From 9987222f7b65b1c9b7984bb5e79f21226feef28b3e6ab3f0ca0f6754a7f6943d Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Thu, 2 Apr 2009 15:28:15 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=27 --- Linux-PAM-1.0.2-SUSE-docs.tar.bz2 | 3 - Linux-PAM-1.0.2.tar.bz2 | 3 - Linux-PAM-1.0.91-docs.tar.bz2 | 3 + Linux-PAM-1.0.91.tar.bz2 | 3 + Linux-PAM-docu-generated.diff | 15318 --------------------------- Linux-PAM-docu.diff | 1620 --- cvs.diff | 2333 ++++ libpam-password-requisite.diff | 49 - pam-1.0.0-selinux-env-params.patch | 561 - pam-1.0.1-namespace-create.patch | 679 -- pam.changes | 24 + pam.spec | 93 +- pam_cracklib-no-pwhistory.diff | 88 - pam_lastlog.diff | 325 - pam_limits-doc.diff | 23 - pam_limits-logging.diff | 125 - pam_mail.diff | 49 - pam_pwhistory-0.1.diff | 1725 --- pam_pwhistory-type.diff | 102 - pam_sepermit.diff | 17 - pam_tally-deprecated.diff | 55 + pam_tally-fdleak.diff | 37 - pam_tally.diff | 173 - pam_tally2.diff | 1622 --- pam_time.diff | 18 - pam_xauth-XAUTHLOCALHOSTNAME.diff | 54 - pam_xauth.diff | 26 - 27 files changed, 2459 insertions(+), 22669 deletions(-) delete mode 100644 Linux-PAM-1.0.2-SUSE-docs.tar.bz2 delete mode 100644 Linux-PAM-1.0.2.tar.bz2 create mode 100644 Linux-PAM-1.0.91-docs.tar.bz2 create mode 100644 Linux-PAM-1.0.91.tar.bz2 delete mode 100644 Linux-PAM-docu-generated.diff delete mode 100644 Linux-PAM-docu.diff create mode 100644 cvs.diff delete mode 100644 libpam-password-requisite.diff delete mode 100644 pam-1.0.0-selinux-env-params.patch delete mode 100644 pam-1.0.1-namespace-create.patch delete mode 100644 pam_cracklib-no-pwhistory.diff delete mode 100644 pam_lastlog.diff delete mode 100644 pam_limits-doc.diff delete mode 100644 pam_limits-logging.diff delete mode 100644 pam_mail.diff delete mode 100644 pam_pwhistory-0.1.diff delete mode 100644 pam_pwhistory-type.diff delete mode 100644 pam_sepermit.diff create mode 100644 pam_tally-deprecated.diff delete mode 100644 pam_tally-fdleak.diff delete mode 100644 pam_tally.diff delete mode 100644 pam_tally2.diff delete mode 100644 pam_time.diff delete mode 100644 pam_xauth-XAUTHLOCALHOSTNAME.diff delete mode 100644 pam_xauth.diff diff --git a/Linux-PAM-1.0.2-SUSE-docs.tar.bz2 b/Linux-PAM-1.0.2-SUSE-docs.tar.bz2 deleted file mode 100644 index 28cfd32..0000000 --- a/Linux-PAM-1.0.2-SUSE-docs.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:82a4195effbfd56af6eb3dd80de9690c1fef3fa8b9c25457037d3d591d15dcd9 -size 468691 diff --git a/Linux-PAM-1.0.2.tar.bz2 b/Linux-PAM-1.0.2.tar.bz2 deleted file mode 100644 index a4087f8..0000000 --- a/Linux-PAM-1.0.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1f85b4ed494c73b43fcfb195758ee6570615fd6e5f7cf09fd27644a1838019ae -size 980339 diff --git a/Linux-PAM-1.0.91-docs.tar.bz2 b/Linux-PAM-1.0.91-docs.tar.bz2 new file mode 100644 index 0000000..4dd19e1 --- /dev/null +++ b/Linux-PAM-1.0.91-docs.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c6e610cae207e7af87ab471228ab3311536a27f061d86dd0c75413ae8f96d09 +size 498156 diff --git a/Linux-PAM-1.0.91.tar.bz2 b/Linux-PAM-1.0.91.tar.bz2 new file mode 100644 index 0000000..2c3765c --- /dev/null +++ b/Linux-PAM-1.0.91.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b729820717cbf07a7ab07672180d070ce384ac923cc2129904fdc975342a35c4 +size 1112332 diff --git a/Linux-PAM-docu-generated.diff b/Linux-PAM-docu-generated.diff deleted file mode 100644 index 40ae346..0000000 --- a/Linux-PAM-docu-generated.diff +++ /dev/null @@ -1,15318 +0,0 @@ ---- Linux-PAM-1.0.2-orig/doc/man/pam_getenv.3 2008-04-16 11:09:52.000000000 +0200 -+++ Linux-PAM-1.0.2/doc/man/pam_getenv.3 2009-01-20 12:00:42.000000000 +0100 -@@ -1,39 +1,202 @@ - .\" Title: pam_getenv --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_GETENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_GETENV" "3" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_getenv - get a PAM environment variable --.SH "SYNOPSIS" -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_getenv \- get a PAM environment variable -+.SH "Synopsis" - .sp - .ft B -+.fam C -+.ps -1 - .nf --#include -+#include - .fi -+.fam -+.ps +1 - .ft --.HP 23 -+.fam C -+.HP \w'const\ char\ *pam_getenv('u - .BI "const char *pam_getenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ");" -+.fam - .SH "DESCRIPTION" - .PP - The - \fBpam_getenv\fR - function searches the PAM environment list as associated with the handle - \fIpamh\fR --for a string that matches the string pointed to by --\fIname\fR\. The return values are of the form: "\fIname=value\fR"\. -+for an item that matches the string pointed to by -+\fIname\fR -+and returns the value of the environment variable\&. - .SH "RETURN VALUES" - .PP - The - \fBpam_getenv\fR --function returns NULL on failure\. -+function returns NULL on failure\&. - .SH "SEE ALSO" - .PP - ---- Linux-PAM-1.0.2-orig/doc/man/pam_prompt.3 2008-04-16 11:09:59.000000000 +0200 -+++ Linux-PAM-1.0.2/doc/man/pam_prompt.3 2009-01-20 12:00:43.000000000 +0100 -@@ -1,53 +1,219 @@ - .\" Title: pam_prompt --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_PROMPT" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_PROMPT" "3" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_prompt, pam_vprompt - interface to conversation function --.SH "SYNOPSIS" -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_prompt, pam_vprompt \- interface to conversation function -+.SH "Synopsis" - .sp - .ft B -+.fam C -+.ps -1 - .nf --#include -+#include - .fi -+.fam -+.ps +1 - .ft --.HP 16 --.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "\.\.\." ");" --.HP 17 -+.fam C -+.HP \w'void\ pam_prompt('u -+.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" -+.fam -+.fam C -+.HP \w'void\ pam_vprompt('u - .BI "void pam_vprompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" -+.fam - .SH "DESCRIPTION" - .PP - The - \fBpam_prompt\fR --function constructs a message from the specified format string and arguments and passes it to -+function constructs a message from the specified format string and arguments and passes it to the conversation function as set by the service\&. Upon successful return, -+\fIresponse\fR -+is set to point to a string returned from the conversation function\&. This string is allocated on heap and should be freed\&. - .SH "RETURN VALUES" - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_CONV_ERR - .RS 4 --Conversation failure\. -+Conversation failure\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Transaction was successful created\. -+Transaction was successful created\&. - .RE - .PP - PAM_SYSTEM_ERR - .RS 4 --System error\. -+System error\&. - .RE - .SH "SEE ALSO" - .PP -@@ -60,4 +226,4 @@ - \fBpam_prompt\fR - and - \fBpam_vprompt\fR --functions are Linux\-PAM extensions\. -+functions are Linux\-PAM extensions\&. ---- Linux-PAM-1.0.2-orig/modules/pam_access/pam_access.8 2008-04-16 11:06:35.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_access/pam_access.8 2009-01-20 11:58:09.000000000 +0100 -@@ -1,103 +1,265 @@ - .\" Title: pam_access --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHORS" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_ACCESS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_ACCESS" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_access - PAM module for logdaemon style login access control --.SH "SYNOPSIS" --.HP 14 --\fBpam_access\.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_access \- PAM module for logdaemon style login access control -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_access\&.so\fR\ 'u -+\fBpam_access\&.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_access PAM module is mainly for access management\. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\. -+The pam_access PAM module is mainly for access management\&. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\&. - .PP - By default rules for access management are taken from config file --\fI/etc/security/access\.conf\fR --if you don\'t specify another file\. -+\FC/etc/security/access\&.conf\F[] -+if you don\'t specify another file\&. - .PP --If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\. -+If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\&. - .SH "OPTIONS" - .PP --\fBaccessfile=\fR\fB\fI/path/to/access\.conf\fR\fR -+\fBaccessfile=\fR\fB\fI/path/to/access\&.conf\fR\fR - .RS 4 - Indicate an alternative --\fIaccess\.conf\fR --style configuration file to override the default\. This can be useful when different services need different access lists\. -+\FCaccess\&.conf\F[] -+style configuration file to override the default\&. This can be useful when different services need different access lists\&. - .RE - .PP - \fBdebug\fR - .RS 4 - A lot of debug informations are printed with --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBnoaudit\fR - .RS 4 --Do not report logins from disallowed hosts and ttys to the audit subsystem\. -+Do not report logins from disallowed hosts and ttys to the audit subsystem\&. - .RE - .PP - \fBfieldsep=\fR\fB\fIseparators\fR\fR - .RS 4 --This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\. For example: -+This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\&. For example: - \fBfieldsep=|\fR --will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the -+will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\&. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the - \fBPAM_TTY\fR --item is likely to be of the form "hostname:0" which includes a `:\' character in its value\. But you should not need this\. -+item is likely to be of the form "hostname:0" which includes a `:\' character in its value\&. But you should not need this\&. - .RE - .PP - \fBlistsep=\fR\fB\fIseparators\fR\fR - .RS 4 --This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\. For example: -+This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\&. For example: - \fBlistsep=,\fR --will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\. -+will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\&. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\&. - .RE - .PP - \fBnodefgroup\fR - .RS 4 --The group database will not be used for tokens not identified as account name\. -+The group database will not be used for tokens not identified as account name\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --All services are supported\. -+All module types (\fBauth\fR, -+\fBaccount\fR, -+\fBpassword\fR -+and -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --Access was granted\. -+Access was granted\&. - .RE - .PP - PAM_PERM_DENIED - .RS 4 --Access was not granted\. -+Access was not granted\&. - .RE - .PP - PAM_IGNORE - .RS 4 - - \fBpam_setcred\fR --was called which does nothing\. -+was called which does nothing\&. - .RE - .PP - PAM_ABORT - .RS 4 --Not all relevant data or options could be gotten\. -+Not all relevant data or options could be gotten\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --The user is not known to the system\. -+The user is not known to the system\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/access\.conf\fR -+\FC/etc/security/access\&.conf\F[] - .RS 4 - Default configuration file - .RE -@@ -105,8 +267,8 @@ - .PP - - \fBaccess.conf\fR(5), --\fBpam.d\fR(8), --\fBpam\fR(8)\. -+\fBpam.d\fR(5), -+\fBpam\fR(8)\&. - .SH "AUTHORS" - .PP --The logdaemon style login access control scheme was designed and implemented by Wietse Venema\. The pam_access PAM module was developed by Alexei Nogin \. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \. -+The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin \&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \&. ---- Linux-PAM-1.0.2-orig/modules/pam_cracklib/pam_cracklib.8 2008-04-16 11:06:38.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.8 2009-01-20 11:58:12.000000000 +0100 -@@ -1,33 +1,191 @@ - .\" Title: pam_cracklib --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_CRACKLIB" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_CRACKLIB" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_cracklib - PAM module to check the password against dictionary words --.SH "SYNOPSIS" --.HP 16 --\fBpam_cracklib\.so\fR [\fI\.\.\.\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_cracklib \- PAM module to check the password against dictionary words -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_cracklib\&.so\fR\ 'u -+\fBpam_cracklib\&.so\fR [\fI\&.\&.\&.\fR] -+.fam - .SH "DESCRIPTION" - .PP - This module can be plugged into the - \fIpassword\fR --stack of a given application to provide some plug\-in strength\-checking for passwords\. -+stack of a given application to provide some plug\-in strength\-checking for passwords\&. - .PP --The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\. -+The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\&. - .PP --The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\. -+The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\&. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\&. - .PP - The strength checks works in the following manner: at first the - \fBCracklib\fR --routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\. These checks are: -+routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\&. These checks are: - .PP - Palindrome - .RS 4 -@@ -43,15 +201,15 @@ - .RS 4 - Is the new password too much like the old one? This is primarily controlled by one argument, - \fBdifok\fR --which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\. -+which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\&. - .sp - To avoid the lockup associated with trying to change a long and complicated password, - \fBdifignore\fR --is available\. This argument can be used to specify the minimum length a new password needs to be before the -+is available\&. This argument can be used to specify the minimum length a new password needs to be before the - \fBdifok\fR --value is ignored\. The default value for -+value is ignored\&. The default value for - \fBdifignore\fR --is 23\. -+is 23\&. - .RE - .PP - Simple -@@ -61,7 +219,7 @@ - \fBdcredit\fR, - \fBucredit\fR, - \fBlcredit\fR, and --\fBocredit\fR\. See the section on the arguments for the details of how these work and there defaults\. -+\fBocredit\fR\&. See the section on the arguments for the details of how these work and there defaults\&. - .RE - .PP - Rotated -@@ -69,13 +227,7 @@ - Is the new password a rotated version of the old password? - .RE - .PP --Already used --.RS 4 --Was the password used in the past? Previously used passwords are to be found in --\fI/etc/security/opasswd\fR\. --.RE --.PP --This module with no arguments will work well for standard unix password encryption\. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\.\.\. In addition, the default action is to allow passwords as small as 5 characters in length\. For a md5 systems it can be a good idea to increase the required minimum size of a password\. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\. -+This module with no arguments will work well for standard unix password encryption\&. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\&. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\&. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\&.\&.\&. In addition, the default action is to allow passwords as small as 5 characters in length\&. For a md5 systems it can be a good idea to increase the required minimum size of a password\&. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\&. - .SH "OPTIONS" - .PP - .PP -@@ -83,21 +235,21 @@ - .RS 4 - This option makes the module write information to - \fBsyslog\fR(3) --indicating the behavior of the module (this option does not write password information to the log file)\. -+indicating the behavior of the module (this option does not write password information to the log file)\&. - .RE - .PP - \fBtype=\fR\fB\fIXXX\fR\fR - .RS 4 --The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\. The default word -+The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\&. The default word - \fIUNIX\fR --can be replaced with this option\. -+can be replaced with this option\&. - .RE - .PP - \fBretry=\fR\fB\fIN\fR\fR - .RS 4 - Prompt user at most - \fIN\fR --times before returning with error\. The default is -+times before returning with error\&. The default is - \fI1\fR - .RE - .PP -@@ -105,98 +257,98 @@ - .RS 4 - This argument will change the default of - \fI5\fR --for the number of characters in the new password that must not be present in the old password\. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\. -+for the number of characters in the new password that must not be present in the old password\&. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\&. - .RE - .PP - \fBdifignore=\fR\fB\fIN\fR\fR - .RS 4 --How many characters should the password have before difok will be ignored\. The default is --\fI23\fR\. -+How many characters should the password have before difok will be ignored\&. The default is -+\fI23\fR\&. - .RE - .PP - \fBminlen=\fR\fB\fIN\fR\fR - .RS 4 --The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, -+The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\&. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, - \fIupper\fR, - \fIlower\fR - and --\fIdigit\fR)\. The default for this parameter is -+\fIdigit\fR)\&. The default for this parameter is - \fI9\fR --which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\. Note that there is a pair of length limits in -+which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\&. Note that there is a pair of length limits in - \fICracklib\fR - itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to --\fBminlen\fR\. If you want to allow passwords as short as 5 characters you should not use this module\. -+\fBminlen\fR\&. If you want to allow passwords as short as 5 characters you should not use this module\&. - .RE - .PP - \fBdcredit=\fR\fB\fIN\fR\fR - .RS 4 --(N >= 0) This is the maximum credit for having digits in the new password\. If you have less than or -+(N >= 0) This is the maximum credit for having digits in the new password\&. If you have less than or - \fIN\fR - digits, each digit will count +1 towards meeting the current - \fBminlen\fR --value\. The default for -+value\&. The default for - \fBdcredit\fR - is 1 which is the recommended value for - \fBminlen\fR --less than 10\. -+less than 10\&. - .sp --(N < 0) This is the minimum number of digits that must be met for a new password\. -+(N < 0) This is the minimum number of digits that must be met for a new password\&. - .RE - .PP - \fBucredit=\fR\fB\fIN\fR\fR - .RS 4 --(N >= 0) This is the maximum credit for having upper case letters in the new password\. If you have less than or -+(N >= 0) This is the maximum credit for having upper case letters in the new password\&. If you have less than or - \fIN\fR - upper case letters each letter will count +1 towards meeting the current - \fBminlen\fR --value\. The default for -+value\&. The default for - \fBucredit\fR - is - \fI1\fR - which is the recommended value for - \fBminlen\fR --less than 10\. -+less than 10\&. - .sp --(N > 0) This is the minimum number of upper case letters that must be met for a new password\. -+(N < 0) This is the minimum number of upper case letters that must be met for a new password\&. - .RE - .PP - \fBlcredit=\fR\fB\fIN\fR\fR - .RS 4 --(N >= 0) This is the maximum credit for having lower case letters in the new password\. If you have less than or -+(N >= 0) This is the maximum credit for having lower case letters in the new password\&. If you have less than or - \fIN\fR - lower case letters, each letter will count +1 towards meeting the current - \fBminlen\fR --value\. The default for -+value\&. The default for - \fBlcredit\fR - is 1 which is the recommended value for - \fBminlen\fR --less than 10\. -+less than 10\&. - .sp --(N < 0) This is the minimum number of lower case letters that must be met for a new password\. -+(N < 0) This is the minimum number of lower case letters that must be met for a new password\&. - .RE - .PP - \fBocredit=\fR\fB\fIN\fR\fR - .RS 4 --(N >= 0) This is the maximum credit for having other characters in the new password\. If you have less than or -+(N >= 0) This is the maximum credit for having other characters in the new password\&. If you have less than or - \fIN\fR - other characters, each character will count +1 towards meeting the current - \fBminlen\fR --value\. The default for -+value\&. The default for - \fBocredit\fR - is 1 which is the recommended value for - \fBminlen\fR --less than 10\. -+less than 10\&. - .sp --(N < 0) This is the minimum number of other characters that must be met for a new password\. -+(N < 0) This is the minimum number of other characters that must be met for a new password\&. - .RE - .PP - \fBminclass=\fR\fB\fIN\fR\fR - .RS 4 --The minimum number of required classes of characters for the new password\. The default number is zero\. The four classes are digits, upper and lower letters and other characters\. The difference to the -+The minimum number of required classes of characters for the new password\&. The default number is zero\&. The four classes are digits, upper and lower letters and other characters\&. The difference to the - \fBcredit\fR --check is that a specific class if of characters is not required\. Instead -+check is that a specific class if of characters is not required\&. Instead - \fIN\fR --out of four of the classes are required\. -+out of four of the classes are required\&. - .RE - .PP - \fBuse_authtok\fR -@@ -205,105 +357,159 @@ - \fIforce\fR - the module to not prompt the user for a new password but use the one provided by the previously stacked - \fIpassword\fR --module\. -+module\&. - .RE - .PP - \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR - .RS 4 --Path to the cracklib dictionaries\. -+Path to the cracklib dictionaries\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --Only he -+Only the - \fBpassword\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --The new password passes all checks\. -+The new password passes all checks\&. - .RE - .PP - PAM_AUTHTOK_ERR - .RS 4 --No new password was entered, the username could not be determined or the new password fails the strength checks\. -+No new password was entered, the username could not be determined or the new password fails the strength checks\&. - .RE - .PP - PAM_AUTHTOK_RECOVERY_ERR - .RS 4 --The old password was not supplied by a previous stacked module or got not requested from the user\. The first error can happen if -+The old password was not supplied by a previous stacked module or got not requested from the user\&. The first error can happen if - \fBuse_authtok\fR --is specified\. -+is specified\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --A internal error occured\. -+A internal error occured\&. - .RE - .SH "EXAMPLES" - .PP - For an example of the use of this module, we show how it may be stacked with the password component of - \fBpam_unix\fR(8) - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - # --# These lines stack two password type modules\. In this example the --# user is given 3 opportunities to enter a strong password\. The -+# These lines stack two password type modules\&. In this example the -+# user is given 3 opportunities to enter a strong password\&. The - # "use_authtok" argument ensures that the pam_unix module does not - # prompt for a password, but instead uses the one provided by --# pam_cracklib\. -+# pam_cracklib\&. - # --passwd password required pam_cracklib\.so retry=3 --passwd password required pam_unix\.so use_authtok -+passwd password required pam_cracklib\&.so retry=3 -+passwd password required pam_unix\&.so use_authtok - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .PP - Another example (in the --\fI/etc/pam\.d/passwd\fR -+\FC/etc/pam\&.d/passwd\F[] - format) is for the case that you want to use md5 password encryption: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # - # These lines allow a md5 systems to support passwords of at least 14 - # bytes with extra credit of 2 for digits and 2 for others the new - # password must have at least three bytes that are not present in the - # old password - # --password required pam_cracklib\.so \e -+password required pam_cracklib\&.so \e - difok=3 minlen=15 dcredit= 2 ocredit=2 --password required pam_unix\.so use_authtok nullok md5 -+password required pam_unix\&.so use_authtok nullok md5 - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .PP - And here is another example in case you don\'t want to use credits: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # - # These lines require the user to select a password with a minimum - # length of 8 and with at least 1 digit number, 1 upper case letter, - # and 1 other character - # --password required pam_cracklib\.so \e -+password required pam_cracklib\&.so \e - dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8 --password required pam_unix\.so use_authtok nullok md5 -+password required pam_unix\&.so use_authtok nullok md5 - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_cracklib was written by Cristian Gafton -+pam_cracklib was written by Cristian Gafton ---- Linux-PAM-1.0.2-orig/modules/pam_cracklib/README 2008-04-16 11:06:39.