
+ unsigned int num_motd_dir_paths = 0;
+ char **motd_dir_path_split = NULL;
+ int report_missing;
++ struct stat st;
+
+ if (flags & PAM_SILENT) {
+ return retval;
+@@ -390,6 +392,9 @@
+ "motd_dir= specification missing argument - ignored");
+ }
+ }
++ else if (!strcmp(*argv,"noupdate")) {
++ do_update = 0;
++ }
+ else
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -402,6 +407,19 @@
+ report_missing = 1;
+ }
+
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd.
*/
++ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
++ && S_ISDIR(st.st_mode))
++ {
++ mode_t old_mask = umask(0022);
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
++ umask(old_mask);
++ }
++
+ if (motd_path != NULL) {
+ motd_path_copy = strdup(motd_path);
+ }
+Index: pam/modules/pam_motd/pam_motd.8.xml
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8.xml
++++ pam/modules/pam_motd/pam_motd.8.xml
+@@ -115,6 +115,17 @@
+
+
+
++
++
++
++
++
++
++ Don't run the scripts in /etc/update-motd.d
++ to refresh the motd file.
++
++
++
+
+
+ When no options are given, the default behavior applies for both
+Index: pam/modules/pam_motd/pam_motd.8
+===================================================================
+--- pam.orig/modules/pam_motd/pam_motd.8
++++ pam/modules/pam_motd/pam_motd.8
+@@ -109,6 +109,13 @@
+ /etc/motd\&.d:/run/motd\&.d:/usr/lib/motd\&.d\&.
+ .RE
+ .PP
++\fBnoupdate\fR
++.RS 4
++Don\*(Aqt run the scripts in
++/etc/update\-motd\&.d
++to refresh the motd file\&.
++.RE
++.PP
+ When no options are given, the default behavior applies for both options\&. Specifying either option (or both) will disable the default behavior for both options\&.
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+Index: pam/modules/pam_motd/README
+===================================================================
+--- pam.orig/modules/pam_motd/README
++++ pam/modules/pam_motd/README
+@@ -52,6 +52,10 @@
+ colon-separated list. By default this option is set to /etc/motd.d:/run/
+ motd.d:/usr/lib/motd.d.
+
++noupdate
++
++ Don't run the scripts in /etc/update-motd.d to refresh the motd file.
++
+ When no options are given, the default behavior applies for both options.
+ Specifying either option (or both) will disable the default behavior for both
+ options.
-- 
cgit v1.2.3
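Review bot: In the new update-motd block in pam_motd.c the result of `rename("/run/motd.dynamic.new", "/run/motd.dynamic")` is ignored and a non-zero `system()` status leaves `/run/motd.dynamic.new` behind without a log line, so a missing or failing `run-parts` is invisible to the administrator and stale partial output lingers. `system()` also routes the command through `/bin/sh` inside whatever application calls pam_motd (normally as root) and returns -1 when that application has SIGCHLD ignored, in which case the motd is silently never refreshed; a `fork`/`execv` with an explicit argv would avoid both the shell and that interaction, but at minimum the status should be logged. The rewrite below restores the umask before acting on the status, reports failures through the `pam_syslog` already used in this function, and removes the temporary file; it assumes `<unistd.h>` is already included for `unlink()`. The three documentation hunks (xml, man page, README) describe `noupdate` consistently.
```c
    if (do_update && (stat("/etc/update-motd.d", &st) == 0)
        && S_ISDIR(st.st_mode))
    {
        mode_t old_mask = umask(0022);
        int status = system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new");
        umask(old_mask);
        if (status == 0) {
            if (rename("/run/motd.dynamic.new", "/run/motd.dynamic") != 0)
                pam_syslog(pamh, LOG_ERR, "cannot install /run/motd.dynamic: %m");
        } else {
            /* -1: could not spawn (or SIGCHLD ignored); otherwise a wait status */
            pam_syslog(pamh, LOG_WARNING, "update-motd scripts failed (status %d)", status);
            unlink("/run/motd.dynamic.new");
        }
    }
```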