--- pam-1.0.1.orig/debian/watch
+++ pam-1.0.1/debian/watch
@@ -0,0 +1,3 @@
+version=3
+opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz
+
--- pam-1.0.1.orig/debian/copyright
+++ pam-1.0.1/debian/copyright
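Review bot: In debian/watch the `opts=pasv ftp://ftp.kernel.org/...` line has uscan fetch the upstream Linux-PAM tarball over plain FTP, and nothing in the file checks the download against an upstream signature. For the source of the system authentication library, that leaves the integrity of each new upstream import resting on the network path. If upstream publishes detached signatures next to the tarballs (not visible from this page), the line could carry a signature rule such as `opts=pasv,pgpsigurlmangle=s/$/.sign/ ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz`, with the upstream key shipped in the packaging. Otherwise a comment in the file should say how the tarball is verified before it is imported.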
@@ -0,0 +1,67 @@
+This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on
+Wed, 23 Sep 1998 20:29:32 +0200.
+
+It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/
+
+Copyright (C) 1994, 1995, 1996 Olaf Kirch,
+Copyright (C) 1995 Wietse Venema
+Copyright (C) 1995, 2001-2008 Red Hat, Inc.
+Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan
+Copyright (C) 1996, 1997, 1999 Cristian Gafton
+Copyright (C) 1996, 1999 Theodore Ts'o
+Copyright (C) 1996 Alexander O. Yuriev
+Copyright (C) 1996 Elliot Lee
+Copyright (C) 1997 Philip W. Dalrymple
+Copyright (C) 1999 Jan Rękorajski
+Copyright (C) 1999 Ben Collins
+Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek
+Copyright (C) 2003, 2005 IBM Corporation
+Copyright (C) 2003, 2006 SuSE Linux AG.
+Copyright (C) 2003 Nalin Dahyabhai
+Copyright (C) 2005-2008 Thorsten Kukuk
+Copyright (C) 2005 Darren Tucker
+
+
+Unless otherwise *explicitly* stated the following text describes the
+licensed conditions under which the contents of this Linux-PAM release
+may be distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of Linux-PAM, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+ notice, and this entire permission notice in its entirety,
+ including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+ copyright notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+ products derived from this software without their specific prior
+ written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions. (This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
--- pam-1.0.1.orig/debian/libpam-doc.doc-base.admin-guide
+++ pam-1.0.1/debian/libpam-doc.doc-base.admin-guide
@@ -0,0 +1,14 @@
+Document: pam-admin-guide
+Title: The Linux-PAM System Administrators' Guide
+Author: Andrew G. Morgan
+Abstract: This manual documents what a system administrator needs to know
+ about the Linux-PAM library. It covers the correct syntax of the PAM
+ configuration file and discusses strategies for maintaining a secure system.
+Section: System/Administration
+
+Format: HTML
+Index: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html
+Files: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html /usr/share/doc/libpam-doc/html/sag-*.html
+
+Format: text
+Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz
--- pam-1.0.1.orig/debian/libpam-modules.manpages
+++ pam-1.0.1/debian/libpam-modules.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man8/*.8
+debian/tmp/usr/share/man/man5/*.5
--- pam-1.0.1.orig/debian/libpam-runtime.postinst
+++ pam-1.0.1/debian/libpam-runtime.postinst
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# If the user has removed the config file, respect this sign of dementia
+# -- only create on package install.
+
+force=
+if [ -z "$2" ] || dpkg --compare-versions "$2" lt 1.0.1-6
+then
+ force=--force
+ for configfile in common-auth common-account common-session \
+ common-password
+ do
+ if [ -f /etc/pam.d/$configfile ] && \
+ ! fgrep -q `md5sum /etc/pam.d/$configfile` \
+ /usr/share/pam/$configfile.md5sums 2>/dev/null
+ then
+ force=
+ fi
+ done
+fi
+
+pam-auth-update --package $force
+
+if [ -n "$force" ]; then
+ rm -f /etc/pam.d/common-auth.pam-old \
+ /etc/pam.d/common-account.pam-old \
+ /etc/pam.d/common-password.pam-old \
+ /etc/pam.d/common-session.pam-old
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/libpam0g.symbols
+++ pam-1.0.1/debian/libpam0g.symbols
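Review bot: In debian/libpam-runtime.postinst the backtick substitution on the `fgrep -q` line is unquoted, so md5sum's "hash filename" output is split into two words and fgrep searches /etc/pam.d/$configfile itself as well as the .md5sums list. The comparison gives the right answer only because a file will not realistically contain its own digest. This test decides whether `pam-auth-update` runs with `--force` and may replace an administrator's edited common-* files, so pass the digest alone: `! fgrep -q "$(md5sum < /etc/pam.d/$configfile | cut -d' ' -f1)" \`. A one-line comment noting that a missing .md5sums file appears to clear `force` on purpose (fgrep fails, so the `!` branch is taken) would record that fail-safe.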
@@ -0,0 +1,9 @@
+libpam.so.0 libpam0g #MINVER#
+ *@LIBPAM_1.0 0.99.7.1
+ *@LIBPAM_EXTENSION_1.0 0.99.7.1
+ *@LIBPAM_MODUTIL_1.0 0.99.7.1
+ *@LIBPAM_MODUTIL_1.1 0.99.10.0
+libpam_misc.so.0 libpam0g #MINVER#
+ *@LIBPAM_MISC_1.0 0.99.7.1
+libpamc.so.0 libpam0g #MINVER#
+ *@LIBPAMC_1.0 0.99.7.1
--- pam-1.0.1.orig/debian/libpam-cracklib.files
+++ pam-1.0.1/debian/libpam-cracklib.files
@@ -0,0 +1 @@
+lib/security/pam_cracklib.so
--- pam-1.0.1.orig/debian/rules
+++ pam-1.0.1/debian/rules
@@ -0,0 +1,151 @@
+#!/usr/bin/make -f
+# Made with the aid of dh_make, by Craig Small
+# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
+# This version is for a hypothetical package that builds an
+# architecture-dependant package, as well as an architecture-independant
+# package.
+
+CFLAGS := -g -D_GNU_SOURCE -D_REENTRANT -fPIC
+
+ifeq (,$(findstring noopt, ${DEB_BUILD_OPTIONS}))
+CFLAGS += -O2
+endif
+
+DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ conf_args = --build $(DEB_BUILD_GNU_TYPE)
+else
+ conf_args = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+endif
+
+LC_COLLATE=C
+export LC_COLLATE
+
+QUILT_PATCH_DIR = debian/patches-applied
+include /usr/share/quilt/quilt.make
+
+BUILD_TREE=$(CURDIR)
+
+d = $(CURDIR)/debian
+dl = $(d)/local
+i = install -p -m 0644
+ie = install -p -m 0755
+
+build: configure build-stamp
+build-stamp:
+ dh_testdir
+
+ # Compile everything else
+ $(MAKE) -C $(BUILD_TREE) CFLAGS="$(CFLAGS)"
+
+ pod2man --section 8 --release="Debian GNU/Linux" $(dl)/pam_getenv >$(dl)/pam_getenv.8
+
+ touch build-stamp
+
+configure: patch configure-stamp
+configure-stamp:
+ cd $(BUILD_TREE) && \
+ ./configure $(conf_args) \
+ --sysconfdir=/etc --prefix=/usr --enable-static --enable-shared \
+ --mandir=/usr/share/man --infodir=/usr/share/info --libdir=/lib \
+ --sbindir=/sbin --enable-docdir=/usr/share/doc/libpam-doc \
+ --with-mailspool=/var/mail --disable-audit
+ touch configure-stamp
+
+
+clean: clean-patched unpatch
+
+clean-patched:
+ dh_testdir
+ dh_testroot
+ [ ! -f $(BUILD_TREE)/Makefile ] || $(MAKE) -C $(BUILD_TREE) distclean
+ rm -f $(dl)/pam_getenv.8
+ rm -f build-stamp configure-stamp
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ $(MAKE) -C $(BUILD_TREE) DESTDIR=$(CURDIR)/debian/tmp install
+
+ # .la files are teh devil
+ rm -f $(CURDIR)/debian/tmp/lib/*.la
+ # for modules, we only want the .so
+ rm -f $(CURDIR)/debian/tmp/lib/security/*.la \
+ $(CURDIR)/debian/tmp/lib/security/*.a
+
+# Build architecture-independent files here.
+binary-indep: install
+ dh_testdir -i
+ dh_testroot -i
+
+ mkdir -p debian/tmp/etc/pam.d
+ mkdir -p debian/tmp/usr/share/pam
+ $(i) $(dl)/pam.conf $(d)/tmp/etc
+ -mkdir -p $(d)/tmp/usr/sbin $(d)/tmp/usr/share/man/man8
+ $(ie) $(dl)/pam_getenv $(d)/tmp/usr/sbin
+ $(i) $(dl)/other $(d)/tmp/etc/pam.d
+ $(i) $(dl)/common-* $(d)/tmp/usr/share/pam/
+
+ dh_install -i
+
+ dh_installman -i
+ dh_installdocs -i
+ dh_installdebconf -i
+ dh_installchangelogs -i $(BUILD_TREE)/ChangeLog
+ dh_compress -i -X.html
+ dh_link -i
+ dh_fixperms -i
+ dh_installdeb -i
+ dh_gencontrol -i
+ dh_md5sums -i
+ dh_builddeb -i
+
+binary-arch: install
+ dh_testdir -a
+ dh_testroot -a
+
+ mkdir -p debian/tmp/usr/lib
+ mv debian/tmp/lib/*.a debian/tmp/usr/lib
+ dh_movefiles -plibpam0g-dev -plibpam-cracklib -plibpam0g
+ dh_movefiles -plibpam-modules `cd $(d)/tmp && ls lib/security/*.so`
+ mkdir -p debian/libpam-cracklib/usr/share/pam-configs
+ $(i) $(d)/pam-configs/cracklib debian/libpam-cracklib/usr/share/pam-configs/cracklib
+ dh_link -a
+ dh_installman -a
+ rm -rf $(d)/libpam-modules/usr/share/man/man7
+ rm -f $(d)/libpam-modules/usr/share/man/man8/pam.8
+ rm -f $(d)/libpam-modules/usr/share/man/man5/pam.conf.5
+ rm -f $(d)/libpam-modules/usr/share/man/man5/pam.d.5
+
+ dh_installdebconf -a
+ dh_installdocs -a $(BUILD_TREE)/README
+ dh_installexamples -a
+ find $(d)/libpam0g-dev/usr/share/doc/libpam0g-dev/examples -type f -name 'Makefile*' -print0 | xargs -0 rm -f
+
+ dh_installcron -a
+
+ dh_installchangelogs -a $(BUILD_TREE)/ChangeLog
+ for pkg in libpam0g libpam-modules libpam-runtime; do \
+ install -m 0644 -D $(d)/$$pkg.lintian $(d)/$$pkg/usr/share/lintian/overrides/$$pkg || exit; \
+ done
+
+ dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ chgrp shadow $(d)/libpam-modules/sbin/unix_chkpwd
+ chmod 02755 $(d)/libpam-modules/sbin/unix_chkpwd
+ dh_makeshlibs -plibpam0g -V "libpam0g (>= 0.99.10.0)"
+ dh_installdeb -a
+ dh_shlibdeps -a -L libpam0g -l$(CURDIR)/debian/libpam0g/lib
+ dh_gencontrol -a
+ dh_md5sums -a
+ dh_builddeb -a
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary patch unpatch install configure
--- pam-1.0.1.orig/debian/libpam-runtime.links
+++ pam-1.0.1/debian/libpam-runtime.links
@@ -0,0 +1 @@
+usr/share/man/man7/PAM.7.gz usr/share/man/man7/pam.7.gz
--- pam-1.0.1.orig/debian/control
+++ pam-1.0.1/debian/control
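Review bot: The configure-stamp recipe in debian/rules passes `--disable-audit` with no comment, so the PAM libraries and modules are built without Linux audit support and will not emit audit records for authentication events. If that is intentional, record why above the `cd $(BUILD_TREE) && \` line, e.g. `# --disable-audit: <reason>; PAM will not emit audit records`, so that anyone relying on audit-based login monitoring knows the gap is deliberate. Separately, in binary-arch the `chgrp shadow` / `chmod 02755` pair on unix_chkpwd only survives because it runs after `dh_fixperms -a`. A comment such as `# must stay after dh_fixperms, which resets ownership and strips the setgid bit` would protect that ordering.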
@@ -0,0 +1,93 @@
+Source: pam
+Section: libs
+Priority: optional
+Uploaders: Karl Ramm , Sam Hartman , Roger Leigh
+Maintainer: Ubuntu Core Developers
+XSBC-Original-Maintainer: Steve Langasek
+Standards-Version: 3.8.0
+Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper, quilt, flex, libdb-dev, libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64 !netbsd-i386], po-debconf
+Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m
+Build-Conflicts-Indep: fop
+Build-Conflicts: libdb4.2-dev, libxcrypt-dev
+Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/pam/ubuntu
+Homepage: http://pam.sourceforge.net/
+
+Package: libpam0g
+Priority: required
+Architecture: any
+Conflicts: libpam0 (<= 0.56-2), libpam
+Replaces: libpam0g-util
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime
+Suggests: libpam-doc
+Description: Pluggable Authentication Modules library
+ Contains the C shared library for Linux-PAM, a suite of shared
+ libraries that enable the local system administrator to choose how
+ applications authenticate users. In other words, without rewriting
+ or recompiling a PAM-aware application, it is possible to switch
+ between the authentication mechanism(s) it uses. One may entirely
+ upgrade the local authentication system without touching the
+ applications themselves.
+
+Package: libpam-modules
+Section: admin
+Priority: required
+Architecture: any
+Pre-Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: libpam0g-modules (= 0.66-1), libpam-motd, libpam-mkhomedir, libpam-umask, suidmanager (<< 0.50)
+Depends: base-files (>= 5.0.0ubuntu6)
+Replaces: libpam0g-util, libpam-umask
+Provides: libpam-motd, libpam-mkhomedir, libpam-umask
+Description: Pluggable Authentication Modules for PAM
+ This package completes the set of modules for PAM. It includes the
+ pam_unix_*.so module as well as some specialty modules.
+
+Package: libpam-runtime
+Section: admin
+Priority: required
+Architecture: all
+Depends: debconf (>= 1.5.19)
+Replaces: libpam0g-util, libpam0g-dev
+Conflicts: libpam0g-util, libpam0g (<< 0.66-0)
+Description: Runtime support for the PAM library
+ Contains configuration files and directories required for
+ authentication to work on Debian systems. This package is required
+ on almost all installations.
+
+Package: libpam0g-dev
+Section: libdevel
+Priority: optional
+Architecture: any
+Depends: libpam0g (= ${binary:Version}), libc6-dev|libc-dev
+Conflicts: libpam-dev, libpam-dbg
+Replaces: libpam0g (<= 0.65)
+Provides: libpam-dev
+Description: Development files for PAM
+ Contains C header files and development shared libraries for libpam, the
+ pluggable authentication modules, a suite of shared libraries that enable
+ the local system administrator to choose how applications authenticate
+ users.
+ .
+ PAM decouples applications from the authentication mechanism, making it
+ possible to upgrade the authentication system without recompiling or
+ rewriting the applications.
+
+Package: libpam-cracklib
+Section: admin
+Priority: optional
+Architecture: any
+Replaces: libpam0g-cracklib
+Depends: ${shlibs:Depends}, libpam-runtime (>= 1.0.1-6), cracklib-runtime, wamerican | wordlist
+Description: PAM module to enable cracklib support
+ This package includes libpam_cracklib, a PAM module that tests
+ passwords to make sure they are not too weak during password change.
+
+Package: libpam-doc
+Provides: pam-doc
+Section: doc
+Priority: optional
+Architecture: all
+Description: Documentation of PAM
+ Contains documentation (in HTML, ASCII, and PostScript format) for
+ libpam, the Pluggable Authentication Modules library, a suite of shared
+ libraries that enable the local system administrator to choose how
+ applications authenticate users.
--- pam-1.0.1.orig/debian/libpam-doc.doc-base.applications-guide
+++ pam-1.0.1/debian/libpam-doc.doc-base.applications-guide
@@ -0,0 +1,17 @@
+Document: pam-applications-guide
+Title: The Linux-PAM Application Developers' Guide
+Author: Andrew G. Morgan
+Abstract: This manual documents what an application developer needs to know
+ about the Linux-PAM library. It describes how an application might use
+ the Linux-PAM library to authenticate users. In addition it contains a
+ description of the funtions to be found in libpam_misc library, that can
+ be used in general applications. Finally, it contains some comments on PAM
+ related security issues for the application developer.
+Section: Programming
+
+Format: HTML
+Index: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html
+Files: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html /usr/share/doc/libpam-doc/html/adg*.html
+
+Format: text
+Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_ADG.txt.gz
--- pam-1.0.1.orig/debian/libpam-modules.templates
+++ pam-1.0.1/debian/libpam-modules.templates
@@ -0,0 +1,9 @@
+Template: libpam-modules/disable-screensaver
+Type: error
+_Description: xscreensaver and xlockmore must be restarted before upgrading
+ One or more running instances of xscreensaver or xlockmore have been
+ detected on this system. Because of incompatible library changes, the
+ upgrade of the libpam-modules package will leave you unable to
+ authenticate to these programs. You should arrange for these programs
+ to be restarted or stopped before continuing this upgrade, to avoid
+ locking your users out of their current sessions.
--- pam-1.0.1.orig/debian/libpam-runtime.manpages
+++ pam-1.0.1/debian/libpam-runtime.manpages
@@ -0,0 +1,5 @@
+debian/tmp/usr/share/man/man5/pam.conf.5
+debian/tmp/usr/share/man/man5/pam.d.5
+debian/tmp/usr/share/man/man8/PAM.8
+debian/local/pam_getenv.8
+debian/local/pam-auth-update.8
--- pam-1.0.1.orig/debian/libpam-modules.links
+++ pam-1.0.1/debian/libpam-modules.links
@@ -0,0 +1,5 @@
+/lib/security/pam_unix.so /lib/security/pam_unix_acct.so
+/lib/security/pam_unix.so /lib/security/pam_unix_auth.so
+/lib/security/pam_unix.so /lib/security/pam_unix_passwd.so
+/lib/security/pam_unix.so /lib/security/pam_unix_session.so
+/lib/security/pam_rhosts.so /lib/security/pam_rhosts_auth.so
--- pam-1.0.1.orig/debian/libpam0g.postinst
+++ pam-1.0.1/debian/libpam0g.postinst
@@ -0,0 +1,231 @@
+#!/bin/bash
+
+# postinst based heavily on the postinst of libssl0.9.8, courtesy of
+# Christoph Martin.
+
+. /usr/share/debconf/confmodule
+
+set -e
+
+# element() is a helper function for file-rc:
+element() {
+ local element list IFS
+
+ element="$1"
+
+ [ "$2" = "in" ] && shift
+ list="$2"
+ [ "$list" = "-" ] && return 1
+ [ "$list" = "*" ] && return 0
+
+ IFS=","
+ set -- $list
+ case $element in
+ "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9")
+ return 0
+ esac
+ return 1
+}
+
+# filerc (runlevel, service) returns /etc/init.d/service, if service is
+# running in $runlevel:
+filerc() {
+ local runlevel basename
+ runlevel=$1
+ basename=$2
+ while read LINE
+ do
+ case $LINE in
+ \#*|"") continue
+ esac
+
+ set -- $LINE
+ SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4"
+ [ "$CMD" = "/etc/init.d/$basename" ] || continue
+
+ if element "$runlevel" in "$START" || element "S" in "$START"
+ then
+ echo "/etc/init.d/$basename"
+ return 0
+ fi
+ done < /etc/runlevel.conf
+ echo ""
+}
+
+installed_services() {
+ check="$@"
+
+ # Only get the ones that are installed, and configured
+ check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
+
+ # some init scripts don't match the package names
+ check=$(echo $check | \
+ sed -e's/\bapache2-common\b/apache2/g' \
+ -e's/\bat\b/atd/g' \
+ -e's/\bdovecot-common\b/dovecot/g' \
+ -e's/\bdante-server\b/danted/g' \
+ -e's/\bexim4-base\b/exim4/g' \
+ -e's/\bheartbeat-2\b/heartbeat/g' \
+ -e's/\bhylafax-server\b/hylafax/g' \
+ -e's/\bpartimage-server\b/partimaged/g' \
+ -e's/\bsasl2-bin\b/saslauthd/g' \
+ )
+
+ for service in $check; do
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ idl=$(ls /etc/init.d/${service} 2> /dev/null | head -n 1)
+ if [ -n "$idl" ] && [ -x $idl ]; then
+ services="$service $services"
+ else
+ echo "WARNING: init script for $service not found." >&2
+ fi
+ else
+ if [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
+ idl=$(filerc $rl $service)
+ else
+ idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
+ fi
+ if [ -n "$idl" ] && [ -x $idl ]; then
+ services="$service $services"
+ fi
+ fi
+ done
+ echo "$services"
+}
+
+if [ "$1" = "configure" ]
+then
+ if [ ! -z "$2" ]; then
+ if dpkg --compare-versions "$2" lt 0.99.10.0; then
+ db_version 2.0
+
+ echo -n "Checking for services that may need to be restarted..."
+
+ check="apache2-common at bayonne cherokee courier-authdaemon"
+ check="$check cron cups"
+ check="$check dante-server diald dovecot-common exim exim4-base"
+ check="$check fcron fireflier-server freeradius gdm heartbeat"
+ check="$check heartbeat-2 hylafax-server iiimf-server inn2"
+ check="$check kannel linesrv linesrv-mysql lsh-server"
+ check="$check muddleftpd netatalk nuauth partimage-server"
+ check="$check perdition pgpool popa3d postgresql-7.4"
+ check="$check postgresql-8.1 postgresql-8.2 proftpd pure-ftpd"
+ check="$check pure-ftpd-ldap pure-ftpd-mysql"
+ check="$check pure-ftpd-postgresql racoon samba sasl2-bin"
+ check="$check sfs-server solid-pop3d squid squid3 tac-plus"
+ check="$check vsftpd wu-ftpd wzdftpd xrdp yardradius yaws"
+
+ if ! who | awk '{print $2}'|grep -q ':[0-9]'; then
+ check="$check kdm wdm xdm"
+ fi
+
+ echo "Checking init scripts..."
+ services=$(installed_services "$check")
+ if [ -n "$services" ]; then
+ db_reset libpam0g/restart-services
+ db_set libpam0g/restart-services "$services"
+ question_priority="critical"
+ # Do not prompt when we're running in the upgrade-manager
+ # and only default services need restarting.
+ nondefault_services=$(echo "$services" | sed \
+ -e's/\batd\b//g' \
+ -e's/\bcron\b//g' \
+ -e's/\bcups\b//g' \
+ -e's/\bgdm\b//g' \
+ -e's/\bkdm\b//g' \
+ -e's/\bsamba\b//g' \
+ -e's/^ *//g')
+ if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] && [ -z "$nondefault_services" ]; then
+ question_priority="medium"
+ fi
+ db_input "$question_priority" libpam0g/restart-services || true
+ db_go || true
+ db_get libpam0g/restart-services
+
+ if [ "x$RET" != "x" ]
+ then
+ services=$RET
+ else
+ services=""
+ fi
+ echo
+ if [ "$services" != "" ]; then
+ echo "Restarting services possibly affected by the upgrade:"
+ failed=""
+ rl=$(runlevel | sed 's/.*\ //')
+ for service in $services; do
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ idl="invoke-rc.d ${service}"
+ elif [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
+ idl=$(filerc $rl $service)
+ else
+ idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
+ fi
+
+ case "$service" in
+ gdm)
+ echo -n " $service: reloading..."
+ if $idl reload > /dev/null 2>&1; then
+ echo "done."
+ else
+ echo "FAILED! ($?)"
+ failed="$service $failed"
+ fi
+ continue
+ ;;
+ esac
+ echo -n " $service: stopping..."
+ $idl stop > /dev/null 2>&1 || true
+ sleep 1
+ echo -n "starting..."
+ if $idl start > /dev/null 2>&1; then
+ echo "done."
+ else
+ echo "FAILED! ($?)"
+ failed="$service $failed"
+ fi
+ done
+ echo
+ if [ -n "$failed" ]; then
+ db_subst libpam0g/restart-failed services "$failed"
+ db_input critical libpam0g/restart-failed || true
+ db_go || true
+ else
+ echo "Services restarted successfully."
+ fi
+ echo
+ fi
+ else
+ echo "Nothing to restart."
+ fi
+
+ if who | awk '{print $2}' | grep -q ':[0-9]'; then
+ dms=""
+ for service in kdm wdm xdm; do
+ case "$services" in
+ *$service*) ;;
+ *) dms="$dms $service"
+ esac
+ done
+ services=$(installed_services "$dms")
+ if [ -n "$services" ]; then
+ if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] \
+ && [ -x /usr/share/update-notifier/notify-reboot-required ]
+ then
+ /usr/share/update-notifier/notify-reboot-required
+ else
+ db_input critical libpam0g/xdm-needs-restart || true
+ db_go || true
+ fi
+ fi
+ fi
+
+ # Shut down the frontend, to make sure none of the
+ # restarted services keep a connection open to it
+ db_stop
+ fi # end upgrading and $2 lt 0.99.10.0
+ fi # Upgrading
+fi
+
+#DEBHELPER#
+
--- pam-1.0.1.orig/debian/libpam-runtime.dirs
+++ pam-1.0.1/debian/libpam-runtime.dirs
@@ -0,0 +1 @@
+/var/lib/pam
--- pam-1.0.1.orig/debian/libpam0g.templates
+++ pam-1.0.1/debian/libpam0g.templates
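Review bot: installed_services() in debian/libpam0g.postinst shares the globals `services` and `rl` with the main body, and both are in the wrong state when it is called. `rl` is first assigned inside the restart loop, after `services=$(installed_services "$check")`, so on a system without invoke-rc.d the `filerc $rl` and `/etc/rc${rl}.d/S??…` lookups run with an empty runlevel (unless the sourced confmodule sets it, which is not visible here) and may find nothing, leaving daemons running against the old libpam. `services` is never reset inside the function, so the second call for kdm/wdm/xdm starts from the list that was just restarted and can return a non-empty result, raising the xdm-needs-restart prompt or the reboot notice with no display manager installed. Declare `local check services=""` at the top of the function and move `rl=$(runlevel | sed 's/.*\ //')` above the first call.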
@@ -0,0 +1,26 @@
+Template: libpam0g/restart-services
+Type: string
+_Description: Services to restart for PAM library upgrade:
+ Most services that use PAM need to be restarted to use modules built for
+ this new version of libpam. Please review the following space-separated
+ list of init.d scripts for services to be restarted now, and correct it
+ if needed.
+
+Template: libpam0g/xdm-needs-restart
+Type: error
+_Description: Display manager must be restarted manually
+ The kdm, wdm, and xdm display managers require a restart for the new
+ version of libpam, but there are X login sessions active on your system that
+ would be terminated by this restart. You will therefore need to restart
+ these services by hand before further X logins will be possible.
+
+Template: libpam0g/restart-failed
+Type: error
+#flag:translate!:3
+_Description: Failure restarting some services for PAM upgrade
+ The following services could not be restarted for the PAM library upgrade:
+ .
+ ${services}
+ .
+ You will need to start these manually by running
+ '/etc/init.d/ start'.
--- pam-1.0.1.orig/debian/libpam-modules.examples
+++ pam-1.0.1/debian/libpam-modules.examples
@@ -0,0 +1,2 @@
+modules/pam_filter/upperLOWER/*.c
+
--- pam-1.0.1.orig/debian/changelog
+++ pam-1.0.1/debian/changelog
@@ -0,0 +1,2747 @@ +pam (1.0.1-9ubuntu3) karmic; urgency=low + + * Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure + run-parts does the right thing in /etc/update-motd.d. + + -- Steve Langasek Wed, 15 Jul 2009 23:55:50 -0700 + +pam (1.0.1-9ubuntu2) karmic; urgency=low + + [ Dustin Kirkland ] + * debian/patches/update-motd: run the update-motd scripts in pam_motd; + render update-motd obsolete, LP: #399071 + * debian/patches-applied/pam_motd-legal-notice: display the contents of + /etc/legal once, then set a flag in the user's homedir to prevent showing + it again. + + -- Steve Langasek Wed, 15 Jul 2009 20:41:52 -0700 + +pam (1.0.1-9ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. 
+ + -- Steve Langasek Fri, 20 Mar 2009 19:12:10 -0700 + +pam (1.0.1-9) unstable; urgency=low + + * Move the pam module packages to section 'admin'. + * 027_pam_limits_better_init_allow_explicit_root: defaults need to be + declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise + global limits will fail to be applied. LP: #314222. + + -- Steve Langasek Fri, 20 Mar 2009 19:48:47 -0700 + +pam (1.0.1-8) unstable; urgency=low + + * Updated debconf translations: + - Bulgarian, thanks to Damyan Ivanov (closes: #518121) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #518214) + - Swedish, thanks to Martin Bagge (closes: #518324) + - Vietnamese, thanks to Clytie Siddall + (closes: #518329) + - Japanese, thanks to Kenshi Muto (closes: #518335) + - Slovak, thanks to Ivan Masár (closes: #518341) + - Czech, thanks to Miroslav Kure (closes: #518992) + - Portuguese, thanks to Américo Monteiro + (closes: #519204) + - Galician, thanks to Marce Villarino + (closes: #519447) + - Romanian, thanks to Eddy Petrișor + (closes: #520552) + * 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK + limit correctly to match the kernel default, which is not RLIM_INFINITY. + Closes: #472629. + + -- Steve Langasek Fri, 20 Mar 2009 18:15:07 -0700 + +pam (1.0.1-7ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. 
+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/common-password, debian/pam-configs/unix: switch from + "md5" to "sha512" as password crypt default. + * Dropped changes, merged in Debian: + - debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + - New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + - debian/patches/027_pam_limits_better_init_allow_explicit_root: + Add documentation to the patch showing how to set limits for root. + * Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6, + reducing the delta with Debian. + * Drop upgrade handling code from libpam-runtime.postinst that's only + needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid + pre-release version of the package. 
+ * pam-auth-update: swap out known md5sums from intrepid pre-release versions + with the md5sums from the released intrepid version + * pam-auth-update: drop some md5sums that will only be seen on upgrade from + pre-intrepid versions; skipping over the 8.10 final release is not + supported, and upgrading via 8.10 means those config files will be + replaced so the old md5sums will never be seen again. + + -- Steve Langasek Tue, 03 Mar 2009 17:34:19 -0800 + +pam (1.0.1-7) unstable; urgency=low + + * 027_pam_limits_better_init_allow_explicit_root: + - fix the patch so that our limit resets are actually *applied*, + which has apparently been broken for who knows how long! + - shadow the finite kernel defaults for RLIMIT_SIGPENDING and + RLIMIT_MSGQUEUE as well, so that the preceding change doesn't + suddenly expose systems to DoS or other issues. + - include documentation in the patch, giving examples of how to set + limits for root. Thanks to Jonathan Marsden. + * pam-auth-update: swap out known md5sums from intrepid pre-release + versions with the md5sums from the released intrepid version + * pam-auth-update: set the umask, so we don't accidentally mark + /etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching. + Closes: #518042. + + -- Steve Langasek Tue, 03 Mar 2009 17:18:42 -0800 + +pam (1.0.1-6) unstable; urgency=low + + * Updated debconf translations: + - Vietnamese, thanks to Clytie Siddall + * New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + * debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. 
+ + -- Steve Langasek Sat, 28 Feb 2009 13:36:57 -0800 + +pam (1.0.1-5ubuntu2) jaunty; urgency=low + + * New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + + -- Steve Langasek Fri, 27 Feb 2009 16:20:24 -0800 + +pam (1.0.1-5ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable + * Remaining changes: + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. (should send to Debian). + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running. + - debian/patches-applied/series: Ubuntu patches are as below ... + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic + module option 'missingok' which will suppress logging of errors by + libpam if the module is not found. + - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for + password on bad username. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - Change Vcs-Bzr to point at the Ubuntu branch. + - debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. 
+ - debian/local/common-password, debian/pam-configs/unix: switch from
+ "md5" to "sha512" as password crypt default.
+ * Bump the version numbers referenced in the config files, again, as pam
+ has revved in Debian and moved the bar.
+ * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
+ as a present but empty file; thanks to Greg Price for the patch.
+ LP: #294513.
+ * pam-auth-update: Ignore removed profiles when detecting an empty set
+ of currently-enabled modules. Thanks to Greg Price for this as well.
+ * debian/control: libpam-runtime needs a versioned dependency on
+ debconf, because it uses the x_loadtemplatefile extension that's
+ not supported by debconf versions before hardy. LP: #295135.
+ * pam-auth-update: trim leading whitespace from multiline fields when
+ parsing PAM profiles. LP: #295441.
+ * pam-auth-update: factor out the duplicate code used for returning
+ the lines for a given module
+
+ [ Jonathan Marsden ]
+ * debian/patches/027_pam_limits_better_init_allow_explicit_root:
+ Add to patch, documenting how to set limits for root user.
+ Include an example. Alters limits.conf, limits.conf.5.xml,
+ and limits.conf.5 . (LP: #65244)
+
+ -- Steve Langasek Thu, 08 Jan 2009 20:26:25 +0000
+
+pam (1.0.1-5) unstable; urgency=low
+
+ * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as
+ a dependency of libpam-modules if it's installed during the build.
+ Thanks to Larry Doolittle for catching.
+ * Don't refer to gnome-screensaver in the debconf template; it isn't
+ actually affected by the libpam symbol issue because it forks a separate
+ process to display the screensaver dialog.
+ * Have libpam-modules Pre-Depend on ${misc:Depends}, so that we can
+ warn users about needing to disable xscreensaver and xlockmore
+ before libpam-modules is unpacked. Closes: #502140, LP: #256238.
+ * Updated debconf translations for the new template:
+ - Italian, thanks to David Paleino
+ - Simplified Chinese, thanks to Deng Xiyue
+ (closes: #510371)
+ - Portuguese, thanks to Américo Monteiro
+ - Swedish, thanks to Martin Bagge (closes: #510379)
+ - Japanese, thanks to Kenshi Muto (closes: #510380)
+ - Finnish, thanks to Esko Arajärvi (closes: #510382)
+ - Spanish, thanks to Javier Fernandez-Sanguino Peña
+ (closes: #510389)
+ - Galician, thanks to Marce Villarino
+ - Slovak, thanks to helix84 (closes: #510412)
+ - Bulgarian, thanks to Damyan Ivanov
+ - Czech, thanks to Miroslav Kure <
+ (closes: #510608)
+ - French, thanks to Steve Petruzzello
+ - German, thanks to Sven Joachim (closes: #510617)
+ - Basque, thanks to Piarres Beobide
+ (closes: #510699)
+ - Russian, thanks to Yuri Kozlov (closes: #510701)
+ - Turkish, thanks to Mert Dirik (closes: #510707)
+
+ -- Steve Langasek Tue, 06 Jan 2009 00:05:13 -0800
+
+pam (1.0.1-4ubuntu5.4) jaunty; urgency=low
+
+ * No-change upload to jaunty to fix publication on armel.
+
+ -- Colin Watson Tue, 18 Nov 2008 14:09:00 +0000
+
+pam (1.0.1-4ubuntu5.3) intrepid-updates; urgency=low
+
+ * No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
+ copied while some ports were not built yet.
+
+ -- Martin Pitt Tue, 11 Nov 2008 14:50:12 +0100
+
+pam (1.0.1-4ubuntu5.2) intrepid-proposed; urgency=low
+
+ * No-change rebuild because the archive admin (me) copied the package
+ to jaunty too soon.
+
+ -- Steve Langasek Wed, 05 Nov 2008 20:28:11 +0000
+
+pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low
+
+ * Allow passwords to change on expired accounts, by passing
+ new_authtok_reqd return codes immediately (LP: #291091).
+
+ -- Kees Cook Wed, 05 Nov 2008 09:31:45 -0800
+
+pam (1.0.1-4ubuntu5) intrepid; urgency=low
+
+ * debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of
+ default desktop services that are ignored in deciding whether to prompt
+ for service restarts on upgrade.
Partially addresses LP #278117.
+ * debian/libpam0g.postinst: also filter out samba, which may be installed
+ on the desktop to enable filesharing.
+ * debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the
+ ubiquitous debhelper tokens (currently a no-op)
+ * pam-auth-update: Use -Initial only for the first profile, even when
+ there's no explicit -Initial config for that first profile
+ * fix common-session/common-password to use the same overall stack
+ structure as auth/account, so that we get the correct behavior when
+ all password modules fail. LP: #272232.
+
+ -- Steve Langasek Wed, 15 Oct 2008 18:11:13 -0700
+
+pam (1.0.1-4ubuntu4) intrepid; urgency=low
+
+ * Fix a bug in the parser that caused spewing of errors when there
+ were more lines in the config file following the managed block.
+ LP: #270328.
+
+ -- Steve Langasek Tue, 23 Sep 2008 06:34:56 +0000
+
+pam (1.0.1-4ubuntu3) intrepid; urgency=low
+
+ * Fix up the code that saves state to /var/lib/pam, so that it matches
+ what's expected by the code which later compares the saved and active
+ profiles in the case that there are both primary and additional
+ modules present.
+
+ -- Steve Langasek Tue, 16 Sep 2008 06:49:56 +0000
+
+pam (1.0.1-4ubuntu2) intrepid; urgency=low
+
+ * Brown paper bag bug: fix a missing comma in pam-auth-update.
+
+ -- Steve Langasek Sat, 13 Sep 2008 08:55:32 +0000
+
+pam (1.0.1-4ubuntu1) intrepid; urgency=low
+
+ * Merge from Debian unstable
+ * Remaining changes:
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf. (should send to Debian).
+ - debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running.
+ - debian/patches-applied/series: Ubuntu patches are as below ...
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
+ module option 'missingok' which will suppress logging of errors by
+ libpam if the module is not found.
+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
+ password on bad username.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits.
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ - Change Vcs-Bzr to point at the Ubuntu branch.
+ - debian/local/pam-auth-update (et al): new interface for managing
+ /etc/pam.d/common-*, using drop-in config snippets provided by module
+ packages.
+ - debian/local/common-password, debian/pam-configs/unix: switch from
+ "md5" to "sha512" as password crypt default.
+ * Bump the version numbers referenced in the config files, again, as pam
+ has revved in Debian and moved the bar.
+ * debian/pam-config/*: refine the password profiles to use a 'primary'
+ block, to better parallel the auth structure.
+ * Drop '-Final' from the field names in /usr/share/pam-configs, supporting
+ these field names for backwards compatibility only
+ * Bump the dependency version requirement to 1.0.1-4ubuntu1 for the above
+ change
+
+ -- Steve Langasek Sat, 13 Sep 2008 08:55:19 +0000
+
+pam (1.0.1-4) unstable; urgency=high
+
+ * High-urgency upload for RC bugfix.
+
+ [ Julien Cristau ]
+ * pam_unix-chkpwd-wait: don't assume that the unix_chkpwd process exits
+ normally; if it was killed by a signal, we don't want to accept the
+ password. Closes: #495879.
+
+ [ Steve Langasek ]
+ * 007_modules_pam_unix: update the manpage at the same time as the xml
+ source (grr, autogenerated files in source packages). Closes: #495804.
+ * 055_pam_unix_nullok_secure: also don't call the helper at all from
+ _unix_blankpasswd when we can detect that null passwords are disallowed,
+ to avoid causing spammy logs on successful authentications.
+ Closes: #496620.
+ * debian/rules: call chgrp *before* calling chmod, lest the sgid bit
+ on unix_chkpwd be cleared during the build when using -rsudo.
+ Closes: #496983.
+
+ -- Steve Langasek Thu, 28 Aug 2008 22:59:23 -0700
+
+pam (1.0.1-3ubuntu5) intrepid; urgency=low
+
+ [ Steve Langasek ]
+ * Never remove the .pam-old files; just avoid creating them if --force isn't
+ set.
+ * Add a manpage for pam-auth-update.
+ * Automatically upgrade the boilerplate for /etc/pam.d/common-* if we
+ detect that they have not been locally modified.
+
+ [ Kees Cook ]
+ * debian/local/common-password, debian/pam-configs/unix: switch from "md5"
+ to "sha512" as password crypt default.
+
+ -- Steve Langasek Tue, 26 Aug 2008 06:33:07 +0000
+
+pam (1.0.1-3ubuntu4) intrepid; urgency=low
+
+ * If two profiles have the same Priority, sort by the profile name to
+ ensure a complete sort so we can filter out all the duplicates from the
+ list and not write out broken configs. LP: #260371.
+
+ -- Steve Langasek Fri, 22 Aug 2008 17:33:14 +0000
+
+pam (1.0.1-3ubuntu3) intrepid; urgency=low
+
+ * s/pam-auth-config/pam-auth-update/ in the source, I can't seem to get
+ this name consistent to save my life - I'm starting to think I named it
+ wrong...
+ * Fix the regex used when suppressing jump counts when reading the saved
+ config, so that we don't clobber module options with numbers in them.
+ * If the target doesn't already exist, don't try to copy it.
+ * Filter the config list to exclude configs that no longer exist.
+ LP: #260122.
+ * Avoid unnecessary sort/grep in the case where we already have a sorted
+ list.
+ * Implement pam-auth-update --remove, for use in package prerms when called
+ with "remove".
+
+ -- Steve Langasek Thu, 21 Aug 2008 15:38:37 -0700
+
+pam (1.0.1-3ubuntu2) intrepid; urgency=high
+
+ * debian/local/common-session: the session stack needs to be handled the
+ same way as the password stack, with the possibility of zero primary
+ modules; required to fix build failures on the Ubuntu buildds due to
+ su not being able to open sessions by default. LP: #259867.
+ * debian/libpam-runtime.postinst: when upgrading from the broken
+ 1.0.1-2ubuntu1 version, manually edit /etc/pam.d/common-session to
+ recover.
+
+ -- Steve Langasek Wed, 20 Aug 2008 13:27:10 -0700
+
+pam (1.0.1-3ubuntu1) intrepid; urgency=low
+
+ * Merge from Debian unstable
+ * Remaining changes:
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf. (should send to Debian).
+ - debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running.
+ - debian/patches-applied/series: Ubuntu patches are as below ...
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
+ module option 'missingok' which will suppress logging of errors by
+ libpam if the module is not found.
+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
+ password on bad username.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits.
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ - Change Vcs-Bzr to point at the Ubuntu branch.
+ - debian/local/pam-auth-update (et al): new interface for managing
+ /etc/pam.d/common-*, using drop-in config snippets provided by module
+ packages.
+ * Remove spurious 'conflict' with a non-existent module, which was added
+ just as an example
+
+ -- Steve Langasek Wed, 20 Aug 2008 11:58:35 -0700
+
+pam (1.0.1-3) unstable; urgency=high
+
+ * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL
+ tty argument, since this will cause our helper to segfault instead of
+ returning a useful value. Thanks to Troy Davis for the report.
+ Closes: #495806.
+
+ -- Steve Langasek Wed, 20 Aug 2008 11:55:47 -0700
+
+pam (1.0.1-2ubuntu1) intrepid; urgency=low
+
+ * Merge from Debian unstable
+ * Remaining changes:
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf. (should send to Debian).
+ - debian/libpam-runtime.postinst,
+ debian/local/common-{auth,password}{,.md5sums}:
+ Use the new 'missingok' option by default for pam_smbpass in case
+ libpam-smbpass is not installed (LP: #216990); must use "requisite"
+ rather than "required" to prevent "pam_smbpass migrate" from firing in
+ the event of an auth failure; md5sums updated accordingly.
+ - debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running.
+ - debian/patches-applied/series: Ubuntu patches are as below ...
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
+ module option 'missingok' which will suppress logging of errors by
+ libpam if the module is not found.
+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
+ password on bad username.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits.
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ - Change Vcs-Bzr to point at the Ubuntu branch.
+ * debian/local/pam-auth-update (et al): new interface for managing
+ /etc/pam.d/common-*, using drop-in config snippets provided by module
+ packages.
+
+ -- Steve Langasek Wed, 20 Aug 2008 09:17:28 +0000
+
+pam (1.0.1-2) unstable; urgency=low
+
+ * 007_modules_pam_unix: update the documentation to correctly document
+ the default minimum password length is 6, not 1.
+ * Look for cups instead of cupsys as an init script name when restarting
+ services; thanks to Stephen Olander-Waters for pointing this out.
+ Closes: #492977.
+ * Update the Debian PAM mini-policy to remove references to the
+ long-obsolete pam_pwdb, and clarify the relationship between pam_stack
+ and @include.
+ * Drop various bits of unused cruft from the debian/ directory.
+ * Drop libpam-runtime.preinst, only used for upgrades from woody to sarge
+ to deal with modified conffiles.
+ * Build-Conflict with libdb4.2-dev, which satisfies the libdb-dev
+ build-dependency but causes pam_userdb to be silently omitted.
+ Closes: #493574.
+ * 054_pam_security_abstract_securetty_handling: move the warning log about
+ an insecure tty back to pam_securetty proper; we don't want to generate
+ log messages every time pam_unix is called as non-root.
+ Closes: #493283. As a side-effect, pam_unix no longer logs any warnings
+ about NULL password + insecure tty, but I don't think this is critical.
+
+ -- Steve Langasek Fri, 08 Aug 2008 10:47:26 -0700
+
+pam (1.0.1-1ubuntu1) intrepid; urgency=low
+
+ * Merge from Debian unstable
+ * Dropped changes:
+ - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
+ is 2 years newer than Debian's, contains a number of character escaping
+ fixes plus content updates
+ - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
+ correctly support seusers (backported from changes in PAM 0.99.8).
+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
+ The nis package handles overriding this as necessary.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Bound RLIMIT_NICE
+ from below as well as from above. Fix off-by-one error when converting
+ RLIMIT_NICE to the range of values used by the kernel.
+ * Remaining changes:
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf. (should send to Debian).
+ - debian/libpam-runtime.postinst,
+ debian/local/common-{auth,password}{,.md5sums}:
+ Use the new 'missingok' option by default for pam_smbpass in case
+ libpam-smbpass is not installed (LP: #216990); must use "requisite"
+ rather than "required" to prevent "pam_smbpass migrate" from firing in
+ the event of an auth failure; md5sums updated accordingly.
+ - debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running.
+ - debian/patches-applied/series: Ubuntu patches are as below ...
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
+ module option 'missingok' which will suppress logging of errors by
+ libpam if the module is not found.
+ - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
+ password on bad username.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits.
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ * Refresh patch ubuntu-no-error-if-missingok for the new upstream version.
+ * Change Vcs-Bzr to point at the new Ubuntu branch.
+
+ -- Steve Langasek Mon, 28 Jul 2008 20:58:26 +0000
+
+pam (1.0.1-1) unstable; urgency=low
+
+ * New upstream version.
+ - pam_limits: bound RLIMIT_NICE from below.
Closes: #403718.
+ - pam_mail: set the MAIL variable even when .hushlogin is set.
+ Closes: #421010.
+ - new minclass option introduced for pam_cracklib. Closes: #454237.
+ - fix a failure to check the string length when matching usernames in
+ pam_group. Closes: #444427.
+ - fix setting shell security context in pam_selinux. Closes: #451722.
+ - use --disable-audit, to avoid libaudit being linked in
+ accidentally
+ - pam_unix now supports SHA-256 and SHA-512 password hashes.
+ Closes: #484249, LP: #245786.
+ - pam_rhosts_auth is dropped upstream (closes: #382987); add a compat
+ symlink to pam_rhosts to support upgrades for a release, and give a
+ warning in NEWS.Debian.
+ - new symbol in libpam.so.0, pam_modutil_audit_write; shlibs bump, and
+ do another round of service restarts on upgrade.
+ - pam_unix helper is now called whenever an unprivileged process
+ tries and fails to query a user's account status. Closes: #367834.
+ * Drop patches 006_docs_cleanup, 015_hurd_portability,
+ 019_pam_listfile_quiet, 024_debian_cracklib_dict_path, 038_support_hurd,
+ 043_pam_unix_unknown_user_not_alert, 046_pam_group_example,
+ no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch,
+ pam_tally_audit.patch, 057_pam_unix_passwd_OOM_check, and
+ 065_pam_unix_cracklib_disable which have been merged upstream.
+ * Patch 022_pam_unix_group_time_miscfixes: partially merged upstream;
+ now is really just "pam_group_miscfixes".
+ * Patch 007_modules_pam_unix partially superseded upstream; stripping
+ hpux-style expiry information off of password fields is now supported.
+ * New patch pam_unix_thread-safe_save_old_password.patch, to make sure all
+ our getpwnam() use in pam_unix is thread-safe (fixes an upstream
+ regression)
+ * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
+ regression which prevents sgid shadow apps from being able to authenticate
+ any more because the module forces use of the helper and the helper won't
+ allow authentication of arbitrary users. This change does mean we're
+ going to be noisier for the time being in an SELinux environment, which
+ should be addressed but is not a regression on Debian.
+ * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an
+ upstream change that causes unix_chkpwd to assume that setuid(getuid())
+ is sufficient to drop permissions and attempt any authentication on
+ behalf of the user.
+ * The password-changing helper functionality for SELinux systems has been
+ split out into a separate unix_update binary, so at long last we can
+ change unix_chkpwd to be sgid shadow instead of suid root.
+ Closes: #155583.
+ - Update the lintian override to match.
+ * Install the new unix_update helper into libpam-modules.
+ * Use a pristine upstream tarball instead of repacking; requires various
+ changes to debian/rules and debhelper files.
+ * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn,
+ and how!
+ * Debconf translations:
+ - Romanian, thanks to Igor Stirbu
+ (closes: #491821)
+ * Add libpam0g.symbols, for finer-grained package dependencies with
+ dpkg-gensymbols.
+ * Fix debian/copyright to list the known copyright holders
+ * Fix up the doc-base sections for the libpam-doc documentation, "Apps"
+ should not be part of the section name
+ * Also fix up whitespace issues in the doc-base abstracts
+ * Fix a typo in the libpam0g-dev description.
+ * 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also
+ invalid for RLIMIT_NOFILE, so when resetting the limits for a new session,
+ use the kernel default of 1024 instead. Closes: #404836.
+ * Create /etc/environment on initial install of libpam-modules (or on
+ upgrade from an old version), to quell warnings in the logs about it
+ being missing. Closes: #442049.
+ * 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for
+ the NSS source of our user; this was preventing password changes for NIS
+ users, which otherwise should have worked. Closes: #203222, LP: #9224.
+ * New patch do_not_check_nis_accidentally: respect the 'nis' option
+ (set or unset) when looking up the user's password entry for password
+ changes. Thanks to Quentin Godfroy for the
+ patch. Closes: #469635.
+ * Drop patch 049_pam_unix_sane_locking, which upon review is not needed;
+ it reduces the length of time we hold the lock, but at the expense of
+ being able to enforce minimum times between password changes.
+ * debian/watch: upstream has hit 1.0, so we're no longer in a "pre"
+ directory. Fix up the regex for uscan.
+ * Fix the libpam0g-dev examples directory to not include a gratuitous
+ .cvsignore file.
+ * New patch, pam.d-manpage-section, to fix the manpage references to
+ point to section 5 instead of section 8.
+ * Update patch PAM-manpage-section to fix the references to pam(7) from
+ other manpages. Closes: #470137.
+ * Add debian/README.source documenting that this package uses quilt.
+ * Bump Standards-Version to 3.8.0.
+ * Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks
+ to Tomas Mraz for indirectly bringing this to my
+ attention
+
+ -- Steve Langasek Mon, 28 Jul 2008 13:56:26 -0700
+
+pam (0.99.7.1-7) unstable; urgency=medium
+
+ * Medium-urgency upload for RC bugfix
+ * Debconf translations:
+ - Italian, thanks to David Paleino (closes: #483913)
+ - Slovak, thanks to Ivan Masár (closes: #488908)
+ - Turkish, thanks to Mert Dirik (closes: #490880)
+ - Basque, thanks to Piarres Beobide
+ (closes: #473975)
+ * Drop the 'XS' from Vcs-Svn/Vcs-Browser, since these are now officially
+ recognized fields.
+ * Add a Homepage field. Closes: #473338.
+ * Drop -DCRACKLIB_DICTS from CFLAGS, since the referenced define is no
+ longer provided by cracklib2-dev 2.8 and above. This requires a
+ build-dependency on the corresponding version of libcrack2-dev.
+ Closes: #490236.
+
+ -- Steve Langasek Mon, 21 Jul 2008 11:49:59 -0700
+
+pam (0.99.7.1-6ubuntu2) intrepid; urgency=low
+
+ * debian/libpam-modules.postinst: revert addition of ~/bin to the end of the
+ default PATH set in /etc/environment as it was pointed out by Colin
+ Watson that getenv() does not properly expand '~'
+
+ -- Jamie Strandboge Tue, 24 Jun 2008 06:29:40 -0400
+
+pam (0.99.7.1-6ubuntu1) intrepid; urgency=low
+
+ * Merge from debian unstable
+ * Dropped changes:
+ - Linux-PAM/modules/pam_limits/README,
+ Linux-PAM/modules/pam_selinux/README: Ubuntu versions had some
+ insignificant character differences, dropping in favor of Debian
+ versions; pam_selinux documentation has dropped "multiple", and added
+ "select_context", and "use_current_range" as options.
+ - debian/control, debian/local/common-session{,md5sums}: use
+ libpam-foreground for session management.
+ - Build using db4.5 instead of db4.6.
+ * Remaining changes:
+ - Linux-PAM/modules/pam_selinux/pam_selinux.8: Ubuntu pam_selinux manpage
+ is 2 years newer than Debian's, contains a number of character escaping
+ fixes plus content updates; (should send to Debian).
+ - debian/control: Maintainer updated.
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf; add ~/bin to PATH
+ (LP: #64064); (should send to Debian).
+ - debian/libpam-runtime.postinst,
+ debian/local/common-{auth,password}{,.md5sums}:
+ Use the new 'missingok' option by default for pam_smbpass in case
+ libpam-smbpass is not installed (LP: #216990); must use "requisite"
+ rather than "required" to prevent "pam_smbpass migrate" from firing in
+ the event of an auth failure; md5sums updated accordingly.
+ - debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running (LP: #141309).
+ - debian/applied/series: Ubuntu patches are as below ...
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
+ module option 'missingok' which will suppress logging of errors by
+ libpam if the module is not found.
+ - debian/patches-applied/ubuntu-pam_selinux_seusers: patch pam_selinux to
+ correctly support seusers (backported from changes in PAM 0.99.8).
+ Without this patch login will not get correct security context when
+ using libselinux >= 1.27.2 (LP: #187822).
+ - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
+ earlier behavior would correctly prompt for password on bad usernames
+ (LP: #139075).
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
+ RLIMIT_NICE from below as well as from above. Fix off-by-one error when
+ converting RLIMIT_NICE to the range of values used by the kernel.
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
+ The nis package handles overriding this as necessary.
+ * Alphabetized this merge changelog entry by filename (easier reading
+ against Ubuntu patch).
+
+ -- Dustin Kirkland Fri, 20 Jun 2008 10:32:00 -0500
+
+pam (0.99.7.1-6) unstable; urgency=low
+
+ * Debconf translations:
+ - Updated Vietnamese, thanks to Clytie Siddall
+ (closes: #444437)
+ - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
+ (closes: #444479)
+ - Updated German, thanks to Sven Joachim
+ (closes: #444566)
+ - Galician, thanks to Jacobo Tarrio (closes: #444758)
+ - Updated Czech, thanks to Miroslav Kure
+ (closes: #445022)
+ - French, thanks to Cyril Brulebois
+ (closes: #445869)
+ - Japanese, thanks to Kenshi Muto (closes: #446584)
+ - Dutch, thanks to Bart Cornelis (closes: #448930)
+ - Basque, thanks to Piarres Beobide (closes: #457042)
+ - Updated Finnish, thanks to Esko Arajärvi (closes: #458264)
+ - Swedish, thanks to Christer Andersson
+ (closes: #457674)
+ * Make sure the "audit" option is specified in octal instead of in decimal,
+ so that it doesn't randomly set other options. Thanks to Corey Wright
+ for the catch. Closes: #446327.
+
+ -- Steve Langasek Sun, 16 Mar 2008 02:06:28 -0700
+
+pam (0.99.7.1-5ubuntu8) intrepid; urgency=low
+
+ * debian/libpam-modules.postinst: Add ~/bin to the end of the default PATH
+ set in /etc/environment (LP: #64064).
+
+ -- Dustin Kirkland Thu, 19 Jun 2008 12:52:48 -0500
+
+pam (0.99.7.1-5ubuntu7) intrepid; urgency=low
+
+ * debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
+ module option 'missingok' which will suppress logging of errors by
+ libpam if the module is not found.
+ * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
+ Use the new 'missingok' option by default for pam_smbpass, to
+ correct the problem of very loud logging introduced in the previous
+ upload when libpam-smbpass is not installed. LP: #216990.
+
+ -- Steve Langasek Tue, 22 Apr 2008 18:53:37 +0000
+
+pam (0.99.7.1-5ubuntu6) hardy; urgency=low
+
+ * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
+ Add pam_smbpass as an optional module in the stack, to keep NTLM
+ passwords (for filesharing) in sync with the main system passwords on a
+ best-effort basis. LP: #208419.
+
+ -- Steve Langasek Tue, 08 Apr 2008 18:21:40 +0000
+
+pam (0.99.7.1-5ubuntu5) hardy; urgency=low
+
+ * debian/local/common-session: Drop libpam-foreground. It's gone for good,
+ and we do not want this in the PAM config for new installations, since it
+ just spams syslog with error messages. (LP: #198714)
+
+ -- Martin Pitt Tue, 11 Mar 2008 11:22:11 +0100
+
+pam (0.99.7.1-5ubuntu4) hardy; urgency=low
+
+ * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support
+ seusers (backported from changes in PAM 0.99.8). Without this patch
+ login will not get correct security context when using libselinux
+ >= 1.27.2 (LP: #187822).
+
+ -- Caleb Case Wed, 30 Jan 2008 06:39:48 -0500
+
+pam (0.99.7.1-5ubuntu3) hardy; urgency=low
+
+ * Temporarily reenable libpam-foreground in common-session again, until
+ dbus' at_console policy works with ConsoleKit.
+
+ -- Martin Pitt Thu, 29 Nov 2007 15:17:54 +0100
+
+pam (0.99.7.1-5ubuntu2) hardy; urgency=low
+
+ * debian/local/common-session{,.md5sums}, debian/control: Drop
+ libpam-foreground, superseded by ConsoleKit integration into hal.
+ * debian/control: Build against libdb4.6 again. This drops this Debian delta
+ and 4.6 is our target version in Hardy.
+
+ -- Martin Pitt Thu, 22 Nov 2007 18:56:47 +0100
+
+pam (0.99.7.1-5ubuntu1) gutsy; urgency=low
+
+ * Resynchronise with Debian.
Remaining changes:
+ - debian/control, debian/local/common-session{,md5sums}: use
+ libpam-foreground for session management.
+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
+ The nis package handles overriding this as necessary.
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf.
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
+ RLIMIT_NICE from below as well as from above. Fix off-by-one error when
+ converting RLIMIT_NICE to the range of values used by the kernel.
+ (Originally patch 101; converted to quilt.)
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
+ earlier behavior would correctly prompt for password on bad usernames
+ (LP: #139075).
+ - Build using db4.5 instead of db4.6.
+ - debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running (LP: #141309).
+ * debian/libpam0g.postinst: don't display a debconf warning about display
+ managers that need restarting when update-manager is running, instead
+ signal to update-notifier if a reboot is required.
+
+ -- Steve Langasek Fri, 28 Sep 2007 23:45:24 -0700
+
+pam (0.99.7.1-5) unstable; urgency=low
+
+ * More lintian overrides, related to debconf prompting in the postinst
+ * Debconf translations:
+ - Brazilian Portuguese, thanks to Eder L.
Marques
+ (closes: #440385)
+ - Russian, thanks to Yuri Kozlov
+ (closes: #440390, #440953, #444039)
+ - Bulgarian, thanks to Damyan Ivanov
+ (closes: #441863)
+ - Finnish, thanks to Esko Arajärvi (closes: #443720)
+ - Simplified Chinese, thanks to Ming Hua
+ (closes: #443924)
+ - Updated Portuguese, thanks to Américo Monteiro
+ - Updated Vietnamese, thanks to Clytie Siddall
+ (closes: #440800)
+ - Updated German, thanks to Sven Joachim
+ - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
+
+ - Updated Czech, thanks to Miroslav Kure
+ (closes: #441325)
+ * Further cleanups of 007_modules_pam_unix -- don't use a global variable
+ for pass_min_len, don't gratuitously move the length checking into the
+ "obscure" checks, and internationalize the error strings.
+ * Stop overriding the built-in default minimum password length in
+ /etc/pam.d/common-password, and also drop the "max" option which has now
+ been obsoleted.
+ * Fix up the comments in /etc/pam.d/common-password to make it clear that
+ the options are specific to pam_unix. Closes: #414559.
+ * Patch 038: fix another thinko in the getline handling. Closes: #442276.
+ * If there are active X logins, don't restart kdm, wdm, and xdm by default;
+ instead, display a debconf error if they haven't been restarted.
+ Closes: #441843.
+ * Drop the local patch for Linux capabilities in pam_limits; Linux
+ capabilities are not generally useful in a PAM context, and the PAM
+ capabilities patch has been broken through much of its life.
+ Closes: #440130.
+ * -Wl,-z,defs was never enabled correctly, drop it since upstream is
+ already using -no-undefined
+ * Pass --build and --host args to ./configure as necessary, for
+ cross-building support.
+
+ -- Steve Langasek Fri, 28 Sep 2007 00:17:00 -0700
+
+pam (0.99.7.1-4ubuntu4) gutsy; urgency=low
+
+ * debian/libpam0g.postinst: call "reload" for all display managers
+ (LP: #139065).
+ * debian/libpam0g.postinst: only ask questions during update-manager when
+ there are non-default services running (LP: #141309).
+
+ -- Kees Cook Mon, 24 Sep 2007 15:01:29 -0700
+
+pam (0.99.7.1-4ubuntu3) gutsy; urgency=low
+
+ * ubuntu-regression_fix_securetty: securetty's earlier behavior would
+ correctly prompt for password on bad usernames (LP: #139075).
+
+ -- Kees Cook Wed, 12 Sep 2007 15:20:09 -0700
+
+pam (0.99.7.1-4ubuntu2) gutsy; urgency=low
+
+ * Build using db4.5 (instead of db4.6). One db4.x version less on the CD.
+
+ -- Matthias Klose Wed, 12 Sep 2007 17:44:25 +0200
+
+pam (0.99.7.1-4ubuntu1) gutsy; urgency=low
+
+ * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
+ - debian/control, debian/local/common-session{,md5sums}: use
+ libpam-foreground for session management.
+ - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
+ The nis package handles overriding this as necessary.
+ - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
+ present there or in /etc/security/pam_env.conf.
+ - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
+ type rather than __u8.
+ - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
+ initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
+ RLIMIT_NICE from below as well as from above. Fix off-by-one error when
+ converting RLIMIT_NICE to the range of values used by the kernel.
+ (Originally patch 101; converted to quilt.)
+ - debian/patches-applied/ubuntu-user_defined_environment: Look at
+ ~/.pam_environment too, with the same format as
+ /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
+ * Dropped:
+ - debian/rules: bashism fixes (merged upstream).
+ - debian/control: Conflict on ancient nis (expired with Breezy).
+ - debian/libpam-runtime.postinst: check for ancient pam (expired with
+ Breezy).
+
+ -- Kees Cook Wed, 05 Sep 2007 15:18:36 -0700
+
+pam (0.99.7.1-4) unstable; urgency=low
+
+ * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
+ to fix the library skew, only reloaded; special-case this daemon in the
+ postinst and remove the mention of it from the debconf template, also
+ tightening the language of the debconf template in the process.
+ Closes: #440074.
+ * Add courier-authdaemon to the list of services that need to be
+ restarted; thanks to Micah Anderson for reporting.
+ * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
+ garbage lines in /etc/environment and log an error, instead of failing
+ with an obscure error; and ignore any PAM_BAD_ITEM values returned
+ by pam_putenv(), since this is the expected error return when trying
+ to delete a non-existent var. Closes: #439984.
+ * Yet another thinko in hurd_no_setfsuid and in
+ 029_pam_limits_capabilities; this code should really be Hurd-safe at
+ last...
+ * getline() returns -1 on EOF, not 0; check this appropriately, to fix
+ an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl
+ for the fix. Closes: #440019.
+ * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
+ debconf.
+ * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
+ errors about missing files or files with wrong permissions; these are
+ real errors that should not be buried.
+ * Drop the remainder of 061_pam_issue_double_free, not required for the
+ original bugfix.
+ * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
+ we define CRACKLIB_DICTS in debian/rules.
+ * Drop patch 063_paswd_segv, superseded by a different upstream fix
+ * Split 047_pam_limits_chroot_string_value up between
+ 008_modules_pam_limits_chroot and 029_pam_limits_capabilites
+ * Updates to patch 007_modules_pam_unix: restore the same built-in min
+ password len of 6 that upstream uses; fix a typo panlindrome ->
+ palindrome.
+ * The 'max=' option was never intended to be used to limit maximum password
+ length for users, only to declare what the number of significant
+ characters /is/ for a password. But we don't need a config option to
+ tell us that, we know the answer based on which crypt type we're using,
+ so drop this as a config file option. Closes: #389197.
+ * Debconf translations:
+ - Spanish, thanks to Javier Fernández-Sanguino Peña
+ - Vietnamese, thanks to Clytie Siddall
+ - German, thanks to Sven Joachim (closes: #440355)
+ - Czech, thanks to Miroslav Kure
+ (closes: #440362)
+ - Portuguese, thanks to Américo Monteiro
+ (closes: #440368)
+
+ -- Steve Langasek Fri, 31 Aug 2007 17:11:05 -0700
+
+pam (0.99.7.1-3) unstable; urgency=low
+
+ * New patch limits_wrong_strncpy: fix unnecessary manipulations of string
+ buffers, including an illegal use of strncpy(). Thanks to Paul Hampson
+ for reporting. Closes: #331278.
+ * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the
+ application, instead of blocking it when misc_conv is in use and
+ preventing users from being able to ^C at any PAM prompt. Closes: #1708.
+ * 024_debian_cracklib_dict_path: default to NULL instead of a specific
+ dictionary path when none is defined for consistency with the new upstream
+ version of cracklib, and define our path in debian/rules.
+ * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option,
+ a prereq for forwarding this patch upstream. Closes: #325974.
+ * Create /etc/security/opasswd on new installs or on upgrades from
+ 0.99.7.1-2 or below, so that users that enable the remember= option to
+ pam_unix aren't left unable to change passwords. Closes: #95324.
+ * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code
+ from compiling on the Hurd still. Thanks to Michael Banck for the catch.
+ * Fix a memory leak in the pam_limits capabilities patch: always
+ cap_free() the cap_t before returning from pam_sm_open_session().
+ Closes: #153157.
+ * libpam0g.postinst, libpam0g.templates: on upgrades from versions
+ prior to 0.99.7.1-3, restart known PAM-using services so that they
+ get the new libpam symbols, since otherwise the newer PAM modules
+ will fail to load. Postinst taken from libssl0.9.8; thanks to
+ Christoph Martin for the fine example! Closes: #439835.
+ * Build-depend on po-debconf to support l10n of the debconf questions
+ from the above.
+
+ -- Steve Langasek Tue, 28 Aug 2007 06:33:33 -0700
+
+pam (0.99.7.1-2) unstable; urgency=low
+
+ * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz
+ for their extensive work in helping to prepare for this update in Debian.
+ Closes: #360460.
+ - now uses autoconf for library detection, so SELinux should not be
+ unconditionally enabled on non-Linux archs. Closes: #333141.
+ - pam_mail notice handling has been completely reworked, so there should
+ no longer be missing spaces in the messages. Closes: #119689.
+ - with libtool and autoconf, now behaves "sensibly" on unknown
+ platforms. Closes: #165067.
+ - the source now builds without warnings. Closes: #212165.
+ - uses automake instead of hand-rolled makefiles with indentation
+ bugs. Closes: #241661, #328084.
+ - pam_mkhomedir now creates directories recursively as needed.
+ Closes: #178225.
+ - pam_listfile now supports being used as a session module too.
+ Closes: #416665.
+ - misspelled pam_userdb log message has been corrected. Closes: #305058.
+ - the current pam_strerror manpage no longer mentions "Unknown
+ Linux-PAM error". Closes: #220157.
+ - the text documentation no longer uses ANSI bold sequences.
+ Closes: #181451.
+ - pam_localuser now supports being used as a session module.
+ Closes: #412484.
+ - package no longer fails to build with dash as /bin/sh.
+ Closes: #331208.
+ - All modules should now be documented in the system administrator
+ guide. Closes: #350620.
+ - pam_userdb now logs an error instead of segfaulting when no db=
+ option is provided. Closes: #436005.
+ - pam_time now warns on a missing tty instead of erroring out,
+ making it possible to use the module with non-console services.
+ Closes: #127931.
+ - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install
+ accordingly
+ - bump the shlibs
+ - the 'test.c' example no longer exists
+ - add /usr/share/locale to libpam-runtime.
+ - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an
+ arbitrary username, and then only when SELinux is active.
+ Closes: #336344.
+ * Mark myself as primary maintainer as previously discussed with Sam, and
+ add Roger as an uploader.
+ * Refactor to use quilt.
+ * Update to Standards-Version 3.7.2.
+ * Drop unnecessary build-dependency on patch, which is
+ build-essential (and no longer invoked directly).
+ * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus,
+ 018_man_fixes, 030_makefile_link_against_libpam,
+ 037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd,
+ 050_configure_in_gnu and 052_pam_unix_no_openlog, which have been
+ superseded upstream.
+ * Drop patches 005_pam_limits_099_6,
+ 012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes,
+ 048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv,
+ 060_pam_tally_segv and 062_c++_safe_headers, which have been integrated
+ upstream.
+ * Patch 057: SELinux support is merged upstream, leaving only an
+ unrelated OOM check for pam_unix_passwd. Rename as
+ 057_pam_unix_passwd_OOM_check.
+ * Patches 006, 008, 036: update for the switch from SGML to XML.
+ * Patch 007: update for the switch from SGML to XML; drop some log
+ messages that were already added upstream; update for the pam_modutil
+ changes; tighten the flag handling of the 'obscure' option; drop bogus
+ check in unix_chkpwd for null passwords. Also fix a grammar error
+ along the way. Closes: #362855.
+ * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch
+ pam_cracklib.c instead to use the default dictpath already available
+ from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead
+ of AC_CHECK_HEADER, so crack.h is actually included. Also remove
+ unnecessary string copies, which break on the Hurd due to PATH_MAX.
+ * Patch 038: partially merged/superseded upstream; also add new Hurd
+ fix for pam_xauth.
+ * Patch 061: partially merged upstream
+ * Use ${binary:Version} instead of ${Source-Version} in
+ debian/control.
+ * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm},
+ debian/libpam0g.{postinst,prerm}, and
+ debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these
+ just fine without our help.
+ * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl
+ and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra,
+ groff, and opensp.
+ * Also build-depend on flex for libfl.a.
+ * Updates for documentation handling:
+ - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide,
+ and invoke dh_installdocs instead of installing these by hand.
+ - drop libpam-doc.{postinst,prerm}, which are no longer needed.
+ - add an install target to debian/rules, and have binary-indep depend on
+ it instead of trying to install doc files individually from the source
+ tree
+ - consequently, drop libpam-doc.dirs as well which is no longer needed
+ and no longer accurate
+ - add debian/libpam-doc.install for moving the docs to the right place,
+ and also replace libpam-runtime.files with libpam-runtime.install;
+ for the moment this means we're using both dh_movefiles and
+ dh_install...
+ - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further
+ cleaning up debian/rules
+ * Drop debian/libpam0g.links, no longer needed because upstream now has a
+ working install target which creates the library symlinks
+ * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so
+ symlinks by hand, no longer provided upstream.
+ * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage
+ belongs in section 7, not in section 8.
+ * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime.
+ * debian/patches-applied/autoconf.patch: move all changes to autotools
+ generated files into a single patch at the end of the stack.
+ - don't touch configure in debian/rules, the quilt patch takes care
+ of this for us.
+ * New patch 064_pam_unix_cracklib_dictpath: correctly define
+ CRACKLIB_DICTS, since this is not defined by configure. Thanks to Jan
+ Christoph Nordholz.
+ * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable
+ cracklib support in pam_unix. Thanks to Christoph Nordholz.
+ * debian/rules:
+ - Rename OS_CFLAGS to CFLAGS.
+ - kill off references to unused variables
+ - make binary-arch also depend on the install target, and streamline the
+ rules
+ - fix up the clean target to not ignore errors; thanks to Roger Leigh
+ - drop the local module_check target in favor of using -Wl,-z,defs
+ in LDFLAGS to enforce correct linkage of all objects at build time
+ * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage.
+ * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally
+ for consistency.
+ * Update to debhelper V5.
+ * Don't ship Makefiles as part of the libpam0g-dev examples.
+ * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages:
+ put all the manpages in the correct packages. Closes: #411812,
+ #62193, #313486, #300773, #330545, #184270.
+ * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything
+ because we aren't trying to ship empty directories in the packages
+ * Build-Conflict with fop, to avoid unreproducible builds of pdf
+ documentation from a tool in contrib.
+ * libpam-cracklib should depend on a real wordlist package, per policy;
+ use wamerican as the default.
+ * Drop local/pam-undocumented.7 from the package, since we no longer have
+ a reason to ship it
+ * Add lintian overrides for known false-positives
+ * Conflicts/Replaces/Provides libpam-umask, now included upstream.
+ Closes: #436222.
+ * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms
+ by hand in debian/rules. In the process, unix_chkpwd is now writable
+ by the owner, as expected by policy. Closes: #368100.
+ * Migrate from db4.3 to db4.6; once again, no administrator action should
+ be needed for upgrading on-disk database formats. Closes: #354309.
+ * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to
+ Laurent Bigonville for the hint. Closes: #439038.
+ * Add a watch file for use with uscan; thanks to Laurent Bigonville for
+ this patch as well. Closes: #439040.
+ * Rewrite of 031_pam_include, fixing a memory leak and letting us drop
+ patch 056_no_label_at_end; thanks to Jan Christoph Nordholz
+ for this much-improved version!
+ * New patch no_pthread_mutexes: don't use pthread mutexes in
+ pam_modutil functions, they're not needed because pam handles
+ themselves should not be used concurrently by multiple threads and
+ using pthreads causes problems for portable linking.
+ * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around
+ using setreuid instead.
+
+ -- Steve Langasek Sun, 26 Aug 2007 19:15:09 -0700
+
+pam (0.79-4ubuntu2) feisty; urgency=low
+
+ * Remove /usr/bin/X11 from default PATH (new installs only).
+
+ -- Colin Watson Wed, 20 Dec 2006 16:14:37 +0000
+
+pam (0.79-4ubuntu1) feisty; urgency=low
+
+ * Resynchronise with Debian. Remaining changes:
+ - Patch 100 (renumbered from 060): Look at ~/.pam_environment too, with
+ the same format as /etc/security/pam_env.conf.
+ - Patch 101 (renumbered from 061): Explicitly initialise RLIMIT_NICE
+ rather than relying on the kernel limits. Bound RLIMIT_NICE from below
+ as well as from above. Fix off-by-one error when converting
+ RLIMIT_NICE to the range of values used by the kernel.
+ - Add PATH to /etc/environment if it's not present there or in
+ /etc/security/pam_env.conf.
+ - debian/rules: Fix a bashism.
+ - Install unix_chkpwd setgid shadow instead of setuid root. The nis
+ package handles overriding this as necessary.
+ - Use pam_foreground in the default session.
+ - Linux-PAM/libpamc/test/regress/test.libpamc.c: Use standard u_int8_t
+ type rather than __u8.
+
+ -- Colin Watson Tue, 19 Dec 2006 10:32:47 +0000
+
+pam (0.79-4) unstable; urgency=medium
+
+ * Medium-urgency upload; at least one RC bugfix, but also a
+ significant number of changes, hence not urgency=high.
+ * Move libpam-modules and libpam0g to Section: libs and libpam-runtime
+ to section: admin, to match the overrides in the archive.
+ * Move old changelog entries (well, entry) that don't follow the current
+ format to debian/changelog.old, since there's no way to figure out a
+ timestamp for an 8-year-old upload, and this is the most effective
+ way to clear a glut of lintian warnings.
+ * Fix the formatting of the libpam-cracklib package description.
+ * Patch 010: remove parts of the patch that aren't necessary for C++
+ compatibility.
+ * Patch 060: fix a segfault in pam_tally caused by misuse of
+ pam_get_data(); already fixed upstream. Closes: #335273.
+ * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
+ of strdup (similar to patch 059). Already fixed upstream.
+ Closes: #327272.
+ * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs.
+ Closes: #352329.
+ * Patch 005: sync pam_limits with upstream:
+ - support "-" (unlimited) for all limit types except process priority.
+ - support the additional aliases "-1", "unlimited", and "infinity" for
+ clearing the limits; closes: #122400, #149027.
+ - restrict the range of process priority, login count, and system login
+ count settings to (INT_MIN,INT_MAX) (heh).
+ - special-case RLIM_INFINITY when applying multipliers to values from
+ the config.
+ - document maxsyslogins in the default limits.conf; closes: #149883.
+ - use the current process priority as a default instead of resetting to
+ 0; closes: #241663.
+ - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO
+ settings in Linux 2.6.12 and above; closes: #313542, #313588.
+ - allow imposing limits on uid=0.
+ * Patch 027: only set RLIM_INFINITY as the default for the limits where
+ we know this is sensible, so that recompiling in an environment with new
+ limits doesn't create a security hole -- as happened with RLIMIT_NICE and
+ RLIMIT_RTPRIO! Thanks to Ville Hallik for the initial patch.
+ Closes: #388431.
+ * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it
+ actually works -- which may well be a first... Closes: #318452.
+
+ -- Steve Langasek Mon, 23 Oct 2006 05:36:08 -0700
+
+pam (0.79-3.2) unstable; urgency=low
+
+ * Non-maintainer upload to fix important bug, that makes passwd segfault
+ when CTRL-D is pressed at the password prompt. Applied the patch
+ provided by Dann Frazier. (Closes: #360657)
+
+ -- Margarita Manterola Sat, 5 Aug 2006 02:11:22 -0300
+
+pam (0.79-3.1ubuntu1) edgy; urgency=low
+
+ * Resynchronise with Debian.
+
+ -- Colin Watson Thu, 29 Jun 2006 17:27:34 +0100
+
+pam (0.79-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Linux-PAM/libpamc/include/security/pam_client.h,
+ Linux-PAM/libpamc/pamc_converse.c: Apply patch from
+ latest upstream version to remove redefinition of internal
+ glibc/libstdc++ types. Closes: #344447.
+
+ -- Roger Leigh Sun, 5 Feb 2006 21:46:59 +0000
+
+pam (0.79-3ubuntu14) dapper; urgency=low
+
+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: Protect use of
+ RLIMIT_NICE in init_limits() with an #ifdef.
+
+ -- Colin Watson Fri, 12 May 2006 17:42:40 +0100
+
+pam (0.79-3ubuntu13) dapper; urgency=low
+
+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: Set soft and hard
+ nice limits to 20 (= userland nice value 0) rather than unlimited by
+ default. Correct off-by-one error (the same error as in Linux 2.6.12,
+ but fixed in 2.6.13) in user<->kernel translation of nice limit.
+
+ -- Colin Watson Thu, 11 May 2006 11:29:58 +0100
+
+pam (0.79-3ubuntu12) dapper; urgency=low
+
+ * debian/control: Add libpam-foreground dependency to libpam-runtime, since
+ the default /etc/pam.d/common-session refers to it. Closes: LP#35142
+
+ -- Martin Pitt Mon, 10 Apr 2006 14:42:40 +0200
+
+pam (0.79-3ubuntu11) dapper; urgency=low
+
+ [ Dana Olson ]
+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: removed glibc
+ workaround now that glibc is aware of rlimits.
+
+ [ Martin Pitt ]
+ * debian/rules: Fix bashisms.
+
+ -- Martin Pitt Thu, 6 Apr 2006 15:03:37 +0200
+
+pam (0.79-3ubuntu10) dapper; urgency=low
+
+ * debian/patches-applied/061_pam_rlimits_nice_rtprio: Support "nice" and
+ "rtprio" rlimits, new in Linux 2.6.12. Backported from upstream thanks
+ to Dana Olson and others (closes: Malone #17348).
+
+ -- Colin Watson Thu, 23 Feb 2006 16:22:12 +0000
+
+pam (0.79-3ubuntu9) dapper; urgency=low
+
+ * Fix operator precedence in libpam-modules.postinst.
+
+ -- Colin Watson Thu, 16 Feb 2006 15:23:04 +0000
+
+pam (0.79-3ubuntu8) dapper; urgency=low
+
+ * Make pam_env be quiet if it can't find the user's configuration file,
+ since it's optional.
+
+ -- Tollef Fog Heen Sat, 4 Feb 2006 16:44:12 +0100
+
+pam (0.79-3ubuntu7) dapper; urgency=low
+
+ * Add the PATH on initial install for real this time.
+
+ -- Tollef Fog Heen Thu, 2 Feb 2006 20:33:42 +0100
+
+pam (0.79-3ubuntu6) dapper; urgency=low
+
+ * Changes from Roger Leigh:
+
+ * Linux-PAM/libpamc/include/security/pam_client.h,
+ Linux-PAM/libpamc/pamc_converse.c: Apply patch from
+ latest upstream version to remove redefinition of internal
+ glibc/libstdc++ types. Closes: #344447.
+ * Linux-PAM/libpamc/test/regress/test.libpamc.c: Also switch to standard
+ types; not taken from upstream.
+
+ -- Reinhard Tartler Wed, 1 Feb 2006 13:14:24 +0000
+
+pam (0.79-3ubuntu5) dapper; urgency=low
+
+ * Add pam_foreground to /etc/pam.d/common-session
+
+ -- Matthew Garrett Tue, 24 Jan 2006 02:26:19 +0000
+
+pam (0.79-3ubuntu4) dapper; urgency=low
+
+ * Add PATH on initial install, too.
+
+ -- Tollef Fog Heen Mon, 23 Jan 2006 15:55:40 +0100
+
+pam (0.79-3ubuntu3) dapper; urgency=low
+
+ * Add PATH to /etc/environment if it's not present there or in
+ /etc/security/pam_env.conf and we are upgrading from a version which
+ didn't add it.
+
+ -- Tollef Fog Heen Tue, 17 Jan 2006 15:54:01 +0100
+
+pam (0.79-3ubuntu2) dapper; urgency=low
+
+ * Look at ~/.pam_environment too. Same format as
+ /etc/security/pam_env.conf. The patch is recorded as
+ patches-applied/060_pam_env_per_user
+
+ -- Tollef Fog Heen Tue, 17 Jan 2006 15:32:55 +0100
+
+pam (0.79-3ubuntu1) dapper; urgency=low
+
+ * Resynchronise with Debian.
+
+ -- Colin Watson Mon, 21 Nov 2005 12:15:44 +0000
+
+pam (0.79-3) unstable; urgency=low
+
+ * Patch 059
+ - Fix a segfault in pam_userdb when the new "crypt=" option
+ is unset, as will be the case for all existing users; already fixed
+ upstream. Closes: #330829.
+ - Fix a memory leak in the same code due to gratuitous strdup()s.
+ * Further regression in pam_env: don't treat a missing /etc/environment
+ as a fatal error, either. Amend patch 058 accordingly. Closes: #330852.
+
+ -- Steve Langasek Fri, 30 Sep 2005 01:17:53 -0700
+
+pam (0.79-2) unstable; urgency=low
+
+ The ".c.o: rm -rf $@" release
+ * Fix debian/rules so that make clean doesn't remove ./configure when the
+ timestamp on configure.in is newer (!).
+ * Switch pam_userdb from db3 to db4.3, which according to the libdb
+ maintainers should require no manual intervention for upgrading on-disk
+ database formats. Closes: #165068.
+ * Patch 058: yes, of course we want to read /etc/environment by
+ default. Grr! Revert upstream change which disables this for no
+ apparent reason (closes: #330458).
+ * Tweak selinux rootok code to use the version of the function call that
+ doesn't pollute namespace
+
+ -- Steve Langasek Tue, 27 Sep 2005 02:44:36 -0700
+
+pam (0.79-1) unstable; urgency=low
+
+ * New upstream version (closes: #284954, #300775).
+ - includes some fixes for typos (closes: #319026).
+ - pam_unix should now be LSB 3.0-compliant (closes: #323982).
+ - fixes segfaults in libpam on config file syntax errors
+ (closes: #330097).
+ * Drop patches 000_bootstrap, 004_libpam_makefile_static_works,
+ 011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes,
+ 025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set,
+ 033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE,
+ 035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required,
+ 041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors,
+ 051_32_bit_pam_lastlog_ll_time, and
+ 053_pam_unix_user_known_returns_user_unknown which have been
+ integrated upstream.
+ * Merge one last bit of patch 053 into patch 043, where it should have
+ been in the first place
+ * Patch 057: SELinux support:
+ - add support to pam_unix for copying SELinux security contexts when
+ writing out new passwd/shadow files and creating lockfiles
+ - support calling unix_chkpwd if opening /etc/shadow fails due to
+ SELinux permissions
+ - allow unix_chkpwd to authenticate for any user when in an SELinux
+ context (hurray!); we depend on SELinux policies to prevent the
+ helper's use as a brute force tool
+ - also support querying user expiration info via unix_chkpwd
+ - misc cleanup: clean up file descriptors when invoking unix_chkpwd
+ (closes: #248310)
+ - make pam_rootok check the SELinux passwd class permissions, not just
+ the uid
+ - add new pam_selinux module (closes: #249499)
+ * Build-depend on libselinux1-dev.
+ * Fix pam_getenv, so that it can read the actual format of /etc/environment
+ instead of trying to read it using the syntax of
+ /etc/security/pam_env.conf; thanks to Colin Watson for the patch.
+ Closes: #327876.
+ * Set LC_COLLATE=C when using alphabetic range expressions in
+ debian/rules; bah, so *that's* what kept happening to my README file
+ when trying to build out of svn! Closes: #295296.
+ * Add a reference to the text of the GPL to debian/copyright.
+
+ -- Steve Langasek Sun, 25 Sep 2005 22:08:20 -0700
+
+pam (0.76-23) unstable; urgency=low
+
+ * Fix Gcc 3.4 compilation, Closes: #259634
+ * Note that pam.conf is not read if /etc/pam.d exists, Closes: #248928
+ * Fix typo in pam_env.conf, Closes: #277633
+
+ -- Sam Hartman Sun, 10 Jul 2005 16:42:25 -0400
+
+pam (0.76-22ubuntu3) breezy; urgency=low
+
+ * Fix pam_getenv, which never worked:
+ - Parse /etc/security/pam_env.conf using its own syntax, and then
+ /etc/environment using its own syntax rather than the syntax of
+ /etc/security/pam_env.conf.
+ - 'my $val' was used in an incorrect scope; fixed.
+ - Exit non-zero if the requested environment variable is not found.
+
+ -- Colin Watson Mon, 12 Sep 2005 18:32:54 +0100
+
+pam (0.76-22ubuntu2) breezy; urgency=low
+
+ * debian/rules: Install unix_chkpwd setgid shadow instead of setuid root.
+ This only breaks when using NIS lookups, therefore the new nis package
+ dpkg-statoverrides it back to setuid root while being installed.
+ (Debian #155583, http://udu.wiki.ubuntu.com/ProactiveSecurityRoadmap)
+ * debian/control: Added conflict to nis (<< 3.13-3ubuntu1): This is the
+ version that corrects the permissions for usage with NIS.
+
+ -- Martin Pitt Fri, 17 Jun 2005 12:34:23 +0200
+
+pam (0.76-22ubuntu1) breezy; urgency=low
+
+ * Fix FTBFS with gcc-3.4 (closes: #259634). Ubuntu 9037.
+
+ -- Matthias Klose Wed, 4 May 2005 18:14:51 +0200
+
+pam (0.76-22) unstable; urgency=medium
+
+ * Add uploaders
+ * Document location of repository
+ * Fix options containing arguments in pam_unix, Closes: #254904
+
+ -- Sam Hartman Mon, 28 Jun 2004 14:28:08 -0400
+
+pam (0.76-21) unstable; urgency=medium
+
+ * Fix patch 055 again because -20 was broken and didn't actually fix the
+ problem.
+
+ -- Sam Hartman Tue, 4 May 2004 21:37:38 -0400
+
+pam (0.76-20) unstable; urgency=medium
+
+ * Update to patch 55 to only check securetty when we are sure the
+ password is null, Closes: #243698
+ * Medium urgency because the version now in testing has confusing and
+ verbose log messages.
+ * Include pam_getenv script which hopefully will be used by some people
+ somewhere for some purpose
+
+ -- Sam Hartman Wed, 28 Apr 2004 22:51:18 -0400
+
+pam (0.76-19) unstable; urgency=low
+
+ * Oops, too busy testing the upgrade from woody to make sure the upgrade
+ from -16 to -18 worked. Thanks to all those who reported,
+ Closes: #243413
+
+ -- Sam Hartman Tue, 13 Apr 2004 16:08:54 -0400
+
+pam (0.76-18) unstable; urgency=low
+
+ * Manipulate conffiles to avoid unnecessary prompt in woody to sarge
+ upgrade, Closes: #218318
+
+ -- Sam Hartman Sat, 10 Apr 2004 18:10:35 -0400
+
+pam (0.76-17) unstable; urgency=low
+
+ * common-password now includes length restrictions and cracklib
+ examples, Closes: #227681, #237537
+ * Patch 054: abstract out the logic from pam_securetty to determine if a
+ tty is in /etc/securetty into a library function
+ * Patch 55: Add nullok_secure option to pam_unix. If set, then null
+ passwords are accepted from terminals in /etc/securetty.
+ * common-auth now includes nullok_secure, Closes: #228114
+
+
+ -- Sam Hartman Sun, 4 Apr 2004 23:10:11 -0400
+
+pam (0.76-16) unstable; urgency=low
+
+ * Patch 51 from the x86-64 folks to support 32-bit ll_time in
+ pam_lastlog even if time_t is 64-bits
+ * Don't call openlog in pam_unix (patch 52), Closes: #213566
+ * Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506
+
+ -- Sam Hartman Tue, 23 Mar 2004 22:26:04 -0500
+
+pam (0.76-15) unstable; urgency=low
+
+ * Fix description of libpam-runtime, Closes: #209755
+ * Fix description of libpam-cracklib, Closes: #210014
+ * Depend on libc6-dev|libc-dev not libc6-dev, Closes: #212354
+ * Clean up binaries, Thanks Russell, Closes: #212158
+ * Depend on sufficiently new cracklib2-dev, Closes: #214092
+ * Treate GNU/* as GNU for OS variable to make pam_limits compile,
+ (patch 050) Closes: #220980
+ * No longer build-depend on latex2html, Closes: #221318
+ * Allow : in tty specification for pam_group, (patch 048) Closes: #220439
+ * Pull in locking patch from Linux-PAM CVS; this ended up causing
+ 021_pam_nis_locking to be reworked and that patch now no longer
+ contains locking fixes, but just NIS cleanup in general. See
+ 049_pam_unix_sane_locking for the locking changes, Closes: #220158
+
+ -- Sam Hartman Mon, 12 Jan 2004 02:23:59 -0500
+
+pam (0.76-14) unstable; urgency=low
+
+ * Pull in NMU diff from 13.1, Closes: #186011
+ * Split out common-password into its own file, Closes: #207497
+ * Make other a conffile again and update to @include stuff
+ * Add missing symlink, Closes: #196605
+ * Remove undocumented manpages
+ * Update PAM mini-policy
+
+ -- Sam Hartman Mon, 1 Sep 2003 18:08:54 -0400
+
+pam (0.76-13.1) unstable; urgency=low
+
+ * NMU with maintainer's permission.
+ * Add three new config files (/etc/pam.d/common-{auth,account,session})
+ to libpam-runtime. Other packages which depend on libpam-runtime
+ can now @include these files from their own PAM configs.
+ * Convert /etc/pam.d/other from a conffile to a non-conffile config
+ file. Closes: #186011.
+ * Remove empty libpam-runtime.prerm script (debhelper will autocreate if needed)
+
+ -- Steve Langasek Tue, 19 Aug 2003 19:41:03 -0500
+
+pam (0.76-13) unstable; urgency=low
+
+ * Nope, that dependency didn't work, so let's remove it. If we run into other module versioning issues, I now have an arm build environment to debug with. Closes: #198618
+
+ -- Sam Hartman Mon, 7 Jul 2003 00:22:34 -0400
+
+pam (0.76-12) unstable; urgency=low
+
+ * Fix group.conf example, (patch 046) Closes: #197080
+ * Ignore module return value in jumps, (patch 045) Closes: #176693
+ * Accept string value for chroot limit, thanks Andrei Pelinescu-Onciul,
+ Patch (047), Closes: #196903
+ * Depend on libpam-modules instead of conflicting with older versions.
+ This creates a circular dependency between libpam0g and
+ libpam-modules. James says this works fine; we hope he's right.
+ Closes: #196949
+ -- Sam Hartman Sat, 21 Jun 2003 17:19:29 -0400
+
+pam (0.76-11) unstable; urgency=low
+
+ * Don't allow db4 to satisfy build-depends because it doesn't actually
+ work, and sometimes building with it would be wrong.
+ * Don't depend on libpcap-dev on Debian BSD
+ * Conflict with old libpam-modules, Closes: #191906
+ * Incorrect username should not be logged at alert (patch 43),
+ Closes: #175900
+ * Patch to support FreeBSD (patch 44, thanks Robert), Closes: #191906
+
+ -- Sam Hartman Sat, 31 May 2003 19:55:26 -0400
+
+pam (0.76-10) unstable; urgency=low
+
+ * Don't double list conffiles, Closes: #190954
+ * Only install example sources not executables, Closes: #185286
+ * Display correct directory in error message for pam_mkhomedir, patch
+ 042 thanks to Akira TAGOH, Closes: #165240
+ * Don't log EPERM when setting NOFILE limit as Linux doesn't let you
+ set that to -1, Closes: #180310
+ * Add newline to end of distributed time.conf, Closes: #172229
+ * Up our standards version and support noopt in DEB_BUILD_OPTIONS
+
+ -- Sam Hartman Sat, 3 May 2003 22:28:37 -0400
+
+pam (0.76-9) unstable; urgency=low
+
+ * Fix pam_rhosts hurd patch so it actually works, Closes: #172914
+ * Fix patch 040 not to clobber errno when logging the error fails,
+ Closes: #172186
+ * Fix dependency for linuxdoc-tools, Closes: #173097
+
+ -- Sam Hartman Sun, 15 Dec 2002 17:10:58 -0500
+
+pam (0.76-8) unstable; urgency=low
+
+ * Have makefile appropriately depend on bootstrap-libpam
+ * Install pam minipolicy, Closes: #167798
+ * Don't segfault if ttyname is null; this avoids the segfault but does
+ not actually make pam_issue useful for ssh. I believe the way
+ pam_issue works is fundamentally incompatible with what sshd expects
+ from PAM (patch 037), Closes: #153152
+ * We actually fixed passwords containing , in 0.76-6, but failed to
+ document it.
They do work, Closes: #164713
+ * Note that /etc/pam.d/other is a fall back for each service
+ * Patches from Michal 'hramrach' Suchanek" to
+ make HURD work, Closes: #165066 (patch 038 and 039)
+ * Don't depend on gs and other doc prep tools for build-depends, just
+ build-depends-indep, Closes: #165065
+ * Patch from Eric Anderson to log failures of
+ setrlimit (patch 040), Closes: #169836
+ * Build pam_limits on hurd, Closes: #165190
+
+ -- Sam Hartman Sun, 24 Nov 2002 22:04:28 -0500
+
+pam (0.76-7) unstable; urgency=low
+
+ * Fix handling of pam_ignore in case where we're skipping modules;
+ update to patch 034
+
+ -- Sam Hartman Sun, 20 Oct 2002 21:49:22 -0400
+
+pam (0.76-6) unstable; urgency=low
+
+ * The "No, I don't think I actually want any of what upstream is
+ smoking" release
+ * If this were already in testing, this would be an severity emergency
+ upload
+ * pam_unix currently treats * in shadow file as no password not
+ disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659
+ * OK, I think this actually fixes the rest of the manpage symlinks,
+ Closes: #163839, #164298
+ * You don't want to use getlogin for pam_wheel because utmp may be wrong or for xterm have no entry, pull forward patch from the 0.72 packages (patch 036), Closes: #163787
+
+ -- Sam Hartman Tue, 15 Oct 2002 10:44:56 -0400
+
+pam (0.76-5) unstable; urgency=low
+
+ * Fix library links from 0.75 to 0.76
+ * Ignore PAM_IGNORE in _pam_dispatch_aux (patch 34), Closes: #163841
+ * Fix man page symlinks, Closes: #163839
+
+ -- Sam Hartman Fri, 11 Oct 2002 01:08:06 -0400
+
+pam (0.76-4) unstable; urgency=low
+
+ * Upstream correctly states that one should use gcc not ld when
+ linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711
+
+ * Remove experimental warning from readme, Closes: 163742
+
+ -- Sam Hartman Mon, 7 Oct 2002 23:45:53 -0400
+
+pam (0.76-3) unstable; urgency=low
+
+ * Oops, let's try building -fpic.
This currently builds everything
+ -fpic which is somewhat wrong, but doing more than that requires
+ significant build system hacking (touch every makefile for dynamic
+ objects), so it will wait, Closes: #163600
+
+ -- Sam Hartman Sun, 6 Oct 2002 23:33:12 -0400
+
+pam (0.76-2) unstable; urgency=low
+
+ * Link against appropriate libraries so we find the symbols we need,
+ Closes: #162175
+ * The if everyone's going to complain when I upload broken software to
+ experimental release, I might as well upload to unstable and give them
+ something worth actually complaining about release.
+ * Also the remove the scourge of dbs release
+ * Include patch 034 from the 0.72 packages, meaning that we've included
+ all the patches we need before release
+ * Reject the patch to pam_wheel as I cannot find out what reasonable
+ thing it was trying to do and it seemed broken
+ * libpam-cracklib should depend on wordlist so it actually works;
+ thanks Olaf Meeuwissen,
+ Closes: #112965
+ * Merge build-depends and build-depends-indep because I'm a bad person
+ and was too lazy to make docs build in a separate pass. I'll deal in
+ a few versions.
+
+ -- Sam Hartman Sun, 6 Oct 2002 18:52:13 -0400
+
+pam (0.76-1) experimental; urgency=low
+
+ * New upstream version
+ * Upstream includes fix to not break cron, Closes: 160566
+ * New Upstream correctly handles priority < 0 for pam_limits, Closes: #126251
+ * .cvsignores removed, Closes: #159961
+
+ -- Sam Hartman Sun, 22 Sep 2002 16:11:35 -0400
+
+pam (0.75-3) experimental; urgency=low
+
+ * Apply patch 027 pam_limits so that we initialize to wide open not
+ current limits.
+ * In pam_mail, don't complain about deleting environment variable if
+ we never set it, Closes: #58429
+ * Don't set default max procs limit in pam_limits, Closes: #116874
+ * libpam-runtime now arch all since it has no arch-specific files,
+ Closes: #132545
+ * Update mini policy to reflect confusion on debian-devel
+
+ -- Sam Hartman Tue, 16 Jul 2002 09:30:50 -0400
+
+pam (0.75-2) experimental; urgency=low
+
+ * Fix pam_userdb to build and to build against db3, fixes patch 020
+ * Fix upstream makefile so pam_group has valid configuration, closes: #148657
+ * time.conf reference to logoutd removed, closes: #143801
+ * The static library contains all the appropriate symbols in this
+ version. You may find the complete lack of PAM modules somewhat
+ frustrating; currently the static pam library is only useful if you
+ register your own modules. Fixing this would require annoying hacking
+ on the upstream build system, closes: #103495
+ * unix_chkpwd.8 typo fixes thanks to dancer@anthill.echidna.id.au,
+ Closes: #139949
+ * Since we're working on the new upstream version, we also have the new docs, closes: #147763
+ * Patch from Martin Schwenke to only change
+ passwords in pam_unix when they exist in the password file; hopefully
+ does not break NIS, closes: #135990
+ * Another patch from Martin to return PAM_USER_UNKNOWN if we ever
+ actually do get into the password changing routine only to find that
+ we have no password to change, closes: #135604
+ * .cvsignore no longer installed, closes: #120795
+ * We're using debhelper 3, just in time to be obselete, Closes: #93414
+
+ -- Sam Hartman Sat, 8 Jun 2002 18:04:40 -0400
+
+pam (0.75-1) experimental; urgency=low
+
+ * Preliminary test packages
+ * New upstream version
+ * Hopefully works mostly the same as 0.72 except for upstream bug
+ fixes and for the fact that pam_limits is fairly broken right now.
+ * If it breaks you are lucky if you get to keep both pieces release.
+
+ -- Sam Hartman Sat, 25 May 2002 22:57:57 -0400
+
+pam (0.72-35) unstable; urgency=medium
+
+ * Fix like_auth to make libpam-krb5 and libpam-heimdal actually useful,
+ patch from RISKO Gergely , closes: #126251
+
+ -- Sam Hartman Mon, 21 Jan 2002 15:20:22 -0500
+
+pam (0.72-34) unstable; urgency=medium
+
+ * Note that HOME may not be useful in pam_environment, closes: #109281
+ * Don't smash case domains (groups/users) in pam_limits, closes: #119893
+ * Remove double the from description, closes: #107705
+ * Fix typo on mail message, closes: #119689
+ * Medium since these are small fixes that should go into woody
+
+ -- Sam Hartman Fri, 23 Nov 2001 21:24:20 -0500
+
+pam (0.72-33) unstable; urgency=low
+
+ * Fix pam_mail to look in /var/mail not /var/spool/mail, thanks mjb.
+
+ -- Sam Hartman Thu, 11 Oct 2001 15:44:32 -0400
+
+pam (0.72-32) unstable; urgency=medium
+
+ * This should probably get into testing before freeze; medium.
+ * Patch from Volker Stolz to fix bug in previous pam_group patch,
+ closes: #111854
+
+ -- Sam Hartman Sat, 22 Sep 2001 06:32:29 -0400
+
+pam (0.72-31) unstable; urgency=low
+
+ * Add support for credential reinitialization in pam_group, closes: #108697
+
+ -- Sam Hartman Fri, 31 Aug 2001 13:16:39 -0400
+
+pam (0.72-30) unstable; urgency=low
+
+ * Include patch from robbe@orcus.priv.at to build pam_limits on hurd,
+ closes: #103556
+ * Start installing limits.conf for hurd (may not work quite right)
+
+ -- Sam Hartman Mon, 16 Jul 2001 09:35:51 -0400
+
+pam (0.72-29) unstable; urgency=low
+
+ * Correctly declare uint32 type for ia64, closes: #104584
+
+ -- Sam Hartman Sat, 14 Jul 2001 01:30:39 -0400
+
+pam (0.72-28) unstable; urgency=low
+
+ * Fix scanf string so pam_limits chroot works, closes: #100812
+ * Only log unknown user at warning, not alert, closes: #95220
+ * By default do complete matches not substring matches for pam_time.
+ You can include explicit wildcard for substring, closes: #66152
+
+ -- Sam Hartman Tue, 3 Jul 2001 17:31:45 -0400
+
+pam (0.72-27) unstable; urgency=low
+
+ * Fix typo in last patch
+
+ -- Sam Hartman Mon, 25 Jun 2001 18:27:42 -0400
+
+pam (0.72-26) unstable; urgency=low
+
+ * Block SIGCHLD when calling unix password verification program, patch from mdz@debian.org, fixes pam part of #97977
+
+ -- Sam Hartman Mon, 25 Jun 2001 08:47:12 -0400
+
+pam (0.72-25) unstable; urgency=medium
+
+ * Depend on opensp, working around #89063, closes: #100125
+ * This is urgency medium to get docs back into testing.
+
+ -- Sam Hartman Fri, 8 Jun 2001 11:44:12 -0400
+
+pam (0.72-24) unstable; urgency=low
+
+ * New NIS double locking and root password patch from Philippe Troin
+ , fixes bug in unreleased patch submitted for
+ 0.72-23. Also improves changing root password so it does something;
+ ongoing discussion on whether this is right.
+
+ -- Sam Hartman Mon, 21 May 2001 08:06:05 -0400
+
+pam (0.72-23) unstable; urgency=low
+
+ * Patch from Benoit Gaussen , Don't trim from , to end
+ of string in user input, only trim from salt
+ grabbed from passwd file, closes: #96779
+ * Fix NIS double locking, closes: #96736
+
+ -- Sam Hartman Wed, 16 May 2001 15:46:34 -0400
+
+pam (0.72-22) unstable; urgency=low
+
+ * Fix pam.8 to be pam.7, closes: #92874
+
+ -- Sam Hartman Tue, 17 Apr 2001 23:04:04 -0400
+
+pam (0.72-21) unstable; urgency=low
+
+ * Don't depend on libcap for hurd, closes: #91998
+ * Don't list scurity/limits.conf as a conffile for hurd
+
+ -- Sam Hartman Mon, 9 Apr 2001 12:30:18 -0400
+
+pam (0.72-20) unstable; urgency=low
+
+ * Install pam-undocumented in -runtime not -dev, closes: #93063
+ * Mark pam-runtime as replacing files from -dev in case you installed
+ -19 and have pam-undocumented in the wrong place
+
+ -- Sam Hartman Fri, 6 Apr 2001 06:38:15 -0400
+
+pam (0.72-19) unstable; urgency=low
+
+ * New maintainer, closes: #92353
+ * Install pam-undocumented; somehow
it was not installed in -18
+
+ -- Sam Hartman Wed, 4 Apr 2001 21:32:17 -0400
+
+pam (0.72-18) unstable; urgency=low
+
+ * pam_securetty: log failed tty checks. Normally this was only done if
+ the "debug" option was on...do it regardless now, closes: #89390
+ * Get rid of log message for when "root" is not applied to group checks.
+ closes: #88825
+ * Add quiet option to pam_listfile, closes: #84428
+ * pam(8) should be pam(7), pam.conf(8) should be pam.conf(5), closes:
+ #89322
+ * Added groff to Build-Depends-Indep, closes: #88794
+
+ -- Ben Collins Sun, 25 Mar 2001 21:40:32 -0500
+
+pam (0.72-17) unstable; urgency=low
+
+ * Fixed login in pam_limits where the max logins could be ignored.
+
+ -- Ben Collins Fri, 9 Mar 2001 09:14:48 -0500
+
+pam (0.72-16) unstable; urgency=low
+
+ * New pam limits cap patch from Topi Miettinen
+ , closes: #88401, #88406, #88525, #88399,
+ #86197
+ * pwdb no longer used, closes: #59917
+ * fix patch 023 for gethostbyname build failure, closes: #86156
+ * Make sure unix_chkpwd gets installed as suid root, closes: #88519
+ * Fix whatis parse of manpages, closes: #86203
+ * pam_listfile, fix arg parsing when arg does not contain '=', closes:
+ #86070
+
+ -- Ben Collins Sun, 4 Mar 2001 22:45:58 -0500
+
+pam (0.72-15) unstable; urgency=low
+
+ * Doh, added build-depends for libcap, closes: #85352
+ * Change section of libpam-cracklib from admin to libs to match
+ overrides.
+
+ -- Ben Collins Fri, 9 Feb 2001 09:06:40 -0500
+
+pam (0.72-14) unstable; urgency=low
+
+ * Added fix to pam_access for gethostname decleration. closes: #82100
+ * Just name the lib/security directory instead of all the modules
+ seperately for dh_movefiles.
closes: #76119
+ * Fix pam_env corruption, closes: #66849, #77229
+ * Add patch to allow recursive /etc/skel copy in pam_mkhomedir, closes:
+ #67211
+ * remove dh_suidregister call, added conflict for old suidregister
+ package
+ * Applied patch for Linux capabilities in pam_limits, closes: #74176
+ * pam_issue.so works for me, without segv, and even with escapes. This
+ is with login. Note, things like pam_issue do not work with ssh simply
+ because ssh is not able to work in that way (does not support
+ arbiitrary conversations). So if you want it to work there, file a bug
+ on ssh, not on libpam-modules. closes: #77228
+ * unix_chkpwd: check for NULL password, closes: #69960
+
+ -- Ben Collins Thu, 8 Feb 2001 11:06:03 -0500
+
+pam (0.72-13) unstable; urgency=low
+
+ * Fix grammar in pam_source.sgml, closes: #78959
+ * pam_undocumented.7: Fix escaped 's, closes: #75987
+ * Fix build ordering, closes: #71442, #80397, #77017
+ * Applied Hurd patch, closes: #76119
+ * Use gcc for linking, not ld. closes: #71941
+ * Pretty sure this was fixed, closes: #67172
+ * Applied spealang fixes to Debian-mini-policy. closes: #80249
+ * Applied patch to allow devfs style terminal devices with pam_group,
+ closes: #77661
+ * Could not reproduce, even using md5 passwords. User, if you still have
+ * this problem, you need to tell me with what service (login, which I
+ tested, sshd, telnet, etc...) and also send me the entire pam.d file
+ for that service. closes: #76087
+ * Fixed awhile back, closes: #72858
+ * Closing this since I am not going to include any modules in this
+ package that aren't in upstream. If someone else wants to package
+ these modules seperately, they can do so. closes: #69550
+ * For correct usage, pam_wheel.so should be used with "sufficient" and
+ not "required". This is documented. If you use "required", then you
+ must also use the "trust" option, but that doesn't give you the
+ results you want.
closes: #76236
+
+ -- Ben Collins Sun, 31 Dec 2000 05:38:23 -0500
+
+pam (0.72-12) frozen unstable; urgency=low
+
+ * Recompile against db2 for glibc change
+ * Add db2 to build-deps
+
+ -- Ben Collins Wed, 27 Sep 2000 12:08:11 -0400
+
+pam (0.72-11) frozen unstable; urgency=low
+
+ * Removed all traces of pwdb in packages. libpwdb has been removed from
+ the archive. This means that the pam_pwdb and pam_radius modules are
+ no longer available (from the libpam-pwdb package).
+ * doc/modules/pam_wheel.sgml: Really spell out that being a member of a
+ group meands the user is listed in /etc/group, closes: #69242
+ * doc/*: s/PAM_AUTHOK_RECOVERY_ERR/PAM_AUTHOK_RECOVER_ERR/g,
+ closes: #64473
+ * pam_wheel: PAM does not distinguish it, the libc calls make the
+ distinction. The users gid is returned in their passwd info, while
+ getgrent() returns only the members of the group listed in /etc/group.
+ This is ok, because if it's really that important, you can actually
+ have it in both places. The fact that it's documented should suffice
+ in making this clear, closes: #69236
+ * Sorry, but seperate modules generally need to be packaged seperately.
+ I don't want to overload this package with everyone's pet module, so I
+ have to put my foot down, closes: #61759
+ * Actually, I'm going to move in Woody to make packages depend more on
+ the defaults in /etc/pam.d/other, so that admins have less to
+ maintain. For one, all packages should not have a password service
+ listed, closes: #70000 (YAY! I got the 70k rollover bug number!)
+ * Sorry, I can't include this. "," is a legitimate char in a password
+ salt/hash.
If you can code up something that is super intelligent
+ about lenghts of the field, I can go for it, maybe, closes: #59459
+ * modules/pam_limits: Added chroot feature patch, closes: #61090
+ * modules/pam_access: Allow last field to contain ':', closes: #67291
+ * modules/pam_limits: Allow explicit limits for root, closes: #62448
+ * modules/pam_unix: Do not zero old/new password fields, libpam does
+ this itself, and doing so in the module breaks stacking,
+ closes: #66270
+ * modules/pam_group: Allow alpha *and* numeric in tty field (duh),
+ closes: #63752
+ * modules/pam_access: Enable NIS, closes: #64854
+ * libpam0g-dbg: removed, useless anyway
+
+ -- Ben Collins Wed, 30 Aug 2000 18:39:32 -0400
+
+pam (0.72-10) frozen unstable; urgency=low
+
+ * Update build depends
+ * Fixed logic for showing non-existent user names when auth failed in
+ pam_unix.so, closes: #67786 (thanks to Jim Breton for being patient in
+ helping track this down). It would sometimes show them, even if we
+ didn't want to.
+
+ -- Ben Collins Thu, 27 Jul 2000 09:17:08 -0400
+
+pam (0.72-9) frozen unstable; urgency=low
+
+ * pam_unix: do not call obscure_msg() of pass_old is NULL,
+ closes: #65321
+ * pam_access: check for from[0] == '\0' so that tty logic is actually
+ used, closes: #65401
+
+ -- Ben Collins Wed, 14 Jun 2000 11:38:35 -0400
+
+pam (0.72-8) frozen unstable; urgency=low
+
+ * Build depends added in previous version, closes: #60817, #61439
+ * Allow use of ":0" in group.conf, closes: #61966
+ * Added syslog entry to notify that a user succesfully changed their
+ password, closes: #61724
+ * Make pam_unix compatible with HP-UX style NIS+ password information,
+ patch from ldaffner@rsn.hp.com, closes: #61942
+ * If "audit" is not enabled, don't let pam_unix print the names of
+ unknown users for auth attempts, closes: #61942
+ * Fixed ttyname() parsing in pam_access to match that of the old shadow
+ access.conf s,/dev/,, closes: #61644
+ * Set some sane defaults for pam_limits.so instead of carrying over
+ potentially bad defaults, patch from Peter Paluch
+ closes: #63230
+ * Allow explicit (e.g. specified specifically for) limits for root,
+ patch from Topi Miettinen , closes: #62448
+ * Added information to time.conf about logoutd, which is now enabled via
+ this file.
+ * cracklib maintainer claims this isn't a bug, closes: #54180
+ * fixed control syntax handling which was causing segfaults, closes: #62237
+
+ -- Ben Collins Sat, 29 Apr 2000 11:39:59 -0400
+
+pam (0.72-7) frozen unstable; urgency=low
+
+ * pam_limits: fix parsing of users which explicitly removes limits,
+ closes: #59911, #60287
+ * Added build-depends
+
+ -- Ben Collins Mon, 20 Mar 2000 16:06:28 -0500
+
+pam (0.72-6) frozen unstable; urgency=low
+
+ * Remove conflict for libpam0g-util from libpam0g and put it in
+ libpam-runtime.
This should fix a problem with upgrades that apt
+ experiences, closes: #58677
+
+ -- Ben Collins Mon, 28 Feb 2000 14:05:28 -0500
+
+pam (0.72-5) frozen unstable; urgency=low
+
+ * Added obscure password checks to pam_unix. Required for shadow to be
+ able to emulate the pre-PAM setup (referenced in a bug on passwd).
+ * Applied patch from #57800 to fix NIS/NIS+ shadow accounting checks,
+ closes: #57800, #58164
+ * Fixed two typos in the PAM System Administrators Guide,
+ closes: #56578, #56587
+
+ -- Ben Collins Mon, 28 Feb 2000 10:58:09 -0500
+
+pam (0.72-4) frozen unstable; urgency=low
+
+ * unix_chkpwd: check for NULL on stdin aswell as 0 reads, closes: #56375
+ * pam_unix/Makefile: removed bashism, closes: #56370
+ * fixed in shadow upload, closes: #49832
+
+ -- Ben Collins Sat, 29 Jan 2000 00:27:28 -0500
+
+pam (0.72-3) unstable; urgency=low
+
+ * Added cpluplus wraps in all the headers, closes: #53653
+
+ -- Ben Collins Sun, 2 Jan 2000 15:15:40 -0500
+
+pam (0.72-2) unstable; urgency=low
+
+ * Well, this is an odd one. A recompile fixes it. So it must have been a
+ problem from linking with 0.71 when this is version 0.72. All of this
+ build daemons seem to have compiled the latest 0.72, so this should be
+ resolved after this gets recompiled on all of them, closes: #51619, #49584
+ * This is from a very old version (0.56) of libpam0. It is not relevant
+ to the latest version, closes: #47162
+
+ -- Ben Collins Sun, 26 Dec 1999 09:10:13 -0500
+
+pam (0.72-1) unstable; urgency=low
+
+ * New upstream source release, lots of patches merged upstream (thanks
+ Andrew).
+ * libpam-doc: now provides pam-doc, closes: #45631
+ * cleanups to the build system
+ * shlibs.local: bumped shlib deps
+
+ -- Ben Collins Tue, 14 Dec 1999 11:17:36 -0500
+
+pam (0.71-3) unstable; urgency=low
+
+ * Debian-PAM-MiniPolicy: new document describing how PAM is implemented
+ in Debian
+
+ -- Ben Collins Fri, 26 Nov 1999 17:26:40 -0500
+
+pam (0.71-2) unstable; urgency=low
+
+ * pam_listfile: lstat -> stat, closes: #49833
+ * pam_tally: install the pam_tally program, closes: #50314
+ * debian/control: libpam-modules, replaces libpam0g-util, closes: #50716
+
+ -- Ben Collins Thu, 25 Nov 1999 21:02:23 -0500
+
+pam (0.71-1) unstable; urgency=low
+
+ * New upstream release, merges lots of patches from the Debian source,
+ also merges the pam_{motd,mkhomedir,issue} modules into the main
+ source. Lots of minor bugs fixed, and compiler warnings
+ * pam_mail: Reimplemented the authentication handlers, so now this works
+ as both (changes nothing in Debian, but was required to get the patch
+ accepted upstream)
+ * general: Lots of small edits to fix compiler warnings
+ * pam_userdb: fixed potential usage of an unitialized value as
+ PAM_AUTHTOK, doesn't look particularly exploitable, but better safe
+ than sorry
+
+ -- Ben Collins Mon, 8 Nov 1999 19:21:52 -0500
+
+pam (0.70-4) unstable; urgency=low
+
+ * pam_wheel/pam_wheel.c: change to use getpwuid(getuid()) by default, so
+ avoid the problems associated with getlogin()
+
+ -- Ben Collins Mon, 1 Nov 1999 13:33:10 -0500
+
+pam (0.70-3) unstable; urgency=low
+
+ * Applied patch from Herbert Xu to enable PAM_CONV_AGAIN support in
+ pam_ftp, closes: #47288
+
+ -- Ben Collins Wed, 13 Oct 1999 13:25:21 -0400
+
+pam (0.70-2) unstable; urgency=low
+
+ * 100_pam_pwdb_security_fix: new patch fixes security problem with
+ regard to NIS accounts
+
+ -- Ben Collins Wed, 13 Oct 1999 11:42:41 -0400
+
+pam (0.70-1) unstable; urgency=low
+
+ * New upstream release
+ * Seems there were a lot of fixes merged/matches upstream,
looks good,
+ (maybe it's time I start sending my patches in, since the maintainer
+ is active again).
+ * libpamc: new library (libpam client library), this actually used to be
+ in the Debian packages for a few versions, but it was removed upstream.
+ Guess what, it's back :)
+
+ -- Ben Collins Sun, 10 Oct 1999 01:07:43 -0400
+
+pam (0.69-11) unstable; urgency=low
+
+ * {pwdb,unix}_chkpwd.8: fixed format to get rid of "no whatis" warnings
+ from mandb, closes: #47004
+ * pam_unix.sgml: new file, documents the pam_unix.so module,
+ closes: #46511
+
+ -- Ben Collins Sat, 9 Oct 1999 12:41:58 -0400
+
+pam (0.69-10) unstable; urgency=low
+
+ * libpam/pam_item.c: fixed debug message being in wrong place
+ * 013_pam_issue: new patch, provides issue file parsing for PAM
+ applications (helps to replace lost functionality in login).
+
+ -- Ben Collins Wed, 6 Oct 1999 20:30:17 -0400
+
+pam (0.69-9) unstable; urgency=low
+
+ * Fix typo in pam_mail.so module's "no" return
+
+ -- Ben Collins Sun, 3 Oct 1999 15:08:56 -0400
+
+pam (0.69-8) unstable; urgency=low
+
+ * docs/modules/pam_mkhomedir.sgml: Fixed module name
+ * changed build system structure
+ * libpam/Makefile: add -lcrypt to the linked libs, closes: #46104
+ * increase shlib deps to 0.69-7, closes: #45801
+ * pam_motd.c: close motd file after reading, closes: #46122
+ * pam_motd.c: fix setting \0 in the wrong place when motd file is
+ zero length, closes: #45686, #45632
+ * pam_unix_acct.c: allow '0' to denote disabled for some expiry fields
+ since chage(1) documents it this way, closes: #45446
+ * pam_mail.c|modules/pam_mail.sgml: added 2 options, one "standard" to
+ give the old style "You have ..."
response and "quiet" which only
+ reports new mail for both formats, documented both options,
+ closes: #45670
+ * with the new pam_unix module, this bug is fixed, closes: #42230
+ * pam_limits.c: make sure that we not only ignore limits on root, we
+ also remove them just in case we are su'ing from a limited user to
+ the root account (since as root they can remove the limits anyway),
+ closes: #35302
+
+ -- Ben Collins Sun, 3 Oct 1999 12:07:28 -0400
+
+pam (0.69-7) unstable; urgency=low
+
+ * debian/rules: fixed module_check
+ * pam_env/pam_env.c: fixed env parsing to include values wrapped in ''
+ and also allow continued lines with a trailing '\'.
+ * pam_motd,pam_mail: converted to session modules, so that they could
+ be ordered with the lastlog module
+ * updated default pam.d/login to reflect above change (now login looks
+ the same as the non-PAM version, lastlog, then motd, and then mail
+ check)
+ * pam_motd: removed extraneous \n from output
+ * modules/pam_limits/pam_limits.c: Fixed parsing of lines with only
+ "domain -", which was documented as being able to get rid of limits
+ for that user or group.
+ * debian/control: (libpam-cracklib) Added depends for cracklib-runtime,
+ closes: #45488
+ * modules/pam_env.c: Fixed /etc/environment parsing causing segfaults on
+ long lines, closes: #45408
+
+ -- Ben Collins Sun, 19 Sep 1999 13:50:40 -0400
+
+pam (0.69-6) unstable; urgency=low
+
+ * Install unix_chkpwd suid root, it's needed for NIS to work without
+ modification to the binary.
+ * modules/pam_limits/pam_limits.c: hmm, some how I got a strange broken
+ patch left over from the source upgrade...removed all but the pwdb
+ purging, closes: #45088
+ * modules/pam_env/pam_env.c: Changed to a debug message, instead of a
+ syslog message when /etc/environment does not exist.
+
+ -- Ben Collins Wed, 15 Sep 1999 04:25:21 -0400
+
+pam (0.69-5) unstable; urgency=low
+
+ * Removed libpam0g's preinst check for full paths in the pam.d files,
+ this should really be a lintian check at build (i think the old libpam
+ could not work like this, but hey...things change for the better some
+ times. This PAM works fine like that). closes: #45001
+NOTE: Debian packages should not reference modules by the full path
+ so they don't break if I ever decide to move the modules to a different
+ default directory. Only the admin should reference full paths and only
+ for locally installed modules. I have submitted a request to check for
+ this in lintian along with a few other devious things.
+ * debian/patches/008_pam_mkhomedir: Fix title of sgml doc
+ * modules/pam_userdb/Makefile: added patch for building against glibc 2.0
+ (request from Roman Hodek), closes: #45064
+
+ -- Ben Collins Tue, 14 Sep 1999 06:12:34 -0400
+
+pam (0.69-4) unstable; urgency=low
+
+ * Link all dynamic modules with libpam. For some reason, alpha doesn't
+ like it when we don't
+
+ -- Ben Collins Mon, 13 Sep 1999 06:01:40 -0400
+
+pam (0.69-3) unstable; urgency=low
+
+ * doc/modules/pam_cracklib.sgml: changed to correct path for
+ cracklib_dict reference.
+ * modules/pam_env/pam_env.c: now groks bash style env's from
+ /etc/environment to be compatible with other programs that use it.
+ * modules/pam_securetty/pam_securetty.c: don't just plain fail when
+ root isn't allowed to login, fake a password request just like any
+ good auth module would.
Keeps us from letting them know that they
+ are doing something bad :)
+ * modules/pam_{motd,mkhomedir}: merged these two modules into this
+ source, also wrote corresponding sgml files for libpam-doc,
+ closes: #40754
+ * debian/control: Moved libpam0g, libpam-modules and libpam-runtime
+ to base with required priority since login depends on them and
+ policy will require this
+
+ -- Ben Collins Sat, 11 Sep 1999 08:06:02 -0400
+
+pam (0.69-2) unstable; urgency=low
+
+ * Modified build so that it uses libs and headers in the build tree
+ rather than on the local system. This involved changint the build
+ order slightly and should make it easier to compile on new archs.
+ * Modified pam_limits so that it was invoked during pam_sm_setcred()
+ instead of during pam_sm_session_open() so that it will work with
+ shadow's su.
+ * Fixed missing symbols in libpam.so, they were caused by it thinking
+ it was supposed to have static modules built in.
+ * Fixed problem where libpam was getting built with -DDEBUG
+ * pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640
+ instead of 0.0 and 0600
+ * unix_chkpwd: fix it not being sgid shadow
+
+ -- Ben Collins Thu, 9 Sep 1999 13:52:01 -0400
+
+pam (0.69-1) unstable; urgency=low
+
+ * New upstream source
+ - Now with a new and improved pam_unix module, closes: #38631
+ - Lot's of documentation cleanups
+ * Converted build system to dbs (doogie's build system, aka Adam Heath)
+ * Fixed libpam.so compilation so that it did not link with any of the
+ modules (this was causing lot's of problems, closes; #43913, #40739
+ * modules/pam_ftp/pam_ftp.c: Fixed sizeof, to use strlen,
+ closes: #44054, #41845, #44142, #39129, #39871, #44412
+ * Postscript pages are now generated correctly, closes: #41608
+ * Moved to FHS compliance (including use of debhelper 2.0.40),
+ this also raises the policy version to 3.0.1.1
+ * Don't check the paths in /etc/pam.d files anymore.
This is old
+ and causes nothing but complaints, closes: #39747
+ * Build libpam0g-dbg with debuggable static and shared libraries, also
+ enabled the internal DEBUG_REL compile flag for these so that the
+ debugging messages will also be output
+
+ -- Ben Collins Tue, 7 Sep 1999 17:45:20 -0400
+
+pam (0.66-10) unstable; urgency=low
+
+ * Added ability for pam_env to parse /etc/environment and updated
+ docs to reflect it
+ * Applied patch for pwdb_chkpwd man page, closes: #38976
+ * Merged pam_unix_*.so modules into one pam_unix.so with symlinks
+ for backward compatibility. This helps centralize this module the
+ same way the pam_pwdb.so is and the way pam_unix.so is on other
+ operating systems (commercial ones specifically).
+ * Closed by pam-apps upload, closes: #38632
+ * Fixed `sgml2latex' syntax, closes: #39119
+ * Added doc-base support, closes: #37627
+
+ -- Ben Collins Wed, 16 Jun 1999 01:20:23 -0400
+
+pam (0.66-9.1) unstable; urgency=low
+
+ * SPARC NMU to fix chown symbols when compiling with glibc 2.1.1
+
+ -- Ben Collins Tue, 11 May 1999 13:33:33 +0000
+
+pam (0.66-9) unstable; urgency=low
+
+ * Changed the debian/rules to not mess with the library symlinks (ie
+ running ldconfig in the lib dir) and all is well, closes: #36169
+
+ -- Ben Collins Sun, 18 Apr 1999 09:09:51 -0400
+
+pam (0.66-8) unstable; urgency=low
+
+ * Compiled with libpam_client.so now (seperate lib in libpam0g)
+ * Made regex for libpam0g postinst a little more specific so it
+ didn't flag false problems.
closes: #34626
+ * Applied patch to fix pam_ftp, closes: #35388
+ * Modified pam_mail and pam_lastlog to honor PAM_SILENT in order to
+ enable apps to use hushlogin/PAM_SILENT
+ * Fixed problem with libpam_client.so being static
+
+ -- Ben Collins Mon, 15 Mar 1999 20:54:23 -0500
+
+pam (0.66-7) unstable; urgency=low
+
+ * Fixed XCASE in pam_filter.c (not really in glibc 2.1 by default)
+
+ -- Ben Collins Sat, 6 Mar 1999 18:46:56 -0500
+
+pam (0.66-6) unstable; urgency=low
+
+ * Removed empty /lib/security/ from libpam0g (is created in
+ libpam-runtime)
+ * Added a depends for libpam-runtime to libpam0g (was supposed to be
+ there, must have deleted it)
+ * Removed empty /usr/bin from libpam-runtime (old directory where
+ upperLOWER was)
+
+ -- Ben Collins Wed, 24 Feb 1999 13:14:25 -0500
+
+pam (0.66-5) unstable; urgency=low
+
+ * Removed harcoded libc6 dependency from libpam0g-dev and changed it to
+ libc6-dev. closes: #33615
+ * Added md5 flag for pam_unix_passwd.so
+ * Removed upperLOWER program since it is just an example. Moved it's
+ source to the examples directory in libpam-modules
+ * Fixed documentation of pam_strerror() and examples. closes #31142
+ * Made pam_unix_passwd.so leave /etc/shadow mode 640 and root.shadow
+ after changes
+ * Fixed problem in pam_unix_auth that didn't let you su from a normal
+ user to another normal user (ie. neither one was root)
+ * Closing misc fixed bugs. closes #32809, #32274 (have been fixed,
+ just need closing)
+ * Tested lockvc with pam support, works for normal users (pam_pwdb)
+ closes: #31150
+ * Changed /var/log/wtmp in pam_lastlog docs to reflect correct
+ /var/log/lastlog file. closes: #26544
+ * Added -ldl to libpam.so, so apps don't have to
+
+ -- Ben Collins Fri, 19 Feb 1999 18:47:30 -0500
+
+pam (0.66-4) unstable; urgency=low
+
+ * Changed pwdb_chkpwd to sgid shadow instead of suid root since it only
+ needs read permissions to /etc/shadow and not write.
+ * Moved a lot of files arouns to get rid of libpam-runtime dependencies + * Put libpam-pwdb into it's own package + * Removed -lpwdb links for modules since libpwdb is somewhat buggy (or + alteast it's interaction with libpam is) + * Fixed bug in pam_unix_passwd.so that caused it to never authenticate + the correct passwd, making it so you couldn't change the passwd + + -- Ben Collins Tue, 16 Feb 1999 15:50:28 -0500 + +pam (0.66-3) unstable; urgency=low + + * Fixed defaults in /etc/pam.d/other to be pam_unix_*.so modules instead + of the accidental pam_pwdb.so module + * Fixed suid of pwdb_chkpwd (had to move dh_fixperms after + dh_suidregister) + * Added Replaces: libpam0g-util in order to help dpkg upgrade from + older packages + * Applied glibc 2.1 patch from Christian Meder. closes: #32809 + * Moved libpam-doc to Section doc. closes: #32274 + + -- Ben Collins Fri, 12 Feb 1999 02:01:43 -0500 + +pam (0.66-2) unstable; urgency=low + + * Removed all of the versioned module stuff. Modules are now in + /lib/security and stay there. Seems after discussion, that modules may + not change as often as thought + * Fixed suidregister for pwdb_chkpwd + * Fixed incomplete descriptions in control file + * This is a kludge to close some bugs since the last upload was yanked + before being installed in the archive, closes: #16882, #30862, #7725, + #10234, #10406, #12210, #14291, #15528, #15529, #20660, #25330, + #29868, #31088, #31128, #9131, #9919, #19383, #5132, #14533, #25915, + #28075, #31548, #31191 + + -- Ben Collins Tue, 2 Feb 1999 12:47:25 -0500 + +pam (0.66-1) unstable; urgency=low + + * New maintainer + * New upstream release. closes: #16882, #30862, #7725 + * Created a better split of the main lib and the runtime to kill the + circular dependencies and make it possible to have two .so version of + the library installed for upgrades. closes: #10234, #10406, #12210, + bug #14291, #15528, #15529, #20660, #25330, #29868, #31088, #31128, + bug #9131, #9919. 
+ * Harcoded modules directory prefixed with the .so version, and + used alternatives to create the symlink to the 'default' modules + directory. libpam will use the full path when specified, but use the + versioned modules directory for relative names. + * Put libpam0g-cracklib modules back in (own package). This means that + cracklib support is _not_ in the static libpam.a, also cracklib + support is _not_ in pam_unix_passwd.o, but only in pam_cracklib.so + by itself. + * Fixed a few typos in the source causing compile errors + * Fixed source #include's so that pam _didn't_ have to be installed + in order to compile the source ( changed from <> to "" ) + * Removed empty directories from built packages + * Opted not to build examples, only going to put *.c files in examples + directory for libpam0g-dev + * Moved *.sgml files for modules into their own directory (looks like + that is what the original maintainer wanted to do, but it didn't go) + * Moved doc build to arch-indep build in rules so that it doesn't get + built when specifying -B with debuild/dpkg-buildpackage. + * Moved `touch .quiet...' to build-stamp in order to have -B builds not + ask about pam.conf + * Split out non-standard modules to their own package, so as to make the + base install smaller (planning for base inclusion here) + * Created small manpage for pwdb_chkpwd. closes: #10941 + * The Copright file in /usr/doc/*/ was already named copright and not + compressed. closes: #14533 + * Package is now lintian clean. closes #19383, #5132 + * There is a maintainer now and the patch for #25915 is still included + so.... closes: #25915 + * Added check for editor backup files in /etc/pam.d (*~). closes: #28075 + * Applied patch for md5.h in pam_pwdb module. closes: #31548 + * Added support for dhelp in libpam-doc. 
closes: #31191 + + -- Ben Collins Wed, 20 Jan 1999 07:09:15 -0500 + +pam (0.65-0.8) frozen unstable; urgency=high + + * Marked PAM as orphaned, given that there has been no maintainer upload + in almost two years. + * [defs/debian.defs] Removed superflous cracklib2 dependency. + (Urgent as cracklib still has release-critical bugs). + (Fixes #30862). + + -- J.H.M. Dassen (Ray) Wed, 20 Jan 1999 09:34:35 +0100 + +pam (0.65-0.7) frozen unstable; urgency=high + + * Fixed security vulnerability in the pam_unix and pam_tally modules + (reported by Michal Zalewski on bugtraq; patch + A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin). + + -- J.H.M. Dassen (Ray) Tue, 29 Dec 1998 16:20:18 +0100 + +pam (0.65-0.6) unstable; urgency=high + + * Fixed distribution of files over the various packages, which was + severely messed up. + * Added appropriate Replaces: to ensure upgrading from both the hamm + version and previous slink versions. + * Fixed debug libraries, PAM module loading. + * Added examples. + * Added a "pam-undocumented" manpage pointing to libpam-doc, and + made links for functions without a manpage to that. + + -- J.H.M. Dassen (Ray) Sun, 11 Oct 1998 19:29:40 +0200 + +pam (0.65-0.5) unstable; urgency=low + + * Rewritten the preinst warning text (it still mentioned the search path). + + -- J.H.M. Dassen (Ray) Fri, 9 Oct 1998 14:23:18 +0200 + +pam (0.65-0.4) unstable; urgency=high + + * It looks like I misunderstood DEFAULT_MODULE_PATH: Linux-PAM does not + currently seem to be easily configured to look for modules in more than + one directory. With this version, it's configured to look only in + /lib/security . + + -- J.H.M. Dassen (Ray) Fri, 9 Oct 1998 11:43:34 +0200 + +pam (0.65-0.3) unstable; urgency=medium + + * Moving the PAM modules to /lib/security broke netatalk. + Added a preinst script to detect /etc/pam.d files with explicit paths to + PAM modules, give a warning about them, and offer to abort the install + (Fixes #27514). + + -- J.H.M. 
Dassen (Ray) Tue, 6 Oct 1998 20:10:43 +0200 + +pam (0.65-0.2) unstable; urgency=low + + * Argh. The tools didn't recognise -0.1 as a new upstream release, so + my previous upload was rejected due to a missing .orig.tar.gz . + + -- J.H.M. Dassen (Ray) Sun, 4 Oct 1998 17:15:09 +0200 + +pam (0.65-0.1) experimental; urgency=low + + * New upstream version. + * Non-maintainer upload. + * Major package overhaul; now uses debhelper. + * In experimental for now. *Please* provide feedback; if the feedback is + positive, we can put this in slink. + * Dropped libc5 support. + * [libpam/pam_static.c] Fixed compilation: "pamh" was undefined; use "NULL". + is this the correct fix? + * [defs/debian.defs] New. + * [Makefile] + * Exit when a make in a subdirectory fails. + * Compile statically too. + * New variables: LC, LP, LPLIBS, DEFAULT_MODULE_PATH . + * [libpam/Makefile] + * Use DEFAULT_MODULE_PATH if nonempty. + * Link libpam against LPLIBS. + * [modules/*/Makefile] + * Link the dynamic security objects against libpam and libc + (LP and LC). + * [modules/pam_pwdb/Makefile] + * Link dynamic security objects against libcrypt and libnsl. + * [conf/install_conf] Allow for non-interactive install (as the other + install_conf scripts already did). + * Automatically determine the list of /etc/security/* conffiles. + * Moved libpam to /lib, and PAM modules to /lib/security as they will + become part of the base system in the future. + * Built without cracklib support, to keep the base system smaller. + * /sbin/pwdb_chkpwd is undocumented, as is upperLOWER. + + -- J.H.M. Dassen (Ray) Fri, 2 Oct 1998 20:23:27 +0200 + +pam (0.57b-0.4) unstable; urgency=high + + * Non maintainer upload + My previous upload had removed the libc5 stuff from the controlfile + messing up things. Change 'Architecture: any' to 'i386 m68k' for those + .deb's instead. 
+ + -- Turbo Fredriksson Thu, 20 Aug 1998 20:06:50 -0400 + +pam (0.57b-0.3) unstable; urgency=high + + * Non maintainer upload + On a glibc2.1 system, XCASE is only defined in the + _IF_ '__USE_MISC' or '__USE_UNIX98' is defined. + + -- Turbo Fredriksson Sun, 16 Aug 1998 22:13:45 -0400 + +pam (0.57b-0.2) unstable; urgency=high + + * Yet another non-maintainer release. + * Zero changes; simply a re-upload due to a rm-trigger happy release + ``manager''. + + -- James Troup Tue, 17 Mar 1998 19:55:16 +0100 + +pam (0.57b-0.1) unstable; urgency=medium + + * Non-maintainer release. + * debian/control (Standards-Version): Updated to 2.4.0.0. + * debian/control (libpam0g-dev): Also conflict with libpam-dbg. + * debian/postinst: use case statement instead of if. + * debian/rules (COMPAT_ARCHES): removed sparc. + * debian/rules (binary-libc6-dev, binary-libc5-altdev): strip static libraries with + --strip-debug, not --strip-unneeded. + * debian/rules: each package now has it's own doc directory under + /usr/doc/, containing at least the copyright file (Policy 5.6). + * debian/rules: install files with `install -m 644' not `cp -p' to avoid + read-only files. + * debian/rules (binary-libc6-util): strip /usr/lib/*/security/*.so with + --strip-unneeded. + * debian/rules (binary-libc5-util): ditto. + * debian/rules (binary-libc5): don't depend on binary-libc5. + + -- James Troup Sat, 7 Mar 1998 18:04:19 +0100 + +pam (0.57b-0) unstable; urgency=medium + + * Non-maintainer release. + * New upstream version. + * Doesn't use pristine upstream source as the upstream tar ball is broken. + * Added libc6 libraries libpam0g, libpam0g-dev, libpam0g-dbg and + libpam0g-util. [#11697] + * libpam-dev becomes libpam0-altdev, libpam-util -> libpam0-altutil and + libpam-dbg is removed. + * libpam0 depends on libpam0g because libpam0g contains the pam conffile. + * libpam0-util depends on libpam0g-util because libpam0g contains the binary. + * Compiled with -D_REENTRANT and link with -lc. 
+ * Fixed permissions on shared libraries. + * Corrected syntax of /etc/pam.d/other. [#10497, #10758, #12030] + * Fixed typos in postinst. [#10474, #11365] + * Made /etc/pam.conf a conffile. + * Updated URL in copyright file. + * Removed over-zelaously installed README* files from libpam-doc. + + -- James Troup Sat, 22 Nov 1997 17:54:30 +0100 + +pam (0.56-2) unstable; urgency=low + + * Added /etc/pam.d/other with policy 'deny'. + * Add manual pages for PAM security modules. + + -- Klee Dienes Sat, 15 Mar 1997 22:33:22 -0500 + +pam (0.56-1) unstable; urgency=low + + * New upstream release. + * Converted to new packaging format. + * Reorganization of package structure (-dev, -dbg, etc). + + -- Klee Dienes Sat, 8 Mar 1997 01:21:17 -0500 + --- pam-1.0.1.orig/debian/README.debian +++ pam-1.0.1/debian/README.debian 
@@ -0,0 +1,36 @@
+PAM for DEBIAN
+--------------
+
+PAM (Pluggable Authentication Modules) provides system administrators with a
+powerful method of controlling system access and methods of authentication.
+
+The documentation for PAM is packaged in the "libpam-doc" package. The
+"Linux-PAM System Administrator's Guide" covers configuring PAM, what
+modules are available etc. The documentation also includes "The Linux-PAM
+Application Developers' Guide" and "The Linux-PAM Module Writers' Guide".
+
+The Debian default configuration is to emulate the old UNIX authentication.
+
+The Debian PAM packages live at svn://svn.debian.org/pkg-pam/. The
+current version is in the trunk directory; previous versions live in
+the tags directory.
+
+Changes Since Debian 3.0
+------------------------
+
+The pam_securetty module used to prompt for a password when it was
+going to fail access. This Debian-specific patch defeats one of the
+key uses of this module: to deny access to privileged accounts soon
+enough in the PAM stack that the password is never requested and is
+not compromised over insecure network links. If you want to ask for
+the password use required not requisite in your PAM config.
+
+Previously, pam_rhosts allowed the .rhosts file to be a symlink. This
+was a debian specific change that has been dropped because it is not
+the upstream behavior nor is it the documented behavior of ruserok(3).
+
+Similarly, pam_listfile used to allow the user file to be a symlink.
+This is no longer allowed because upstream seems to be against the
+change. Please see discussion started by Sam Hartman on
+pam-list@redhat.com during the May 2002 time frame.
+
--- pam-1.0.1.orig/debian/libpam-runtime.templates
+++ pam-1.0.1/debian/libpam-runtime.templates
@@ -0,0 +1,37 @@
+Template: libpam-runtime/profiles
+Type: multiselect
+Choices: ${profiles}
+Choices-C: ${profile_names}
+_Description: PAM profiles to enable:
+ Pluggable Authentication Modules (PAM) determine how authentication,
+ authorization, and password changing are handled on the system, as well
+ as allowing configuration of additional actions to take when starting
+ user sessions.
+ .
+ Some PAM module packages provide profiles that can be used to
+ automatically adjust the behavior of all PAM-using applications on the
+ system. Please indicate which of these behaviors you wish to enable.
+
+Template: libpam-runtime/conflicts
+Type: error
+#flag:translate!:3
+#flag:comment:2
+# This paragraph is followed by a (currently) non-translatable list of
+# PAM profile names.
+_Description: Incompatible PAM profiles selected.
+ The following PAM profiles cannot be used together:
+ .
+ ${conflicts}
+ .
+ Please select a different set of modules to enable.
+
+Template: libpam-runtime/override
+Type: boolean
+Default: false
+_Description: Override local changes to /etc/pam.d/common-*?
+ One or more of the files /etc/pam.d/common-{auth,account,password,session}
+ have been locally modified. Please indicate whether these local changes
+ should be overridden using the system-provided configuration. If you
+ decline this option, you will need to manage your system's
+ authentication configuration by hand.
+
--- pam-1.0.1.orig/debian/libpam0g-dev.files
+++ pam-1.0.1/debian/libpam0g-dev.files
@@ -0,0 +1,4 @@
+usr/include/security/*
+usr/lib/libpam.a
+usr/lib/libpamc.a
+usr/lib/libpam_misc.a
--- pam-1.0.1.orig/debian/changelog.old
+++ pam-1.0.1/debian/changelog.old
@@ -0,0 +1,13 @@
+pam (0.50-1) unstable; urgency=low
+
+ * added Debian GNU/Linux package maintenance system files.
+ * changes to the installation procedure to fit the Debian packaging
+ system ($PREFIX handling, unconditionally install configuration files,
+ don't run ldconfig after installing the shared libraries).
+ * added documentation in the extradoc directory
+ * commented out all unused entries in etc/pam.conf, etc/secure/group.conf
+ and etc/secure/time.conf
+
+ -- Patrick Weemeeuw
+
+
--- pam-1.0.1.orig/debian/libpam-runtime.install
+++ pam-1.0.1/debian/libpam-runtime.install
@@ -0,0 +1,7 @@
+debian/tmp/etc/pam.conf etc
+debian/tmp/etc/pam.d/other etc/pam.d
+debian/tmp/usr/share/pam usr/share
+debian/tmp/usr/sbin/pam_getenv usr/sbin
+debian/tmp/usr/share/locale usr/share
+debian/local/pam-auth-update usr/sbin
+debian/pam-configs/unix usr/share/pam-configs/
--- pam-1.0.1.orig/debian/libpam-modules.preinst
+++ pam-1.0.1/debian/libpam-modules.preinst
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+if dpkg --compare-versions "$2" lt-nl 0.99.10.0; then
+ db_version 2.0
+
+ if pidof xscreensaver xlockmore >/dev/null; then
+ db_input critical libpam-modules/disable-screensaver || true
+ db_go || true
+ fi
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/libpam-modules.lintian
+++ pam-1.0.1/debian/libpam-modules.lintian
@@ -0,0 +1,3 @@
+# yes, we know it's sgid, that's the whole point...
+libpam-modules: setgid-binary sbin/unix_chkpwd 2755 root/shadow
+
--- pam-1.0.1.orig/debian/libpam-doc.doc-base.modules-guide
+++ pam-1.0.1/debian/libpam-doc.doc-base.modules-guide
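Review bot: The `pidof xscreensaver xlockmore` test in libpam-modules.preinst may never match a running xlockmore, because pidof matches process names and, as far as I know, the xlockmore package's locker runs as `xlock`. If that holds, a locked xlock session gets no warning before the incompatible library change, and its user cannot authenticate to unlock it afterwards. The line would then read `if pidof xscreensaver xlock >/dev/null; then`. Since `db_input ... || true` and `db_go || true` make the prompt advisory only, a comment such as `# warning only: the upgrade proceeds whatever the answer` above the inner `if` would record that this is intended.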
@@ -0,0 +1,14 @@
+Document: pam-modules-guide
+Title: The Linux-PAM Module Writers' Guide
+Author: ndrew G. Morgan
+Abstract: This manual documents what a programmer needs to know in order to
+ write a module that conforms to the Linux-PAM standard. It also discusses
+ some security issues from the point of view of the module programmer.
+Section: Programming
+
+Format: HTML
+Index: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html
+Files: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html /usr/share/doc/libpam-doc/html/mwg*.html
+
+Format: text
+Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_MWG.txt.gz
--- pam-1.0.1.orig/debian/libpam0g.lintian
+++ pam-1.0.1/debian/libpam0g.lintian
@@ -0,0 +1,8 @@
+# obvious multilib package false-positive; also the package name hasn't
+# changed since the glibc transition, go us!
+libpam0g: package-name-doesnt-match-sonames libpam0 libpam-misc0 libpamc0
+# yes, these are deliberately asked in the postinst because the checking
+# for daemons to be restarted needs to be done in the postinst and not
+# before
+libpam0g: no-debconf-config
+libpam0g: postinst-uses-db-input
--- pam-1.0.1.orig/debian/libpam0g.files
+++ pam-1.0.1/debian/libpam0g.files
@@ -0,0 +1 @@
+lib/lib*.so.*
--- pam-1.0.1.orig/debian/libpam-modules.files
+++ pam-1.0.1/debian/libpam-modules.files
@@ -0,0 +1,4 @@
+etc/security/
+sbin/unix_chkpwd
+sbin/unix_update
+sbin/pam_tally
--- pam-1.0.1.orig/debian/libpam-runtime.postrm
+++ pam-1.0.1/debian/libpam-runtime.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+if [ "$1" = "purge" ]; then
+ rm -f /etc/pam.d/common-auth /etc/pam.d/common-account \
+ /etc/pam.d/common-session /etc/pam.d/common-password
+ rm -f /var/lib/pam/auth /var/lib/pam/account /var/lib/pam/session \
+ /var/lib/pam/password /var/lib/pam/seen
+ rmdir --ignore-fail-on-non-empty /var/lib/pam
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/NEWS
+++ pam-1.0.1/debian/NEWS
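Review bot: The `Author:` field in libpam-doc.doc-base.modules-guide reads `ndrew G. Morgan`, which looks like a dropped first letter; the copyright file added by this same diff spells the name `Andrew G. Morgan`. The line should be `Author: Andrew G. Morgan`.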
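Review bot: libpam-runtime.postrm enables errexit only through the interpreter line `#!/bin/sh -e`, which is lost whenever the script is run as `sh postrm` or traced with `sh -x`. The preinst and prerm scripts in this diff use a `set -e` line in the body; the same form here (`#!/bin/sh` followed by `set -e`) keeps a failed `rm` or `rmdir` from being ignored. The purge branch also deletes /etc/pam.d/common-{auth,account,session,password} with no check for local edits, while the libpam-runtime/override template in this diff treats such edits as something to ask about. If discarding them on purge is intended, a comment such as `# purge: generated common-* files are removed even if locally modified` would make that explicit.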
@@ -0,0 +1,39 @@
+pam (0.99.10.0-1) unstable; urgency=low
+
+ * pam_rhosts_auth module obsolete
+
+ The pam_rhosts_auth module has been dropped upstream in favor of the
+ more featureful and better-maintained pam_rhosts module. To ease the
+ transition to pam_rhosts, a compatibility symlink has been provided to
+ map pam_rhosts_auth to pam_rhosts on your system; however, pam_rhosts
+ doesn't support all of the same module options and the compatibility
+ symlink will be dropped in a future release. You should update any
+ configs to use pam_rhosts instead of pam_rhosts_auth as soon as possible.
+
+ For information on using pam_rhosts, see the pam_rhosts(8) manpage.
+
+ -- Steve Langasek Sat, 26 Jul 2008 22:01:22 -0700
+
+pam (0.99.7.1-5) unstable; urgency=low
+
+ * Default Unix minimum password length has changed
+
+ Previous versions of pam_unix on Debian had a built-in minimum password
+ length of 1 character, and a minimum password length configured in
+ /etc/pam.d/common-password of 4 characters. This differed from the
+ upstream default of 6 characters. This has been changed, so the
+ default /etc/pam.d/common-password no longer overrides the compile-time
+ default and the compile-time default has been raised to 6 characters.
+ If you are using pam_unix but are not using the default
+ /etc/pam.d/common-password file, it is recommended that you drop any
+ min= options to pam_unix from your config unless you have stronger
+ local password requirements that the upstream default.
+
+ The password length 'max' option has also been deprecated in this
+ version because it was never written to work as suggested in the
+ documentation. If you are using pam_unix but are not using the default
+ /etc/pam.d/common-password file, you should remove any old max= options
+ to pam_unix from your config as this option will be considered an error
+ in future versions of pam.
+
+ -- Steve Langasek Sat, 01 Sep 2007 21:27:11 -0700
--- pam-1.0.1.orig/debian/libpam-modules.postinst
+++ pam-1.0.1/debian/libpam-modules.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# If the user has removed the config file, respect this sign of dementia
+# -- only create on package install.
+
+if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.99.7.1-3
+then
+ if ! [ -f /etc/security/opasswd ]; then
+ umask 066
+ touch /etc/security/opasswd
+ umask 022
+ fi
+fi
+
+if dpkg --compare-versions "$2" lt 0.99.9.0-1 && ! [ -f /etc/environment ]
+then
+ touch /etc/environment
+fi
+
+# Add PATH to /etc/environment if it's not present there or in
+# /etc/security/pam_env.conf
+if [ "$1" = "configure" ] && (dpkg --compare-versions 0.79-3ubuntu6 ge "$2" || [ "$2" = "" ]); then
+ if ! grep -qs ^PATH /etc/security/pam_env.conf; then
+ if ! grep -qs ^PATH /etc/environment; then
+ echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"' >> /etc/environment
+ fi
+ fi
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/libpam-cracklib.postinst
+++ pam-1.0.1/debian/libpam-cracklib.postinst
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if dpkg --compare-versions "$2" lt 1.0.1-6; then
+ pam-auth-update --package
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/libpam0g-dev.links
+++ pam-1.0.1/debian/libpam0g-dev.links
@@ -0,0 +1,3 @@
+/lib/libpam.so.0 usr/lib/libpam.so
+/lib/libpamc.so.0 usr/lib/libpamc.so
+/lib/libpam_misc.so.0 usr/lib/libpam_misc.so
--- pam-1.0.1.orig/debian/TODO
+++ pam-1.0.1/debian/TODO
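Review bot: In libpam-modules.postinst the restrictive mode of /etc/security/opasswd depends on `umask 066` being set just before the `touch`, and the following `umask 022` hard-codes a value instead of restoring the umask the script was started with. A subshell keeps the change local and cannot leak into the later `touch /etc/environment` or the `#DEBHELPER#` code: `(umask 066; touch /etc/security/opasswd)`. The `-f` test also means an existing file keeps whatever mode it has; if that is deliberate, a comment such as `# an existing opasswd keeps its current mode and owner` would say so. The script also relies on `#!/bin/sh -e` where sibling scripts in this diff use `set -e` in the body.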
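Review bot: The version test in libpam-cracklib.postinst is not restricted to the `configure` action, so `pam-auth-update --package` can also run on `abort-upgrade` or `abort-remove`, where `$2` may not be a previously configured version. That command regenerates the system-wide authentication configuration, so it should run only on a real configure step. The PATH block in libpam-modules.postinst in this diff already uses such a guard; the same form here would be `if [ "$1" = configure ] && dpkg --compare-versions "$2" lt 1.0.1-6; then`.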
@@ -0,0 +1,7 @@
+- make pam_unix.so modules have some means of allowing other than root
+ to auth users via unix_chkpwd (maybe unix_chkpwd needs a secure conf
+ file?)
+- Put in some of the Hurd related fixes
+- Build-Depend-Indep on fop and install PDF docs, and add them to
+ doc-base. This depends on fop being patched to build using Java in
+ main so it can move out of contrib.
--- pam-1.0.1.orig/debian/libpam0g-dev.examples
+++ pam-1.0.1/debian/libpam0g-dev.examples
@@ -0,0 +1,6 @@
+examples/Makefile
+examples/blank.c
+examples/check_user.c
+examples/vpass.c
+examples/xsh.c
+libpamc/test/*
--- pam-1.0.1.orig/debian/libpam0g.docs
+++ pam-1.0.1/debian/libpam0g.docs
@@ -0,0 +1 @@
+debian/local/Debian-PAM-MiniPolicy
--- pam-1.0.1.orig/debian/libpam-runtime.lintian
+++ pam-1.0.1/debian/libpam-runtime.lintian
@@ -0,0 +1,5 @@
+# deliberate.
+W: libpam-runtime: no-debconf-config
+# this warning is just plain crack, there's no reason that using debconf
+# outside of a maintainer script implies an error.
+W: libpam-runtime: debconf-is-not-a-registry ./usr/sbin/pam-auth-update
--- pam-1.0.1.orig/debian/libpam-doc.install
+++ pam-1.0.1/debian/libpam-doc.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/doc/Linux-PAM/*.html usr/share/doc/libpam-doc/html
+debian/tmp/usr/share/doc/Linux-PAM/*.txt usr/share/doc/libpam-doc/txt
+
--- pam-1.0.1.orig/debian/README.source
+++ pam-1.0.1/debian/README.source
@@ -0,0 +1,8 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches-applied and applied during the build. Please see:
+
+ /usr/share/doc/quilt/README.source
+
+for more information on how to apply the patches, modify patches, or
+remove a patch.
--- pam-1.0.1.orig/debian/compat
+++ pam-1.0.1/debian/compat
@@ -0,0 +1 @@
+5
--- pam-1.0.1.orig/debian/libpam0g-dev.manpages
+++ pam-1.0.1/debian/libpam0g-dev.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man3/*
--- pam-1.0.1.orig/debian/libpam-cracklib.prerm
+++ pam-1.0.1/debian/libpam-cracklib.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+ pam-auth-update --package --remove cracklib
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/libpam-runtime.prerm
+++ pam-1.0.1/debian/libpam-runtime.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+ pam-auth-update --package --remove unix
+fi
+
+#DEBHELPER#
--- pam-1.0.1.orig/debian/po/it.po
+++ pam-1.0.1/debian/po/it.po
@@ -0,0 +1,168 @@ +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek +# This file is distributed under the same license as the pam package. +# David Paleino , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2009-02-28 13:06-0800\n" +"PO-Revision-Date: 2009-01-01 02:41+0100\n" +"Last-Translator: David Paleino \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Servizi da riavviare per l'aggiornamento della libreria PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Molti servizi che usano PAM hanno bisogno di essere riavviati per utilizzare " +"i moduli compilati per questa nuova versione di libpam. Per favore, " +"controllare la seguente lista, separata da spazi, di script di init.d per i " +"servizi da riavviare, e correggere se necessario." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Il Display Manager deve essere riavviato manualmente" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." 
+msgstr "" +"I display manager kdm, wdm e xdm richiedono un riavvia per la nuova versione " +"di libpam, ma ci sono sessioni di login X attive sul sistema che verrebbero " +"terminate da questo riavvio. Bisognerà riavviare questi servizi manualmente " +"prima che qualunque altro login X sia possibile." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fallito riavvio di alcuni servizi per l'aggiornamento di PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"I seguenti servizi non sono stati riavviati per l'aggiornamento della " +"libreria PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" +"Bisognerà avviarli manualmente eseguendo '/etc/init.d/ start'." + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM profiles to enable:" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:1001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:1001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:2001 +msgid "Incompatible PAM profiles selected." +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. 
PAM profile names. +#: ../libpam-runtime.templates:2001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:2001 +msgid "Please select a different set of modules to enable." +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:3001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" +"xscreensaver e xlockmore devono essere riavviati prima dell'aggiornamento" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" +"Una o più istanze in esecuzione di xscreensaver o xlockmore sono state " +"rilevate su questo sistema. A causa di cambiamenti incompatibili alle " +"librerie, l'aggiornamento del pacchetto libpam-modules renderà impossibile " +"l'autenticazione a questi programmi. 
Si dovrebbe organizzare il riavvio o " +"la chiusura di questi programmi prima di continuare con l'aggiornamento, al " +"fine di evitare che gli utenti restino bloccati al di fuori delle proprie " +"sessioni." --- pam-1.0.1.orig/debian/po/pt.po +++ pam-1.0.1/debian/po/pt.po 
@@ -0,0 +1,181 @@
+# translation of pam debconf to Portuguese
+# Copyright (C) 2007 Américo Monteiro
+# This file is distributed under the same license as the pam package.
+#
+# Américo Monteiro , 2007, 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 1.0.1-7\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-10 22:53+0000\n"
+"Last-Translator: Américo Monteiro \n"
+"Language-Team: Portuguese \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Serviços a reiniciar para a actualização da biblioteca PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"A maioria dos serviços que usam PAM precisam ser reiniciados para usarem os "
+"módulos construidos para esta nova versão do libpam. Por favor, reveja a "
+"seguinte lista de scripts init.d de serviços, separados por espaços, para "
+"serem reiniciados agora e corrija-a se for necessário."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "O gestor de sessão gráfica tem que ser reiniciado manualmente"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Os gestores de sessão gráfica kdm, wdm, e xdm necessitam de reiniciar para a "
+"nova versão de libpam, mas existem sessões de login X activas no seu sistema "
+"que seriam terminadas por esta operação. Então, você irá necessitar de "
+"reiniciar estes serviços manualmente antes que sejam possíveis mais logins X."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Falha ao reiniciar alguns serviços para a actualização PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Os seguintes serviços não puderam ser reiniciados para a actualização da "
+"biblioteca PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Você precisa de iniciar manualmente estes serviços fazendo '/etc/init.d/"
+" start'."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Perfis PAM para activar:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"O PAM (Pluggable Authentication Modules) determina como a autenticação, a "
+"autorização, e a mudança de palavras-chave são manuseadas no sistema, assim "
+"como permitir a configuração de acções adicionais a tomar quando arrancam "
+"sessões de utilizador."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Alguns pacotes de módulos do PAM disponibilizam perfis que podem ser usados "
+"para ajustar automaticamente o comportamento de todas as aplicações no "
+"sistema que usam o PAM. Por favor indique quais destes comportamentos deseja "
+"activar."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Perfis PAM incompatíveis seleccionados."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Os seguintes perfis do PAM não podem ser usados juntamente:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Por favor seleccione um conjunto diferente de módulos para activar."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Sobreescrever as alterações locais em /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Um ou mais dos ficheiros /etc/pam.d/common-{auth,account,password,session} "
+"foi modificado localmente. Por favor indique se estas alterações locais "
+"deverão ser sobreescritas usando a configuração disponibilizada pelo "
+"sistema. Se você recusar esta opção, irá precisar de gerir a configuração de "
+"autenticação do sistema manualmente."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver e xlockmore têm que ser reiniciados antes da actualização"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Uma ou mais instâncias do xscreensaver ou xlockmore foram detectadas a "
+"funcionar neste sistema. Devido a alterações incompatíveis em bibliotecas, a "
+"actualização do pacote libpam-modules irá deixá-lo incapaz de se autenticar "
+"nestes programas. Você deve fazer com que estes programas sejam reiniciados "
+"ou parados antes de continuar com esta actualização, para evitar trancar os "
+"seus utilizadores fora das suas sessões correntes."
--- pam-1.0.1.orig/debian/po/pt_BR.po
+++ pam-1.0.1/debian/po/pt_BR.po
@@ -0,0 +1,163 @@
+# pam Brazilian Portuguese translation
+# Copyright (c) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+# Eder L. Marques , 2007.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam_0.99.7.1-5\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2007-09-26 15:53-0300\n"
+"Last-Translator: Eder L. Marques \n"
+"Language-Team: l10n Portuguese \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"pt_BR utf-8\n"
+"X-Generator: KBabel 1.11.4\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Serviços a serem reiniciados para a atualização de bibliotecas PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"A maioria dos serviços que utilizam PAM precisam ser reiniciados para usar "
+"os módulos construídos para esta nova versão da libpam. Por favor, revise a "
+"seguinte lista separada por espaços de seus scripts init.d para os serviços "
+"a serem reiniciados agora, e a corrija se necessário."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Gerenciadores de display devem ser reiniciados manualmente"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Os gerenciadores de display kdm, wdm e xdm precisam ser reiniciados para a "
+"nova versão da libpam, mas existem sessões de login X ativas em seu sistema "
+"que podem ser terminadas por este reinicio. Você consequentemente "
+"necessitará reiniciar estes serviços manualmente antes que logins X "
+"adicionais sejam possíveis."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Falha ao reiniciar alguns serviços para a atualização da PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Os seguintes serviços não puderam ser reiniciados para a atualização da "
+"biblioteca PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Você deverá iniciá-los manualmente executando '/etc/init.d/ start'."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
--- pam-1.0.1.orig/debian/po/sk.po
+++ pam-1.0.1/debian/po/sk.po
@@ -0,0 +1,176 @@
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the pam package.
+# Ivan Masár , 2008, 2009.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: \n"
+"Last-Translator: Ivan Masár \n"
+"Language-Team: Slovak \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Pri aktualizácii knižnice PAM reštartovať nasledovné služby:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Väčšinu služieb využívajúcich PAM je potrebné reštartovať, aby začali "
+"používať moduly zostavené pre túto novú verziu libpam. Prosím, skontrolujte "
+"nasledovný zoznam init.d skriptov (oddelené čiarkami), ktoré sa majú teraz "
+"reštartovať a ak je to potrebné, opravte ho."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Správcu obrazovky je potrebné reštartovať ručne"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Správcovia obrazovky kdm, wdm a xdm vyžadujú reštart kvôli novej verzii "
+"libpam, ale na vašom systéme sú aktívne prihlasovacie relácie X, ktoré by "
+"tento reštart ukončil. Preto tieto služby budete musieť reštartovať ručne "
+"predtým, než bude možné uskutočniť ďalšie prihlásenie k X."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Zlyhal reštart niektorých služieb pri aktualizácii PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Nasledovné služby nebolo možné reštartovať pri aktualizácii knižnice PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Budete ich musieť reštartovať ručne spustením „/etc/init.d/ start”."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Zapnúř nasledovné profily PAM:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Zásuvné autentifikačné moduly (PAM) určujú ako systém pracuje s "
+"autentifikáciou, autorizáciou, zmenou hesiel a umožňuje tiež nastavenie "
+"ďalších operácií, ktoré sa majú vykonať pri prihlásení používateľa."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Niektoré balíky modulov PAM poskytujú profily, ktorými možno automaticky "
+"prisôpsobiť správanie všetkých aplikácií v systéme, ktoré používajú PAM. "
+"Prosím označte tie z nich, ktoré chcete zapnúť."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Boli vybrané nekompatibilné profily PAM."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Nasledovné profily PAM nemožno použiť súčasne:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Prosím, zmeňte množinu modulov, ktoré sa majú zapnúť."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Prepísať lokálne zmeny v /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Jeden alebo viac zo súborov /etc/pam.d/common-{auth,account,password,"
+"session} bolo na lokálnom systéme zmenených. Uveďte prosím, či sa majú tieto "
+"lokálne zmeny prepísať štandardnými konfiguračnými voľbami. Ak túto možnosť "
+"zamietnete, budete musieť spravovať nastavenia autentifikácie tohto systému "
+"ručne."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "Pred aktualizáciou je potrebné reštartovať xscreensaver a xlockmore"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Na tomto systéme bola zistená jedna alebo viacero bežiacich inštancií "
+"programov xscreensaver alebo xlockmore. Z dôvodu nekomaptibilných zmien v "
+"knižniciach balíka libpam-modules by ste po aktualizácii neboli schopní "
+"overiť sa týmto programom. Mali by ste zariadiť, aby sa tieto programy "
+"reštartovali alebo zastavili predtým, než budete v tejto aktualizácii "
+"pokračovať, aby ste predišli tomu, že používatelia sa nebudú môcť prihlásiť "
+"zo svojich súčasných relácií."
--- pam-1.0.1.orig/debian/po/eu.po
+++ pam-1.0.1/debian/po/eu.po
@@ -0,0 +1,175 @@
+# translation of pam_1.0.1-5_eu.po to Basque
+# Debconf questions for the Linux-PAM package.
+# Copyright (C) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+#
+# Piarres Beobide , 2007, 2008.
+# Iñaki Larrañaga Murgoitio , 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: pam_1.0.1-5_eu\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-01-02 12:30+0100\n"
+"Last-Translator: Iñaki Larrañaga Murgoitio \n"
+"Language-Team: Basque \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr ""
+"PAM liburutegia bertsio-berritzean berrabiarazi behar diren zerbitzuak:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"PAM erabiltzen duten zerbitzu gehienak berrabiarazi egin behar dira libpam "
+"bertsio honetako moduluak erabiltzeko. Mesedez gainbegiratu berrabiaraziko "
+"diren hurrengo zuriunez bereiziriko init.d script zerrenda hau eta zuzendu "
+"behar izanez gero."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Pantaila kudeatzailea eskuz berrabiarazi behar da"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Kdm, wdm, eta xdm pantaila kudeatzaileek berrabiaraztea behar dute libpam "
+"bertsio berria erabiltzeko. Baina berrabiarazteak eragin izan dezaken "
+"abiarazitako X saioak daude sistema honetan. Zerbitzu hori beranduago eskuz "
+"berrabiarazi beharko duzu X saioak hastea posible izateko."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Huts egin du zenbait zerbitzu berrabiaraztean PAM bertsio-berritzeko."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Hurrengo zerbitzuak ezin izan dira berrabiarazi PAM liburutegia bertsio-"
+"berritzean:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Hauek eskuz berrabiarazi beharko dituzu '/etc/init.d/ start' "
+"exekutatuz."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+"xscreensaver eta xlockmore berrabiarazi egin behar dira bertsio-berritu "
+"aurretik."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"xscreensaver edo xlockmore-ren instantzia bat edo gehiago exekutatzen "
+"dagoela detektatu da sisteman. Liburutegiaren aldaketaren "
+"bateraezintasunagatik libpam-modules paketearen bertsio-berritzeak programa "
+"horiekin ezin autentifikatzea eragingo dizu. Programa horiek berrabiarazi "
+"edop gelditu egin beharko zenituzke bertsio-berritzearekin jarraitu "
+"aurretik, sistemako erabiltzaileak beraien uneko saioan blokeatzea "
+"saihesteko."
--- pam-1.0.1.orig/debian/po/fr.po
+++ pam-1.0.1/debian/po/fr.po
@@ -0,0 +1,170 @@
+# Copyright (C) 2007 Cyril Brulebois
+# This file is distributed under the same license as the pam package.
+# Cyril Brulebois , 2007
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2007-10-03 12:07+0200\n"
+"Last-Translator: Cyril Brulebois \n"
+"Language-Team: French \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr ""
+"Services à redémarrer lors de la mise à niveau de la bibliothèque PAM :"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"La plupart des services utilisant PAM doivent être redémarrés pour utiliser "
+"les modules compilés pour cette nouvelle version de libpam. Veuillez "
+"vérifier la liste suivante de scripts de démarrage à relancer maintenant, et "
+"la corriger si nécessaire."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Pas de redémarrage automatique du gestionnaire graphique de sessions"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Les gestionnaires graphiques de session kdm, wdm et xdm nécessitent un "
+"redémarrage lors de la mise à niveau de libpam, mais il existe des sessions "
+"X actives sur ce système, qui seraient fermées par ce redémarrage. Vous "
+"devez donc redémarrer ces services vous-même avant de pouvoir effectuer à "
+"nouveau une connexion au serveur graphique."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr ""
+"Erreur du redémarrage de certains services pour la mise à niveau de PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Les services suivants n'ont pas pu être redémarrés lors de la mise à niveau "
+"de la bibliothèque PAM :"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Vous devez les démarrer vous-même avec la commande « /etc/init.d/ "
+"start »."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+"xscreensaver et xlockmore doivent être redémarrés avant la mise à niveau"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Une ou plusieurs instances de xscreensaver et/ou de xlockmore ont été "
+"détectées sur le système. À cause de la modification de certaines "
+"bibliothèques, la mise à niveau du paquet libpam-modules entrainera "
+"l'impossibilité de s'authentifier. Avant de poursuivre la mise à niveau, ces "
+"programmes doivent être redémarrés ou arrêtés pour éviter que des "
+"utilisateurs ne puissent plus accéder à leurs sessions."
--- pam-1.0.1.orig/debian/po/zh_CN.po
+++ pam-1.0.1/debian/po/zh_CN.po
@@ -0,0 +1,164 @@
+# Simplified Chinese translation for debconf templates of the pam package
+#
+# The original English strings (msgid) are:
+# Copyright (C) 2007 Steve Langasek
+# The translations (msgstr) are:
+# Copyright (C) 2007 Ming Hua
+# Copyright (C) 2009 Deng Xiyue
+#
+# This file is distributed under the same license as the pam package.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-01-01 12:30+0800\n"
+"Last-Translator: Deng Xiyue \n"
+"Language-Team: Debian Chinese [GB] \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "因 PAM 库升级而需要重新启动的服务:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"为了使用基于这个新版本 libpam 编译的模块,绝大部分使用 PAM 的服务都需要被重新"
+"启动。请复查下面这个需要重新启动的服务所对应的 init.d script 列表,script 名"
+"称之间以半角空格分隔。如列表有误,请直接更正。"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "必须手动重新启动显示管理器"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"由于 lipam 更新到新版本,显示管理器 kdm、wdm 和 xdm 需要被重新启动。但是您的"
+"系统上有正在运行的 X 登录会话,而如果重新启动显示管理器服务,这些 X 会话就会"
+"被强行结束。因此,您需要手动重新启动这些服务,否则您将无法再登录进 X 窗口系"
+"统。"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "为 PAM 升级重新启动某些服务失败"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr "升级 PAM 库时,下列服务无法被重新启动:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr "您需要运行“/etc/init.d/<服务> start”来手动启动这些服务。"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "在升级前必须重新启动 xscreensaver 和 xlockmore"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"检测到一个或多个 xscreensaver 或 xlockmore 运行实例。因为不兼容的库的变化,"
+"libpam-module 软件包的升级将使您无法向这些程序认证。您需要在继续此升级前安排"
+"这些程序重新启动或者停止运行,以避免将您的用户锁在他们的当前会话之外。"
--- pam-1.0.1.orig/debian/po/nl.po
+++ pam-1.0.1/debian/po/nl.po
@@ -0,0 +1,162 @@
+# Debconf questions for the Linux-PAM package.
+# Copyright (C) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+# FIRST AUTHOR , YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2007-10-26 19:55+0100\n"
+"Last-Translator: Bart Cornelis \n"
+"Language-Team: debian-l10n-dutch \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Dutch\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Bij de opwaardering van de PAM-bibliotheek te herstarten diensten:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"De meeste PAM-gebruikende diensten moeten herstart worden voor ze gebruik "
+"kunnen maken van modules die gebouwd zijn voor de nieuwe libpam-versie. De "
+"volgende, met spaties gescheiden, lijst van init.d scripts wordt herstart. "
+"Gelieve deze lijst te controleren en indien nodig aan te passen."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "De beeldschermbeheerder dient handmatig herstart te worden"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"De beelschermbeheerders kdm, wdm en xdm vereisen een herstart vanwege de "
+"nieuwe libpam-versie. Er zijn echter X-login-sessies actief op uw systeem "
+"die hierdoor afgesloten zouden worden. Nieuwe X-sessies starten via deze "
+"diensten is pas mogelijk eens u ze handmatig herstart heeft."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Herstarten van sommige diensten bij de PAM-opwaardering is mislukt"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"De volgende diensten konden niet herstart worden bij de opwaardering van de "
+"PAM-bibliotheek:."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"U dient deze diensten handmatig op te starten via het commando '/etc/init.d/"
+" start'."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
--- pam-1.0.1.orig/debian/po/ru.po
+++ pam-1.0.1/debian/po/ru.po
@@ -0,0 +1,168 @@
+# translation of ru.po to Russian
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Yuri Kozlov , 2007.
+# Yuri Kozlov , 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 1.0.1-5\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-01-01 13:11+0300\n"
+"Last-Translator: Yuri Kozlov \n"
+"Language-Team: Russian \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%"
+"10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Службы, которые будут перезапущены после обновления библиотеки PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Чтобы задействовать новые версии модулей из libpam нужно перезапустить "
+"большинство служб, использующих PAM. Внимательно просмотрите и при "
+"необходимости отредактируйте список (элементы разделяются пробелом) "
+"сценариев из init.d для служб, которые будут перезапущены."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Программу входа в систему нужно перезапустить вручную"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Для работы с новой версией libpam программам для входа в систему kdm, wdm и "
+"xdm требуется перезапуск, но это прервёт все запущенные X-сеансы. Поэтому "
+"вам нужно перезапустить эти службы вручную для того, чтобы можно было снова "
+"входить в систему через X."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "При обновлении PAM перезапуск некоторых служб завершился неудачно"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"При обновлении библиотеки PAM не удалось перезапустить следующие службы:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr "Вам нужно запустить их вручную, выполнив '/etc/init.d/<служба> start'."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "Перед обновлением требуется перезапустить xscreensaver и xlockmore"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Обнаружено, что в системе запущен один или несколько процессов xscreensaver "
+"или xlockmore. Из-за изменений в библиотеке, обновление пакета libpam-"
+"modules приведёт к невозможности выполнения аутентификации из этих программ. "
+"Перед тем как продолжить обновление вам нужно перезапустить или остановить "
+"работу этих программ, чтобы избежать блокировки пользователей в их активных "
+"сеансах."
--- pam-1.0.1.orig/debian/po/templates.pot
+++ pam-1.0.1/debian/po/templates.pot
@@ -0,0 +1,150 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: pam@packages.debian.org\n" +"POT-Creation-Date: 2009-02-28 13:06-0800\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" + +#. Type: error +#. 
Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/ " +"start'." +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:1001 +msgid "PAM profiles to enable:" +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:1001 +msgid "" +"Pluggable Authentication Modules (PAM) determine how authentication, " +"authorization, and password changing are handled on the system, as well as " +"allowing configuration of additional actions to take when starting user " +"sessions." +msgstr "" + +#. Type: multiselect +#. Description +#: ../libpam-runtime.templates:1001 +msgid "" +"Some PAM module packages provide profiles that can be used to automatically " +"adjust the behavior of all PAM-using applications on the system. Please " +"indicate which of these behaviors you wish to enable." +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:2001 +msgid "Incompatible PAM profiles selected." +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (currently) non-translatable list of +#. PAM profile names. +#: ../libpam-runtime.templates:2001 +msgid "The following PAM profiles cannot be used together:" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-runtime.templates:2001 +msgid "Please select a different set of modules to enable." +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:3001 +msgid "Override local changes to /etc/pam.d/common-*?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libpam-runtime.templates:3001 +msgid "" +"One or more of the files /etc/pam.d/common-{auth,account,password,session} " +"have been locally modified. Please indicate whether these local changes " +"should be overridden using the system-provided configuration. If you " +"decline this option, you will need to manage your system's authentication " +"configuration by hand." +msgstr "" + +#. 
Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "xscreensaver and xlockmore must be restarted before upgrading" +msgstr "" + +#. Type: error +#. Description +#: ../libpam-modules.templates:1001 +msgid "" +"One or more running instances of xscreensaver or xlockmore have been " +"detected on this system. Because of incompatible library changes, the " +"upgrade of the libpam-modules package will leave you unable to authenticate " +"to these programs. You should arrange for these programs to be restarted or " +"stopped before continuing this upgrade, to avoid locking your users out of " +"their current sessions." +msgstr "" --- pam-1.0.1.orig/debian/po/sv.po +++ pam-1.0.1/debian/po/sv.po 
@@ -0,0 +1,179 @@
+# Debconf questions for the Linux-PAM package.
+# Copyright (C) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+# Christer Andersson , 2007.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 0.99.7.1-5\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-05 13:51+0100\n"
+"Last-Translator: Martin Bagge \n"
+"Language-Team: Swedish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Tjänster att starta om för PAM-biblioteksuppgradering:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"De flesta tjänster som använder PAM behöver startas om för att använda\n"
+"moduler som byggts för denna nya libpam-version. Gå igenom följande lista\n"
+"av init.d-skript (separerade med mellanslag) för tjänster som nu kommer \n"
+"att startas om och korrigera den om nödvändigt."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Skärmhanterare måste startas om manuellt"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Skärmhanterarna kdm, wdm och xdm måste startas om för den nya versionen\n"
+"av libpam men det finns X-inloggningssessioner som skulle avslutas av en\n"
+"sådan omstart. Du behöver därför starta om dessa tjänster manuellt innan\n"
+"ytterligare X-inloggningar är möjliga."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Misslyckades med att starta om vissa tjänster för PAM-uppgradering"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Följande tjänster kunde inte startas om efter PAM-biblioteksuppgradering:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Du behöver starta om dessa manuellt genom att köra \"/etc/init.d/ "
+"start\"."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Aktivera följande PAM-profiler:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Pluggable Authentication Modules (PAM) hanterar hur autentisering, "
+"identifiering och byte av lösenord ska utföras på systemet. Dessutom "
+"hanteras särskilda åtgärder som ska vidtas vid uppstarta av "
+"användarsessioner."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Vissa paket med PAM-moduler tillhandahåller profiler som kan användas för "
+"att automatiskt justera hur applikationer som använder PAM fungerar på "
+"systemet. Ange vilka av dessa funkitoner du önskar aktivera."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Inkompatibla PAM-profiler har valdes."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Följande PAM-profiler kan inte användas tillsammans:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Ange en annan uppsättning med moduler som ska aktiveras."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Skriva över lokala förändringar i /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"En eller flera av filerna /etc/pam.d/common-{auth,account.password,session} "
+"har förändrats. Ange om dessa lokala förändringar ska skrivas över med "
+"standardinställningarna. Om du avböjer detta alternativ kommer du behöva "
+"hantera inställningarna för systemets autentisering manuellt."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+"xscreensaver och xlockmore måste startas om innan uppgraderingen kan "
+"genomföras"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"En eller flera instanser av xscreensaver eller xlockmore körs på det här "
+"systemet. På grund av förändringar i biblioteket kan uppgraderingen av "
+"paketet libpam-modules innebära att du inte kan identifiera dig i dessa "
+"program. Programmen behöver startas om eller allra helst stängas av helt "
+"före uppgraderingen, resultatet kan annars innebära att du inte kan komma åt "
+"dina aktiva sessioner på systemet."
--- pam-1.0.1.orig/debian/po/gl.po
+++ pam-1.0.1/debian/po/gl.po
@@ -0,0 +1,179 @@
+# Galician translation of pam's debconf templates
+# This file is distributed under the same license as the pam package.
+#
+# Jacobo Tarrio , 2007.
+# Marce Villarino , 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: pam\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-12 21:43+0100\n"
+"Last-Translator: Marce Villarino \n"
+"Language-Team: Galician \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Lokalize 0.2\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Servizos a reiniciar para a actualización da biblioteca PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"A maioría dos servizos que empregan PAM deben reiniciarse para empregar os "
+"módulos compilados para esta versión de libpam. Revise a seguinte lista de "
+"scripts de init.d que se han reiniciar agora, e corríxaa se é preciso."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Débese reiniciar manualmente o xestor de pantallas"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"É necesario reiniciar os xestores de pantallas kdm, wdm e xdm para a nova "
+"versión de libpam, pero hai sesións de X activas no sistema que se pecharían "
+"co reinicio. Polo tanto, ha ter que reiniciar eses servizos manualmente para "
+"poder iniciar novas sesións mediante X."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Fallou o reinicio de algúns servizos para a actualización de PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Non foi posíbel reiniciar os seguintes servizos para a actualización da "
+"biblioteca PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Ha ter que reinicialos manualmente executando «/etc/init.d/ start»."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Perfís de PAM a activar:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Os Pluggable Authentication Modules (PAM) determinan como se xestiona a "
+"autenticación, autorización e mudanza do contrasinal no sistema, e tamén "
+"permiten configurar accións adicionais a realizar cando se inician sesións "
+"de usuario."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Algúns paquetes de módulos de PAM fornecen perfís que poden empregarse para "
+"axustar automaticamente o comportamento de todos os programas do sistema que "
+"empregan PAM. Indique cais destes comportamentos desexa activar."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Escolléronse perfís de PAM incompatíbeis."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Non se poden empregar xuntos os seguintes perfís de PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Escolla un conxunto diferente de módulos para activalos."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Desexa sobrepor as mudanzas locais a /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Modificouse localmente un ou varios dos ficheiros /etc/pam.d/common-{auth,"
+"account,password,session}. Indique se estas modificacións locais deben "
+"sobrescribirse empregando a configuración fornecida polo sistema. Se rexeita "
+"esta opción deberá xestionar manualmente a configuración da autenticación do "
+"sistema."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver e xlockmore deben ser reiniciados antes da actualización"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Detectouse que se están a executar unha ou máis instancias de xscreensaver "
+"ou xlockmore no sistema. Por mor de modificacións incompatíbeis en "
+"bibliotecas, a actualización do paquete libpam-modules ha facer que non sexa "
+"quen de autenticarse nestes programas. Deber reiniciar ou deter estes "
+"programas antes de continuar coa actualización, para evitar deixar trancados "
+"os usuarios fora das súas sesións de traballo actuais."
--- pam-1.0.1.orig/debian/po/ro.po
+++ pam-1.0.1/debian/po/ro.po
@@ -0,0 +1,184 @@
+# Romanian translation of pam debconf templates
+# Debconf questions for the Linux-PAM package.
+# Copyright (C) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+#
+# Igor Stirbu , 2008.
+# Eddy Petrișor , 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 1.0.1-7\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-12 01:49+0200\n"
+"Last-Translator: Eddy Petrișor \n"
+"Language-Team: Romanian \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+"Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < "
+"20)) ? 1 : 2;\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Serviciile repornite la actualizarea bibliotecii PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Majoritatea serviciilor ce folosesc PAM trebuie repornite pentru a folosi "
+"modulele pentru noua versiune de libpam. Următoarea listă folosește ca "
+"separator spațiul și conține script-uri init.d care urmează să fie repornite "
+"acum; verificați-o și corectați-o, dacă este necesar."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Administratorul de ecran trebuie repornit manual"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Administratorii de ecran kdm, wdm și xmd trebuie reporniți pentru ca să "
+"folosească noua versiune de libpam, dar sunt sesiuni active de X pe sistemul "
+"dumneavoastră care ar fi oprite odată cu această repornire. Drept urmare, "
+"trebuie să reporniți manual aceste servicii înainte ca autentificările X "
+"ulterioare să fie posibile."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Eșec la repornirea unor servicii la actualizarea PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Următoarele servicii nu au putut fi repornite la actualizarea bibliotecii "
+"PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Trebuie să reporniți manual aceste servicii rulând „/etc/init.d/ "
+"start”"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Profile PAM de activat:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Modulele de autentificare conectabile (PAM) definesc cum se manevrează în "
+"sistem autentificările, autorizațiile și schimbările de parole, dar permite "
+"și adăugarea de diverse acțiuni ce se vor efectua la pornirea sesiunilor "
+"utilizatorilor."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Unele pachete de module PAM furnizează profile care pot fi folosite pentru "
+"ajustarea automată a comportamentului aplicațiilor din sistem care folosesc "
+"PAM. Indicați pe care dintre aceste comportamente le doriți activate."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Selecție de profile PAM incompatibile."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Următoarele profile PAM nu pot fi folosite împreună:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Selectați un alt set de module de activat."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Se ignoră schimbările locale făcute în /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Există modificari locale într-unul sau mai multe dintre fișierele /etc/pam.d/"
+"common-{auth,account,password,session}. Precizați dacă aceste schimbări "
+"locale trebuie suprascrise cu configurația oferită de sistem. Dacă refuzați, "
+"va trebui să administrați manual configurația de autentificare a sistemului."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver și xlockmore trebuie repornite înainte de înnoire"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"în sistem s-a detectat cel puțin o instanță activa de xscreensaver sau "
+"xlockmore. Datorită unor schimbări de compatibilitate în biblioteci, "
+"înnoirea pachetului libpam-modules nu vă va mai permite să vă autentificați "
+"în aceste programe. Va trebui să aranjați lucrurile în așa fel încât aceste "
+"programe să fie repornite sau oprite înainte de a continua înnoirea pentru a "
+"evita blocarea utilizatorilor în afara sesiunilor lor curente."
--- pam-1.0.1.orig/debian/po/cs.po
+++ pam-1.0.1/debian/po/cs.po
@@ -0,0 +1,176 @@
+# Czech translation of pam debconf mesages.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the pam package.
+# Miroslav Kure , 2007-2009.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-09 19:58+0100\n"
+"Last-Translator: Miroslav Kure \n"
+"Language-Team: Czech \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Služby, které se mají restartovat po aktualizaci knihovny PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Aby se začaly používat moduly z nové verze knihovny libpam, musí se většina "
+"služeb používajících PAM restartovat. Zkontrolujte prosím následující seznam "
+"služeb (init.d skriptů), které se mají nyní restartovat a v případě potřeby "
+"seznam opravte."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Správce displeje se musí restartovat ručně"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Správcové displejů kdm, wdm a xdm musí být s novou verzí knihovny libpam "
+"restartováni. Restart těchto služeb by však ukončil probíhající X sezení a "
+"proto je ponechán restart zmíněných správců displejů na vás, až určíte, že "
+"nastal vhodný okamžik. S restartem byste neměli otálet, protože do té doby "
+"se pomocí nich nebudou moci uživatelé přihlásit."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Restartování některých služeb při aktualizaci PAMu selhalo"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Následující služby nemohly být při aktualizaci knihovny PAM restartovány:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Tyto služby budete muset spustit ručně příkazem '/etc/init.d/ start'."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "PAM profily, které se mají povolit:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Moduly PAM (Pluggable Authentication Modules) určují, jakým způsobem je na "
+"systému řešena autentizace, autorizace, změna hesel a také umožňují nastavit "
+"dodatečné akce při spouštění uživatelských sezení."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Některé balíky s PAM moduly poskytují profily, které mohou automaticky "
+"upravit chování všech aplikací používajících PAM. Vyberte si, která chování "
+"chcete povolit."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Vybrány nekompatibilní PAM profily."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Následující PAM profily nelze používat současně:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Povolte prosím jinou sadu modulů."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Přepsat místní změny v /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Některé ze souborů /etc/pam.d/common-{auth,account,password,session} "
+"obsahují místní úpravy. Vyberte si, zda se mají tyto změny přepsat verzí z "
+"balíku. Zamítnete-li tuto možnost, budete muset spravovat tyto soubory ručně."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+"Programy xscreensaver a xlockmore musí být před aktualizací restartovány"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Zdá se, že v systému běží jedna nebo více instancí programu xscreensaver "
+"resp. xlockmore. Z důvodu nekompatibilních změn v knihovnách se po "
+"aktualizaci balíku libpam-modules nebudete moci pomocí těchto programů "
+"autentizovat. To jinými slovy znamená, že se uživatelé nedostanou ke svým "
+"uzamčeným sezením. Abyste tomu předešli, měli byste před aktualizací zmíněné "
+"programy zastavit, nebo je ve vhodný čas restartovat."
--- pam-1.0.1.orig/debian/po/POTFILES.in
+++ pam-1.0.1/debian/po/POTFILES.in
@@ -0,0 +1,3 @@
+[type: gettext/rfc822deb] libpam0g.templates
+[type: gettext/rfc822deb] libpam-runtime.templates
+[type: gettext/rfc822deb] libpam-modules.templates
--- pam-1.0.1.orig/debian/po/ja.po
+++ pam-1.0.1/debian/po/ja.po
@@ -0,0 +1,174 @@
+# Debconf questions for the Linux-PAM package.
+# Copyright (C) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+# FIRST AUTHOR , YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 1.0.1-7\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-05 23:03+0900\n"
+"Last-Translator: Kenshi Muto \n"
+"Language-Team: Japanese \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "PAM ライブラリの更新のために再起動するサービス:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"PAM を利用するほとんどのサービスは、この libpam の新しいバージョンでビルドさ"
+"れたモジュールを使うために再起動を必要とします。以下の、スペースで区切られた"
+"今再起動するサービスの init.d スクリプトのリストを見て、必要なら修正してくだ"
+"さい。"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "ディスプレイマネージャは手動で再起動されなければなりません"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"kdm、wdm、xdm といったディスプレイマネージャは libpam の新しいバージョンのた"
+"めに再起動が必要ですが、あなたのシステムには、再起動をすると強制終了してしま"
+"う実行中の X ログインセッションが存在します。そのため、さらなる X のログイン"
+"が可能になる前に、これらのサービスを手動で再起動する必要があります。"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "PAM 更新のためのいくつかのサービスの再起動で失敗"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr "PAM ライブラリ更新のための、以下のサービスの再起動ができませんでした:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"/etc/init.d/<サービス> start' を実行することで、これらを手動で起動する必要が"
+"あります。"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "有効化する PAM プロファイル:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"PAM (Pluggable Authentication Modules) は、ユーザのセッションが開始したときに"
+"起こす追加のアクション設定の許可と共に、どのように認証、認可、パスワード変更"
+"がシステムで扱われるかを決定します。"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"いくつかの PAM モジュールパッケージは、システム上のすべての PAM 利用アプリ"
+"ケーションの挙動を自動で調整するのに利用できるプロファイルを提供しています。"
+"これらの挙動の中から有効化したいものを指定してください。"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "矛盾する PAM プロファイルが選択されました。"
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "次の PAM プロファイルは一緒に利用することはできません:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "有効化するために違うモジュールセットを選択してください。"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "/etc/pam.d/common-* にローカルの変更を上書きしますか?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"/etc/pam.d/common-{auth,account,password,session} のファイルのうちの 1 つ以上"
+"がローカルで変更されています。これらのローカルの変更をシステムで提供される設"
+"定を使って上書きすべきかどうかを指示してください。この選択肢で「いいえ」と答"
+"える場合、あなたのシステムの認証設定を手動で管理する必要があります。"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver と xlockmore を更新前に再起動する必要があります"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"このシステムで 1 つ以上の xscreensaver あるいは xlockmore の動作が検出されま"
+"した。非互換のライブラリ変更のため、libpam-modules パッケージの更新はこれらの"
+"プログラムでの認証ができなくなるという事態にあなたを追いやります。ユーザが現"
+"在のセッションの外に締め出されるのを避けるため、このパッケージの更新を継続す"
+"る前に、これらのプログラムを再起動するか停止するように手配すべきです。"
--- pam-1.0.1.orig/debian/po/tr.po
+++ pam-1.0.1/debian/po/tr.po
@@ -0,0 +1,170 @@
+# Debconf questions for the Linux-PAM package.
+# Copyright (C) 2007 Steve Langasek
+# This file is distributed under the same license as the pam package.
+# Mert Dirik , 2008.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 0.99.7.1-5\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-01-01 19:20+0200\n"
+"Last-Translator: Mert Dirik \n"
+"Language-Team: Debian L10n Turkish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Turkish\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr ""
+"PAM kitaplığının yükseltilmesi için yeniden başlatılacak olan hizmetler:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"PAM kullanan çoğu hizmet, libpam'ın bu yeni sürümü için derlenmiş "
+"modüllerden yararlanabilmek için yeniden başlatılmak zorunda. Lütfen "
+"yeniden başlatılacak hizmetlere ilişkin init.d betiklerinin boşluklarla "
+"ayrılmış aşağıdaki listesini inceleyin ve gerekliyse listeyi düzeltin."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Görüntü yöneticisinin elle yeniden başlatılması gerekli"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"kdm, wdm ve xdm görüntü yöneticileri, libpam'ın yeni sürümünden "
+"yararlanabilmek için yeniden başlatılmalı; fakat sisteminizde etkin X "
+"oturumları var. Görüntü yöneticisi yeniden başlatılırsa bu oturumlar da "
+"kapatılır. Bu yüzden ileride yeni X oturumları açabilmek için bu hizmetleri "
+"elle yeniden başlatmanız gerekecek. "
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Bazı hizmetler PAM yükseltmesi için yeniden başlatılamadı"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Aşağıdaki hizmetler PAM kitaplığının yükseltmesi için yeniden başlatılamadı:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Bu hizmetleri '/etc/init.d/ start' komutunu kullanarak elinizle "
+"başlatmanız gerekecek."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr ""
+"Yükseltme işleminden önce xscreensaver ve xlockmore yeniden başlatılmalı"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Sisteminizde çalışmakta olan birden fazla xscreensaver ya da xlockmore "
+"örneğine rastlandı. Uyumsuz kitaplık değişiklikleri yüzünden, libpam-modules "
+"paketinin yükseltilmesi bu programlarda kimlik doğrulamasını olanaksız hale "
+"getirecek. Mevcut oturumların kilitlenmesi önlemek için, yükseltme işlemine "
+"devam etmeden önce bu programları durdurmalı ya da yeniden başlatmalısınız."
--- pam-1.0.1.orig/debian/po/bg.po
+++ pam-1.0.1/debian/po/bg.po
@@ -0,0 +1,173 @@
+# translation of bg.po to Bulgarian
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Damyan Ivanov , 2007, 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: bg\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-04 22:54+0200\n"
+"Last-Translator: Damyan Ivanov \n"
+"Language-Team: Bulgarian \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.11.4\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Рестартиране на услуги при обновяване на PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Повечето услуги, които използват PAM трябва да бъдат рестартирани за да "
+"могат да използват модулите за новата версия на libpam. Прегледайте списъка "
+"от init.d скриптове по-долу и го коригирайте ако е необходимо. Имената на "
+"отделните скриптове трябва да са отделени с интервал."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Мениджъра на дисплеи трябва да бъде рестартиран ръчно"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Мениджърите на дисплеи kdm, wdm и xdm трябва да бъдат рестартирани, но това би прекъснало активните влизания и затова тази операция няма да бъде извършена автоматично. Преди "
+"да може отново да се влезе в системата "
+"чрез тези услуги, те трябва да бъдат рестартирани ръчно."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Грешка при рестартиране на някои услуги за обновяване на PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr "Следните услуги не бяха рестартирани за обновяването на PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr "Ще трябва сами да ги стартирате чрез „/etc/init.d/<услуга> start“."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Разрешаване на PAM профили:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Модулите за идентификация (PAM, Pluggable Authentication Modules) управляват "
+"идентификацията, оторизацията и промяната на паролите. Те дават и възможност "
+"за изпълняване на допълнителни действия при стартиране на нови потребителски "
+"сесии."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Някои пакети с PAM модули предлагат „профили“, чрез които може да се промени "
+"поведението на всички приложения, използващи PAM. Изберете кои от профилите "
+"желаете да разрешите."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Избрани са несъвместими PAM профили."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Следните PAM профили не могат да се използват едновременно:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Изберете друга група профили."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Отмяна на локалните промени в /etc/pam.d/common-*?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Някои от файловете /etc/pam.d/common-{auth,account,password,session} са "
+"променени. Укажете дали желаете променените файлове да бъдат презаписани и "
+"да се използват настройките доставени със системата. Ако откажете ще трябва "
+"ръчно да настроите PAM."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver и xlockmore трябва да бъдат рестартирани"
+
+#. Type: error
+#.
Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Открити са работещи процеси xscreensaver или xlockmore. Поради несъвместими "
+"промени в библиотеката, обновяването на пакета libpam-modules ще направи "
+"невъзможно идентифицирането с тези програми. Трябва да осигурите "
+"рестартирането или спирането на xscreensaver и xlockmore за да избегнете "
+"проблеми с идентификацията при потребителите, които ги използват."
--- pam-1.0.1.orig/debian/po/es.po
+++ pam-1.0.1/debian/po/es.po
@@ -0,0 +1,215 @@
+# pam po-debconf translation to Spanish
+# Copyright (C) 2007 Software in the Public Interest, SPI Inc.
+# This file is distributed under the same license as the pam package.
+#
+# Changes:
+# - Initial translation
+# Javier Fernández-Sanguino , 2007
+# - Updates:
+# Steve Langasek, 2008
+# Javier Fernández-Sanguino, 2009
+#
+# Traductores, si no conoce el formato PO, merece la pena leer la
+# documentación de gettext, especialmente las secciones dedicadas a este
+# formato, por ejemplo ejecutando:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Equipo de traducción al español, por favor lean antes de traducir
+# los siguientes documentos:
+#
+# - El proyecto de traducción de Debian al español
+# http://www.debian.org/intl/spanish/
+# especialmente las notas y normas de traducción en
+# http://www.debian.org/intl/spanish/notas
+#
+# - La guía de traducción de po's de debconf:
+# /usr/share/doc/po-debconf/README-trans
+# o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Si tiene dudas o consultas sobre esta traducción consulte con el último
+# traductor (campo Last-Translator) y ponga en copia a la lista de
+# traducción de Debian al español ()
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 0.79-4\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-04 21:36+0100\n"
+"Last-Translator: Javier Fernandez-Sanguino \n"
+"Language-Team: Debian Spanish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-POFile-SpellExtra: kdm gnome xscreensaver xdm xlockmore wdm start init\n"
+"X-POFile-SpellExtra: screensaver PAM libpam corríjala\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Servicios a reiniciar para la actualización de la biblioteca de PAM:"
+
+#. Type: string
+#.
Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Es necesario reiniciar la mayoría de los servicios que utilizan PAM para que "
+"usen los módulos de esta versión de libpam. Por favor, revise la lista "
+"separada por espacios mostrada a continuación que indica los servicios a "
+"reiniciar ahora y corríjala si es necesario."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Debe reiniciar manualmente los gestores de pantalla"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Entre los servicios que deben reiniciarse debido a la nueva versión de "
+"libpam están los gestores de pantalla kdm, wdm y xdm. Sin embargo, hay "
+"sesiones de X ejecutándose en el sistema que se terminarían si se "
+"reiniciaran estos servicios. Debe reiniciarlos manualmente si desea que "
+"funcionen los accesos a través de una sesión X más adelante."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Fallo al reiniciar alguno de los servicios en la actualización de PAM"
+
+#. Type: error
+#.
Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"No fue posible reiniciar los servicios indicados a continuación dentro la "
+"actualización de la biblioteca de PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Deberá arrancar manualmente estos servicios ejecutando «/etc/init.d/"
+" start»."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Perfiles PAM a habilitar:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Los «Pluggable Authentication Modules» (PAM, o Módulos de autenticación "
+"insertables, N. del T.) determinan cómo se gestiona dentro del sistema la "
+"autenticación, autorización y modificación de contraseñas. Tambien permiten "
+"la definición de acciones adicionales a realizar cuando se inicia la sesión "
+"de un usuario."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Algunos de los paquetes de módulos de PAM ofrecen perfiles que pueden "
+"utilizarse para ajustar automáticamente el comportamiento de todas las "
+"aplicaciones que utilicen PAM en el sistema. Indique qué comportamiento "
+"desea activar."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Se han seleccionado perfiles PAM incompatibles."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+"No pueden utilizarse conjuntamente los perfiles de PAM indicados a "
+"continuación:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Seleccione un conjunto distinto de módulos a activar."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+"¿Desea sobreescribir los cambios locales realizados a «/etc/pam.d/common-*»?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Se ha modificado localmente alguno de los ficheros «/etc/pam.d/common-{auth,"
+"account,password,session}». Indique si desea que estos cambios locales se "
+"sobreescriban con la configuración definida para el sistema. Deberá "
+"gestionar la configuración de autenticación de su sistema manualmente si "
+"rechaza esta opción."
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "Debe reiniciar xscreensaver y xlockmore antes de la actualización"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system.
Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Se han detectado una o más instancias de los programas xscreensaver o "
+"xlockmore. La actualización del paquete libpam-modules podría impedir que "
+"pueda autenticarse en estos programas debido a cambios incompatibles en las "
+"librerías. Debería procurar que estos programas se reinicien o se paren "
+"antes de continuar con la actualización. Así evitará que los usuarios queden "
+"bloqueados y no puedan reanudar sus sesiones actuales."
--- pam-1.0.1.orig/debian/po/de.po
+++ pam-1.0.1/debian/po/de.po
@@ -0,0 +1,169 @@
+# German translation of pam debconf templates
+# Copyright (C) 2007, 2008 Steve Langasek
+# This file is distributed under the same license as the pam package.
+# Sven Joachim , 2007, 2009.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 1.0.1-5\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-01-03 09:17+0100\n"
+"Last-Translator: Sven Joachim \n"
+"Language-Team: German \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Neu zu startende Dienste für das Upgrade der PAM-Bibliothek:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Die meisten Dienste, die PAM verwenden, müssen neu gestartet werden, um "
+"Module dieser neuen Version von libpam verwenden zu können. Bitte überprüfen "
+"Sie die folgende, Leerzeichen-getrennte Liste von init.d-Skripten für "
+"Dienste, die jetzt neu zu starten sind, und korrigieren Sie diese Liste "
+"nötigenfalls."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Display-Manager müssen manuell neu gestartet werden"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Die Display-Manager kdm, wdm und xdm erfordern einen Neustart für die neue "
+"Version von libpam, aber auf Ihrem System sind X-Login-Sitzungen aktiv, die "
+"von diesem Neustart beendet werden würden. Sie müssen diese Dienste daher "
+"von Hand neu starten, bevor Logins unter X wieder möglich sind."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Fehler beim Neustart einiger Dienste für das PAM-Upgrade"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Die folgenden Dienste konnten für das Upgrade der PAM-Bibliothek nicht neu "
+"gestartet werden:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Sie müssen diese manuell neu starten, indem Sie »/etc/init.d/ start« "
+"ausführen."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#.
This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "Xscreensaver und xlockmore müssen vor dem Upgrade neu gestartet werden"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Eine oder mehrere laufende Instanzen von xscreensaver oder xlockmore sind "
+"auf diesem System entdeckt worden. Aufgrund inkompatibler Änderungen in "
+"Bibliotheken wird das Upgrade des libpam-modules-Paketes Sie außerstande "
+"setzen, sich gegenüber diesen Programmen zu authentifizieren.
Sie sollten "
+"dafür sorgen, dass diese Programme neu gestartet oder beendet werden, bevor "
+"Sie dieses Upgrade fortsetzen, damit Ihre Benutzer nicht aus ihren laufenden "
+"Sitzungen ausgesperrt werden."
--- pam-1.0.1.orig/debian/po/fi.po
+++ pam-1.0.1/debian/po/fi.po
@@ -0,0 +1,167 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 0.99.7.1-4\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-01-01 12:27+0200\n"
+"Last-Translator: Esko Arajärvi \n"
+"Language-Team: Finnish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Finnish\n"
+"X-Poedit-Country: FINLAND\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Palvelut, jotka käynnistetään uudelleen PAM-kirjastoa päivitettäessä:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Useimmat PAMia käyttävät palvelut pitää käynnistää uudelleen libpamin uuden "
+"version käyttöönottamiseksi. Tarkista seuraava välilyönnein eroteltu lista "
+"niiden palveluiden init.d-komentotiedostoista, jotka käynnistetään "
+"uudelleen, ja muokkaa listaa tarvittaessa."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Näytönhallintaohjelma tulee käynnistää uudelleen käsin"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Näytönhallintaohjelmat kdm, wdm ja zdm tulee käynnistää uudelleen, jotta "
+"libpamin uusi versio tulee käyttöön.
Järjestelmässä on kuitenkin aktiivisia "
+"X-istuntoja, jotka lopetettaisiin tämän uudelleenkäynnistyksen yhteydessä. "
+"Tästä syystä nämä palvelut tulee käynnistää uudelleen käsin ennen kuin uusia "
+"X-istuntoja voidaan avata."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr ""
+"Virhe PAM:in päivityksen yhteydessä käynnistettäessä uudelleen joitain "
+"palveluita"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Seuraavia palveluita ei voitu käynnistää uudelleen PAM-kirjastoa "
+"päivitettäessä:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Nämä palvelut tulee käynnistää uudelleen ajamalla '/etc/init.d/ "
+"start'."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system. Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr ""
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver ja xlockmore täytyy käynnistää uudelleen ennen päivitystä"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Järjestelmässä ajetaan parhaillaan yhtä tai useampaa xscreensaverin tai "
+"xlockmoren instanssia. Paketin libpam-modules kirjastot ovat muuttuneet "
+"niin, että päivityksen jälkeen näihin ohjelmiin ei voitaisi "
+"yhteensopivuussyistä enää tunnistautua. Nämä ohjelmat tulisi pysäyttää tai "
+"käynnistää uudelleen ennen päivityksen jatkamista, jotta käyttäjät eivät "
+"lukitse itseään ulos nykyisistä istunnoistaan."
--- pam-1.0.1.orig/debian/po/vi.po
+++ pam-1.0.1/debian/po/vi.po
@@ -0,0 +1,178 @@
+# Vietnamese translation for PAM.
+# Copyright © 2009 Free Software Foundation, Inc.
+# Clytie Siddall , 2007-2009.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam 1.0.1-7\n"
+"Report-Msgid-Bugs-To: pam@packages.debian.org\n"
+"POT-Creation-Date: 2009-02-28 13:06-0800\n"
+"PO-Revision-Date: 2009-03-06 00:05+0930\n"
+"Last-Translator: Clytie Siddall \n"
+"Language-Team: Vietnamese \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: LocFactoryEditor 1.8\n"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid "Services to restart for PAM library upgrade:"
+msgstr "Dịch vụ cần khởi chạy lại để nâng cấp thư viện PAM:"
+
+#. Type: string
+#. Description
+#: ../libpam0g.templates:1001
+msgid ""
+"Most services that use PAM need to be restarted to use modules built for "
+"this new version of libpam. Please review the following space-separated "
+"list of init.d scripts for services to be restarted now, and correct it if "
+"needed."
+msgstr ""
+"Phần lớn dịch vụ sử dụng PAM thì cũng cần phải được khởi chạy lại để sử dụng "
+"những mô-đun được xây dựng cho phiên bản libpam mới này. Hãy xem lại danh "
+"sách định giới bằng dấu cách theo đây hiển thị những văn lệnh khởi động "
+"(init.d) cho dịch vụ cần khởi chạy lại ngay bây giờ, và sửa chữa nếu cần "
+"thiết."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid "Display manager must be restarted manually"
+msgstr "Trình quản lý trình bày phải được khởi chạy bằng tay"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:2001
+msgid ""
+"The kdm, wdm, and xdm display managers require a restart for the new version "
+"of libpam, but there are X login sessions active on your system that would "
+"be terminated by this restart. You will therefore need to restart these "
+"services by hand before further X logins will be possible."
+msgstr ""
+"Trình quản lý trình bày kdm, wdm, hay xdm cần thiết được khởi chạy lại để sử "
+"dụng phiên bản mới của thư viện libpam, nhưng việc khởi chạy lại sẽ cũng "
+"chấm dứt một số buổi hợp đang nhập X đang chạy. Sau đó thì bạn cần phải tự "
+"khởi chạy lại những dịch vụ này để đăng nhập lại vào X."
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid "Failure restarting some services for PAM upgrade"
+msgstr "Lỗi khởi chạy lại một số dịch vụ để nâng cấp PAM"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"The following services could not be restarted for the PAM library upgrade:"
+msgstr ""
+"Những dịch vụ theo đây không thể được khởi chạy lại để nâng cấp thư viện PAM:"
+
+#. Type: error
+#. Description
+#: ../libpam0g.templates:3001
+msgid ""
+"You will need to start these manually by running '/etc/init.d/ "
+"start'."
+msgstr ""
+"Bạn cần phải tự khởi chạy lại chúng bằng cách chạy câu lệnh « /etc/init.d/"
+" start »."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid "PAM profiles to enable:"
+msgstr "Các hồ sơ PAM cần bật:"
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Pluggable Authentication Modules (PAM) determine how authentication, "
+"authorization, and password changing are handled on the system, as well as "
+"allowing configuration of additional actions to take when starting user "
+"sessions."
+msgstr ""
+"Mô-đun Xác thực Dễ kết hợp (PAM) quyết định quá trình xác thực, cho phép và "
+"thay đổi mật khẩu được quản lý như thế nào trên hệ thống, cũng như cho phép "
+"cấu hình các hành vi bổ sung cần làm khi khởi chạy buổi hợp người dùng."
+
+#. Type: multiselect
+#. Description
+#: ../libpam-runtime.templates:1001
+msgid ""
+"Some PAM module packages provide profiles that can be used to automatically "
+"adjust the behavior of all PAM-using applications on the system.
Please "
+"indicate which of these behaviors you wish to enable."
+msgstr ""
+"Một số mô-đun PAM nào đó cũng cung cấp các hồ sơ có thể được dùng để tự động "
+"điều chỉnh ứng xử của tất cả các ứng dụng dùng PAM trên hệ thống. Hãy ngụ ý "
+"những ứng xử nào bạn muốn hiệu lực."
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Incompatible PAM profiles selected."
+msgstr "Bạn đã chọn một số hồ sơ PAM không tương thích với nhau."
+
+#. Type: error
+#. Description
+#. This paragraph is followed by a (currently) non-translatable list of
+#. PAM profile names.
+#: ../libpam-runtime.templates:2001
+msgid "The following PAM profiles cannot be used together:"
+msgstr "Không thể sử dụng với nhau những hồ sơ PAM theo đây:"
+
+#. Type: error
+#. Description
+#: ../libpam-runtime.templates:2001
+msgid "Please select a different set of modules to enable."
+msgstr "Hãy chọn một tập hợp mô-đun khác để hiệu lực."
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid "Override local changes to /etc/pam.d/common-*?"
+msgstr "Có quyền cao hơn thay đổi cục bộ trong « /etc/pam.d/common-* » không?"
+
+#. Type: boolean
+#. Description
+#: ../libpam-runtime.templates:3001
+msgid ""
+"One or more of the files /etc/pam.d/common-{auth,account,password,session} "
+"have been locally modified. Please indicate whether these local changes "
+"should be overridden using the system-provided configuration. If you "
+"decline this option, you will need to manage your system's authentication "
+"configuration by hand."
+msgstr ""
+"Một hay nhiều tập tin « /etc/pam.d/common-{auth,account,password,session} » "
+"đã bị sửa đổi cục bộ. Hãy ngụ ý có nên ghi đè lên các thay đổi cục bộ này "
+"dùng cấu hình được hệ thống cung cấp, hay không. Không bật tuỳ chọn này thì "
+"bạn cần phải tự quản lý cấu hình xác thực của hệ thống này."
+
+#. Type: error
+#.
Description
+#: ../libpam-modules.templates:1001
+msgid "xscreensaver and xlockmore must be restarted before upgrading"
+msgstr "xscreensaver và xlockmore phải được khởi chạy lại trước khi nâng cấp"
+
+#. Type: error
+#. Description
+#: ../libpam-modules.templates:1001
+msgid ""
+"One or more running instances of xscreensaver or xlockmore have been "
+"detected on this system. Because of incompatible library changes, the "
+"upgrade of the libpam-modules package will leave you unable to authenticate "
+"to these programs. You should arrange for these programs to be restarted or "
+"stopped before continuing this upgrade, to avoid locking your users out of "
+"their current sessions."
+msgstr ""
+"Một hai nhiều tiến trình xscreensaver hay xlockmore được phát hiện trên hệ "
+"thống này. Do thay đổi thư viện không tương thích, việc nâng cấp gói libpam-"
+"modules sẽ để lại trường hợp người dùng không thể xác thực với những chương "
+"trình này. Vì thế bạn nên khởi chạy lại hoặc ngừng chạy những chương trình "
+"này trước khi tiếp tục tiến trình nâng cấp, để tránh chặn người dùng đăng "
+"nhập vào buổi hợp đang chạy."
--- pam-1.0.1.orig/debian/patches-applied/055_pam_unix_nullok_secure
+++ pam-1.0.1/debian/patches-applied/055_pam_unix_nullok_secure
@@ -0,0 +1,225 @@ +Debian patch to add a new 'nullok_secure' option to pam_unix, which +accepts users with null passwords only when the applicant is connected +from a tty listed in /etc/securetty. + +Authors: Sam Hartman , + Steve Langasek + +Upstream status: not yet submitted + +Index: pam.deb/modules/pam_unix/support.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/support.c ++++ pam.deb/modules/pam_unix/support.c +@@ -83,15 +83,22 @@ + /* now parse the arguments to this module */ + + while (argc-- > 0) { +- int j; ++ int j, sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) +- { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -430,6 +437,7 @@ + child = fork(); + if (child == 0) { + int i=0; ++ int nullok = off(UNIX__NONULL, ctrl); + struct rlimit rlim; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; +@@ -457,7 +465,18 @@ + /* exec binary helper */ + args[0] = strdup(CHKPWD_HELPER); + args[1] = x_strdup(user); +- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ ++ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ const void *uttyname; ++ retval = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval != PAM_SUCCESS || uttyname == NULL ++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ { ++ nullok = 0; ++ } ++ } ++ ++ if (nullok) { + args[2]=strdup("nullok"); + } else { + args[2]=strdup("nonull"); +@@ -527,6 +546,17 @@ + if (on(UNIX__NONULL, ctrl)) + return 0; /* will fail but don't let on yet */ + ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ int 
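Review bot: The `/* compare full strings */` comment in the first support.c hunk does not say why exact matching is now required: the `nullok` row sits earlier in unix_args than the new `nullok_secure` row, so under the old prefix `strncmp` a `nullok_secure` argument would stop at `nullok` and permit blank passwords from any tty. I would record that in the comment, e.g. `/* exact match: "nullok" must not swallow "nullok_secure" */`, so that a later cleanup does not restore prefix matching. `unix_args[j].token[sl-1]` also reads one byte before the string if a token is ever empty, and `if (sl > 0 && unix_args[j].token[sl-1] == '=')` avoids that at no cost. The enclosing while loop continues outside the hunk.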
retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + /* UNIX passwords area */ + + retval = get_pwd_hash(pamh, name, &pwd, &salt); +@@ -613,7 +643,8 @@ + } + } + } else { +- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); ++ retval = verify_pwd_hash(p, salt, ++ _unix_blankpasswd(pamh, ctrl, name)); + } + + if (retval == PAM_SUCCESS) { +Index: pam.deb/modules/pam_unix/support.h +=================================================================== +--- pam.deb.orig/modules/pam_unix/support.h ++++ pam.deb/modules/pam_unix/support.h +@@ -91,8 +91,9 @@ + #define UNIX_MAX_PASS_LEN 26 /* internal, for compatibility only */ + #define UNIX_MIN_PASS_LEN 27 /* Min length for password */ + #define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ ++#define UNIX_NULLOK_SECURE 29 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ + + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = +@@ -109,7 +110,7 @@ + /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x8000000), 0x200}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000}, +@@ -129,6 +130,7 @@ + /* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0}, + /* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x2000000}, + /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x4000000}, ++/* UNIX__NULLOK */ {"nullok_secure", _ALL_ON_^(0x200), 0x8000000}, + }; + + #define UNIX_DEFAULTS 
(unix_args[UNIX__NONULL].flag) +@@ -163,6 +165,9 @@ + ,const char *data_name + ,const void **pass); + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + extern int _unix_run_verify_binary(pam_handle_t *pamh, + unsigned int ctrl, const char *user, int *daysleft); + #endif /* _PAM_UNIX_SUPPORT_H */ +Index: pam.deb/modules/pam_unix/Makefile.am +=================================================================== +--- pam.deb.orig/modules/pam_unix/Makefile.am ++++ pam.deb/modules/pam_unix/Makefile.am +@@ -28,7 +28,8 @@ + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + pam_unix_la_LIBADD = @LIBNSL@ -L$(top_builddir)/libpam -lpam \ +- @LIBCRYPT@ @LIBSELINUX@ ++ @LIBCRYPT@ @LIBSELINUX@ \ ++ ../pam_securetty/tty_secure.lo + + securelib_LTLIBRARIES = pam_unix.la + +Index: pam.deb/modules/pam_unix/README +=================================================================== +--- pam.deb.orig/modules/pam_unix/README ++++ pam.deb/modules/pam_unix/README +@@ -57,7 +57,16 @@ + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides +- this default. ++ this default and allows any user with a blank password to access the ++ service. ++ ++nullok_secure ++ ++ The default action of this module is to not permit the user access to a ++ service if their official password is blank. The nullok_secure argument ++ overrides this default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of the values ++ found in /etc/securetty. 
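Review bot: The new table row is labelled `/* UNIX__NULLOK */`, which is already the label of the existing `nullok` row; it should read `/* UNIX_NULLOK_SECURE */` to match the `#define UNIX_NULLOK_SECURE 29` added in the hunk above, because the label column is the only thing that ties a row to its index. A short comment beside the row would also help: its mask clears 0x200 (UNIX__NONULL) while the UNIX__NONULL row now clears 0x8000000, so the two options cancel each other and whichever is applied last wins.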
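Review bot: `../pam_securetty/tty_secure.lo` is an object from a sibling directory that nothing in this Makefile.am knows how to build, so pam_unix.la links only when pam_securetty has already been built in the same tree. Nothing visible here enforces that order, and tty_secure.lo is not created by this patch; presumably another patch in the series splits it out, which is worth stating in the patch header. A comment above the `pam_unix_la_LIBADD` line, such as `# tty_secure.lo is built in ../pam_securetty, which must precede pam_unix in SUBDIRS`, would make the hidden dependency visible.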
+ + try_first_pass + +Index: pam.deb/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8 ++++ pam.deb/modules/pam_unix/pam_unix.8 +@@ -62,7 +62,14 @@ + .RS 4 + The default action of this module is to not permit the user access to a service if their official password is blank\&. The + \fBnullok\fR +-argument overrides this default\&. ++argument overrides this default and allows any user with a blank password to access the service\&. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. + .RE + .PP + \fBtry_first_pass\fR +Index: pam.deb/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.deb/modules/pam_unix/pam_unix.8.xml +@@ -135,7 +135,24 @@ + + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The argument overrides this default. ++ The argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + + + --- pam-1.0.1.orig/debian/patches-applied/007_modules_pam_unix +++ pam-1.0.1/debian/patches-applied/007_modules_pam_unix 
@@ -0,0 +1,913 @@ +Index: pam.deb/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c ++++ pam.deb/modules/pam_unix/pam_unix_passwd.c +@@ -88,6 +88,9 @@ + unsigned long versnum, unsigned int proto); + #endif /* GNU libc 2.1 */ + ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ + /* + How it works: + Gets in username (has to be done) from the calling program +@@ -431,7 +434,8 @@ + static int _pam_unix_approve_pass(pam_handle_t * pamh + ,unsigned int ctrl + ,const char *pass_old +- ,const char *pass_new) ++ ,const char *pass_new, ++ int pass_min_len) + { + const void *user; + const char *remark = NULL; +@@ -462,7 +466,7 @@ + } + } + if (off(UNIX__IAMROOT, ctrl)) { +- if (strlen(pass_new) < 6) ++ if (strlen(pass_new) < pass_min_len) + remark = _("You must choose a longer password"); + D(("length check [%s]", remark)); + if (on(UNIX_REMEMBER_PASSWD, ctrl)) { +@@ -474,6 +478,11 @@ + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -490,6 +499,7 @@ + int retval; + int remember = -1; + int rounds = -1; ++ int pass_min_len = 6; + + /* */ + const char *user; +@@ -498,7 +508,8 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, &remember, &rounds, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len, ++ argc, argv); + + /* + * First get the name of a user +@@ -698,7 +709,8 @@ + if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */ + pass_new = NULL; + } +- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); ++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, ++ 
pass_new, pass_min_len); + } + + if (retval != PAM_SUCCESS) { +@@ -727,7 +739,8 @@ + return retval; + } + +- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); ++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new, ++ pass_min_len); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, + "new password not acceptable 2"); +Index: pam.deb/modules/pam_unix/pam_unix_acct.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_acct.c ++++ pam.deb/modules/pam_unix/pam_unix_acct.c +@@ -184,7 +184,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); + + retval = pam_get_item(pamh, PAM_USER, &void_uname); + uname = void_uname; +Index: pam.deb/modules/pam_unix/support.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/support.c ++++ pam.deb/modules/pam_unix/support.c +@@ -53,7 +53,7 @@ + */ + + int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, +- int argc, const char **argv) ++ int *pass_min_len, int argc, const char **argv) + { + unsigned int ctrl; + +@@ -79,6 +79,7 @@ + D(("SILENT")); + set(UNIX__QUIET, ctrl); + } ++ + /* now parse the arguments to this module */ + + while (argc-- > 0) { +@@ -88,7 +89,8 @@ + + for (j = 0; j < UNIX_CTRLS_; ++j) { + if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { ++ && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) ++ { + break; + } + } +@@ -100,15 +102,17 @@ + ctrl &= unix_args[j].mask; /* for turning things off */ + ctrl |= unix_args[j].flag; /* for turning things on */ + +- if (remember != NULL) { +- if (j == UNIX_REMEMBER_PASSWD) { +- *remember = strtol(*argv + 9, NULL, 10); +- if ((*remember == INT_MIN) || (*remember == INT_MAX)) +- *remember = -1; +- if (*remember > 400) +- *remember = 400; +- } ++ /* special 
cases */ ++ if (remember != NULL && j == UNIX_REMEMBER_PASSWD) { ++ *remember = strtol(*argv + 9, NULL, 10); ++ if ((*remember == INT_MIN) || (*remember == INT_MAX)) ++ *remember = -1; ++ if (*remember > 400) ++ *remember = 400; ++ } else if (pass_min_len && j == UNIX_MIN_PASS_LEN) { ++ *pass_min_len = atoi(*argv + 4); + } ++ + if (rounds != NULL) { + if (j == UNIX_ALGO_ROUNDS) { + *rounds = strtol(*argv + 7, NULL, 10); +@@ -124,6 +128,11 @@ + ++argv; /* step to next argument */ + } + ++ if (off(UNIX_BIGCRYPT|UNIX_MD5_PASS|UNIX_SHA256_PASS|UNIX_SHA512_PASS, ++ ctrl) ++ && pass_min_len && *pass_min_len > 8) ++ *pass_min_len = 8; ++ + if (flags & PAM_DISALLOW_NULL_AUTHTOK) { + D(("DISALLOW_NULL_AUTHTOK")); + set(UNIX__NONULL, ctrl); +Index: pam.deb/modules/pam_unix/support.h +=================================================================== +--- pam.deb.orig/modules/pam_unix/support.h ++++ pam.deb/modules/pam_unix/support.h +@@ -88,8 +88,11 @@ + #define UNIX_SHA512_PASS 24 /* new password hashes will use SHA512 */ + #define UNIX_ALGO_ROUNDS 25 /* optional number of rounds for new + password hash algorithms */ ++#define UNIX_MAX_PASS_LEN 26 /* internal, for compatibility only */ ++#define UNIX_MIN_PASS_LEN 27 /* Min length for password */ ++#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ + + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = +@@ -97,32 +100,35 @@ + /* symbol token name ctrl mask ctrl * + * ----------------------- ------------------- --------------------- -------- */ + +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", 
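Review bot: `*pass_min_len = atoi(*argv + 4);` accepts whatever follows `min=` without validation, unlike the `remember=` branch just above it, which at least range-checks its value. An empty or non-numeric value becomes 0 and silently disables the length check, and a negative value is later compared with `strlen(pass_new)` in `_pam_unix_approve_pass`, where the int-to-size_t conversion makes every password look too short. Parse with `strtol`, reject anything below 1 and keep the default in that case, logging the bad argument as sketched below. The rounds handling that follows continues outside the hunk.

```c
	} else if (pass_min_len && j == UNIX_MIN_PASS_LEN) {
		char *end;
		long min = strtol(*argv + 4, &end, 10);

		if (end == *argv + 4 || *end != '\0' || min < 1 || min > INT_MAX) {
			/* keep the compiled-in default rather than weaken the check */
			pam_syslog(pamh, LOG_ERR,
				   "invalid min= value; keeping default");
		} else {
			*pass_min_len = (int) min;
		}
	}
	/* … unchanged: rounds= handling … */
```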
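Review bot: `off(UNIX_BIGCRYPT|UNIX_MD5_PASS|UNIX_SHA256_PASS|UNIX_SHA512_PASS, ctrl)` ORs together table indices rather than flag bits: the UNIX_* names are row positions in unix_args (UNIX_SHA512_PASS is 24, UNIX_CTRLS_ is 29), and by the row order in the table the four values combine to 31. If `off()` looks its first argument up in unix_args the way UNIX_DEFAULTS does (the macro is not visible here), that is a read past the end of the 29-entry table, and the 8-character cap is applied or skipped depending on whatever lies there. Test each option on its own: `if (off(UNIX_BIGCRYPT, ctrl) && off(UNIX_MD5_PASS, ctrl) && off(UNIX_SHA256_PASS, ctrl) && off(UNIX_SHA512_PASS, ctrl) && pass_min_len && *pass_min_len > 8)`.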
_ALL_ON_^(060), 040}, +-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0400000), 020000}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(020000), 0400000}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(040420000), 020000000}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(020420000), 040000000}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20}, ++/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0xC22000), 0x2000}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 
0x4000}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0xC22000), 0x20000}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0xC22000), 0x400000}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0xC22000), 0x800000}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000}, ++/* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0}, ++/* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x2000000}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x4000000}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -139,7 +145,7 @@ + extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl + ,int type, const char *text); + extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds, +- int argc, const char **argv); ++ int *pass_min_len, int argc, const char **argv); + extern int _unix_getpwnam (pam_handle_t *pamh, + const char *name, int files, int nis, + struct passwd **ret); +Index: pam.deb/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.deb/modules/pam_unix/pam_unix.8.xml +@@ -306,6 +306,90 @@ + + + ++ ++ ++ ++ ++ ++ ++ Set a minimum password length of n ++ characters. The default value is 6. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Enable some extra checks on password strength. These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't too much like ++ the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ ++ ++ ++ ++ ++ ++ + + + Invalid arguments are logged with +Index: pam.deb/modules/pam_unix/obscure.c +=================================================================== +--- /dev/null ++++ pam.deb/modules/pam_unix/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. */ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. 
Two types, 7, and so on. ++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. 
It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (on(UNIX_MD5_PASS,ctrl) || on(UNIX_BIGCRYPT,ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +Index: pam.deb/modules/pam_unix/Makefile.am +=================================================================== +--- pam.deb.orig/modules/pam_unix/Makefile.am ++++ pam.deb/modules/pam_unix/Makefile.am +@@ -40,7 +40,7 @@ + + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c ++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) +Index: pam.deb/modules/pam_unix/pam_unix_auth.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_auth.c ++++ pam.deb/modules/pam_unix/pam_unix_auth.c +@@ -111,7 +111,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); + + /* Get a few bytes so we can pass our return value to + pam_sm_setcred(). 
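Review bot: `password_check()` hands the results of `strdup(new)`, `strdup(old)` and `malloc()` straight to `str_lower()` and `strcpy()` without a NULL check, so an allocation failure during a password change dereferences NULL in the process running the PAM stack; the two `strndup()` calls in `obscure_msg()` have the same problem. Check the allocations before use and reject the change when they fail, as sketched below (the message text is only a suggestion). Separately, the truncated re-check in `obscure_msg()` is skipped only for `UNIX_MD5_PASS` and `UNIX_BIGCRYPT`, while `_set_ctrl()` in this same patch also treats sha256 and sha512 as long-password hashes; adding `|| on(UNIX_SHA256_PASS,ctrl) || on(UNIX_SHA512_PASS,ctrl)` keeps the two consistent. `str_lower()` and `simple()` should also cast to `(unsigned char)` before calling `tolower()`, `isdigit()`, `isupper()` and `islower()`.

```c
static const char * password_check(const char *old, const char *new,
				    const struct passwd *pwdp) {
	/* … unchanged: declarations and the strcmp(new, old) early return … */

	newmono = strdup(new);
	oldmono = strdup(old);
	wrapped = malloc(strlen(old) * 2 + 1);
	if (newmono == NULL || oldmono == NULL || wrapped == NULL) {
		/* out of memory: refuse the change instead of skipping the checks */
		if (newmono)
			_pam_delete(newmono);
		if (oldmono)
			_pam_delete(oldmono);
		free(wrapped);	/* never written, nothing to wipe */
		return _("Bad: new password could not be checked");
	}
	str_lower(newmono);
	str_lower(oldmono);
	strcpy(wrapped, oldmono);
	strcat(wrapped, oldmono);

	/* … unchanged: palindrome/case/similar/simple/wrapped checks and cleanup … */
```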
*/ +Index: pam.deb/modules/pam_unix/pam_unix_sess.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix_sess.c ++++ pam.deb/modules/pam_unix/pam_unix_sess.c +@@ -73,7 +73,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); + + retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); + if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { +@@ -107,7 +107,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); + + retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); + if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { +Index: pam.deb/modules/pam_unix/passverify.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/passverify.c ++++ pam.deb/modules/pam_unix/passverify.c +@@ -261,7 +261,9 @@ + *daysleft = -1; + curdays = (long int)(time(NULL) / (60 * 60 * 24)); + D(("today is %d, last change %d", curdays, spent->sp_lstchg)); +- if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { ++ if ((curdays > spent->sp_expire) && (spent->sp_expire != -1) ++ && (spent->sp_expire != 0)) ++ { + D(("account expired")); + return PAM_ACCT_EXPIRED; + } +@@ -279,17 +281,23 @@ + if ((curdays - spent->sp_lstchg > spent->sp_max) + && (curdays - spent->sp_lstchg > spent->sp_inact) + && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) +- && (spent->sp_max != -1) && (spent->sp_inact != -1)) { ++ && (spent->sp_max != -1) && (spent->sp_max != 0) ++ && (spent->sp_inact != -1) && (spent->sp_inact != 0)) ++ { + *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); + D(("authtok expired")); + return PAM_AUTHTOK_EXPIRED; + } +- if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { ++ if ((curdays - 
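Review bot: Treating 0 like -1 for `sp_expire`, `sp_max`, `sp_inact` and `sp_warn` weakens password aging for shadow entries where 0 was set on purpose, and nothing in this hunk or the next one (`@@ -279,17 +281,23 @@`) records that decision. With the added `(spent->sp_inact != 0)` test, an entry with an inactivity period of 0, which the shadow tools document as "disable as soon as the password expires", no longer reaches `PAM_AUTHTOK_EXPIRED`, and `sp_max == 0` no longer leads to `PAM_NEW_AUTHTOK_REQD`. If this is intended compatibility behaviour, say so in a comment above the first test, e.g. `/* Debian: a 0 field is treated as "not set", same as -1 */`, and mention it in the account section of the man page. The function body continues outside both hunks.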
spent->sp_lstchg > spent->sp_max) ++ && (spent->sp_max != -1) && (spent->sp_max != 0)) ++ { + D(("need a new password 2")); + return PAM_NEW_AUTHTOK_REQD; + } + if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) +- && (spent->sp_max != -1) && (spent->sp_warn != -1)) { ++ && (spent->sp_max != -1) && (spent->sp_warn != -1) ++ && (spent->sp_max != 0) && (spent->sp_warn != 0)) ++ { + *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); + D(("warn before expiry")); + } +Index: pam.deb/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8 ++++ pam.deb/modules/pam_unix/pam_unix.8 +@@ -1,85 +1,85 @@ + .\" Title: pam_unix + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/21/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_UNIX" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_UNIX" "8" "08/21/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_unix - Module for traditional password authentication ++pam_unix \- Module for traditional password authentication + .SH "SYNOPSIS" + .HP 12 +-\fBpam_unix\.so\fR [\.\.\.] ++\fBpam_unix\&.so\fR [\&.\&.\&.] + .SH "DESCRIPTION" + .PP +-This is the standard Unix authentication module\. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\. ++This is the standard Unix authentication module\&. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\&. 
Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&. + .PP + The account component performs the task of establishing the status of the user\'s account and password based on the following + \fIshadow\fR +-elements: expire, last_change, max_change, min_change, warn_change\. In the case of the latter, it may offer advice to the user on changing their password or, through the ++elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the + \fBPAM_AUTHTOKEN_REQD\fR +-return, delay giving service to the user until they have established a new password\. The entries listed above are documented in the ++return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the + \fBshadow\fR(5) +-manual page\. Should the user\'s record not contain one or more of these entries, the corresponding ++manual page\&. Should the user\'s record not contain one or more of these entries, the corresponding + \fIshadow\fR +-check is not performed\. ++check is not performed\&. + .PP +-The authentication component performs the task of checking the users credentials (password)\. The default action of this module is to not permit the user access to a service if their official password is blank\. ++The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&. + .PP + A helper binary, +-\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\. This binary is very simple and will only check the password of the user invoking it\. It is called transparently on behalf of the user by the authenticating component of this module\. 
In this way it is possible for applications like ++\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like + \fBxlock\fR(1) +-to work without being setuid\-root\. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was +-\fBfork()\fRd\. The ++to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was ++\fBfork()\fRd\&. The + \fBnoreap\fR +-module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\. ++module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. + .PP +-The password component of this module performs the task of updating the user\'s password\. ++The password component of this module performs the task of updating the user\'s password\&. + .PP +-The session component of this module logs when a user logins or leave the system\. ++The session component of this module logs when a user logins or leave the system\&. + .PP +-Remaining arguments, supported by others functions of this module, are silently ignored\. Other arguments are logged as errors through +-\fBsyslog\fR(3)\. ++Remaining arguments, supported by others functions of this module, are silently ignored\&. 
Other arguments are logged as errors through ++\fBsyslog\fR(3)\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 + Turns on debugging via +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBaudit\fR + .RS 4 +-A little more extreme than debug\. ++A little more extreme than debug\&. + .RE + .PP + \fBnullok\fR + .RS 4 +-The default action of this module is to not permit the user access to a service if their official password is blank\. The ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The + \fBnullok\fR +-argument overrides this default\. ++argument overrides this default\&. + .RE + .PP + \fBtry_first_pass\fR + .RS 4 +-Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\. ++Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\&. + .RE + .PP + \fBuse_first_pass\fR + .RS 4 + The argument + \fBuse_first_pass\fR +-forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\. ++forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. + .RE + .PP + \fBnodelay\fR + .RS 4 +-This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\. The default action is for the module to request a delay\-on\-failure of the order of two second\. ++This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. 
+ .RE + .PP + \fBuse_authtok\fR +@@ -88,17 +88,17 @@ + \fBpassword\fR + module (this is used in the example of the stacking of the + \fBpam_cracklib\fR +-module documented above)\. ++module documented above)\&. + .RE + .PP + \fBnot_set_pass\fR + .RS 4 +-This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\. ++This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\&. + .RE + .PP + \fBnis\fR + .RS 4 +-NIS RPC is used for setting new passwords\. ++NIS RPC is used for setting new passwords\&. + .RE + .PP + \fBremember=\fR\fB\fIn\fR\fR +@@ -107,73 +107,111 @@ + \fIn\fR + passwords for each user are saved in + \fI/etc/security/opasswd\fR +-in order to force password change history and keep the user from alternating between the same password too frequently\. ++in order to force password change history and keep the user from alternating between the same password too frequently\&. + .RE + .PP + \fBshadow\fR + .RS 4 +-Try to maintain a shadow based system\. ++Try to maintain a shadow based system\&. + .RE + .PP + \fBmd5\fR + .RS 4 +-When a user changes their password next, encrypt it with the MD5 algorithm\. ++When a user changes their password next, encrypt it with the MD5 algorithm\&. + .RE + .PP + \fBbigcrypt\fR + .RS 4 +-When a user changes their password next, encrypt it with the DEC C2 algorithm\. ++When a user changes their password next, encrypt it with the DEC C2 algorithm\&. + .RE + .PP + \fBsha256\fR + .RS 4 +-When a user changes their password next, encrypt it with the SHA256 algorithm\. If the SHA256 algorithm is not known to the libcrypt, fall back to MD5\. ++When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the libcrypt, fall back to MD5\&. 
+ .RE + .PP + \fBsha512\fR + .RS 4 +-When a user changes their password next, encrypt it with the SHA512 algorithm\. If the SHA512 algorithm is not known to the libcrypt, fall back to MD5\. ++When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the libcrypt, fall back to MD5\&. + .RE + .PP + \fBrounds=\fR\fB\fIn\fR\fR + .RS 4 + Set the optional number of rounds of the SHA256 and SHA512 password hashing algorithms to +-\fIn\fR\. ++\fIn\fR\&. + .RE + .PP + \fBbroken_shadow\fR + .RS 4 +-Ignore errors reading shadow inforation for users in the account management module\. ++Ignore errors reading shadow inforation for users in the account management module\&. ++.RE ++.PP ++\fBmin=\fR\fB\fIn\fR\fR ++.RS 4 ++Set a minimum password length of ++\fIn\fR ++characters\&. The default value is 6\&. ++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. ++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\'t the same as the old one with a change of case\&. ++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\'t too much like the previous one\&. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") ++.RE ++.sp + .RE + .PP + Invalid arguments are logged with +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. 
+ .SH "MODULE SERVICES PROVIDED" + .PP +-All service are supported\. ++All service are supported\&. + .SH "RETURN VALUES" + .PP + PAM_IGNORE + .RS 4 +-Ignore this module\. ++Ignore this module\&. + .RE + .SH "EXAMPLES" + .PP + An example usage for +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + would be: + .sp + .RS 4 + .nf + # Authenticate the user +-auth required pam_unix\.so ++auth required pam_unix\&.so + # Ensure users account and password are still active +-account required pam_unix\.so ++account required pam_unix\&.so + # Change the users password, but at first check the strength + # with pam_cracklib(8) +-password required pam_cracklib\.so retry=3 minlen=6 difok=3 +-password required pam_unix\.so use_authtok nullok md5 +-session required pam_unix\.so ++password required pam_cracklib\&.so retry=3 minlen=6 difok=3 ++password required pam_unix\&.so use_authtok nullok md5 ++session required pam_unix\&.so + + .fi + .RE +@@ -186,4 +224,4 @@ + \fBpam\fR(8) + .SH "AUTHOR" + .PP +-pam_unix was written by various people\. ++pam_unix was written by various people\&. --- pam-1.0.1.orig/debian/patches-applied/021_nis_cleanup +++ pam-1.0.1/debian/patches-applied/021_nis_cleanup 
@@ -0,0 +1,44 @@
+Patch from Philippe Troin
+
+Originally this included a bunch of changes to locking, but the more
+recent code pulled from Linux_pam CVS seems to fix that issue.
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -577,7 +577,7 @@
+
+ if (_unix_blankpasswd(pamh, ctrl, user)) {
+ return PAM_SUCCESS;
+- } else if (off(UNIX__IAMROOT, ctrl)) {
++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
+ /* instruct user what is happening */
+ if (asprintf(&Announce, _("Changing password for %s."),
+ user) < 0) {
+@@ -590,7 +590,9 @@
+ set(UNIX__OLD_PASSWD, lctrl);
+ retval = _unix_read_password(pamh, lctrl
+ ,Announce
+- ,_("(current) UNIX password: ")
++ ,(on(UNIX__IAMROOT, ctrl)
++ ? _("NIS server root password: ")
++ : _("(current) UNIX password: "))
+ ,NULL
+ ,_UNIX_OLD_AUTHTOK
+ ,&pass_old);
+@@ -601,9 +603,12 @@
+ "password - (old) token not obtained");
+ return retval;
+ }
+- /* verify that this is the password for this user */
++ /* verify that this is the password for this user
++ * if we're not using NIS */
+
+- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ if (off(UNIX_NIS, ctrl)) {
++ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
++ }
+ } else {
+ D(("process run by root so do nothing this time around"));
+ pass_old = NULL;
--- pam-1.0.1.orig/debian/patches-applied/series
+++ pam-1.0.1/debian/patches-applied/series
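Review bot: In the third hunk of pam_unix_passwd.c the old password is no longer checked locally whenever `UNIX_NIS` is set, and `retval` simply keeps the success value left by `_unix_read_password`. The skip is keyed on the module option alone, so from these lines it is not clear that an account stored in the local files still goes through `_unix_verify_password` when `nis` is configured; that should be confirmed, or the condition narrowed to accounts that really come from NIS. At minimum the comment should say who verifies instead, e.g. `/* with NIS the old password is checked by the NIS server during the update, not here */` (presumably true of the later update call; confirm). The enclosing function starts and ends outside the hunks.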
@@ -0,0 +1,31 @@
+pam_unix_thread-safe_save_old_password.patch
+pam_unix_fix_sgid_shadow_auth.patch
+pam_unix_dont_trust_chkpwd_caller.patch
+007_modules_pam_unix
+008_modules_pam_limits_chroot
+021_nis_cleanup
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+do_not_check_nis_accidentally
+027_pam_limits_better_init_allow_explicit_root
+031_pam_include
+032_pam_limits_EPERM_NOT_FATAL
+036_pam_wheel_getlogin_considered_harmful
+hurd_no_setfsuid
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+054_pam_security_abstract_securetty_handling
+055_pam_unix_nullok_secure
+PAM-manpage-section
+pam_env_ignore_garbage.patch -p2
+pam.d-manpage-section
+pam_unix-chkpwd-wait
+autoconf.patch
+ubuntu-fix_standard_types -p2
+ubuntu-rlimit_nice_correction -p2
+ubuntu-user_defined_environment -p2
+ubuntu-regression_fix_securetty -p2
+ubuntu-no-error-if-missingok
+dont_freeze_password_chain -p0
+update-motd
+pam_motd-legal-notice
--- pam-1.0.1.orig/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
+++ pam-1.0.1/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,274 @@ +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> + +Index: pam.deb/modules/pam_wheel/pam_wheel.c +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.c ++++ pam.deb/modules/pam_wheel/pam_wheel.c +@@ -60,9 +60,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -80,8 +79,7 @@ + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. 
*/ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -129,27 +127,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (!tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- if (fromsu) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- if (!fromsu || !tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (!tpwd) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam.deb/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + + trust + +- +- use_uid +- + + + +@@ -115,18 +112,6 @@ + + + +- +- +- +- +- +- +- The check for wheel membership will be done against +- the current uid instead of the original one (useful when +- jumping with su from one account to another for example). 
+- +- +- + + + +Index: pam.deb/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.8 ++++ pam.deb/modules/pam_wheel/pam_wheel.8 +@@ -1,64 +1,59 @@ + .\" Title: pam_wheel + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_WHEEL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_WHEEL" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_wheel - Only permit root access to members of group wheel ++pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP 13 +-\fBpam_wheel\.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called + \fIwheel\fR +-group\. By default it permits root access to the system if the applicant user is a member of the ++group\&. By default it permits root access to the system if the applicant user is a member of the + \fIwheel\fR +-group\. If no group with this name exist, the module is using the group with the group\-ID +-\fB0\fR\. ++group\&. If no group with this name exist, the module is using the group with the group\-ID ++\fB0\fR\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBdeny\fR + .RS 4 + Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the + \fBgroup\fR +-option), deny access\. 
Conversely, if the user is not in the group, return PAM_IGNORE (unless ++option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless + \fBtrust\fR +-was also specified, in which case we return PAM_SUCCESS)\. ++was also specified, in which case we return PAM_SUCCESS)\&. + .RE + .PP + \fBgroup=\fR\fB\fIname\fR\fR + .RS 4 + Instead of checking the wheel or GID 0 groups, use the + \fB\fIname\fR\fR +-group to perform the authentication\. ++group to perform the authentication\&. + .RE + .PP + \fBroot_only\fR + .RS 4 +-The check for wheel membership is done only\. ++The check for wheel membership is done only\&. + .RE + .PP + \fBtrust\fR + .RS 4 +-The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\. +-.RE +-.PP +-\fBuse_uid\fR +-.RS 4 +-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\. ++The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -66,52 +61,52 @@ + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 +-Authentication failure\. ++Authentication failure\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-The return value should be ignored by PAM dispatch\. ++The return value should be ignored by PAM dispatch\&. + .RE + .PP + PAM_PERM_DENY + .RS 4 +-Permission denied\. ++Permission denied\&. 
+ .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Cannot determine the user name\. ++Cannot determine the user name\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Success\. ++Success\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP +-The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\. ++The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&. + .sp + .RS 4 + .nf +-su auth sufficient pam_rootok\.so +-su auth required pam_wheel\.so +-su auth required pam_unix\.so ++su auth sufficient pam_rootok\&.so ++su auth required pam_wheel\&.so ++su auth required pam_unix\&.so + + .fi + .RE +@@ -124,4 +119,4 @@ + \fBpam\fR(8) + .SH "AUTHOR" + .PP +-pam_wheel was written by Cristian Gafton \. ++pam_wheel was written by Cristian Gafton \&. +Index: pam.deb/modules/pam_wheel/README +=================================================================== +--- pam.deb.orig/modules/pam_wheel/README ++++ pam.deb/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check for wheel membership will be done against the current uid instead +- of the original one (useful when jumping with su from one account to +- another for example). +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can --- pam-1.0.1.orig/debian/patches-applied/022_pam_unix_group_time_miscfixes +++ pam-1.0.1/debian/patches-applied/022_pam_unix_group_time_miscfixes 
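Review bot: In pam_wheel.c a failed `pam_modutil_getpwuid (pamh, getuid())` returns `PAM_SERVICE_ERR` but is logged only when `debug` is set, so a wheel check that cannot identify its caller leaves no trace in a default configuration. Since the uid lookup is now the only way the applicant is identified, I would log it unconditionally and include the uid: `pam_syslog(pamh, LOG_NOTICE, "cannot resolve uid %lu", (unsigned long) getuid());`. Separately, `else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */` hides an empty statement behind a trailing semicolon; `else if (!strcmp(*argv,"use_uid")) { /* accepted and ignored for compatibility */ }` is harder to misread. Both functions start and end outside the hunks.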
@@ -0,0 +1,20 @@
+ * Add support for credential reinitialization in pam_group, closes: #108697
+
+Index: pam.deb/modules/pam_group/pam_group.c
+===================================================================
+--- pam.deb.orig/modules/pam_group/pam_group.c
++++ pam.deb/modules/pam_group/pam_group.c
+@@ -765,9 +765,12 @@
+ unsigned setting;
+
+ /* only interested in establishing credentials */
++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
++ Some people just pass PAM_SILENT, so cope with it, too. */
+
+ setting = flags;
+- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
++ && (setting != 0) && (setting != PAM_SILENT)) {
+ D(("ignoring call - not for establishing credentials"));
+ return PAM_SUCCESS; /* don't fail because of this */
+ }
--- pam-1.0.1.orig/debian/patches-applied/pam_motd-legal-notice
+++ pam-1.0.1/debian/patches-applied/pam_motd-legal-notice
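Review bot: The widened test in pam_group.c spells out two special values, `(setting != 0) && (setting != PAM_SILENT)`, where masking the silent bit once says the same thing more directly (equivalent as long as `PAM_SILENT` is a single bit): `if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) && (setting & ~PAM_SILENT) != 0) {`. The first comment, `/* only interested in establishing credentials */`, is no longer accurate now that reinitialization and empty flags are accepted, and would be better folded into the new one. The function body starts and ends outside the hunk.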
@@ -0,0 +1,67 @@
+Patch for Ubuntu bug #399071
+
+Display the contents of /etc/legal as part of the MOTD, the first time the
+user logs in, and set a flag in the user's homedir if possible to prevent
+repeat displays.
+
+Authors: Dustin Kirkland
+
+Upstream status: Ubuntu-specific, maybe submit to Debian
+
+Index: pam.ubuntu/modules/pam_motd/pam_motd.c
+===================================================================
+--- pam.ubuntu.orig/modules/pam_motd/pam_motd.c
++++ pam.ubuntu/modules/pam_motd/pam_motd.c
+@@ -73,6 +73,42 @@
+ close(fd);
+ }
+
++void display_legal(pam_handle_t *pamh)
++{
++ int retval;
++ char *user = NULL;
++ char *dir = NULL;
++ char *flag = NULL;
++ struct passwd *pwd = NULL;
++ struct stat s;
++ int f;
++ /* Get the user name to determine if we need to print the disclaimer */
++ retval = pam_get_item(pamh, PAM_USER, &user);
++ if (retval == PAM_SUCCESS && user != NULL && *(const char *)user != '\0')
++ {
++ /* Get the password entry */
++ pwd = pam_modutil_getpwnam (pamh, user);
++ if (pwd != NULL)
++ {
++ if (asprintf(&flag, "%s/.cache/motd.legal-displayed", pwd->pw_dir) == -1)
++ return;
++ if (stat(flag, &s) != 0)
++ {
++ display_file(pamh, "/etc/legal");
++ if (asprintf(&dir, "%s/.cache", pwd->pw_dir) == -1)
++ return;
++ mkdir(dir, 0755);
++ chown(dir, pwd->pw_uid, pwd->pw_gid);
++ f = open(flag, O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
++ chown(flag, pwd->pw_uid, pwd->pw_gid);
++ close(f);
++ _pam_drop(dir);
++ }
++ _pam_drop(flag);
++ }
++ }
++}
++
+ PAM_EXTERN
+ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+@@ -116,6 +152,9 @@
+ /* Display the updated motd */
+ display_file(pamh, motd_path);
+
++ /* Display the legal disclaimer only if necessary */
++ display_legal(pamh);
++
+ return retval;
+ }
+
--- pam-1.0.1.orig/debian/patches-applied/ubuntu-no-error-if-missingok
+++ pam-1.0.1/debian/patches-applied/ubuntu-no-error-if-missingok
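Review bot: `display_legal()` creates and chowns `~/.cache` and the flag file with the privileges of the calling service, inside a directory the logging-in user controls; `chown()` and `open()` without `O_NOFOLLOW` follow symbolic links, so a link at either path redirects a privileged ownership change to some other file. The home-directory writes should run with the user's effective uid/gid, which also makes both `chown()` calls unnecessary, as sketched below. The function also leaks `flag` when the second `asprintf` fails, ignores the results of `mkdir`/`chown`/`open`, calls `close(f)` even when `open` failed, and passes a `char **` where `pam_get_item` expects `const void **`.

```c
/* … unchanged: PAM_USER lookup and pam_modutil_getpwnam() … */
if (asprintf(&flag, "%s/.cache/motd.legal-displayed", pwd->pw_dir) == -1)
    return;
if (stat(flag, &s) != 0)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();

    display_file(pamh, "/etc/legal");
    /* Touch the home directory with the user's ids, not the service's,
       so a link planted there cannot redirect a privileged operation.
       NOTE(review): supplementary groups are left as they are here;
       confirm whether they need to be dropped as well. */
    if (setegid(pwd->pw_gid) == 0 && seteuid(pwd->pw_uid) == 0
        && asprintf(&dir, "%s/.cache", pwd->pw_dir) != -1)
    {
        (void) mkdir(dir, 0755);   /* an existing directory is fine */
        f = open(flag, O_WRONLY|O_CREAT|O_NOFOLLOW,
                 S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
        if (f >= 0)
            close(f);
        _pam_drop(dir);
    }
    /* regain the uid first, then the gid */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        pam_syslog(pamh, LOG_ERR, "could not restore credentials");
}
_pam_drop(flag);
```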
@@ -0,0 +1,70 @@
+Index: pam.ubuntu/libpam/pam_handlers.c
+===================================================================
+--- pam.ubuntu.orig/libpam/pam_handlers.c
++++ pam.ubuntu/libpam/pam_handlers.c
+@@ -637,7 +637,7 @@
+ }
+
+ static struct loaded_module *
+-_pam_load_module(pam_handle_t *pamh, const char *mod_path)
++_pam_load_module(pam_handle_t *pamh, const char *mod_path, int missingok)
+ {
+ int x = 0;
+ int success;
+@@ -722,8 +722,10 @@
+ }
+ if (mod->dl_handle == NULL) {
+ D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path));
+- pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
+- _pam_dlerror());
++ if (!missingok) {
++ pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
++ _pam_dlerror());
++ }
+ /* Don't abort yet; static code may be able to find function.
+ * But defaults to abort if nothing found below... */
+ } else {
+@@ -738,7 +740,8 @@
+ mod->dl_handle = NULL;
+ mod->type = PAM_MT_FAULTY_MOD;
+ pamh->handlers.modules_used++;
+- pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path);
++ if (!missingok)
++ pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path);
+ success = PAM_SUCCESS; /* We have successfully added a module */
+ }
+
+@@ -769,19 +772,31 @@
+ char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
++ int i;
++ int missingok = 0;
+
+ D(("called."));
+ IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR);
+
++ for (i = 0; i < argc; i++)
++ {
++ /* recognize a magic 'missingok' option to any module, which will
++ suppress error logging if the module can't be dlopen()ed.
*/
++ if (!strcmp(argv[i],"missingok")) {
++ missingok = 1;
++ break;
++ }
++ }
++
+ D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'",
+ type, handler_type, mod_path));
+
+ if (handler_type == PAM_HT_MODULE && mod_path != NULL) {
+ if (mod_path[0] == '/') {
+- mod = _pam_load_module(pamh, mod_path);
++ mod = _pam_load_module(pamh, mod_path, missingok);
+ } else if (asprintf(&mod_full_path, "%s%s",
+ DEFAULT_MODULE_PATH, mod_path) >= 0) {
+- mod = _pam_load_module(pamh, mod_full_path);
++ mod = _pam_load_module(pamh, mod_full_path, missingok);
+ _pam_drop(mod_full_path);
+ } else {
+ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
--- pam-1.0.1.orig/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
+++ pam-1.0.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,28 @@
+Revert upstream change that causes unix_chkpwd to assume it's ok to
+attempt authentication for any username as long as we call
+setuid(getuid()) first. This is specifically *not* the case on Debian
+and Ubuntu, where unix_chkpwd is setgid shadow instead of setuid root.
+
+Adding an additional setgid(getgid()) call may be enough to fix this,
+but this needs further examination before pushing out such a change.
+
+Authors: Steve Langasek
+
+Upstream status: Debian-specific, pending the above analysis
+
+Index: pam.deb/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
++++ pam.deb/modules/pam_unix/unix_chkpwd.c
+@@ -101,10 +101,7 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (strcmp(user, argv[1])) {
+- user = argv[1];
+- /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
+- return PAM_AUTH_ERR;
++ return PAM_AUTH_ERR;
+ }
+ }
+
--- pam-1.0.1.orig/debian/patches-applied/031_pam_include
+++ pam-1.0.1/debian/patches-applied/031_pam_include
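Review bot: With `missingok` present, both the `unable to dlopen` and the `adding faulty module` messages in `_pam_load_module` are dropped entirely, so a module that disappears or stops loading on a host where it is expected produces no record at all. Lowering the priority keeps the quiet default while leaving something for an administrator to find, e.g. `pam_syslog(pamh, missingok ? LOG_DEBUG : LOG_ERR, "unable to dlopen(%s): %s", mod_path, _pam_dlerror());`, and likewise for the second message. The scan in `_pam_add_handler` also leaves `missingok` in `argv`, so it presumably reaches the module's own argument parser, which may report it as unknown; worth confirming. Both functions continue outside the hunks.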
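Review bot: The restored `return PAM_AUTH_ERR;` in unix_chkpwd.c rejects a caller-supplied username that differs from the invoking user, but nothing in the visible lines records that it happened. A request to check another account's password through the helper is worth a log entry, so I would emit a notice carrying both names, through whatever syslog helper this file already uses, before returning. The bare truth test would also read better as `if (strcmp(user, argv[1]) != 0) {`. The surrounding function starts and ends outside the hunk.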
@@ -0,0 +1,72 @@ +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz + +Upstream status: not yet submitted + +Index: pam.deb/libpam/pam_handlers.c +=================================================================== +--- pam.deb.orig/libpam/pam_handlers.c ++++ pam.deb/libpam/pam_handlers.c +@@ -117,6 +117,10 @@ + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; ++ } else if (!strcasecmp("@include", tok)) { ++ pam_include = 1; ++ module_type = requested_module_type; ++ goto parsing_done; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); +@@ -186,8 +190,10 @@ + _pam_set_default_control(actions, _PAM_ACTION_BAD); + } + ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { ++ struct stat include_dir; + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, +@@ -198,13 +204,35 @@ + return PAM_ABORT; + } + } +- if (_pam_load_conf_file(pamh, tok, this_service, module_type, +- stack_level + substack ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, ++ module_type, stack_level + substack ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) ++ continue; ++ } ++ else if (!stat(PAM_CONFIG_D, &include_dir) ++ && S_ISDIR(include_dir.st_mode)) ++ { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, ++ module_type, stack_level + substack + #ifdef PAM_READ_BOTH_CONFS + , !other + #endif /* PAM_READ_BOTH_CONFS */ +- ) == PAM_SUCCESS) +- continue; ++ ) == PAM_SUCCESS) ++ { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = NULL; + 
handler_type = PAM_HT_MUST_FAIL; --- pam-1.0.1.orig/debian/patches-applied/dont_freeze_password_chain +++ pam-1.0.1/debian/patches-applied/dont_freeze_password_chain 
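Review bot: After the new `parsing_done:` label in pam_handlers.c, `tok` comes straight from `_pam_StrTok` and is dereferenced by `if (tok[0] == '/')` with no NULL check, so an `@include` line without a file name would presumably crash every application that reads that service file instead of failing the stack. Guard both branches, e.g. `if (tok != NULL && tok[0] == '/') {` and `else if (tok != NULL && !stat(PAM_CONFIG_D, &include_dir)`, so that the existing `_PAM_ACTION_BAD` / `PAM_HT_MUST_FAIL` fallback handles the malformed line. Relative names are also formatted into `PAM_CONFIG_DF` as given; a comment noting that the name is trusted because the configuration is administrator-owned would make that assumption explicit. The enclosing function starts outside the hunks.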
@@ -0,0 +1,117 @@ +Don't freeze the chain for chauthtok. + +bugzilla.novell.com#470337, LP: #303515. + +Author: Thorsten Kukuk + +Upstream status: cherry-picked from upstream. + +=== modified file 'doc/man/pam_sm_chauthtok.3.xml' +--- doc/man/pam_sm_chauthtok.3.xml 2006-06-28 14:22:40 +0000 ++++ doc/man/pam_sm_chauthtok.3.xml 2009-02-18 00:34:47 +0000 +@@ -40,7 +40,7 @@ + interface. + + +- This function is used to (re-)set the authentication token of the user. ++ This function is used to (re-)set the authentication token of the user. + + + Valid flags, which may be logically OR'd with +@@ -60,10 +60,10 @@ + + + This argument indicates to the module that the users +- authentication token (password) should only be changed if +- it has expired. This flag is optional and +- must be combined with one of the +- following two flags. Note, however, the following two options ++ authentication token (password) should only be changed if ++ it has expired. This flag is optional and ++ must be combined with one of the ++ following two flags. Note, however, the following two options + are mutually exclusive. + + +@@ -72,15 +72,20 @@ + PAM_PRELIM_CHECK + + +- This indicates that the modules are being probed as to +- their ready status for altering the user's authentication +- token. If the module requires access to another system over +- some network it should attempt to verify it can connect to +- this system on receiving this flag. If a module cannot establish +- it is ready to update the user's authentication token it should ++ This indicates that the modules are being probed as to ++ their ready status for altering the user's authentication ++ token. If the module requires access to another system over ++ some network it should attempt to verify it can connect to ++ this system on receiving this flag. 
If a module cannot establish ++ it is ready to update the user's authentication token it should + return PAM_TRY_AGAIN, this + information will be passed back to the application. + ++ ++ If the control value sufficient is used in ++ the password stack, the PAM_PRELIM_CHECK section ++ of the modules following that control value is not always executed. ++ + + + +@@ -89,18 +94,18 @@ + + This informs the module that this is the call it should change + the authorization tokens. If the flag is logically OR'd with +- PAM_CHANGE_EXPIRED_AUTHTOK, the ++ PAM_CHANGE_EXPIRED_AUTHTOK, the + token is only changed if it has actually expired. + + + + + +- The PAM library calls this function twice in succession. The first +- time with PAM_PRELIM_CHECK and then, +- if the module does not return ++ The PAM library calls this function twice in succession. The first ++ time with PAM_PRELIM_CHECK and then, ++ if the module does not return + PAM_TRY_AGAIN, subsequently with +- PAM_UPDATE_AUTHTOK. It is only on ++ PAM_UPDATE_AUTHTOK. It is only on + the second call that the authorization token is (possibly) changed. + + + +=== modified file 'libpam/pam_dispatch.c' +--- libpam/pam_dispatch.c 2008-12-03 22:16:33 +0000 ++++ libpam/pam_dispatch.c 2009-02-18 00:34:47 +0000 +@@ -132,11 +132,10 @@ + } + + /* +- * use_cached_chain is how we ensure that the setcred/close_session +- * and chauthtok(2) modules are called in the same order as they did +- * when they were invoked as auth/open_session/chauthtok(1). This +- * feature was added in 0.75 to make the behavior of pam_setcred +- * sane. It was debugged by release 0.76. ++ * use_cached_chain is how we ensure that the setcred and ++ * close_session modules are called in the same order as they did ++ * when they were invoked as auth/open_session. This feature was ++ * added in 0.75 to make the behavior of pam_setcred sane. 
+ */ + if (use_cached_chain != _PAM_PLEASE_FREEZE) { + +@@ -358,9 +357,6 @@ + break; + case PAM_CHAUTHTOK: + h = pamh->handlers.conf.chauthtok; +- if (flags & PAM_UPDATE_AUTHTOK) { +- use_cached_chain = _PAM_MUST_BE_FROZEN; +- } + break; + default: + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); + --- pam-1.0.1.orig/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ pam-1.0.1/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root 
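Review bot: With the `PAM_UPDATE_AUTHTOK` freeze removed from `case PAM_CHAUTHTOK:` in pam_dispatch.c, the consequence is recorded only in the man page hunk; the dispatcher itself gives no hint that the update pass now walks the stack afresh. I would add a comment at that case, e.g. `/* chain not frozen: the UPDATE pass may reach modules whose PRELIM_CHECK was skipped */`, so a later reader does not reinstate the freeze and module authors know not to rely on state from the preliminary pass. The function containing the switch starts and ends outside the hunk.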
@@ -0,0 +1,236 @@ +Allow explicit limits for root. +Also, remove limits on su. +Index: pam.ubuntu/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -45,6 +45,10 @@ + #include + #endif + ++#ifndef MLOCK_LIMIT ++#define MLOCK_LIMIT (64*1024) ++#endif ++ + /* Module defines */ + #define LINE_LENGTH 1024 + +@@ -74,6 +78,7 @@ + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? */ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -228,9 +233,18 @@ + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + ++ pl->root = 0; ++ ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -240,8 +254,56 @@ + } + } else { + pl->limits[i].supported = 1; +- pl->limits[i].src_soft = LIMITS_DEF_NONE; +- pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case 
RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } + } + +@@ -524,7 +586,7 @@ + + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -533,7 +595,7 @@ + if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -547,7 +609,7 @@ + process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, + pl); + } +- } else if (strcmp(domain, "*") == 0) ++ } else if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ +@@ -582,6 +644,12 @@ + int status; + int retval = LIMITED_OK; + ++ if (uid == 0) { ++ /* do not impose +ve priority limits on the superuser */ ++ if (pl->priority > 0) ++ pl->priority = 0; ++ } ++ + for (i=0, status=LIMITED_OK; ilimits[i].supported) { + /* skip it if its not known to the system */ +@@ -675,6 +743,8 @@ + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl->root = 1; + retval = 
parse_config_file(pamh, pwd->pw_name, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable ' -' entry", CONF_FILE)); +Index: pam.deb/modules/pam_limits/limits.conf +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf ++++ pam.deb/modules/pam_limits/limits.conf +@@ -11,6 +11,9 @@ + # - the wildcard *, for default entry + # - the wildcard %, can be also used with %group syntax, + # for maxlogin limit ++# - NOTE: group and wildcard limits are not applied to root. ++# To apply a limit to the root user, must be ++# the literal username root. + # + # can have the two values: + # - "soft" for enforcing the soft limits +@@ -41,6 +44,7 @@ + # + + #* soft core 0 ++#root hard core 100000 + #* hard rss 10000 + #@student hard nproc 20 + #@faculty soft nproc 20 +Index: pam.deb/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.deb/modules/pam_limits/limits.conf.5.xml +@@ -57,6 +57,11 @@ + + + ++ ++ NOTE: group and wildcard limits are not ++ applied to the root user. To set a limit for the root user, this field ++ must contain the literal username root. 
++ + + + +@@ -266,6 +271,7 @@ + + + * soft core 0 ++root hard core 100000 + * hard rss 10000 + @student hard nproc 20 + @faculty soft nproc 20 +Index: pam.deb/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf.5 ++++ pam.deb/modules/pam_limits/limits.conf.5 +@@ -1,11 +1,11 @@ + .\" Title: limits.conf + .\" Author: + .\" Generator: DocBook XSL Stylesheets v1.73.2 +-.\" Date: 07/27/2008 ++.\" Date: 11/09/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "LIMITS\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "LIMITS\&.CONF" "5" "11/09/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -48,6 +48,11 @@ + \fI%group\fR + syntax\&. + .RE ++.IP "" 4 ++ ++\fBNOTE:\fR ++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username ++\fBroot\fR\&. + .RE + .PP + \fB\fR +@@ -204,6 +209,7 @@ + .RS 4 + .nf + * soft core 0 ++root hard core 100000 + * hard rss 10000 + @student hard nproc 20 + @faculty soft nproc 20 --- pam-1.0.1.orig/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch +++ pam-1.0.1/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch 
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ * ...and shadow password file entry for this user,
+ * if shadowing is enabled
+ */
++ *spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
--- pam-1.0.1.orig/debian/patches-applied/update-motd
+++ pam-1.0.1/debian/patches-applied/update-motd
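Review bot: Moving `pam_modutil_getspnam()` ahead of the `geteuid() || SELINUX_ENABLED` test means every caller now attempts a direct shadow lookup first, including non-root callers without shadow access and all callers on SELinux systems, where the old code went straight to the helper. On SELinux hosts this will probably produce denial records for the calling domain before the fallback to `PAM_UNIX_RUN_HELPER`, and any domain that policy does allow to read shadow now bypasses the helper; the header's "(and debated...)" hints at this but the code does not say it. A comment above the lookup would make the trade-off visible, e.g. `/* try direct access first so sgid-shadow callers work; fall back to the helper only if that fails */`. The enclosing function starts and ends outside the hunk.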
@@ -0,0 +1,98 @@ +Patch for Ubuntu bug #399071 + +Provide a more dynamic MOTD, based on the short-lived update-motd project. + +Authors: Dustin Kirkland + +Upstream status: not yet submitted + +Index: pam-1.0.1/modules/pam_motd/pam_motd.c +=================================================================== +--- pam-1.0.1.orig/modules/pam_motd/pam_motd.c ++++ pam-1.0.1/modules/pam_motd/pam_motd.c +@@ -48,14 +48,38 @@ + + static char default_motd[] = DEFAULT_MOTD; + ++static void display_file(pam_handle_t *pamh, const char *motd_path) ++{ ++ int fd; ++ char *mtmp = NULL; ++ while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) { ++ struct stat st; ++ /* fill in message buffer with contents of motd */ ++ if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000) ++ break; ++ if (!(mtmp = malloc(st.st_size+1))) ++ break; ++ if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size) ++ break; ++ if (mtmp[st.st_size-1] == '\n') ++ mtmp[st.st_size-1] = '\0'; ++ else ++ mtmp[st.st_size] = '\0'; ++ pam_info (pamh, "%s", mtmp); ++ break; ++ } ++ _pam_drop (mtmp); ++ if (fd >= 0) ++ close(fd); ++} ++ + PAM_EXTERN + int pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { + int retval = PAM_IGNORE; +- int fd; + const char *motd_path = NULL; +- char *mtmp = NULL; ++ struct stat st; + + if (flags & PAM_SILENT) { + return retval; +@@ -80,34 +104,19 @@ + if (motd_path == NULL) + motd_path = default_motd; + +- while ((fd = open(motd_path, O_RDONLY, 0)) >= 0) { +- struct stat st; +- +- /* fill in message buffer with contents of motd */ +- if ((fstat(fd, &st) < 0) || !st.st_size || st.st_size > 0x10000) +- break; +- +- if (!(mtmp = malloc(st.st_size+1))) +- break; +- +- if (pam_modutil_read(fd, mtmp, st.st_size) != st.st_size) +- break; +- +- if (mtmp[st.st_size-1] == '\n') +- mtmp[st.st_size-1] = '\0'; +- else +- mtmp[st.st_size] = '\0'; +- +- pam_info (pamh, "%s", mtmp); +- break; ++ /* Run the update-motd dynamic motd scripts, outputting to 
/var/run/motd. ++ If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic. ++ Otherwise, the admin can force a static MOTD by breaking that symlink ++ and publishing into an /etc/motd text file. */ ++ if ((stat("/etc/update-motd.d", &st) == 0) && S_ISDIR(st.st_mode)) { ++ if (!system("run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new")) ++ rename("/var/run/motd.new", "/var/run/motd"); + } + +- _pam_drop (mtmp); +- +- if (fd >= 0) +- close(fd); ++ /* Display the updated motd */ ++ display_file(pamh, motd_path); + +- return retval; ++ return retval; + } + + --- pam-1.0.1.orig/debian/patches-applied/pam.d-manpage-section +++ pam-1.0.1/debian/patches-applied/pam.d-manpage-section 
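Review bot: The `system("run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new")` call in `pam_sm_open_session` runs `/bin/sh` with whatever environment and umask the PAM application has, and resolves `run-parts` through its `PATH`; for setuid callers that environment comes from the invoking user. The scripts should get a fixed environment and umask: `mode_t old = umask(0022);` before the call, `umask(old);` after it, and the command changed to `/usr/bin/env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new`. Two concurrent session opens also write the same `/var/run/motd.new`, and the result of `rename()` is ignored, so a failed or interleaved update goes unnoticed; a `pam_syslog` message on failure would make it visible. The body of `pam_sm_open_session` continues outside the hunk.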
@@ -0,0 +1,997 @@ +Patch for Debian bug #470137 + +pam.d is a directory, so it's in section 5, not in section 8. Update +the manpage references. + +Authors: Steve Langasek + +Upstream status: committed to CVS + +Index: pam.deb/modules/pam_access/pam_access.8 +=================================================================== +--- pam.deb.orig/modules/pam_access/pam_access.8 ++++ pam.deb/modules/pam_access/pam_access.8 +@@ -105,7 +105,7 @@ + .PP + + \fBaccess.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7)\&. + .SH "AUTHORS" + .PP +Index: pam.deb/modules/pam_access/pam_access.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_access/pam_access.8.xml ++++ pam.deb/modules/pam_access/pam_access.8.xml +@@ -231,7 +231,7 @@ + access.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_cracklib/pam_cracklib.8 +=================================================================== +--- pam.deb.orig/modules/pam_cracklib/pam_cracklib.8 ++++ pam.deb/modules/pam_cracklib/pam_cracklib.8 +@@ -302,7 +302,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_cracklib/pam_cracklib.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_cracklib/pam_cracklib.8.xml ++++ pam.deb/modules/pam_cracklib/pam_cracklib.8.xml +@@ -495,7 +495,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_debug/pam_debug.8 +=================================================================== +--- pam.deb.orig/modules/pam_debug/pam_debug.8 ++++ pam.deb/modules/pam_debug/pam_debug.8 +@@ -119,7 +119,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_debug/pam_debug.8.xml +=================================================================== +--- 
pam.deb.orig/modules/pam_debug/pam_debug.8.xml ++++ pam.deb/modules/pam_debug/pam_debug.8.xml +@@ -213,7 +213,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_deny/pam_deny.8 +=================================================================== +--- pam.deb.orig/modules/pam_deny/pam_deny.8 ++++ pam.deb/modules/pam_deny/pam_deny.8 +@@ -75,7 +75,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_deny/pam_deny.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_deny/pam_deny.8.xml ++++ pam.deb/modules/pam_deny/pam_deny.8.xml +@@ -117,7 +117,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_echo/pam_echo.8 +=================================================================== +--- pam.deb.orig/modules/pam_echo/pam_echo.8 ++++ pam.deb/modules/pam_echo/pam_echo.8 +@@ -101,7 +101,7 @@ + .PP + + \fBpam.conf\fR(8), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_echo/pam_echo.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_echo/pam_echo.8.xml ++++ pam.deb/modules/pam_echo/pam_echo.8.xml +@@ -154,7 +154,7 @@ + pam.conf8 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_env/pam_env.8 +=================================================================== +--- pam.deb.orig/modules/pam_env/pam_env.8 ++++ pam.deb/modules/pam_env/pam_env.8 +@@ -102,7 +102,7 @@ + .PP + + \fBpam_env.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7)\&. 
+ .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_env/pam_env.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_env/pam_env.8.xml ++++ pam.deb/modules/pam_env/pam_env.8.xml +@@ -189,7 +189,7 @@ + pam_env.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.deb.orig/modules/pam_exec/pam_exec.8 ++++ pam.deb/modules/pam_exec/pam_exec.8 +@@ -109,7 +109,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_exec/pam_exec.8.xml ++++ pam.deb/modules/pam_exec/pam_exec.8.xml +@@ -199,7 +199,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_faildelay/pam_faildelay.8 +=================================================================== +--- pam.deb.orig/modules/pam_faildelay/pam_faildelay.8 ++++ pam.deb/modules/pam_faildelay/pam_faildelay.8 +@@ -66,7 +66,7 @@ + + \fBpam_fail_delay\fR(3), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_faildelay/pam_faildelay.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_faildelay/pam_faildelay.8.xml ++++ pam.deb/modules/pam_faildelay/pam_faildelay.8.xml +@@ -118,7 +118,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_filter/pam_filter.8 +=================================================================== +--- pam.deb.orig/modules/pam_filter/pam_filter.8 ++++ pam.deb/modules/pam_filter/pam_filter.8 +@@ -147,7 +147,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_filter/pam_filter.8.xml 
+=================================================================== +--- pam.deb.orig/modules/pam_filter/pam_filter.8.xml ++++ pam.deb/modules/pam_filter/pam_filter.8.xml +@@ -243,7 +243,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_ftp/pam_ftp.8 +=================================================================== +--- pam.deb.orig/modules/pam_ftp/pam_ftp.8 ++++ pam.deb/modules/pam_ftp/pam_ftp.8 +@@ -98,7 +98,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_ftp/pam_ftp.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_ftp/pam_ftp.8.xml ++++ pam.deb/modules/pam_ftp/pam_ftp.8.xml +@@ -165,7 +165,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_group/pam_group.8 +=================================================================== +--- pam.deb.orig/modules/pam_group/pam_group.8 ++++ pam.deb/modules/pam_group/pam_group.8 +@@ -87,7 +87,7 @@ + .PP + + \fBgroup.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7)\&. 
+ .SH "AUTHORS" + .PP +Index: pam.deb/modules/pam_group/pam_group.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_group/pam_group.8.xml ++++ pam.deb/modules/pam_group/pam_group.8.xml +@@ -145,7 +145,7 @@ + group.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_issue/pam_issue.8 +=================================================================== +--- pam.deb.orig/modules/pam_issue/pam_issue.8 ++++ pam.deb/modules/pam_issue/pam_issue.8 +@@ -131,7 +131,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_issue/pam_issue.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_issue/pam_issue.8.xml ++++ pam.deb/modules/pam_issue/pam_issue.8.xml +@@ -216,7 +216,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_keyinit/pam_keyinit.8 +=================================================================== +--- pam.deb.orig/modules/pam_keyinit/pam_keyinit.8 ++++ pam.deb/modules/pam_keyinit/pam_keyinit.8 +@@ -110,7 +110,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + \fBkeyctl\fR(1) + .SH "AUTHOR" +Index: pam.deb/modules/pam_keyinit/pam_keyinit.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_keyinit/pam_keyinit.8.xml ++++ pam.deb/modules/pam_keyinit/pam_keyinit.8.xml +@@ -220,7 +220,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_lastlog/pam_lastlog.8 +=================================================================== +--- pam.deb.orig/modules/pam_lastlog/pam_lastlog.8 ++++ pam.deb/modules/pam_lastlog/pam_lastlog.8 +@@ -106,7 +106,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_lastlog/pam_lastlog.8.xml 
+=================================================================== +--- pam.deb.orig/modules/pam_lastlog/pam_lastlog.8.xml ++++ pam.deb/modules/pam_lastlog/pam_lastlog.8.xml +@@ -213,7 +213,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_limits/pam_limits.8 +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.8 ++++ pam.deb/modules/pam_limits/pam_limits.8 +@@ -125,7 +125,7 @@ + .PP + + \fBlimits.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7)\&. + .SH "AUTHORS" + .PP +Index: pam.deb/modules/pam_limits/pam_limits.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.8.xml ++++ pam.deb/modules/pam_limits/pam_limits.8.xml +@@ -239,7 +239,7 @@ + limits.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_listfile/pam_listfile.8 +=================================================================== +--- pam.deb.orig/modules/pam_listfile/pam_listfile.8 ++++ pam.deb/modules/pam_listfile/pam_listfile.8 +@@ -182,7 +182,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_listfile/pam_listfile.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_listfile/pam_listfile.8.xml ++++ pam.deb/modules/pam_listfile/pam_listfile.8.xml +@@ -278,7 +278,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_localuser/pam_localuser.8 +=================================================================== +--- pam.deb.orig/modules/pam_localuser/pam_localuser.8 ++++ pam.deb/modules/pam_localuser/pam_localuser.8 +@@ -81,7 +81,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_localuser/pam_localuser.8.xml 
+=================================================================== +--- pam.deb.orig/modules/pam_localuser/pam_localuser.8.xml ++++ pam.deb/modules/pam_localuser/pam_localuser.8.xml +@@ -155,7 +155,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_loginuid/pam_loginuid.8 +=================================================================== +--- pam.deb.orig/modules/pam_loginuid/pam_loginuid.8 ++++ pam.deb/modules/pam_loginuid/pam_loginuid.8 +@@ -54,7 +54,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7), + \fBauditctl\fR(8), + \fBauditd\fR(8) +Index: pam.deb/modules/pam_loginuid/pam_loginuid.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_loginuid/pam_loginuid.8.xml ++++ pam.deb/modules/pam_loginuid/pam_loginuid.8.xml +@@ -101,7 +101,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_mail/pam_mail.8 +=================================================================== +--- pam.deb.orig/modules/pam_mail/pam_mail.8 ++++ pam.deb/modules/pam_mail/pam_mail.8 +@@ -132,7 +132,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_mail/pam_mail.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_mail/pam_mail.8.xml ++++ pam.deb/modules/pam_mail/pam_mail.8.xml +@@ -261,7 +261,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8 +=================================================================== +--- pam.deb.orig/modules/pam_mkhomedir/pam_mkhomedir.8 ++++ pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8 +@@ -102,7 +102,7 @@ + .SH "SEE ALSO" + .PP + +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7)\&. 
+ .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml ++++ pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8.xml +@@ -186,7 +186,7 @@ + SEE ALSO + + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_motd/pam_motd.8 +=================================================================== +--- pam.deb.orig/modules/pam_motd/pam_motd.8 ++++ pam.deb/modules/pam_motd/pam_motd.8 +@@ -57,7 +57,7 @@ + + \fBmotd\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_motd/pam_motd.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_motd/pam_motd.8.xml ++++ pam.deb/modules/pam_motd/pam_motd.8.xml +@@ -96,7 +96,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_namespace/pam_namespace.8 +=================================================================== +--- pam.deb.orig/modules/pam_namespace/pam_namespace.8 ++++ pam.deb/modules/pam_namespace/pam_namespace.8 +@@ -149,7 +149,7 @@ + .PP + + \fBnamespace.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBmount\fR(8), + \fBpam\fR(7)\&. 
+ .SH "AUTHORS" +Index: pam.deb/modules/pam_namespace/pam_namespace.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_namespace/pam_namespace.8.xml ++++ pam.deb/modules/pam_namespace/pam_namespace.8.xml +@@ -365,7 +365,7 @@ + namespace.conf5 + , + +- pam.d8 ++ pam.d5 + , + + mount8 +Index: pam.deb/modules/pam_nologin/pam_nologin.8 +=================================================================== +--- pam.deb.orig/modules/pam_nologin/pam_nologin.8 ++++ pam.deb/modules/pam_nologin/pam_nologin.8 +@@ -103,7 +103,7 @@ + + \fBnologin\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_nologin/pam_nologin.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_nologin/pam_nologin.8.xml ++++ pam.deb/modules/pam_nologin/pam_nologin.8.xml +@@ -156,7 +156,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_permit/pam_permit.8 +=================================================================== +--- pam.deb.orig/modules/pam_permit/pam_permit.8 ++++ pam.deb/modules/pam_permit/pam_permit.8 +@@ -57,7 +57,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_permit/pam_permit.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_permit/pam_permit.8.xml ++++ pam.deb/modules/pam_permit/pam_permit.8.xml +@@ -87,7 +87,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_rhosts/pam_rhosts.8 +=================================================================== +--- pam.deb.orig/modules/pam_rhosts/pam_rhosts.8 ++++ pam.deb/modules/pam_rhosts/pam_rhosts.8 +@@ -101,7 +101,7 @@ + \fBhosts.equiv\fR(5), + \fBrhosts\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: 
pam.deb/modules/pam_rhosts/pam_rhosts.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_rhosts/pam_rhosts.8.xml ++++ pam.deb/modules/pam_rhosts/pam_rhosts.8.xml +@@ -153,7 +153,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_rootok/pam_rootok.8 +=================================================================== +--- pam.deb.orig/modules/pam_rootok/pam_rootok.8 ++++ pam.deb/modules/pam_rootok/pam_rootok.8 +@@ -76,7 +76,7 @@ + + \fBsu\fR(1), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_rootok/pam_rootok.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_rootok/pam_rootok.8.xml ++++ pam.deb/modules/pam_rootok/pam_rootok.8.xml +@@ -112,7 +112,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_securetty/pam_securetty.8 +=================================================================== +--- pam.deb.orig/modules/pam_securetty/pam_securetty.8 ++++ pam.deb/modules/pam_securetty/pam_securetty.8 +@@ -90,7 +90,7 @@ + + \fBsecuretty\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_securetty/pam_securetty.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_securetty/pam_securetty.8.xml ++++ pam.deb/modules/pam_securetty/pam_securetty.8.xml +@@ -149,7 +149,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_selinux/pam_selinux.8 +=================================================================== +--- pam.deb.orig/modules/pam_selinux/pam_selinux.8 ++++ pam.deb/modules/pam_selinux/pam_selinux.8 +@@ -94,7 +94,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_selinux/pam_selinux.8.xml 
+=================================================================== +--- pam.deb.orig/modules/pam_selinux/pam_selinux.8.xml ++++ pam.deb/modules/pam_selinux/pam_selinux.8.xml +@@ -202,7 +202,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_sepermit/pam_sepermit.8 +=================================================================== +--- pam.deb.orig/modules/pam_sepermit/pam_sepermit.8 ++++ pam.deb/modules/pam_sepermit/pam_sepermit.8 +@@ -103,7 +103,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_sepermit/pam_sepermit.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_sepermit/pam_sepermit.8.xml ++++ pam.deb/modules/pam_sepermit/pam_sepermit.8.xml +@@ -171,7 +171,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_shells/pam_shells.8 +=================================================================== +--- pam.deb.orig/modules/pam_shells/pam_shells.8 ++++ pam.deb/modules/pam_shells/pam_shells.8 +@@ -66,7 +66,7 @@ + + \fBshells\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_shells/pam_shells.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_shells/pam_shells.8.xml ++++ pam.deb/modules/pam_shells/pam_shells.8.xml +@@ -99,7 +99,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_tally/pam_tally.8 +=================================================================== +--- pam.deb.orig/modules/pam_tally/pam_tally.8 ++++ pam.deb/modules/pam_tally/pam_tally.8 +@@ -214,7 +214,7 @@ + + \fBfaillog\fR(8), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_tally/pam_tally.8.xml 
+=================================================================== +--- pam.deb.orig/modules/pam_tally/pam_tally.8.xml ++++ pam.deb/modules/pam_tally/pam_tally.8.xml +@@ -409,7 +409,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_time/pam_time.8 +=================================================================== +--- pam.deb.orig/modules/pam_time/pam_time.8 ++++ pam.deb/modules/pam_time/pam_time.8 +@@ -88,7 +88,7 @@ + .PP + + \fBtime.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7)\&. + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_time/pam_time.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_time/pam_time.8.xml ++++ pam.deb/modules/pam_time/pam_time.8.xml +@@ -166,7 +166,7 @@ + time.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_umask/pam_umask.8 +=================================================================== +--- pam.deb.orig/modules/pam_umask/pam_umask.8 ++++ pam.deb/modules/pam_umask/pam_umask.8 +@@ -109,7 +109,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_umask/pam_umask.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_umask/pam_umask.8.xml ++++ pam.deb/modules/pam_umask/pam_umask.8.xml +@@ -202,7 +202,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8 ++++ pam.deb/modules/pam_unix/pam_unix.8 +@@ -227,7 +227,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8.xml ++++ 
pam.deb/modules/pam_unix/pam_unix.8.xml +@@ -462,7 +462,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_userdb/pam_userdb.8 +=================================================================== +--- pam.deb.orig/modules/pam_userdb/pam_userdb.8 ++++ pam.deb/modules/pam_userdb/pam_userdb.8 +@@ -129,7 +129,7 @@ + + \fBcrypt\fR(3), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_userdb/pam_userdb.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_userdb/pam_userdb.8.xml ++++ pam.deb/modules/pam_userdb/pam_userdb.8.xml +@@ -274,7 +274,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_warn/pam_warn.8 +=================================================================== +--- pam.deb.orig/modules/pam_warn/pam_warn.8 ++++ pam.deb/modules/pam_warn/pam_warn.8 +@@ -62,7 +62,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_warn/pam_warn.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_warn/pam_warn.8.xml ++++ pam.deb/modules/pam_warn/pam_warn.8.xml +@@ -86,7 +86,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: pam.deb/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.8 ++++ pam.deb/modules/pam_wheel/pam_wheel.8 +@@ -115,7 +115,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam.deb/modules/pam_wheel/pam_wheel.8.xml +@@ -209,7 +209,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 +Index: 
pam.deb/modules/pam_xauth/pam_xauth.8 +=================================================================== +--- pam.deb.orig/modules/pam_xauth/pam_xauth.8 ++++ pam.deb/modules/pam_xauth/pam_xauth.8 +@@ -156,7 +156,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(7) + .SH "AUTHOR" + .PP +Index: pam.deb/modules/pam_xauth/pam_xauth.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_xauth/pam_xauth.8.xml ++++ pam.deb/modules/pam_xauth/pam_xauth.8.xml +@@ -273,7 +273,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam7 --- pam-1.0.1.orig/debian/patches-applied/045_pam_dispatch_jump_is_ignore +++ pam-1.0.1/debian/patches-applied/045_pam_dispatch_jump_is_ignore @@ -0,0 +1,31 @@ + +Previously jumps were treated as PAM_IGNORE in the freezing part of +the chain and PAM_OK (aka required) in the frozen part of the chain. +No one on pam-list was able to explain this behavior, so I changed it +to be consistent. + +Index: pam.deb/libpam/pam_dispatch.c +=================================================================== +--- pam.deb.orig/libpam/pam_dispatch.c ++++ pam.deb/libpam/pam_dispatch.c +@@ -251,19 +251,7 @@ + if ( _PAM_ACTION_IS_JUMP(action) ) { + + /* If we are evaluating a cached chain, we treat this +- module as required (aka _PAM_ACTION_OK) as well as +- executing the jump. */ +- +- if (use_cached_chain) { +- if (impression == _PAM_UNDEF +- || (impression == _PAM_POSITIVE +- && status == PAM_SUCCESS) ) { +- if ( retval != PAM_IGNORE || cached_retval == retval ) { +- impression = _PAM_POSITIVE; +- status = retval; +- } +- } +- } ++ module as ignored as well as executing the jump. */ + + /* this means that we need to skip #action stacked modules */ + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { --- pam-1.0.1.orig/debian/patches-applied/008_modules_pam_limits_chroot +++ pam-1.0.1/debian/patches-applied/008_modules_pam_limits_chroot 
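Review bot: The comment kept above the jump handling in 045_pam_dispatch_jump_is_ignore still begins "If we are evaluating a cached chain", but with the `if (use_cached_chain)` block removed nothing beneath it depends on the cached chain any more, so the comment describes a distinction the code no longer makes. I would reword it to `/* A jump never contributes to impression or status in either pass (it is treated like PAM_IGNORE); only the skip below is performed. */`. Since this changes which modules decide the result of a frozen chain, the patch header should name the stack shapes whose outcome changes, and a regression test for a stack whose only succeeding module carries a jump action would pin the new behaviour. The enclosing function starts and ends outside the hunk.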
@@ -0,0 +1,265 @@ +Index: pam.deb/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -79,6 +79,7 @@ + int flag_numsyslogins; /* whether to limit logins only for a + specific user or to count all logins */ + int priority; /* the priority to run user process with */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + const char *conf_file; + int utmp_after_pam_call; +@@ -89,6 +90,7 @@ + #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 + + #define LIMIT_PRI RLIM_NLIMITS+3 ++#define LIMIT_CHROOT RLIM_NLIMITS+4 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -250,6 +252,8 @@ + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -320,6 +324,8 @@ + pl->flag_numsyslogins = 1; + } else if (strcmp(lim_item, "priority") == 0) { + limit_item = LIMIT_PRI; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -357,9 +363,9 @@ + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -420,7 +426,9 @@ + break; + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) ++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)); ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) ) { + if (limit_type & LIMIT_SOFT) { +@@ -615,6 +623,13 @@ + retval |= LOGIN_ERR; + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); ++ if (i == 0) ++ i = chroot(pl->chroot_dir); ++ if (i != 0) ++ 
retval = LIMIT_ERR; ++ } + return retval; + } + +Index: pam.deb/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.deb/modules/pam_limits/limits.conf.5.xml +@@ -224,6 +224,12 @@ + (Linux 2.6.12 and higher) + + ++ ++ ++ ++ the directory to chroot the user to ++ ++ + + + +Index: pam.deb/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf.5 ++++ pam.deb/modules/pam_limits/limits.conf.5 +@@ -1,17 +1,17 @@ + .\" Title: limits.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "LIMITS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "LIMITS\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-limits.conf - configuration file for the pam_limits module ++limits.conf \- configuration file for the pam_limits module + .SH "DESCRIPTION" + .PP + The syntax of the lines is as follows: +@@ -34,19 +34,19 @@ + .RS 4 + \h'-04'\(bu\h'+03'a groupname, with + \fB@group\fR +-syntax\. This should not be confused with netgroups\. ++syntax\&. This should not be confused with netgroups\&. + .RE + .sp + .RS 4 + \h'-04'\(bu\h'+03'the wildcard +-\fB*\fR, for default entry\. ++\fB*\fR, for default entry\&. + .RE + .sp + .RS 4 + \h'-04'\(bu\h'+03'the wildcard + \fB%\fR, for maxlogins limit only, can also be used with + \fI%group\fR +-syntax\. ++syntax\&. + .RE + .RE + .PP +@@ -57,18 +57,18 @@ + .RS 4 + for enforcing + \fBhard\fR +-resource limits\. These limits are set by the superuser and enforced by the Kernel\. 
The user cannot raise his requirement of system resources above such values\. ++resource limits\&. These limits are set by the superuser and enforced by the Kernel\&. The user cannot raise his requirement of system resources above such values\&. + .RE + .PP + \fBsoft\fR + .RS 4 + for enforcing + \fBsoft\fR +-resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-existing ++resource limits\&. These limits are ones that the user can move up or down within the permitted range by any pre\-existing + \fBhard\fR +-limits\. The values specified with this token can be thought of as ++limits\&. The values specified with this token can be thought of as + \fIdefault\fR +-values, for normal system usage\. ++values, for normal system usage\&. + .RE + .PP + \fB\-\fR +@@ -77,9 +77,9 @@ + \fBsoft\fR + and + \fBhard\fR +-resource limits together\. ++resource limits together\&. + .sp +-Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \. ++Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\&. \&. 
+ .RE + .RE + .PP +@@ -154,47 +154,52 @@ + .PP + \fBlocks\fR + .RS 4 +-maximum locked files (Linux 2\.4 and higher) ++maximum locked files (Linux 2\&.4 and higher) + .RE + .PP + \fBsigpending\fR + .RS 4 +-maximum number of pending signals (Linux 2\.6 and higher) ++maximum number of pending signals (Linux 2\&.6 and higher) + .RE + .PP + \fBmsqqueue\fR + .RS 4 +-maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher) ++maximum memory used by POSIX message queues (bytes) (Linux 2\&.6 and higher) + .RE + .PP + \fBnice\fR + .RS 4 +-maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher) values: [\-20,19] ++maximum nice priority allowed to raise to (Linux 2\&.6\&.12 and higher) values: [\-20,19] + .RE + .PP + \fBrtprio\fR + .RS 4 +-maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher) ++maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) ++.RE ++.PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to + .RE + .RE + .PP + In general, individual limits have priority over group limits, so if you impose no limits for + \fIadmin\fR +-group, but one of the members in this group have a limits line, the user will have its limits set according to this line\. ++group, but one of the members in this group have a limits line, the user will have its limits set according to this line\&. + .PP + Also, please note that all limit settings are set +-\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\. ++\fIper login\fR\&. They are not global, nor are they permanent; existing only for the duration of the session\&. + .PP + In the + \fIlimits\fR +-configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\. ++configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\&. 
+ .PP + The pam_limits module does its best to report configuration problems found in its configuration file via +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .SH "EXAMPLES" + .PP + These are some example lines which might be specified in +-\fI/etc/security/limits\.conf\fR\. ++\fI/etc/security/limits\&.conf\fR\&. + .sp + .RS 4 + .nf +@@ -216,4 +221,4 @@ + \fBpam\fR(8) + .SH "AUTHOR" + .PP +-pam_limits was initially written by Cristian Gafton ++pam_limits was initially written by Cristian Gafton +Index: pam.deb/modules/pam_limits/limits.conf +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf ++++ pam.deb/modules/pam_limits/limits.conf +@@ -35,6 +35,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to values: [-20, 19] + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + # + # +@@ -45,6 +46,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file --- pam-1.0.1.orig/debian/patches-applied/hurd_no_setfsuid +++ pam-1.0.1/debian/patches-applied/hurd_no_setfsuid 
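Review bot: In 008_modules_pam_limits_chroot, `strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir))` leaves `chroot_dir` without a terminating NUL when the configured path is 8092 bytes or longer, and the later `chdir(pl->chroot_dir)` / `chroot(pl->chroot_dir)` then read past the end of the array. A silently truncated path is also the wrong directory to confine a user to, so I would reject an over-long value rather than copy it: test `strlen(value_orig) >= sizeof(pl->chroot_dir)` before the copy, log it with `pam_syslog(pamh, LOG_ERR, "chroot path too long, entry ignored")`, and skip the entry. The failure path after chdir/chroot sets `retval = LIMIT_ERR` without recording which call failed; a `pam_syslog(pamh, LOG_ERR, ...)` with `%m` there would tell an administrator why the login was refused. The functions touched here start and end outside the hunks.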
@@ -0,0 +1,110 @@ +On systems without setfsuid(), use setreuid() instead. + +Authors: Steve Langasek + +Upstream status: superseded by pam_modutil_set_euid proposal + +Index: Linux-PAM/modules/pam_xauth/pam_xauth.c +=================================================================== +--- Linux-PAM/modules/pam_xauth/pam_xauth.c.orig ++++ Linux-PAM/modules/pam_xauth/pam_xauth.c +@@ -35,7 +35,9 @@ + + #include "config.h" + #include ++#ifdef HAVE_SYS_FSUID_H + #include ++#endif /* HAVE_SYS_FSUID_H */ + #include + #include + #include +@@ -210,6 +212,9 @@ + FILE *fp; + int i; + uid_t euid; ++#ifndef HAVE_SYS_FSUID_H ++ uid_t uid; ++#endif + /* Check this user's file. */ + pwd = pam_modutil_getpwnam(pamh, this_user); + if (pwd == NULL) { +@@ -226,9 +231,34 @@ + return PAM_SESSION_ERR; + } + euid = geteuid(); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(pwd->pw_uid); ++#else ++ uid = getuid(); ++ if (uid == pwd->pw_uid) ++ setreuid(euid, uid); ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid) == -1) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, pwd->pw_uid)) ++ return PAM_CRED_INSUFFICIENT; ++ } ++ } ++#endif + fp = fopen(path, "r"); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(euid); ++#else ++ if (uid == pwd->pw_uid) ++ setreuid(uid, euid); ++ else { ++ if (setreuid(-1, 0) != -1) ++ setreuid(uid, -1); ++ setreuid(-1, euid); ++ } ++#endif + if (fp != NULL) { + char buf[LINE_MAX], *tmp; + /* Scan the file for a list of specs of users to "trust". */ +@@ -297,6 +327,9 @@ + int fd, i, debug = 0; + int retval = PAM_SUCCESS; + uid_t systemuser = 499, targetuser = 0, euid; ++#ifndef HAVE_SYS_FSUID_H ++ uid_t uid; ++#endif + + /* Parse arguments. We don't understand many, so no sense in breaking + * this into a separate function. */ +@@ -541,9 +574,34 @@ + + /* Generate a new file to hold the data. 
*/ + euid = geteuid(); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(tpwd->pw_uid); ++#else ++ uid = getuid(); ++ if (uid == tpwd->pw_uid) ++ setreuid(euid, uid); ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid) == -1) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, tpwd->pw_uid)) ++ return PAM_CRED_INSUFFICIENT; ++ } ++ } ++#endif + fd = mkstemp(xauthority + strlen(XAUTHENV) + 1); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(euid); ++#else ++ if (uid == tpwd->pw_uid) ++ setreuid(uid, euid); ++ else { ++ if (setreuid(-1, 0) == -1) ++ setreuid(uid, -1); ++ setreuid(-1, euid); ++ } ++#endif + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, + "error creating temporary file `%s': %m", --- pam-1.0.1.orig/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL +++ pam-1.0.1/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL 
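Review bot: The two privilege-restore blocks in hurd_no_setfsuid disagree: after `fopen(path, "r")` the code reads `if (setreuid(-1, 0) != -1) setreuid(uid, -1);`, while after `mkstemp(...)` it reads `if (setreuid(-1, 0) == -1) setreuid(uid, -1);`, so one of them restores the real uid only when regaining euid 0 failed. Assuming the first form is the intended one, the second should be `if (setreuid(-1, 0) != -1)`. Most of the other `setreuid()` calls in both the switch and restore sequences ignore their return value; a failed restore leaves the process with the wrong identity for the rest of the PAM stack, so each restore call should be checked and turned into a logged error return. The early `return PAM_CRED_INSUFFICIENT` also exits after the preceding calls have already changed the ids, without putting them back. Both functions start and end outside the hunks.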
@@ -0,0 +1,33 @@ +setrlimit will sometimes return EPERM for example if youp try to +increase the number of open files too much. This is not something we +want to consider fatal. This also happens if you use non-root and +try to decrease a limit. Running PAM as non-root is not so great. + +Authors: ? + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: pam.deb/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.c ++++ pam.deb/modules/pam_limits/pam_limits.c +@@ -626,6 +626,7 @@ + } + + for (i=0, status=LIMITED_OK; ilimits[i].supported) { + /* skip it if its not known to the system */ + continue; +@@ -637,7 +638,10 @@ + } + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; +- status |= setrlimit(i, &pl->limits[i].limit); ++ retval = setrlimit(i, &pl->limits[i].limit); ++ if (retval == -1 && errno==EPERM) ++ continue; ++ status |= retval; + } + + if (status) { --- pam-1.0.1.orig/debian/patches-applied/do_not_check_nis_accidentally +++ pam-1.0.1/debian/patches-applied/do_not_check_nis_accidentally 
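Review bot: The added `if (retval == -1 && errno==EPERM) continue;` skips `status |= retval` for every resource in the loop, so any limit the kernel refuses to apply is dropped and the session opens with the previous value still in force. The header motivates this with the open-files case, but the exemption is not restricted to it, and limits an administrator configured to restrict a user are covered as well. I would either narrow the condition to the resources where a refused raise is expected, or log the refusal where an operator will see it, e.g. `pam_syslog(pamh, LOG_WARNING, "setrlimit for limit #%d refused (EPERM), limit not applied", i);` before the `continue`. The loop body is only partly visible in this hunk.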
@@ -0,0 +1,22 @@
+Patch for Debian bug #469635
+
+Always call _unix_getpwnam() consistent with the value of the 'nis'
+option, so that we only grab from the backends we're expecting.
+
+Authors: Quentin Godfroy
+
+Upstream status: should be submitted
+
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -551,7 +551,7 @@
+ return PAM_USER_UNKNOWN;
+ } else {
+ struct passwd *pwd;
+- _unix_getpwnam(pamh, user, 1, 1, &pwd);
++ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "user \"%s\" has corrupted passwd entry",
--- pam-1.0.1.orig/debian/patches-applied/pam_env_ignore_garbage.patch
+++ pam-1.0.1/debian/patches-applied/pam_env_ignore_garbage.patch
@@ -0,0 +1,46 @@
+Patch for Debian bug #439984
+
+pam_env was not correctly skipping over non-alphanumeric variable names,
+and was not handling the PAM_BAD_ITEM error return from pam_putenv()
+when clearing an unset variable.
+
+Authors: Steve Langasek
+
+Upstream status: committed to CVS
+
+Index: pam/Linux-PAM/modules/pam_env/pam_env.c
+===================================================================
+--- pam.orig/Linux-PAM/modules/pam_env/pam_env.c
++++ pam/Linux-PAM/modules/pam_env/pam_env.c
+@@ -232,9 +232,14 @@
+
+ for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ )
+ if (!isalnum(key[i]) && key[i] != '_') {
+- D(("key is not alpha numeric - '%s', ignoring", key));
+- continue;
++ pam_syslog(pamh, LOG_ERR,
++ "non-alphanumeric key '%s' in %s', ignoring",
++ key, file);
++ break;
+ }
++ /* non-alphanumeric key, ignore this line */
++ if (key[i] != '=' && key[i] != '\0')
++ continue;
+
+ /* now we try to be smart about quotes around the value,
+ but not too smart, we can't get all fancy with escaped
+@@ -248,6 +253,14 @@
+ key[i] = '\0';
+ }
+
++ /* if this is a request to delete a variable, check that it's
++ actually set first, so we don't get a vague error back from
++ pam_putenv() */
++ for (i = 0; key[i] != '=' && key[i] != '\0'; i++);
++
++ if (key[i] == '\0' && !pam_getenv(pamh,key))
++ continue;
++
+ /* set the env var, if it fails, we break out of the loop */
+ retval = pam_putenv(pamh, key);
+ if (retval != PAM_SUCCESS) {
--- pam-1.0.1.orig/debian/patches-applied/ubuntu-fix_standard_types
+++ pam-1.0.1/debian/patches-applied/ubuntu-fix_standard_types
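Review bot: `isalnum(key[i])` in the validation loop of pam_env_ignore_garbage is handed a plain `char`, so on platforms where `char` is signed any byte above 0x7f in the environment file reaches it as a negative value, which is undefined for the `<ctype.h>` functions; the call should be `isalnum((unsigned char)key[i])`. The new log format `"non-alphanumeric key '%s' in %s', ignoring"` has an unbalanced quote after the file name, `in '%s'` was probably meant. The empty-bodied `for (...; i++);` in the second hunk repeats the scan of the first one, and a short comment saying why `i` cannot be reused at that point would help, since the code between the two hunks is not shown. The enclosing function starts and ends outside both hunks.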
@@ -0,0 +1,13 @@
+Index: pam-0.99.7.1/Linux-PAM/libpamc/test/regress/test.libpamc.c
+===================================================================
+--- pam-0.99.7.1.orig/Linux-PAM/libpamc/test/regress/test.libpamc.c 2007-09-05 15:34:52.000000000 -0700
++++ pam-0.99.7.1/Linux-PAM/libpamc/test/regress/test.libpamc.c 2007-09-05 15:35:12.000000000 -0700
+@@ -157,7 +157,7 @@
+ return temp_packet.buffer;
+ }
+
+-void packet_to_prompt(pamc_bp_t *prompt_p, __u8 control,
++void packet_to_prompt(pamc_bp_t *prompt_p, u_int8_t control,
+ struct internal_packet *packet)
+ {
+ PAM_BP_RENEW(prompt_p, control, packet->at);
--- pam-1.0.1.orig/debian/patches-applied/040_pam_limits_log_failure
+++ pam-1.0.1/debian/patches-applied/040_pam_limits_log_failure
@@ -0,0 +1,33 @@
+Patch for Debian bug #180310
+
+Generate some (low-severity) log information whenever setrlimit() fails,
+for debugging purposes.
+
+Authors: Sam Hartman
+
+Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
+
+Index: pam.deb/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.deb.orig/modules/pam_limits/pam_limits.c
++++ pam.deb/modules/pam_limits/pam_limits.c
+@@ -639,6 +639,19 @@
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
+ retval = setrlimit(i, &pl->limits[i].limit);
++ if (retval != 0 && (i != RLIMIT_NOFILE
++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY))
++ {
++ int save_errno = errno;
++ pam_syslog(pamh, LOG_DEBUG,
++ "setrlimit limit #%d to soft=%d, hard=%d failed:"
++ " %m; uid=%lu,euid=%lu", i,
++ pl->limits[i].limit.rlim_cur,
++ pl->limits[i].limit.rlim_max,
++ (unsigned long) getuid(),
++ (unsigned long) geteuid());
++ errno = save_errno;
++ }
+ if (retval == -1 && errno==EPERM)
+ continue;
+ status |= retval;
--- pam-1.0.1.orig/debian/patches-applied/026_pam_unix_passwd_unknown_user
+++ pam-1.0.1/debian/patches-applied/026_pam_unix_passwd_unknown_user
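Review bot: The new `pam_syslog` call prints `rlim_cur` and `rlim_max` with `%d`, but those fields are `rlim_t`, which is wider than `int` on 64-bit and large-file builds; the varargs mismatch is undefined and can also misalign the `uid`/`euid` arguments that follow. Widen and cast instead: `"setrlimit limit #%d to soft=%llu, hard=%llu failed:"` with `(unsigned long long) pl->limits[i].limit.rlim_cur` and the same for `rlim_max`. The condition `i != RLIMIT_NOFILE || ... rlim_cur != RLIM_INFINITY` suppresses the message for one case without saying why, so a one-line comment there is worth adding. LOG_DEBUG also means most default syslog setups will not record that a configured limit was not applied. The loop starts and ends outside the hunk.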
@@ -0,0 +1,58 @@
+Patch from Martin Schwenke
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -715,7 +715,7 @@
+ struct passwd *tmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ security_context_t prev_context=NULL;
+@@ -786,6 +786,7 @@
+
+ tmpent->pw_passwd = assigned_passwd.charp;
+ err = 0;
++ found = 1;
+ }
+ if (putpwent(tmpent, pwfile)) {
+ D(("error writing entry to password file: %m"));
+@@ -827,7 +828,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(PW_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
+@@ -842,7 +843,7 @@
+ struct spwd *spwdent = NULL, *stmpent = NULL;
+ struct stat st;
+ FILE *pwfile, *opwfile;
+- int err = 1;
++ int err = 1, found = 0;
+ int oldmask;
+ #ifdef WITH_SELINUX
+ security_context_t prev_context=NULL;
+@@ -913,6 +914,7 @@
+ stmpent->sp_pwdp = towhat;
+ stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24);
+ err = 0;
++ found = 1;
+ D(("Set password %s for %s", stmpent->sp_pwdp, forwho));
+ }
+
+@@ -959,7 +961,7 @@
+ return PAM_SUCCESS;
+ } else {
+ unlink(SH_TMPFILE);
+- return PAM_AUTHTOK_ERR;
++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;
+ }
+ }
+
--- pam-1.0.1.orig/debian/patches-applied/ubuntu-user_defined_environment
+++ pam-1.0.1/debian/patches-applied/ubuntu-user_defined_environment
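Review bot: `found` is set only once the matching entry has been reached, so any failure that ends the copy before that point now makes `return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;` report an unknown user for an account that exists. The `putpwent()` error path at the end of the second hunk is one candidate, though its body is cut off here, so this needs checking against the full loop. If that path can leave the loop early, keep a separate flag for the write failure and return `PAM_AUTHTOK_ERR` when it is set. A comment at both declarations, such as `/* found: the user's entry was present in the file; separates "no such user" from a write failure */`, would document the new return value. Both functions start and end outside the hunks.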
@@ -0,0 +1,220 @@ +Index: pam-0.99.7.1/Linux-PAM/modules/pam_env/pam_env.c +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_env/pam_env.c 2007-09-05 16:19:34.000000000 -0700 ++++ pam-0.99.7.1/Linux-PAM/modules/pam_env/pam_env.c 2007-09-05 16:21:28.000000000 -0700 +@@ -11,6 +11,9 @@ + #define DEFAULT_ETC_ENVFILE "/etc/environment" + #define DEFAULT_READ_ENVFILE 1 + ++#define DEFAULT_USER_ENVFILE ".pam_environment" ++#define DEFAULT_USER_READ_ENVFILE 1 ++ + #include "config.h" + + #include +@@ -75,16 +78,20 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x01 +-#define PAM_NEW_CONF_FILE 0x02 +-#define PAM_ENV_SILENT 0x04 +-#define PAM_NEW_ENV_FILE 0x10 + + static int + _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, +- const char **conffile, const char **envfile, int *readenv) ++ char **conffile, char **envfile, int *readenv, ++ int *user_read_env, char **user_env_file) + { + int ctrl=0; + ++ /* handle out of memory ; fixme */ ++ *user_env_file = strdup(DEFAULT_USER_ENVFILE); ++ *envfile = strdup(DEFAULT_ETC_ENVFILE); ++ *readenv = DEFAULT_READ_ENVFILE; ++ *user_read_env = DEFAULT_USER_READ_ENVFILE; ++ *conffile = strdup(DEFAULT_CONF_FILE); + + /* step through arguments */ + for (; argc-- > 0; ++argv) { +@@ -94,25 +101,36 @@ + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; + else if (!strncmp(*argv,"conffile=",9)) { +- *conffile = 9 + *argv; +- if (**conffile != '\0') { +- D(("new Configuration File: %s", *conffile)); +- ctrl |= PAM_NEW_CONF_FILE; +- } else { ++ if (*argv+9 == '\0') { + pam_syslog(pamh, LOG_ERR, + "conffile= specification missing argument - ignored"); ++ } else { ++ free(*conffile); ++ *conffile = x_strdup(9+*argv); ++ D(("new Configuration File: %s", *conffile)); + } + } else if (!strncmp(*argv,"envfile=",8)) { +- *envfile = 8 + *argv; +- if (**envfile != '\0') { +- D(("new Env File: %s", *envfile)); +- ctrl |= PAM_NEW_ENV_FILE; +- } else { ++ if (*argv+8 
== '\0') { + pam_syslog (pamh, LOG_ERR, + "envfile= specification missing argument - ignored"); ++ } else { ++ free(*envfile); ++ *envfile = x_strdup(8+*argv); ++ D(("new Env File: %s", *envfile)); ++ } ++ } else if (!strncmp(*argv,"user_env_file=",13)) { ++ if (*argv+13 == '\0') { ++ pam_syslog (pamh, LOG_ERR, ++ "user_env_file= specification missing argument - ignored"); ++ } else { ++ free(*user_env_file); ++ *user_env_file = x_strdup(13+*argv); ++ D(("new User Env File: %s", *user_env_file)); + } + } else if (!strncmp(*argv,"readenv=",8)) + *readenv = atoi(8+*argv); ++ else if (!strncmp(*argv,"user_readenv=",13)) ++ *user_read_env = atoi(13+*argv); + else + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } +@@ -121,10 +139,9 @@ + } + + static int +-_parse_config_file(pam_handle_t *pamh, int ctrl, const char *conffile) ++_parse_config_file(pam_handle_t *pamh, const char *file) + { + int retval; +- const char *file; + char buffer[BUF_SIZE]; + FILE *conf; + VAR Var, *var=&Var; +@@ -132,12 +149,6 @@ + var->name=NULL; var->defval=NULL; var->override=NULL; + D(("Called.")); + +- if (ctrl & PAM_NEW_CONF_FILE) { +- file = conffile; +- } else { +- file = DEFAULT_CONF_FILE; +- } +- + D(("Config file name is: %s", file)); + + /* +@@ -184,18 +195,12 @@ + } + + static int +-_parse_env_file(pam_handle_t *pamh, int ctrl, const char *env_file) ++_parse_env_file(pam_handle_t *pamh, const char *file) + { + int retval=PAM_SUCCESS, i, t; +- const char *file; + char buffer[BUF_SIZE], *key, *mark; + FILE *conf; + +- if (ctrl & PAM_NEW_ENV_FILE) +- file = env_file; +- else +- file = DEFAULT_ETC_ENVFILE; +- + D(("Env file name is: %s", file)); + + if ((conf = fopen(file,"r")) == NULL) { +@@ -751,23 +756,52 @@ + int argc, const char **argv) + { + int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; +- const char *conf_file = NULL, *env_file = NULL; ++ int read_user_env = DEFAULT_USER_READ_ENVFILE; ++ char *conf_file = NULL, *env_file = NULL, *user_env_file = NULL; + + /* + * this 
module sets environment variables read in from a file + */ + + D(("Called.")); +- ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); ++ ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv, ++ &read_user_env, &user_env_file); + +- retval = _parse_config_file(pamh, ctrl, conf_file); ++ retval = _parse_config_file(pamh, conf_file); + + if(readenv && retval == PAM_SUCCESS) { +- retval = _parse_env_file(pamh, ctrl, env_file); ++ retval = _parse_env_file(pamh, env_file); + if (retval == PAM_IGNORE) + retval = PAM_SUCCESS; + } + ++ if(read_user_env && retval == PAM_SUCCESS) { ++ char *envpath = NULL; ++ struct passwd *user_entry; ++ const char *username; ++ struct stat statbuf; ++ ++ username = _pam_get_item_byname(pamh, "PAM_USER"); ++ ++ user_entry = getpwnam(username); ++ if (!user_entry) { ++ pam_syslog(pamh, LOG_ERR, "No such user!?"); ++ } ++ else { ++ if (!(envpath = malloc(strlen(user_entry->pw_dir) + 1 + strlen(user_env_file) + 1))) { ++ pam_syslog(pamh, LOG_ERR, "Malloc failed"); ++ return PAM_BUF_ERR; ++ } ++ sprintf(envpath, "%s/%s", user_entry->pw_dir, user_env_file); ++ if (stat(envpath, &statbuf) == 0) { ++ retval = _parse_config_file(pamh, envpath); ++ if (retval == PAM_IGNORE) ++ retval = PAM_SUCCESS; ++ } ++ free(envpath); ++ } ++ } ++ + /* indicate success or failure */ + + D(("Exit.")); +@@ -786,28 +820,9 @@ + pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) + { +- int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; +- const char *conf_file = NULL, *env_file = NULL; +- +- /* +- * this module sets environment variables read in from a file +- */ +- +- D(("Called.")); +- ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); +- +- retval = _parse_config_file(pamh, ctrl, conf_file); +- +- if(readenv && retval == PAM_SUCCESS) { +- retval = _parse_env_file(pamh, ctrl, env_file); +- if (retval == PAM_IGNORE) +- retval = PAM_SUCCESS; +- } +- +- /* indicate success or failure 
*/ +- +- D(("Exit.")); +- return retval; ++ /* Function was identical to pam_sm_setcred, so call it instead */ ++ D(("Called -- calling pam_sm_setcred instead...")); ++ return pam_sm_setcred(pamh, flags, argc, argv); + } + + PAM_EXTERN int --- pam-1.0.1.orig/debian/patches-applied/PAM-manpage-section +++ pam-1.0.1/debian/patches-applied/PAM-manpage-section 
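Review bot: The block added to pam_sm_setcred feeds `<home>/.pam_environment` to `_parse_config_file` by default (`DEFAULT_USER_READ_ENVFILE 1`), and nothing visible in the hunk changes identity or checks ownership first, the only gate being `stat(envpath, &statbuf)`; a file the user controls, including a symlink, is therefore opened with whatever privileges the calling service holds, and its contents set variables for the session. I would default `user_readenv` to 0 and, when it is enabled, require a regular file owned by `user_entry->pw_uid` and open it under that user's identity. The option parser has two defects of its own: `*argv+9 == '\0'` (likewise `+8` and `+13`) compares a pointer with zero and never fires, so it should be `(*argv)[9] == '\0'`; and `"user_env_file="` is 14 characters, so `strncmp(*argv,"user_env_file=",13)` with `x_strdup(13+*argv)` keeps the `=` at the start of the file name. `username` from `_pam_get_item_byname` goes to `getpwnam()` without a NULL check, and the `strdup()` results are unchecked, as the `fixme` comment admits. pam_sm_setcred begins outside the hunk.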
@@ -0,0 +1,8392 @@ +Patch to put the PAM manpage in section 7 (general topics) instead of 8 +(system administration commands) + +Authors: Steve Langasek + +Upstream status: maybe provide a backwards-compatibility link first? + +Index: pam.deb/doc/man/PAM.8 +=================================================================== +--- pam.deb.orig/doc/man/PAM.8 ++++ pam.deb/doc/man/PAM.8 +@@ -5,7 +5,7 @@ + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM" "7" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -104,4 +104,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_sm_setcred\fR(3), + \fBpam_strerror\fR(3), +-\fBPAM\fR(8) ++\fBPAM\fR(7) +Index: pam.deb/doc/man/pam.8 +=================================================================== +--- pam.deb.orig/doc/man/pam.8 ++++ pam.deb/doc/man/pam.8 +@@ -1 +1 @@ +-.so man8/PAM.8 ++.so man7/PAM.7 +Index: pam.deb/doc/man/pam.8.xml +=================================================================== +--- pam.deb.orig/doc/man/pam.8.xml ++++ pam.deb/doc/man/pam.8.xml +@@ -6,7 +6,7 @@ + + + pam +- 8 ++ 7 + Linux-PAM Manual + + +@@ -179,7 +179,7 @@ + pam_strerror3 + , + +- PAM8 ++ PAM7 + + + +Index: pam.deb/modules/pam_access/access.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_access/access.conf.5 ++++ pam.deb/modules/pam_access/access.conf.5 +@@ -1,32 +1,32 @@ + .\" Title: access.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "ACCESS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "ACCESS\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + 
.nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-access.conf - the login access control table file ++access.conf \- the login access control table file + .SH "DESCRIPTION" + .PP + The +-\fI/etc/security/access\.conf\fR ++\fI/etc/security/access\&.conf\fR + file specifies (\fIuser/group\fR, + \fIhost\fR), (\fIuser/group\fR, + \fInetwork/netmask\fR) or (\fIuser/group\fR, +-\fItty\fR) combinations for which a login will be either accepted or refused\. ++\fItty\fR) combinations for which a login will be either accepted or refused\&. + .PP + When someone logs in, the file +-\fIaccess\.conf\fR ++\fIaccess\&.conf\fR + is scanned for the first entry that matches the (\fIuser/group\fR, + \fIhost\fR) or (\fIuser/group\fR, + \fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, +-\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\. ++\fItty\fR) combination\&. The permissions field of that table entry determines whether the login will be accepted or refused\&. + .PP + Each line of the login access control table has three fields separated by a ":" character (colon): + .PP +@@ -35,92 +35,92 @@ + .PP + The first field, the + \fIpermission\fR +-field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\. ++field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\&. + .PP + The second field, the + \fIusers\fR/\fIgroup\fR + field, should be a list of one or more login names, group names, or + \fIALL\fR +-(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\. +-\fI(group)\fR\. ++(which always matches)\&. 
To differentiate user entries from group entries, group entries should be written with brackets, e\&.g\&. ++\fI(group)\fR\&. + .PP + The third field, the + \fIorigins\fR +-field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), ++field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\&."), host addresses, internet network numbers (end with "\&."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), + \fIALL\fR + (which always matches) or + \fILOCAL\fR +-(which matches any string that does not contain a "\." character)\. If supported by the system you can use ++(which matches any string that does not contain a "\&." character)\&. If supported by the system you can use + \fI@netgroupname\fR +-in host or user patterns\. ++in host or user patterns\&. + .PP + The + \fIEXCEPT\fR +-operator makes it possible to write very compact rules\. ++operator makes it possible to write very compact rules\&. + .PP + If the + \fBnodefgroup\fR +-is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\. ++is not set, the group file is searched when a name does not match that of the logged\-in user\&. Only groups are matched in which users are explicitly listed\&. However the PAM module does not look at the primary group id of a user\&. + .PP +-The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\. 
++The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\&. + .SH "EXAMPLES" + .PP + These are some example lines which might be specified in +-\fI/etc/security/access\.conf\fR\. ++\fI/etc/security/access\&.conf\fR\&. + .PP + User + \fIroot\fR + should be allowed to get access via + \fIcron\fR, X11 terminal + \fI:0\fR, +-\fItty1\fR, \.\.\., ++\fItty1\fR, \&.\&.\&., + \fItty5\fR, +-\fItty6\fR\. ++\fItty6\fR\&. + .PP + + : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + .PP + User + \fIroot\fR +-should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\. ++should be allowed to get access from hosts which own the IPv4 addresses\&. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\&. + .PP +-+ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9 +++ : root : 192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9 + .PP +-+ : root : 127\.0\.0\.1 +++ : root : 127\&.0\&.0\&.1 + .PP + User + \fIroot\fR + should get access from network +-192\.168\.201\. +-where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. The same meaning of +-192\.168\.201\. ++192\&.168\&.201\&. ++where the term will be evaluated by string matching\&. But it might be better to use network/netmask instead\&. The same meaning of ++192\&.168\&.201\&. + is +-\fI192\.168\.201\.0/24\fR ++\fI192\&.168\&.201\&.0/24\fR + or +-\fI192\.168\.201\.0/255\.255\.255\.0\fR\. ++\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&. + .PP +-+ : root : 192\.168\.201\. +++ : root : 192\&.168\&.201\&. 
+ .PP + User + \fIroot\fR + should be able to have access from hosts +-\fIfoo1\.bar\.org\fR ++\fIfoo1\&.bar\&.org\fR + and +-\fIfoo2\.bar\.org\fR +-(uses string matching also)\. ++\fIfoo2\&.bar\&.org\fR ++(uses string matching also)\&. + .PP +-+ : root : foo1\.bar\.org foo2\.bar\.org +++ : root : foo1\&.bar\&.org foo2\&.bar\&.org + .PP + User + \fIroot\fR + should be able to have access from domain +-\fIfoo\.bar\.org\fR +-(uses string matching also)\. ++\fIfoo\&.bar\&.org\fR ++(uses string matching also)\&. + .PP +-+ : root : \.foo\.bar\.org +++ : root : \&.foo\&.bar\&.org + .PP + User + \fIroot\fR +-should be denied to get access from all other sources\. ++should be denied to get access from all other sources\&. + .PP + \- : root : ALL + .PP +@@ -128,7 +128,7 @@ + \fIfoo\fR + and members of netgroup + \fIadmins\fR +-should be allowed to get access from all sources\. This will only work if netgroup service is available\. ++should be allowed to get access from all sources\&. This will only work if netgroup service is available\&. + .PP + + : @admins foo : ALL + .PP +@@ -136,21 +136,21 @@ + \fIjohn\fR + and + \fIfoo\fR +-should get access from IPv6 host address\. ++should get access from IPv6 host address\&. + .PP + + : john foo : 2001:4ca0:0:101::1 + .PP + User + \fIjohn\fR +-should get access from IPv6 net/mask\. ++should get access from IPv6 net/mask\&. + .PP + + : john : 2001:4ca0:0:101::/64 + .PP +-Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\. ++Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&. + .PP + \-:ALL EXCEPT (wheel) shutdown sync:LOCAL + .PP +-All other users should be denied to get access from all sources\. ++All other users should be denied to get access from all sources\&. 
+ .PP + \- : ALL : ALL + .SH "SEE ALSO" +@@ -158,13 +158,13 @@ + + \fBpam_access\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + Original + \fBlogin.access\fR(5) + manual was provided by Guido van Rooij which was renamed to + \fBaccess.conf\fR(5) +-to reflect relation to default config file\. ++to reflect relation to default config file\&. + .PP +-Network address / netmask description and example text was introduced by Mike Becher \. ++Network address / netmask description and example text was introduced by Mike Becher \&. +Index: pam.deb/modules/pam_access/access.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_access/access.conf.5.xml ++++ pam.deb/modules/pam_access/access.conf.5.xml +@@ -183,7 +183,7 @@ + + pam_access8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_env/pam_env.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_env/pam_env.conf.5 ++++ pam.deb/modules/pam_env/pam_env.conf.5 +@@ -1,37 +1,37 @@ + .\" Title: pam_env.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ENV\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_ENV\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_env.conf - the environment variables config file ++pam_env.conf \- the environment variables config file + .SH "DESCRIPTION" + .PP + The +-\fI/etc/security/pam_env\.conf\fR ++\fI/etc/security/pam_env\&.conf\fR + file specifies the environment variables to be set, unset or modified by +-\fBpam_env\fR(8)\. 
When someone logs in, this file is read and the environment variables are set according\. ++\fBpam_env\fR(8)\&. When someone logs in, this file is read and the environment variables are set according\&. + .PP +-Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\. OVERRIDE is not used, "" is assumed and no override will be done\. ++Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\&. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\&. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\&. OVERRIDE is not used, "" is assumed and no override will be done\&. + .PP + + \fIVARIABLE\fR + [\fIDEFAULT=[value]\fR] [\fIOVERRIDE=[value]\fR] + .PP +-(Possibly non\-existent) environment variables may be used in values using the ${string} syntax and (possibly non\-existent) PAM_ITEMs may be used in values using the @{string} syntax\. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported\. Note that many environment variables that you would like to use may not be set by the time the module is called\. For example, HOME is used below several times, but many PAM applications don\'t make it available by the time you need it\. ++(Possibly non\-existent) environment variables may be used in values using the ${string} syntax and (possibly non\-existent) PAM_ITEMs may be used in values using the @{string} syntax\&. 
Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported\&. Note that many environment variables that you would like to use may not be set by the time the module is called\&. For example, HOME is used below several times, but many PAM applications don\'t make it available by the time you need it\&. + .PP +-The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\. ++The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\&. + .SH "EXAMPLES" + .PP + These are some example lines which might be specified in +-\fI/etc/security/pam_env\.conf\fR\. ++\fI/etc/security/pam_env\&.conf\fR\&. + .PP + Set the REMOTEHOST variable for any hosts that are remote, default to "localhost" rather than not being set at all + .sp +@@ -46,7 +46,7 @@ + .sp + .RS 4 + .nf +- DISPLAY DEFAULT=${REMOTEHOST}:0\.0 OVERRIDE=${DISPLAY} ++ DISPLAY DEFAULT=${REMOTEHOST}:0\&.0 OVERRIDE=${DISPLAY} + + .fi + .RE +@@ -65,7 +65,7 @@ + .fi + .RE + .PP +-Silly examples of escaped variables, just to show how they work\. ++Silly examples of escaped variables, just to show how they work\&. + .sp + .RS 4 + .nf +@@ -81,7 +81,7 @@ + + \fBpam_env\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_env was written by Dave Kinchlea \. ++pam_env was written by Dave Kinchlea \&. 
+Index: pam.deb/modules/pam_env/pam_env.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_env/pam_env.conf.5.xml ++++ pam.deb/modules/pam_env/pam_env.conf.5.xml +@@ -110,7 +110,7 @@ + + pam_env8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_group/group.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_group/group.conf.5 ++++ pam.deb/modules/pam_group/group.conf.5 +@@ -1,24 +1,24 @@ + .\" Title: group.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "GROUP\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "GROUP\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-group.conf - configuration file for the pam_group module ++group.conf \- configuration file for the pam_group module + .SH "DESCRIPTION" + .PP +-The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\. ++The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\&. Such memberships are based on the service they are applying for\&. + .PP + For this module to function correctly there must be a correctly formatted +-\fI/etc/security/group\.conf\fR +-file present\. White spaces are ignored and lines maybe extended with \'\e\' (escaped newlines)\. Text following a \'#\' is ignored to the end of the line\. ++\fI/etc/security/group\&.conf\fR ++file present\&. 
White spaces are ignored and lines maybe extended with \'\e\' (escaped newlines)\&. Text following a \'#\' is ignored to the end of the line\&. + .PP + The syntax of the lines is as follows: + .PP +@@ -27,33 +27,33 @@ + .PP + The first field, the + \fIservices\fR +-field, is a logic list of PAM service names that the rule applies to\. ++field, is a logic list of PAM service names that the rule applies to\&. + .PP + The second field, the + \fItty\fR +-field, is a logic list of terminal names that this rule applies to\. ++field, is a logic list of terminal names that this rule applies to\&. + .PP + The third field, the + \fIusers\fR +-field, is a logic list of users or a netgroup of users to whom this rule applies\. ++field, is a logic list of users or a netgroup of users to whom this rule applies\&. + .PP +-For these items the simple wildcard \'*\' may be used only once\. With netgroups no wildcards or logic operators are allowed\. ++For these items the simple wildcard \'*\' may be used only once\&. With netgroups no wildcards or logic operators are allowed\&. + .PP + The + \fItimes\fR +-field is used to indicate "when" these groups are to be given to the user\. The format here is a logic list of day/time\-range entries\. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\. As a final example, AlFr means all days except Friday\. ++field is used to indicate "when" these groups are to be given to the user\&. The format here is a logic list of day/time\-range entries\&. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\&. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\&. 
The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\&. As a final example, AlFr means all days except Friday\&. + .PP +-Each day/time\-range can be prefixed with a \'!\' to indicate "anything but"\. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\. ++Each day/time\-range can be prefixed with a \'!\' to indicate "anything but"\&. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\&. + .PP + The + \fIgroups\fR +-field is a comma or space separated list of groups that the user inherits membership of\. These groups are added if the previous fields are satisfied by the user\'s request\. ++field is a comma or space separated list of groups that the user inherits membership of\&. These groups are added if the previous fields are satisfied by the user\'s request\&. + .PP +-For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\. ++For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\&. + .SH "EXAMPLES" + .PP + These are some example lines which might be specified in +-\fI/etc/security/group\.conf\fR\. ++\fI/etc/security/group\&.conf\fR\&. + .PP + Running \'xsh\' on tty* (any ttyXXX device), the user \'us\' is given access to the floppy (through membership of the floppy group) + .sp +@@ -63,7 +63,7 @@ + .fi + .RE + .PP +-Running \'xsh\' on tty* (any ttyXXX device), the user \'sword\' is given access to games (through membership of the floppy group) after work hours\. 
++Running \'xsh\' on tty* (any ttyXXX device), the user \'sword\' is given access to games (through membership of the floppy group) after work hours\&. + .sp + .RS 4 + .nf +@@ -77,7 +77,7 @@ + + \fBpam_group\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_group was written by Andrew G\. Morgan \. ++pam_group was written by Andrew G\&. Morgan \&. +Index: pam.deb/modules/pam_group/group.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_group/group.conf.5.xml ++++ pam.deb/modules/pam_group/group.conf.5.xml +@@ -118,7 +118,7 @@ + + pam_group8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf.5 ++++ pam.deb/modules/pam_limits/limits.conf.5 +@@ -218,7 +218,7 @@ + + \fBpam_limits\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_limits was initially written by Cristian Gafton +Index: pam.deb/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.deb/modules/pam_limits/limits.conf.5.xml +@@ -280,7 +280,7 @@ + + pam_limits8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_namespace/namespace.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_namespace/namespace.conf.5 ++++ pam.deb/modules/pam_namespace/namespace.conf.5 +@@ -1,40 +1,40 @@ + .\" Title: namespace.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "NAMESPACE\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "NAMESPACE\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" 
"Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-namespace.conf - the namespace configuration file ++namespace.conf \- the namespace configuration file + .SH "DESCRIPTION" + .PP + The +-\fIpam_namespace\.so\fR +-module allows setup of private namespaces with polyinstantiated directories\. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\. If an executable script +-\fI/etc/security/namespace\.init\fR +-exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path and the instance directory path as its arguments\. ++\fIpam_namespace\&.so\fR ++module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\&. If an executable script ++\fI/etc/security/namespace\&.init\fR ++exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&. + .PP + The +-\fI/etc/security/namespace\.conf\fR +-file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\. ++\fI/etc/security/namespace\&.conf\fR ++file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&. + .PP + When someone logs in, the file +-\fInamespace\.conf\fR +-is scanned\. Comments are marked by ++\fInamespace\&.conf\fR ++is scanned\&. Comments are marked by + \fI#\fR +-characters\. 
Each non comment line represents one polyinstantiated directory\. The fields are separated by spaces but can be quoted by ++characters\&. Each non comment line represents one polyinstantiated directory\&. The fields are separated by spaces but can be quoted by + \fI"\fR + characters also escape sequences + \fI\eb\fR, + \fI\en\fR, and + \fI\et\fR +-are recognized\. The fields are as follows: ++are recognized\&. The fields are as follows: + .PP + \fIpolydir\fR + \fIinstance_prefix\fR +@@ -42,98 +42,98 @@ + \fIlist_of_uids\fR + .PP + The first field, +-\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\. The special string ++\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. The special string + \fI$HOME\fR + is replaced with the user\'s home directory, and + \fI$USER\fR +-with the username\. This field cannot be blank\. ++with the username\&. This field cannot be blank\&. + .PP + The second field, + \fIinstance_prefix\fR +-is the string prefix used to build the pathname for the instantiation of \. Depending on the polyinstantiation ++is the string prefix used to build the pathname for the instantiation of \&. Depending on the polyinstantiation + \fImethod\fR +-it is then appended with "instance differentiation string" to generate the final instance directory path\. This directory is created if it did not exist already, and is then bind mounted on the to provide an instance of based on the column\. The special string ++it is then appended with "instance differentiation string" to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the to provide an instance of based on the column\&. The special string + \fI$HOME\fR + is replaced with the user\'s home directory, and + \fI$USER\fR +-with the username\. This field cannot be blank\. ++with the username\&. This field cannot be blank\&. 
+ .PP + The third field, +-\fImethod\fR, is the method used for polyinstantiation\. It can take these values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating temporary directory as an instance dir which is removed when the user\'s session is closed\. Methods "context" and "level" are only available with SELinux\. This field cannot be blank\. ++\fImethod\fR, is the method used for polyinstantiation\&. It can take these values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating temporary directory as an instance dir which is removed when the user\'s session is closed\&. Methods "context" and "level" are only available with SELinux\&. This field cannot be blank\&. + .PP + The fourth field, +-\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\. If left blank, polyinstantiation will be performed for all users\. If the list is preceded with a single "~" character, polyinstantiation is performed only for users in the list\. ++\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&. If the list is preceded with a single "~" character, polyinstantiation is performed only for users in the list\&. + .PP + The + \fImethod\fR + field can contain also following optional flags separated by + \fI:\fR +-characters\. ++characters\&. + .PP + \fIcreate\fR=\fImode\fR,\fIowner\fR,\fIgroup\fR +-\- create the polyinstantiated directory\. 
The mode, owner and group parameters are optional\. The default for mode is determined by umask, the default owner is the user whose session is opened, the default group is the primary group of the user\. ++\- create the polyinstantiated directory\&. The mode, owner and group parameters are optional\&. The default for mode is determined by umask, the default owner is the user whose session is opened, the default group is the primary group of the user\&. + .PP + \fIiscript\fR=\fIpath\fR +-\- path to the instance directory init script\. The base directory for relative paths is +-\fI/etc/security/namespace\.d\fR\. ++\- path to the instance directory init script\&. The base directory for relative paths is ++\fI/etc/security/namespace\&.d\fR\&. + .PP + \fInoinit\fR +-\- instance directory init script will not be executed\. ++\- instance directory init script will not be executed\&. + .PP + \fIshared\fR +-\- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\. ++\- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\&. + .PP +-The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\. The requirement that the instance parent be of mode 0000 can be overridden with the command line option ++The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\&. The requirement that the instance parent be of mode 0000 can be overridden with the command line option + \fIignore_instance_parent_mode\fR + .PP +-In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon\. This context must be set by the calling application or +-\fIpam_selinux\.so\fR +-module\. 
If this context is not set the polyinstatiation will be based just on user name\. ++In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon\&. This context must be set by the calling application or ++\fIpam_selinux\&.so\fR ++module\&. If this context is not set the polyinstatiation will be based just on user name\&. + .PP +-The "instance differentiation string" is for "user" method and _ for "context" and "level" methods\. If the whole string is too long the end of it is replaced with md5sum of itself\. Also when command line option ++The "instance differentiation string" is for "user" method and _ for "context" and "level" methods\&. If the whole string is too long the end of it is replaced with md5sum of itself\&. Also when command line option + \fIgen_hash\fR +-is used the whole string is replaced with md5sum of itself\. ++is used the whole string is replaced with md5sum of itself\&. + .SH "EXAMPLES" + .PP + These are some example lines which might be specified in +-\fI/etc/security/namespace\.conf\fR\. ++\fI/etc/security/namespace\&.conf\fR\&. + .sp + .RS 4 + .nf + # The following three lines will polyinstantiate /tmp, +- # /var/tmp and user\'s home directories\. /tmp and /var/tmp ++ # /var/tmp and user\'s home directories\&. /tmp and /var/tmp + # will be polyinstantiated based on the security level + # as well as user name, whereas home directory will be +- # polyinstantiated based on the full security context and user name\. ++ # polyinstantiated based on the full security context and user name\&. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home +- # directories will be polyinstantiated for all users\. ++ # directories will be polyinstantiated for all users\&. + # + # Note that instance directories do not have to reside inside +- # the polyinstantiated directory\. 
In the examples below, ++ # the polyinstantiated directory\&. In the examples below, + # instances of /tmp will be created in /tmp\-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being +- # polyinstantiated\. ++ # polyinstantiated\&. + # + /tmp /tmp\-inst/ level root,adm + /var/tmp /var/tmp/tmp\-inst/ level root,adm +- $HOME $HOME/$USER\.inst/inst\- context ++ $HOME $HOME/$USER\&.inst/inst\- context + + .fi + .RE + .PP +-For the s you need polyinstantiation (login for example) put the following line in /etc/pam\.d/ as the last line for session group: ++For the s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/ as the last line for session group: + .PP +-session required pam_namespace\.so [arguments] ++session required pam_namespace\&.so [arguments] + .PP +-This module also depends on pam_selinux\.so setting the context\. ++This module also depends on pam_selinux\&.so setting the context\&. + .SH "SEE ALSO" + .PP + + \fBpam_namespace\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP +-The namespace\.conf manual page was written by Janak Desai \. More features added by Tomas Mraz \. ++The namespace\&.conf manual page was written by Janak Desai \&. More features added by Tomas Mraz \&. 
+Index: pam.deb/modules/pam_namespace/namespace.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_namespace/namespace.conf.5.xml ++++ pam.deb/modules/pam_namespace/namespace.conf.5.xml +@@ -196,7 +196,7 @@ + + pam_namespace8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_time/time.conf.5 +=================================================================== +--- pam.deb.orig/modules/pam_time/time.conf.5 ++++ pam.deb/modules/pam_time/time.conf.5 +@@ -1,62 +1,62 @@ + .\" Title: time.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "TIME\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "TIME\&.CONF" "5" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-time.conf - configuration file for the pam_time module ++time.conf \- configuration file for the pam_time module + .SH "DESCRIPTION" + .PP +-The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\. ++The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\&. 
This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\&. + .PP + For this module to function correctly there must be a correctly formatted +-\fI/etc/security/time\.conf\fR +-file present\. White spaces are ignored and lines maybe extended with \'\e\' (escaped newlines)\. Text following a \'#\' is ignored to the end of the line\. ++\fI/etc/security/time\&.conf\fR ++file present\&. White spaces are ignored and lines maybe extended with \'\e\' (escaped newlines)\&. Text following a \'#\' is ignored to the end of the line\&. + .PP + The syntax of the lines is as follows: + .PP + + \fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR + .PP +-In words, each rule occupies a line, terminated with a newline or the beginning of a comment; a \'\fB#\fR\'\. It contains four fields separated with semicolons, \'\fB;\fR\'\. ++In words, each rule occupies a line, terminated with a newline or the beginning of a comment; a \'\fB#\fR\'\&. It contains four fields separated with semicolons, \'\fB;\fR\'\&. + .PP + The first field, the + \fIservices\fR +-field, is a logic list of PAM service names that the rule applies to\. ++field, is a logic list of PAM service names that the rule applies to\&. + .PP + The second field, the + \fItty\fR +-field, is a logic list of terminal names that this rule applies to\. ++field, is a logic list of terminal names that this rule applies to\&. + .PP + The third field, the + \fIusers\fR +-field, is a logic list of users or a netgroup of users to whom this rule applies\. ++field, is a logic list of users or a netgroup of users to whom this rule applies\&. + .PP +-For these items the simple wildcard \'*\' may be used only once\. With netgroups no wildcards or logic operators are allowed\. ++For these items the simple wildcard \'*\' may be used only once\&. 
With netgroups no wildcards or logic operators are allowed\&. + .PP + The + \fItimes\fR +-field is used to indicate the times at which this rule applies\. The format here is a logic list of day/time\-range entries\. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\. As a final example, AlFr means all days except Friday\. ++field is used to indicate the times at which this rule applies\&. The format here is a logic list of day/time\-range entries\&. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\&. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\&. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\&. As a final example, AlFr means all days except Friday\&. + .PP +-Each day/time\-range can be prefixed with a \'!\' to indicate "anything but"\. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\. ++Each day/time\-range can be prefixed with a \'!\' to indicate "anything but"\&. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\&. + .PP +-For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\. ++For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\&. 
+ .PP +-Note, currently there is no daemon enforcing the end of a session\. This needs to be remedied\. ++Note, currently there is no daemon enforcing the end of a session\&. This needs to be remedied\&. + .PP + Poorly formatted rules are logged as errors using +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .SH "EXAMPLES" + .PP + These are some example lines which might be specified in +-\fI/etc/security/time\.conf\fR\. ++\fI/etc/security/time\&.conf\fR\&. + .PP + All users except for + \fIroot\fR +@@ -69,7 +69,7 @@ + .fi + .RE + .PP +-Games (configured to use PAM) are only to be accessed out of working hours\. This rule does not apply to the user ++Games (configured to use PAM) are only to be accessed out of working hours\&. This rule does not apply to the user + \fIwaster\fR: + .sp + .RS 4 +@@ -85,7 +85,7 @@ + + \fBpam_time\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_time was written by Andrew G\. Morgan \. ++pam_time was written by Andrew G\&. Morgan \&. 
+Index: pam.deb/modules/pam_time/time.conf.5.xml +=================================================================== +--- pam.deb.orig/modules/pam_time/time.conf.5.xml ++++ pam.deb/modules/pam_time/time.conf.5.xml +@@ -130,7 +130,7 @@ + + pam_time8, + pam.d5, +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_access/pam_access.8 +=================================================================== +--- pam.deb.orig/modules/pam_access/pam_access.8 ++++ pam.deb/modules/pam_access/pam_access.8 +@@ -1,103 +1,103 @@ + .\" Title: pam_access + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ACCESS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ACCESS" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_access - PAM module for logdaemon style login access control ++pam_access \- PAM module for logdaemon style login access control + .SH "SYNOPSIS" + .HP 14 +-\fBpam_access\.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] ++\fBpam_access\&.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] + .SH "DESCRIPTION" + .PP +-The pam_access PAM module is mainly for access management\. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\. ++The pam_access PAM module is mainly for access management\&. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\&. 
+ .PP + By default rules for access management are taken from config file +-\fI/etc/security/access\.conf\fR +-if you don\'t specify another file\. ++\fI/etc/security/access\&.conf\fR ++if you don\'t specify another file\&. + .PP +-If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\. ++If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\&. + .SH "OPTIONS" + .PP +-\fBaccessfile=\fR\fB\fI/path/to/access\.conf\fR\fR ++\fBaccessfile=\fR\fB\fI/path/to/access\&.conf\fR\fR + .RS 4 + Indicate an alternative +-\fIaccess\.conf\fR +-style configuration file to override the default\. This can be useful when different services need different access lists\. ++\fIaccess\&.conf\fR ++style configuration file to override the default\&. This can be useful when different services need different access lists\&. + .RE + .PP + \fBdebug\fR + .RS 4 + A lot of debug informations are printed with +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBnoaudit\fR + .RS 4 +-Do not report logins from disallowed hosts and ttys to the audit subsystem\. ++Do not report logins from disallowed hosts and ttys to the audit subsystem\&. + .RE + .PP + \fBfieldsep=\fR\fB\fIseparators\fR\fR + .RS 4 +-This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\. For example: ++This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\&. For example: + \fBfieldsep=|\fR +-will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the ++will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\&. 
Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the + \fBPAM_TTY\fR +-item is likely to be of the form "hostname:0" which includes a `:\' character in its value\. But you should not need this\. ++item is likely to be of the form "hostname:0" which includes a `:\' character in its value\&. But you should not need this\&. + .RE + .PP + \fBlistsep=\fR\fB\fIseparators\fR\fR + .RS 4 +-This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\. For example: ++This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\&. For example: + \fBlistsep=,\fR +-will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\. ++will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\&. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\&. + .RE + .PP + \fBnodefgroup\fR + .RS 4 +-The group database will not be used for tokens not identified as account name\. ++The group database will not be used for tokens not identified as account name\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +-All services are supported\. ++All services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-Access was granted\. ++Access was granted\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-Access was not granted\. ++Access was not granted\&. 
+ .RE + .PP + PAM_IGNORE + .RS 4 + + \fBpam_setcred\fR +-was called which does nothing\. ++was called which does nothing\&. + .RE + .PP + PAM_ABORT + .RS 4 +-Not all relevant data or options could be gotten\. ++Not all relevant data or options could be gotten\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-The user is not known to the system\. ++The user is not known to the system\&. + .RE + .SH "FILES" + .PP +-\fI/etc/security/access\.conf\fR ++\fI/etc/security/access\&.conf\fR + .RS 4 + Default configuration file + .RE +@@ -106,7 +106,7 @@ + + \fBaccess.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP +-The logdaemon style login access control scheme was designed and implemented by Wietse Venema\. The pam_access PAM module was developed by Alexei Nogin \. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \. ++The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin \&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \&. +Index: pam.deb/modules/pam_access/pam_access.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_access/pam_access.8.xml ++++ pam.deb/modules/pam_access/pam_access.8.xml +@@ -234,7 +234,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + . 
+ + +Index: pam.deb/modules/pam_cracklib/pam_cracklib.8 +=================================================================== +--- pam.deb.orig/modules/pam_cracklib/pam_cracklib.8 ++++ pam.deb/modules/pam_cracklib/pam_cracklib.8 +@@ -1,33 +1,33 @@ + .\" Title: pam_cracklib + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_CRACKLIB" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_CRACKLIB" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_cracklib - PAM module to check the password against dictionary words ++pam_cracklib \- PAM module to check the password against dictionary words + .SH "SYNOPSIS" + .HP 16 +-\fBpam_cracklib\.so\fR [\fI\.\.\.\fR] ++\fBpam_cracklib\&.so\fR [\fI\&.\&.\&.\fR] + .SH "DESCRIPTION" + .PP + This module can be plugged into the + \fIpassword\fR +-stack of a given application to provide some plug\-in strength\-checking for passwords\. ++stack of a given application to provide some plug\-in strength\-checking for passwords\&. + .PP +-The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\. ++The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\&. + .PP +-The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\. 
++The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\&. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\&. + .PP + The strength checks works in the following manner: at first the + \fBCracklib\fR +-routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\. These checks are: ++routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\&. These checks are: + .PP + Palindrome + .RS 4 +@@ -43,15 +43,15 @@ + .RS 4 + Is the new password too much like the old one? This is primarily controlled by one argument, + \fBdifok\fR +-which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\. ++which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\&. + .sp + To avoid the lockup associated with trying to change a long and complicated password, + \fBdifignore\fR +-is available\. This argument can be used to specify the minimum length a new password needs to be before the ++is available\&. This argument can be used to specify the minimum length a new password needs to be before the + \fBdifok\fR +-value is ignored\. The default value for ++value is ignored\&. The default value for + \fBdifignore\fR +-is 23\. ++is 23\&. + .RE + .PP + Simple +@@ -61,7 +61,7 @@ + \fBdcredit\fR, + \fBucredit\fR, + \fBlcredit\fR, and +-\fBocredit\fR\. See the section on the arguments for the details of how these work and there defaults\. ++\fBocredit\fR\&. 
See the section on the arguments for the details of how these work and there defaults\&. + .RE + .PP + Rotated +@@ -72,10 +72,10 @@ + Already used + .RS 4 + Was the password used in the past? Previously used passwords are to be found in +-\fI/etc/security/opasswd\fR\. ++\fI/etc/security/opasswd\fR\&. + .RE + .PP +-This module with no arguments will work well for standard unix password encryption\. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\.\.\. In addition, the default action is to allow passwords as small as 5 characters in length\. For a md5 systems it can be a good idea to increase the required minimum size of a password\. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\. ++This module with no arguments will work well for standard unix password encryption\&. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\&. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\&. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\&.\&.\&. In addition, the default action is to allow passwords as small as 5 characters in length\&. For a md5 systems it can be a good idea to increase the required minimum size of a password\&. 
One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\&. + .SH "OPTIONS" + .PP + .PP +@@ -83,21 +83,21 @@ + .RS 4 + This option makes the module write information to + \fBsyslog\fR(3) +-indicating the behavior of the module (this option does not write password information to the log file)\. ++indicating the behavior of the module (this option does not write password information to the log file)\&. + .RE + .PP + \fBtype=\fR\fB\fIXXX\fR\fR + .RS 4 +-The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\. The default word ++The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\&. The default word + \fIUNIX\fR +-can be replaced with this option\. ++can be replaced with this option\&. + .RE + .PP + \fBretry=\fR\fB\fIN\fR\fR + .RS 4 + Prompt user at most + \fIN\fR +-times before returning with error\. The default is ++times before returning with error\&. The default is + \fI1\fR + .RE + .PP +@@ -105,98 +105,98 @@ + .RS 4 + This argument will change the default of + \fI5\fR +-for the number of characters in the new password that must not be present in the old password\. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\. ++for the number of characters in the new password that must not be present in the old password\&. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\&. + .RE + .PP + \fBdifignore=\fR\fB\fIN\fR\fR + .RS 4 +-How many characters should the password have before difok will be ignored\. The default is +-\fI23\fR\. ++How many characters should the password have before difok will be ignored\&. The default is ++\fI23\fR\&. 
+ .RE + .PP + \fBminlen=\fR\fB\fIN\fR\fR + .RS 4 +-The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, ++The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\&. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, + \fIupper\fR, + \fIlower\fR + and +-\fIdigit\fR)\. The default for this parameter is ++\fIdigit\fR)\&. The default for this parameter is + \fI9\fR +-which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\. Note that there is a pair of length limits in ++which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\&. Note that there is a pair of length limits in + \fICracklib\fR + itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to +-\fBminlen\fR\. If you want to allow passwords as short as 5 characters you should not use this module\. ++\fBminlen\fR\&. If you want to allow passwords as short as 5 characters you should not use this module\&. + .RE + .PP + \fBdcredit=\fR\fB\fIN\fR\fR + .RS 4 +-(N >= 0) This is the maximum credit for having digits in the new password\. If you have less than or ++(N >= 0) This is the maximum credit for having digits in the new password\&. If you have less than or + \fIN\fR + digits, each digit will count +1 towards meeting the current + \fBminlen\fR +-value\. The default for ++value\&. The default for + \fBdcredit\fR + is 1 which is the recommended value for + \fBminlen\fR +-less than 10\. ++less than 10\&. 
+ .sp +-(N < 0) This is the minimum number of digits that must be met for a new password\. ++(N < 0) This is the minimum number of digits that must be met for a new password\&. + .RE + .PP + \fBucredit=\fR\fB\fIN\fR\fR + .RS 4 +-(N >= 0) This is the maximum credit for having upper case letters in the new password\. If you have less than or ++(N >= 0) This is the maximum credit for having upper case letters in the new password\&. If you have less than or + \fIN\fR + upper case letters each letter will count +1 towards meeting the current + \fBminlen\fR +-value\. The default for ++value\&. The default for + \fBucredit\fR + is + \fI1\fR + which is the recommended value for + \fBminlen\fR +-less than 10\. ++less than 10\&. + .sp +-(N > 0) This is the minimum number of upper case letters that must be met for a new password\. ++(N > 0) This is the minimum number of upper case letters that must be met for a new password\&. + .RE + .PP + \fBlcredit=\fR\fB\fIN\fR\fR + .RS 4 +-(N >= 0) This is the maximum credit for having lower case letters in the new password\. If you have less than or ++(N >= 0) This is the maximum credit for having lower case letters in the new password\&. If you have less than or + \fIN\fR + lower case letters, each letter will count +1 towards meeting the current + \fBminlen\fR +-value\. The default for ++value\&. The default for + \fBlcredit\fR + is 1 which is the recommended value for + \fBminlen\fR +-less than 10\. ++less than 10\&. + .sp +-(N < 0) This is the minimum number of lower case letters that must be met for a new password\. ++(N < 0) This is the minimum number of lower case letters that must be met for a new password\&. + .RE + .PP + \fBocredit=\fR\fB\fIN\fR\fR + .RS 4 +-(N >= 0) This is the maximum credit for having other characters in the new password\. If you have less than or ++(N >= 0) This is the maximum credit for having other characters in the new password\&. 
If you have less than or + \fIN\fR + other characters, each character will count +1 towards meeting the current + \fBminlen\fR +-value\. The default for ++value\&. The default for + \fBocredit\fR + is 1 which is the recommended value for + \fBminlen\fR +-less than 10\. ++less than 10\&. + .sp +-(N < 0) This is the minimum number of other characters that must be met for a new password\. ++(N < 0) This is the minimum number of other characters that must be met for a new password\&. + .RE + .PP + \fBminclass=\fR\fB\fIN\fR\fR + .RS 4 +-The minimum number of required classes of characters for the new password\. The default number is zero\. The four classes are digits, upper and lower letters and other characters\. The difference to the ++The minimum number of required classes of characters for the new password\&. The default number is zero\&. The four classes are digits, upper and lower letters and other characters\&. The difference to the + \fBcredit\fR +-check is that a specific class if of characters is not required\. Instead ++check is that a specific class if of characters is not required\&. Instead + \fIN\fR +-out of four of the classes are required\. ++out of four of the classes are required\&. + .RE + .PP + \fBuse_authtok\fR +@@ -205,41 +205,41 @@ + \fIforce\fR + the module to not prompt the user for a new password but use the one provided by the previously stacked + \fIpassword\fR +-module\. ++module\&. + .RE + .PP + \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR + .RS 4 +-Path to the cracklib dictionaries\. ++Path to the cracklib dictionaries\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only he + \fBpassword\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-The new password passes all checks\. ++The new password passes all checks\&. + .RE + .PP + PAM_AUTHTOK_ERR + .RS 4 +-No new password was entered, the username could not be determined or the new password fails the strength checks\. 
++No new password was entered, the username could not be determined or the new password fails the strength checks\&. + .RE + .PP + PAM_AUTHTOK_RECOVERY_ERR + .RS 4 +-The old password was not supplied by a previous stacked module or got not requested from the user\. The first error can happen if ++The old password was not supplied by a previous stacked module or got not requested from the user\&. The first error can happen if + \fBuse_authtok\fR +-is specified\. ++is specified\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-A internal error occured\. ++A internal error occured\&. + .RE + .SH "EXAMPLES" + .PP +@@ -249,34 +249,34 @@ + .RS 4 + .nf + # +-# These lines stack two password type modules\. In this example the +-# user is given 3 opportunities to enter a strong password\. The ++# These lines stack two password type modules\&. In this example the ++# user is given 3 opportunities to enter a strong password\&. The + # "use_authtok" argument ensures that the pam_unix module does not + # prompt for a password, but instead uses the one provided by +-# pam_cracklib\. ++# pam_cracklib\&. 
+ # +-passwd password required pam_cracklib\.so retry=3 +-passwd password required pam_unix\.so use_authtok ++passwd password required pam_cracklib\&.so retry=3 ++passwd password required pam_unix\&.so use_authtok + + .fi + .RE + .PP + Another example (in the +-\fI/etc/pam\.d/passwd\fR ++\fI/etc/pam\&.d/passwd\fR + format) is for the case that you want to use md5 password encryption: + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # + # These lines allow a md5 systems to support passwords of at least 14 + # bytes with extra credit of 2 for digits and 2 for others the new + # password must have at least three bytes that are not present in the + # old password + # +-password required pam_cracklib\.so \e ++password required pam_cracklib\&.so \e + difok=3 minlen=15 dcredit= 2 ocredit=2 +-password required pam_unix\.so use_authtok nullok md5 ++password required pam_unix\&.so use_authtok nullok md5 + + .fi + .RE +@@ -285,15 +285,15 @@ + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # + # These lines require the user to select a password with a minimum + # length of 8 and with at least 1 digit number, 1 upper case letter, + # and 1 other character + # +-password required pam_cracklib\.so \e ++password required pam_cracklib\&.so \e + dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8 +-password required pam_unix\.so use_authtok nullok md5 ++password required pam_unix\&.so use_authtok nullok md5 + + .fi + .RE +@@ -303,7 +303,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_cracklib was written by Cristian Gafton ++pam_cracklib was written by Cristian Gafton +Index: pam.deb/modules/pam_cracklib/pam_cracklib.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_cracklib/pam_cracklib.8.xml ++++ pam.deb/modules/pam_cracklib/pam_cracklib.8.xml +@@ -498,7 +498,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_debug/pam_debug.8 
+=================================================================== +--- pam.deb.orig/modules/pam_debug/pam_debug.8 ++++ pam.deb/modules/pam_debug/pam_debug.8 +@@ -1,23 +1,23 @@ + .\" Title: pam_debug + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_DEBUG" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_DEBUG" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_debug - PAM module to debug the PAM stack ++pam_debug \- PAM module to debug the PAM stack + .SH "SYNOPSIS" + .HP 13 +-\fBpam_debug\.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR] ++\fBpam_debug\&.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR] + .SH "DESCRIPTION" + .PP +-The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\. This module returns what its module arguments tell it to return\. ++The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\&. This module returns what its module arguments tell it to return\&. + .SH "OPTIONS" + .PP + \fBauth=\fR\fB\fIvalue\fR\fR +@@ -25,7 +25,7 @@ + The + \fBpam_sm_authenticate\fR(3) + function will return +-\fIvalue\fR\. ++\fIvalue\fR\&. + .RE + .PP + \fBcred=\fR\fB\fIvalue\fR\fR +@@ -33,7 +33,7 @@ + The + \fBpam_sm_setcred\fR(3) + function will return +-\fIvalue\fR\. ++\fIvalue\fR\&. 
+ .RE + .PP + \fBacct=\fR\fB\fIvalue\fR\fR +@@ -41,7 +41,7 @@ + The + \fBpam_sm_acct_mgmt\fR(3) + function will return +-\fIvalue\fR\. ++\fIvalue\fR\&. + .RE + .PP + \fBprechauthtok=\fR\fB\fIvalue\fR\fR +@@ -52,7 +52,7 @@ + \fIvalue\fR + if the + \fIPAM_PRELIM_CHECK\fR +-flag is set\. ++flag is set\&. + .RE + .PP + \fBchauthtok=\fR\fB\fIvalue\fR\fR +@@ -65,7 +65,7 @@ + \fIPAM_PRELIM_CHECK\fR + flag is + \fBnot\fR +-set\. ++set\&. + .RE + .PP + \fBopen_session=\fR\fB\fIvalue\fR\fR +@@ -73,7 +73,7 @@ + The + \fBpam_sm_open_session\fR(3) + function will return +-\fIvalue\fR\. ++\fIvalue\fR\&. + .RE + .PP + \fBclose_session=\fR\fB\fIvalue\fR\fR +@@ -81,12 +81,12 @@ + The + \fBpam_sm_close_session\fR(3) + function will return +-\fIvalue\fR\. ++\fIvalue\fR\&. + .RE + .PP + Where + \fIvalue\fR +-can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete\. ++can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete\&. + .SH "MODULE SERVICES PROVIDED" + .PP + The services +@@ -95,23 +95,23 @@ + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-Default return code if no other value was specified, else specified return value\. 
++Default return code if no other value was specified, else specified return value\&. + .RE + .SH "EXAMPLES" + .sp + .RS 4 + .nf +-auth requisite pam_permit\.so +-auth [success=2 default=ok] pam_debug\.so auth=perm_denied cred=success +-auth [default=reset] pam_debug\.so auth=success cred=perm_denied +-auth [success=done default=die] pam_debug\.so +-auth optional pam_debug\.so auth=perm_denied cred=perm_denied +-auth sufficient pam_debug\.so auth=success cred=success ++auth requisite pam_permit\&.so ++auth [success=2 default=ok] pam_debug\&.so auth=perm_denied cred=success ++auth [default=reset] pam_debug\&.so auth=success cred=perm_denied ++auth [success=done default=die] pam_debug\&.so ++auth optional pam_debug\&.so auth=perm_denied cred=perm_denied ++auth sufficient pam_debug\&.so auth=success cred=success + + .fi + .RE +@@ -120,7 +120,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_debug was written by Andrew G\. Morgan \. ++pam_debug was written by Andrew G\&. Morgan \&. 
+Index: pam.deb/modules/pam_debug/pam_debug.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_debug/pam_debug.8.xml ++++ pam.deb/modules/pam_debug/pam_debug.8.xml +@@ -216,7 +216,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_deny/pam_deny.8 +=================================================================== +--- pam.deb.orig/modules/pam_deny/pam_deny.8 ++++ pam.deb/modules/pam_deny/pam_deny.8 +@@ -1,73 +1,73 @@ + .\" Title: pam_deny + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_DENY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_DENY" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_deny - The locking-out PAM module ++pam_deny \- The locking-out PAM module + .SH "SYNOPSIS" + .HP 12 +-\fBpam_deny\.so\fR ++\fBpam_deny\&.so\fR + .SH "DESCRIPTION" + .PP +-This module can be used to deny access\. It always indicates a failure to the application through the PAM framework\. It might be suitable for using for default (the +-\fIOTHER\fR) entries\. ++This module can be used to deny access\&. It always indicates a failure to the application through the PAM framework\&. It might be suitable for using for default (the ++\fIOTHER\fR) entries\&. + .SH "OPTIONS" + .PP +-This module does not recognise any options\. ++This module does not recognise any options\&. + .SH "MODULE SERVICES PROVIDED" + .PP + All services (\fBaccount\fR, + \fBauth\fR, + \fBpassword\fR + and +-\fBsession\fR) are supported\. ++\fBsession\fR) are supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_AUTH_ERR + .RS 4 +-This is returned by the account and auth services\. 
++This is returned by the account and auth services\&. + .RE + .PP + PAM_CRED_ERR + .RS 4 +-This is returned by the setcred function\. ++This is returned by the setcred function\&. + .RE + .PP + PAM_AUTHTOK_ERR + .RS 4 +-This is returned by the password service\. ++This is returned by the password service\&. + .RE + .PP + PAM_SESSION_ERR + .RS 4 +-This is returned by the session service\. ++This is returned by the session service\&. + .RE + .SH "EXAMPLES" + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # + # If we don\'t have config entries for a service, the +-# OTHER entries are used\. To be secure, warn and deny +-# access to everything\. +-other auth required pam_warn\.so +-other auth required pam_deny\.so +-other account required pam_warn\.so +-other account required pam_deny\.so +-other password required pam_warn\.so +-other password required pam_deny\.so +-other session required pam_warn\.so +-other session required pam_deny\.so ++# OTHER entries are used\&. To be secure, warn and deny ++# access to everything\&. ++other auth required pam_warn\&.so ++other auth required pam_deny\&.so ++other account required pam_warn\&.so ++other account required pam_deny\&.so ++other password required pam_warn\&.so ++other password required pam_deny\&.so ++other session required pam_warn\&.so ++other session required pam_deny\&.so + + .fi + .RE +@@ -76,7 +76,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_deny was written by Andrew G\. Morgan ++pam_deny was written by Andrew G\&. 
Morgan +Index: pam.deb/modules/pam_deny/pam_deny.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_deny/pam_deny.8.xml ++++ pam.deb/modules/pam_deny/pam_deny.8.xml +@@ -120,7 +120,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_echo/pam_echo.8 +=================================================================== +--- pam.deb.orig/modules/pam_echo/pam_echo.8 ++++ pam.deb/modules/pam_echo/pam_echo.8 +@@ -1,89 +1,89 @@ + .\" Title: pam_echo + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ECHO" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ECHO" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_echo - PAM module for printing text messages ++pam_echo \- PAM module for printing text messages + .SH "SYNOPSIS" + .HP 12 +-\fBpam_echo\.so\fR [file=\fI/path/message\fR] ++\fBpam_echo\&.so\fR [file=\fI/path/message\fR] + .SH "DESCRIPTION" + .PP + The + \fIpam_echo\fR +-PAM module is for printing text messages to inform user about special things\. Sequences starting with the ++PAM module is for printing text messages to inform user about special things\&. Sequences starting with the + \fI%\fR + character are interpreted in the following way: + .PP + \fI%H\fR + .RS 4 +-The name of the remote host (PAM_RHOST)\. ++The name of the remote host (PAM_RHOST)\&. + .RE + .PP + \fB%h\fR + .RS 4 +-The name of the local host\. ++The name of the local host\&. + .RE + .PP + \fI%s\fR + .RS 4 +-The service name (PAM_SERVICE)\. ++The service name (PAM_SERVICE)\&. + .RE + .PP + \fI%t\fR + .RS 4 +-The name of the controlling terminal (PAM_TTY)\. 
++The name of the controlling terminal (PAM_TTY)\&. + .RE + .PP + \fI%U\fR + .RS 4 +-The remote user name (PAM_RUSER)\. ++The remote user name (PAM_RUSER)\&. + .RE + .PP + \fI%u\fR + .RS 4 +-The local user name (PAM_USER)\. ++The local user name (PAM_USER)\&. + .RE + .PP + All other sequences beginning with + \fI%\fR + expands to the characters following the + \fI%\fR +-character\. ++character\&. + .SH "OPTIONS" + .PP + \fBfile=\fR\fB\fI/path/message\fR\fR + .RS 4 + The content of the file + \fI/path/message\fR +-will be printed with the PAM conversion function as PAM_TEXT_INFO\. ++will be printed with the PAM conversion function as PAM_TEXT_INFO\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +-All services are supported\. ++All services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Message was successful printed\. ++Message was successful printed\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-PAM_SILENT flag was given or message file does not exist, no message printed\. ++PAM_SILENT flag was given or message file does not exist, no message printed\&. 
+ .RE + .SH "EXAMPLES" + .PP +@@ -91,8 +91,8 @@ + .sp + .RS 4 + .nf +-password optional pam_echo\.so file=/usr/share/doc/good\-password\.txt +-password required pam_unix\.so ++password optional pam_echo\&.so file=/usr/share/doc/good\-password\&.txt ++password required pam_unix\&.so + + .fi + .RE +@@ -102,7 +102,7 @@ + + \fBpam.conf\fR(8), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-Thorsten Kukuk ++Thorsten Kukuk +Index: pam.deb/modules/pam_echo/pam_echo.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_echo/pam_echo.8.xml ++++ pam.deb/modules/pam_echo/pam_echo.8.xml +@@ -157,7 +157,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_env/pam_env.8 +=================================================================== +--- pam.deb.orig/modules/pam_env/pam_env.8 ++++ pam.deb/modules/pam_env/pam_env.8 +@@ -1,63 +1,63 @@ + .\" Title: pam_env + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ENV" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_env - PAM module to set/unset environment variables ++pam_env \- PAM module to set/unset environment variables + .SH "SYNOPSIS" + .HP 11 +-\fBpam_env\.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] ++\fBpam_env\&.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] + .SH "DESCRIPTION" + .PP +-The pam_env PAM module allows the (un)setting of environment variables\. 
Supported is the use of previously set environment variables as well as ++The pam_env PAM module allows the (un)setting of environment variables\&. Supported is the use of previously set environment variables as well as + \fIPAM_ITEM\fRs such as +-\fIPAM_RHOST\fR\. ++\fIPAM_RHOST\fR\&. + .PP + By default rules for (un)setting of variables is taken from the config file +-\fI/etc/security/pam_env\.conf\fR +-if no other file is specified\. ++\fI/etc/security/pam_env\&.conf\fR ++if no other file is specified\&. + .PP + This module can also parse a file with simple + \fIKEY=VAL\fR + pairs on seperate lines (\fI/etc/environment\fR +-by default)\. You can change the default file to parse, with the ++by default)\&. You can change the default file to parse, with the + \fIenvfile\fR + flag and turn it on or off by setting the + \fIreadenv\fR +-flag to 1 or 0 respectively\. ++flag to 1 or 0 respectively\&. + .SH "OPTIONS" + .PP +-\fBconffile=\fR\fB\fI/path/to/pam_env\.conf\fR\fR ++\fBconffile=\fR\fB\fI/path/to/pam_env\&.conf\fR\fR + .RS 4 + Indicate an alternative +-\fIpam_env\.conf\fR +-style configuration file to override the default\. This can be useful when different services need different environments\. ++\fIpam_env\&.conf\fR ++style configuration file to override the default\&. This can be useful when different services need different environments\&. + .RE + .PP + \fBdebug\fR + .RS 4 + A lot of debug informations are printed with +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBenvfile=\fR\fB\fI/path/to/environment\fR\fR + .RS 4 + Indicate an alternative + \fIenvironment\fR +-file to override the default\. This can be useful when different services need different environments\. ++file to override the default\&. This can be useful when different services need different environments\&. + .RE + .PP + \fBreadenv=\fR\fB\fI0|1\fR\fR + .RS 4 +-Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\. By default this option is on\. 
++Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\&. By default this option is on\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -65,31 +65,31 @@ + \fBauth\fR + and + \fBsession\fR +-services are supported\. ++services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_ABORT + .RS 4 +-Not all relevant data or options could be gotten\. ++Not all relevant data or options could be gotten\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-No pam_env\.conf and environment file was found\. ++No pam_env\&.conf and environment file was found\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Environment variables were set\. ++Environment variables were set\&. + .RE + .SH "FILES" + .PP +-\fI/etc/security/pam_env\.conf\fR ++\fI/etc/security/pam_env\&.conf\fR + .RS 4 + Default configuration file + .RE +@@ -103,7 +103,7 @@ + + \fBpam_env.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP +-pam_env was written by Dave Kinchlea \. ++pam_env was written by Dave Kinchlea \&. +Index: pam.deb/modules/pam_env/pam_env.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_env/pam_env.8.xml ++++ pam.deb/modules/pam_env/pam_env.8.xml +@@ -192,7 +192,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + . 
+ + +Index: pam.deb/modules/pam_exec/pam_exec.8 +=================================================================== +--- pam.deb.orig/modules/pam_exec/pam_exec.8 ++++ pam.deb/modules/pam_exec/pam_exec.8 +@@ -1,23 +1,23 @@ + .\" Title: pam_exec + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_EXEC" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_EXEC" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_exec - PAM module which calls an external command ++pam_exec \- PAM module which calls an external command + .SH "SYNOPSIS" + .HP 12 +-\fBpam_exec\.so\fR [debug] [seteuid] [quiet] [log=\fIfile\fR] \fIcommand\fR [\fI\.\.\.\fR] ++\fBpam_exec\&.so\fR [debug] [seteuid] [quiet] [log=\fIfile\fR] \fIcommand\fR [\fI\&.\&.\&.\fR] + .SH "DESCRIPTION" + .PP +-pam_exec is a PAM module that can be used to run an external command\. ++pam_exec is a PAM module that can be used to run an external command\&. + .PP + The child\'s environment is set to the current PAM environment list, as returned by + \fBpam_getenvlist\fR(3) +@@ -26,13 +26,13 @@ + \fIPAM_RUSER\fR, + \fIPAM_SERVICE\fR, + \fIPAM_TTY\fR, and +-\fIPAM_USER\fR\. ++\fIPAM_USER\fR\&. + .SH "OPTIONS" + .PP + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBlog=\fR\fB\fIfile\fR\fR +@@ -43,12 +43,12 @@ + .PP + \fBquiet\fR + .RS 4 +-Per default pam_exec\.so will echo the exit status of the external command if it fails\. Specifying this option will suppress the message\. ++Per default pam_exec\&.so will echo the exit status of the external command if it fails\&. Specifying this option will suppress the message\&. 
+ .RE + .PP + \fBseteuid\fR + .RS 4 +-Per default pam_exec\.so will execute the external command with the real user ID of the calling process\. Specifying this option means the command is run with the effective user ID\. ++Per default pam_exec\&.so will execute the external command with the real user ID of the calling process\&. Specifying this option means the command is run with the effective user ID\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -58,40 +58,40 @@ + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-The external command runs successfull\. ++The external command runs successfull\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-No argument or a wrong number of arguments were given\. ++No argument or a wrong number of arguments were given\&. + .RE + .PP + PAM_SYSTEM_ERR + .RS 4 +-A system error occured or the command to execute failed\. ++A system error occured or the command to execute failed\&. + .RE + .PP + PAM_IGNORE + .RS 4 + + \fBpam_setcred\fR +-was called, which does not execute the command\. ++was called, which does not execute the command\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/passwd\fR ++\fI/etc/pam\&.d/passwd\fR + to rebuild the NIS database after each local password change: + .sp + .RS 4 + .nf +- passwd optional pam_exec\.so seteuid make \-C /var/yp ++ passwd optional pam_exec\&.so seteuid make \-C /var/yp + + .fi + .RE +@@ -104,13 +104,13 @@ + .fi + .RE + .sp +-with effective user ID\. ++with effective user ID\&. + .SH "SEE ALSO" + .PP + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_exec was written by Thorsten Kukuk \. ++pam_exec was written by Thorsten Kukuk \&. 
+Index: pam.deb/modules/pam_exec/pam_exec.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_exec/pam_exec.8.xml ++++ pam.deb/modules/pam_exec/pam_exec.8.xml +@@ -202,7 +202,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_faildelay/pam_faildelay.8 +=================================================================== +--- pam.deb.orig/modules/pam_faildelay/pam_faildelay.8 ++++ pam.deb/modules/pam_faildelay/pam_faildelay.8 +@@ -1,54 +1,54 @@ + .\" Title: pam_faildelay + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_FAILDELAY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_FAILDELAY" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_faildelay - Change the delay on failure per-application ++pam_faildelay \- Change the delay on failure per-application + .SH "SYNOPSIS" + .HP 17 +-\fBpam_faildelay\.so\fR [debug] [delay=\fImicroseconds\fR] ++\fBpam_faildelay\&.so\fR [debug] [delay=\fImicroseconds\fR] + .SH "DESCRIPTION" + .PP +-pam_faildelay is a PAM module that can be used to set the delay on failure per\-application\. ++pam_faildelay is a PAM module that can be used to set the delay on failure per\-application\&. + .PP + If no + \fBdelay\fR + is given, pam_faildelay will use the value of FAIL_DELAY from +-\fI/etc/login\.defs\fR\. ++\fI/etc/login\&.defs\fR\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Turns on debugging messages sent to syslog\. ++Turns on debugging messages sent to syslog\&. + .RE + .PP + \fBdelay=\fR\fB\fIN\fR\fR + .RS 4 +-Set the delay on failure to N microseconds\. ++Set the delay on failure to N microseconds\&. 
+ .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_IGNORE + .RS 4 +-Delay was successful adjusted\. ++Delay was successful adjusted\&. + .RE + .PP + PAM_SYSTEM_ERR + .RS 4 +-The specified delay was not valid\. ++The specified delay was not valid\&. + .RE + .SH "EXAMPLES" + .PP +@@ -56,7 +56,7 @@ + .sp + .RS 4 + .nf +-auth optional pam_faildelay\.so delay=10000000 ++auth optional pam_faildelay\&.so delay=10000000 + + .fi + .RE +@@ -67,7 +67,7 @@ + \fBpam_fail_delay\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_faildelay was written by Darren Tucker \. ++pam_faildelay was written by Darren Tucker \&. +Index: pam.deb/modules/pam_faildelay/pam_faildelay.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_faildelay/pam_faildelay.8.xml ++++ pam.deb/modules/pam_faildelay/pam_faildelay.8.xml +@@ -121,7 +121,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_filter/pam_filter.8 +=================================================================== +--- pam.deb.orig/modules/pam_filter/pam_filter.8 ++++ pam.deb/modules/pam_filter/pam_filter.8 +@@ -1,73 +1,73 @@ + .\" Title: pam_filter + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_FILTER" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_FILTER" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_filter - PAM filter module ++pam_filter \- PAM filter module + .SH "SYNOPSIS" + .HP 14 +-\fBpam_filter\.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI\.\.\.\fR] 
++\fBpam_filter\&.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI\&.\&.\&.\fR] + .SH "DESCRIPTION" + .PP +-This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application\. It is only suitable for tty\-based and (stdin/stdout) applications\. ++This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application\&. It is only suitable for tty\-based and (stdin/stdout) applications\&. + .PP + To function this module requires + \fIfilters\fR +-to be installed on the system\. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams\. (This can be very annoying and is not kind to termcap based editors)\. ++to be installed on the system\&. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams\&. (This can be very annoying and is not kind to termcap based editors)\&. + .PP +-Each component of the module has the potential to invoke the desired filter\. The filter is always ++Each component of the module has the potential to invoke the desired filter\&. The filter is always + \fBexecv\fR(2) + with the privilege of the calling application and + \fInot\fR +-that of the user\. For this reason it cannot usually be killed by the user without closing their session\. ++that of the user\&. For this reason it cannot usually be killed by the user without closing their session\&. + .SH "OPTIONS" + .PP + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBnew_term\fR + .RS 4 + The default action of the filter is to set the + \fIPAM_TTY\fR +-item to indicate the terminal that the user is using to connect to the application\. 
This argument indicates that the filter should set ++item to indicate the terminal that the user is using to connect to the application\&. This argument indicates that the filter should set + \fIPAM_TTY\fR +-to the filtered pseudo\-terminal\. ++to the filtered pseudo\-terminal\&. + .RE + .PP + \fBnon_term\fR + .RS 4 + don\'t try to set the + \fIPAM_TTY\fR +-item\. ++item\&. + .RE + .PP + \fBrunX\fR + .RS 4 +-In order that the module can invoke a filter it should know when to invoke it\. This argument is required to tell the filter when to do this\. ++In order that the module can invoke a filter it should know when to invoke it\&. This argument is required to tell the filter when to do this\&. + .sp + Permitted values for + \fIX\fR + are + \fI1\fR + and +-\fI2\fR\. These indicate the precise time that the filter is to be run\. To understand this concept it will be useful to have read the ++\fI2\fR\&. These indicate the precise time that the filter is to be run\&. To understand this concept it will be useful to have read the + \fBpam\fR(3) +-manual page\. Basically, for each management group there are up to two ways of calling the module\'s functions\. In the case of the ++manual page\&. Basically, for each management group there are up to two ways of calling the module\'s functions\&. In the case of the + \fIauthentication\fR + and + \fIsession\fR +-components there are actually two separate functions\. For the case of authentication, these functions are ++components there are actually two separate functions\&. For the case of authentication, these functions are + \fBpam_authenticate\fR(3) + and + \fBpam_setcred\fR(3), here +@@ -77,20 +77,20 @@ + function and + \fBrun2\fR + means run the filter from +-\fBpam_setcred\fR\. In the case of the session modules, ++\fBpam_setcred\fR\&. In the case of the session modules, + \fIrun1\fR + implies that the filter is invoked at the + \fBpam_open_session\fR(3) + stage, and + \fIrun2\fR + for +-\fBpam_close_session\fR(3)\. 
++\fBpam_close_session\fR(3)\&. + .sp +-For the case of the account component\. Either ++For the case of the account component\&. Either + \fIrun1\fR + or + \fIrun2\fR +-may be used\. ++may be used\&. + .sp + For the case of the password component, + \fIrun1\fR +@@ -102,12 +102,12 @@ + \fIrun2\fR + is used to indicate that the filter is run on the second occasion (the + \fIPAM_UPDATE_AUTHTOK\fR +-phase)\. ++phase)\&. + .RE + .PP + \fBfilter\fR + .RS 4 +-The full pathname of the filter to be run and any command line arguments that the filter might expect\. ++The full pathname of the filter to be run and any command line arguments that the filter might expect\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -117,28 +117,28 @@ + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-The new filter was set successfull\. ++The new filter was set successfull\&. + .RE + .PP + PAM_ABORT + .RS 4 +-Critical error, immediate abort\. ++Critical error, immediate abort\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + to see how to configure login to transpose upper and lower case letters once the user has logged in: + .sp + .RS 4 + .nf +- session required pam_filter\.so run1 /lib/security/pam_filter/upperLOWER ++ session required pam_filter\&.so run1 /lib/security/pam_filter/upperLOWER + + .fi + .RE +@@ -148,7 +148,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_filter was written by Andrew G\. Morgan \. ++pam_filter was written by Andrew G\&. Morgan \&. 
+Index: pam.deb/modules/pam_filter/pam_filter.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_filter/pam_filter.8.xml ++++ pam.deb/modules/pam_filter/pam_filter.8.xml +@@ -246,7 +246,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_ftp/pam_ftp.8 +=================================================================== +--- pam.deb.orig/modules/pam_ftp/pam_ftp.8 ++++ pam.deb/modules/pam_ftp/pam_ftp.8 +@@ -1,25 +1,25 @@ + .\" Title: pam_ftp + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_FTP" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_FTP" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_ftp - PAM module for anonymous access module ++pam_ftp \- PAM module for anonymous access module + .SH "SYNOPSIS" + .HP 11 +-\fBpam_ftp\.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...] ++\fBpam_ftp\&.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...] + .SH "DESCRIPTION" + .PP +-pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access\. ++pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access\&. + .PP +-This module intercepts the user\'s name and password\. If the name is ++This module intercepts the user\'s name and password\&. If the name is + \fIftp\fR + or + \fIanonymous\fR, the user\'s password is broken up at the +@@ -28,67 +28,67 @@ + \fIPAM_RUSER\fR + and a + \fIPAM_RHOST\fR +-part; these pam\-items being set accordingly\. The username (\fIPAM_USER\fR) is set to +-\fIftp\fR\. In this case the module succeeds\. Alternatively, the module sets the ++part; these pam\-items being set accordingly\&. 
The username (\fIPAM_USER\fR) is set to ++\fIftp\fR\&. In this case the module succeeds\&. Alternatively, the module sets the + \fIPAM_AUTHTOK\fR +-item with the entered password and fails\. ++item with the entered password and fails\&. + .PP +-This module is not safe and easily spoofable\. ++This module is not safe and easily spoofable\&. + .SH "OPTIONS" + .PP + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBignore\fR + .RS 4 +-Pay no attention to the email address of the user (if supplied)\. ++Pay no attention to the email address of the user (if supplied)\&. + .RE + .PP +-\fBftp=\fR\fB\fIXXX,YYY,\.\.\.\fR\fR ++\fBftp=\fR\fB\fIXXX,YYY,\&.\&.\&.\fR\fR + .RS 4 + Instead of + \fIftp\fR + or + \fIanonymous\fR, provide anonymous login to the comma separated list of users: +-\fB\fIXXX,YYY,\.\.\.\fR\fR\. Should the applicant enter one of these usernames the returned username is set to the first in the list: +-\fIXXX\fR\. ++\fB\fIXXX,YYY,\&.\&.\&.\fR\fR\&. Should the applicant enter one of these usernames the returned username is set to the first in the list: ++\fIXXX\fR\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-The authentication was successfull\. ++The authentication was successfull\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/ftpd\fR ++\fI/etc/pam\&.d/ftpd\fR + to handle ftp style anonymous login: + .sp + .RS 4 + .nf + # +-# ftpd; add ftp\-specifics\. These lines enable anonymous ftp over ++# ftpd; add ftp\-specifics\&. 
These lines enable anonymous ftp over + # standard UN*X access (the listfile entry blocks access to + # users listed in /etc/ftpusers) + # +-auth sufficient pam_ftp\.so +-auth required pam_unix\.so use_first_pass +-auth required pam_listfile\.so \e ++auth sufficient pam_ftp\&.so ++auth required pam_unix\&.so use_first_pass ++auth required pam_listfile\&.so \e + onerr=succeed item=user sense=deny file=/etc/ftpusers + + .fi +@@ -99,7 +99,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_ftp was written by Andrew G\. Morgan \. ++pam_ftp was written by Andrew G\&. Morgan \&. +Index: pam.deb/modules/pam_ftp/pam_ftp.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_ftp/pam_ftp.8.xml ++++ pam.deb/modules/pam_ftp/pam_ftp.8.xml +@@ -168,7 +168,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_group/pam_group.8 +=================================================================== +--- pam.deb.orig/modules/pam_group/pam_group.8 ++++ pam.deb/modules/pam_group/pam_group.8 +@@ -1,85 +1,85 @@ + .\" Title: pam_group + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_GROUP" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_GROUP" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_group - PAM module for group access ++pam_group \- PAM module for group access + .SH "SYNOPSIS" + .HP 13 +-\fBpam_group\.so\fR ++\fBpam_group\&.so\fR + .SH "DESCRIPTION" + .PP +-The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. 
Such memberships are based on the service they are applying for\. ++The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\&. Such memberships are based on the service they are applying for\&. + .PP + By default rules for group memberships are taken from config file +-\fI/etc/security/group\.conf\fR\. ++\fI/etc/security/group\&.conf\fR\&. + .PP +-This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a ++This module\'s usefulness relies on the file\-systems accessible to the user\&. The point being that once granted the membership of a group, the user may attempt to create a + \fBsetgid\fR +-binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted ++binary with a restricted group ownership\&. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\&. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted + \fInosuid\fR +-the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted +-\fInosuid\fR\. ++the user is unable to create or execute such a binary file\&. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted ++\fInosuid\fR\&. + .PP + The pam_group module fuctions in parallel with the + \fI/etc/group\fR +-file\. 
If the user is granted any groups based on the behavior of this module, they are granted ++file\&. If the user is granted any groups based on the behavior of this module, they are granted + \fIin addition\fR + to those entries + \fI/etc/group\fR +-(or equivalent)\. ++(or equivalent)\&. + .SH "OPTIONS" + .PP +-This module does not recognise any options\. ++This module does not recognise any options\&. + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-group membership was granted\. ++group membership was granted\&. + .RE + .PP + PAM_ABORT + .RS 4 +-Not all relevant data could be gotten\. ++Not all relevant data could be gotten\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_CRED_ERR + .RS 4 +-Group membership was not granted\. ++Group membership was not granted\&. + .RE + .PP + PAM_IGNORE + .RS 4 + + \fBpam_sm_authenticate\fR +-was called which does nothing\. ++was called which does nothing\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-The user is not known to the system\. ++The user is not known to the system\&. + .RE + .SH "FILES" + .PP +-\fI/etc/security/group\.conf\fR ++\fI/etc/security/group\&.conf\fR + .RS 4 + Default configuration file + .RE +@@ -88,7 +88,7 @@ + + \fBgroup.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP +-pam_group was written by Andrew G\. Morgan \. ++pam_group was written by Andrew G\&. Morgan \&. +Index: pam.deb/modules/pam_group/pam_group.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_group/pam_group.8.xml ++++ pam.deb/modules/pam_group/pam_group.8.xml +@@ -148,7 +148,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + . 
+ + +Index: pam.deb/modules/pam_issue/pam_issue.8 +=================================================================== +--- pam.deb.orig/modules/pam_issue/pam_issue.8 ++++ pam.deb/modules/pam_issue/pam_issue.8 +@@ -1,23 +1,23 @@ + .\" Title: pam_issue + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ISSUE" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_ISSUE" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_issue - PAM module to add issue file to user prompt ++pam_issue \- PAM module to add issue file to user prompt + .SH "SYNOPSIS" + .HP 13 +-\fBpam_issue\.so\fR [noesc] [issue=\fIissue\-file\-name\fR] ++\fBpam_issue\&.so\fR [noesc] [issue=\fIissue\-file\-name\fR] + .SH "DESCRIPTION" + .PP +-pam_issue is a PAM module to prepend an issue file to the username prompt\. It also by default parses escape codes in the issue file similar to some common getty\'s (using \ex format)\. ++pam_issue is a PAM module to prepend an issue file to the username prompt\&. It also by default parses escape codes in the issue file similar to some common getty\'s (using \ex format)\&. + .PP + Recognized escapes: + .PP +@@ -68,7 +68,7 @@ + .PP + \fB\eU\fR + .RS 4 +-same as \eu except it is suffixed with "user" or "users" (eg\. "1 user" or "10 users") ++same as \eu except it is suffixed with "user" or "users" (eg\&. "1 user" or "10 users") + .RE + .PP + \fB\ev\fR +@@ -80,49 +80,49 @@ + .PP + \fBnoesc\fR + .RS 4 +-Turns off escape code parsing\. ++Turns off escape code parsing\&. + .RE + .PP + \fBissue=\fR\fB\fIissue\-file\-name\fR\fR + .RS 4 +-The file to output if not using the default\. ++The file to output if not using the default\&. 
+ .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-The prompt was already changed\. ++The prompt was already changed\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-A service module error occured\. ++A service module error occured\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-The new prompt was set successfull\. ++The new prompt was set successfull\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + to set the user specific issue at login: + .sp + .RS 4 + .nf +- auth optional pam_issue\.so issue=/etc/issue ++ auth optional pam_issue\&.so issue=/etc/issue + + .fi + .RE +@@ -132,7 +132,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_issue was written by Ben Collins \. ++pam_issue was written by Ben Collins \&. 
+Index: pam.deb/modules/pam_issue/pam_issue.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_issue/pam_issue.8.xml ++++ pam.deb/modules/pam_issue/pam_issue.8.xml +@@ -219,7 +219,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_keyinit/pam_keyinit.8 +=================================================================== +--- pam.deb.orig/modules/pam_keyinit/pam_keyinit.8 ++++ pam.deb/modules/pam_keyinit/pam_keyinit.8 +@@ -1,38 +1,38 @@ + .\" Title: pam_keyinit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_KEYINIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_KEYINIT" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_keyinit - Kernel session keyring initialiser module ++pam_keyinit \- Kernel session keyring initialiser module + .SH "SYNOPSIS" + .HP 15 +-\fBpam_keyinit\.so\fR [debug] [force] [revoke] ++\fBpam_keyinit\&.so\fR [debug] [force] [revoke] + .SH "DESCRIPTION" + .PP +-The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\. ++The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. + .PP +-The session component of the module checks to see if the process\'s session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\. ++The session component of the module checks to see if the process\'s session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. 
+ .PP +-If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\. ++If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. + .PP +-The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\. ++The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. + .PP +-This module is intended primarily for use by login processes\. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\. ++This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. + .PP + This module should not, generally, be invoked by programs like +-\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\. The keys have their own permissions system to manage this\. ++\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. + .PP +-This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\. ++This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. + .PP +-The keyutils package is used to manipulate keys more directly\. This can be obtained from: ++The keyutils package is used to manipulate keys more directly\&. 
This can be obtained from: + .PP + + \fI Keyutils \fR\&[1] +@@ -41,23 +41,23 @@ + \fBdebug\fR + .RS 4 + Log debug information with +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBforce\fR + .RS 4 +-Causes the session keyring of the invoking process to be replaced unconditionally\. ++Causes the session keyring of the invoking process to be replaced unconditionally\&. + .RE + .PP + \fBrevoke\fR + .RS 4 +-Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\. ++Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -67,32 +67,32 @@ + .PP + PAM_AUTH_ERR + .RS 4 +-Authentication failure\. ++Authentication failure\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-The return value should be ignored by PAM dispatch\. ++The return value should be ignored by PAM dispatch\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Cannot determine the user name\. ++Cannot determine the user name\&. + .RE + .PP + PAM_SESSION_ERR + .RS 4 +-This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\. ++This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP +@@ -100,22 +100,22 @@ + .sp + .RS 4 + .nf +-session required pam_keyinit\.so ++session required pam_keyinit\&.so + + .fi + .RE + .PP +-This will prevent keys from one session leaking into another session for the same user\. 
++This will prevent keys from one session leaking into another session for the same user\&. + .SH "SEE ALSO" + .PP + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + \fBkeyctl\fR(1) + .SH "AUTHOR" + .PP +-pam_keyinit was written by David Howells, \. ++pam_keyinit was written by David Howells, \&. + .SH "NOTES" + .IP " 1." 4 + Keyutils +Index: pam.deb/modules/pam_keyinit/pam_keyinit.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_keyinit/pam_keyinit.8.xml ++++ pam.deb/modules/pam_keyinit/pam_keyinit.8.xml +@@ -223,7 +223,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + keyctl1 +Index: pam.deb/modules/pam_lastlog/pam_lastlog.8 +=================================================================== +--- pam.deb.orig/modules/pam_lastlog/pam_lastlog.8 ++++ pam.deb/modules/pam_lastlog/pam_lastlog.8 +@@ -1,98 +1,98 @@ + .\" Title: pam_lastlog + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LASTLOG" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LASTLOG" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_lastlog - PAM module to display date of last login ++pam_lastlog \- PAM module to display date of last login + .SH "SYNOPSIS" + .HP 15 +-\fBpam_lastlog\.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] ++\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] + .SH "DESCRIPTION" + .PP +-pam_lastlog is a PAM module to display a line of information about the last login of the user\. In addition, the module maintains the ++pam_lastlog is a PAM module to display a line of information about the last login of the user\&. 
In addition, the module maintains the + \fI/var/log/lastlog\fR +-file\. ++file\&. + .PP +-Some applications may perform this function themselves\. In such cases, this module is not necessary\. ++Some applications may perform this function themselves\&. In such cases, this module is not necessary\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBsilent\fR + .RS 4 + Don\'t inform the user about any previous login, just upate the + \fI/var/log/lastlog\fR +-file\. ++file\&. + .RE + .PP + \fBnever\fR + .RS 4 + If the + \fI/var/log/lastlog\fR +-file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\. ++file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\&. + .RE + .PP + \fBnodate\fR + .RS 4 +-Don\'t display the date of the last login\. ++Don\'t display the date of the last login\&. + .RE + .PP + \fBnoterm\fR + .RS 4 +-Don\'t display the terminal name on which the last login was attempted\. ++Don\'t display the terminal name on which the last login was attempted\&. + .RE + .PP + \fBnohost\fR + .RS 4 +-Don\'t indicate from which host the last login was attempted\. ++Don\'t indicate from which host the last login was attempted\&. + .RE + .PP + \fBnowtmp\fR + .RS 4 +-Don\'t update the wtmp entry\. ++Don\'t update the wtmp entry\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-Everything was successfull\. ++Everything was successfull\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Internal service module error\. ++Internal service module error\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. 
+ .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + to display the last login time of an user: + .sp + .RS 4 + .nf +- session required pam_lastlog\.so nowtmp ++ session required pam_lastlog\&.so nowtmp + + .fi + .RE +@@ -107,7 +107,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_lastlog was written by Andrew G\. Morgan \. ++pam_lastlog was written by Andrew G\&. Morgan \&. +Index: pam.deb/modules/pam_lastlog/pam_lastlog.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_lastlog/pam_lastlog.8.xml ++++ pam.deb/modules/pam_lastlog/pam_lastlog.8.xml +@@ -216,7 +216,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_limits/pam_limits.8 +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.8 ++++ pam.deb/modules/pam_limits/pam_limits.8 +@@ -1,132 +1,132 @@ + .\" Title: pam_limits + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LIMITS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_LIMITS" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_limits - PAM module to limit resources ++pam_limits \- PAM module to limit resources + .SH "SYNOPSIS" + .HP 14 +-\fBpam_limits\.so\fR [change_uid] [conf=\fI/path/to/limits\.conf\fR] [debug] [utmp_early] [noaudit] ++\fBpam_limits\&.so\fR [change_uid] [conf=\fI/path/to/limits\&.conf\fR] [debug] [utmp_early] [noaudit] + .SH "DESCRIPTION" + .PP +-The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\. 
Users of ++The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\&. Users of + \fIuid=0\fR +-are affected by this limits, too\. ++are affected by this limits, too\&. + .PP + By default limits are taken from the +-\fI/etc/security/limits\.conf\fR +-config file\. Then individual files from the +-\fI/etc/security/limits\.d/\fR +-directory are read\. The files are parsed one after another in the order of "C" locale\. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\. ++\fI/etc/security/limits\&.conf\fR ++config file\&. Then individual files from the ++\fI/etc/security/limits\&.d/\fR ++directory are read\&. The files are parsed one after another in the order of "C" locale\&. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\&. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\&. + .PP +-The module must not be called by a multithreaded application\. ++The module must not be called by a multithreaded application\&. + .PP +-If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\. ++If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\&. + .SH "OPTIONS" + .PP + \fBchange_uid\fR + .RS 4 +-Change real uid to the user for who the limits are set up\. Use this option if you have problems like login not forking a shell for user who has no processes\. Be warned that something else may break when you do this\. ++Change real uid to the user for who the limits are set up\&. 
Use this option if you have problems like login not forking a shell for user who has no processes\&. Be warned that something else may break when you do this\&. + .RE + .PP +-\fBconf=\fR\fB\fI/path/to/limits\.conf\fR\fR ++\fBconf=\fR\fB\fI/path/to/limits\&.conf\fR\fR + .RS 4 +-Indicate an alternative limits\.conf style configuration file to override the default\. ++Indicate an alternative limits\&.conf style configuration file to override the default\&. + .RE + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fButmp_early\fR + .RS 4 +-Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\.conf file\. ++Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\&. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\&.conf file\&. + .RE + .PP + \fBnoaudit\fR + .RS 4 +-Do not report exceeded maximum logins count to the audit subsystem\. ++Do not report exceeded maximum logins count to the audit subsystem\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_ABORT + .RS 4 +-Cannot get current limits\. ++Cannot get current limits\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-No limits found for this user\. ++No limits found for this user\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-New limits could not be set\. ++New limits could not be set\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Cannot read config file\. ++Cannot read config file\&. 
+ .RE + .PP + PAM_SESSEION_ERR + .RS 4 +-Error recovering account name\. ++Error recovering account name\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Limits were changed\. ++Limits were changed\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-The user is not known to the system\. ++The user is not known to the system\&. + .RE + .SH "FILES" + .PP +-\fI/etc/security/limits\.conf\fR ++\fI/etc/security/limits\&.conf\fR + .RS 4 + Default configuration file + .RE + .SH "EXAMPLES" + .PP + For the services you need resources limits (login for example) put a the following line in +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + as the last line for that service (usually after the pam_unix session line): + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # + # Resource limits imposed on login sessions via pam_limits + # +-session required pam_limits\.so ++session required pam_limits\&.so + + .fi + .RE + .PP +-Replace "login" for each service you are using this module\. ++Replace "login" for each service you are using this module\&. + .SH "SEE ALSO" + .PP + + \fBlimits.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP +-pam_limits was initially written by Cristian Gafton ++pam_limits was initially written by Cristian Gafton +Index: pam.deb/modules/pam_limits/pam_limits.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_limits/pam_limits.8.xml ++++ pam.deb/modules/pam_limits/pam_limits.8.xml +@@ -242,7 +242,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + . 
+ + +Index: pam.deb/modules/pam_listfile/pam_listfile.8 +=================================================================== +--- pam.deb.orig/modules/pam_listfile/pam_listfile.8 ++++ pam.deb/modules/pam_listfile/pam_listfile.8 +@@ -1,23 +1,23 @@ + .\" Title: pam_listfile + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LISTFILE" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LISTFILE" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_listfile - deny or allow services based on an arbitrary file ++pam_listfile \- deny or allow services based on an arbitrary file + .SH "SYNOPSIS" + .HP 16 +-\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] ++\fBpam_listfile\&.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] + .SH "DESCRIPTION" + .PP +-pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\. ++pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\&. + .PP + The module gets the + \fBitem\fR +@@ -29,15 +29,15 @@ + \fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request, + \fIPAM_RUSER\fR + \-\- and looks for an instance of that item in the +-\fBfile=\fR\fB\fIfilename\fR\fR\. ++\fBfile=\fR\fB\fIfilename\fR\fR\&. + \fIfilename\fR +-contains one line per item listed\. If the item is found, then if ++contains one line per item listed\&. 
If the item is found, then if + \fBsense=\fR\fB\fIallow\fR\fR, + \fIPAM_SUCCESS\fR + is returned, causing the authorization request to succeed; else if + \fBsense=\fR\fB\fIdeny\fR\fR, + \fIPAM_AUTH_ERR\fR +-is returned, causing the authorization request to fail\. ++is returned, causing the authorization request to fail\&. + .PP + If an error is encountered (for instance, if + \fIfilename\fR +@@ -49,54 +49,54 @@ + \fIPAM_AUTH_ERR\fR + or + \fIPAM_SERVICE_ERR\fR +-(as appropriate) will be returned\. ++(as appropriate) will be returned\&. + .PP + An additional argument, +-\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the ++\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\&. This added restriction is only meaningful when used with the + \fItty\fR, + \fIrhost\fR + and + \fIshell\fR +-items\. ++items\&. + .PP +-Besides this last one, all arguments should be specified; do not count on any default behavior\. ++Besides this last one, all arguments should be specified; do not count on any default behavior\&. + .PP +-No credentials are awarded by this module\. ++No credentials are awarded by this module\&. + .SH "OPTIONS" + .PP + .PP + \fBitem=[tty|user|rhost|ruser|group|shell]\fR + .RS 4 +-What is listed in the file and should be checked for\. ++What is listed in the file and should be checked for\&. + .RE + .PP + \fBsense=[allow|deny]\fR + .RS 4 +-Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\. ++Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\&. + .RE + .PP + \fBfile=\fR\fB\fI/path/filename\fR\fR + .RS 4 +-File containing one item per line\. 
The file needs to be a plain file and not world writeable\. ++File containing one item per line\&. The file needs to be a plain file and not world writeable\&. + .RE + .PP + \fBonerr=[succeed|fail]\fR + .RS 4 +-What to do if something weird happens like being unable to open the file\. ++What to do if something weird happens like being unable to open the file\&. + .RE + .PP + \fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR + .RS 4 +-Restrict the user class for which the restriction apply\. Note that with ++Restrict the user class for which the restriction apply\&. Note that with + \fBitem=[user|ruser|group]\fR + this does not make sense, but for + \fBitem=[tty|rhost|shell]\fR +-it have a meaning\. ++it have a meaning\&. + .RE + .PP + \fBquiet\fR + .RS 4 +-Do not treat service refusals or missing list files as errors that need to be logged\. ++Do not treat service refusals or missing list files as errors that need to be logged\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -106,47 +106,47 @@ + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_AUTH_ERR + .RS 4 +-Authentication failure\. ++Authentication failure\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_IGNORE + .RS 4 + The rule does not apply to the + \fBapply\fR +-option\. ++option\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Error in service module\. ++Error in service module\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Success\. ++Success\&. 
+ .RE + .SH "EXAMPLES" + .PP + Classic \'ftpusers\' authentication can be implemented with this entry in +-\fI/etc/pam\.d/ftpd\fR: ++\fI/etc/pam\&.d/ftpd\fR: + .sp + .RS 4 + .nf + # + # deny ftp\-access to users listed in the /etc/ftpusers file + # +-auth required pam_listfile\.so \e ++auth required pam_listfile\&.so \e + onerr=succeed item=user sense=deny file=/etc/ftpusers + + .fi +@@ -156,10 +156,10 @@ + \fI/etc/ftpusers\fR + file are (counterintuitively) + \fInot\fR +-allowed access to the ftp service\. ++allowed access to the ftp service\&. + .PP + To allow login access only for certain users, you can use a +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + entry like this: + .sp + .RS 4 +@@ -167,23 +167,23 @@ + # + # permit login to users listed in /etc/loginusers + # +-auth required pam_listfile\.so \e ++auth required pam_listfile\&.so \e + onerr=fail item=user sense=allow file=/etc/loginusers + + .fi + .RE + .sp + For this example to work, all users who are allowed to use the login service should be listed in the file +-\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in ++\fI/etc/loginusers\fR\&. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in + \fI/etc/loginusers\fR, or by listing a user who is able to + \fIsu\fR +-to the root account\. ++to the root account\&. + .SH "SEE ALSO" + .PP + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_listfile was written by Michael K\. Johnson and Elliot Lee \. ++pam_listfile was written by Michael K\&. Johnson and Elliot Lee \&. 
+Index: pam.deb/modules/pam_listfile/pam_listfile.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_listfile/pam_listfile.8.xml ++++ pam.deb/modules/pam_listfile/pam_listfile.8.xml +@@ -281,7 +281,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_localuser/pam_localuser.8 +=================================================================== +--- pam.deb.orig/modules/pam_localuser/pam_localuser.8 ++++ pam.deb/modules/pam_localuser/pam_localuser.8 +@@ -1,37 +1,37 @@ + .\" Title: pam_localuser + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LOCALUSER" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LOCALUSER" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_localuser - require users to be listed in /etc/passwd ++pam_localuser \- require users to be listed in /etc/passwd + .SH "SYNOPSIS" + .HP 17 +-\fBpam_localuser\.so\fR [debug] [file=\fI/path/passwd\fR] ++\fBpam_localuser\&.so\fR [debug] [file=\fI/path/passwd\fR] + .SH "DESCRIPTION" + .PP +-pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network\'s users and a few accounts that are local to a particular workstation\. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network\'s users\. ++pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network\'s users and a few accounts that are local to a particular workstation\&. 
Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network\'s users\&. + .PP +-This could also be implemented using pam_listfile\.so and a very short awk script invoked by cron, but it\'s common enough to have been separated out\. ++This could also be implemented using pam_listfile\&.so and a very short awk script invoked by cron, but it\'s common enough to have been separated out\&. + .SH "OPTIONS" + .PP + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBfile=\fR\fB\fI/path/passwd\fR\fR + .RS 4 + Use a file other than +-\fI/etc/passwd\fR\. ++\fI/etc/passwd\fR\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -39,34 +39,34 @@ + \fBauth\fR, + \fBpassword\fR + and +-\fBsession\fR) are supported\. ++\fBsession\fR) are supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-The new localuser was set successfull\. ++The new localuser was set successfull\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-No username was given\. ++No username was given\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/su\fR +-to allow only local users in group wheel to use su\. ++\fI/etc/pam\&.d/su\fR ++to allow only local users in group wheel to use su\&. + .sp + .RS 4 + .nf +-account sufficient pam_localuser\.so +-account required pam_wheel\.so ++account sufficient pam_localuser\&.so ++account required pam_wheel\&.so + + .fi + .RE +@@ -75,14 +75,14 @@ + .PP + \fI/etc/passwd\fR + .RS 4 +-Local user account information\. ++Local user account information\&. + .RE + .SH "SEE ALSO" + .PP + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_localuser was written by Nalin Dahyabhai \. ++pam_localuser was written by Nalin Dahyabhai \&. 
+Index: pam.deb/modules/pam_localuser/pam_localuser.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_localuser/pam_localuser.8.xml ++++ pam.deb/modules/pam_localuser/pam_localuser.8.xml +@@ -158,7 +158,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_loginuid/pam_loginuid.8 +=================================================================== +--- pam.deb.orig/modules/pam_loginuid/pam_loginuid.8 ++++ pam.deb/modules/pam_loginuid/pam_loginuid.8 +@@ -1,52 +1,52 @@ + .\" Title: pam_loginuid + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LOGINUID" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LOGINUID" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_loginuid - Record user's login uid to the process attribute ++pam_loginuid \- Record user's login uid to the process attribute + .SH "SYNOPSIS" + .HP 16 +-\fBpam_loginuid\.so\fR [require_auditd] ++\fBpam_loginuid\&.so\fR [require_auditd] + .SH "DESCRIPTION" + .PP +-The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\. This is necessary for applications to be correctly audited\. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\. There are probably other entry point applications besides these\. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\. ++The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\&. This is necessary for applications to be correctly audited\&. 
This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\&. There are probably other entry point applications besides these\&. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\&. + .SH "OPTIONS" + .PP + \fBrequire_auditd\fR + .RS 4 +-This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\. ++This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + The + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SESSION_ERR + .RS 4 +-An error occured during session management\. ++An error occured during session management\&. + .RE + .SH "EXAMPLES" + .sp + .RS 4 + .nf +-#%PAM\-1\.0 +-auth required pam_unix\.so +-auth required pam_nologin\.so +-account required pam_unix\.so +-password required pam_unix\.so +-session required pam_unix\.so +-session required pam_loginuid\.so ++#%PAM\-1\&.0 ++auth required pam_unix\&.so ++auth required pam_nologin\&.so ++account required pam_unix\&.so ++password required pam_unix\&.so ++session required pam_unix\&.so ++session required pam_loginuid\&.so + + .fi + .RE +@@ -55,9 +55,9 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBauditctl\fR(8), + \fBauditd\fR(8) + .SH "AUTHOR" + .PP +-pam_loginuid was written by Steve Grubb ++pam_loginuid was written by Steve Grubb +Index: pam.deb/modules/pam_loginuid/pam_loginuid.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_loginuid/pam_loginuid.8.xml ++++ pam.deb/modules/pam_loginuid/pam_loginuid.8.xml +@@ -104,7 +104,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + , + + auditctl8 +Index: pam.deb/modules/pam_mail/pam_mail.8 
+=================================================================== +--- pam.deb.orig/modules/pam_mail/pam_mail.8 ++++ pam.deb/modules/pam_mail/pam_mail.8 +@@ -1,26 +1,26 @@ + .\" Title: pam_mail + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MAIL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_MAIL" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_mail - Inform about available mail ++pam_mail \- Inform about available mail + .SH "SYNOPSIS" + .HP 12 +-\fBpam_mail\.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard] ++\fBpam_mail\&.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard] + .SH "DESCRIPTION" + .PP +-The pam_mail PAM module provides the "you have new mail" service to the user\. It can be plugged into any application that has credential or session hooks\. It gives a single message indicating the ++The pam_mail PAM module provides the "you have new mail" service to the user\&. It can be plugged into any application that has credential or session hooks\&. It gives a single message indicating the + \fInewness\fR +-of any mail it finds in the user\'s mail folder\. This module also sets the PAM environment variable, +-\fBMAIL\fR, to the user\'s mail directory\. ++of any mail it finds in the user\'s mail folder\&. This module also sets the PAM environment variable, ++\fBMAIL\fR, to the user\'s mail directory\&. + .PP + If the mail spool file (be it + \fI/var/mail/$USER\fR +@@ -28,64 +28,64 @@ + \fBdir=\fR + parameter) is a directory then pam_mail assumes it is in the + \fIMaildir\fR +-format\. ++format\&. 
+ .SH "OPTIONS" + .PP + .PP + \fBclose\fR + .RS 4 +-Indicate if the user has any mail also on logout\. ++Indicate if the user has any mail also on logout\&. + .RE + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBdir=\fR\fB\fImaildir\fR\fR + .RS 4 + Look for the users\' mail in an alternative location defined by +-\fImaildir/\fR\. The default location for mail is +-\fI/var/mail/\fR\. Note, if the supplied ++\fImaildir/\fR\&. The default location for mail is ++\fI/var/mail/\fR\&. Note, if the supplied + \fImaildir\fR +-is prefixed by a \'~\', the directory is interpreted as indicating a file in the user\'s home directory\. ++is prefixed by a \'~\', the directory is interpreted as indicating a file in the user\'s home directory\&. + .RE + .PP + \fBempty\fR + .RS 4 +-Also print message if user has no mail\. ++Also print message if user has no mail\&. + .RE + .PP + \fBhash=\fR\fB\fIcount\fR\fR + .RS 4 +-Mail directory hash depth\. For example, a ++Mail directory hash depth\&. For example, a + \fIhashcount\fR + of 2 would make the mail file be +-\fI/var/spool/mail/u/s/user\fR\. ++\fI/var/spool/mail/u/s/user\fR\&. + .RE + .PP + \fBnoenv\fR + .RS 4 + Do not set the + \fBMAIL\fR +-environment variable\. ++environment variable\&. + .RE + .PP + \fBnopen\fR + .RS 4 +-Don\'t print any mail information on login\. This flag is useful to get the ++Don\'t print any mail information on login\&. This flag is useful to get the + \fBMAIL\fR +-environment variable set, but to not display any information about it\. ++environment variable set, but to not display any information about it\&. + .RE + .PP + \fBquiet\fR + .RS 4 +-Only report when there is new mail\. ++Only report when there is new mail\&. + .RE + .PP + \fBstandard\fR + .RS 4 +-Old style "You have\.\.\." format which doesn\'t show the mail spool being used\. This also implies "empty"\. ++Old style "You have\&.\&.\&." format which doesn\'t show the mail spool being used\&. 
This also implies "empty"\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -93,37 +93,37 @@ + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Badly formed arguments\. ++Badly formed arguments\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Success\. ++Success\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/login\fR +-to indicate that the user has new mail when they login to the system\. ++\fI/etc/pam\&.d/login\fR ++to indicate that the user has new mail when they login to the system\&. + .sp + .RS 4 + .nf +-session optional pam_mail\.so standard ++session optional pam_mail\&.so standard + + .fi + .RE +@@ -133,7 +133,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_mail was written by Andrew G\. Morgan \. ++pam_mail was written by Andrew G\&. Morgan \&. 
+Index: pam.deb/modules/pam_mail/pam_mail.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_mail/pam_mail.8.xml ++++ pam.deb/modules/pam_mail/pam_mail.8.xml +@@ -264,7 +264,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8 +=================================================================== +--- pam.deb.orig/modules/pam_mkhomedir/pam_mkhomedir.8 ++++ pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8 +@@ -1,37 +1,37 @@ + .\" Title: pam_mkhomedir + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MKHOMEDIR" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_MKHOMEDIR" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_mkhomedir - PAM module to create users home directory ++pam_mkhomedir \- PAM module to create users home directory + .SH "SYNOPSIS" + .HP 17 +-\fBpam_mkhomedir\.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] ++\fBpam_mkhomedir\&.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] + .SH "DESCRIPTION" + .PP +-The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins\. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories\. The skeleton directory (usually +-\fI/etc/skel/\fR) is used to copy default files and also set\'s a umask for the creation\. ++The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins\&. 
This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories\&. The skeleton directory (usually ++\fI/etc/skel/\fR) is used to copy default files and also set\'s a umask for the creation\&. + .PP +-The new users home directory will not be removed after logout of the user\. ++The new users home directory will not be removed after logout of the user\&. + .SH "OPTIONS" + .PP + \fBsilent\fR + .RS 4 +-Don\'t print informative messages\. ++Don\'t print informative messages\&. + .RE + .PP + \fBumask=\fR\fB\fImask\fR\fR + .RS 4 + The user file\-creation mask is set to +-\fImask\fR\. The default value of mask is 0022\. ++\fImask\fR\&. The default value of mask is 0022\&. + .RE + .PP + \fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR +@@ -39,38 +39,38 @@ + Indicate an alternative + \fIskel\fR + directory to override the default +-\fI/etc/skel\fR\. ++\fI/etc/skel\fR\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_CRED_INSUFFICIENT + .RS 4 +-Insufficient credentials to access authentication data\. ++Insufficient credentials to access authentication data\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-Not enough permissions to create the new directory or read the skel directory\. ++Not enough permissions to create the new directory or read the skel directory\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known to the underlying authentication module\. ++User not known to the underlying authentication module\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Environment variables were set\. ++Environment variables were set\&. 
+ .RE + .SH "FILES" + .PP +@@ -80,21 +80,21 @@ + .RE + .SH "EXAMPLES" + .PP +-A sample /etc/pam\.d/login file: ++A sample /etc/pam\&.d/login file: + .sp + .RS 4 + .nf +- auth requisite pam_securetty\.so +- auth sufficient pam_ldap\.so +- auth required pam_unix\.so +- auth required pam_nologin\.so +- account sufficient pam_ldap\.so +- account required pam_unix\.so +- password required pam_unix\.so +- session required pam_mkhomedir\.so skel=/etc/skel/ umask=0022 +- session required pam_unix\.so +- session optional pam_lastlog\.so +- session optional pam_mail\.so standard ++ auth requisite pam_securetty\&.so ++ auth sufficient pam_ldap\&.so ++ auth required pam_unix\&.so ++ auth required pam_nologin\&.so ++ account sufficient pam_ldap\&.so ++ account required pam_unix\&.so ++ password required pam_unix\&.so ++ session required pam_mkhomedir\&.so skel=/etc/skel/ umask=0022 ++ session required pam_unix\&.so ++ session optional pam_lastlog\&.so ++ session optional pam_mail\&.so standard + + .fi + .RE +@@ -103,7 +103,7 @@ + .PP + + \fBpam.d\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP +-pam_mkhomedir was written by Jason Gunthorpe \. ++pam_mkhomedir was written by Jason Gunthorpe \&. +Index: pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml ++++ pam.deb/modules/pam_mkhomedir/pam_mkhomedir.8.xml +@@ -189,7 +189,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + . 
+ + +Index: pam.deb/modules/pam_motd/pam_motd.8 +=================================================================== +--- pam.deb.orig/modules/pam_motd/pam_motd.8 ++++ pam.deb/modules/pam_motd/pam_motd.8 +@@ -1,53 +1,53 @@ + .\" Title: pam_motd + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MOTD" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_MOTD" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_motd - Display the motd file ++pam_motd \- Display the motd file + .SH "SYNOPSIS" + .HP 12 +-\fBpam_motd\.so\fR [motd=\fI/path/filename\fR] ++\fBpam_motd\&.so\fR [motd=\fI/path/filename\fR] + .SH "DESCRIPTION" + .PP +-pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login\. By default the ++pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login\&. By default the + \fI/etc/motd\fR +-file is shown\. The message size is limited to 64KB\. ++file is shown\&. The message size is limited to 64KB\&. + .SH "OPTIONS" + .PP + \fBmotd=\fR\fB\fI/path/filename\fR\fR + .RS 4 + The + \fI/path/filename\fR +-file is displayed as message of the day\. ++file is displayed as message of the day\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_IGNORE + .RS 4 +-This is the only return value of this module\. ++This is the only return value of this module\&. 
+ .RE + .SH "EXAMPLES" + .PP + The suggested usage for +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + is: + .sp + .RS 4 + .nf +-session optional pam_motd\.so motd=/etc/motd ++session optional pam_motd\&.so motd=/etc/motd + + .fi + .RE +@@ -58,7 +58,7 @@ + \fBmotd\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_motd was written by Ben Collins \. ++pam_motd was written by Ben Collins \&. +Index: pam.deb/modules/pam_motd/pam_motd.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_motd/pam_motd.8.xml ++++ pam.deb/modules/pam_motd/pam_motd.8.xml +@@ -99,7 +99,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_namespace/pam_namespace.8 +=================================================================== +--- pam.deb.orig/modules/pam_namespace/pam_namespace.8 ++++ pam.deb/modules/pam_namespace/pam_namespace.8 +@@ -1,27 +1,27 @@ + .\" Title: pam_namespace + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_NAMESPACE" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_NAMESPACE" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_namespace - PAM module for configuring namespace for a session ++pam_namespace \- PAM module for configuring namespace for a session + .SH "SYNOPSIS" + .HP 17 +-\fBpam_namespace\.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context] ++\fBpam_namespace\&.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] 
[ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context] + .SH "DESCRIPTION" + .PP +-The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\. If an executable script +-\fI/etc/security/namespace\.init\fR +-exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\. ++The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\&. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\&. If an executable script ++\fI/etc/security/namespace\&.init\fR ++exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\&. + .PP +-The pam_namespace module disassociates the session namespace from the parent namespace\. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\.net/Articles/159077 and http://lwn\.net/Articles/159092\. 
++The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. + .SH "OPTIONS" + .PP + \fBdebug\fR +@@ -31,7 +31,7 @@ + .PP + \fBunmnt_remnt\fR + .RS 4 +-For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context ++For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context + .RE + .PP + \fBunmnt_only\fR +@@ -46,101 +46,101 @@ + .PP + \fBgen_hash\fR + .RS 4 +-Instead of using the security context string for the instance name, generate and use its md5 hash\. ++Instead of using the security context string for the instance name, generate and use its md5 hash\&. 
+ .RE + .PP + \fBignore_config_error\fR + .RS 4 +-If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\. Without this option, pam will return an error to the calling program resulting in termination of the session\. ++If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&. + .RE + .PP + \fBignore_instance_parent_mode\fR + .RS 4 +-Instance parent directories by default are expected to have the restrictive mode of 000\. Using this option, an administrator can choose to ignore the mode of the instance parent\. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\. ++Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. + .RE + .PP + \fBno_unmount_on_close\fR + .RS 4 +-For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions\. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent\. ++For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions\&. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent\&. 
+ .RE + .PP + \fBuse_current_context\fR + .RS 4 +-Useful for services which do not change the SELinux context with setexeccon call\. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\. ++Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. + .RE + .PP + \fBuse_default_context\fR + .RS 4 +-Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\. The module will use the default SELinux context of the user for the level and context polyinstantiation\. ++Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + The + \fBsession\fR +-service is supported\. The module must not be called from multithreaded processes\. ++service is supported\&. The module must not be called from multithreaded processes\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-Namespace setup was successful\. ++Namespace setup was successful\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Unexpected system error occurred while setting up namespace\. ++Unexpected system error occurred while setting up namespace\&. + .RE + .PP + PAM_SESSION_ERR + .RS 4 +-Unexpected namespace configuration error occurred\. ++Unexpected namespace configuration error occurred\&. 
+ .RE + .SH "FILES" + .PP +-\fI/etc/security/namespace\.conf\fR ++\fI/etc/security/namespace\&.conf\fR + .RS 4 + Main configuration file + .RE + .PP +-\fI/etc/security/namespace\.d\fR ++\fI/etc/security/namespace\&.d\fR + .RS 4 + Directory for additional configuration files + .RE + .PP +-\fI/etc/security/namespace\.init\fR ++\fI/etc/security/namespace\&.init\fR + .RS 4 + Init script for instance directories + .RE + .SH "EXAMPLES" + .PP +-For the s you need polyinstantiation (login for example) put the following line in /etc/pam\.d/ as the last line for session group: ++For the s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/ as the last line for session group: + .PP +-session required pam_namespace\.so [arguments] ++session required pam_namespace\&.so [arguments] + .PP + To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default: + .PP + /usr/sbin/gdm\-safe\-restart + .PP +-This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\. Please use the initialization script +-\fI/etc/security/namespace\.init\fR +-to ensure that the X server and its clients can appropriately access the communication socket X0\. Please refer to the sample instructions provided in the comment section of the instance initialization script +-\fI/etc/security/namespace\.init\fR\. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: ++This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\&. 
If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\&. Please use the initialization script ++\fI/etc/security/namespace\&.init\fR ++to ensure that the X server and its clients can appropriately access the communication socket X0\&. Please refer to the sample instructions provided in the comment section of the instance initialization script ++\fI/etc/security/namespace\&.init\fR\&. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: + .PP + + .sp + .RS 4 + .nf +- 1\. Disable the use of font server by commenting out "FontPath" +- line in /etc/X11/xorg\.conf\. If you do want to use the font server ++ 1\&. Disable the use of font server by commenting out "FontPath" ++ line in /etc/X11/xorg\&.conf\&. If you do want to use the font server + then you will have to augment the instance initialization +- script to appropriately provide /tmp/\.font\-unix from the +- polyinstantiated /tmp\. +- 2\. Ensure that the gdm service is setup to use pam_namespace, +- as described above, by modifying /etc/pam\.d/gdm\. +- 3\. Ensure that the display manager is configured to restart X server +- with each new session\. This default setup can be verified by +- making sure that /usr/share/gdm/defaults\.conf contains ++ script to appropriately provide /tmp/\&.font\-unix from the ++ polyinstantiated /tmp\&. ++ 2\&. Ensure that the gdm service is setup to use pam_namespace, ++ as described above, by modifying /etc/pam\&.d/gdm\&. ++ 3\&. Ensure that the display manager is configured to restart X server ++ with each new session\&. This default setup can be verified by ++ making sure that /usr/share/gdm/defaults\&.conf contains + "AlwaysRestartServer=true", and it is not overridden by +- /etc/gdm/custom\.conf\. ++ /etc/gdm/custom\&.conf\&. 
+ + .fi + .RE +@@ -151,7 +151,7 @@ + \fBnamespace.conf\fR(5), + \fBpam.d\fR(8), + \fBmount\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP +-The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \. Additional improvements by Xavier Toth and Tomas Mraz \. ++The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \&. Additional improvements by Xavier Toth and Tomas Mraz \&. +Index: pam.deb/modules/pam_namespace/pam_namespace.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_namespace/pam_namespace.8.xml ++++ pam.deb/modules/pam_namespace/pam_namespace.8.xml +@@ -371,7 +371,7 @@ + mount8 + , + +- pam8 ++ pam7 + . + + +Index: pam.deb/modules/pam_nologin/pam_nologin.8 +=================================================================== +--- pam.deb.orig/modules/pam_nologin/pam_nologin.8 ++++ pam.deb/modules/pam_nologin/pam_nologin.8 +@@ -1,38 +1,38 @@ + .\" Title: pam_nologin + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_NOLOGIN" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_NOLOGIN" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_nologin - Prevent non-root users from login ++pam_nologin \- Prevent non-root users from login + .SH "SYNOPSIS" + .HP 15 +-\fBpam_nologin\.so\fR [file=\fI/path/nologin\fR] [successok] ++\fBpam_nologin\&.so\fR [file=\fI/path/nologin\fR] [successok] + .SH "DESCRIPTION" + .PP + pam_nologin is a 
PAM module that prevents users from logging into the system when + \fI/etc/nologin\fR +-exists\. The contents of the ++exists\&. The contents of the + \fI/etc/nologin\fR +-file are displayed to the user\. The pam_nologin module has no effect on the root user\'s ability to log in\. ++file are displayed to the user\&. The pam_nologin module has no effect on the root user\'s ability to log in\&. + .SH "OPTIONS" + .PP + \fBfile=\fR\fB\fI/path/nologin\fR\fR + .RS 4 + Use this file instead the default +-\fI/etc/nologin\fR\. ++\fI/etc/nologin\fR\&. + .RE + .PP + \fBsuccessok\fR + .RS 4 +-Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\. ++Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -40,71 +40,71 @@ + \fBauth\fR + and + \fBacct\fR +-services are supported\. ++services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 + The user is not root and + \fI/etc/nologin\fR +-exists, so the user is not permitted to log in\. ++exists, so the user is not permitted to log in\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-This is the default return value\. ++This is the default return value\&. + .RE + .PP + PAM_SUCCESS + .RS 4 + Success: either the user is root or the + \fI/etc/nologin\fR +-file does not exist\. ++file does not exist\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known to the underlying authentication module\. ++User not known to the underlying authentication module\&. + .RE + .SH "EXAMPLES" + .PP + The suggested usage for +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + is: + .sp + .RS 4 + .nf +-auth required pam_nologin\.so ++auth required pam_nologin\&.so + + .fi + .RE + .sp + .SH "NOTES" + .PP +-In order to make this module effective, all login methods should be secured by it\. 
It should be used as a ++In order to make this module effective, all login methods should be secured by it\&. It should be used as a + \fIrequired\fR + method listed before any + \fIsufficient\fR +-methods in order to get standard Unix nologin semantics\. Note, the use of ++methods in order to get standard Unix nologin semantics\&. Note, the use of + \fBsuccessok\fR + module argument causes the module to return + \fIPAM_SUCCESS\fR + and as such would break such a configuration \- failing + \fIsufficient\fR + modules would lead to a successful login because the nologin module +-\fIsucceeded\fR\. ++\fIsucceeded\fR\&. + .SH "SEE ALSO" + .PP + + \fBnologin\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_nologin was written by Michael K\. Johnson \. ++pam_nologin was written by Michael K\&. Johnson \&. +Index: pam.deb/modules/pam_nologin/pam_nologin.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_nologin/pam_nologin.8.xml ++++ pam.deb/modules/pam_nologin/pam_nologin.8.xml +@@ -159,7 +159,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_permit/pam_permit.8 +=================================================================== +--- pam.deb.orig/modules/pam_permit/pam_permit.8 ++++ pam.deb/modules/pam_permit/pam_permit.8 +@@ -1,32 +1,32 @@ + .\" Title: pam_permit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_PERMIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_PERMIT" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_permit - The promiscuous module ++pam_permit \- The promiscuous module + .SH "SYNOPSIS" + .HP 
14 +-\fBpam_permit\.so\fR ++\fBpam_permit\&.so\fR + .SH "DESCRIPTION" + .PP +-pam_permit is a PAM module that always permit access\. It does nothing else\. ++pam_permit is a PAM module that always permit access\&. It does nothing else\&. + .PP + In the case of authentication, the user\'s name will be set to + \fInobody\fR +-if the application didn\'t set one\. Many applications and PAM modules become confused if this name is unknown\. ++if the application didn\'t set one\&. Many applications and PAM modules become confused if this name is unknown\&. + .PP +-This module is very dangerous\. It should be used with extreme caution\. ++This module is very dangerous\&. It should be used with extreme caution\&. + .SH "OPTIONS" + .PP +-This module does not recognise any options\. ++This module does not recognise any options\&. + .SH "MODULE SERVICES PROVIDED" + .PP + The services +@@ -35,20 +35,20 @@ + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-This module always returns this value\. ++This module always returns this value\&. + .RE + .SH "EXAMPLES" + .PP +-Add this line to your other login entries to disable account management, but continue to permit users to log in\. ++Add this line to your other login entries to disable account management, but continue to permit users to log in\&. + .sp + .RS 4 + .nf +-account required pam_permit\.so ++account required pam_permit\&.so + + .fi + .RE +@@ -58,7 +58,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_permit was written by Andrew G\. Morgan, \. ++pam_permit was written by Andrew G\&. Morgan, \&. 
+Index: pam.deb/modules/pam_permit/pam_permit.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_permit/pam_permit.8.xml ++++ pam.deb/modules/pam_permit/pam_permit.8.xml +@@ -90,7 +90,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_rhosts/pam_rhosts.8 +=================================================================== +--- pam.deb.orig/modules/pam_rhosts/pam_rhosts.8 ++++ pam.deb/modules/pam_rhosts/pam_rhosts.8 +@@ -1,95 +1,95 @@ + .\" Title: pam_rhosts + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_RHOSTS" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_RHOSTS" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_rhosts - The rhosts PAM module ++pam_rhosts \- The rhosts PAM module + .SH "SYNOPSIS" + .HP 14 +-\fBpam_rhosts\.so\fR ++\fBpam_rhosts\&.so\fR + .SH "DESCRIPTION" + .PP + This module performs the standard network authentication for services, as used by traditional implementations of + \fBrlogin\fR + and + \fBrsh\fR +-etc\. ++etc\&. + .PP + The authentication mechanism of this module is based on the contents of two files; +-\fI/etc/hosts\.equiv\fR ++\fI/etc/hosts\&.equiv\fR + (or and +-\fI~/\.rhosts\fR\. Firstly, hosts listed in the former file are treated as equivalent to the localhost\. Secondly, entries in the user\'s own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user\'s account on the current host\. 
Access is granted to the user if their host is present in +-\fI/etc/hosts\.equiv\fR +-and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file\. ++\fI~/\&.rhosts\fR\&. Firstly, hosts listed in the former file are treated as equivalent to the localhost\&. Secondly, entries in the user\'s own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user\'s account on the current host\&. Access is granted to the user if their host is present in ++\fI/etc/hosts\&.equiv\fR ++and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file\&. + .PP + The module authenticates a remote user (internally specified by the item + \fIPAM_RUSER\fR + connecting from the remote host (internally specified by the item +-\fBPAM_RHOST\fR)\. Accordingly, for applications to be compatible this authentication module they must set these items prior to calling +-\fBpam_authenticate()\fR\. The module is not capable of independently probing the network connection for such information\. ++\fBPAM_RHOST\fR)\&. Accordingly, for applications to be compatible this authentication module they must set these items prior to calling ++\fBpam_authenticate()\fR\&. The module is not capable of independently probing the network connection for such information\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBsilent\fR + .RS 4 +-Don\'t print informative messages\. ++Don\'t print informative messages\&. + .RE + .PP + \fBsuperuser=\fR\fB\fIaccount\fR\fR + .RS 4 + Handle + \fIaccount\fR +-as root\. ++as root\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. 
+ .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 + The remote host, remote user name or the local user name couldn\'t be determined or access was denied by +-\fI\.rhosts\fR +-file\. ++\fI\&.rhosts\fR ++file\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User is not known to system\. ++User is not known to system\&. + .RE + .SH "EXAMPLES" + .PP + To grant a remote user access by +-\fI/etc/hosts\.equiv\fR ++\fI/etc/hosts\&.equiv\fR + or +-\fI\.rhosts\fR ++\fI\&.rhosts\fR + for + \fBrsh\fR + add the following lines to +-\fI/etc/pam\.d/rsh\fR: ++\fI/etc/pam\&.d/rsh\fR: + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # +-auth required pam_rhosts\.so +-auth required pam_nologin\.so +-auth required pam_env\.so +-auth required pam_unix\.so ++auth required pam_rhosts\&.so ++auth required pam_nologin\&.so ++auth required pam_env\&.so ++auth required pam_unix\&.so + + .fi + .RE +@@ -102,7 +102,7 @@ + \fBrhosts\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_rhosts was written by Thorsten Kukuk ++pam_rhosts was written by Thorsten Kukuk +Index: pam.deb/modules/pam_rhosts/pam_rhosts.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_rhosts/pam_rhosts.8.xml ++++ pam.deb/modules/pam_rhosts/pam_rhosts.8.xml +@@ -156,7 +156,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_rootok/pam_rootok.8 +=================================================================== +--- pam.deb.orig/modules/pam_rootok/pam_rootok.8 ++++ pam.deb/modules/pam_rootok/pam_rootok.8 +@@ -1,41 +1,41 @@ + .\" Title: pam_rootok + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ROOTOK" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_ROOTOK" "8" "07/27/2008" "Linux-PAM Manual" 
"Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_rootok - Gain only root access ++pam_rootok \- Gain only root access + .SH "SYNOPSIS" + .HP 14 +-\fBpam_rootok\.so\fR [debug] ++\fBpam_rootok\&.so\fR [debug] + .SH "DESCRIPTION" + .PP + pam_rootok is a PAM module that authenticates the user if their + \fIUID\fR + is +-\fI0\fR\. Applications that are created setuid\-root generally retain the ++\fI0\fR\&. Applications that are created setuid\-root generally retain the + \fIUID\fR +-of the user but run with the authority of an enhanced effective\-UID\. It is the real ++of the user but run with the authority of an enhanced effective\-UID\&. It is the real + \fIUID\fR +-that is checked\. ++that is checked\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -43,7 +43,7 @@ + The + \fIUID\fR + is +-\fI0\fR\. ++\fI0\fR\&. + .RE + .PP + PAM_AUTH_ERR +@@ -52,21 +52,21 @@ + \fIUID\fR + is + \fBnot\fR +-\fI0\fR\. ++\fI0\fR\&. + .RE + .SH "EXAMPLES" + .PP + In the case of the + \fBsu\fR(1) +-application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password\. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the +-\fI/etc/pam\.d/su\fR ++application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password\&. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the ++\fI/etc/pam\&.d/su\fR + configuration file: + .sp + .RS 4 + .nf +-# su authentication\. Root is granted access by default\. 
+-auth sufficient pam_rootok\.so +-auth required pam_unix\.so ++# su authentication\&. Root is granted access by default\&. ++auth sufficient pam_rootok\&.so ++auth required pam_unix\&.so + + .fi + .RE +@@ -77,7 +77,7 @@ + \fBsu\fR(1), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_rootok was written by Andrew G\. Morgan, \. ++pam_rootok was written by Andrew G\&. Morgan, \&. +Index: pam.deb/modules/pam_rootok/pam_rootok.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_rootok/pam_rootok.8.xml ++++ pam.deb/modules/pam_rootok/pam_rootok.8.xml +@@ -115,7 +115,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_securetty/pam_securetty.8 +=================================================================== +--- pam.deb.orig/modules/pam_securetty/pam_securetty.8 ++++ pam.deb/modules/pam_securetty/pam_securetty.8 +@@ -1,77 +1,77 @@ + .\" Title: pam_securetty + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SECURETTY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SECURETTY" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_securetty - Limit root login to special devices ++pam_securetty \- Limit root login to special devices + .SH "SYNOPSIS" + .HP 17 +-\fBpam_securetty\.so\fR [debug] ++\fBpam_securetty\&.so\fR [debug] + .SH "DESCRIPTION" + .PP + pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in +-\fI/etc/securetty\fR\. pam_securetty also checks to make sure that ++\fI/etc/securetty\fR\&. 
pam_securetty also checks to make sure that + \fI/etc/securetty\fR +-is a plain file and not world writable\. ++is a plain file and not world writable\&. + .PP + This module has no effect on non\-root users and requires that the application fills in the + \fBPAM_TTY\fR +-item correctly\. ++item correctly\&. + .PP + For canonical usage, should be listed as a + \fBrequired\fR + authentication method before any + \fBsufficient\fR +-authentication methods\. ++authentication methods\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-The user is allowed to continue authentication\. Either the user is not root, or the root user is trying to log in on an acceptable device\. ++The user is allowed to continue authentication\&. Either the user is not root, or the root user is trying to log in on an acceptable device\&. + .RE + .PP + PAM_AUTH_ERR + .RS 4 +-Authentication is rejected\. Either root is attempting to log in via an unacceptable device, or the ++Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the + \fI/etc/securetty\fR +-file is world writable or not a normal file\. ++file is world writable or not a normal file\&. + .RE + .PP + PAM_INCOMPLETE + .RS 4 +-An application error occurred\. pam_securetty was not able to get information it required from the application that called it\. ++An application error occurred\&. pam_securetty was not able to get information it required from the application that called it\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 + An error occurred while the module was determining the user\'s name or tty, or the module could not open +-\fI/etc/securetty\fR\. ++\fI/etc/securetty\fR\&. 
+ .RE + .PP + PAM_IGNORE + .RS 4 + The module could not find the user name in the + \fI/etc/passwd\fR +-file to verify whether the user had a UID of 0\. Therefore, the results of running this module are ignored\. ++file to verify whether the user had a UID of 0\&. Therefore, the results of running this module are ignored\&. + .RE + .SH "EXAMPLES" + .PP +@@ -79,8 +79,8 @@ + .sp + .RS 4 + .nf +-auth required pam_securetty\.so +-auth required pam_unix\.so ++auth required pam_securetty\&.so ++auth required pam_unix\&.so + + .fi + .RE +@@ -91,7 +91,7 @@ + \fBsecuretty\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_securetty was written by Elliot Lee \. ++pam_securetty was written by Elliot Lee \&. +Index: pam.deb/modules/pam_securetty/pam_securetty.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_securetty/pam_securetty.8.xml ++++ pam.deb/modules/pam_securetty/pam_securetty.8.xml +@@ -152,7 +152,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_selinux/pam_selinux.8 +=================================================================== +--- pam.deb.orig/modules/pam_selinux/pam_selinux.8 ++++ pam.deb/modules/pam_selinux/pam_selinux.8 +@@ -1,92 +1,92 @@ + .\" Title: pam_selinux + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SELINUX" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SELINUX" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_selinux - PAM module to set the default security context ++pam_selinux \- PAM module to set the default security context + .SH "SYNOPSIS" + .HP 15 +-\fBpam_selinux\.so\fR [close] 
[debug] [open] [nottys] [verbose] [select_context] [use_current_range] ++\fBpam_selinux\&.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range] + .SH "DESCRIPTION" + .PP +-In a nutshell, pam_selinux sets up the default security context for the next execed shell\. ++In a nutshell, pam_selinux sets up the default security context for the next execed shell\&. + .PP +-When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\. Also the controlling tty will have it\'s security context modified to match the users\. ++When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\&. Also the controlling tty will have it\'s security context modified to match the users\&. + .PP +-Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\. The close and open option help mitigate this problem\. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\. You can add pam_selinux to the config file twice\. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\. When PAM executes the close pass through the modules pam_selinux close_session will happen first\. ++Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\&. The close and open option help mitigate this problem\&. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\&. You can add pam_selinux to the config file twice\&. 
Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\&. When PAM executes the close pass through the modules pam_selinux close_session will happen first\&. + .SH "OPTIONS" + .PP + \fBclose\fR + .RS 4 +-Only execute the close_session portion of the module\. ++Only execute the close_session portion of the module\&. + .RE + .PP + \fBdebug\fR + .RS 4 + Turns on debugging via +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBopen\fR + .RS 4 +-Only execute the open_session portion of the module\. ++Only execute the open_session portion of the module\&. + .RE + .PP + \fBnottys\fR + .RS 4 +-Do not try to setup the ttys security context\. ++Do not try to setup the ttys security context\&. + .RE + .PP + \fBverbose\fR + .RS 4 +-attempt to inform the user when security context is set\. ++attempt to inform the user when security context is set\&. + .RE + .PP + \fBselect_context\fR + .RS 4 +-Attempt to ask the user for a custom security context role\. If MLS is on ask also for sensitivity level\. ++Attempt to ask the user for a custom security context role\&. If MLS is on ask also for sensitivity level\&. + .RE + .PP + \fBuse_current_range\fR + .RS 4 +-Use the sensitivity range of the process for the user context\. This option and the select_context option are mutually exclusive\. ++Use the sensitivity range of the process for the user context\&. This option and the select_context option are mutually exclusive\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 +-Unable to get or set a valid context\. ++Unable to get or set a valid context\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-The security context was set successfull\. ++The security context was set successfull\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-The user is not known to the system\. ++The user is not known to the system\&. 
+ .RE + .SH "EXAMPLES" + .sp + .RS 4 + .nf +-auth required pam_unix\.so +-session required pam_permit\.so +-session optional pam_selinux\.so ++auth required pam_unix\&.so ++session required pam_permit\&.so ++session optional pam_selinux\&.so + + .fi + .RE +@@ -95,7 +95,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_selinux was written by Dan Walsh \. ++pam_selinux was written by Dan Walsh \&. +Index: pam.deb/modules/pam_selinux/pam_selinux.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_selinux/pam_selinux.8.xml ++++ pam.deb/modules/pam_selinux/pam_selinux.8.xml +@@ -205,7 +205,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_sepermit/pam_sepermit.8 +=================================================================== +--- pam.deb.orig/modules/pam_sepermit/pam_sepermit.8 ++++ pam.deb/modules/pam_sepermit/pam_sepermit.8 +@@ -1,53 +1,53 @@ + .\" Title: pam_sepermit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SEPERMIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SEPERMIT" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_sepermit - PAM module to allow/deny login depending on SELinux enforcement state ++pam_sepermit \- PAM module to allow/deny login depending on SELinux enforcement state + .SH "SYNOPSIS" + .HP 16 +-\fBpam_sepermit\.so\fR [debug] [conf=\fI/path/to/config/file\fR] ++\fBpam_sepermit\&.so\fR [debug] [conf=\fI/path/to/config/file\fR] + .SH "DESCRIPTION" + .PP +-The pam_sepermit module allows or denies login depending on SELinux enforcement state\. 
++The pam_sepermit module allows or denies login depending on SELinux enforcement state\&. + .PP +-When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode\. Otherwise he is denied access\. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value\. ++When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode\&. Otherwise he is denied access\&. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value\&. + .PP +-The config file contains a simple list of user names one per line\. If the ++The config file contains a simple list of user names one per line\&. If the + \fIname\fR + is prefixed with + \fI@\fR + character it means that all users in the group + \fIname\fR +-match\. If it is prefixed with a ++match\&. If it is prefixed with a + \fI%\fR + character the SELinux user is used to match against the + \fIname\fR +-instead of the account name\. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined\. This means that such entries are never matched when SELinux is disabled and pam_sepermit will return PAM_IGNORE\. ++instead of the account name\&. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined\&. This means that such entries are never matched when SELinux is disabled and pam_sepermit will return PAM_IGNORE\&. + .PP + Each user name in the configuration file can have optional arguments separated by + \fI:\fR +-character\. The only currently recognized argument is +-\fIexclusive\fR\. The pam_sepermit module will allow only single concurrent user session for the user with this argument specified and it will attempt to kill all processes of the user after logout\. ++character\&. 
The only currently recognized argument is ++\fIexclusive\fR\&. The pam_sepermit module will allow only single concurrent user session for the user with this argument specified and it will attempt to kill all processes of the user after logout\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 + Turns on debugging via +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBconf=\fR\fB\fI/path/to/config/file\fR\fR + .RS 4 +-Path to alternative config file overriding the default\. ++Path to alternative config file overriding the default\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -55,36 +55,36 @@ + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 +-SELinux is disabled or in the permissive mode and the user matches\. ++SELinux is disabled or in the permissive mode and the user matches\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-SELinux is in the enforcing mode and the user matches\. ++SELinux is in the enforcing mode and the user matches\&. + .RE + .PP + PAM_IGNORE + .RS 4 +-The user does not match any entry in the config file\. ++The user does not match any entry in the config file\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-The module was unable to determine the user\'s name\. ++The module was unable to determine the user\'s name\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Error during reading or parsing the config file\. ++Error during reading or parsing the config file\&. 
+ .RE + .SH "FILES" + .PP +-\fI/etc/security/sepermit\.conf\fR ++\fI/etc/security/sepermit\&.conf\fR + .RS 4 + Default configuration file + .RE +@@ -92,10 +92,10 @@ + .sp + .RS 4 + .nf +-auth [success=done ignore=ignore default=bad] pam_sepermit\.so +-auth required pam_unix\.so +-account required pam_unix\.so +-session required pam_permit\.so ++auth [success=done ignore=ignore default=bad] pam_sepermit\&.so ++auth required pam_unix\&.so ++account required pam_unix\&.so ++session required pam_permit\&.so + + .fi + .RE +@@ -104,7 +104,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_sepermit was written by Tomas Mraz \. ++pam_sepermit was written by Tomas Mraz \&. +Index: pam.deb/modules/pam_sepermit/pam_sepermit.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_sepermit/pam_sepermit.8.xml ++++ pam.deb/modules/pam_sepermit/pam_sepermit.8.xml +@@ -174,7 +174,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_shells/pam_shells.8 +=================================================================== +--- pam.deb.orig/modules/pam_shells/pam_shells.8 ++++ pam.deb/modules/pam_shells/pam_shells.8 +@@ -1,54 +1,54 @@ + .\" Title: pam_shells + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SHELLS" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SHELLS" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_shells - PAM module to check for valid login shell ++pam_shells \- PAM module to check for valid login shell + .SH "SYNOPSIS" + .HP 14 +-\fBpam_shells\.so\fR ++\fBpam_shells\&.so\fR + .SH "DESCRIPTION" + .PP + pam_shells is a 
PAM module that only allows access to the system if the users shell is listed in +-\fI/etc/shells\fR\. ++\fI/etc/shells\fR\&. + .PP + It also checks if + \fI/etc/shells\fR +-is a plain file and not world writable\. ++is a plain file and not world writable\&. + .SH "OPTIONS" + .PP +-This module does not recognise any options\. ++This module does not recognise any options\&. + .SH "MODULE SERVICES PROVIDED" + .PP + The services + \fBauth\fR + and + \fBaccount\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 +-Access to the system was denied\. ++Access to the system was denied\&. + .RE + .PP + PAM_SUCCESS + .RS 4 + The users login shell was listed as valid shell in +-\fI/etc/shells\fR\. ++\fI/etc/shells\fR\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-The module was not able to get the name of the user\. ++The module was not able to get the name of the user\&. + .RE + .SH "EXAMPLES" + .PP +@@ -56,7 +56,7 @@ + .sp + .RS 4 + .nf +-auth required pam_shells\.so ++auth required pam_shells\&.so + + .fi + .RE +@@ -67,7 +67,7 @@ + \fBshells\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_shells was written by Erik Troan \. ++pam_shells was written by Erik Troan \&. 
+Index: pam.deb/modules/pam_shells/pam_shells.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_shells/pam_shells.8.xml ++++ pam.deb/modules/pam_shells/pam_shells.8.xml +@@ -102,7 +102,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_succeed_if/pam_succeed_if.8 +=================================================================== +--- pam.deb.orig/modules/pam_succeed_if/pam_succeed_if.8 ++++ pam.deb/modules/pam_succeed_if/pam_succeed_if.8 +@@ -1,25 +1,25 @@ + .\" Title: pam_succeed_if + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM + .\" Source: Linux-PAM + .\" +-.TH "PAM_SUCCEED_IF" "8" "04/16/2008" "Linux-PAM" "Linux\-PAM" ++.TH "PAM_SUCCEED_IF" "8" "07/27/2008" "Linux-PAM" "Linux\-PAM" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_succeed_if - test account characteristics ++pam_succeed_if \- test account characteristics + .SH "SYNOPSIS" + .HP 18 +-\fBpam_succeed_if\.so\fR [\fIflag\fR...] [\fIcondition\fR...] ++\fBpam_succeed_if\&.so\fR [\fIflag\fR...] [\fIcondition\fR...] + .SH "DESCRIPTION" + .PP +-pam_succeed_if\.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated\. One use is to select whether to load other modules based on this test\. ++pam_succeed_if\&.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated\&. One use is to select whether to load other modules based on this test\&. + .PP +-The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\. 
++The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\&. + .SH "OPTIONS" + .PP + The following +@@ -27,31 +27,31 @@ + .PP + \fBdebug\fR + .RS 4 +-Turns on debugging messages sent to syslog\. ++Turns on debugging messages sent to syslog\&. + .RE + .PP + \fBuse_uid\fR + .RS 4 +-Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\. ++Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. + .RE + .PP + \fBquiet\fR + .RS 4 +-Don\'t log failure or success to the system log\. ++Don\'t log failure or success to the system log\&. + .RE + .PP + \fBquiet_fail\fR + .RS 4 +-Don\'t log failure to the system log\. ++Don\'t log failure to the system log\&. + .RE + .PP + \fBquiet_success\fR + .RS 4 +-Don\'t log success to the system log\. ++Don\'t log success to the system log\&. + .RE + .PP + +-\fICondition\fRs are three words: a field, a test, and a value to test for\. ++\fICondition\fRs are three words: a field, a test, and a value to test for\&. + .PP + Available fields are + \fIuser\fR, +@@ -64,101 +64,101 @@ + .PP + \fBfield < number\fR + .RS 4 +-Field has a value numerically less than number\. ++Field has a value numerically less than number\&. + .RE + .PP + \fBfield <= number\fR + .RS 4 +-Field has a value numerically less than or equal to number\. ++Field has a value numerically less than or equal to number\&. + .RE + .PP + \fBfield eq number\fR + .RS 4 +-Field has a value numerically equal to number\. ++Field has a value numerically equal to number\&. + .RE + .PP + \fBfield >= number\fR + .RS 4 +-Field has a value numerically greater than or equal to number\. ++Field has a value numerically greater than or equal to number\&. + .RE + .PP + \fBfield > number\fR + .RS 4 +-Field has a value numerically greater than number\. 
++Field has a value numerically greater than number\&. + .RE + .PP + \fBfield ne number\fR + .RS 4 +-Field has a value numerically different from number\. ++Field has a value numerically different from number\&. + .RE + .PP + \fBfield = string\fR + .RS 4 +-Field exactly matches the given string\. ++Field exactly matches the given string\&. + .RE + .PP + \fBfield != string\fR + .RS 4 +-Field does not match the given string\. ++Field does not match the given string\&. + .RE + .PP + \fBfield =~ glob\fR + .RS 4 +-Field matches the given glob\. ++Field matches the given glob\&. + .RE + .PP + \fBfield !~ glob\fR + .RS 4 +-Field does not match the given glob\. ++Field does not match the given glob\&. + .RE + .PP +-\fBfield in item:item:\.\.\.\fR ++\fBfield in item:item:\&.\&.\&.\fR + .RS 4 +-Field is contained in the list of items separated by colons\. ++Field is contained in the list of items separated by colons\&. + .RE + .PP +-\fBfield notin item:item:\.\.\.\fR ++\fBfield notin item:item:\&.\&.\&.\fR + .RS 4 +-Field is not contained in the list of items separated by colons\. ++Field is not contained in the list of items separated by colons\&. + .RE + .PP + \fBuser ingroup group\fR + .RS 4 +-User is in given group\. ++User is in given group\&. + .RE + .PP + \fBuser notingroup group\fR + .RS 4 +-User is not in given group\. ++User is not in given group\&. + .RE + .PP + \fBuser innetgr netgroup\fR + .RS 4 +-(user,host) is in given netgroup\. ++(user,host) is in given netgroup\&. + .RE + .PP + \fBuser notinnetgr group\fR + .RS 4 +-(user,host) is not in given netgroup\. ++(user,host) is not in given netgroup\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +-All services are supported\. ++All services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-The condition was true\. ++The condition was true\&. + .RE + .PP + PAM_AUTH_ERR + .RS 4 +-The condition was false\. ++The condition was false\&. 
+ .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-A service error occured or the arguments can\'t be parsed as numbers\. ++A service error occured or the arguments can\'t be parsed as numbers\&. + .RE + .SH "EXAMPLES" + .PP +@@ -167,17 +167,17 @@ + .sp + .RS 4 + .nf +-auth required pam_succeed_if\.so quiet user ingroup wheel ++auth required pam_succeed_if\&.so quiet user ingroup wheel + + .fi + .RE + .PP +-Given that the type matches, only loads the othermodule rule if the UID is over 500\. Adjust the number after default to skip several rules\. ++Given that the type matches, only loads the othermodule rule if the UID is over 500\&. Adjust the number after default to skip several rules\&. + .sp + .RS 4 + .nf +-type [default=1 success=ignore] pam_succeed_if\.so quiet uid > 500 +-type required othermodule\.so arguments\.\.\. ++type [default=1 success=ignore] pam_succeed_if\&.so quiet uid > 500 ++type required othermodule\&.so arguments\&.\&.\&. + + .fi + .RE +@@ -185,7 +185,7 @@ + .PP + + \fBglob\fR(7), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-Nalin Dahyabhai ++Nalin Dahyabhai +Index: pam.deb/modules/pam_succeed_if/pam_succeed_if.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_succeed_if/pam_succeed_if.8.xml ++++ pam.deb/modules/pam_succeed_if/pam_succeed_if.8.xml +@@ -285,7 +285,7 @@ + glob7 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_tally/pam_tally.8 +=================================================================== +--- pam.deb.orig/modules/pam_tally/pam_tally.8 ++++ pam.deb/modules/pam_tally/pam_tally.8 +@@ -1,34 +1,34 @@ + .\" Title: pam_tally + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_TALLY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_TALLY" "8" "07/27/2008" "Linux-PAM 
Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_tally - The login counter (tallying) module ++pam_tally \- The login counter (tallying) module + .SH "SYNOPSIS" + .HP 13 +-\fBpam_tally\.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] ++\fBpam_tally\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] + .HP 10 + \fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] + .SH "DESCRIPTION" + .PP +-This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\. ++This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. + .PP + pam_tally comes in two parts: +-\fBpam_tally\.so\fR ++\fBpam_tally\&.so\fR + and +-\fBpam_tally\fR\. The former is the PAM module and the latter, a stand\-alone program\. ++\fBpam_tally\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. + \fBpam_tally\fR +-is an (optional) application which can be used to interrogate and manipulate the counter file\. It can display users\' counts, set individual counts, or clear all counts\. Setting artificially high counts may be useful for blocking users without changing their passwords\. For example, one might find it useful to clear all counts every midnight from a cron job\. The ++is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. 
Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. The + \fBfaillog\fR(8) +-command can be used instead of pam_tally to to maintain the counter file\. ++command can be used instead of pam_tally to to maintain the counter file\&. + .PP + Normally, failed attempts to access + \fIroot\fR +@@ -36,7 +36,7 @@ + \fBnot\fR + cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via + \fBsu\fR +-or at the machine console (not telnet/rsh, etc), this is safe\. ++or at the machine console (not telnet/rsh, etc), this is safe\&. + .SH "OPTIONS" + .PP + GLOBAL OPTIONS +@@ -45,7 +45,7 @@ + \fIauth\fR + and + \fIaccount\fR +-services\. ++services\&. + .PP + \fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR + .RS 4 +@@ -53,85 +53,85 @@ + \fBPAM_SUCESS\fR + if + \fBonerr=\fR\fB\fIsucceed\fR\fR +-is given, else with the corresponding PAM error code\. ++is given, else with the corresponding PAM error code\&. + .RE + .PP + \fBfile=\fR\fB\fI/path/to/counter\fR\fR + .RS 4 +-File where to keep counts\. Default is +-\fI/var/log/faillog\fR\. ++File where to keep counts\&. Default is ++\fI/var/log/faillog\fR\&. + .RE + .PP + \fBaudit\fR + .RS 4 +-Will log the user name into the system log if the user is not found\. ++Will log the user name into the system log if the user is not found\&. + .RE + .RE + .PP + AUTH OPTIONS + .RS 4 +-Authentication phase first checks if user should be denied access and if not it increments attempted login counter\. Then on call to ++Authentication phase first checks if user should be denied access and if not it increments attempted login counter\&. Then on call to + \fBpam_setcred\fR(3) +-it resets the attempts counter\. ++it resets the attempts counter\&. 
+ .PP + \fBdeny=\fR\fB\fIn\fR\fR + .RS 4 + Deny access if tally for this user exceeds +-\fIn\fR\. ++\fIn\fR\&. + .RE + .PP + \fBlock_time=\fR\fB\fIn\fR\fR + .RS 4 + Always deny for + \fIn\fR +-seconds after failed attempt\. ++seconds after failed attempt\&. + .RE + .PP + \fBunlock_time=\fR\fB\fIn\fR\fR + .RS 4 + Allow access after + \fIn\fR +-seconds after failed attempt\. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\. ++seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. + .RE + .PP + \fBmagic_root\fR + .RS 4 +-If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like +-\fBsu\fR, otherwise this argument should be omitted\. ++If the module is invoked by a user with uid=0 the counter is not incremented\&. The sys\-admin should use this for user launched services, like ++\fBsu\fR, otherwise this argument should be omitted\&. + .RE + .PP + \fBno_lock_time\fR + .RS 4 +-Do not use the \.fail_locktime field in ++Do not use the \&.fail_locktime field in + \fI/var/log/faillog\fR +-for this user\. ++for this user\&. + .RE + .PP + \fBno_reset\fR + .RS 4 +-Don\'t reset count on successful entry, only decrement\. ++Don\'t reset count on successful entry, only decrement\&. + .RE + .PP + \fBeven_deny_root_account\fR + .RS 4 +-Root account can become unavailable\. ++Root account can become unavailable\&. 
+ .RE + .PP + \fBper_user\fR + .RS 4 + If + \fI/var/log/faillog\fR +-contains a non\-zero \.fail_max/\.fail_locktime field for this user then use it instead of ++contains a non\-zero \&.fail_max/\&.fail_locktime field for this user then use it instead of + \fBdeny=\fR\fB\fIn\fR\fR/ + \fBlock_time=\fR\fB\fIn\fR\fR +-parameter\. ++parameter\&. + .RE + .PP + \fBno_lock_time\fR + .RS 4 +-Don\'t use \.fail_locktime filed in ++Don\'t use \&.fail_locktime filed in + \fI/var/log/faillog\fR +-for this user\. ++for this user\&. + .RE + .RE + .PP +@@ -139,19 +139,19 @@ + .RS 4 + Account phase resets attempts counter if the user is + \fBnot\fR +-magic root\. This phase can be used optionaly for services which don\'t call ++magic root\&. This phase can be used optionaly for services which don\'t call + \fBpam_setcred\fR(3) +-correctly or if the reset should be done regardless of the failure of the account phase of other modules\. ++correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. + .PP + \fBmagic_root\fR + .RS 4 +-If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like +-\fBsu\fR, otherwise this argument should be omitted\. ++If the module is invoked by a user with uid=0 the counter is not incremented\&. The sys\-admin should use this for user launched services, like ++\fBsu\fR, otherwise this argument should be omitted\&. + .RE + .PP + \fBno_reset\fR + .RS 4 +-Don\'t reset count on successful entry, only decrement\. ++Don\'t reset count on successful entry, only decrement\&. + .RE + .RE + .SH "MODULE SERVICES PROVIDED" +@@ -160,46 +160,46 @@ + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++services are supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 +-A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\. 
++A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Everything was successfull\. ++Everything was successfull\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/login\fR +-to lock the account after too many failed logins\. The number of allowed fails is specified by ++\fI/etc/pam\&.d/login\fR ++to lock the account after too many failed logins\&. The number of allowed fails is specified by + \fI/var/log/faillog\fR + and needs to be set with pam_tally or + \fBfaillog\fR(8) +-before\. ++before\&. + .sp + .RS 4 + .nf +-auth required pam_securetty\.so +-auth required pam_tally\.so per_user +-auth required pam_env\.so +-auth required pam_unix\.so +-auth required pam_nologin\.so +-account required pam_unix\.so +-password required pam_unix\.so +-session required pam_limits\.so +-session required pam_unix\.so +-session required pam_lastlog\.so nowtmp +-session optional pam_mail\.so standard ++auth required pam_securetty\&.so ++auth required pam_tally\&.so per_user ++auth required pam_env\&.so ++auth required pam_unix\&.so ++auth required pam_nologin\&.so ++account required pam_unix\&.so ++password required pam_unix\&.so ++session required pam_limits\&.so ++session required pam_unix\&.so ++session required pam_lastlog\&.so nowtmp ++session optional pam_mail\&.so standard + + .fi + .RE +@@ -215,7 +215,7 @@ + \fBfaillog\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_tally was written by Tim Baverstock and Tomas Mraz\. ++pam_tally was written by Tim Baverstock and Tomas Mraz\&. 
+Index: pam.deb/modules/pam_tally/pam_tally.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_tally/pam_tally.8.xml ++++ pam.deb/modules/pam_tally/pam_tally.8.xml +@@ -412,7 +412,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_time/pam_time.8 +=================================================================== +--- pam.deb.orig/modules/pam_time/pam_time.8 ++++ pam.deb/modules/pam_time/pam_time.8 +@@ -1,74 +1,74 @@ + .\" Title: pam_time + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_TIME" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_TIME" "8" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_time - PAM module for time control access ++pam_time \- PAM module for time control access + .SH "SYNOPSIS" + .HP 12 +-\fBpam_time\.so\fR [debug] [noaudit] ++\fBpam_time\&.so\fR [debug] [noaudit] + .SH "DESCRIPTION" + .PP +-The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\. ++The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\&. 
This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\&. + .PP + By default rules for time/port access are taken from config file +-\fI/etc/security/time\.conf\fR\. ++\fI/etc/security/time\&.conf\fR\&. + .PP +-If Linux PAM is compiled with audit support the module will report when it denies access\. ++If Linux PAM is compiled with audit support the module will report when it denies access\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 + Some debug informations are printed with +-\fBsyslog\fR(3)\. ++\fBsyslog\fR(3)\&. + .RE + .PP + \fBnoaudit\fR + .RS 4 +-Do not report logins at disallowed time to the audit subsystem\. ++Do not report logins at disallowed time to the audit subsystem\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBaccount\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS + .RS 4 +-Access was granted\. ++Access was granted\&. + .RE + .PP + PAM_ABORT + .RS 4 +-Not all relevant data could be gotten\. ++Not all relevant data could be gotten\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-Access was not granted\. ++Access was not granted\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-The user is not known to the system\. ++The user is not known to the system\&. + .RE + .SH "FILES" + .PP +-\fI/etc/security/time\.conf\fR ++\fI/etc/security/time\&.conf\fR + .RS 4 + Default configuration file + .RE +@@ -76,11 +76,11 @@ + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # + # apply pam_time accounting to login requests + # +-login account required pam_time\.so ++login account required pam_time\&.so + + .fi + .RE +@@ -89,7 +89,7 @@ + + \fBtime.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8)\. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP +-pam_time was written by Andrew G\. 
Morgan \. ++pam_time was written by Andrew G\&. Morgan \&. +Index: pam.deb/modules/pam_time/pam_time.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_time/pam_time.8.xml ++++ pam.deb/modules/pam_time/pam_time.8.xml +@@ -169,7 +169,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + . + + +Index: pam.deb/modules/pam_umask/pam_umask.8 +=================================================================== +--- pam.deb.orig/modules/pam_umask/pam_umask.8 ++++ pam.deb/modules/pam_umask/pam_umask.8 +@@ -1,23 +1,23 @@ + .\" Title: pam_umask + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_UMASK" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_UMASK" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_umask - PAM module to set the file mode creation mask ++pam_umask \- PAM module to set the file mode creation mask + .SH "SYNOPSIS" + .HP 13 +-\fBpam_umask\.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] ++\fBpam_umask\&.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] + .SH "DESCRIPTION" + .PP +-pam_umask is a PAM module to set the file mode creation mask of the current environment\. The umask affects the default permissions assigned to newly created files\. ++pam_umask is a PAM module to set the file mode creation mask of the current environment\&. The umask affects the default permissions assigned to newly created files\&. 
+ .PP + The PAM module tries to get the umask value from the following places in the following order: + .sp +@@ -42,7 +42,7 @@ + .RE + .sp + .RS 4 +-\h'-04'\(bu\h'+03'UMASK entry from /etc/login\.defs ++\h'-04'\(bu\h'+03'UMASK entry from /etc/login\&.defs + .RE + .sp + .RE +@@ -51,56 +51,56 @@ + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBsilent\fR + .RS 4 +-Don\'t print informative messages\. ++Don\'t print informative messages\&. + .RE + .PP + \fBusergroups\fR + .RS 4 +-If the user is not root, and the user ID is equal to the group ID, and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\. ++If the user is not root, and the user ID is equal to the group ID, and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. + .RE + .PP + \fBumask=\fR\fB\fImask\fR\fR + .RS 4 + Sets the calling process\'s file mode creation mask (umask) to + \fBmask\fR +-& 0777\. The value is interpreted as Octal\. ++& 0777\&. The value is interpreted as Octal\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + .PP + PAM_SUCCESS + .RS 4 +-The new umask was set successfull\. ++The new umask was set successfull\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-No username was given\. ++No username was given\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. 
+ .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/login\fR ++\fI/etc/pam\&.d/login\fR + to set the user specific umask at login: + .sp + .RS 4 + .nf +- session optional pam_umask\.so umask=0022 ++ session optional pam_umask\&.so umask=0022 + + .fi + .RE +@@ -110,7 +110,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_umask was written by Thorsten Kukuk \. ++pam_umask was written by Thorsten Kukuk \&. +Index: pam.deb/modules/pam_umask/pam_umask.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_umask/pam_umask.8.xml ++++ pam.deb/modules/pam_umask/pam_umask.8.xml +@@ -205,7 +205,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_unix/pam_unix.8 +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8 ++++ pam.deb/modules/pam_unix/pam_unix.8 +@@ -228,7 +228,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_unix was written by various people\&. 
+Index: pam.deb/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_unix/pam_unix.8.xml ++++ pam.deb/modules/pam_unix/pam_unix.8.xml +@@ -465,7 +465,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/misc_conv.3 +=================================================================== +--- pam.deb.orig/doc/man/misc_conv.3 ++++ pam.deb/doc/man/misc_conv.3 +@@ -1,22 +1,22 @@ + .\" Title: misc_conv + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "MISC_CONV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "MISC_CONV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-misc_conv - text based conversation function ++misc_conv \- text based conversation function + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 15 +@@ -29,28 +29,28 @@ + \fBlibpam_misc\fR + and not of the standard + \fBlibpam\fR +-library\. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules\. ++library\&. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules\&. + .PP + In addition to simply slotting into the appropriate +-\fBpam_conv\fR(3), this function provides some time\-out facilities\. The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something\. The five variabls are as follows: ++\fBpam_conv\fR(3), this function provides some time\-out facilities\&. 
The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something\&. The five variabls are as follows: + .PP + \fBtime_t\fR \fIpam_misc_conv_warn_time\fR; + .RS 4 + This variable contains the + \fItime\fR + (as returned by +-\fBtime\fR(2)) that the user should be first warned that the clock is ticking\. By default it has the value +-0, which indicates that no such warning will be given\. The application may set its value to sometime in the future, but this should be done prior to passing control to the ++\fBtime\fR(2)) that the user should be first warned that the clock is ticking\&. By default it has the value ++0, which indicates that no such warning will be given\&. The application may set its value to sometime in the future, but this should be done prior to passing control to the + \fILinux\-PAM\fR +-library\. ++library\&. + .RE + .PP + \fBconst char *\fR\fIpam_misc_conv_warn_line\fR; + .RS 4 + Used in conjuction with +-\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching\. Its default value is a translated version of +-\(lq\.\.\.Time is running out\.\.\.\(rq, but this can be changed by the application prior to passing control to +-\fILinux\-PAM\fR\. ++\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching\&. Its default value is a translated version of ++\(lq\&.\&.\&.Time is running out\&.\&.\&.\(rq, but this can be changed by the application prior to passing control to ++\fILinux\-PAM\fR\&. + .RE + .PP + \fBtime_t\fR \fIpam_misc_conv_die_time\fR; +@@ -58,54 +58,54 @@ + This variable contains the + \fItime\fR + (as returned by +-\fBtime\fR(2)) that the will time out\. 
By default it has the value +-0, which indicates that the conversation function will not timeout\. The application may set its value to sometime in the future, but this should be done prior to passing control to the ++\fBtime\fR(2)) that the will time out\&. By default it has the value ++0, which indicates that the conversation function will not timeout\&. The application may set its value to sometime in the future, but this should be done prior to passing control to the + \fILinux\-PAM\fR +-library\. ++library\&. + .RE + .PP + \fBconst char *\fR\fIpam_misc_conv_die_line\fR; + .RS 4 + Used in conjuction with +-\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out\. Its default value is a translated version of +-\(lq\.\.\.Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to +-\fILinux\-PAM\fR\. ++\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out\&. Its default value is a translated version of ++\(lq\&.\&.\&.Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to ++\fILinux\-PAM\fR\&. + .RE + .PP + \fBint\fR \fIpam_misc_conv_died\fR; + .RS 4 + Following a return from the + \fILinux\-PAM\fR +-libraray, the value of this variable indicates whether the conversation has timed out\. A value of ++libraray, the value of this variable indicates whether the conversation has timed out\&. A value of + 1 +-indicates the time\-out occurred\. ++indicates the time\-out occurred\&. + .RE + .PP +-The following two function pointers are available for supporting binary prompts in the conversation function\. They are optimized for the current incarnation of the ++The following two function pointers are available for supporting binary prompts in the conversation function\&. 
They are optimized for the current incarnation of the + \fBlibpamc\fR +-library and are subject to change\. ++library and are subject to change\&. + .PP + \fBint\fR \fI(*pam_binary_handler_fn)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIprompt_p\fR); + .RS 4 + This function pointer is initialized to + NULL +-but can be filled with a function that provides machine\-machine (hidden) message exchange\. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges\. (This is still under development\.) ++but can be filled with a function that provides machine\-machine (hidden) message exchange\&. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges\&. (This is still under development\&.) + .RE + .PP + \fBint\fR \fI(*pam_binary_handler_free)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIdelete_me\fR); + .RS 4 + This function pointer is initialized to +-\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application\. ++\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application\&. + .RE + .SH "SEE ALSO" + .PP + + \fBpam_conv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBmisc_conv\fR + function is part of the + \fBlibpam_misc\fR +-Library and not defined in any standard\. ++Library and not defined in any standard\&. 
+Index: pam.deb/doc/man/misc_conv.3.xml +=================================================================== +--- pam.deb.orig/doc/man/misc_conv.3.xml ++++ pam.deb/doc/man/misc_conv.3.xml +@@ -171,7 +171,7 @@ + pam_conv3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_acct_mgmt.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_acct_mgmt.3 ++++ pam.deb/doc/man/pam_acct_mgmt.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_acct_mgmt + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ACCT_MGMT" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ACCT_MGMT" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_acct_mgmt - PAM account validation management ++pam_acct_mgmt \- PAM account validation management + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 18 +@@ -25,54 +25,54 @@ + .PP + The + \fBpam_acct_mgmt\fR +-function is used to determine if the users account is valid\. It checks for authentication token and account expiration and verifies access restrictions\. It is typically called after the user has been authenticated\. ++function is used to determine if the users account is valid\&. It checks for authentication token and account expiration and verifies access restrictions\&. It is typically called after the user has been authenticated\&. + .PP + The + \fIpamh\fR +-argument is an authentication handle obtained by a prior call to pam_start()\. The flags argument is the binary or of zero or more of the following values: ++argument is an authentication handle obtained by a prior call to pam_start()\&. 
The flags argument is the binary or of zero or more of the following values: + .PP + PAM_SILENT + .RS 4 +-Do not emit any messages\. ++Do not emit any messages\&. + .RE + .PP + PAM_DISALLOW_NULL_AUTHTOK + .RS 4 +-The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token\. ++The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token\&. + .RE + .SH "RETURN VALUES" + .PP + PAM_ACCT_EXPIRED + .RS 4 +-User account has expired\. ++User account has expired\&. + .RE + .PP + PAM_AUTH_ERR + .RS 4 +-Authentication failure\. ++Authentication failure\&. + .RE + .PP + PAM_NEW_AUTHTOK_REQD + .RS 4 + The user account is valid but their authentication token is +-\fIexpired\fR\. The correct response to this return\-value is to require that the user satisfies the ++\fIexpired\fR\&. The correct response to this return\-value is to require that the user satisfies the + \fBpam_chauthtok()\fR +-function before obtaining service\. It may not be possible for some applications to do this\. In such cases, the user should be denied access until such time as they can update their password\. ++function before obtaining service\&. It may not be possible for some applications to do this\&. In such cases, the user should be denied access until such time as they can update their password\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-Permission denied\. ++Permission denied\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-The authentication token was successfully updated\. ++The authentication token was successfully updated\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User unknown to password service\. ++User unknown to password service\&. 
+ .RE + .SH "SEE ALSO" + .PP +@@ -81,4 +81,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_chauthtok\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_acct_mgmt.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_acct_mgmt.3.xml ++++ pam.deb/doc/man/pam_acct_mgmt.3.xml +@@ -138,7 +138,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_authenticate.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_authenticate.3 ++++ pam.deb/doc/man/pam_authenticate.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_authenticate + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_AUTHENTICATE" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_AUTHENTICATE" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_authenticate - account authentication ++pam_authenticate \- account authentication + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 21 +@@ -25,26 +25,26 @@ + .PP + The + \fBpam_authenticate\fR +-function is used to authenticate the user\. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\. ++function is used to authenticate the user\&. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\&. + .PP + The PAM service module may request that the user enter their username vio the the conversation mechanism (see + \fBpam_start\fR(3) + and +-\fBpam_conv\fR(3))\. 
The name of the authenticated user will be present in the PAM item PAM_USER\. This item may be recovered with a call to +-\fBpam_get_item\fR(3)\. ++\fBpam_conv\fR(3))\&. The name of the authenticated user will be present in the PAM item PAM_USER\&. This item may be recovered with a call to ++\fBpam_get_item\fR(3)\&. + .PP + The + \fIpamh\fR +-argument is an authentication handle obtained by a prior call to pam_start()\. The flags argument is the binary or of zero or more of the following values: ++argument is an authentication handle obtained by a prior call to pam_start()\&. The flags argument is the binary or of zero or more of the following values: + .PP + PAM_SILENT + .RS 4 +-Do not emit any messages\. ++Do not emit any messages\&. + .RE + .PP + PAM_DISALLOW_NULL_AUTHTOK + .RS 4 +-The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token\. ++The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token\&. + .RE + .SH "RETURN VALUES" + .PP +@@ -52,37 +52,37 @@ + .RS 4 + The application should exit immediately after calling + \fBpam_end\fR(3) +-first\. ++first\&. + .RE + .PP + PAM_AUTH_ERR + .RS 4 +-The user was not authenticated\. ++The user was not authenticated\&. + .RE + .PP + PAM_CRED_INSUFFICIENT + .RS 4 +-For some reason the application does not have sufficient credentials to authenticate the user\. ++For some reason the application does not have sufficient credentials to authenticate the user\&. + .RE + .PP + PAM_AUTHINFO_UNVAIL + .RS 4 +-The modules were not able to access the authentication information\. This might be due to a network or hardware failure etc\. ++The modules were not able to access the authentication information\&. This might be due to a network or hardware failure etc\&. + .RE + .PP + PAM_MAXTRIES + .RS 4 +-One or more of the authentication modules has reached its limit of tries authenticating the user\. Do not try again\. 
++One or more of the authentication modules has reached its limit of tries authenticating the user\&. Do not try again\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-The user was successfully authenticated\. ++The user was successfully authenticated\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User unknown to authentication service\. ++User unknown to authentication service\&. + .RE + .SH "SEE ALSO" + .PP +@@ -91,4 +91,4 @@ + \fBpam_setcred\fR(3), + \fBpam_chauthtok\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_authenticate.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_authenticate.3.xml ++++ pam.deb/doc/man/pam_authenticate.3.xml +@@ -162,7 +162,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_chauthtok.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_chauthtok.3 ++++ pam.deb/doc/man/pam_chauthtok.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_chauthtok + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_CHAUTHTOK" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_CHAUTHTOK" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_chauthtok - updating authentication tokens ++pam_chauthtok \- updating authentication tokens + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 18 +@@ -26,61 +26,61 @@ + The + \fBpam_chauthtok\fR + function is used to change the authentication token for a given user (as indicated by the state associated with the handle +-\fIpamh\fR)\. ++\fIpamh\fR)\&. 
+ .PP + The + \fIpamh\fR +-argument is an authentication handle obtained by a prior call to pam_start()\. The flags argument is the binary or of zero or more of the following values: ++argument is an authentication handle obtained by a prior call to pam_start()\&. The flags argument is the binary or of zero or more of the following values: + .PP + PAM_SILENT + .RS 4 +-Do not emit any messages\. ++Do not emit any messages\&. + .RE + .PP + PAM_CHANGE_EXPIRED_AUTHTOK + .RS 4 +-This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired\. If this argument is not passed, the application requires that all authentication tokens are to be changed\. ++This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired\&. If this argument is not passed, the application requires that all authentication tokens are to be changed\&. + .RE + .SH "RETURN VALUES" + .PP + PAM_AUTHTOK_ERR + .RS 4 +-A module was unable to obtain the new authentication token\. ++A module was unable to obtain the new authentication token\&. + .RE + .PP + PAM_AUTHTOK_RECOVERY_ERR + .RS 4 +-A module was unable to obtain the old authentication token\. ++A module was unable to obtain the old authentication token\&. + .RE + .PP + PAM_AUTHTOK_LOCK_BUSY + .RS 4 +-One or more of the modules was unable to change the authentication token since it is currently locked\. ++One or more of the modules was unable to change the authentication token since it is currently locked\&. + .RE + .PP + PAM_AUTHTOK_DISABLE_AGING + .RS 4 +-Authentication token aging has been disabled for at least one of the modules\. ++Authentication token aging has been disabled for at least one of the modules\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-Permission denied\. ++Permission denied\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-The authentication token was successfully updated\. 
++The authentication token was successfully updated\&. + .RE + .PP + PAM_TRY_AGAIN + .RS 4 +-Not all of the modules were in a position to update the authentication token(s)\. In such a case none of the user\'s authentication tokens are updated\. ++Not all of the modules were in a position to update the authentication token(s)\&. In such a case none of the user\'s authentication tokens are updated\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User unknown to password service\. ++User unknown to password service\&. + .RE + .SH "SEE ALSO" + .PP +@@ -90,4 +90,4 @@ + \fBpam_setcred\fR(3), + \fBpam_get_item\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_chauthtok.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_chauthtok.3.xml ++++ pam.deb/doc/man/pam_chauthtok.3.xml +@@ -157,7 +157,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_conv.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_conv.3 ++++ pam.deb/doc/man/pam_conv.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_conv + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_CONV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_CONV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_conv - PAM conversation function ++pam_conv \- PAM conversation function + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .sp +@@ -42,36 +42,36 @@ + .RE + .SH "DESCRIPTION" + .PP +-The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\. 
This callback is specified by the ++The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\&. This callback is specified by the + \fIstruct pam_conv\fR + passed to + \fBpam_start\fR(3) +-at the start of the transaction\. ++at the start of the transaction\&. + .PP + When a module calls the referenced conv() function, the argument + \fIappdata_ptr\fR +-is set to the second element of this structure\. ++is set to the second element of this structure\&. + .PP +-The other arguments of a call to conv() concern the information exchanged by module and application\. That is to say, ++The other arguments of a call to conv() concern the information exchanged by module and application\&. That is to say, + \fInum_msg\fR + holds the length of the array of pointers, +-\fImsg\fR\. After a successful return, the pointer ++\fImsg\fR\&. After a successful return, the pointer + \fIresp\fR +-points to an array of pam_response structures, holding the application supplied text\. The ++points to an array of pam_response structures, holding the application supplied text\&. The + \fIresp_retcode\fR +-member of this struct is unused and should be set to zero\. It is the caller\'s responsibility to release both, this array and the responses themselves, using +-\fBfree\fR(3)\. Note, ++member of this struct is unused and should be set to zero\&. It is the caller\'s responsibility to release both, this array and the responses themselves, using ++\fBfree\fR(3)\&. Note, + \fI*resp\fR + is a + \fIstruct pam_response\fR +-array and not an array of pointers\. ++array and not an array of pointers\&. + .PP + The number of responses is always equal to the + \fInum_msg\fR +-conversation function argument\. This does require that the response array is +-\fBfree\fR(3)\'d after every call to the conversation function\. The index of the responses corresponds directly to the prompt index in the pam_message array\. 
++conversation function argument\&. This does require that the response array is ++\fBfree\fR(3)\'d after every call to the conversation function\&. The index of the responses corresponds directly to the prompt index in the pam_message array\&. + .PP +-On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\. ++On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\&. + .PP + Each message can have one of four types, specified by the + \fImsg_style\fR +@@ -80,36 +80,36 @@ + .PP + PAM_PROMPT_ECHO_OFF + .RS 4 +-Obtain a string without echoing any text\. ++Obtain a string without echoing any text\&. + .RE + .PP + PAM_PROMPT_ECHO_ON + .RS 4 +-Obtain a string whilst echoing text\. ++Obtain a string whilst echoing text\&. + .RE + .PP + PAM_ERROR_MSG + .RS 4 +-Display an error message\. ++Display an error message\&. + .RE + .PP + PAM_TEXT_INFO + .RS 4 +-Display some text\. ++Display some text\&. + .RE + .PP +-The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\. ++The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\&. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\&. + .PP +-In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) 
does\. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\. ++In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) does\&. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\&. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\&. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\&. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\&. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\&. 
+ .PP + For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are: + .sp + .RS 4 +-\h'-04'\(bu\h'+03'never call the conversation function with num_msg greater than one\. ++\h'-04'\(bu\h'+03'never call the conversation function with num_msg greater than one\&. + .RE + .sp + .RS 4 +-\h'-04'\(bu\h'+03'set up msg as doubly referenced so both types of conversation function can find the messages\. That is, make ++\h'-04'\(bu\h'+03'set up msg as doubly referenced so both types of conversation function can find the messages\&. That is, make + .sp + .RS 4 + .nf +@@ -122,18 +122,18 @@ + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_CONV_ERR + .RS 4 +-Conversation failure\. The application should not set +-\fI*resp\fR\. ++Conversation failure\&. The application should not set ++\fI*resp\fR\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Success\. ++Success\&. + .RE + .SH "SEE ALSO" + .PP +@@ -142,4 +142,4 @@ + \fBpam_set_item\fR(3), + \fBpam_get_item\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_conv.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_conv.3.xml ++++ pam.deb/doc/man/pam_conv.3.xml +@@ -221,7 +221,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_error.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_error.3 ++++ pam.deb/doc/man/pam_error.3 +@@ -1,33 +1,33 @@ + .\" Title: pam_error + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ERROR" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ERROR" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable 
hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_error, pam_verror - display error messages to the user ++pam_error, pam_verror \- display error messages to the user + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 14 +-.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\.\.\." ");" ++.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" + .HP 15 + .BI "int pam_verror(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" + .SH "DESCRIPTION" + .PP + The + \fBpam_error\fR +-function prints error messages through the conversation function to the user\. ++function prints error messages through the conversation function to the user\&. + .PP + The + \fBpam_verror\fR +@@ -35,27 +35,27 @@ + \fBpam_error()\fR + with the difference that it takes a set of arguments which have been obtained using the + \fBstdarg\fR(3) +-variable argument list macros\. ++variable argument list macros\&. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_CONV_ERR + .RS 4 +-Conversation failure\. ++Conversation failure\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Error message was displayed\. ++Error message was displayed\&. + .RE + .PP + PAM_SYSTEM_ERR + .RS 4 +-System error\. ++System error\&. + .RE + .SH "SEE ALSO" + .PP +@@ -64,11 +64,11 @@ + \fBpam_vinfo\fR(3), + \fBpam_prompt\fR(3), + \fBpam_vprompt\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBpam_error\fR + and + \fBpam_verror\fR +-functions are Linux\-PAM extensions\. ++functions are Linux\-PAM extensions\&. 
+Index: pam.deb/doc/man/pam_error.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_error.3.xml ++++ pam.deb/doc/man/pam_error.3.xml +@@ -105,7 +105,7 @@ + pam_vprompt3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_getenv.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_getenv.3 ++++ pam.deb/doc/man/pam_getenv.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_getenv + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_GETENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_GETENV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_getenv - get a PAM environment variable ++pam_getenv \- get a PAM environment variable + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 23 +@@ -28,16 +28,16 @@ + function searches the PAM environment list as associated with the handle + \fIpamh\fR + for a string that matches the string pointed to by +-\fIname\fR\. The return values are of the form: "\fIname=value\fR"\. ++\fIname\fR\&. The return values are of the form: "\fIname=value\fR"\&. + .SH "RETURN VALUES" + .PP + The + \fBpam_getenv\fR +-function returns NULL on failure\. ++function returns NULL on failure\&. 
+ .SH "SEE ALSO" + .PP + + \fBpam_start\fR(3), + \fBpam_getenvlist\fR(3), + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_getenv.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_getenv.3.xml ++++ pam.deb/doc/man/pam_getenv.3.xml +@@ -59,7 +59,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_getenvlist.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_getenvlist.3 ++++ pam.deb/doc/man/pam_getenvlist.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_getenvlist + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_GETENVLIST" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_GETENVLIST" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_getenvlist - getting the PAM environment ++pam_getenvlist \- getting the PAM environment + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 22 +@@ -26,25 +26,25 @@ + The + \fBpam_getenvlist\fR + function returns a complete copy of the PAM environment as associated with the handle +-\fIpamh\fR\. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted\. ++\fIpamh\fR\&. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted\&. + .PP +-The format of the memory is a malloc()\'d array of char pointers, the last element of which is set to NULL\. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()\'d char string of the form: "\fIname=value\fR"\. 
++The format of the memory is a malloc()\'d array of char pointers, the last element of which is set to NULL\&. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()\'d char string of the form: "\fIname=value\fR"\&. + .PP +-It should be noted that this memory will never be free()\'d by libpam\. Once obtained by a call to +-\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory\. ++It should be noted that this memory will never be free()\'d by libpam\&. Once obtained by a call to ++\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory\&. + .PP + It is by design, and not a coincidence, that the format and contents of the returned array matches that required for the third argument of the + \fBexecle\fR(3) +-function call\. ++function call\&. + .SH "RETURN VALUES" + .PP + The + \fBpam_getenvlist\fR +-function returns NULL on failure\. ++function returns NULL on failure\&. + .SH "SEE ALSO" + .PP + + \fBpam_start\fR(3), + \fBpam_getenv\fR(3), + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_getenvlist.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_getenvlist.3.xml ++++ pam.deb/doc/man/pam_getenvlist.3.xml +@@ -78,7 +78,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_info.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_info.3 ++++ pam.deb/doc/man/pam_info.3 +@@ -1,33 +1,33 @@ + .\" Title: pam_info + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_INFO" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_INFO" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + 
.\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_info, pam_vinfo - display messages to the user ++pam_info, pam_vinfo \- display messages to the user + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 13 +-.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\.\.\." ");" ++.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" + .HP 14 + .BI "int pam_vinfo(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" + .SH "DESCRIPTION" + .PP + The + \fBpam_info\fR +-function prints messages through the conversation function to the user\. ++function prints messages through the conversation function to the user\&. + .PP + The + \fBpam_vinfo\fR +@@ -35,36 +35,36 @@ + \fBpam_info()\fR + with the difference that it takes a set of arguments which have been obtained using the + \fBstdarg\fR(3) +-variable argument list macros\. ++variable argument list macros\&. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_CONV_ERR + .RS 4 +-Conversation failure\. ++Conversation failure\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Transaction was successful created\. ++Transaction was successful created\&. + .RE + .PP + PAM_SYSTEM_ERR + .RS 4 +-System error\. ++System error\&. + .RE + .SH "SEE ALSO" + .PP + +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBpam_info\fR + and + \fBpam_vinfo\fR +-functions are Linux\-PAM extensions\. ++functions are Linux\-PAM extensions\&. 
+Index: pam.deb/doc/man/pam_info.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_info.3.xml ++++ pam.deb/doc/man/pam_info.3.xml +@@ -93,7 +93,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_misc_drop_env.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_misc_drop_env.3 ++++ pam.deb/doc/man/pam_misc_drop_env.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_misc_drop_env + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MISC_DROP_ENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_MISC_DROP_ENV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_misc_drop_env - liberating a locally saved environment ++pam_misc_drop_env \- liberating a locally saved environment + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 22 +@@ -25,22 +25,22 @@ + .PP + This function is defined to complement the + \fBpam_getenvlist\fR(3) +-function\. It liberates the memory associated with ++function\&. It liberates the memory associated with + \fIenv\fR, + \fIoverwriting\fR + with + \fI0\fR + all memory before +-\fBfree()\fRing it\. ++\fBfree()\fRing it\&. + .SH "SEE ALSO" + .PP + + \fBpam_getenvlist\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBpam_misc_drop_env\fR + function is part of the + \fBlibpam_misc\fR +-Library and not defined in any standard\. ++Library and not defined in any standard\&. 
+Index: pam.deb/doc/man/pam_misc_drop_env.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_misc_drop_env.3.xml ++++ pam.deb/doc/man/pam_misc_drop_env.3.xml +@@ -46,7 +46,7 @@ + pam_getenvlist3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_misc_paste_env.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_misc_paste_env.3 ++++ pam.deb/doc/man/pam_misc_paste_env.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_misc_paste_env + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MISC_PASTE_ENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_MISC_PASTE_ENV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_misc_paste_env - transcribing an environment to that of PAM ++pam_misc_paste_env \- transcribing an environment to that of PAM + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 23 +@@ -25,17 +25,17 @@ + .PP + This function takes the supplied list of environment pointers and + \fIuploads\fR +-its contents to the PAM environment\. Success is indicated by +-PAM_SUCCESS\. ++its contents to the PAM environment\&. Success is indicated by ++PAM_SUCCESS\&. + .SH "SEE ALSO" + .PP + + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBpam_misc_paste_env\fR + function is part of the + \fBlibpam_misc\fR +-Library and not defined in any standard\. ++Library and not defined in any standard\&. 
+Index: pam.deb/doc/man/pam_misc_paste_env.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_misc_paste_env.3.xml ++++ pam.deb/doc/man/pam_misc_paste_env.3.xml +@@ -44,7 +44,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_misc_setenv.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_misc_setenv.3 ++++ pam.deb/doc/man/pam_misc_setenv.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_misc_setenv + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MISC_SETENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_MISC_SETENV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_misc_setenv - BSD like PAM environment variable setting ++pam_misc_setenv \- BSD like PAM environment variable setting + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 20 +@@ -25,22 +25,22 @@ + .PP + This function performs a task equivalent to + \fBpam_putenv\fR(3), its syntax is, however, more like the BSD style function; +-\fBsetenv()\fR\. The ++\fBsetenv()\fR\&. The + \fIname\fR + and + \fIvalue\fR + are concatenated with an \'=\' to form a name=value and passed to +-\fBpam_putenv()\fR\. If, however, the PAM variable is already set, the replacement will only be applied if the last argument, +-\fIreadonly\fR, is zero\. ++\fBpam_putenv()\fR\&. If, however, the PAM variable is already set, the replacement will only be applied if the last argument, ++\fIreadonly\fR, is zero\&. 
+ .SH "SEE ALSO" + .PP + + \fBpam_putenv\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBpam_misc_setenv\fR + function is part of the + \fBlibpam_misc\fR +-Library and not defined in any standard\. ++Library and not defined in any standard\&. +Index: pam.deb/doc/man/pam_misc_setenv.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_misc_setenv.3.xml ++++ pam.deb/doc/man/pam_misc_setenv.3.xml +@@ -51,7 +51,7 @@ + pam_putenv3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_prompt.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_prompt.3 ++++ pam.deb/doc/man/pam_prompt.3 +@@ -1,26 +1,26 @@ + .\" Title: pam_prompt + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_PROMPT" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_PROMPT" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_prompt, pam_vprompt - interface to conversation function ++pam_prompt, pam_vprompt \- interface to conversation function + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 16 +-.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "\.\.\." ");" ++.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" + .HP 17 + .BI "void pam_vprompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" + .SH "DESCRIPTION" +@@ -32,27 +32,27 @@ + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. 
+ .RE + .PP + PAM_CONV_ERR + .RS 4 +-Conversation failure\. ++Conversation failure\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Transaction was successful created\. ++Transaction was successful created\&. + .RE + .PP + PAM_SYSTEM_ERR + .RS 4 +-System error\. ++System error\&. + .RE + .SH "SEE ALSO" + .PP + +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBpam_conv\fR(3) + .SH "STANDARDS" + .PP +@@ -60,4 +60,4 @@ + \fBpam_prompt\fR + and + \fBpam_vprompt\fR +-functions are Linux\-PAM extensions\. ++functions are Linux\-PAM extensions\&. +Index: pam.deb/doc/man/pam_prompt.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_prompt.3.xml ++++ pam.deb/doc/man/pam_prompt.3.xml +@@ -91,7 +91,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + , + + pam_conv3 +Index: pam.deb/doc/man/pam_putenv.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_putenv.3 ++++ pam.deb/doc/man/pam_putenv.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_putenv + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_PUTENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_PUTENV" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_putenv - set or change PAM environment variable ++pam_putenv \- set or change PAM environment variable + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 15 +@@ -27,64 +27,64 @@ + \fBpam_putenv\fR + function is used to add or change the value of PAM environment variables as associated with the + \fIpamh\fR +-handle\. ++handle\&. + .PP + The + \fIpamh\fR +-argument is an authentication handle obtained by a prior call to pam_start()\. 
The ++argument is an authentication handle obtained by a prior call to pam_start()\&. The + \fIname_value\fR + argument is a single NUL terminated string of one of the following forms: + .PP + NAME=value of variable + .RS 4 + In this case the environment variable of the given NAME is set to the indicated value: +-\fIvalue of variable\fR\. If this variable is already known, it is overwritten\. Otherwise it is added to the PAM environment\. ++\fIvalue of variable\fR\&. If this variable is already known, it is overwritten\&. Otherwise it is added to the PAM environment\&. + .RE + .PP + NAME= + .RS 4 +-This function sets the variable to an empty value\. It is listed separately to indicate that this is the correct way to achieve such a setting\. ++This function sets the variable to an empty value\&. It is listed separately to indicate that this is the correct way to achieve such a setting\&. + .RE + .PP + NAME + .RS 4 + Without an \'=\' the +-\fBpam_putenv\fR() function will delete the corresponding variable from the PAM environment\. ++\fBpam_putenv\fR() function will delete the corresponding variable from the PAM environment\&. + .RE + .PP + + \fBpam_putenv\fR() operates on a copy of + \fIname_value\fR, which means in contrast to +-\fBputenv\fR(3), the application is responsible to free the data\. ++\fBputenv\fR(3), the application is responsible to free the data\&. + .SH "RETURN VALUES" + .PP + PAM_PERM_DENIED + .RS 4 + Argument + \fIname_value\fR +-given is a NULL pointer\. ++given is a NULL pointer\&. + .RE + .PP + PAM_BAD_ITEM + .RS 4 +-Variable requested (for deletion) is not currently set\. ++Variable requested (for deletion) is not currently set\&. + .RE + .PP + PAM_ABORT + .RS 4 + The + \fIpamh\fR +-handle is corrupt\. ++handle is corrupt\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-The environment variable was successfully updated\. 
++The environment variable was successfully updated\&. + .RE + .SH "SEE ALSO" + .PP +@@ -93,4 +93,4 @@ + \fBpam_getenv\fR(3), + \fBpam_getenvlist\fR(3), + \fBpam_strerror\fR(3), +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_putenv.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_putenv.3.xml ++++ pam.deb/doc/man/pam_putenv.3.xml +@@ -145,7 +145,7 @@ + pam_strerror3 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_strerror.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_strerror.3 ++++ pam.deb/doc/man/pam_strerror.3 +@@ -1,22 +1,22 @@ + .\" Title: pam_strerror + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_STRERROR" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_STRERROR" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_strerror - return string describing PAM error code ++pam_strerror \- return string describing PAM error code + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 25 +@@ -26,11 +26,11 @@ + The + \fBpam_strerror\fR + function returns a pointer to a string describing the error code passed in the argument +-\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language\. This string must not be modified by the application\. No library function will modify this string\. ++\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language\&. This string must not be modified by the application\&. No library function will modify this string\&. 
+ .SH "RETURN VALUES" + .PP +-This function returns always a pointer to a string\. ++This function returns always a pointer to a string\&. + .SH "SEE ALSO" + .PP + +-\fBpam\fR(8) ++\fBpam\fR(7) +Index: pam.deb/doc/man/pam_strerror.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_strerror.3.xml ++++ pam.deb/doc/man/pam_strerror.3.xml +@@ -51,7 +51,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam.deb/doc/man/pam_syslog.3 +=================================================================== +--- pam.deb.orig/doc/man/pam_syslog.3 ++++ pam.deb/doc/man/pam_syslog.3 +@@ -1,32 +1,32 @@ + .\" Title: pam_syslog + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SYSLOG" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_SYSLOG" "3" "07/27/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_syslog, pam_vsyslog - send messages to the system logger ++pam_syslog, pam_vsyslog \- send messages to the system logger + .SH "SYNOPSIS" + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .sp + .ft B + .nf +-#include ++#include + .fi + .ft + .HP 16 +-.BI "void pam_syslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "\.\.\." ");" ++.BI "void pam_syslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" + .HP 17 + .BI "void pam_vsyslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" + .SH "DESCRIPTION" +@@ -35,11 +35,11 @@ + \fBpam_syslog\fR + function logs messages using + \fBsyslog\fR(3) +-and is intended for internal use by Linux\-PAM and PAM service modules\. 
The ++and is intended for internal use by Linux\-PAM and PAM service modules\&. The + \fIpriority\fR + argument is formed by ORing the facility and the level values as documented in the + \fBsyslog\fR(3) +-manual page\. ++manual page\&. + .PP + The + \fBpam_vsyslog\fR +@@ -47,15 +47,15 @@ + \fBpam_syslog()\fR + with the difference that it takes a set of arguments which have been obtained using the + \fBstdarg\fR(3) +-variable argument list macros\. ++variable argument list macros\&. + .SH "SEE ALSO" + .PP + +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "STANDARDS" + .PP + The + \fBpam_syslog\fR + and + \fBpam_vsyslog\fR +-functions are Linux\-PAM extensions\. ++functions are Linux\-PAM extensions\&. +Index: pam.deb/doc/man/pam_syslog.3.xml +=================================================================== +--- pam.deb.orig/doc/man/pam_syslog.3.xml ++++ pam.deb/doc/man/pam_syslog.3.xml +@@ -66,7 +66,7 @@ + SEE ALSO + + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_userdb/pam_userdb.8 +=================================================================== +--- pam.deb.orig/modules/pam_userdb/pam_userdb.8 ++++ pam.deb/modules/pam_userdb/pam_userdb.8 +@@ -1,77 +1,77 @@ + .\" Title: pam_userdb + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_USERDB" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_USERDB" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_userdb - PAM module to authenticate against a db database ++pam_userdb \- PAM module to authenticate against a db database + .SH "SYNOPSIS" + .HP 14 +-\fBpam_userdb\.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only] 
++\fBpam_userdb\&.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only] + .SH "DESCRIPTION" + .PP +-The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\. ++The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\&. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\&. + .SH "OPTIONS" + .PP + \fBcrypt=[crypt|none]\fR + .RS 4 +-Indicates whether encrypted or plaintext passwords are stored in the database\. If it is ++Indicates whether encrypted or plaintext passwords are stored in the database\&. If it is + \fBcrypt\fR, passwords should be stored in the database in + \fBcrypt\fR(3) +-form\. If ++form\&. If + \fBnone\fR +-is selected, passwords should be stored in the database as plaintext\. ++is selected, passwords should be stored in the database as plaintext\&. + .RE + .PP + \fBdb=\fR\fB\fI/path/database\fR\fR + .RS 4 + Use the + \fI/path/database\fR +-database for performing lookup\. There is no default; the module will return ++database for performing lookup\&. There is no default; the module will return + \fBPAM_IGNORE\fR +-if no database is provided\. ++if no database is provided\&. + .RE + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBdump\fR + .RS 4 +-Dump all the entries in the database to the log\. Don\'t do this by default! ++Dump all the entries in the database to the log\&. Don\'t do this by default! + .RE + .PP + \fBicase\fR + .RS 4 +-Make the password verification to be case insensitive (ie when working with registration numbers and such)\. Only works with plaintext password storage\. 
++Make the password verification to be case insensitive (ie when working with registration numbers and such)\&. Only works with plaintext password storage\&. + .RE + .PP + \fBtry_first_pass\fR + .RS 4 +-Use the authentication token previously obtained by another module that did the conversation with the application\. If this token can not be obtained then the module will try to converse\. This option can be used for stacking different modules that need to deal with the authentication tokens\. ++Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will try to converse\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. + .RE + .PP + \fBuse_first_pass\fR + .RS 4 +-Use the authentication token previously obtained by another module that did the conversation with the application\. If this token can not be obtained then the module will fail\. This option can be used for stacking different modules that need to deal with the authentication tokens\. ++Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will fail\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. + .RE + .PP + \fBunknown_ok\fR + .RS 4 +-Do not return error when checking for a user that is not in the database\. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\. ++Do not return error when checking for a user that is not in the database\&. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\&. 
+ .RE + .PP + \fBkey_only\fR + .RS 4 +-The username and password are concatenated together in the database hash as \'username\-password\' with a random value\. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\. this is useful in cases where the username may not be unique but the username and password pair are\. ++The username and password are concatenated together in the database hash as \'username\-password\' with a random value\&. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\&. this is useful in cases where the username may not be unique but the username and password pair are\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +@@ -79,48 +79,48 @@ + \fBauth\fR + and + \fBaccount\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR + .RS 4 +-Authentication failure\. ++Authentication failure\&. + .RE + .PP + PAM_AUTHTOK_RECOVERY_ERR + .RS 4 +-Authentication information cannot be recovered\. ++Authentication information cannot be recovered\&. + .RE + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_CONV_ERR + .RS 4 +-Conversation failure\. ++Conversation failure\&. + .RE + .PP + PAM_SERVICE_ERR + .RS 4 +-Error in service module\. ++Error in service module\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Success\. ++Success\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known to the underlying authentication module\. ++User not known to the underlying authentication module\&. + .RE + .SH "EXAMPLES" + .sp + .RS 4 + .nf +-auth sufficient pam_userdb\.so icase db=/etc/dbtest\.db ++auth sufficient pam_userdb\&.so icase db=/etc/dbtest\&.db + + .fi + .RE +@@ -130,7 +130,7 @@ + \fBcrypt\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_userdb was written by Cristian Gafton >gafton@redhat\.com<\. 
++pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. +Index: pam.deb/modules/pam_userdb/pam_userdb.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_userdb/pam_userdb.8.xml ++++ pam.deb/modules/pam_userdb/pam_userdb.8.xml +@@ -277,7 +277,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_warn/pam_warn.8 +=================================================================== +--- pam.deb.orig/modules/pam_warn/pam_warn.8 ++++ pam.deb/modules/pam_warn/pam_warn.8 +@@ -1,28 +1,28 @@ + .\" Title: pam_warn + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_WARN" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_WARN" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_warn - PAM module which logs all PAM items if called ++pam_warn \- PAM module which logs all PAM items if called + .SH "SYNOPSIS" + .HP 12 +-\fBpam_warn\.so\fR ++\fBpam_warn\&.so\fR + .SH "DESCRIPTION" + .PP + pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to +-\fBsyslog\fR(3)\. The items are not probed for, but instead obtained from the standard PAM items\. The module always returns +-\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\. ++\fBsyslog\fR(3)\&. The items are not probed for, but instead obtained from the standard PAM items\&. The module always returns ++\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\&. + .SH "OPTIONS" + .PP +-This module does not recognise any options\. ++This module does not recognise any options\&. 
+ .SH "MODULE SERVICES PROVIDED" + .PP + The services +@@ -31,30 +31,30 @@ + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++are supported\&. + .SH "RETURN VALUES" + .PP + PAM_IGNORE + .RS 4 +-This module always returns PAM_IGNORE\. ++This module always returns PAM_IGNORE\&. + .RE + .SH "EXAMPLES" + .sp + .RS 4 + .nf +-#%PAM\-1\.0 ++#%PAM\-1\&.0 + # + # If we don\'t have config entries for a service, the +-# OTHER entries are used\. To be secure, warn and deny +-# access to everything\. +-other auth required pam_warn\.so +-other auth required pam_deny\.so +-other account required pam_warn\.so +-other account required pam_deny\.so +-other password required pam_warn\.so +-other password required pam_deny\.so +-other session required pam_warn\.so +-other session required pam_deny\.so ++# OTHER entries are used\&. To be secure, warn and deny ++# access to everything\&. ++other auth required pam_warn\&.so ++other auth required pam_deny\&.so ++other account required pam_warn\&.so ++other account required pam_deny\&.so ++other password required pam_warn\&.so ++other password required pam_deny\&.so ++other session required pam_warn\&.so ++other session required pam_deny\&.so + + .fi + .RE +@@ -63,7 +63,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_warn was written by Andrew G\. Morgan \. ++pam_warn was written by Andrew G\&. Morgan \&. 
+Index: pam.deb/modules/pam_warn/pam_warn.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_warn/pam_warn.8.xml ++++ pam.deb/modules/pam_warn/pam_warn.8.xml +@@ -89,7 +89,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.8 ++++ pam.deb/modules/pam_wheel/pam_wheel.8 +@@ -116,7 +116,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_wheel was written by Cristian Gafton \&. +Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam.deb/modules/pam_wheel/pam_wheel.8.xml +@@ -212,7 +212,7 @@ + pam.d8 + , + +- pam8 ++ pam7 + + + +Index: pam.deb/modules/pam_xauth/pam_xauth.8 +=================================================================== +--- pam.deb.orig/modules/pam_xauth/pam_xauth.8 ++++ pam.deb/modules/pam_xauth/pam_xauth.8 +@@ -1,67 +1,67 @@ + .\" Title: pam_xauth + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 07/27/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_XAUTH" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_XAUTH" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_xauth - PAM module to forward xauth keys between users ++pam_xauth \- PAM module to forward xauth keys between users + .SH "SYNOPSIS" + .HP 13 +-\fBpam_xauth\.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] ++\fBpam_xauth\&.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] 
[targetuser=\fIUID\fR] + .SH "DESCRIPTION" + .PP +-The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\. ++The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\&. + .PP + Without pam_xauth, when xauth is enabled and a user uses the + \fBsu\fR(1) +-command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\. ++command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\&. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\&. + .PP + This means, for example, that when you run + \fBsu\fR(1) + from an xterm sesssion, you will be able to run X programs without explicitly dealing with the + \fBxauth\fR(1) +-xauth command or ~/\.Xauthority files\. ++xauth command or ~/\&.Xauthority files\&. + .PP +-pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\. ++pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\&. + .PP + Primitive access control is provided by +-\fI~/\.xauth/export\fR ++\fI~/\&.xauth/export\fR + in the invoking user\'s home directory and +-\fI~/\.xauth/import\fR +-in the target user\'s home directory\. 
++\fI~/\&.xauth/import\fR ++in the target user\'s home directory\&. + .PP + If a user has a +-\fI~/\.xauth/import\fR +-file, the user will only receive cookies from users listed in the file\. If there is no +-\fI~/\.xauth/import\fR +-file, the user will accept cookies from any other user\. ++\fI~/\&.xauth/import\fR ++file, the user will only receive cookies from users listed in the file\&. If there is no ++\fI~/\&.xauth/import\fR ++file, the user will accept cookies from any other user\&. + .PP + If a user has a +-\fI\.xauth/export\fR +-file, the user will only forward cookies to users listed in the file\. If there is no +-\fI~/\.xauth/export\fR ++\fI\&.xauth/export\fR ++file, the user will only forward cookies to users listed in the file\&. If there is no ++\fI~/\&.xauth/export\fR + file, and the invoking user is not +-\fBroot\fR, the user will forward cookies to any other user\. If there is no +-\fI~/\.xauth/export\fR ++\fBroot\fR, the user will forward cookies to any other user\&. If there is no ++\fI~/\&.xauth/export\fR + file, and the invoking user is + \fBroot\fR, the user will + \fInot\fR +-forward cookies to other users\. ++forward cookies to other users\&. + .PP + Both the import and export files support wildcards (such as +-\fI*\fR)\. Both the import and export files can be empty, signifying that no users are allowed\. ++\fI*\fR)\&. Both the import and export files can be empty, signifying that no users are allowed\&. + .SH "OPTIONS" + .PP + \fBdebug\fR + .RS 4 +-Print debug information\. ++Print debug information\&. + .RE + .PP + \fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR +@@ -70,58 +70,58 @@ + \fI/usr/X11R6/bin/xauth\fR, + \fI/usr/bin/xauth\fR, or + \fI/usr/bin/X11/xauth\fR +-by default)\. ++by default)\&. + .RE + .PP + \fBsystemuser=\fR\fB\fIUID\fR\fR + .RS 4 +-Specify the highest UID which will be assumed to belong to a "system" user\. 
pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\. ++Specify the highest UID which will be assumed to belong to a "system" user\&. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\&. + .RE + .PP + \fBtargetuser=\fR\fB\fIUID\fR\fR + .RS 4 +-Specify a single target UID which is exempt from the systemuser check\. ++Specify a single target UID which is exempt from the systemuser check\&. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++service is supported\&. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR + .RS 4 +-Memory buffer error\. ++Memory buffer error\&. + .RE + .PP + PAM_PERM_DENIED + .RS 4 +-Permission denied by import/export file\. ++Permission denied by import/export file\&. + .RE + .PP + PAM_SESSION_ERR + .RS 4 +-Cannot determine user name, UID or access users home directory\. ++Cannot determine user name, UID or access users home directory\&. + .RE + .PP + PAM_SUCCESS + .RS 4 +-Success\. ++Success\&. + .RE + .PP + PAM_USER_UNKNOWN + .RS 4 +-User not known\. ++User not known\&. + .RE + .SH "EXAMPLES" + .PP + Add the following line to +-\fI/etc/pam\.d/su\fR ++\fI/etc/pam\&.d/su\fR + to forward xauth keys between users when calling su: + .sp + .RS 4 + .nf +-session optional pam_xauth\.so ++session optional pam_xauth\&.so + + .fi + .RE +@@ -131,24 +131,24 @@ + pam_xauth will work + \fIonly\fR + if it is used from a setuid application in which the +-\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\. The typical application of this type is +-\fBsu\fR(1)\. 
The application must call both ++\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\&. The typical application of this type is ++\fBsu\fR(1)\&. The application must call both + \fBpam_open_session\fR() and +-\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\. ++\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\&. + .PP + pam_xauth calls + \fBxauth\fR(1) +-as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\. ++as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\&. + .PP +-pam_xauth cannot be told to not remove the keys when the session is closed\. ++pam_xauth cannot be told to not remove the keys when the session is closed\&. + .SH "FILES" + .PP +-\fI~/\.xauth/import\fR ++\fI~/\&.xauth/import\fR + .RS 4 + XXX + .RE + .PP +-\fI~/\.xauth/export\fR ++\fI~/\&.xauth/export\fR + .RS 4 + XXX + .RE +@@ -157,7 +157,7 @@ + + \fBpam.conf\fR(5), + \fBpam.d\fR(8), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP +-pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\. Johnson \. ++pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\&. Johnson \&. 
+Index: pam.deb/modules/pam_xauth/pam_xauth.8.xml
+===================================================================
+--- pam.deb.orig/modules/pam_xauth/pam_xauth.8.xml
++++ pam.deb/modules/pam_xauth/pam_xauth.8.xml
+@@ -276,7 +276,7 @@
+ pam.d8
+ ,
+
+- pam8
++ pam7
+
+
+
--- pam-1.0.1.orig/debian/patches-applied/pam_unix-chkpwd-wait
+++ pam-1.0.1/debian/patches-applied/pam_unix-chkpwd-wait
@@ -0,0 +1,22 @@
+Index: pam.deb/modules/pam_unix/support.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/support.c
++++ pam.deb/modules/pam_unix/support.c
+@@ -504,7 +504,16 @@
+ pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
+ retval = PAM_AUTH_ERR;
+ } else {
+- retval = WEXITSTATUS(retval);
++ if (WIFEXITED(retval))
++ retval = WEXITSTATUS(retval);
++ else {
++ if (WIFSIGNALED(retval))
++ pam_syslog(pamh, LOG_ERR, "unix_chkpwd exited on signal %d",
++ WTERMSIG(retval));
++ else
++ pam_syslog(pamh, LOG_ERR, "unix_chkpwd died unexpectedly");
++ retval = PAM_AUTH_ERR;
++ }
+ }
+ } else {
+ D(("fork failed"));
--- pam-1.0.1.orig/debian/patches-applied/ubuntu-regression_fix_securetty
+++ pam-1.0.1/debian/patches-applied/ubuntu-regression_fix_securetty
@@ -0,0 +1,13 @@
+Index: pam-0.99.7.1/Linux-PAM/modules/pam_securetty/pam_securetty.c
+===================================================================
+--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_securetty/pam_securetty.c 2007-09-12 15:18:49.000000000 -0700
++++ pam-0.99.7.1/Linux-PAM/modules/pam_securetty/pam_securetty.c 2007-09-12 15:19:37.000000000 -0700
+@@ -83,7 +83,7 @@
+
+ user_pwd = pam_modutil_getpwnam(pamh, username);
+ if (user_pwd == NULL) {
+- return PAM_USER_UNKNOWN;
++ return PAM_IGNORE;
+ } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
+ securetty's does not apply
+ to them */
--- pam-1.0.1.orig/debian/patches-applied/autoconf.patch
+++ pam-1.0.1/debian/patches-applied/autoconf.patch
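Review bot: The nested `if`/`else` inside the new `else {` branch of the pam_unix-chkpwd-wait patch is unbraced and one arm is a two-line `pam_syslog` call, which is easy to misread in a path that decides an authentication result. I would brace both arms and put a short comment such as `/* helper did not exit normally: fail closed */` above `retval = PAM_AUTH_ERR;`. On the normal-exit arm, `retval = WEXITSTATUS(retval);` still hands the helper's exit status back as a PAM return code without checking it; whether every status unix_chkpwd can return is a valid PAM code is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.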
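Review bot: `return PAM_IGNORE;` for a user that `pam_modutil_getpwnam()` cannot find carries no comment in the ubuntu-regression_fix_securetty patch, and the consequence is security-relevant. With PAM_IGNORE this module no longer contributes a failure for unknown accounts, so rejecting them depends entirely on the other modules in the stack. I would add a comment at that line, for example `/* unknown user: leave the verdict to the other modules in the stack */`, and a header in the patch file naming the regression it restores, since the file has no description. The function body continues outside the hunk.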
@@ -0,0 +1,520 @@ +The process for refreshing this patch is: + + export QUILT_PATCHES=debian/patches-applied + quilt push autoconf.patch # to get everything applied up to this point + quilt push -f autoconf.patch # to override the errors when applying + autoheader && aclocal -I m4 && automake && autoconf + quilt refresh + find . -name '*.rej' | xargs rm + +Index: pam.deb/Makefile.in +=================================================================== +--- pam.deb.orig/Makefile.in ++++ pam.deb/Makefile.in +@@ -39,7 +39,7 @@ + DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in $(srcdir)/config.h.in \ + $(top_srcdir)/configure ABOUT-NLS AUTHORS COPYING ChangeLog \ +- INSTALL NEWS compile config.guess config.rpath config.sub \ ++ INSTALL NEWS TODO compile config.guess config.rpath config.sub \ + depcomp install-sh ltmain.sh missing mkinstalldirs ylwrap + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ +Index: pam.deb/aclocal.m4 +=================================================================== +--- pam.deb.orig/aclocal.m4 ++++ pam.deb/aclocal.m4 +@@ -21,7 +21,7 @@ + + # libtool.m4 - Configure libtool for the host system. 
-*-Autoconf-*- + +-# serial 52 AC_PROG_LIBTOOL ++# serial 52 Debian 1.5.26-4 AC_PROG_LIBTOOL + + + # AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED) +@@ -1723,6 +1723,18 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + ++netbsdelf*-gnu) ++ version_type=linux ++ need_lib_prefix=no ++ need_version=no ++ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' ++ soname_spec='${libname}${release}${shared_ext}$major' ++ shlibpath_var=LD_LIBRARY_PATH ++ shlibpath_overrides_runpath=no ++ hardcode_into_libs=yes ++ dynamic_linker='NetBSD ld.elf_so' ++ ;; ++ + netbsd*) + version_type=sunos + need_lib_prefix=no +@@ -2504,7 +2516,7 @@ + lt_cv_deplibs_check_method=pass_all + ;; + +-netbsd*) ++netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + else +@@ -3511,7 +3523,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= +@@ -5203,7 +5215,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + ;; + osf3* | osf4* | osf5*) + case $cc_basename in +@@ -5580,6 +5592,9 @@ + cygwin* | mingw*) + _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' + ;; ++ linux* | k*bsd*-gnu) ++ _LT_AC_TAGVAR(link_all_deplibs, $1)=no ++ ;; + *) + _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + ;; +@@ -5788,12 +5803,13 @@ + $echo "local: *; };" >> 
$output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ _LT_AC_TAGVAR(link_all_deplibs, $1)=no + else + _LT_AC_TAGVAR(ld_shlibs, $1)=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -6224,7 +6240,7 @@ + _LT_AC_TAGVAR(link_all_deplibs, $1)=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +Index: pam.deb/configure +=================================================================== +--- pam.deb.orig/configure ++++ pam.deb/configure +@@ -4780,7 +4780,7 @@ + lt_cv_deplibs_check_method=pass_all + ;; + +-netbsd*) ++netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' + else +@@ -8611,12 +8611,13 @@ + $echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ link_all_deplibs=no + else + ld_shlibs=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -9159,7 +9160,7 @@ + link_all_deplibs=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -9870,6 +9871,18 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + ++netbsdelf*-gnu) ++ 
version_type=linux ++ need_lib_prefix=no ++ need_version=no ++ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' ++ soname_spec='${libname}${release}${shared_ext}$major' ++ shlibpath_var=LD_LIBRARY_PATH ++ shlibpath_overrides_runpath=no ++ hardcode_into_libs=yes ++ dynamic_linker='NetBSD ld.elf_so' ++ ;; ++ + netbsd*) + version_type=sunos + need_lib_prefix=no +@@ -10710,7 +10723,7 @@ + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext < conftest.$ac_ext </dev/null; then + archive_cmds_CXX='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= +@@ -13102,7 +13115,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + ;; + osf3* | osf4* | osf5*) + case $cc_basename in +@@ -13211,11 +13224,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:13214: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:13227: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:13218: \$? = $ac_status" >&5 ++ echo "$as_me:13231: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -13315,11 +13328,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:13318: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:13331: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:13322: \$? = $ac_status" >&5 ++ echo "$as_me:13335: \$? 
= $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -13387,6 +13400,9 @@ + cygwin* | mingw*) + export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;/^.*[ ]__nm__/s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + ;; ++ linux* | k*bsd*-gnu) ++ link_all_deplibs_CXX=no ++ ;; + *) + export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + ;; +@@ -13833,6 +13849,18 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + ++netbsdelf*-gnu) ++ version_type=linux ++ need_lib_prefix=no ++ need_version=no ++ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' ++ soname_spec='${libname}${release}${shared_ext}$major' ++ shlibpath_var=LD_LIBRARY_PATH ++ shlibpath_overrides_runpath=no ++ hardcode_into_libs=yes ++ dynamic_linker='NetBSD ld.elf_so' ++ ;; ++ + netbsd*) + version_type=sunos + need_lib_prefix=no +@@ -14898,11 +14926,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:14901: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:14929: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:14905: \$? = $ac_status" >&5 ++ echo "$as_me:14933: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. 
+@@ -15002,11 +15030,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:15005: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:15033: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:15009: \$? = $ac_status" >&5 ++ echo "$as_me:15037: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -15267,12 +15295,13 @@ + $echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ link_all_deplibs_F77=no + else + ld_shlibs_F77=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -15795,7 +15824,7 @@ + link_all_deplibs_F77=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -16454,6 +16483,18 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + ++netbsdelf*-gnu) ++ version_type=linux ++ need_lib_prefix=no ++ need_version=no ++ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' ++ soname_spec='${libname}${release}${shared_ext}$major' ++ shlibpath_var=LD_LIBRARY_PATH ++ shlibpath_overrides_runpath=no ++ hardcode_into_libs=yes ++ dynamic_linker='NetBSD ld.elf_so' ++ ;; ++ + netbsd*) + version_type=sunos + need_lib_prefix=no +@@ -17209,11 +17250,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 
's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:17212: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17253: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:17216: \$? = $ac_status" >&5 ++ echo "$as_me:17257: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -17499,11 +17540,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:17502: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17543: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:17506: \$? = $ac_status" >&5 ++ echo "$as_me:17547: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -17603,11 +17644,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:17606: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17647: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:17610: \$? = $ac_status" >&5 ++ echo "$as_me:17651: \$? 
= $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -17868,12 +17909,13 @@ + $echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ link_all_deplibs_GCJ=no + else + ld_shlibs_GCJ=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -18416,7 +18458,7 @@ + link_all_deplibs_GCJ=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -19075,6 +19117,18 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + ++netbsdelf*-gnu) ++ version_type=linux ++ need_lib_prefix=no ++ need_version=no ++ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' ++ soname_spec='${libname}${release}${shared_ext}$major' ++ shlibpath_var=LD_LIBRARY_PATH ++ shlibpath_overrides_runpath=no ++ hardcode_into_libs=yes ++ dynamic_linker='NetBSD ld.elf_so' ++ ;; ++ + netbsd*) + version_type=sunos + need_lib_prefix=no +Index: pam.deb/modules/pam_namespace/Makefile.in +=================================================================== +--- pam.deb.orig/modules/pam_namespace/Makefile.in ++++ pam.deb/modules/pam_namespace/Makefile.in +@@ -41,7 +41,7 @@ + host_triplet = @host@ + @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map + subdir = modules/pam_namespace +-DIST_COMMON = $(noinst_HEADERS) $(srcdir)/Makefile.am \ ++DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in + ACLOCAL_M4 = 
$(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ +Index: pam.deb/modules/pam_securetty/Makefile.in +=================================================================== +--- pam.deb.orig/modules/pam_securetty/Makefile.in ++++ pam.deb/modules/pam_securetty/Makefile.in +@@ -65,8 +65,8 @@ + securelibLTLIBRARIES_INSTALL = $(INSTALL) + LTLIBRARIES = $(securelib_LTLIBRARIES) + pam_securetty_la_DEPENDENCIES = +-pam_securetty_la_SOURCES = pam_securetty.c +-pam_securetty_la_OBJECTS = pam_securetty.lo ++am_pam_securetty_la_OBJECTS = pam_securetty.lo tty_secure.lo ++pam_securetty_la_OBJECTS = $(am_pam_securetty_la_OBJECTS) + DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) + depcomp = $(SHELL) $(top_srcdir)/depcomp + am__depfiles_maybe = depfiles +@@ -79,8 +79,8 @@ + LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +-SOURCES = pam_securetty.c +-DIST_SOURCES = pam_securetty.c ++SOURCES = $(pam_securetty_la_SOURCES) ++DIST_SOURCES = $(pam_securetty_la_SOURCES) + man8dir = $(mandir)/man8 + NROFF = nroff + MANS = $(man_MANS) +@@ -258,6 +258,10 @@ + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + @ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README + all: all-am + +@@ -329,6 +333,7 @@ + -rm -f *.tab.c + + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_securetty.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tty_secure.Plo@am__quote@ + + .c.o: + @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +Index: pam.deb/modules/pam_unix/Makefile.in +=================================================================== +--- pam.deb.orig/modules/pam_unix/Makefile.in ++++ pam.deb/modules/pam_unix/Makefile.in +@@ -71,10 +71,10 @@ + 
"$(DESTDIR)$(man8dir)" + securelibLTLIBRARIES_INSTALL = $(INSTALL) + LTLIBRARIES = $(securelib_LTLIBRARIES) +-pam_unix_la_DEPENDENCIES = ++pam_unix_la_DEPENDENCIES = ../pam_securetty/tty_secure.lo + am_pam_unix_la_OBJECTS = bigcrypt.lo pam_unix_acct.lo pam_unix_auth.lo \ + pam_unix_passwd.lo pam_unix_sess.lo support.lo passverify.lo \ +- yppasswd_xdr.lo md5_good.lo md5_broken.lo ++ yppasswd_xdr.lo md5_good.lo md5_broken.lo obscure.lo + pam_unix_la_OBJECTS = $(am_pam_unix_la_OBJECTS) + pam_unix_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ +@@ -307,13 +307,14 @@ + pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module \ + $(am__append_2) + pam_unix_la_LIBADD = @LIBNSL@ -L$(top_builddir)/libpam -lpam \ +- @LIBCRYPT@ @LIBSELINUX@ ++ @LIBCRYPT@ @LIBSELINUX@ \ ++ ../pam_securetty/tty_secure.lo + + securelib_LTLIBRARIES = pam_unix.la + noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c ++ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) +@@ -449,6 +450,7 @@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_broken.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_good.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/obscure.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_acct.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_auth.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_passwd.Plo@am__quote@ --- pam-1.0.1.orig/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch +++ 
pam-1.0.1/debian/patches-applied/pam_unix_thread-safe_save_old_password.patch 
@@ -0,0 +1,70 @@
+Patch to keep save_old_password() thread-safe when called by the PAM
+module, since nothing blocks other threads from calling getpwnam in
+parallel
+
+Authors: Steve Langasek
+
+Upstream status: committed to CVS
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -535,9 +535,15 @@
+ }
+ #endif
+
++#ifdef HELPER_COMPILE
+ int
+ save_old_password(const char *forwho, const char *oldpass,
+ int howmany)
++#else
++int
++save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
++ int howmany)
++#endif
+ {
+ static char buf[16384];
+ static char nbuf[16384];
+@@ -653,7 +659,7 @@
+ fclose(opwfile);
+
+ if (!found) {
+- pwd = getpwnam(forwho);
++ pwd = pam_modutil_getpwnam(pamh, forwho);
+ if (pwd == NULL) {
+ err = 1;
+ } else {
+Index: pam.deb/modules/pam_unix/passverify.h
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.h
++++ pam.deb/modules/pam_unix/passverify.h
+@@ -33,9 +33,15 @@
+ void
+ unlock_pwdf(void);
+
++#ifdef HELPER_COMPILE
+ int
+ save_old_password(const char *forwho, const char *oldpass,
+ int howmany);
++#else
++int
++save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
++ int howmany);
++#endif
+
+ #ifdef HELPER_COMPILE
+ void
+Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
++++ pam.deb/modules/pam_unix/pam_unix_passwd.c
+@@ -378,7 +378,7 @@
+ return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember);
+ #endif
+ /* first, save old password */
+- if (save_old_password(forwho, fromwhat, remember)) {
++ if (save_old_password(pamh, forwho, fromwhat, remember)) {
+ retval = PAM_AUTHTOK_ERR;
+ goto done;
+ }
---
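Review bot: The context lines of the first passverify.c hunk still show `static char buf[16384];` and `static char nbuf[16384];` at the top of `save_old_password()`, so swapping `getpwnam()` for `pam_modutil_getpwnam()` removes only one piece of shared state from the function the description calls thread-safe. Two threads entering it concurrently would share those buffers unless callers serialise on something not visible here (passverify.h declares `unlock_pwdf()`, so a lock may exist — to be confirmed). If no lock covers the whole call, drop `static` in the non-helper build or allocate the buffers per call. The function body runs beyond the hunk.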
pam-1.0.1.orig/debian/patches-applied/054_pam_security_abstract_securetty_handling
+++ pam-1.0.1/debian/patches-applied/054_pam_security_abstract_securetty_handling
@@ -0,0 +1,216 @@ +Index: pam.deb/modules/pam_securetty/pam_securetty.c +=================================================================== +--- pam.deb.orig/modules/pam_securetty/pam_securetty.c ++++ pam.deb/modules/pam_securetty/pam_securetty.c +@@ -1,8 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" +- + /* + * by Elliot Lee , Red Hat Software. + * July 25, 1996. +@@ -37,6 +34,9 @@ + #include + #include + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + + static int +@@ -67,11 +67,7 @@ + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -101,63 +97,13 @@ + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { +- uttyname += sizeof(TTY_PREFIX)-1; +- } +- +- if (stat(SECURETTY_FILE, &ttyfileinfo)) { +- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +- return PAM_SUCCESS; /* for compatibility with old securetty handling, +- this needs to succeed. But we still log the +- error. 
*/ +- } +- +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { +- /* If the file is world writable or is not a +- normal file, return error */ +- pam_syslog(pamh, LOG_ERR, +- "%s is either world writable or not a normal file", +- SECURETTY_FILE); +- return PAM_AUTH_ERR; +- } +- +- ttyfile = fopen(SECURETTY_FILE,"r"); +- if (ttyfile == NULL) { /* Check that we opened it successfully */ +- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); +- return PAM_SERVICE_ERR; +- } +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') +- ttyfileline[strlen(ttyfileline) - 1] = '\0'; +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); +- } +- fclose(ttyfile); +- +- if (retval) { +- pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", +- uttyname); +- +- retval = PAM_AUTH_ERR; +- } else { +- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { +- pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", +- username, uttyname); +- } +- retval = PAM_SUCCESS; +- ++ retval = _pammodutil_tty_secure(pamh, uttyname); ++ if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { ++ pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", ++ username, uttyname); ++ } else if (retval != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", ++ uttyname); + } + + return retval; +Index: pam.deb/modules/pam_securetty/tty_secure.c +=================================================================== +--- /dev/null ++++ pam.deb/modules/pam_securetty/tty_secure.c +@@ -0,0 +1,90 @@ ++/* ++ * A function to determine if a particular line is in /etc/securetty ++ */ ++ ++ ++#define SECURETTY_FILE "/etc/securetty" 
++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_securetty by Sam Hartman ++ * */ ++/* ++ * by Elliot Lee , Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 1996/12/3 ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", ++ SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. 
*/ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ pam_syslog(pamh, LOG_ERR, ++ "%s is either world writable or not a normal file", ++ SECURETTY_FILE); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ } ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} +Index: pam.deb/modules/pam_securetty/Makefile.am +=================================================================== +--- pam.deb.orig/modules/pam_securetty/Makefile.am ++++ pam.deb/modules/pam_securetty/Makefile.am +@@ -23,6 +23,10 @@ + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml --- pam-1.0.1.orig/debian/patches-applied/ubuntu-rlimit_nice_correction +++ pam-1.0.1/debian/patches-applied/ubuntu-rlimit_nice_correction 
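Review bot: In the new `_pammodutil_tty_secure()` the second half of the match, `strcmp(ptname, uttyname)`, compares two strings built from the same input (`ptname` is `"pts/"` followed by `uttyname`), so it can never return zero and the `pts/N` alias is never matched against a line of /etc/securetty. The same expression is in the code removed from pam_securetty.c, so it is carried over rather than introduced here. The comparison presumably should be against the file line, `&& (!ptname[0] || strcmp(ptname, ttyfileline)) );`; as written it fails closed, and correcting it widens what the check accepts, so it needs a test with a numeric PAM_TTY. Separately, the `stat()` mode test runs on the path before `fopen()` opens it; calling `fstat(fileno(ttyfile), &ttyfileinfo)` after the open would check the file that is actually read.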
@@ -0,0 +1,17 @@
+Index: pam-0.99.7.1/Linux-PAM/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_limits/pam_limits.c 2007-09-05 15:41:41.000000000 -0700
++++ pam-0.99.7.1/Linux-PAM/modules/pam_limits/pam_limits.c 2007-09-05 15:42:40.000000000 -0700
+@@ -271,6 +271,12 @@
+ pl->limits[i].limit.rlim_cur = 8192*1024;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
++#ifdef RLIMIT_NICE
++ case RLIMIT_NICE:
++ pl->limits[i].limit.rlim_cur = 20;
++ pl->limits[i].limit.rlim_max = 20;
++ break;
++#endif
+ }
+ }
+ }
--- pam-1.0.1.orig/debian/local/common-auth.md5sums
+++ pam-1.0.1/debian/local/common-auth.md5sums
@@ -0,0 +1,4 @@
+933d757dcd5974b00619f68955743be7 /etc/pam.d/common-auth
+b58d8e0a6cadbf879df94869cca6be98 /etc/pam.d/common-auth
+088442eac95e5d27310cba44cb730ec0 /etc/pam.d/common-auth
+29ab94f243130f6866512c2880a74c9c /etc/pam.d/common-auth
--- pam-1.0.1.orig/debian/local/common-auth
+++ pam-1.0.1/debian/local/common-auth
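Review bot: The `20` assigned to both `rlim_cur` and `rlim_max` in the added `case RLIMIT_NICE:` branch is unexplained and easy to misread as a nice level. On Linux the nice ceiling is computed as 20 minus the limit, so 20 corresponds to a ceiling of nice 0: a process may return to the default priority but not go below it. A comment above the assignments, for example `/* ceiling is 20 - rlim_cur, so 20 caps the process at nice 0 */`, would record that. The enclosing switch and function start outside this hunk, so whether a later limits.conf entry overrides this default is not visible here.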
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$auth_primary
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$auth_additional
+# end of pam-auth-update config
--- pam-1.0.1.orig/debian/local/pam.conf
+++ pam-1.0.1/debian/local/pam.conf
@@ -0,0 +1,15 @@
+# ---------------------------------------------------------------------------#
+# /etc/pam.conf #
+# ---------------------------------------------------------------------------#
+#
+# NOTE
+# ----
+#
+# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
+# PAM service modules. This file is used only if that directory does not exist.
+# ---------------------------------------------------------------------------#
+
+# Format:
+# serv. module ctrl module [path] ...[args..] #
+# name type flag #
+
--- pam-1.0.1.orig/debian/local/common-account.md5sums
+++ pam-1.0.1/debian/local/common-account.md5sums
@@ -0,0 +1 @@
+9f04221fe44762047894adeb96ffd069 debian/local/common-account
--- pam-1.0.1.orig/debian/local/common-session
+++ pam-1.0.1/debian/local/common-session
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$session_primary
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$session_additional
+# end of pam-auth-update config
--- pam-1.0.1.orig/debian/local/common-password.md5sums
+++ pam-1.0.1/debian/local/common-password.md5sums
@@ -0,0 +1,5 @@
+601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password
+e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password
+5d518818f1c6c369040b782f7852f53e /etc/pam.d/common-password
+8537a9c7dc11a585d537fe5226c3ea81 /etc/pam.d/common-password
+fae12ff334c6ed4b88541dae1a98334c /etc/pam.d/common-password
--- pam-1.0.1.orig/debian/local/pam_getenv
+++ pam-1.0.1/debian/local/pam_getenv
@@ -0,0 +1,123 @@ +#!/usr/bin/perl -w + +=head1 NAME + +pam_getenv - get environment variables from /etc/environment + +=head1 SYNOPSIS + +pam_getenv B<[-l] [-s]> I + +=head1 DESCRIPTION + +This tool will print out the value of I from F. It will attempt to expand environment variable references in the definition of I but will fail if PAM items are expanded. + +The B<-l> option indicates the script should return an environment variable related to default locale information. + +The B<-s> option indicates that the script should return an +system default environment variable. + +Currently neither the B<-l> or B<-s> options do anything. They are +included because future versions of Debian may have a separate +repository for the initial environment used by init scripts and for +system locale information. These options will allow this script to be +a stable interface even in that environment. + +=cut + +# Copyright 2004 by Sam Hartman +# This script may be copied under the terms of the GNU GPL +# version 2, or at your option any later version. 
+ +use strict; +use vars qw(*CONFIGFILE *ENVFILE); + +sub read_line($) { + my $fh = shift; + my $line; + local $_; + line: while (<$fh>) { + chomp; + s/^\s+//; +s/\#.*$//; + next if $_ eq ""; + if (s/\\\s*$//) { + $line .= $_; + next line; + } + + $line .= $_; + last; + } + $line; + +} + + +sub parse_line($) { + my $var; + my (%x, @x); + local $_ = shift; + return undef unless defined $_ and s/(\S+)\s//; + $var->{Name} = $1; + s/^\s*//; + @x = split(/=([^"\s]\S*|"[^"]*")\s*/, $_); + unless (scalar(@x)%2 == 0) { + push @x, undef; + } + %x = @x; + @{$var}{"Default", "Override"} = + @x{"DEFAULT", "OVERRIDE"}; + $var; +} + +sub expand_val($) { + my ($val) = @_; +return undef unless $val; + die "Cannot handle PAM items\n" if /(?{Override})) { + $val = expand_val($var->{Default}); + } + $allvars{$var->{Name}} = $val; +} + +if (open (ENVFILE, "/etc/environment")) { + while (my $line = read_line(\*ENVFILE)) { + $line =~ s/^export //; + $line =~ /(.*?)=(.+)/ or next; + my ($var, $val) = ($1, $2); + # This is bizarre logic (" and ' match each other, quotes are only + # significant at the start and end of the string, and the trailing quote + # may be omitted), but it's what pam_env does. + $val =~ s/^["'](.*?)["']?$/$1/; + $allvars{$var} = $val; + } +} + +if (exists $allvars{$lookup}) { + print $allvars{$lookup}, "\n"; + exit(0); +} --- pam-1.0.1.orig/debian/local/other +++ pam-1.0.1/debian/local/other 
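Review bot: A lookup that finds nothing exits with status 0 and prints nothing, because the script simply ends after the final `if (exists $allvars{$lookup})` block; a caller cannot tell an unset variable from a value it failed to read. The `if (open (ENVFILE, "/etc/environment"))` test also has no else branch, so an unreadable file is silently treated as empty. Ending the script with `exit(1);` after that block would make the miss visible, provided existing callers do not rely on the zero status. Part of this hunk's text (the body of `expand_val` and the start of the main program) is missing from the page, so this covers only the visible tail.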
@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used. If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We fall back to the system default in /etc/pam.d/common-*
+#
+
+@include common-auth
+@include common-account
+@include common-password
+@include common-session
--- pam-1.0.1.orig/debian/local/pam-auth-update
+++ pam-1.0.1/debian/local/pam-auth-update
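Review bot: The fallback stack for services without their own file is the full `common-*` set, so a PAM-aware program that nobody configured is authenticated under the normal system policy instead of being refused, and the header comment does not say that this was chosen over deny-by-default. A comment before the `@include` lines, for example `# Unconfigured services get the standard system policy; replace these includes with pam_deny.so lines for deny-by-default.`, would make the trade-off visible to administrators hardening the host.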
@@ -0,0 +1,677 @@ +#!/usr/bin/perl -w + +# pam-auth-update: update /etc/pam.d/common-* from /usr/share/pam-configs +# +# Update the /etc/pam.d/common-* files based on the per-package profiles +# provided in /usr/share/pam-configs/ taking into consideration user's +# preferences (as determined via debconf prompting). +# +# Written by Steve Langasek +# +# Copyright (C) 2008 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of version 3 of the GNU General Public License as +# published by the Free Software Foundation. +# +# # This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +# USA. 
+ +use strict; +use Debconf::Client::ConfModule ':all'; +use IPC::Open2 'open2'; + +version('2.0'); +my $capb=capb('backup'); + +my $inputdir = '/usr/share/pam-configs'; +my $template = 'libpam-runtime/profiles'; +my $errtemplate = 'libpam-runtime/conflicts'; +my $overridetemplate = 'libpam-runtime/override'; +my $confdir = '/etc/pam.d'; +my $savedir = '/var/lib/pam'; +my (%profiles, @sorted, @enabled, @conflicts, %removals); +my $force = 0; +my $priority = 'high'; +my %md5sums = ( + 'auth' => [ + '8d4fe17e66ba25de16a117035d1396aa', + '1fd1e8e87cef1c13898410d830229122', + ], + 'account' => [ + '3c0c362eaf3421848b679d63fd48c3fa', + '8a29dc79152ce8441aa90a8f8650d076', + ], + 'password' => [ + '4bd7610f2e85f8ddaef79c7db7cb49eb', + '50fce2113dfda83ac8bdd5a6e706caec', + '9ba753d0824276b44bcadfee1f87b6bc', + '86180c1552203d9b58582cf547309d01', + '6d14efb5c3306c6896b9acf434932808', + ], + 'session' => [ + '240fb92986c885b327cdb21dd641da8c', + '1bd2f3e86f552c57f5ee013b93ffca2b', + '06cffe624c9bb7d9a7b5891c8a0f94b2', + '4a25673e8b36f1805219027d3be02cd2', + ], +); + +opendir(DIR, $inputdir) || die "could not open config directory: $!"; +while (my $profile = readdir(DIR)) { + next if ($profile eq '.' || $profile eq '..'); + %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile); +} +closedir DIR; + +# use a '--force' arg to specify that /etc/pam.d should be overwritten; +# used only on upgrades where the postinst has already determined that the +# checksums match. Module packages other than libpam-runtime itself must +# NEVER use this option! Document with big skullses and crossboneses! It +# needs to be exposed for libpam-runtime because that's the package that +# decides whether we have a pristine config to be converted, and knows +# whether the version being upgraded from is one for which the conversion +# should be done. 
+ +while ($#ARGV >= 0) { + my $opt = shift; + if ($opt eq '--force') { + $force = 1; + } elsif ($opt eq '--package') { + $priority = 'medium'; + } elsif ($opt eq '--remove') { + while ($#ARGV >= 0) { + last if ($ARGV[0] =~ /^--/); + $removals{shift @ARGV} = 1; + } + # --remove implies --package + $priority = 'medium' if (keys(%removals)); + } +} + +x_loadtemplatefile('/var/lib/dpkg/info/libpam-runtime.templates','libpam-runtime'); + +# always sort by priority, so we have consistency and don't have to +# shuffle later +@sorted = sort { $profiles{$b}->{'Priority'} <=> $profiles{$a}->{'Priority'} + || $b cmp $a } + keys(%profiles); +# If we're being called for package removal, filter out those options here +@sorted = grep { !$removals{$_} } @sorted; + +subst($template, 'profile_names', join(', ',@sorted)); +subst($template, 'profiles', + join(', ', map { $profiles{$_}->{'Name'} } @sorted)); + +my $diff = diff_profiles($confdir,$savedir); + +if ($diff) { + @enabled = grep { !$removals{$_} } @{$diff->{'mods'}}; +} else { + @enabled = split(/, /,get($template)); +} + +# find out what we've seen, so we can ignore those defaults +my %seen; +if (-e $savedir . '/seen') { + open(SEEN,$savedir . 
'/seen'); + while () { + chomp; + $seen{$_} = 1; + } + close(SEEN); +} + +# filter out any options that are no longer available for any reason +@enabled = grep { $profiles{$_} } @enabled; + +# an empty module set is an error, so in that case grab all the defaults +if (!@enabled) { + %seen = (); + $priority = 'high' unless ($force); +} + +# add any previously-unseen configs +push(@enabled, + grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted); +@enabled = sort { $profiles{$b}->{'Priority'} <=> $profiles{$a}->{'Priority'} + || $b cmp $a } + @enabled; +my $prev = ''; +@enabled = grep { $_ ne $prev && (($prev) = $_) } @enabled; + + +fset($template,'seen','false'); +set($template,join(', ', @enabled)); + +# if diff_profiles() fails, and we weren't passed a 'force' argument +# (because this isn't an upgrade from an old version, or the checksum +# didn't match, or we're being called by some other module package), prompt +# the user whether to override. If the user declines (the default), we +# never again manage this config unless manually called with '--force'. +if (!$diff && !$force) { + input('high',$overridetemplate); + go(); + $force = 1 if (get($overridetemplate) eq 'true'); +} + +if (!$diff && !$force) { + print STDERR <= 0; $i--) + { + my $conflict = $enabled[$i]; + if ($profiles{$elem}->{'Conflicts'}->{$conflict}) { + splice(@enabled,$i,1); + my $desc = $profiles{$elem}->{'Name'} + . ', ' . $profiles{$conflict}->{'Name'}; + push(@conflicts,$desc); + } + } + } + if (@conflicts) { + subst($errtemplate, 'conflicts', join("\n", @conflicts)); + input('high',$errtemplate); + } + fset($template,'seen','false'); + set($template, join(', ', @enabled)); +} while (@conflicts); + +# the decision has been made about what configs to use, so even if +# something fails after this, we shouldn't go munging the default +# options again. Save the list of known configs to /var/lib/pam. 
+open(SEEN,"> $savedir/seen"); +for my $i (@sorted) { + print SEEN "$i\n"; +} +close(SEEN); + +# @enabled now contains our list of profiles to use for piecing together +# a config +# we have: +# - templates into which we insert the specialness +# - magic comments denoting the beginning and end of our managed block; +# looking at only the functional config lines would potentially let us +# handle more cases, at the expense of much greater complexity, so +# pass on this at least for the first round +# - a representation of the autogenerated config stored in /var/lib/pam, +# that we can diff against in order to account for changed options or +# manually dropped modules +# - a hash describing the local modifications the user has made to the +# config; these are always preserved unless manually overridden with +# the --force option + +write_profiles(\%profiles, \@enabled, $confdir, $savedir, $diff, $force); + + +# take a single line from a stock config, and merge it with the +# information about local admin edits +sub merge_one_line +{ + my ($line,$diff,$count) = @_; + my (@opts,$modline); + + my ($adds,$removes); + + $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/; + + @opts = split(/\s+/,$3); + $modline = $1; + $modline =~ s/end/$count/g; + if ($diff) { + my $mod = $modline; + $mod =~ s/[0-9]+//g; + $adds = \%{$diff->{'add'}{$mod}}; + $removes = \%{$diff->{'remove'}{$mod}}; + } else { + $adds = $removes = undef; + } + + for (my $i = 0; $i <= $#opts; $i++) { + if ($adds->{$opts[$i]}) { + delete $adds->{$opts[$i]}; + } + if ($removes->{$opts[$i]}) { + splice(@opts,$i,1); + $i--; + } + } + return $modline . " " . join(' ',@opts,keys(%{$adds})) . "\n"; +} + +# return the lines for a given config name, type, and position in the stack +sub lines_for_module_and_type +{ + my ($profiles, $mod, $type, $modpos) = @_; + if ($modpos == 0 && $profiles->{$mod}{$type . '-Initial'}) { + return $profiles->{$mod}{$type . 
'-Initial'}; + } + return $profiles->{$mod}{$type}; +} + +# create a single PAM config from the indicated template and selections, +# writing to a new file +sub create_from_template +{ + my($template,$dest,$profiles,$enabled,$diff,$type) = @_; + my $state = 0; + my $uctype = ucfirst($type); + + open(INPUT,$template) || return 0; + open(OUTPUT,">$dest") || return 0; + + while () { + if ($state == 1) { + if (/^# here's the fallback if no module succeeds/) { + print OUTPUT; + $state++; + } + next; + } + if ($state == 3) { + if (/^# end of pam-auth-update config/) { + print OUTPUT; + $state++; + } + next; + } + + print OUTPUT; + + my ($pattern,$val); + if ($state == 0) { + $pattern = '^# here are the per-package modules \(the "Primary" block\)'; + $val = 'Primary'; + } elsif ($state == 2) { + $pattern = '^# and here are more per-package modules \(the "Additional" block\)'; + $val = 'Additional'; + } else { + next; + } + + if (/$pattern/) { + my $i = 0; + my $count = 0; + # first we need to get a count of lines that we're + # going to output, so we can fix up the jumps correctly + for my $mod (@{$enabled}) { + my $output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if $profiles->{$mod}{$uctype . '-Type'} ne $val; + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + # bypasses a perl warning about @_, sigh + my @tmparr = split("\n+",$output); + $count += @tmparr; + } + + # in case anything tries to jump in the 'additional' + # block, let's try not to jump off the stack... + $count-- if ($val eq 'Additional'); + + # no primary block, so output a stock pam_permit line + # to keep the stack intact + if ($val eq 'Primary' && $count == 0) + { + print OUTPUT "$type\t[default=1]\t\t\tpam_permit.so\n"; + } + + $i = 0; + for my $mod (@{$enabled}) { + my $output; + my @output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if $profiles->{$mod}{$uctype . 
'-Type'} ne $val; + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + for my $line (split("\n",$output)) { + $line = merge_one_line($line,$diff, + $count); + print OUTPUT "$type\t$line"; + $count--; + } + } + $state++; + } + } + close(INPUT); + close(OUTPUT); + + if ($state < 4) { + unlink($dest); + return 0; + } + return 1; +} + +# take a template file, strip out everything between the markers, and +# return the md5sum of the remaining contents. Used for testing for +# local modifications of the boilerplate. +sub get_template_md5sum +{ + my($template) = @_; + my $state = 0; + + open(INPUT,$template) || return ''; + my($md5sum_fd,$output_fd); + my $pid = open2($md5sum_fd, $output_fd, 'md5sum'); + return '' if (!$pid); + + while () { + if ($state == 1) { + if (/^# here's the fallback if no module succeeds/) { + print $output_fd $_; + $state++; + } + next; + } + if ($state == 3) { + if (/^# end of pam-auth-update config/) { + print $output_fd $_; + $state++; + } + next; + } + + print $output_fd $_; + + my ($pattern,$val); + if ($state == 0) { + $pattern = '^# here are the per-package modules \(the "Primary" block\)'; + } elsif ($state == 2) { + $pattern = '^# and here are more per-package modules \(the "Additional" block\)'; + } else { + next; + } + + if (/$pattern/) { + $state++; + } + } + close(INPUT); + close($output_fd); + my $md5sum = <$md5sum_fd>; + close($md5sum_fd); + waitpid $pid, 0; + + $md5sum = (split(/\s+/,$md5sum))[0]; + return $md5sum; +} + +# merge a set of module declarations into a set of new config files, +# using the information returned from diff_profiles(). +sub write_profiles +{ + my($profiles,$enabled,$confdir,$savedir,$diff,$force) = @_; + + if (! -d $savedir) { + mkdir($savedir); + } + + # because we can't atomically replace both /var/lib/pam/$foo and + # /etc/pam.d/common-$foo at the same time, take steps to make this + # somewhat robust + for my $type ('auth','account','password','session') { + my $target = $confdir . 
'/common-' . $type; + my $template = $target; + my $dest = $template . '.pam-new'; + + my $diff = $diff; + if ($diff) { + $diff = \%{$diff->{$type}}; + } + + # Detect if the template is unmodified, and if so, use + # the version from /usr/share. Depends on knowing the + # md5sums of the originals. + my $md5sum = get_template_md5sum($template); + for my $i (@{$md5sums{$type}}) { + if ($md5sum eq $i) { + $template = '/usr/share/pam/common-' . $type; + last; + } + } + + # first, write out the new config + if (!create_from_template($template,$dest,$profiles,$enabled, + $diff,$type)) + { + if (!$force) { + return 0; + } + $template = '/usr/share/pam/common-' . $type; + if (!create_from_template($template,$dest,$profiles, + $enabled,$diff,$type)) + { + return 0; + } + } + + # then write out the saved config + if (!open(OUTPUT, "> $savedir/$type.new")) { + unlink($dest); + return 0; + } + my $i = 0; + my $uctype = ucfirst($type); + for my $mod (@{$enabled}) { + my $output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if ($profiles->{$mod}{$uctype . '-Type'} eq 'Additional'); + + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + if ($output) { + print OUTPUT "Module: $mod\n"; + print OUTPUT $output . "\n"; + } + } + + # no primary block, so output a stock pam_permit line + if ($i == 0) + { + print OUTPUT "Module: null\n"; + print OUTPUT "[default=1]\t\t\tpam_permit.so\n"; + } + + $i = 0; + for my $mod (@{$enabled}) { + my $output; + next if (!$profiles->{$mod}{$uctype . '-Type'}); + next if ($profiles->{$mod}{$uctype . '-Type'} eq 'Primary'); + + $output = lines_for_module_and_type($profiles, $mod, $uctype, $i++); + if ($output) { + print OUTPUT "Module: $mod\n"; + print OUTPUT $output . "\n"; + } + } + + close(OUTPUT); + + # then do the renames, back-to-back + # we have to use system because File::Copy is in + # perl-modules, not perl-base + if (-e "$target" && $force) { + system('cp','-f',$target,$target . 
'.pam-old'); + } + rename($dest,$target); + rename("$savedir/$type.new","$savedir/$type"); + } + + # at the end of a successful write, reset the 'seen' flag and the + # value of the debconf override question. + fset($overridetemplate,'seen','false'); + set($overridetemplate,'false'); +} + +# reconcile the current config in /etc/pam.d with the saved ones in +# /var/lib/pam; returns a hash of profile names and the corresponding +# options that should be added/removed relative to the stock config. +# returns false if any of the markers are missing that permit a merge, +# or on any other failure. +sub diff_profiles +{ + my ($sourcedir,$savedir) = @_; + my (%diff); + + @{$diff{'mods'}} = (); + # Load the saved config from /var/lib/pam, then iterate through all + # lines in the current config that are in the managed block. + # If anything fails here, just return immediately since we then + # have nothing to merge; instead, the caller will decide later + # whether to force an overwrite. + for my $type ('auth','account','password','session') { + my (@saved,$modname); + + open(SAVED,$savedir . '/' . $type) || return 0; + while () { + if (/^Module: (.*)/) { + $modname = $1; + next; + } + chomp; + # trim out the destination of any jumps; this saves + # us from having to re-parse everything just to fix + # up the jump lengths, when changes to these will + # already show up as inconsistencies elsewhere + s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g; + s/(\[.*)end(.*\])/$1$2/g; + my (@temp) = ($modname,$_); + push(@saved,\@temp); + } + close(SAVED); + + my $state = 0; + my (@prev_opts,$curmod); + + open(CURRENT,$sourcedir . '/common-' . 
$type) || return 0; + while () { + if ($state == 0) { + $state = 1 + if (/^# here are the per-package modules \(the "Primary" block\)/); + next; + } + if ($state == 1) { + s/^$type\s+//; + if (/^# here's the fallback if no module succeeds/) { + $state = 2; + next; + } + } + if ($state == 2) { + $state = 3 + if (/^# and here are more per-package modules \(the "Additional" block\)/); + next; + } + if ($state == 3) { + last if (/^# end of pam-auth-update config/); + s/^$type\s+//; + } + + my $found = 0; + my $curopts; + while (!$found && $#saved >= 0) { + my $line; + ($modname,$line) = @{$saved[0]}; + shift(@saved); + $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/; + @prev_opts = split(/\s+/,$3); + $curmod = $1; + # FIXME: the key isn't derived from the config + # name, so collisions are possible if more + # than one config references the same module + + $_ =~ s/(\[[^0-9]*)[0-9]+(.*\])/$1$2/g; + # check if this is a match for the current line + if ($_ =~ /^\Q$curmod\E\s*(.*)$/) { + $found = 1; + $curopts = $1; + push(@{$diff{'mods'}},$modname); + } + } + + # there's a line in the live config that doesn't + # correspond to anything from the saved config. + # treat this as a failure; it's very error-prone + # to decide what to do with an added line that + # didn't come from a package. 
+ return 0 if (!$found); + + for my $opt (split(/\s+/,$curopts)) { + my $found = 0; + for (my $i = 0; $i <= $#prev_opts; $i++) { + if ($prev_opts[$i] eq $opt) { + $found = 1; + splice(@prev_opts,$i,1); + } + } + $diff{$type}{'add'}{$curmod}{$opt} = 1 if (!$found); + } + for my $opt (@prev_opts) { + $diff{$type}{'remove'}{$curmod}{$opt} = 1; + } + } + close(CURRENT); + + # we couldn't parse the config, so the merge fails + return 0 if ($state < 3); + } + return \%diff; +} + +# simple function to parse a provided config file, in pseudo-RFC822 +# format, +sub parse_pam_profile +{ + my ($profile) = $_[0]; + my $fieldname; + my %profile; + open(PROFILE, $profile) || die "could not read profile $profile: $!"; + while () { + if (/^(\S+):\s+(.*)$/) { + $fieldname = $1; + # compatibility with the first implementation round; + # "Auth-Final" is now just called "Auth" + $fieldname =~ s/-Final$//; + if ($fieldname eq 'Conflicts') { + foreach my $elem (split(/, /, $2)) { + $profile{'Conflicts'}->{$elem} = 1; + } + } else { + $profile{$fieldname} = $2; + } + } else { + chomp; + s/^\s+//; + $profile{$fieldname} .= "\n$_"; + $profile{$fieldname} =~ s/^[\n\s]+//; + } + } + close(PROFILE); + return %profile; +} --- pam-1.0.1.orig/debian/local/common-password +++ pam-1.0.1/debian/local/common-password 
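Review bot: Write errors on the generated PAM files are never checked, so a short write can be renamed into `/etc/pam.d`. In `create_from_template` the `print OUTPUT` calls and `close(OUTPUT)` are unchecked and only the marker state is tested before returning 1, and in `write_profiles` both `rename(...)` calls and the `cp -f` backup ignore their results; a truncated `common-auth` could, depending on where it is cut, lose its `pam_deny.so` fallback line. Checking the close, `close(OUTPUT) || do { unlink($dest); return 0; };`, and the renames, `rename($dest,$target) || return 0;`, would keep the old file in place on failure. The top-level call to `write_profiles` also discards its return value, and `open(SEEN,"> $savedir/seen")` is unchecked and runs before `write_profiles` creates `$savedir`.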
@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$password_primary
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$password_additional
+# end of pam-auth-update config
--- pam-1.0.1.orig/debian/local/Debian-PAM-MiniPolicy
+++ pam-1.0.1/debian/local/Debian-PAM-MiniPolicy
@@ -0,0 +1,135 @@ +Author: Ben Collins +Modified by: Sam Hartman + +Objective: To document a base set of policies regarding PAM (Pluggable +Authentication Modules) usage in Debian packages. + +=========================================================================== + +In order to have a consistent and stable implementation across packages +that use PAM, these guidelines will help to avoid some common mistakes and +be usable as a cross reference for FAQ's. + +This document will not go into the details of how to add PAM usage to +existing code, please read the documentation in the libpam-doc package for +info on this, however it does specify behavior needed to make sure PAM +modules in Debian will work with your application. + +================== + PAM Applications +================== + +Each application that uses PAM also must contain a file in +/etc/pam.d/. This file specifies which PAM modules will be used for +the common PAM functions in that application. There are several notes +concerning what modules to use in this file. Most commonly, this file +should use the @include directive to include common-auth, +common-session, common-account and common-password. Under some +circumstances (such as ftp auth, or auth based on tty) other modules +will be required. + +Here is an example of a PAM configuration file that just includes the common module fragments: + # + # /etc/pam.d/other - specify the PAM fallback behaviour + # + # Note that this file is used for any unspecified service; for example + #if /etc/pam.d/cron specifies no session modules but cron calls + #pam_open_session, the session module out of /etc/pam.d/other is + #used. If you really want nothing to happen then use pam_permit.so or + #pam_deny.so as appropriate. 
+ + # We fall back to the system default in /etc/pam.d/common-* + # + + @include common-auth + @include common-account + @include common-password + @include common-session + + +The name of this file is determined by the call to pam_start() in the +application source code. The first parameter will be a string containing +the "service" name (eg. "login", "httpd", etc..). Please make sure that +the filename coincides with this parameter. + +The file should _not_ reference the full path of the modules. It only needs +to reference the basename (eg. "pam_unix.so"). This will ensure that the +program continues to work even if the module location changes, since +libpam itself will resolve the location. + +You should not use the pam_stack module in the pam config file. +It's not currently in Debian so it won't work. While I cannot stop +someone from packaging pam_stack for Debian, I will try to convince +them that it is not the direction we want. Pam_stack (among other +faults) uses different pam handles for each step in the process--the +handle used for session management is not the same as the handle used +for authentication. This breaks several modules. We have an alternate +solution for shared PAM configuration across modules, in the form of +the @include directive. + + +Currently libpam-modules is in the base setup, so it's dependency is not +needed (since the library depends on the correct version). However, if any +modules other than the base set in libpam-modules are used, that package +must be depended on. + +Applications need to depend on libpam-runtime (>= 0.76-14) to +guarantee that /etc/pam.d/common-* exist. + + +The pam_unix.so module allows programs to verify the authentication of the +uid of the calling process without any set bits (uid or gid). NOTE: this +means the user executing the program, you cannot authenticate against other +users without suid root (root makes sure the NIS and NIS+ works too) or +at least sgid shadow (wont work in the above cases). 
Most notably this +affects programs like apache from being able to use PAM with much success +since it runs as www-data which has no priviledges and cannot use pam_unix.so +to auth against other users. On the other hand is does allow program like +vlock to auth (but not auth the root password). + +The application needs to follow the following rules to make sure PAM +modules work: + +1) Use the same PAM handle for all operations. This means it is not OK +to call pam_start once for authentication and then later for session +management. Modules need to be able to store pam_data between entry +points. + +2) The pam_open_session and pam_setcred calls must be made in a parent +process of the eventual session. They need to be able to enfluence +the environment of the session. + +3) If you are started as root or have root privs for some other +reason, pam_open_session and pam_setcred should be called while still +root. + +4) Implied by 1, make sure that pam_close_session and pam_end are +called in the same process or a process decended from the execution +context as pam_open_session and pam_setcred. The pam_close_session +call may need state stored in the handle by the open session entry +point to clean up properly. The pam_finish call may need to free data +(thus influencing system state in some cases) allocated in the earlier +calls. + + + +============= + PAM Modules +============= + +Separately packaged pam modules should adhere to a few basic setup rules: + + 1) Packages should use the naming scheme of `libpam-' (eg. + libpam-ldap). + + 2) The modules should be located in the directory of the most recent + libpam-modules (currently /lib/security). + + 3) The module should be named as pam_.so. The module should not + contain a version suffix. + + 4) The module should be linked to libpam (-lpam) when compiled so that + proper version dependencies will work. + + 5) Any config files should be located in /etc/security. The filename + will be in the form of .conf. 
--- pam-1.0.1.orig/debian/local/pam-auth-update.8 +++ pam-1.0.1/debian/local/pam-auth-update.8 
@@ -0,0 +1,101 @@
+.\" Copyright (C) 2008 Canonical Ltd.
+.\"
+.\" Author: Steve Langasek
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of version 3 of the GNU General Public License as
+.\" published by the Free Software Foundation.
+.\"
+.\" .\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+.\" USA.
+.TH "PAM\-AUTH\-UPDATE" "8" "08/23/2008" "Debian"
+.SH NAME
+pam\-auth\-update - manage PAM configuration using packaged profiles
+.SH SYNOPSIS
+.B pam\-auth\-update
+.RB [ \-\-package " [" \-\-remove
+.IR profile " [" profile\fR... "]]]"
+.RB [ \-\-force ]
+.SH DESCRIPTION
+.I pam\-auth\-update
+is a utility that permits configuring the central authentication policy
+for the system using pre-defined profiles as supplied by PAM module
+packages.
+Profiles shipped in the
+.I /usr/share/pam\-configs/
+directory specify the modules, with options, to enable; the preferred
+ordering with respect to other profiles; and whether a profile should be
+enabled by default.
+Packages providing PAM modules register their profiles at install time
+by calling
+.BR "pam\-auth\-update \-\-package" .
+Selection of profiles is done using the standard debconf interface.
+The profile selection question will be asked at `medium' priority when
+packages are added or removed, so no user interaction is required by
+default.
+Users may invoke
+.B pam\-auth\-update
+directly to change their authentication configuration.
+.PP
+The script makes every effort to respect local changes to
+.IR "/etc/pam.d/common-*".
+Local modifications to the list of module options will be preserved, and
+additions of modules within the managed portion of the stack will cause
+.B pam\-auth\-update
+to treat the config files as locally modified and not make further
+changes to the config files unless given the
+.B \-\-force
+option.
+.PP
+If the user specifies that
+.B pam\-auth\-update
+should override local configuration changes, the locally-modified files
+will be saved in
+.I /etc/pam.d/
+with a suffix of
+.IR "\.pam\-old" .
+.SH OPTIONS
+.TP
+.B \-\-package
+Indicate that the caller is a package maintainer script; lowers the
+priority of debconf questions to `medium' so that the user is not
+prompted by default.
+.TP
+.B \-\-remove \fIprofile \fR[\fIprofile\fR...]
+Remove the specified profiles from the system configuration.
+.B pam\-auth\-update \-\-remove
+should be used to remove profiles from the configuration before the
+modules they reference are removed from disk, to ensure that PAM is in a
+consistent and usable state at all times during package upgrades or
+removals.
+.TP
+.B \-\-force
+Overwrite the current PAM configuration, without prompting.
+This option
+.B must not
+be used by package maintainer scripts; it is intended for use by
+administrators only.
+.SH FILES
+.PP
+.I /etc/pam.d/common\-*
+.RS 4
+Global configuration of PAM, affecting all installed services.
+.RE
+.PP
+.I /usr/share/pam\-configs/
+.RS 4
+Package-supplied authentication profiles.
+.RE
+.SH AUTHOR
+Steve Langasek
+.SH COPYRIGHT
+Copyright (C) 2008 Canonical Ltd.
+.SH "SEE ALSO"
+PAM(7), pam.d(5), debconf(7)
--- pam-1.0.1.orig/debian/local/common-account
+++ pam-1.0.1/debian/local/common-account
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+$account_primary
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$account_additional
+# end of pam-auth-update config
--- pam-1.0.1.orig/debian/local/common-session.md5sums
+++ pam-1.0.1/debian/local/common-session.md5sums
@@ -0,0 +1,2 @@
+f7579c375b4f4d51ce36aa74718194f3 /etc/pam.d/common-session
+4845c1632b3561a9debe8d59be1b238e /etc/pam.d/common-session
--- pam-1.0.1.orig/debian/pam-configs/cracklib
+++ pam-1.0.1/debian/pam-configs/cracklib
@@ -0,0 +1,9 @@
+Name: Cracklib password strength checking
+Default: yes
+Priority: 1024
+Conflicts: unix-zany
+Password-Type: Primary
+Password:
+ requisite pam_cracklib.so retry=3 minlen=8 difok=3
+Password-Initial:
+ requisite pam_cracklib.so retry=3 minlen=8 difok=3
--- pam-1.0.1.orig/debian/pam-configs/unix
+++ pam-1.0.1/debian/pam-configs/unix
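Review bot: `minlen=8` on the `Password:` and `Password-Initial:` lines of the debian/pam-configs/cracklib profile does not enforce an eight-character minimum on its own, because pam_cracklib counts character-class credits toward `minlen` and the credit options are left at their defaults here. With those defaults a password that mixes digits, upper case, lower case and other characters can be accepted with fewer than eight characters. Since the profile is `Default: yes`, this becomes the password policy wherever the profile is installed. If a real eight-character floor is intended, I would set the credits explicitly on both lines, e.g. `requisite pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0`, or raise `minlen` to compensate.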
@@ -0,0 +1,23 @@
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so nullok_secure try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so nullok_secure
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure sha512
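Review bot: `nullok_secure` on the `Auth:` and `Auth-Initial:` lines means an account whose password field is empty can still authenticate when the request comes from a terminal listed in /etc/securetty, and this profile is `Default: yes` in the primary auth block. That is presumably a deliberate compatibility default, but nothing in the profile says so, and an administrator reading the generated common-auth will only see the bare option. I would describe the behaviour in the package's README or NEWS, together with the advice to audit /etc/shadow for empty password fields. For installs that never want empty-password logins the option can be dropped, so that the `Auth:` line reads `[success=end default=ignore] pam_unix.so try_first_pass`.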