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_cracklib/README 2009-01-20 11:58:14.000000000 +0100 -@@ -51,11 +51,6 @@ - - Is the new password a rotated version of the old password? - --Already used -- -- Was the password used in the past? Previously used passwords are to be -- found in /etc/security/opasswd. -- - This module with no arguments will work well for standard unix password - encryption. With md5 encryption, passwords can be longer than 8 characters and - the default settings for this module can make it hard for the user to choose a -@@ -129,7 +124,7 @@ - will count +1 towards meeting the current minlen value. The default for - ucredit is 1 which is the recommended value for minlen less than 10. - -- (N > 0) This is the minimum number of upper case letters that must be met -+ (N < 0) This is the minimum number of upper case letters that must be met - for a new password. - - lcredit=N ---- Linux-PAM-1.0.2-orig/modules/pam_debug/pam_debug.8 2008-04-16 11:06:41.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_debug/pam_debug.8 2009-01-20 11:58:16.000000000 +0100 -@@ -1,23 +1,181 @@ - .\" Title: pam_debug --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_DEBUG" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_DEBUG" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_debug - PAM module to debug the PAM stack --.SH "SYNOPSIS" --.HP 13 --\fBpam_debug\.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_debug \- PAM module to debug the PAM stack -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_debug\&.so\fR\ 'u -+\fBpam_debug\&.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\. This module returns what its module arguments tell it to return\. -+The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\&. This module returns what its module arguments tell it to return\&. - .SH "OPTIONS" - .PP - \fBauth=\fR\fB\fIvalue\fR\fR -@@ -25,7 +183,7 @@ - The - \fBpam_sm_authenticate\fR(3) - function will return --\fIvalue\fR\. -+\fIvalue\fR\&. - .RE - .PP - \fBcred=\fR\fB\fIvalue\fR\fR -@@ -33,7 +191,7 @@ - The - \fBpam_sm_setcred\fR(3) - function will return --\fIvalue\fR\. -+\fIvalue\fR\&. - .RE - .PP - \fBacct=\fR\fB\fIvalue\fR\fR -@@ -41,7 +199,7 @@ - The - \fBpam_sm_acct_mgmt\fR(3) - function will return --\fIvalue\fR\. -+\fIvalue\fR\&. - .RE - .PP - \fBprechauthtok=\fR\fB\fIvalue\fR\fR -@@ -52,7 +210,7 @@ - \fIvalue\fR - if the - \fIPAM_PRELIM_CHECK\fR --flag is set\. -+flag is set\&. - .RE - .PP - \fBchauthtok=\fR\fB\fIvalue\fR\fR -@@ -65,7 +223,7 @@ - \fIPAM_PRELIM_CHECK\fR - flag is - \fBnot\fR --set\. -+set\&. - .RE - .PP - \fBopen_session=\fR\fB\fIvalue\fR\fR -@@ -73,7 +231,7 @@ - The - \fBpam_sm_open_session\fR(3) - function will return --\fIvalue\fR\. -+\fIvalue\fR\&. - .RE - .PP - \fBclose_session=\fR\fB\fIvalue\fR\fR -@@ -81,46 +239,62 @@ - The - \fBpam_sm_close_session\fR(3) - function will return --\fIvalue\fR\. -+\fIvalue\fR\&. - .RE - .PP - Where - \fIvalue\fR --can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete\. --.SH "MODULE SERVICES PROVIDED" -+can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete\&. -+.SH "MODULE TYPES PROVIDED" - .PP --The services --\fBauth\fR, -+All module types (\fBauth\fR, - \fBaccount\fR, - \fBpassword\fR - and --\fBsession\fR --are supported\. -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --Default return code if no other value was specified, else specified return value\. -+Default return code if no other value was specified, else specified return value\&. - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth requisite pam_permit\.so --auth [success=2 default=ok] pam_debug\.so auth=perm_denied cred=success --auth [default=reset] pam_debug\.so auth=success cred=perm_denied --auth [success=done default=die] pam_debug\.so --auth optional pam_debug\.so auth=perm_denied cred=perm_denied --auth sufficient pam_debug\.so auth=success cred=success -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth requisite pam_permit\&.so -+auth [success=2 default=ok] pam_debug\&.so auth=perm_denied cred=success -+auth [default=reset] pam_debug\&.so auth=success cred=perm_denied -+auth [success=done default=die] pam_debug\&.so -+auth optional pam_debug\&.so auth=perm_denied cred=perm_denied -+auth sufficient pam_debug\&.so auth=success cred=success - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_debug was written by Andrew G\. Morgan \. -+pam_debug was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_deny/pam_deny.8 2008-04-16 11:06:44.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_deny/pam_deny.8 2009-01-20 11:58:19.000000000 +0100 -@@ -1,82 +1,258 @@ - .\" Title: pam_deny --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_DENY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_DENY" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_deny - The locking-out PAM module --.SH "SYNOPSIS" --.HP 12 --\fBpam_deny\.so\fR -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_deny \- The locking\-out PAM module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_deny\&.so\fR\ 'u -+\fBpam_deny\&.so\fR -+.fam - .SH "DESCRIPTION" - .PP --This module can be used to deny access\. It always indicates a failure to the application through the PAM framework\. It might be suitable for using for default (the --\fIOTHER\fR) entries\. -+This module can be used to deny access\&. It always indicates a failure to the application through the PAM framework\&. It might be suitable for using for default (the -+\fIOTHER\fR) entries\&. - .SH "OPTIONS" - .PP --This module does not recognise any options\. --.SH "MODULE SERVICES PROVIDED" -+This module does not recognise any options\&. -+.SH "MODULE TYPES PROVIDED" - .PP --All services (\fBaccount\fR, -+All module types (\fBaccount\fR, - \fBauth\fR, - \fBpassword\fR - and --\fBsession\fR) are supported\. -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_AUTH_ERR - .RS 4 --This is returned by the account and auth services\. -+This is returned by the account and auth services\&. - .RE - .PP - PAM_CRED_ERR - .RS 4 --This is returned by the setcred function\. -+This is returned by the setcred function\&. - .RE - .PP - PAM_AUTHTOK_ERR - .RS 4 --This is returned by the password service\. -+This is returned by the password service\&. - .RE - .PP - PAM_SESSION_ERR - .RS 4 --This is returned by the session service\. -+This is returned by the session service\&. - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # - # If we don\'t have config entries for a service, the --# OTHER entries are used\. To be secure, warn and deny --# access to everything\. --other auth required pam_warn\.so --other auth required pam_deny\.so --other account required pam_warn\.so --other account required pam_deny\.so --other password required pam_warn\.so --other password required pam_deny\.so --other session required pam_warn\.so --other session required pam_deny\.so -+# OTHER entries are used\&. To be secure, warn and deny -+# access to everything\&. -+other auth required pam_warn\&.so -+other auth required pam_deny\&.so -+other account required pam_warn\&.so -+other account required pam_deny\&.so -+other password required pam_warn\&.so -+other password required pam_deny\&.so -+other session required pam_warn\&.so -+other session required pam_deny\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_deny was written by Andrew G\. Morgan -+pam_deny was written by Andrew G\&. Morgan ---- Linux-PAM-1.0.2-orig/modules/pam_echo/pam_echo.8 2008-04-16 11:06:47.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_echo/pam_echo.8 2009-01-20 11:58:22.000000000 +0100 -@@ -1,108 +1,288 @@ - .\" Title: pam_echo --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_ECHO" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_ECHO" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_echo - PAM module for printing text messages --.SH "SYNOPSIS" --.HP 12 --\fBpam_echo\.so\fR [file=\fI/path/message\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_echo \- PAM module for printing text messages -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_echo\&.so\fR\ 'u -+\fBpam_echo\&.so\fR [file=\fI/path/message\fR] -+.fam - .SH "DESCRIPTION" - .PP - The - \fIpam_echo\fR --PAM module is for printing text messages to inform user about special things\. Sequences starting with the -+PAM module is for printing text messages to inform user about special things\&. Sequences starting with the - \fI%\fR - character are interpreted in the following way: - .PP - \fI%H\fR - .RS 4 --The name of the remote host (PAM_RHOST)\. -+The name of the remote host (PAM_RHOST)\&. - .RE - .PP - \fB%h\fR - .RS 4 --The name of the local host\. -+The name of the local host\&. - .RE - .PP - \fI%s\fR - .RS 4 --The service name (PAM_SERVICE)\. -+The service name (PAM_SERVICE)\&. - .RE - .PP - \fI%t\fR - .RS 4 --The name of the controlling terminal (PAM_TTY)\. -+The name of the controlling terminal (PAM_TTY)\&. - .RE - .PP - \fI%U\fR - .RS 4 --The remote user name (PAM_RUSER)\. -+The remote user name (PAM_RUSER)\&. - .RE - .PP - \fI%u\fR - .RS 4 --The local user name (PAM_USER)\. -+The local user name (PAM_USER)\&. - .RE - .PP - All other sequences beginning with - \fI%\fR - expands to the characters following the - \fI%\fR --character\. -+character\&. - .SH "OPTIONS" - .PP - \fBfile=\fR\fB\fI/path/message\fR\fR - .RS 4 - The content of the file --\fI/path/message\fR --will be printed with the PAM conversion function as PAM_TEXT_INFO\. -+\FC/path/message\F[] -+will be printed with the PAM conversion function as PAM_TEXT_INFO\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --All services are supported\. -+All module types (\fBauth\fR, -+\fBaccount\fR, -+\fBpassword\fR -+and -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Message was successful printed\. -+Message was successful printed\&. - .RE - .PP - PAM_IGNORE - .RS 4 --PAM_SILENT flag was given or message file does not exist, no message printed\. -+PAM_SILENT flag was given or message file does not exist, no message printed\&. - .RE - .SH "EXAMPLES" - .PP - For an example of the use of this module, we show how it may be used to print informations about good passwords: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --password optional pam_echo\.so file=/usr/share/doc/good\-password\.txt --password required pam_unix\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+password optional pam_echo\&.so file=/usr/share/doc/good\-password\&.txt -+password required pam_unix\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(8), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --Thorsten Kukuk -+Thorsten Kukuk ---- Linux-PAM-1.0.2-orig/modules/pam_env/pam_env.8 2008-04-16 11:06:52.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_env/pam_env.8 2009-01-20 11:58:25.000000000 +0100 -@@ -1,100 +1,258 @@ - .\" Title: pam_env --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_ENV" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_ENV" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_env - PAM module to set/unset environment variables --.SH "SYNOPSIS" --.HP 11 --\fBpam_env\.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_env \- PAM module to set/unset environment variables -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_env\&.so\fR\ 'u -+\fBpam_env\&.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_env PAM module allows the (un)setting of environment variables\. Supported is the use of previously set environment variables as well as -+The pam_env PAM module allows the (un)setting of environment variables\&. Supported is the use of previously set environment variables as well as - \fIPAM_ITEM\fRs such as --\fIPAM_RHOST\fR\. -+\fIPAM_RHOST\fR\&. - .PP - By default rules for (un)setting of variables is taken from the config file --\fI/etc/security/pam_env\.conf\fR --if no other file is specified\. -+\FC/etc/security/pam_env\&.conf\F[] -+if no other file is specified\&. - .PP - This module can also parse a file with simple - \fIKEY=VAL\fR --pairs on seperate lines (\fI/etc/environment\fR --by default)\. You can change the default file to parse, with the -+pairs on separate lines (\FC/etc/environment\F[] -+by default)\&. You can change the default file to parse, with the - \fIenvfile\fR - flag and turn it on or off by setting the - \fIreadenv\fR --flag to 1 or 0 respectively\. -+flag to 1 or 0 respectively\&. - .SH "OPTIONS" - .PP --\fBconffile=\fR\fB\fI/path/to/pam_env\.conf\fR\fR -+\fBconffile=\fR\fB\fI/path/to/pam_env\&.conf\fR\fR - .RS 4 - Indicate an alternative --\fIpam_env\.conf\fR --style configuration file to override the default\. This can be useful when different services need different environments\. -+\FCpam_env\&.conf\F[] -+style configuration file to override the default\&. This can be useful when different services need different environments\&. - .RE - .PP - \fBdebug\fR - .RS 4 - A lot of debug informations are printed with --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBenvfile=\fR\fB\fI/path/to/environment\fR\fR - .RS 4 - Indicate an alternative --\fIenvironment\fR --file to override the default\. This can be useful when different services need different environments\. -+\FCenvironment\F[] -+file to override the default\&. This can be useful when different services need different environments\&. - .RE - .PP - \fBreadenv=\fR\fB\fI0|1\fR\fR - .RS 4 --Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\. By default this option is on\. -+Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\&. By default this option is on\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - The - \fBauth\fR - and - \fBsession\fR --services are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_ABORT - .RS 4 --Not all relevant data or options could be gotten\. -+Not all relevant data or options could be gotten\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_IGNORE - .RS 4 --No pam_env\.conf and environment file was found\. -+No pam_env\&.conf and environment file was found\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Environment variables were set\. -+Environment variables were set\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/pam_env\.conf\fR -+\FC/etc/security/pam_env\&.conf\F[] - .RS 4 - Default configuration file - .RE - .PP --\fI/etc/environment\fR -+\FC/etc/environment\F[] - .RS 4 - Default environment file - .RE -@@ -102,8 +260,8 @@ - .PP - - \fBpam_env.conf\fR(5), --\fBpam.d\fR(8), --\fBpam\fR(8)\. -+\fBpam.d\fR(5), -+\fBpam\fR(8)\&. - .SH "AUTHOR" - .PP --pam_env was written by Dave Kinchlea \. -+pam_env was written by Dave Kinchlea \&. ---- Linux-PAM-1.0.2-orig/modules/pam_env/README 2008-04-16 11:06:53.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_env/README 2009-01-20 11:58:27.000000000 +0100 -@@ -11,7 +11,7 @@ - By default rules for (un)setting of variables is taken from the config file / - etc/security/pam_env.conf if no other file is specified. - --This module can also parse a file with simple KEY=VAL pairs on seperate lines -+This module can also parse a file with simple KEY=VAL pairs on separate lines - (/etc/environment by default). You can change the default file to parse, with - the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 - respectively. ---- Linux-PAM-1.0.2-orig/modules/pam_exec/pam_exec.8 2008-04-16 11:09:09.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_exec/pam_exec.8 2009-01-20 11:58:29.000000000 +0100 -@@ -1,23 +1,181 @@ - .\" Title: pam_exec --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_EXEC" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_EXEC" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_exec - PAM module which calls an external command --.SH "SYNOPSIS" --.HP 12 --\fBpam_exec\.so\fR [debug] [seteuid] [quiet] [log=\fIfile\fR] \fIcommand\fR [\fI\.\.\.\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_exec \- PAM module which calls an external command -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_exec\&.so\fR\ 'u -+\fBpam_exec\&.so\fR [debug] [seteuid] [quiet] [log=\fIfile\fR] \fIcommand\fR [\fI\&.\&.\&.\fR] -+.fam - .SH "DESCRIPTION" - .PP --pam_exec is a PAM module that can be used to run an external command\. -+pam_exec is a PAM module that can be used to run an external command\&. - .PP - The child\'s environment is set to the current PAM environment list, as returned by - \fBpam_getenvlist\fR(3) -@@ -26,91 +184,117 @@ - \fIPAM_RUSER\fR, - \fIPAM_SERVICE\fR, - \fIPAM_TTY\fR, and --\fIPAM_USER\fR\. -+\fIPAM_USER\fR\&. - .SH "OPTIONS" - .PP - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBlog=\fR\fB\fIfile\fR\fR - .RS 4 - The output of the command is appended to --\fIfile\fR -+\FCfile\F[] - .RE - .PP - \fBquiet\fR - .RS 4 --Per default pam_exec\.so will echo the exit status of the external command if it fails\. Specifying this option will suppress the message\. -+Per default pam_exec\&.so will echo the exit status of the external command if it fails\&. Specifying this option will suppress the message\&. - .RE - .PP - \fBseteuid\fR - .RS 4 --Per default pam_exec\.so will execute the external command with the real user ID of the calling process\. Specifying this option means the command is run with the effective user ID\. -+Per default pam_exec\&.so will execute the external command with the real user ID of the calling process\&. Specifying this option means the command is run with the effective user ID\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --The services --\fBauth\fR, -+All module types (\fBauth\fR, - \fBaccount\fR, - \fBpassword\fR - and --\fBsession\fR --are supported\. -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --The external command runs successfull\. -+The external command runs successfull\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --No argument or a wrong number of arguments were given\. -+No argument or a wrong number of arguments were given\&. - .RE - .PP - PAM_SYSTEM_ERR - .RS 4 --A system error occured or the command to execute failed\. -+A system error occured or the command to execute failed\&. - .RE - .PP - PAM_IGNORE - .RS 4 - - \fBpam_setcred\fR --was called, which does not execute the command\. -+was called, which does not execute the command\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/passwd\fR -+\FC/etc/pam\&.d/passwd\F[] - to rebuild the NIS database after each local password change: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- passwd optional pam_exec\.so seteuid make \-C /var/yp -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ passwd optional pam_exec\&.so seteuid make \-C /var/yp - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - This will execute the command - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.BB lightgray - make \-C /var/yp -+.EB lightgray - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp --with effective user ID\. -+with effective user ID\&. - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_exec was written by Thorsten Kukuk \. -+pam_exec was written by Thorsten Kukuk \&. ---- Linux-PAM-1.0.2-orig/modules/pam_faildelay/pam_faildelay.8 2008-04-16 11:09:21.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_faildelay/pam_faildelay.8 2009-01-20 11:58:33.000000000 +0100 -@@ -1,73 +1,249 @@ - .\" Title: pam_faildelay --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_FAILDELAY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_FAILDELAY" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_faildelay - Change the delay on failure per-application --.SH "SYNOPSIS" --.HP 17 --\fBpam_faildelay\.so\fR [debug] [delay=\fImicroseconds\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_faildelay \- Change the delay on failure per\-application -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_faildelay\&.so\fR\ 'u -+\fBpam_faildelay\&.so\fR [debug] [delay=\fImicroseconds\fR] -+.fam - .SH "DESCRIPTION" - .PP --pam_faildelay is a PAM module that can be used to set the delay on failure per\-application\. -+pam_faildelay is a PAM module that can be used to set the delay on failure per\-application\&. - .PP - If no - \fBdelay\fR - is given, pam_faildelay will use the value of FAIL_DELAY from --\fI/etc/login\.defs\fR\. -+\FC/etc/login\&.defs\F[]\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Turns on debugging messages sent to syslog\. -+Turns on debugging messages sent to syslog\&. - .RE - .PP - \fBdelay=\fR\fB\fIN\fR\fR - .RS 4 --Set the delay on failure to N microseconds\. -+Set the delay on failure to N microseconds\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_IGNORE - .RS 4 --Delay was successful adjusted\. -+Delay was successful adjusted\&. - .RE - .PP - PAM_SYSTEM_ERR - .RS 4 --The specified delay was not valid\. -+The specified delay was not valid\&. - .RE - .SH "EXAMPLES" - .PP - The following example will set the delay on failure to 10 seconds: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth optional pam_faildelay\.so delay=10000000 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth optional pam_faildelay\&.so delay=10000000 - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam_fail_delay\fR(3), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_faildelay was written by Darren Tucker \. -+pam_faildelay was written by Darren Tucker \&. ---- Linux-PAM-1.0.2-orig/modules/pam_filter/pam_filter.8 2008-04-16 11:06:56.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_filter/pam_filter.8 2009-01-20 11:58:36.000000000 +0100 -@@ -1,73 +1,231 @@ - .\" Title: pam_filter --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_FILTER" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_FILTER" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_filter - PAM filter module --.SH "SYNOPSIS" --.HP 14 --\fBpam_filter\.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI\.\.\.\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_filter \- PAM filter module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_filter\&.so\fR\ 'u -+\fBpam_filter\&.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI\&.\&.\&.\fR] -+.fam - .SH "DESCRIPTION" - .PP --This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application\. It is only suitable for tty\-based and (stdin/stdout) applications\. -+This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application\&. It is only suitable for tty\-based and (stdin/stdout) applications\&. - .PP - To function this module requires - \fIfilters\fR --to be installed on the system\. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams\. (This can be very annoying and is not kind to termcap based editors)\. -+to be installed on the system\&. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams\&. (This can be very annoying and is not kind to termcap based editors)\&. - .PP --Each component of the module has the potential to invoke the desired filter\. The filter is always -+Each component of the module has the potential to invoke the desired filter\&. The filter is always - \fBexecv\fR(2) - with the privilege of the calling application and - \fInot\fR --that of the user\. For this reason it cannot usually be killed by the user without closing their session\. -+that of the user\&. For this reason it cannot usually be killed by the user without closing their session\&. - .SH "OPTIONS" - .PP - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBnew_term\fR - .RS 4 - The default action of the filter is to set the - \fIPAM_TTY\fR --item to indicate the terminal that the user is using to connect to the application\. This argument indicates that the filter should set -+item to indicate the terminal that the user is using to connect to the application\&. This argument indicates that the filter should set - \fIPAM_TTY\fR --to the filtered pseudo\-terminal\. -+to the filtered pseudo\-terminal\&. - .RE - .PP - \fBnon_term\fR - .RS 4 - don\'t try to set the - \fIPAM_TTY\fR --item\. -+item\&. - .RE - .PP - \fBrunX\fR - .RS 4 --In order that the module can invoke a filter it should know when to invoke it\. This argument is required to tell the filter when to do this\. -+In order that the module can invoke a filter it should know when to invoke it\&. This argument is required to tell the filter when to do this\&. - .sp - Permitted values for - \fIX\fR - are - \fI1\fR - and --\fI2\fR\. These indicate the precise time that the filter is to be run\. To understand this concept it will be useful to have read the -+\fI2\fR\&. These indicate the precise time that the filter is to be run\&. To understand this concept it will be useful to have read the - \fBpam\fR(3) --manual page\. Basically, for each management group there are up to two ways of calling the module\'s functions\. In the case of the -+manual page\&. Basically, for each management group there are up to two ways of calling the module\'s functions\&. In the case of the - \fIauthentication\fR - and - \fIsession\fR --components there are actually two separate functions\. For the case of authentication, these functions are -+components there are actually two separate functions\&. For the case of authentication, these functions are - \fBpam_authenticate\fR(3) - and - \fBpam_setcred\fR(3), here -@@ -77,20 +235,20 @@ - function and - \fBrun2\fR - means run the filter from --\fBpam_setcred\fR\. In the case of the session modules, -+\fBpam_setcred\fR\&. In the case of the session modules, - \fIrun1\fR - implies that the filter is invoked at the - \fBpam_open_session\fR(3) - stage, and - \fIrun2\fR - for --\fBpam_close_session\fR(3)\. -+\fBpam_close_session\fR(3)\&. - .sp --For the case of the account component\. Either -+For the case of the account component\&. Either - \fIrun1\fR - or - \fIrun2\fR --may be used\. -+may be used\&. - .sp - For the case of the password component, - \fIrun1\fR -@@ -102,53 +260,69 @@ - \fIrun2\fR - is used to indicate that the filter is run on the second occasion (the - \fIPAM_UPDATE_AUTHTOK\fR --phase)\. -+phase)\&. - .RE - .PP - \fBfilter\fR - .RS 4 --The full pathname of the filter to be run and any command line arguments that the filter might expect\. -+The full pathname of the filter to be run and any command line arguments that the filter might expect\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --The services --\fBauth\fR, -+All module types (\fBauth\fR, - \fBaccount\fR, - \fBpassword\fR - and --\fBsession\fR --are supported\. -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --The new filter was set successfull\. -+The new filter was set successfull\&. - .RE - .PP - PAM_ABORT - .RS 4 --Critical error, immediate abort\. -+Critical error, immediate abort\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - to see how to configure login to transpose upper and lower case letters once the user has logged in: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- session required pam_filter\.so run1 /lib/security/pam_filter/upperLOWER -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ session required pam_filter\&.so run1 /lib/security/pam_filter/upperLOWER - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_filter was written by Andrew G\. Morgan \. -+pam_filter was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_ftp/pam_ftp.8 2008-04-16 11:07:01.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_ftp/pam_ftp.8 2009-01-20 11:58:39.000000000 +0100 -@@ -1,25 +1,183 @@ - .\" Title: pam_ftp --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_FTP" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_FTP" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_ftp - PAM module for anonymous access module --.SH "SYNOPSIS" --.HP 11 --\fBpam_ftp\.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_ftp \- PAM module for anonymous access module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_ftp\&.so\fR\ 'u -+\fBpam_ftp\&.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...] -+.fam - .SH "DESCRIPTION" - .PP --pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access\. -+pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access\&. - .PP --This module intercepts the user\'s name and password\. If the name is -+This module intercepts the user\'s name and password\&. If the name is - \fIftp\fR - or - \fIanonymous\fR, the user\'s password is broken up at the -@@ -28,78 +186,96 @@ - \fIPAM_RUSER\fR - and a - \fIPAM_RHOST\fR --part; these pam\-items being set accordingly\. The username (\fIPAM_USER\fR) is set to --\fIftp\fR\. In this case the module succeeds\. Alternatively, the module sets the -+part; these pam\-items being set accordingly\&. The username (\fIPAM_USER\fR) is set to -+\fIftp\fR\&. In this case the module succeeds\&. Alternatively, the module sets the - \fIPAM_AUTHTOK\fR --item with the entered password and fails\. -+item with the entered password and fails\&. - .PP --This module is not safe and easily spoofable\. -+This module is not safe and easily spoofable\&. - .SH "OPTIONS" - .PP - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBignore\fR - .RS 4 --Pay no attention to the email address of the user (if supplied)\. -+Pay no attention to the email address of the user (if supplied)\&. - .RE - .PP --\fBftp=\fR\fB\fIXXX,YYY,\.\.\.\fR\fR -+\fBftp=\fR\fB\fIXXX,YYY,\&.\&.\&.\fR\fR - .RS 4 - Instead of - \fIftp\fR - or - \fIanonymous\fR, provide anonymous login to the comma separated list of users: --\fB\fIXXX,YYY,\.\.\.\fR\fR\. Should the applicant enter one of these usernames the returned username is set to the first in the list: --\fIXXX\fR\. -+\fB\fIXXX,YYY,\&.\&.\&.\fR\fR\&. Should the applicant enter one of these usernames the returned username is set to the first in the list: -+\fIXXX\fR\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --The authentication was successfull\. -+The authentication was successfull\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/ftpd\fR -+\FC/etc/pam\&.d/ftpd\F[] - to handle ftp style anonymous login: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - # --# ftpd; add ftp\-specifics\. These lines enable anonymous ftp over -+# ftpd; add ftp\-specifics\&. These lines enable anonymous ftp over - # standard UN*X access (the listfile entry blocks access to - # users listed in /etc/ftpusers) - # --auth sufficient pam_ftp\.so --auth required pam_unix\.so use_first_pass --auth required pam_listfile\.so \e -+auth sufficient pam_ftp\&.so -+auth required pam_unix\&.so use_first_pass -+auth required pam_listfile\&.so \e - onerr=succeed item=user sense=deny file=/etc/ftpusers - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_ftp was written by Andrew G\. Morgan \. -+pam_ftp was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_group/pam_group.8 2008-04-16 11:07:06.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_group/pam_group.8 2009-01-20 11:58:43.000000000 +0100 -@@ -1,85 +1,243 @@ - .\" Title: pam_group --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHORS" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_GROUP" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_GROUP" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_group - PAM module for group access --.SH "SYNOPSIS" --.HP 13 --\fBpam_group\.so\fR -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_group \- PAM module for group access -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_group\&.so\fR\ 'u -+\fBpam_group\&.so\fR -+.fam - .SH "DESCRIPTION" - .PP --The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\. -+The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\&. Such memberships are based on the service they are applying for\&. - .PP - By default rules for group memberships are taken from config file --\fI/etc/security/group\.conf\fR\. -+\FC/etc/security/group\&.conf\F[]\&. - .PP --This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a -+This module\'s usefulness relies on the file\-systems accessible to the user\&. The point being that once granted the membership of a group, the user may attempt to create a - \fBsetgid\fR --binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted -+binary with a restricted group ownership\&. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\&. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted - \fInosuid\fR --the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted --\fInosuid\fR\. -+the user is unable to create or execute such a binary file\&. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted -+\fInosuid\fR\&. - .PP - The pam_group module fuctions in parallel with the --\fI/etc/group\fR --file\. If the user is granted any groups based on the behavior of this module, they are granted -+\FC/etc/group\F[] -+file\&. If the user is granted any groups based on the behavior of this module, they are granted - \fIin addition\fR - to those entries --\fI/etc/group\fR --(or equivalent)\. -+\FC/etc/group\F[] -+(or equivalent)\&. - .SH "OPTIONS" - .PP --This module does not recognise any options\. --.SH "MODULE SERVICES PROVIDED" -+This module does not recognise any options\&. -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --group membership was granted\. -+group membership was granted\&. - .RE - .PP - PAM_ABORT - .RS 4 --Not all relevant data could be gotten\. -+Not all relevant data could be gotten\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_CRED_ERR - .RS 4 --Group membership was not granted\. -+Group membership was not granted\&. - .RE - .PP - PAM_IGNORE - .RS 4 - - \fBpam_sm_authenticate\fR --was called which does nothing\. -+was called which does nothing\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --The user is not known to the system\. -+The user is not known to the system\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/group\.conf\fR -+\FC/etc/security/group\&.conf\F[] - .RS 4 - Default configuration file - .RE -@@ -87,8 +245,8 @@ - .PP - - \fBgroup.conf\fR(5), --\fBpam.d\fR(8), --\fBpam\fR(8)\. -+\fBpam.d\fR(5), -+\fBpam\fR(8)\&. - .SH "AUTHORS" - .PP --pam_group was written by Andrew G\. Morgan \. -+pam_group was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_issue/pam_issue.8 2008-04-16 11:07:09.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_issue/pam_issue.8 2009-01-20 11:58:46.000000000 +0100 -@@ -1,23 +1,181 @@ - .\" Title: pam_issue --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_ISSUE" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_ISSUE" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_issue - PAM module to add issue file to user prompt --.SH "SYNOPSIS" --.HP 13 --\fBpam_issue\.so\fR [noesc] [issue=\fIissue\-file\-name\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_issue \- PAM module to add issue file to user prompt -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_issue\&.so\fR\ 'u -+\fBpam_issue\&.so\fR [noesc] [issue=\fIissue\-file\-name\fR] -+.fam - .SH "DESCRIPTION" - .PP --pam_issue is a PAM module to prepend an issue file to the username prompt\. It also by default parses escape codes in the issue file similar to some common getty\'s (using \ex format)\. -+pam_issue is a PAM module to prepend an issue file to the username prompt\&. It also by default parses escape codes in the issue file similar to some common getty\'s (using \ex format)\&. - .PP - Recognized escapes: - .PP -@@ -68,7 +226,7 @@ - .PP - \fB\eU\fR - .RS 4 --same as \eu except it is suffixed with "user" or "users" (eg\. "1 user" or "10 users") -+same as \eu except it is suffixed with "user" or "users" (eg\&. "1 user" or "10 users") - .RE - .PP - \fB\ev\fR -@@ -80,59 +238,77 @@ - .PP - \fBnoesc\fR - .RS 4 --Turns off escape code parsing\. -+Turns off escape code parsing\&. - .RE - .PP - \fBissue=\fR\fB\fIissue\-file\-name\fR\fR - .RS 4 --The file to output if not using the default\. -+The file to output if not using the default\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_IGNORE - .RS 4 --The prompt was already changed\. -+The prompt was already changed\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --A service module error occured\. -+A service module error occured\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --The new prompt was set successfull\. -+The new prompt was set successfull\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - to set the user specific issue at login: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- auth optional pam_issue\.so issue=/etc/issue -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ auth optional pam_issue\&.so issue=/etc/issue - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_issue was written by Ben Collins \. -+pam_issue was written by Ben Collins \&. ---- Linux-PAM-1.0.2-orig/modules/pam_keyinit/pam_keyinit.8 2008-04-16 11:07:12.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_keyinit/pam_keyinit.8 2009-01-20 11:58:50.000000000 +0100 -@@ -1,63 +1,221 @@ - .\" Title: pam_keyinit --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_KEYINIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_KEYINIT" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_keyinit - Kernel session keyring initialiser module --.SH "SYNOPSIS" --.HP 15 --\fBpam_keyinit\.so\fR [debug] [force] [revoke] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_keyinit \- Kernel session keyring initialiser module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_keyinit\&.so\fR\ 'u -+\fBpam_keyinit\&.so\fR [debug] [force] [revoke] -+.fam - .SH "DESCRIPTION" - .PP --The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\. -+The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. - .PP --The session component of the module checks to see if the process\'s session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\. -+The session component of the module checks to see if the process\'s session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. - .PP --If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\. -+If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. - .PP --The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\. -+The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. - .PP --This module is intended primarily for use by login processes\. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\. -+This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. - .PP - This module should not, generally, be invoked by programs like --\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\. The keys have their own permissions system to manage this\. -+\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. - .PP --This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\. -+This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. - .PP --The keyutils package is used to manipulate keys more directly\. This can be obtained from: -+The keyutils package is used to manipulate keys more directly\&. This can be obtained from: - .PP - --\fI Keyutils \fR\&[1] -+\m[blue]\fB Keyutils \fR\m[]\&\s-2\u[1]\d\s+2 - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 - Log debug information with --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBforce\fR - .RS 4 --Causes the session keyring of the invoking process to be replaced unconditionally\. -+Causes the session keyring of the invoking process to be replaced unconditionally\&. - .RE - .PP - \fBrevoke\fR - .RS 4 --Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\. -+Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS -@@ -67,56 +225,74 @@ - .PP - PAM_AUTH_ERR - .RS 4 --Authentication failure\. -+Authentication failure\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_IGNORE - .RS 4 --The return value should be ignored by PAM dispatch\. -+The return value should be ignored by PAM dispatch\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Cannot determine the user name\. -+Cannot determine the user name\&. - .RE - .PP - PAM_SESSION_ERR - .RS 4 --This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\. -+This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add this line to your login entries to start each login session with its own session keyring: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --session required pam_keyinit\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+session required pam_keyinit\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .PP --This will prevent keys from one session leaking into another session for the same user\. -+This will prevent keys from one session leaking into another session for the same user\&. - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - \fBkeyctl\fR(1) - .SH "AUTHOR" - .PP --pam_keyinit was written by David Howells, \. --.SH "NOTES" -+pam_keyinit was written by David Howells, \&. -+.SH "Notes" - .IP " 1." 4 - Keyutils - .RS 4 ---- Linux-PAM-1.0.2-orig/modules/pam_lastlog/pam_lastlog.8 2008-04-16 11:07:16.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_lastlog/pam_lastlog.8 2009-01-20 11:58:53.000000000 +0100 -@@ -1,104 +1,292 @@ - .\" Title: pam_lastlog --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_LASTLOG" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_LASTLOG" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_lastlog - PAM module to display date of last login --.SH "SYNOPSIS" --.HP 15 --\fBpam_lastlog\.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_lastlog \- PAM module to display date of last login -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_lastlog\&.so\fR\ 'u -+\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] -+.fam - .SH "DESCRIPTION" - .PP --pam_lastlog is a PAM module to display a line of information about the last login of the user\. In addition, the module maintains the --\fI/var/log/lastlog\fR --file\. -+pam_lastlog is a PAM module to display a line of information about the last login of the user\&. In addition, the module maintains the -+\FC/var/log/lastlog\F[] -+file\&. - .PP --Some applications may perform this function themselves\. In such cases, this module is not necessary\. -+Some applications may perform this function themselves\&. In such cases, this module is not necessary\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBsilent\fR - .RS 4 - Don\'t inform the user about any previous login, just upate the --\fI/var/log/lastlog\fR --file\. -+\FC/var/log/lastlog\F[] -+file\&. - .RE - .PP - \fBnever\fR - .RS 4 - If the --\fI/var/log/lastlog\fR --file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\. -+\FC/var/log/lastlog\F[] -+file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\&. - .RE - .PP - \fBnodate\fR - .RS 4 --Don\'t display the date of the last login\. -+Don\'t display the date of the last login\&. - .RE - .PP - \fBnoterm\fR - .RS 4 --Don\'t display the terminal name on which the last login was attempted\. -+Don\'t display the terminal name on which the last login was attempted\&. - .RE - .PP - \fBnohost\fR - .RS 4 --Don\'t indicate from which host the last login was attempted\. -+Don\'t indicate from which host the last login was attempted\&. - .RE - .PP - \fBnowtmp\fR - .RS 4 --Don\'t update the wtmp entry\. -+Don\'t update the wtmp entry\&. -+.RE -+.PP -+\fBnoupdate\fR -+.RS 4 -+Don\'t update any file\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.PP -+\fBshowfailed\fR -+.RS 4 -+Display number of failed login attempts and the date of the last failed attempt from btmp\&. The date is not displayed when -+\fBnodate\fR -+is specified\&. -+.RE -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --Everything was successfull\. -+Everything was successfull\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Internal service module error\. -+Internal service module error\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - to display the last login time of an user: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- session required pam_lastlog\.so nowtmp -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ session required pam_lastlog\&.so nowtmp - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "FILES" - .PP --\fI/var/log/lastlog\fR -+\FC/var/log/lastlog\F[] - .RS 4 - Lastlog logging file - .RE -@@ -106,8 +294,8 @@ - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_lastlog was written by Andrew G\. Morgan \. -+pam_lastlog was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_lastlog/README 2008-04-16 11:07:17.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_lastlog/README 2009-01-20 11:58:55.000000000 +0100 -@@ -43,6 +43,15 @@ - - Don't update the wtmp entry. - -+noupdate -+ -+ Don't update any file. -+ -+showfailed -+ -+ Display number of failed login attempts and the date of the last failed -+ attempt from btmp. The date is not displayed when nodate is specified. -+ - EXAMPLES - - Add the following line to /etc/pam.d/login to display the last login time of an ---- Linux-PAM-1.0.2-orig/modules/pam_limits/limits.conf.5 2008-04-16 11:07:19.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_limits/limits.conf.5 2009-01-20 11:58:57.000000000 +0100 -@@ -1,17 +1,173 @@ - .\" Title: limits.conf --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "LIMITS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "LIMITS\&.CONF" "5" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --limits.conf - configuration file for the pam_limits module -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+limits.conf \- configuration file for the pam_limits module - .SH "DESCRIPTION" - .PP - The syntax of the lines is as follows: -@@ -28,25 +184,53 @@ - .RS 4 - .sp - .RS 4 --\h'-04'\(bu\h'+03'a username -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+a username - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'a groupname, with -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+a groupname, with - \fB@group\fR --syntax\. This should not be confused with netgroups\. -+syntax\&. This should not be confused with netgroups\&. - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'the wildcard --\fB*\fR, for default entry\. -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+the wildcard -+\fB*\fR, for default entry\&. - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'the wildcard -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+the wildcard - \fB%\fR, for maxlogins limit only, can also be used with - \fI%group\fR --syntax\. -+syntax\&. - .RE - .RE - .PP -@@ -57,18 +241,18 @@ - .RS 4 - for enforcing - \fBhard\fR --resource limits\. These limits are set by the superuser and enforced by the Kernel\. The user cannot raise his requirement of system resources above such values\. -+resource limits\&. These limits are set by the superuser and enforced by the Kernel\&. The user cannot raise his requirement of system resources above such values\&. - .RE - .PP - \fBsoft\fR - .RS 4 - for enforcing - \fBsoft\fR --resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-existing -+resource limits\&. These limits are ones that the user can move up or down within the permitted range by any pre\-existing - \fBhard\fR --limits\. The values specified with this token can be thought of as -+limits\&. The values specified with this token can be thought of as - \fIdefault\fR --values, for normal system usage\. -+values, for normal system usage\&. - .RE - .PP - \fB\-\fR -@@ -77,9 +261,9 @@ - \fBsoft\fR - and - \fBhard\fR --resource limits together\. -+resource limits together\&. - .sp --Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \. -+Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\&. \&. - .RE - .RE - .PP -@@ -154,50 +338,70 @@ - .PP - \fBlocks\fR - .RS 4 --maximum locked files (Linux 2\.4 and higher) -+maximum locked files (Linux 2\&.4 and higher) - .RE - .PP - \fBsigpending\fR - .RS 4 --maximum number of pending signals (Linux 2\.6 and higher) -+maximum number of pending signals (Linux 2\&.6 and higher) - .RE - .PP - \fBmsqqueue\fR - .RS 4 --maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher) -+maximum memory used by POSIX message queues (bytes) (Linux 2\&.6 and higher) - .RE - .PP - \fBnice\fR - .RS 4 --maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher) values: [\-20,19] -+maximum nice priority allowed to raise to (Linux 2\&.6\&.12 and higher) values: [\-20,19] - .RE - .PP - \fBrtprio\fR - .RS 4 --maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher) -+maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) - .RE - .RE - .PP -+All items support the values -+\fI\-1\fR, -+\fIunlimited\fR -+or -+\fIinfinity\fR -+indicating no limit, except for -+\fBpriority\fR -+and -+\fBnice\fR\&. -+.PP - In general, individual limits have priority over group limits, so if you impose no limits for - \fIadmin\fR --group, but one of the members in this group have a limits line, the user will have its limits set according to this line\. -+group, but one of the members in this group have a limits line, the user will have its limits set according to this line\&. - .PP - Also, please note that all limit settings are set --\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\. -+\fIper login\fR\&. They are not global, nor are they permanent; existing only for the duration of the session\&. - .PP - In the - \fIlimits\fR --configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\. -+configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\&. - .PP - The pam_limits module does its best to report configuration problems found in its configuration file via --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .SH "EXAMPLES" - .PP - These are some example lines which might be specified in --\fI/etc/security/limits\.conf\fR\. -+\FC/etc/security/limits\&.conf\F[]\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - * soft core 0 - * hard rss 10000 - @student hard nproc 20 -@@ -206,14 +410,23 @@ - ftp hard nproc 0 - @student \- maxlogins 4 - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBpam_limits\fR(8), - \fBpam.d\fR(5), --\fBpam\fR(8) -+\fBpam\fR(8), -+\fBgetrlimit\fR(2) - .SH "AUTHOR" - .PP --pam_limits was initially written by Cristian Gafton -+pam_limits was initially written by Cristian Gafton ---- Linux-PAM-1.0.2-orig/modules/pam_limits/pam_limits.8 2008-04-16 11:07:20.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_limits/pam_limits.8 2009-01-20 11:58:58.000000000 +0100 -@@ -1,132 +1,308 @@ - .\" Title: pam_limits --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHORS" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_LIMITS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_LIMITS" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_limits - PAM module to limit resources --.SH "SYNOPSIS" --.HP 14 --\fBpam_limits\.so\fR [change_uid] [conf=\fI/path/to/limits\.conf\fR] [debug] [utmp_early] [noaudit] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_limits \- PAM module to limit resources -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_limits\&.so\fR\ 'u -+\fBpam_limits\&.so\fR [change_uid] [conf=\fI/path/to/limits\&.conf\fR] [debug] [utmp_early] [noaudit] -+.fam - .SH "DESCRIPTION" - .PP --The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\. Users of -+The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\&. Users of - \fIuid=0\fR --are affected by this limits, too\. -+are affected by this limits, too\&. - .PP - By default limits are taken from the --\fI/etc/security/limits\.conf\fR --config file\. Then individual files from the --\fI/etc/security/limits\.d/\fR --directory are read\. The files are parsed one after another in the order of "C" locale\. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\. -+\FC/etc/security/limits\&.conf\F[] -+config file\&. Then individual files from the -+\FC/etc/security/limits\&.d/\F[] -+directory are read\&. The files are parsed one after another in the order of "C" locale\&. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\&. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\&. - .PP --The module must not be called by a multithreaded application\. -+The module must not be called by a multithreaded application\&. - .PP --If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\. -+If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\&. - .SH "OPTIONS" - .PP - \fBchange_uid\fR - .RS 4 --Change real uid to the user for who the limits are set up\. Use this option if you have problems like login not forking a shell for user who has no processes\. Be warned that something else may break when you do this\. -+Change real uid to the user for who the limits are set up\&. Use this option if you have problems like login not forking a shell for user who has no processes\&. Be warned that something else may break when you do this\&. - .RE - .PP --\fBconf=\fR\fB\fI/path/to/limits\.conf\fR\fR -+\fBconf=\fR\fB\fI/path/to/limits\&.conf\fR\fR - .RS 4 --Indicate an alternative limits\.conf style configuration file to override the default\. -+Indicate an alternative limits\&.conf style configuration file to override the default\&. - .RE - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fButmp_early\fR - .RS 4 --Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\.conf file\. -+Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\&. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\&.conf file\&. - .RE - .PP - \fBnoaudit\fR - .RS 4 --Do not report exceeded maximum logins count to the audit subsystem\. -+Do not report exceeded maximum logins count to the audit subsystem\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_ABORT - .RS 4 --Cannot get current limits\. -+Cannot get current limits\&. - .RE - .PP - PAM_IGNORE - .RS 4 --No limits found for this user\. -+No limits found for this user\&. - .RE - .PP - PAM_PERM_DENIED - .RS 4 --New limits could not be set\. -+New limits could not be set\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Cannot read config file\. -+Cannot read config file\&. - .RE - .PP - PAM_SESSEION_ERR - .RS 4 --Error recovering account name\. -+Error recovering account name\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Limits were changed\. -+Limits were changed\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --The user is not known to the system\. -+The user is not known to the system\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/limits\.conf\fR -+\FC/etc/security/limits\&.conf\F[] - .RS 4 - Default configuration file - .RE - .SH "EXAMPLES" - .PP - For the services you need resources limits (login for example) put a the following line in --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - as the last line for that service (usually after the pam_unix session line): - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # - # Resource limits imposed on login sessions via pam_limits - # --session required pam_limits\.so -+session required pam_limits\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .PP --Replace "login" for each service you are using this module\. -+Replace "login" for each service you are using this module\&. - .SH "SEE ALSO" - .PP - - \fBlimits.conf\fR(5), --\fBpam.d\fR(8), --\fBpam\fR(8)\. -+\fBpam.d\fR(5), -+\fBpam\fR(8)\&. - .SH "AUTHORS" - .PP --pam_limits was initially written by Cristian Gafton -+pam_limits was initially written by Cristian Gafton ---- Linux-PAM-1.0.2-orig/modules/pam_listfile/pam_listfile.8 2008-04-16 11:07:24.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_listfile/pam_listfile.8 2009-01-20 11:59:02.000000000 +0100 -@@ -1,23 +1,181 @@ - .\" Title: pam_listfile --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_LISTFILE" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_LISTFILE" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_listfile - deny or allow services based on an arbitrary file --.SH "SYNOPSIS" --.HP 16 --\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_listfile \- deny or allow services based on an arbitrary file -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_listfile\&.so\fR\ 'u -+\fBpam_listfile\&.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] -+.fam - .SH "DESCRIPTION" - .PP --pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\. -+pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\&. - .PP - The module gets the - \fBitem\fR -@@ -29,18 +187,18 @@ - \fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request, - \fIPAM_RUSER\fR - \-\- and looks for an instance of that item in the --\fBfile=\fR\fB\fIfilename\fR\fR\. --\fIfilename\fR --contains one line per item listed\. If the item is found, then if -+\fBfile=\fR\fB\fIfilename\fR\fR\&. -+\FCfilename\F[] -+contains one line per item listed\&. If the item is found, then if - \fBsense=\fR\fB\fIallow\fR\fR, - \fIPAM_SUCCESS\fR - is returned, causing the authorization request to succeed; else if - \fBsense=\fR\fB\fIdeny\fR\fR, - \fIPAM_AUTH_ERR\fR --is returned, causing the authorization request to fail\. -+is returned, causing the authorization request to fail\&. - .PP - If an error is encountered (for instance, if --\fIfilename\fR -+\FCfilename\F[] - does not exist, or a poorly\-constructed argument is encountered), then if - \fIonerr=succeed\fR, - \fIPAM_SUCCESS\fR -@@ -49,141 +207,175 @@ - \fIPAM_AUTH_ERR\fR - or - \fIPAM_SERVICE_ERR\fR --(as appropriate) will be returned\. -+(as appropriate) will be returned\&. - .PP - An additional argument, --\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the -+\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\&. This added restriction is only meaningful when used with the - \fItty\fR, - \fIrhost\fR - and - \fIshell\fR --items\. -+items\&. - .PP --Besides this last one, all arguments should be specified; do not count on any default behavior\. -+Besides this last one, all arguments should be specified; do not count on any default behavior\&. - .PP --No credentials are awarded by this module\. -+No credentials are awarded by this module\&. - .SH "OPTIONS" - .PP - .PP - \fBitem=[tty|user|rhost|ruser|group|shell]\fR - .RS 4 --What is listed in the file and should be checked for\. -+What is listed in the file and should be checked for\&. - .RE - .PP - \fBsense=[allow|deny]\fR - .RS 4 --Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\. -+Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\&. - .RE - .PP - \fBfile=\fR\fB\fI/path/filename\fR\fR - .RS 4 --File containing one item per line\. The file needs to be a plain file and not world writeable\. -+File containing one item per line\&. The file needs to be a plain file and not world writeable\&. - .RE - .PP - \fBonerr=[succeed|fail]\fR - .RS 4 --What to do if something weird happens like being unable to open the file\. -+What to do if something weird happens like being unable to open the file\&. - .RE - .PP - \fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR - .RS 4 --Restrict the user class for which the restriction apply\. Note that with -+Restrict the user class for which the restriction apply\&. Note that with - \fBitem=[user|ruser|group]\fR - this does not make sense, but for - \fBitem=[tty|rhost|shell]\fR --it have a meaning\. -+it have a meaning\&. - .RE - .PP - \fBquiet\fR - .RS 4 --Do not treat service refusals or missing list files as errors that need to be logged\. -+Do not treat service refusals or missing list files as errors that need to be logged\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --The services --\fBauth\fR, -+All module types (\fBauth\fR, - \fBaccount\fR, - \fBpassword\fR - and --\fBsession\fR --are supported\. -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_AUTH_ERR - .RS 4 --Authentication failure\. -+Authentication failure\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_IGNORE - .RS 4 - The rule does not apply to the - \fBapply\fR --option\. -+option\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Error in service module\. -+Error in service module\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Success\. -+Success\&. - .RE - .SH "EXAMPLES" - .PP - Classic \'ftpusers\' authentication can be implemented with this entry in --\fI/etc/pam\.d/ftpd\fR: -+\FC/etc/pam\&.d/ftpd\F[]: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - # - # deny ftp\-access to users listed in the /etc/ftpusers file - # --auth required pam_listfile\.so \e -+auth required pam_listfile\&.so \e - onerr=succeed item=user sense=deny file=/etc/ftpusers - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - Note, users listed in --\fI/etc/ftpusers\fR -+\FC/etc/ftpusers\F[] - file are (counterintuitively) - \fInot\fR --allowed access to the ftp service\. -+allowed access to the ftp service\&. - .PP - To allow login access only for certain users, you can use a --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - entry like this: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - # - # permit login to users listed in /etc/loginusers - # --auth required pam_listfile\.so \e -+auth required pam_listfile\&.so \e - onerr=fail item=user sense=allow file=/etc/loginusers - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - For this example to work, all users who are allowed to use the login service should be listed in the file --\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in --\fI/etc/loginusers\fR, or by listing a user who is able to -+\FC/etc/loginusers\F[]\&. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in -+\FC/etc/loginusers\F[], or by listing a user who is able to - \fIsu\fR --to the root account\. -+to the root account\&. - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_listfile was written by Michael K\. Johnson and Elliot Lee \. -+pam_listfile was written by Michael K\&. Johnson and Elliot Lee \&. ---- Linux-PAM-1.0.2-orig/modules/pam_localuser/pam_localuser.8 2008-04-16 11:07:27.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_localuser/pam_localuser.8 2009-01-20 11:59:06.000000000 +0100 -@@ -1,88 +1,264 @@ - .\" Title: pam_localuser --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_LOCALUSER" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_LOCALUSER" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_localuser - require users to be listed in /etc/passwd --.SH "SYNOPSIS" --.HP 17 --\fBpam_localuser\.so\fR [debug] [file=\fI/path/passwd\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_localuser \- require users to be listed in /etc/passwd -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_localuser\&.so\fR\ 'u -+\fBpam_localuser\&.so\fR [debug] [file=\fI/path/passwd\fR] -+.fam - .SH "DESCRIPTION" - .PP --pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network\'s users and a few accounts that are local to a particular workstation\. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network\'s users\. -+pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network\'s users and a few accounts that are local to a particular workstation\&. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network\'s users\&. - .PP --This could also be implemented using pam_listfile\.so and a very short awk script invoked by cron, but it\'s common enough to have been separated out\. -+This could also be implemented using pam_listfile\&.so and a very short awk script invoked by cron, but it\'s common enough to have been separated out\&. - .SH "OPTIONS" - .PP - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBfile=\fR\fB\fI/path/passwd\fR\fR - .RS 4 - Use a file other than --\fI/etc/passwd\fR\. -+\FC/etc/passwd\F[]\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --All services (\fBaccount\fR, -+All module types (\fBaccount\fR, - \fBauth\fR, - \fBpassword\fR - and --\fBsession\fR) are supported\. -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --The new localuser was set successfull\. -+The new localuser was set successfull\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --No username was given\. -+No username was given\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/su\fR --to allow only local users in group wheel to use su\. -+\FC/etc/pam\&.d/su\F[] -+to allow only local users in group wheel to use su\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --account sufficient pam_localuser\.so --account required pam_wheel\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+account sufficient pam_localuser\&.so -+account required pam_wheel\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "FILES" - .PP --\fI/etc/passwd\fR -+\FC/etc/passwd\F[] - .RS 4 --Local user account information\. -+Local user account information\&. - .RE - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_localuser was written by Nalin Dahyabhai \. -+pam_localuser was written by Nalin Dahyabhai \&. ---- Linux-PAM-1.0.2-orig/modules/pam_loginuid/pam_loginuid.8 2008-04-16 11:09:18.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_loginuid/pam_loginuid.8 2009-01-20 11:59:09.000000000 +0100 -@@ -1,63 +1,239 @@ - .\" Title: pam_loginuid --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_LOGINUID" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_LOGINUID" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_loginuid - Record user's login uid to the process attribute --.SH "SYNOPSIS" --.HP 16 --\fBpam_loginuid\.so\fR [require_auditd] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_loginuid \- Record user\'s login uid to the process attribute -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_loginuid\&.so\fR\ 'u -+\fBpam_loginuid\&.so\fR [require_auditd] -+.fam - .SH "DESCRIPTION" - .PP --The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\. This is necessary for applications to be correctly audited\. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\. There are probably other entry point applications besides these\. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\. -+The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\&. This is necessary for applications to be correctly audited\&. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\&. There are probably other entry point applications besides these\&. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\&. - .SH "OPTIONS" - .PP - \fBrequire_auditd\fR - .RS 4 --This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\. -+This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --The -+Only the - \fBsession\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SESSION_ERR - .RS 4 --An error occured during session management\. -+An error occured during session management\&. - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 --auth required pam_unix\.so --auth required pam_nologin\.so --account required pam_unix\.so --password required pam_unix\.so --session required pam_unix\.so --session required pam_loginuid\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 -+auth required pam_unix\&.so -+auth required pam_nologin\&.so -+account required pam_unix\&.so -+password required pam_unix\&.so -+session required pam_unix\&.so -+session required pam_loginuid\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8), - \fBauditctl\fR(8), - \fBauditd\fR(8) - .SH "AUTHOR" - .PP --pam_loginuid was written by Steve Grubb -+pam_loginuid was written by Steve Grubb ---- Linux-PAM-1.0.2-orig/modules/pam_mail/pam_mail.8 2008-04-16 11:07:30.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_mail/pam_mail.8 2009-01-20 11:59:12.000000000 +0100 -@@ -1,139 +1,315 @@ - .\" Title: pam_mail --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_MAIL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_MAIL" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_mail - Inform about available mail --.SH "SYNOPSIS" --.HP 12 --\fBpam_mail\.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_mail \- Inform about available mail -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_mail\&.so\fR\ 'u -+\fBpam_mail\&.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quiet] [standard] -+.fam - .SH "DESCRIPTION" - .PP --The pam_mail PAM module provides the "you have new mail" service to the user\. It can be plugged into any application that has credential or session hooks\. It gives a single message indicating the -+The pam_mail PAM module provides the "you have new mail" service to the user\&. It can be plugged into any application that has credential or session hooks\&. It gives a single message indicating the - \fInewness\fR --of any mail it finds in the user\'s mail folder\. This module also sets the PAM environment variable, --\fBMAIL\fR, to the user\'s mail directory\. -+of any mail it finds in the user\'s mail folder\&. This module also sets the PAM environment variable, -+\fBMAIL\fR, to the user\'s mail directory\&. - .PP - If the mail spool file (be it --\fI/var/mail/$USER\fR -+\FC/var/mail/$USER\F[] - or a pathname given with the - \fBdir=\fR - parameter) is a directory then pam_mail assumes it is in the - \fIMaildir\fR --format\. -+format\&. - .SH "OPTIONS" - .PP - .PP - \fBclose\fR - .RS 4 --Indicate if the user has any mail also on logout\. -+Indicate if the user has any mail also on logout\&. - .RE - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBdir=\fR\fB\fImaildir\fR\fR - .RS 4 - Look for the users\' mail in an alternative location defined by --\fImaildir/\fR\. The default location for mail is --\fI/var/mail/\fR\. Note, if the supplied --\fImaildir\fR --is prefixed by a \'~\', the directory is interpreted as indicating a file in the user\'s home directory\. -+\FCmaildir/\F[]\&. The default location for mail is -+\FC/var/mail/\F[]\&. Note, if the supplied -+\FCmaildir\F[] -+is prefixed by a \'~\', the directory is interpreted as indicating a file in the user\'s home directory\&. - .RE - .PP - \fBempty\fR - .RS 4 --Also print message if user has no mail\. -+Also print message if user has no mail\&. - .RE - .PP - \fBhash=\fR\fB\fIcount\fR\fR - .RS 4 --Mail directory hash depth\. For example, a -+Mail directory hash depth\&. For example, a - \fIhashcount\fR - of 2 would make the mail file be --\fI/var/spool/mail/u/s/user\fR\. -+\FC/var/spool/mail/u/s/user\F[]\&. - .RE - .PP - \fBnoenv\fR - .RS 4 - Do not set the - \fBMAIL\fR --environment variable\. -+environment variable\&. - .RE - .PP - \fBnopen\fR - .RS 4 --Don\'t print any mail information on login\. This flag is useful to get the -+Don\'t print any mail information on login\&. This flag is useful to get the - \fBMAIL\fR --environment variable set, but to not display any information about it\. -+environment variable set, but to not display any information about it\&. - .RE - .PP - \fBquiet\fR - .RS 4 --Only report when there is new mail\. -+Only report when there is new mail\&. - .RE - .PP - \fBstandard\fR - .RS 4 --Old style "You have\.\.\." format which doesn\'t show the mail spool being used\. This also implies "empty"\. -+Old style "You have\&.\&.\&." format which doesn\'t show the mail spool being used\&. This also implies "empty"\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - The --\fBauth\fR -+\fBsession\fR - and --\fBaccount\fR --services are supported\. -+\fBauth\fR -+(on establishment and deletion of credentials) module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Badly formed arguments\. -+Badly formed arguments\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Success\. -+Success\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/login\fR --to indicate that the user has new mail when they login to the system\. -+\FC/etc/pam\&.d/login\F[] -+to indicate that the user has new mail when they login to the system\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --session optional pam_mail\.so standard -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+session optional pam_mail\&.so standard - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_mail was written by Andrew G\. Morgan \. -+pam_mail was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_mkhomedir/pam_mkhomedir.8 2008-04-16 11:07:34.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_mkhomedir/pam_mkhomedir.8 2009-01-20 11:59:15.000000000 +0100 -@@ -1,109 +1,285 @@ - .\" Title: pam_mkhomedir --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_MKHOMEDIR" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_MKHOMEDIR" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_mkhomedir - PAM module to create users home directory --.SH "SYNOPSIS" --.HP 17 --\fBpam_mkhomedir\.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_mkhomedir \- PAM module to create users home directory -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_mkhomedir\&.so\fR\ 'u -+\fBpam_mkhomedir\&.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins\. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories\. The skeleton directory (usually --\fI/etc/skel/\fR) is used to copy default files and also set\'s a umask for the creation\. -+The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins\&. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories\&. The skeleton directory (usually -+\FC/etc/skel/\F[]) is used to copy default files and also set\'s a umask for the creation\&. - .PP --The new users home directory will not be removed after logout of the user\. -+The new users home directory will not be removed after logout of the user\&. - .SH "OPTIONS" - .PP - \fBsilent\fR - .RS 4 --Don\'t print informative messages\. -+Don\'t print informative messages\&. - .RE - .PP - \fBumask=\fR\fB\fImask\fR\fR - .RS 4 - The user file\-creation mask is set to --\fImask\fR\. The default value of mask is 0022\. -+\fImask\fR\&. The default value of mask is 0022\&. - .RE - .PP - \fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR - .RS 4 - Indicate an alternative --\fIskel\fR -+\FCskel\F[] - directory to override the default --\fI/etc/skel\fR\. -+\FC/etc/skel\F[]\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_CRED_INSUFFICIENT - .RS 4 --Insufficient credentials to access authentication data\. -+Insufficient credentials to access authentication data\&. - .RE - .PP - PAM_PERM_DENIED - .RS 4 --Not enough permissions to create the new directory or read the skel directory\. -+Not enough permissions to create the new directory or read the skel directory\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known to the underlying authentication module\. -+User not known to the underlying authentication module\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Environment variables were set\. -+Environment variables were set\&. - .RE - .SH "FILES" - .PP --\fI/etc/skel\fR -+\FC/etc/skel\F[] - .RS 4 - Default skel directory - .RE - .SH "EXAMPLES" - .PP --A sample /etc/pam\.d/login file: -+A sample /etc/pam\&.d/login file: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- auth requisite pam_securetty\.so -- auth sufficient pam_ldap\.so -- auth required pam_unix\.so -- auth required pam_nologin\.so -- account sufficient pam_ldap\.so -- account required pam_unix\.so -- password required pam_unix\.so -- session required pam_mkhomedir\.so skel=/etc/skel/ umask=0022 -- session required pam_unix\.so -- session optional pam_lastlog\.so -- session optional pam_mail\.so standard -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ auth requisite pam_securetty\&.so -+ auth sufficient pam_ldap\&.so -+ auth required pam_unix\&.so -+ auth required pam_nologin\&.so -+ account sufficient pam_ldap\&.so -+ account required pam_unix\&.so -+ password required pam_unix\&.so -+ session required pam_mkhomedir\&.so skel=/etc/skel/ umask=0022 -+ session required pam_unix\&.so -+ session optional pam_lastlog\&.so -+ session optional pam_mail\&.so standard - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - --\fBpam.d\fR(8), --\fBpam\fR(8)\. -+\fBpam.d\fR(5), -+\fBpam\fR(8)\&. - .SH "AUTHOR" - .PP --pam_mkhomedir was written by Jason Gunthorpe \. -+pam_mkhomedir was written by Jason Gunthorpe \&. ---- Linux-PAM-1.0.2-orig/modules/pam_motd/pam_motd.8 2008-04-16 11:07:37.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_motd/pam_motd.8 2009-01-20 11:59:18.000000000 +0100 -@@ -1,64 +1,240 @@ - .\" Title: pam_motd --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_MOTD" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_MOTD" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_motd - Display the motd file --.SH "SYNOPSIS" --.HP 12 --\fBpam_motd\.so\fR [motd=\fI/path/filename\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_motd \- Display the motd file -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_motd\&.so\fR\ 'u -+\fBpam_motd\&.so\fR [motd=\fI/path/filename\fR] -+.fam - .SH "DESCRIPTION" - .PP --pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login\. By default the --\fI/etc/motd\fR --file is shown\. The message size is limited to 64KB\. -+pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login\&. By default the -+\FC/etc/motd\F[] -+file is shown\&. The message size is limited to 64KB\&. - .SH "OPTIONS" - .PP - \fBmotd=\fR\fB\fI/path/filename\fR\fR - .RS 4 - The --\fI/path/filename\fR --file is displayed as message of the day\. -+\FC/path/filename\F[] -+file is displayed as message of the day\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_IGNORE - .RS 4 --This is the only return value of this module\. -+This is the only return value of this module\&. - .RE - .SH "EXAMPLES" - .PP - The suggested usage for --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - is: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --session optional pam_motd\.so motd=/etc/motd -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+session optional pam_motd\&.so motd=/etc/motd - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBmotd\fR(5), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_motd was written by Ben Collins \. -+pam_motd was written by Ben Collins \&. ---- Linux-PAM-1.0.2-orig/modules/pam_namespace/namespace.conf.5 2008-04-16 11:09:13.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_namespace/namespace.conf.5 2009-01-20 11:59:23.000000000 +0100 -@@ -1,40 +1,196 @@ - .\" Title: namespace.conf --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHORS" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "NAMESPACE\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "NAMESPACE\&.CONF" "5" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --namespace.conf - the namespace configuration file -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+namespace.conf \- the namespace configuration file - .SH "DESCRIPTION" - .PP - The --\fIpam_namespace\.so\fR --module allows setup of private namespaces with polyinstantiated directories\. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\. If an executable script --\fI/etc/security/namespace\.init\fR --exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path and the instance directory path as its arguments\. -+\fIpam_namespace\&.so\fR -+module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\&. If an executable script -+\FC/etc/security/namespace\&.init\F[] -+exists, it is used to initialize the namespace every time an instance directory is set up and mounted\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&. - .PP - The --\fI/etc/security/namespace\.conf\fR --file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\. -+\FC/etc/security/namespace\&.conf\F[] -+file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&. - .PP - When someone logs in, the file --\fInamespace\.conf\fR --is scanned\. Comments are marked by -+\FCnamespace\&.conf\F[] -+is scanned\&. Comments are marked by - \fI#\fR --characters\. Each non comment line represents one polyinstantiated directory\. The fields are separated by spaces but can be quoted by -+characters\&. Each non comment line represents one polyinstantiated directory\&. The fields are separated by spaces but can be quoted by - \fI"\fR - characters also escape sequences - \fI\eb\fR, - \fI\en\fR, and - \fI\et\fR --are recognized\. The fields are as follows: -+are recognized\&. The fields are as follows: - .PP - \fIpolydir\fR - \fIinstance_prefix\fR -@@ -42,92 +198,110 @@ - \fIlist_of_uids\fR - .PP - The first field, --\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\. The special string -+\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. The special string - \fI$HOME\fR - is replaced with the user\'s home directory, and - \fI$USER\fR --with the username\. This field cannot be blank\. -+with the username\&. This field cannot be blank\&. - .PP - The second field, - \fIinstance_prefix\fR --is the string prefix used to build the pathname for the instantiation of \. Depending on the polyinstantiation -+is the string prefix used to build the pathname for the instantiation of \&. Depending on the polyinstantiation - \fImethod\fR --it is then appended with "instance differentiation string" to generate the final instance directory path\. This directory is created if it did not exist already, and is then bind mounted on the to provide an instance of based on the column\. The special string -+it is then appended with "instance differentiation string" to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the to provide an instance of based on the column\&. The special string - \fI$HOME\fR - is replaced with the user\'s home directory, and - \fI$USER\fR --with the username\. This field cannot be blank\. -+with the username\&. This field cannot be blank\&. - .PP - The third field, --\fImethod\fR, is the method used for polyinstantiation\. It can take these values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating temporary directory as an instance dir which is removed when the user\'s session is closed\. Methods "context" and "level" are only available with SELinux\. This field cannot be blank\. -+\fImethod\fR, is the method used for polyinstantiation\&. It can take these values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and "tmpdir" for creating temporary directory as an instance dir which is removed when the user\'s session is closed\&. Methods "context" and "level" are only available with SELinux\&. This field cannot be blank\&. - .PP - The fourth field, --\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\. If left blank, polyinstantiation will be performed for all users\. If the list is preceded with a single "~" character, polyinstantiation is performed only for users in the list\. -+\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&. If the list is preceded with a single "~" character, polyinstantiation is performed only for users in the list\&. - .PP - The - \fImethod\fR - field can contain also following optional flags separated by - \fI:\fR --characters\. -+characters\&. - .PP - \fIcreate\fR=\fImode\fR,\fIowner\fR,\fIgroup\fR --\- create the polyinstantiated directory\. The mode, owner and group parameters are optional\. The default for mode is determined by umask, the default owner is the user whose session is opened, the default group is the primary group of the user\. -+\- create the polyinstantiated directory\&. The mode, owner and group parameters are optional\&. The default for mode is determined by umask, the default owner is the user whose session is opened, the default group is the primary group of the user\&. - .PP - \fIiscript\fR=\fIpath\fR --\- path to the instance directory init script\. The base directory for relative paths is --\fI/etc/security/namespace\.d\fR\. -+\- path to the instance directory init script\&. The base directory for relative paths is -+\FC/etc/security/namespace\&.d\F[]\&. - .PP - \fInoinit\fR --\- instance directory init script will not be executed\. -+\- instance directory init script will not be executed\&. - .PP - \fIshared\fR --\- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\. -+\- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\&. - .PP --The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\. The requirement that the instance parent be of mode 0000 can be overridden with the command line option -+The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\&. The requirement that the instance parent be of mode 0000 can be overridden with the command line option - \fIignore_instance_parent_mode\fR - .PP --In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon\. This context must be set by the calling application or --\fIpam_selinux\.so\fR --module\. If this context is not set the polyinstatiation will be based just on user name\. -+In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon\&. This context must be set by the calling application or -+\FCpam_selinux\&.so\F[] -+module\&. If this context is not set the polyinstatiation will be based just on user name\&. - .PP --The "instance differentiation string" is for "user" method and _ for "context" and "level" methods\. If the whole string is too long the end of it is replaced with md5sum of itself\. Also when command line option -+The "instance differentiation string" is for "user" method and _ for "context" and "level" methods\&. If the whole string is too long the end of it is replaced with md5sum of itself\&. Also when command line option - \fIgen_hash\fR --is used the whole string is replaced with md5sum of itself\. -+is used the whole string is replaced with md5sum of itself\&. - .SH "EXAMPLES" - .PP - These are some example lines which might be specified in --\fI/etc/security/namespace\.conf\fR\. -+\FC/etc/security/namespace\&.conf\F[]\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - # The following three lines will polyinstantiate /tmp, -- # /var/tmp and user\'s home directories\. /tmp and /var/tmp -+ # /var/tmp and user\'s home directories\&. /tmp and /var/tmp - # will be polyinstantiated based on the security level - # as well as user name, whereas home directory will be -- # polyinstantiated based on the full security context and user name\. -+ # polyinstantiated based on the full security context and user name\&. - # Polyinstantiation will not be performed for user root - # and adm for directories /tmp and /var/tmp, whereas home -- # directories will be polyinstantiated for all users\. -+ # directories will be polyinstantiated for all users\&. - # - # Note that instance directories do not have to reside inside -- # the polyinstantiated directory\. In the examples below, -+ # the polyinstantiated directory\&. In the examples below, - # instances of /tmp will be created in /tmp\-inst directory, - # where as instances of /var/tmp and users home directories - # will reside within the directories that are being -- # polyinstantiated\. -+ # polyinstantiated\&. - # - /tmp /tmp\-inst/ level root,adm - /var/tmp /var/tmp/tmp\-inst/ level root,adm -- $HOME $HOME/$USER\.inst/inst\- context -+ $HOME $HOME/$USER\&.inst/inst\- context - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .PP --For the s you need polyinstantiation (login for example) put the following line in /etc/pam\.d/ as the last line for session group: -+For the s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/ as the last line for session group: - .PP --session required pam_namespace\.so [arguments] -+session required pam_namespace\&.so [arguments] - .PP --This module also depends on pam_selinux\.so setting the context\. -+This module also depends on pam_selinux\&.so setting the context\&. - .SH "SEE ALSO" - .PP - -@@ -136,4 +310,4 @@ - \fBpam\fR(8) - .SH "AUTHORS" - .PP --The namespace\.conf manual page was written by Janak Desai \. More features added by Tomas Mraz \. -+The namespace\&.conf manual page was written by Janak Desai \&. More features added by Tomas Mraz \&. ---- Linux-PAM-1.0.2-orig/modules/pam_namespace/pam_namespace.8 2008-04-16 11:09:14.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_namespace/pam_namespace.8 2009-01-20 11:59:24.000000000 +0100 -@@ -1,27 +1,185 @@ - .\" Title: pam_namespace --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHORS" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_NAMESPACE" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_NAMESPACE" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_namespace - PAM module for configuring namespace for a session --.SH "SYNOPSIS" --.HP 17 --\fBpam_namespace\.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_namespace \- PAM module for configuring namespace for a session -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_namespace\&.so\fR\ 'u -+\fBpam_namespace\&.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] [use_current_context] [use_default_context] -+.fam - .SH "DESCRIPTION" - .PP --The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\. If an executable script --\fI/etc/security/namespace\.init\fR --exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\. -+The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\&. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\&. If an executable script -+\FC/etc/security/namespace\&.init\F[] -+exists, it is used to initialize the instance directory after it is set up and mounted on the polyinstantiated direcory\&. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\&. - .PP --The pam_namespace module disassociates the session namespace from the parent namespace\. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\.net/Articles/159077 and http://lwn\.net/Articles/159092\. -+The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. - .SH "OPTIONS" - .PP - \fBdebug\fR -@@ -31,7 +189,7 @@ - .PP - \fBunmnt_remnt\fR - .RS 4 --For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context -+For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context - .RE - .PP - \fBunmnt_only\fR -@@ -46,112 +204,130 @@ - .PP - \fBgen_hash\fR - .RS 4 --Instead of using the security context string for the instance name, generate and use its md5 hash\. -+Instead of using the security context string for the instance name, generate and use its md5 hash\&. - .RE - .PP - \fBignore_config_error\fR - .RS 4 --If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\. Without this option, pam will return an error to the calling program resulting in termination of the session\. -+If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&. - .RE - .PP - \fBignore_instance_parent_mode\fR - .RS 4 --Instance parent directories by default are expected to have the restrictive mode of 000\. Using this option, an administrator can choose to ignore the mode of the instance parent\. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\. -+Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. - .RE - .PP - \fBno_unmount_on_close\fR - .RS 4 --For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions\. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent\. -+For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions\&. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent\&. - .RE - .PP - \fBuse_current_context\fR - .RS 4 --Useful for services which do not change the SELinux context with setexeccon call\. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\. -+Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. - .RE - .PP - \fBuse_default_context\fR - .RS 4 --Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\. The module will use the default SELinux context of the user for the level and context polyinstantiation\. -+Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --The -+Only the - \fBsession\fR --service is supported\. The module must not be called from multithreaded processes\. -+module type is provided\&. The module must not be called from multithreaded processes\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --Namespace setup was successful\. -+Namespace setup was successful\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Unexpected system error occurred while setting up namespace\. -+Unexpected system error occurred while setting up namespace\&. - .RE - .PP - PAM_SESSION_ERR - .RS 4 --Unexpected namespace configuration error occurred\. -+Unexpected namespace configuration error occurred\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/namespace\.conf\fR -+\FC/etc/security/namespace\&.conf\F[] - .RS 4 - Main configuration file - .RE - .PP --\fI/etc/security/namespace\.d\fR -+\FC/etc/security/namespace\&.d\F[] - .RS 4 - Directory for additional configuration files - .RE - .PP --\fI/etc/security/namespace\.init\fR -+\FC/etc/security/namespace\&.init\F[] - .RS 4 - Init script for instance directories - .RE - .SH "EXAMPLES" - .PP --For the s you need polyinstantiation (login for example) put the following line in /etc/pam\.d/ as the last line for session group: -+For the s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/ as the last line for session group: - .PP --session required pam_namespace\.so [arguments] -+session required pam_namespace\&.so [arguments] - .PP - To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default: - .PP - /usr/sbin/gdm\-safe\-restart - .PP --This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\. Please use the initialization script --\fI/etc/security/namespace\.init\fR --to ensure that the X server and its clients can appropriately access the communication socket X0\. Please refer to the sample instructions provided in the comment section of the instance initialization script --\fI/etc/security/namespace\.init\fR\. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: -+This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\&. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\&. Please use the initialization script -+\FC/etc/security/namespace\&.init\F[] -+to ensure that the X server and its clients can appropriately access the communication socket X0\&. Please refer to the sample instructions provided in the comment section of the instance initialization script -+\FC/etc/security/namespace\&.init\F[]\&. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: - .PP - - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- 1\. Disable the use of font server by commenting out "FontPath" -- line in /etc/X11/xorg\.conf\. If you do want to use the font server -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ 1\&. Disable the use of font server by commenting out "FontPath" -+ line in /etc/X11/xorg\&.conf\&. If you do want to use the font server - then you will have to augment the instance initialization -- script to appropriately provide /tmp/\.font\-unix from the -- polyinstantiated /tmp\. -- 2\. Ensure that the gdm service is setup to use pam_namespace, -- as described above, by modifying /etc/pam\.d/gdm\. -- 3\. Ensure that the display manager is configured to restart X server -- with each new session\. This default setup can be verified by -- making sure that /usr/share/gdm/defaults\.conf contains -+ script to appropriately provide /tmp/\&.font\-unix from the -+ polyinstantiated /tmp\&. -+ 2\&. Ensure that the gdm service is setup to use pam_namespace, -+ as described above, by modifying /etc/pam\&.d/gdm\&. -+ 3\&. Ensure that the display manager is configured to restart X server -+ with each new session\&. This default setup can be verified by -+ making sure that /usr/share/gdm/defaults\&.conf contains - "AlwaysRestartServer=true", and it is not overridden by -- /etc/gdm/custom\.conf\. -+ /etc/gdm/custom\&.conf\&. - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBnamespace.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBmount\fR(8), --\fBpam\fR(8)\. -+\fBpam\fR(8)\&. - .SH "AUTHORS" - .PP --The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \. Additional improvements by Xavier Toth and Tomas Mraz \. -+The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb \&. Additional improvements by Xavier Toth and Tomas Mraz \&. ---- Linux-PAM-1.0.2-orig/modules/pam_nologin/pam_nologin.8 2008-04-16 11:07:40.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_nologin/pam_nologin.8 2009-01-20 11:59:26.000000000 +0100 -@@ -1,110 +1,286 @@ - .\" Title: pam_nologin --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_NOLOGIN" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_NOLOGIN" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_nologin - Prevent non-root users from login --.SH "SYNOPSIS" --.HP 15 --\fBpam_nologin\.so\fR [file=\fI/path/nologin\fR] [successok] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_nologin \- Prevent non\-root users from login -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_nologin\&.so\fR\ 'u -+\fBpam_nologin\&.so\fR [file=\fI/path/nologin\fR] [successok] -+.fam - .SH "DESCRIPTION" - .PP - pam_nologin is a PAM module that prevents users from logging into the system when --\fI/etc/nologin\fR --exists\. The contents of the --\fI/etc/nologin\fR --file are displayed to the user\. The pam_nologin module has no effect on the root user\'s ability to log in\. -+\FC/etc/nologin\F[] -+exists\&. The contents of the -+\FC/etc/nologin\F[] -+file are displayed to the user\&. The pam_nologin module has no effect on the root user\'s ability to log in\&. - .SH "OPTIONS" - .PP - \fBfile=\fR\fB\fI/path/nologin\fR\fR - .RS 4 - Use this file instead the default --\fI/etc/nologin\fR\. -+\FC/etc/nologin\F[]\&. - .RE - .PP - \fBsuccessok\fR - .RS 4 --Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\. -+Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - The - \fBauth\fR - and - \fBacct\fR --services are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 - The user is not root and --\fI/etc/nologin\fR --exists, so the user is not permitted to log in\. -+\FC/etc/nologin\F[] -+exists, so the user is not permitted to log in\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_IGNORE - .RS 4 --This is the default return value\. -+This is the default return value\&. - .RE - .PP - PAM_SUCCESS - .RS 4 - Success: either the user is root or the --\fI/etc/nologin\fR --file does not exist\. -+\FC/etc/nologin\F[] -+file does not exist\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known to the underlying authentication module\. -+User not known to the underlying authentication module\&. - .RE - .SH "EXAMPLES" - .PP - The suggested usage for --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - is: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth required pam_nologin\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_nologin\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "NOTES" - .PP --In order to make this module effective, all login methods should be secured by it\. It should be used as a -+In order to make this module effective, all login methods should be secured by it\&. It should be used as a - \fIrequired\fR - method listed before any - \fIsufficient\fR --methods in order to get standard Unix nologin semantics\. Note, the use of -+methods in order to get standard Unix nologin semantics\&. Note, the use of - \fBsuccessok\fR - module argument causes the module to return - \fIPAM_SUCCESS\fR - and as such would break such a configuration \- failing - \fIsufficient\fR - modules would lead to a successful login because the nologin module --\fIsucceeded\fR\. -+\fIsucceeded\fR\&. - .SH "SEE ALSO" - .PP - - \fBnologin\fR(5), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_nologin was written by Michael K\. Johnson \. -+pam_nologin was written by Michael K\&. Johnson \&. ---- Linux-PAM-1.0.2-orig/modules/pam_permit/pam_permit.8 2008-04-16 11:07:43.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_permit/pam_permit.8 2009-01-20 11:59:29.000000000 +0100 -@@ -1,64 +1,240 @@ - .\" Title: pam_permit --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_PERMIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_PERMIT" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_permit - The promiscuous module --.SH "SYNOPSIS" --.HP 14 --\fBpam_permit\.so\fR -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_permit \- The promiscuous module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_permit\&.so\fR\ 'u -+\fBpam_permit\&.so\fR -+.fam - .SH "DESCRIPTION" - .PP --pam_permit is a PAM module that always permit access\. It does nothing else\. -+pam_permit is a PAM module that always permit access\&. It does nothing else\&. - .PP - In the case of authentication, the user\'s name will be set to - \fInobody\fR --if the application didn\'t set one\. Many applications and PAM modules become confused if this name is unknown\. -+if the application didn\'t set one\&. Many applications and PAM modules become confused if this name is unknown\&. - .PP --This module is very dangerous\. It should be used with extreme caution\. -+This module is very dangerous\&. It should be used with extreme caution\&. - .SH "OPTIONS" - .PP --This module does not recognise any options\. --.SH "MODULE SERVICES PROVIDED" -+This module does not recognise any options\&. -+.SH "MODULE TYPES PROVIDED" - .PP --The services -+The - \fBauth\fR, - \fBaccount\fR, - \fBpassword\fR - and - \fBsession\fR --are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --This module always returns this value\. -+This module always returns this value\&. - .RE - .SH "EXAMPLES" - .PP --Add this line to your other login entries to disable account management, but continue to permit users to log in\. -+Add this line to your other login entries to disable account management, but continue to permit users to log in\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --account required pam_permit\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+account required pam_permit\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_permit was written by Andrew G\. Morgan, \. -+pam_permit was written by Andrew G\&. Morgan, \&. ---- Linux-PAM-1.0.2-orig/modules/pam_pwhistory/README 1970-01-01 01:00:00.000000000 +0100 -+++ Linux-PAM-1.0.2/modules/pam_pwhistory/README 2009-01-20 11:59:33.000000000 +0100 -@@ -0,0 +1,67 @@ -+pam_pwhistory — PAM module to remember last passwords -+ -+â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -+ -+DESCRIPTION -+ -+This module saves the last passwords for each user in order to force password -+change history and keep the user from alternating between the same password too -+frequently. -+ -+This module does not work togehter with kerberos. In general, it does not make -+much sense to use this module in conjuction with NIS or LDAP, since the old -+passwords are stored on the local machine and are not available on another -+machine for password history checking. -+ -+OPTIONS -+ -+debug -+ -+ Turns on debugging via syslog(3). -+ -+use_authtok -+ -+ When password changing enforce the module to use the new password provided -+ by a previously stacked password module (this is used in the example of the -+ stacking of the pam_cracklib module documented below). -+ -+enforce_for_root -+ -+ If this option is set, the check is enforced for root, too. -+ -+remember=N -+ -+ The last N passwords for each user are saved in /etc/security/opasswd. The -+ default is 10. -+ -+retry=N -+ -+ Prompt user at most N times before returning with error. The default is 1. -+ -+type=STRING -+ -+ The default action is for the module to use the following prompts when -+ requesting passwords: "New UNIX password: " and "Retype UNIX password: ". -+ The default word UNIX can be replaced with this option. -+ -+EXAMPLES -+ -+An example password section would be: -+ -+#%PAM-1.0 -+password required pam_pwhistory.so -+password required pam_unix.so use_authtok -+ -+ -+In combination with pam_cracklib: -+ -+#%PAM-1.0 -+password required pam_cracklib.so retry=3 -+password required pam_pwhistory.so use_authtok -+password required pam_unix.so use_authtok -+ -+ -+AUTHOR -+ -+pam_pwhistory was written by Thorsten Kukuk -+ ---- Linux-PAM-1.0.2-orig/modules/pam_rhosts/pam_rhosts.8 2008-04-16 11:07:46.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_rhosts/pam_rhosts.8 2009-01-20 11:59:35.000000000 +0100 -@@ -1,98 +1,274 @@ - .\" Title: pam_rhosts --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_RHOSTS" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_RHOSTS" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_rhosts - The rhosts PAM module --.SH "SYNOPSIS" --.HP 14 --\fBpam_rhosts\.so\fR -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_rhosts \- The rhosts PAM module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_rhosts\&.so\fR\ 'u -+\fBpam_rhosts\&.so\fR -+.fam - .SH "DESCRIPTION" - .PP - This module performs the standard network authentication for services, as used by traditional implementations of - \fBrlogin\fR - and - \fBrsh\fR --etc\. -+etc\&. - .PP - The authentication mechanism of this module is based on the contents of two files; --\fI/etc/hosts\.equiv\fR -+\FC/etc/hosts\&.equiv\F[] - (or and --\fI~/\.rhosts\fR\. Firstly, hosts listed in the former file are treated as equivalent to the localhost\. Secondly, entries in the user\'s own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user\'s account on the current host\. Access is granted to the user if their host is present in --\fI/etc/hosts\.equiv\fR --and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file\. -+\FC~/\&.rhosts\F[]\&. Firstly, hosts listed in the former file are treated as equivalent to the localhost\&. Secondly, entries in the user\'s own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user\'s account on the current host\&. Access is granted to the user if their host is present in -+\FC/etc/hosts\&.equiv\F[] -+and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file\&. - .PP - The module authenticates a remote user (internally specified by the item - \fIPAM_RUSER\fR - connecting from the remote host (internally specified by the item --\fBPAM_RHOST\fR)\. Accordingly, for applications to be compatible this authentication module they must set these items prior to calling --\fBpam_authenticate()\fR\. The module is not capable of independently probing the network connection for such information\. -+\fBPAM_RHOST\fR)\&. Accordingly, for applications to be compatible this authentication module they must set these items prior to calling -+\fBpam_authenticate()\fR\&. The module is not capable of independently probing the network connection for such information\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBsilent\fR - .RS 4 --Don\'t print informative messages\. -+Don\'t print informative messages\&. - .RE - .PP - \fBsuperuser=\fR\fB\fIaccount\fR\fR - .RS 4 - Handle - \fIaccount\fR --as root\. -+as root\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 - The remote host, remote user name or the local user name couldn\'t be determined or access was denied by --\fI\.rhosts\fR --file\. -+\FC\&.rhosts\F[] -+file\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User is not known to system\. -+User is not known to system\&. - .RE - .SH "EXAMPLES" - .PP - To grant a remote user access by --\fI/etc/hosts\.equiv\fR -+\FC/etc/hosts\&.equiv\F[] - or --\fI\.rhosts\fR -+\FC\&.rhosts\F[] - for - \fBrsh\fR - add the following lines to --\fI/etc/pam\.d/rsh\fR: -+\FC/etc/pam\&.d/rsh\F[]: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # --auth required pam_rhosts\.so --auth required pam_nologin\.so --auth required pam_env\.so --auth required pam_unix\.so -+auth required pam_rhosts\&.so -+auth required pam_nologin\&.so -+auth required pam_env\&.so -+auth required pam_unix\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP -@@ -101,8 +277,8 @@ - \fBhosts.equiv\fR(5), - \fBrhosts\fR(5), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_rhosts was written by Thorsten Kukuk -+pam_rhosts was written by Thorsten Kukuk ---- Linux-PAM-1.0.2-orig/modules/pam_rootok/pam_rootok.8 2008-04-16 11:07:49.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_rootok/pam_rootok.8 2009-01-20 11:59:38.000000000 +0100 -@@ -1,41 +1,199 @@ - .\" Title: pam_rootok --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_ROOTOK" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_ROOTOK" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_rootok - Gain only root access --.SH "SYNOPSIS" --.HP 14 --\fBpam_rootok\.so\fR [debug] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_rootok \- Gain only root access -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_rootok\&.so\fR\ 'u -+\fBpam_rootok\&.so\fR [debug] -+.fam - .SH "DESCRIPTION" - .PP - pam_rootok is a PAM module that authenticates the user if their - \fIUID\fR - is --\fI0\fR\. Applications that are created setuid\-root generally retain the -+\fI0\fR\&. Applications that are created setuid\-root generally retain the - \fIUID\fR --of the user but run with the authority of an enhanced effective\-UID\. It is the real -+of the user but run with the authority of an enhanced effective\-UID\&. It is the real - \fIUID\fR --that is checked\. -+that is checked\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS -@@ -43,7 +201,7 @@ - The - \fIUID\fR - is --\fI0\fR\. -+\fI0\fR\&. - .RE - .PP - PAM_AUTH_ERR -@@ -52,32 +210,50 @@ - \fIUID\fR - is - \fBnot\fR --\fI0\fR\. -+\fI0\fR\&. - .RE - .SH "EXAMPLES" - .PP - In the case of the - \fBsu\fR(1) --application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password\. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the --\fI/etc/pam\.d/su\fR -+application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password\&. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the -+\FC/etc/pam\&.d/su\F[] - configuration file: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --# su authentication\. Root is granted access by default\. --auth sufficient pam_rootok\.so --auth required pam_unix\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+# su authentication\&. Root is granted access by default\&. -+auth sufficient pam_rootok\&.so -+auth required pam_unix\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBsu\fR(1), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_rootok was written by Andrew G\. Morgan, \. -+pam_rootok was written by Andrew G\&. Morgan, \&. ---- Linux-PAM-1.0.2-orig/modules/pam_securetty/pam_securetty.8 2008-04-16 11:07:52.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_securetty/pam_securetty.8 2009-01-20 11:59:41.000000000 +0100 -@@ -1,97 +1,273 @@ - .\" Title: pam_securetty --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_SECURETTY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_SECURETTY" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_securetty - Limit root login to special devices --.SH "SYNOPSIS" --.HP 17 --\fBpam_securetty\.so\fR [debug] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_securetty \- Limit root login to special devices -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_securetty\&.so\fR\ 'u -+\fBpam_securetty\&.so\fR [debug] -+.fam - .SH "DESCRIPTION" - .PP - pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in --\fI/etc/securetty\fR\. pam_securetty also checks to make sure that --\fI/etc/securetty\fR --is a plain file and not world writable\. -+\FC/etc/securetty\F[]\&. pam_securetty also checks to make sure that -+\FC/etc/securetty\F[] -+is a plain file and not world writable\&. - .PP - This module has no effect on non\-root users and requires that the application fills in the - \fBPAM_TTY\fR --item correctly\. -+item correctly\&. - .PP - For canonical usage, should be listed as a - \fBrequired\fR - authentication method before any - \fBsufficient\fR --authentication methods\. -+authentication methods\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBauth\fR --service is supported\. -+module type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --The user is allowed to continue authentication\. Either the user is not root, or the root user is trying to log in on an acceptable device\. -+The user is allowed to continue authentication\&. Either the user is not root, or the root user is trying to log in on an acceptable device\&. - .RE - .PP - PAM_AUTH_ERR - .RS 4 --Authentication is rejected\. Either root is attempting to log in via an unacceptable device, or the --\fI/etc/securetty\fR --file is world writable or not a normal file\. -+Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the -+\FC/etc/securetty\F[] -+file is world writable or not a normal file\&. - .RE - .PP - PAM_INCOMPLETE - .RS 4 --An application error occurred\. pam_securetty was not able to get information it required from the application that called it\. -+An application error occurred\&. pam_securetty was not able to get information it required from the application that called it\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 - An error occurred while the module was determining the user\'s name or tty, or the module could not open --\fI/etc/securetty\fR\. -+\FC/etc/securetty\F[]\&. - .RE - .PP --PAM_IGNORE -+PAM_USER_UNKNOWN - .RS 4 - The module could not find the user name in the --\fI/etc/passwd\fR --file to verify whether the user had a UID of 0\. Therefore, the results of running this module are ignored\. -+\FC/etc/passwd\F[] -+file to verify whether the user had a UID of 0\&. Therefore, the results of running this module are ignored\&. - .RE - .SH "EXAMPLES" - .PP - - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth required pam_securetty\.so --auth required pam_unix\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_securetty\&.so -+auth required pam_unix\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBsecuretty\fR(5), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_securetty was written by Elliot Lee \. -+pam_securetty was written by Elliot Lee \&. ---- Linux-PAM-1.0.2-orig/modules/pam_selinux/pam_selinux.8 2008-04-16 11:07:56.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_selinux/pam_selinux.8 2009-01-20 11:59:45.000000000 +0100 -@@ -1,95 +1,279 @@ - .\" Title: pam_selinux --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_SELINUX" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_SELINUX" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_selinux - PAM module to set the default security context --.SH "SYNOPSIS" --.HP 15 --\fBpam_selinux\.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_selinux \- PAM module to set the default security context -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_selinux\&.so\fR\ 'u -+\fBpam_selinux\&.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [env_params] [use_current_range] -+.fam - .SH "DESCRIPTION" - .PP --In a nutshell, pam_selinux sets up the default security context for the next execed shell\. -+In a nutshell, pam_selinux sets up the default security context for the next execed shell\&. - .PP --When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\. Also the controlling tty will have it\'s security context modified to match the users\. -+When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\&. Also the controlling tty will have it\'s security context modified to match the users\&. - .PP --Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\. The close and open option help mitigate this problem\. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\. You can add pam_selinux to the config file twice\. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\. When PAM executes the close pass through the modules pam_selinux close_session will happen first\. -+Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\&. The close and open option help mitigate this problem\&. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\&. You can add pam_selinux to the config file twice\&. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\&. When PAM executes the close pass through the modules pam_selinux close_session will happen first\&. - .SH "OPTIONS" - .PP - \fBclose\fR - .RS 4 --Only execute the close_session portion of the module\. -+Only execute the close_session portion of the module\&. - .RE - .PP - \fBdebug\fR - .RS 4 - Turns on debugging via --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBopen\fR - .RS 4 --Only execute the open_session portion of the module\. -+Only execute the open_session portion of the module\&. - .RE - .PP - \fBnottys\fR - .RS 4 --Do not try to setup the ttys security context\. -+Do not try to setup the ttys security context\&. - .RE - .PP - \fBverbose\fR - .RS 4 --attempt to inform the user when security context is set\. -+attempt to inform the user when security context is set\&. - .RE - .PP - \fBselect_context\fR - .RS 4 --Attempt to ask the user for a custom security context role\. If MLS is on ask also for sensitivity level\. -+Attempt to ask the user for a custom security context role\&. If MLS is on ask also for sensitivity level\&. -+.RE -+.PP -+\fBenv_params\fR -+.RS 4 -+Attempt to obtain a custom security context role from PAM environment\&. If MLS is on obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are -+\fISELINUX_ROLE_REQUESTED\fR, -+\fISELINUX_LEVEL_REQUESTED\fR, and -+\fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&. - .RE - .PP - \fBuse_current_range\fR - .RS 4 --Use the sensitivity range of the process for the user context\. This option and the select_context option are mutually exclusive\. -+Use the sensitivity level of the current process for the user context instead of the default level\&. Also supresses asking of the sensitivity level from the user or obtaining it from PAM environment\&. - .RE - .SH "MODULE SERVICES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+service is supported\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 --Unable to get or set a valid context\. -+Unable to get or set a valid context\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --The security context was set successfull\. -+The security context was set successfull\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --The user is not known to the system\. -+The user is not known to the system\&. - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth required pam_unix\.so --session required pam_permit\.so --session optional pam_selinux\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_unix\&.so -+session required pam_permit\&.so -+session optional pam_selinux\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - -@@ -98,4 +282,4 @@ - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_selinux was written by Dan Walsh \. -+pam_selinux was written by Dan Walsh \&. ---- Linux-PAM-1.0.2-orig/modules/pam_selinux/README 2008-04-16 11:07:55.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_selinux/README 2009-01-20 11:59:47.000000000 +0100 -@@ -48,10 +48,21 @@ - Attempt to ask the user for a custom security context role. If MLS is on - ask also for sensitivity level. - -+env_params -+ -+ Attempt to obtain a custom security context role from PAM environment. If -+ MLS is on obtain also sensitivity level. This option and the select_context -+ option are mutually exclusive. The respective PAM environment variables are -+ SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and -+ SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and -+ the last one if set to 1 makes the PAM module behave as if the -+ use_current_range was specified on the command line of the module. -+ - use_current_range - -- Use the sensitivity range of the process for the user context. This option -- and the select_context option are mutually exclusive. -+ Use the sensitivity level of the current process for the user context -+ instead of the default level. Also supresses asking of the sensitivity -+ level from the user or obtaining it from PAM environment. - - EXAMPLES - ---- Linux-PAM-1.0.2-orig/modules/pam_sepermit/pam_sepermit.8 2008-04-16 11:07:59.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_sepermit/pam_sepermit.8 2009-01-20 11:59:49.000000000 +0100 -@@ -1,104 +1,280 @@ - .\" Title: pam_sepermit --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_SEPERMIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_SEPERMIT" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_sepermit - PAM module to allow/deny login depending on SELinux enforcement state --.SH "SYNOPSIS" --.HP 16 --\fBpam_sepermit\.so\fR [debug] [conf=\fI/path/to/config/file\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_sepermit \- PAM module to allow/deny login depending on SELinux enforcement state -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_sepermit\&.so\fR\ 'u -+\fBpam_sepermit\&.so\fR [debug] [conf=\fI/path/to/config/file\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_sepermit module allows or denies login depending on SELinux enforcement state\. -+The pam_sepermit module allows or denies login depending on SELinux enforcement state\&. - .PP --When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode\. Otherwise he is denied access\. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value\. -+When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode\&. Otherwise he is denied access\&. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value\&. - .PP --The config file contains a simple list of user names one per line\. If the -+The config file contains a simple list of user names one per line\&. If the - \fIname\fR - is prefixed with - \fI@\fR - character it means that all users in the group - \fIname\fR --match\. If it is prefixed with a -+match\&. If it is prefixed with a - \fI%\fR - character the SELinux user is used to match against the - \fIname\fR --instead of the account name\. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined\. This means that such entries are never matched when SELinux is disabled and pam_sepermit will return PAM_IGNORE\. -+instead of the account name\&. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined\&. This means that such entries are never matched when SELinux is disabled and pam_sepermit will return PAM_IGNORE\&. - .PP - Each user name in the configuration file can have optional arguments separated by - \fI:\fR --character\. The only currently recognized argument is --\fIexclusive\fR\. The pam_sepermit module will allow only single concurrent user session for the user with this argument specified and it will attempt to kill all processes of the user after logout\. -+character\&. The only currently recognized argument is -+\fIexclusive\fR\&. The pam_sepermit module will allow only single concurrent user session for the user with this argument specified and it will attempt to kill all processes of the user after logout\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 - Turns on debugging via --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBconf=\fR\fB\fI/path/to/config/file\fR\fR - .RS 4 --Path to alternative config file overriding the default\. -+Path to alternative config file overriding the default\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --Only the -+The - \fBauth\fR - and - \fBaccount\fR --services are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 --SELinux is disabled or in the permissive mode and the user matches\. -+SELinux is disabled or in the permissive mode and the user matches\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --SELinux is in the enforcing mode and the user matches\. -+SELinux is in the enforcing mode and the user matches\&. - .RE - .PP - PAM_IGNORE - .RS 4 --The user does not match any entry in the config file\. -+The user does not match any entry in the config file\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --The module was unable to determine the user\'s name\. -+The module was unable to determine the user\'s name\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Error during reading or parsing the config file\. -+Error during reading or parsing the config file\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/sepermit\.conf\fR -+\FC/etc/security/sepermit\&.conf\F[] - .RS 4 - Default configuration file - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth [success=done ignore=ignore default=bad] pam_sepermit\.so --auth required pam_unix\.so --account required pam_unix\.so --session required pam_permit\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth [success=done ignore=ignore default=bad] pam_sepermit\&.so -+auth required pam_unix\&.so -+account required pam_unix\&.so -+session required pam_permit\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - -@@ -107,4 +283,4 @@ - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_sepermit was written by Tomas Mraz \. -+pam_sepermit was written by Tomas Mraz \&. ---- Linux-PAM-1.0.2-orig/modules/pam_shells/pam_shells.8 2008-04-16 11:08:01.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_shells/pam_shells.8 2009-01-20 11:59:52.000000000 +0100 -@@ -1,73 +1,249 @@ - .\" Title: pam_shells --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_SHELLS" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_SHELLS" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_shells - PAM module to check for valid login shell --.SH "SYNOPSIS" --.HP 14 --\fBpam_shells\.so\fR -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_shells \- PAM module to check for valid login shell -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_shells\&.so\fR\ 'u -+\fBpam_shells\&.so\fR -+.fam - .SH "DESCRIPTION" - .PP - pam_shells is a PAM module that only allows access to the system if the users shell is listed in --\fI/etc/shells\fR\. -+\FC/etc/shells\F[]\&. - .PP - It also checks if --\fI/etc/shells\fR --is a plain file and not world writable\. -+\FC/etc/shells\F[] -+is a plain file and not world writable\&. - .SH "OPTIONS" - .PP --This module does not recognise any options\. --.SH "MODULE SERVICES PROVIDED" -+This module does not recognise any options\&. -+.SH "MODULE TYPES PROVIDED" - .PP --The services -+The - \fBauth\fR - and - \fBaccount\fR --are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 --Access to the system was denied\. -+Access to the system was denied\&. - .RE - .PP - PAM_SUCCESS - .RS 4 - The users login shell was listed as valid shell in --\fI/etc/shells\fR\. -+\FC/etc/shells\F[]\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --The module was not able to get the name of the user\. -+The module was not able to get the name of the user\&. - .RE - .SH "EXAMPLES" - .PP - - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth required pam_shells\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_shells\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBshells\fR(5), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_shells was written by Erik Troan \. -+pam_shells was written by Erik Troan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_succeed_if/pam_succeed_if.8 2008-04-16 11:08:05.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_succeed_if/pam_succeed_if.8 2009-01-20 11:59:56.000000000 +0100 -@@ -1,25 +1,183 @@ - .\" Title: pam_succeed_if --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM - .\" Source: Linux-PAM -+.\" Language: English - .\" --.TH "PAM_SUCCEED_IF" "8" "04/16/2008" "Linux-PAM" "Linux\-PAM" -+.TH "PAM_SUCCEED_IF" "8" "01/20/2009" "Linux-PAM" "Linux\-PAM" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_succeed_if - test account characteristics --.SH "SYNOPSIS" --.HP 18 --\fBpam_succeed_if\.so\fR [\fIflag\fR...] [\fIcondition\fR...] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_succeed_if \- test account characteristics -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_succeed_if\&.so\fR\ 'u -+\fBpam_succeed_if\&.so\fR [\fIflag\fR...] [\fIcondition\fR...] -+.fam - .SH "DESCRIPTION" - .PP --pam_succeed_if\.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated\. One use is to select whether to load other modules based on this test\. -+pam_succeed_if\&.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated\&. One use is to select whether to load other modules based on this test\&. - .PP --The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\. -+The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\&. - .SH "OPTIONS" - .PP - The following -@@ -27,31 +185,31 @@ - .PP - \fBdebug\fR - .RS 4 --Turns on debugging messages sent to syslog\. -+Turns on debugging messages sent to syslog\&. - .RE - .PP - \fBuse_uid\fR - .RS 4 --Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\. -+Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. - .RE - .PP - \fBquiet\fR - .RS 4 --Don\'t log failure or success to the system log\. -+Don\'t log failure or success to the system log\&. - .RE - .PP - \fBquiet_fail\fR - .RS 4 --Don\'t log failure to the system log\. -+Don\'t log failure to the system log\&. - .RE - .PP - \fBquiet_success\fR - .RS 4 --Don\'t log success to the system log\. -+Don\'t log success to the system log\&. - .RE - .PP - --\fICondition\fRs are three words: a field, a test, and a value to test for\. -+\fICondition\fRs are three words: a field, a test, and a value to test for\&. - .PP - Available fields are - \fIuser\fR, -@@ -64,123 +222,163 @@ - .PP - \fBfield < number\fR - .RS 4 --Field has a value numerically less than number\. -+Field has a value numerically less than number\&. - .RE - .PP - \fBfield <= number\fR - .RS 4 --Field has a value numerically less than or equal to number\. -+Field has a value numerically less than or equal to number\&. - .RE - .PP - \fBfield eq number\fR - .RS 4 --Field has a value numerically equal to number\. -+Field has a value numerically equal to number\&. - .RE - .PP - \fBfield >= number\fR - .RS 4 --Field has a value numerically greater than or equal to number\. -+Field has a value numerically greater than or equal to number\&. - .RE - .PP - \fBfield > number\fR - .RS 4 --Field has a value numerically greater than number\. -+Field has a value numerically greater than number\&. - .RE - .PP - \fBfield ne number\fR - .RS 4 --Field has a value numerically different from number\. -+Field has a value numerically different from number\&. - .RE - .PP - \fBfield = string\fR - .RS 4 --Field exactly matches the given string\. -+Field exactly matches the given string\&. - .RE - .PP - \fBfield != string\fR - .RS 4 --Field does not match the given string\. -+Field does not match the given string\&. - .RE - .PP - \fBfield =~ glob\fR - .RS 4 --Field matches the given glob\. -+Field matches the given glob\&. - .RE - .PP - \fBfield !~ glob\fR - .RS 4 --Field does not match the given glob\. -+Field does not match the given glob\&. - .RE - .PP --\fBfield in item:item:\.\.\.\fR -+\fBfield in item:item:\&.\&.\&.\fR - .RS 4 --Field is contained in the list of items separated by colons\. -+Field is contained in the list of items separated by colons\&. - .RE - .PP --\fBfield notin item:item:\.\.\.\fR -+\fBfield notin item:item:\&.\&.\&.\fR - .RS 4 --Field is not contained in the list of items separated by colons\. -+Field is not contained in the list of items separated by colons\&. - .RE - .PP - \fBuser ingroup group\fR - .RS 4 --User is in given group\. -+User is in given group\&. - .RE - .PP - \fBuser notingroup group\fR - .RS 4 --User is not in given group\. -+User is not in given group\&. - .RE - .PP - \fBuser innetgr netgroup\fR - .RS 4 --(user,host) is in given netgroup\. -+(user,host) is in given netgroup\&. - .RE - .PP - \fBuser notinnetgr group\fR - .RS 4 --(user,host) is not in given netgroup\. -+(user,host) is not in given netgroup\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --All services are supported\. -+All module types (\fBaccount\fR, -+\fBauth\fR, -+\fBpassword\fR -+and -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --The condition was true\. -+The condition was true\&. - .RE - .PP - PAM_AUTH_ERR - .RS 4 --The condition was false\. -+The condition was false\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --A service error occured or the arguments can\'t be parsed as numbers\. -+A service error occured or the arguments can\'t be parsed correctly\&. - .RE - .SH "EXAMPLES" - .PP - To emulate the behaviour of - \fIpam_wheel\fR, except there is no fallback to group 0: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth required pam_succeed_if\.so quiet user ingroup wheel -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_succeed_if\&.so quiet user ingroup wheel - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .PP --Given that the type matches, only loads the othermodule rule if the UID is over 500\. Adjust the number after default to skip several rules\. -+Given that the type matches, only loads the othermodule rule if the UID is over 500\&. Adjust the number after default to skip several rules\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --type [default=1 success=ignore] pam_succeed_if\.so quiet uid > 500 --type required othermodule\.so arguments\.\.\. -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+type [default=1 success=ignore] pam_succeed_if\&.so quiet uid > 500 -+type required othermodule\&.so arguments\&.\&.\&. - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - -@@ -188,4 +386,4 @@ - \fBpam\fR(8) - .SH "AUTHOR" - .PP --Nalin Dahyabhai -+Nalin Dahyabhai ---- Linux-PAM-1.0.2-orig/modules/pam_tally/pam_tally.8 2008-04-16 11:08:10.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_tally/pam_tally.8 2009-01-20 11:59:59.000000000 +0100 -@@ -1,34 +1,194 @@ - .\" Title: pam_tally --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_TALLY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_TALLY" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_tally - The login counter (tallying) module --.SH "SYNOPSIS" --.HP 13 --\fBpam_tally\.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] --.HP 10 -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_tally \- The login counter (tallying) module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_tally\&.so\fR\ 'u -+\fBpam_tally\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] [silent] [no_log_info] -+.fam -+.fam C -+.HP \w'\fBpam_tally\fR\ 'u - \fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] -+.fam - .SH "DESCRIPTION" - .PP --This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\. -+This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. - .PP - pam_tally comes in two parts: --\fBpam_tally\.so\fR -+\fBpam_tally\&.so\fR - and --\fBpam_tally\fR\. The former is the PAM module and the latter, a stand\-alone program\. -+\fBpam_tally\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. - \fBpam_tally\fR --is an (optional) application which can be used to interrogate and manipulate the counter file\. It can display users\' counts, set individual counts, or clear all counts\. Setting artificially high counts may be useful for blocking users without changing their passwords\. For example, one might find it useful to clear all counts every midnight from a cron job\. The -+is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. The - \fBfaillog\fR(8) --command can be used instead of pam_tally to to maintain the counter file\. -+command can be used instead of pam_tally to to maintain the counter file\&. - .PP - Normally, failed attempts to access - \fIroot\fR -@@ -36,7 +196,7 @@ - \fBnot\fR - cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via - \fBsu\fR --or at the machine console (not telnet/rsh, etc), this is safe\. -+or at the machine console (not telnet/rsh, etc), this is safe\&. - .SH "OPTIONS" - .PP - GLOBAL OPTIONS -@@ -45,7 +205,7 @@ - \fIauth\fR - and - \fIaccount\fR --services\. -+module types\&. - .PP - \fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR - .RS 4 -@@ -53,85 +213,96 @@ - \fBPAM_SUCESS\fR - if - \fBonerr=\fR\fB\fIsucceed\fR\fR --is given, else with the corresponding PAM error code\. -+is given, else with the corresponding PAM error code\&. - .RE - .PP - \fBfile=\fR\fB\fI/path/to/counter\fR\fR - .RS 4 --File where to keep counts\. Default is --\fI/var/log/faillog\fR\. -+File where to keep counts\&. Default is -+\FC/var/log/faillog\F[]\&. - .RE - .PP - \fBaudit\fR - .RS 4 --Will log the user name into the system log if the user is not found\. -+Will log the user name into the system log if the user is not found\&. -+.RE -+.PP -+\fBsilent\fR -+.RS 4 -+Don\'t print informative messages\&. -+.RE -+.PP -+\fBno_log_info\fR -+.RS 4 -+Don\'t log informative messages via -+\fBsyslog\fR(3)\&. - .RE - .RE - .PP - AUTH OPTIONS - .RS 4 --Authentication phase first checks if user should be denied access and if not it increments attempted login counter\. Then on call to -+Authentication phase first checks if user should be denied access and if not it increments attempted login counter\&. Then on call to - \fBpam_setcred\fR(3) --it resets the attempts counter\. -+it resets the attempts counter\&. - .PP - \fBdeny=\fR\fB\fIn\fR\fR - .RS 4 - Deny access if tally for this user exceeds --\fIn\fR\. -+\fIn\fR\&. - .RE - .PP - \fBlock_time=\fR\fB\fIn\fR\fR - .RS 4 - Always deny for - \fIn\fR --seconds after failed attempt\. -+seconds after failed attempt\&. - .RE - .PP - \fBunlock_time=\fR\fB\fIn\fR\fR - .RS 4 - Allow access after - \fIn\fR --seconds after failed attempt\. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\. -+seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. - .RE - .PP - \fBmagic_root\fR - .RS 4 --If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like --\fBsu\fR, otherwise this argument should be omitted\. -+If the module is invoked by a user with uid=0 the counter is not incremented\&. The sys\-admin should use this for user launched services, like -+\fBsu\fR, otherwise this argument should be omitted\&. - .RE - .PP - \fBno_lock_time\fR - .RS 4 --Do not use the \.fail_locktime field in --\fI/var/log/faillog\fR --for this user\. -+Do not use the \&.fail_locktime field in -+\FC/var/log/faillog\F[] -+for this user\&. - .RE - .PP - \fBno_reset\fR - .RS 4 --Don\'t reset count on successful entry, only decrement\. -+Don\'t reset count on successful entry, only decrement\&. - .RE - .PP - \fBeven_deny_root_account\fR - .RS 4 --Root account can become unavailable\. -+Root account can become unavailable\&. - .RE - .PP - \fBper_user\fR - .RS 4 - If --\fI/var/log/faillog\fR --contains a non\-zero \.fail_max/\.fail_locktime field for this user then use it instead of -+\FC/var/log/faillog\F[] -+contains a non\-zero \&.fail_max/\&.fail_locktime field for this user then use it instead of - \fBdeny=\fR\fB\fIn\fR\fR/ - \fBlock_time=\fR\fB\fIn\fR\fR --parameter\. -+parameter\&. - .RE - .PP - \fBno_lock_time\fR - .RS 4 --Don\'t use \.fail_locktime filed in --\fI/var/log/faillog\fR --for this user\. -+Don\'t use \&.fail_locktime filed in -+\FC/var/log/faillog\F[] -+for this user\&. - .RE - .RE - .PP -@@ -139,73 +310,91 @@ - .RS 4 - Account phase resets attempts counter if the user is - \fBnot\fR --magic root\. This phase can be used optionaly for services which don\'t call -+magic root\&. This phase can be used optionaly for services which don\'t call - \fBpam_setcred\fR(3) --correctly or if the reset should be done regardless of the failure of the account phase of other modules\. -+correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. - .PP - \fBmagic_root\fR - .RS 4 --If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like --\fBsu\fR, otherwise this argument should be omitted\. -+If the module is invoked by a user with uid=0 the counter is not incremented\&. The sys\-admin should use this for user launched services, like -+\fBsu\fR, otherwise this argument should be omitted\&. - .RE - .PP - \fBno_reset\fR - .RS 4 --Don\'t reset count on successful entry, only decrement\. -+Don\'t reset count on successful entry, only decrement\&. - .RE - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - The - \fBauth\fR - and - \fBaccount\fR --services are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 --A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\. -+A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Everything was successfull\. -+Everything was successfull\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/login\fR --to lock the account after too many failed logins\. The number of allowed fails is specified by --\fI/var/log/faillog\fR -+\FC/etc/pam\&.d/login\F[] -+to lock the account after too many failed logins\&. The number of allowed fails is specified by -+\FC/var/log/faillog\F[] - and needs to be set with pam_tally or - \fBfaillog\fR(8) --before\. -+before\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth required pam_securetty\.so --auth required pam_tally\.so per_user --auth required pam_env\.so --auth required pam_unix\.so --auth required pam_nologin\.so --account required pam_unix\.so --password required pam_unix\.so --session required pam_limits\.so --session required pam_unix\.so --session required pam_lastlog\.so nowtmp --session optional pam_mail\.so standard -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_securetty\&.so -+auth required pam_tally\&.so per_user -+auth required pam_env\&.so -+auth required pam_unix\&.so -+auth required pam_nologin\&.so -+account required pam_unix\&.so -+password required pam_unix\&.so -+session required pam_limits\&.so -+session required pam_unix\&.so -+session required pam_lastlog\&.so nowtmp -+session optional pam_mail\&.so standard - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "FILES" - .PP --\fI/var/log/faillog\fR -+\FC/var/log/faillog\F[] - .RS 4 - failure logging file - .RE -@@ -214,8 +403,8 @@ - - \fBfaillog\fR(8), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_tally was written by Tim Baverstock and Tomas Mraz\. -+pam_tally was written by Tim Baverstock and Tomas Mraz\&. ---- Linux-PAM-1.0.2-orig/modules/pam_tally/README 2008-04-16 11:08:11.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_tally/README 2009-01-20 12:00:01.000000000 +0100 -@@ -25,7 +25,7 @@ - - GLOBAL OPTIONS - -- This can be used for auth and account services. -+ This can be used for auth and account module types. - - onerr=[fail|succeed] - -@@ -41,6 +41,14 @@ - - Will log the user name into the system log if the user is not found. - -+ silent -+ -+ Don't print informative messages. -+ -+ no_log_info -+ -+ Don't log informative messages via syslog(3). -+ - AUTH OPTIONS - - Authentication phase first checks if user should be denied access and if ---- Linux-PAM-1.0.2-orig/modules/pam_tally2/pam_tally2.8 1970-01-01 01:00:00.000000000 +0100 -+++ Linux-PAM-1.0.2/modules/pam_tally2/pam_tally2.8 2009-01-20 12:00:03.000000000 +0100 -@@ -0,0 +1,402 @@ -+.\" Title: pam_tally2 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 -+.\" Manual: Linux-PAM Manual -+.\" Source: Linux-PAM Manual -+.\" Language: English -+.\" -+.TH "PAM_TALLY2" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- -+.\" disable hyphenation -+.nh -+.\" disable justification (adjust text to left margin only) -+.ad l -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_tally2 \- The login counter (tallying) module -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_tally2\&.so\fR\ 'u -+\fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [audit] [silent] [no_log_info] -+.fam -+.fam C -+.HP \w'\fBpam_tally2\fR\ 'u -+\fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] -+.fam -+.SH "DESCRIPTION" -+.PP -+This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. -+.PP -+pam_tally2 comes in two parts: -+\fBpam_tally2\&.so\fR -+and -+\fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. -+\fBpam_tally2\fR -+is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. -+.PP -+Normally, failed attempts to access -+\fIroot\fR -+will -+\fBnot\fR -+cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via -+\fBsu\fR -+or at the machine console (not telnet/rsh, etc), this is safe\&. -+.SH "OPTIONS" -+.PP -+GLOBAL OPTIONS -+.RS 4 -+This can be used for -+\fIauth\fR -+and -+\fIaccount\fR -+module types\&. -+.PP -+\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR -+.RS 4 -+If something weird happens (like unable to open the file), return with -+\fBPAM_SUCESS\fR -+if -+\fBonerr=\fR\fB\fIsucceed\fR\fR -+is given, else with the corresponding PAM error code\&. -+.RE -+.PP -+\fBfile=\fR\fB\fI/path/to/counter\fR\fR -+.RS 4 -+File where to keep counts\&. Default is -+\FC/var/log/tallylog\F[]\&. -+.RE -+.PP -+\fBaudit\fR -+.RS 4 -+Will log the user name into the system log if the user is not found\&. -+.RE -+.PP -+\fBsilent\fR -+.RS 4 -+Don\'t print informative messages\&. -+.RE -+.PP -+\fBno_log_info\fR -+.RS 4 -+Don\'t log informative messages via -+\fBsyslog\fR(3)\&. -+.RE -+.RE -+.PP -+AUTH OPTIONS -+.RS 4 -+Authentication phase first increments attempted login counter and checks if user should be denied access\&. If the user is authenticated and the login process continues on call to -+\fBpam_setcred\fR(3) -+it resets the attempts counter\&. -+.PP -+\fBdeny=\fR\fB\fIn\fR\fR -+.RS 4 -+Deny access if tally for this user exceeds -+\fIn\fR\&. -+.RE -+.PP -+\fBlock_time=\fR\fB\fIn\fR\fR -+.RS 4 -+Always deny for -+\fIn\fR -+seconds after failed attempt\&. -+.RE -+.PP -+\fBunlock_time=\fR\fB\fIn\fR\fR -+.RS 4 -+Allow access after -+\fIn\fR -+seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. -+.RE -+.PP -+\fBmagic_root\fR -+.RS 4 -+If the module is invoked by a user with uid=0 the counter is not incremented\&. The sys\-admin should use this for user launched services, like -+\fBsu\fR, otherwise this argument should be omitted\&. -+.RE -+.PP -+\fBno_lock_time\fR -+.RS 4 -+Do not use the \&.fail_locktime field in -+\FC/var/log/faillog\F[] -+for this user\&. -+.RE -+.PP -+\fBno_reset\fR -+.RS 4 -+Don\'t reset count on successful entry, only decrement\&. -+.RE -+.PP -+\fBeven_deny_root\fR -+.RS 4 -+Root account can become unavailable\&. -+.RE -+.PP -+\fBroot_unlock_time=\fR\fB\fIn\fR\fR -+.RS 4 -+This option implies -+\fBeven_deny_root\fR -+option\&. Allow access after -+\fIn\fR -+seconds to root acccount after failed attempt\&. If this option is used the root user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. -+.RE -+.RE -+.PP -+ACCOUNT OPTIONS -+.RS 4 -+Account phase resets attempts counter if the user is -+\fBnot\fR -+magic root\&. This phase can be used optionaly for services which don\'t call -+\fBpam_setcred\fR(3) -+correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. -+.PP -+\fBmagic_root\fR -+.RS 4 -+If the module is invoked by a user with uid=0 the counter is not changed\&. The sys\-admin should use this for user launched services, like -+\fBsu\fR, otherwise this argument should be omitted\&. -+.RE -+.RE -+.SH "MODULE TYPES PROVIDED" -+.PP -+The -+\fBauth\fR -+and -+\fBaccount\fR -+module types are provided\&. -+.SH "RETURN VALUES" -+.PP -+PAM_AUTH_ERR -+.RS 4 -+A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\&. -+.RE -+.PP -+PAM_SUCCESS -+.RS 4 -+Everything was successfull\&. -+.RE -+.PP -+PAM_USER_UNKNOWN -+.RS 4 -+User not known\&. -+.RE -+.SH "NOTES" -+.PP -+pam_tally2 is not compatible with the old pam_tally faillog file format\&. This is caused by requirement of compatibility of the tallylog file format between 32bit and 64bit architectures on multiarch systems\&. -+.PP -+There is no setuid wrapper for access to the data file such as when the -+\fBpam_tally2\&.so\fR -+module is called from xscreensaver\&. As this would make it impossible to share PAM configuration with such services the following workaround is used: If the data file cannot be opened because of insufficient permissions (\fBEPERM\fR) the module returns -+\fBPAM_IGNORE\fR\&. -+.SH "EXAMPLES" -+.PP -+Add the following line to -+\FC/etc/pam\&.d/login\F[] -+to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the -+\fBlogin\fR -+calls -+\fBpam_setcred\fR(3) -+correctly\&. -+.sp -+.if n \{\ -+.RS 4 -+.\} -+.fam C -+.ps -1 -+.nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth required pam_securetty\&.so -+auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200 -+auth required pam_env\&.so -+auth required pam_unix\&.so -+auth required pam_nologin\&.so -+account required pam_unix\&.so -+password required pam_unix\&.so -+session required pam_limits\&.so -+session required pam_unix\&.so -+session required pam_lastlog\&.so nowtmp -+session optional pam_mail\&.so standard -+ -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} -+.fi -+.fam -+.ps +1 -+.if n \{\ -+.RE -+.\} -+.SH "FILES" -+.PP -+\FC/var/log/tallylog\F[] -+.RS 4 -+failure count logging file -+.RE -+.SH "SEE ALSO" -+.PP -+ -+\fBpam.conf\fR(5), -+\fBpam.d\fR(5), -+\fBpam\fR(8) -+.SH "AUTHOR" -+.PP -+pam_tally was written by Tim Baverstock and Tomas Mraz\&. ---- Linux-PAM-1.0.2-orig/modules/pam_tally2/README 1970-01-01 01:00:00.000000000 +0100 -+++ Linux-PAM-1.0.2/modules/pam_tally2/README 2009-01-20 12:00:06.000000000 +0100 -@@ -0,0 +1,146 @@ -+pam_tally2 — The login counter (tallying) module -+ -+â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -+ -+DESCRIPTION -+ -+This module maintains a count of attempted accesses, can reset count on -+success, can deny access if too many attempts fail. -+ -+pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the -+PAM module and the latter, a stand-alone program. pam_tally2 is an (optional) -+application which can be used to interrogate and manipulate the counter file. -+It can display users' counts, set individual counts, or clear all counts. -+Setting artificially high counts may be useful for blocking users without -+changing their passwords. For example, one might find it useful to clear all -+counts every midnight from a cron job. -+ -+Normally, failed attempts to access root will not cause the root account to -+become blocked, to prevent denial-of-service: if your users aren't given shell -+accounts and root may only login via su or at the machine console (not telnet/ -+rsh, etc), this is safe. -+ -+OPTIONS -+ -+GLOBAL OPTIONS -+ -+ This can be used for auth and account module types. -+ -+ onerr=[fail|succeed] -+ -+ If something weird happens (like unable to open the file), return with -+ PAM_SUCESS if onerr=succeed is given, else with the corresponding PAM -+ error code. -+ -+ file=/path/to/counter -+ -+ File where to keep counts. Default is /var/log/tallylog. -+ -+ audit -+ -+ Will log the user name into the system log if the user is not found. -+ -+ silent -+ -+ Don't print informative messages. -+ -+ no_log_info -+ -+ Don't log informative messages via syslog(3). -+ -+AUTH OPTIONS -+ -+ Authentication phase first increments attempted login counter and checks if -+ user should be denied access. If the user is authenticated and the login -+ process continues on call to pam_setcred(3) it resets the attempts counter. -+ -+ deny=n -+ -+ Deny access if tally for this user exceeds n. -+ -+ lock_time=n -+ -+ Always deny for n seconds after failed attempt. -+ -+ unlock_time=n -+ -+ Allow access after n seconds after failed attempt. If this option is -+ used the user will be locked out for the specified amount of time after -+ he exceeded his maximum allowed attempts. Otherwise the account is -+ locked until the lock is removed by a manual intervention of the system -+ administrator. -+ -+ magic_root -+ -+ If the module is invoked by a user with uid=0 the counter is not -+ incremented. The sys-admin should use this for user launched services, -+ like su, otherwise this argument should be omitted. -+ -+ no_lock_time -+ -+ Do not use the .fail_locktime field in /var/log/faillog for this user. -+ -+ no_reset -+ -+ Don't reset count on successful entry, only decrement. -+ -+ even_deny_root -+ -+ Root account can become unavailable. -+ -+ root_unlock_time=n -+ -+ This option implies even_deny_root option. Allow access after n seconds -+ to root acccount after failed attempt. If this option is used the root -+ user will be locked out for the specified amount of time after he -+ exceeded his maximum allowed attempts. -+ -+ACCOUNT OPTIONS -+ -+ Account phase resets attempts counter if the user is not magic root. This -+ phase can be used optionaly for services which don't call pam_setcred(3) -+ correctly or if the reset should be done regardless of the failure of the -+ account phase of other modules. -+ -+ magic_root -+ -+ If the module is invoked by a user with uid=0 the counter is not -+ changed. The sys-admin should use this for user launched services, like -+ su, otherwise this argument should be omitted. -+ -+NOTES -+ -+pam_tally2 is not compatible with the old pam_tally faillog file format. This -+is caused by requirement of compatibility of the tallylog file format between -+32bit and 64bit architectures on multiarch systems. -+ -+There is no setuid wrapper for access to the data file such as when the -+pam_tally2.so module is called from xscreensaver. As this would make it -+impossible to share PAM configuration with such services the following -+workaround is used: If the data file cannot be opened because of insufficient -+permissions (EPERM) the module returns PAM_IGNORE. -+ -+EXAMPLES -+ -+Add the following line to /etc/pam.d/login to lock the account after 4 failed -+logins. Root account will be locked as well. The accounts will be automatically -+unlocked after 20 minutes. The module does not have to be called in the account -+phase because the login calls pam_setcred(3) correctly. -+ -+auth required pam_securetty.so -+auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200 -+auth required pam_env.so -+auth required pam_unix.so -+auth required pam_nologin.so -+account required pam_unix.so -+password required pam_unix.so -+session required pam_limits.so -+session required pam_unix.so -+session required pam_lastlog.so nowtmp -+session optional pam_mail.so standard -+ -+ -+AUTHOR -+ -+pam_tally was written by Tim Baverstock and Tomas Mraz. -+ ---- Linux-PAM-1.0.2-orig/modules/pam_time/pam_time.8 2008-04-16 11:08:15.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_time/pam_time.8 2009-01-20 12:00:08.000000000 +0100 -@@ -1,95 +1,271 @@ - .\" Title: pam_time --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_TIME" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_TIME" "8" "01/20/2009" "Linux-PAM Manual" "Linux-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_time - PAM module for time control access --.SH "SYNOPSIS" --.HP 12 --\fBpam_time\.so\fR [debug] [noaudit] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_time \- PAM module for time control access -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_time\&.so\fR\ 'u -+\fBpam_time\&.so\fR [debug] [noaudit] -+.fam - .SH "DESCRIPTION" - .PP --The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\. -+The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\&. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\&. - .PP - By default rules for time/port access are taken from config file --\fI/etc/security/time\.conf\fR\. -+\FC/etc/security/time\&.conf\F[]\&. - .PP --If Linux PAM is compiled with audit support the module will report when it denies access\. -+If Linux PAM is compiled with audit support the module will report when it denies access\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 - Some debug informations are printed with --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBnoaudit\fR - .RS 4 --Do not report logins at disallowed time to the audit subsystem\. -+Do not report logins at disallowed time to the audit subsystem\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBaccount\fR --service is supported\. -+type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_SUCCESS - .RS 4 --Access was granted\. -+Access was granted\&. - .RE - .PP - PAM_ABORT - .RS 4 --Not all relevant data could be gotten\. -+Not all relevant data could be gotten\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_PERM_DENIED - .RS 4 --Access was not granted\. -+Access was not granted\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --The user is not known to the system\. -+The user is not known to the system\&. - .RE - .SH "FILES" - .PP --\fI/etc/security/time\.conf\fR -+\FC/etc/security/time\&.conf\F[] - .RS 4 - Default configuration file - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # - # apply pam_time accounting to login requests - # --login account required pam_time\.so -+login account required pam_time\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBtime.conf\fR(5), --\fBpam.d\fR(8), --\fBpam\fR(8)\. -+\fBpam.d\fR(5), -+\fBpam\fR(8)\&. - .SH "AUTHOR" - .PP --pam_time was written by Andrew G\. Morgan \. -+pam_time was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_tty_audit/pam_tty_audit.8 2008-04-16 11:08:21.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_tty_audit/pam_tty_audit.8 2009-01-20 12:00:11.000000000 +0100 -@@ -1,80 +1,256 @@ - .\" Title: pam_tty_audit --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_TTY_AUDIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_TTY_AUDIT" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_tty_audit - Enable or disable TTY auditing for specified users --.SH "SYNOPSIS" --.HP 17 --\fBpam_tty_audit\.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_tty_audit \- Enable or disable TTY auditing for specified users -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_tty_audit\&.so\fR\ 'u -+\fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_tty_audit PAM module is used to enable or disable TTY auditing\. By default, the kernel does not audit input on any TTY\. -+The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&. - .SH "OPTIONS" - .PP - \fBdisable=\fR\fB\fIpatterns\fR\fR - .RS 4 - For each user matching one of comma\-separated glob --\fB\fIpatterns\fR\fR, disable TTY auditing\. This overrides any previous -+\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous - \fBenable\fR --option matchin the same user name on the command line\. -+option matchin the same user name on the command line\&. - .RE - .PP - \fBenable=\fR\fB\fIpatterns\fR\fR - .RS 4 - For each user matching one of comma\-separated glob --\fB\fIpatterns\fR\fR, enable TTY auditing\. This overrides any previous -+\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous - \fBdisable\fR --option matching the same user name on the command line\. -+option matching the same user name on the command line\&. - .RE - .PP - \fBopen_only\fR - .RS 4 --Set the TTY audit flag when opening the session, but do not restore it when closing the session\. Using this option is necessary for some services that don\'t -+Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\'t - \fBfork()\fR - to run the authenticated session, such as --\fBsudo\fR\. -+\fBsudo\fR\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+type is supported\&. - .SH "RETURN VALUES" - .PP - PAM_SESSION_ERR - .RS 4 --Error reading or modifying the TTY audit flag\. See the system log for more details\. -+Error reading or modifying the TTY audit flag\&. See the system log for more details\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Success\. -+Success\&. - .RE - .SH "NOTES" - .PP --When TTY auditing is enabled, it is inherited by all processes started by that user\. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\. Therefore, it is recommended to use -+When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use - \fBdisable=*\fR --as the first option for most daemons using PAM\. -+as the first option for most daemons using PAM\&. - .SH "EXAMPLES" - .PP --Audit all administrative actions\. -+Audit all administrative actions\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --session required pam_tty_audit\.so disable=* enable=root -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+session required pam_tty_audit\&.so disable=* enable=root - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "AUTHOR" - .PP --pam_tty_audit was written by Miloslav TrmaÄ \. -+pam_tty_audit was written by Miloslav TrmaÄ \&. ---- Linux-PAM-1.0.2-orig/modules/pam_umask/pam_umask.8 2008-04-16 11:08:27.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_umask/pam_umask.8 2009-01-20 12:00:14.000000000 +0100 -@@ -1,48 +1,248 @@ - .\" Title: pam_umask --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_UMASK" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_UMASK" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_umask - PAM module to set the file mode creation mask --.SH "SYNOPSIS" --.HP 13 --\fBpam_umask\.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_umask \- PAM module to set the file mode creation mask -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_umask\&.so\fR\ 'u -+\fBpam_umask\&.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] -+.fam - .SH "DESCRIPTION" - .PP --pam_umask is a PAM module to set the file mode creation mask of the current environment\. The umask affects the default permissions assigned to newly created files\. -+pam_umask is a PAM module to set the file mode creation mask of the current environment\&. The umask affects the default permissions assigned to newly created files\&. - .PP - The PAM module tries to get the umask value from the following places in the following order: - .sp - .RS 4 --\h'-04'\(bu\h'+03'umask= argument -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+umask= argument - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'umask= entry of the users GECOS field -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+umask= entry of the users GECOS field - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'pri= entry of the users GECOS field -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+pri= entry of the users GECOS field - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'ulimit= entry of the users GECOS field -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ulimit= entry of the users GECOS field - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'UMASK= entry from /etc/default/login -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+UMASK= entry from /etc/default/login - .RE - .sp - .RS 4 --\h'-04'\(bu\h'+03'UMASK entry from /etc/login\.defs -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+UMASK entry from /etc/login\&.defs - .RE - .sp - .RE -@@ -51,66 +251,84 @@ - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBsilent\fR - .RS 4 --Don\'t print informative messages\. -+Don\'t print informative messages\&. - .RE - .PP - \fBusergroups\fR - .RS 4 --If the user is not root, and the user ID is equal to the group ID, and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\. -+If the user is not root, and the user ID is equal to the group ID, and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. - .RE - .PP - \fBumask=\fR\fB\fImask\fR\fR - .RS 4 - Sets the calling process\'s file mode creation mask (umask) to - \fBmask\fR --& 0777\. The value is interpreted as Octal\. -+& 0777\&. The value is interpreted as Octal\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+type is provided\&. - .SH "RETURN VALUES" - .PP - .PP - PAM_SUCCESS - .RS 4 --The new umask was set successfull\. -+The new umask was set successfull\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --No username was given\. -+No username was given\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - to set the user specific umask at login: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -- session optional pam_umask\.so umask=0022 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+ session optional pam_umask\&.so umask=0022 - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_umask was written by Thorsten Kukuk \. -+pam_umask was written by Thorsten Kukuk \&. ---- Linux-PAM-1.0.2-orig/modules/pam_unix/pam_unix.8 2008-04-16 11:08:40.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_unix/pam_unix.8 2009-01-20 12:00:24.000000000 +0100 -@@ -1,85 +1,243 @@ - .\" Title: pam_unix --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_UNIX" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_UNIX" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_unix - Module for traditional password authentication --.SH "SYNOPSIS" --.HP 12 --\fBpam_unix\.so\fR [\.\.\.] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_unix \- Module for traditional password authentication -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_unix\&.so\fR\ 'u -+\fBpam_unix\&.so\fR [\&.\&.\&.] -+.fam - .SH "DESCRIPTION" - .PP --This is the standard Unix authentication module\. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\. -+This is the standard Unix authentication module\&. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&. - .PP - The account component performs the task of establishing the status of the user\'s account and password based on the following - \fIshadow\fR --elements: expire, last_change, max_change, min_change, warn_change\. In the case of the latter, it may offer advice to the user on changing their password or, through the -+elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the - \fBPAM_AUTHTOKEN_REQD\fR --return, delay giving service to the user until they have established a new password\. The entries listed above are documented in the -+return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the - \fBshadow\fR(5) --manual page\. Should the user\'s record not contain one or more of these entries, the corresponding -+manual page\&. Should the user\'s record not contain one or more of these entries, the corresponding - \fIshadow\fR --check is not performed\. -+check is not performed\&. - .PP --The authentication component performs the task of checking the users credentials (password)\. The default action of this module is to not permit the user access to a service if their official password is blank\. -+The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&. - .PP - A helper binary, --\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\. This binary is very simple and will only check the password of the user invoking it\. It is called transparently on behalf of the user by the authenticating component of this module\. In this way it is possible for applications like -+\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like - \fBxlock\fR(1) --to work without being setuid\-root\. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was --\fBfork()\fRd\. The -+to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was -+\fBfork()\fRd\&. The - \fBnoreap\fR --module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\. -+module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. - .PP --The password component of this module performs the task of updating the user\'s password\. -+The password component of this module performs the task of updating the user\'s password\&. - .PP --The session component of this module logs when a user logins or leave the system\. -+The session component of this module logs when a user logins or leave the system\&. - .PP --Remaining arguments, supported by others functions of this module, are silently ignored\. Other arguments are logged as errors through --\fBsyslog\fR(3)\. -+Remaining arguments, supported by others functions of this module, are silently ignored\&. Other arguments are logged as errors through -+\fBsyslog\fR(3)\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 - Turns on debugging via --\fBsyslog\fR(3)\. -+\fBsyslog\fR(3)\&. - .RE - .PP - \fBaudit\fR - .RS 4 --A little more extreme than debug\. -+A little more extreme than debug\&. - .RE - .PP - \fBnullok\fR - .RS 4 --The default action of this module is to not permit the user access to a service if their official password is blank\. The -+The default action of this module is to not permit the user access to a service if their official password is blank\&. The - \fBnullok\fR --argument overrides this default\. -+argument overrides this default\&. - .RE - .PP - \fBtry_first_pass\fR - .RS 4 --Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\. -+Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\&. - .RE - .PP - \fBuse_first_pass\fR - .RS 4 - The argument - \fBuse_first_pass\fR --forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\. -+forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. - .RE - .PP - \fBnodelay\fR - .RS 4 --This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\. The default action is for the module to request a delay\-on\-failure of the order of two second\. -+This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. - .RE - .PP - \fBuse_authtok\fR -@@ -88,17 +246,17 @@ - \fBpassword\fR - module (this is used in the example of the stacking of the - \fBpam_cracklib\fR --module documented above)\. -+module documented above)\&. - .RE - .PP - \fBnot_set_pass\fR - .RS 4 --This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\. -+This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\&. - .RE - .PP - \fBnis\fR - .RS 4 --NIS RPC is used for setting new passwords\. -+NIS RPC is used for setting new passwords\&. - .RE - .PP - \fBremember=\fR\fB\fIn\fR\fR -@@ -106,84 +264,106 @@ - The last - \fIn\fR - passwords for each user are saved in --\fI/etc/security/opasswd\fR --in order to force password change history and keep the user from alternating between the same password too frequently\. -+\FC/etc/security/opasswd\F[] -+in order to force password change history and keep the user from alternating between the same password too frequently\&. - .RE - .PP - \fBshadow\fR - .RS 4 --Try to maintain a shadow based system\. -+Try to maintain a shadow based system\&. - .RE - .PP - \fBmd5\fR - .RS 4 --When a user changes their password next, encrypt it with the MD5 algorithm\. -+When a user changes their password next, encrypt it with the MD5 algorithm\&. - .RE - .PP - \fBbigcrypt\fR - .RS 4 --When a user changes their password next, encrypt it with the DEC C2 algorithm\. -+When a user changes their password next, encrypt it with the DEC C2 algorithm\&. - .RE - .PP - \fBsha256\fR - .RS 4 --When a user changes their password next, encrypt it with the SHA256 algorithm\. If the SHA256 algorithm is not known to the libcrypt, fall back to MD5\. -+When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the libcrypt, fall back to MD5\&. - .RE - .PP - \fBsha512\fR - .RS 4 --When a user changes their password next, encrypt it with the SHA512 algorithm\. If the SHA512 algorithm is not known to the libcrypt, fall back to MD5\. -+When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the libcrypt, fall back to MD5\&. - .RE - .PP - \fBrounds=\fR\fB\fIn\fR\fR - .RS 4 - Set the optional number of rounds of the SHA256 and SHA512 password hashing algorithms to --\fIn\fR\. -+\fIn\fR\&. - .RE - .PP - \fBbroken_shadow\fR - .RS 4 --Ignore errors reading shadow inforation for users in the account management module\. -+Ignore errors reading shadow inforation for users in the account management module\&. - .RE - .PP - Invalid arguments are logged with --\fBsyslog\fR(3)\. --.SH "MODULE SERVICES PROVIDED" -+\fBsyslog\fR(3)\&. -+.SH "MODULE TYPES PROVIDED" - .PP --All service are supported\. -+All module types (\fBaccount\fR, -+\fBauth\fR, -+\fBpassword\fR -+and -+\fBsession\fR) are provided\&. - .SH "RETURN VALUES" - .PP - PAM_IGNORE - .RS 4 --Ignore this module\. -+Ignore this module\&. - .RE - .SH "EXAMPLES" - .PP - An example usage for --\fI/etc/pam\.d/login\fR -+\FC/etc/pam\&.d/login\F[] - would be: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ - # Authenticate the user --auth required pam_unix\.so -+auth required pam_unix\&.so - # Ensure users account and password are still active --account required pam_unix\.so -+account required pam_unix\&.so - # Change the users password, but at first check the strength - # with pam_cracklib(8) --password required pam_cracklib\.so retry=3 minlen=6 difok=3 --password required pam_unix\.so use_authtok nullok md5 --session required pam_unix\.so -+password required pam_cracklib\&.so retry=3 minlen=6 difok=3 -+password required pam_unix\&.so use_authtok nullok md5 -+session required pam_unix\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_unix was written by various people\. -+pam_unix was written by various people\&. ---- Linux-PAM-1.0.2-orig/modules/pam_userdb/pam_userdb.8 2008-04-16 11:08:48.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_userdb/pam_userdb.8 2009-01-20 12:00:28.000000000 +0100 -@@ -1,136 +1,312 @@ - .\" Title: pam_userdb --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_USERDB" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_USERDB" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_userdb - PAM module to authenticate against a db database --.SH "SYNOPSIS" --.HP 14 --\fBpam_userdb\.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_userdb \- PAM module to authenticate against a db database -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_userdb\&.so\fR\ 'u -+\fBpam_userdb\&.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only] -+.fam - .SH "DESCRIPTION" - .PP --The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\. -+The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\&. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\&. - .SH "OPTIONS" - .PP - \fBcrypt=[crypt|none]\fR - .RS 4 --Indicates whether encrypted or plaintext passwords are stored in the database\. If it is -+Indicates whether encrypted or plaintext passwords are stored in the database\&. If it is - \fBcrypt\fR, passwords should be stored in the database in - \fBcrypt\fR(3) --form\. If -+form\&. If - \fBnone\fR --is selected, passwords should be stored in the database as plaintext\. -+is selected, passwords should be stored in the database as plaintext\&. - .RE - .PP - \fBdb=\fR\fB\fI/path/database\fR\fR - .RS 4 - Use the --\fI/path/database\fR --database for performing lookup\. There is no default; the module will return -+\FC/path/database\F[] -+database for performing lookup\&. There is no default; the module will return - \fBPAM_IGNORE\fR --if no database is provided\. -+if no database is provided\&. - .RE - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBdump\fR - .RS 4 --Dump all the entries in the database to the log\. Don\'t do this by default! -+Dump all the entries in the database to the log\&. Don\'t do this by default! - .RE - .PP - \fBicase\fR - .RS 4 --Make the password verification to be case insensitive (ie when working with registration numbers and such)\. Only works with plaintext password storage\. -+Make the password verification to be case insensitive (ie when working with registration numbers and such)\&. Only works with plaintext password storage\&. - .RE - .PP - \fBtry_first_pass\fR - .RS 4 --Use the authentication token previously obtained by another module that did the conversation with the application\. If this token can not be obtained then the module will try to converse\. This option can be used for stacking different modules that need to deal with the authentication tokens\. -+Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will try to converse\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. - .RE - .PP - \fBuse_first_pass\fR - .RS 4 --Use the authentication token previously obtained by another module that did the conversation with the application\. If this token can not be obtained then the module will fail\. This option can be used for stacking different modules that need to deal with the authentication tokens\. -+Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will fail\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. - .RE - .PP - \fBunknown_ok\fR - .RS 4 --Do not return error when checking for a user that is not in the database\. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\. -+Do not return error when checking for a user that is not in the database\&. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\&. - .RE - .PP - \fBkey_only\fR - .RS 4 --The username and password are concatenated together in the database hash as \'username\-password\' with a random value\. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\. this is useful in cases where the username may not be unique but the username and password pair are\. -+The username and password are concatenated together in the database hash as \'username\-password\' with a random value\&. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\&. this is useful in cases where the username may not be unique but the username and password pair are\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP --The services -+The - \fBauth\fR - and - \fBaccount\fR --are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 --Authentication failure\. -+Authentication failure\&. - .RE - .PP - PAM_AUTHTOK_RECOVERY_ERR - .RS 4 --Authentication information cannot be recovered\. -+Authentication information cannot be recovered\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_CONV_ERR - .RS 4 --Conversation failure\. -+Conversation failure\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Error in service module\. -+Error in service module\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Success\. -+Success\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known to the underlying authentication module\. -+User not known to the underlying authentication module\&. - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --auth sufficient pam_userdb\.so icase db=/etc/dbtest\.db -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+auth sufficient pam_userdb\&.so icase db=/etc/dbtest\&.db - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBcrypt\fR(3), - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_userdb was written by Cristian Gafton >gafton@redhat\.com<\. -+pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. ---- Linux-PAM-1.0.2-orig/modules/pam_warn/pam_warn.8 2008-04-16 11:08:53.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_warn/pam_warn.8 2009-01-20 12:00:31.000000000 +0100 -@@ -1,69 +1,245 @@ - .\" Title: pam_warn --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_WARN" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_WARN" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_warn - PAM module which logs all PAM items if called --.SH "SYNOPSIS" --.HP 12 --\fBpam_warn\.so\fR -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_warn \- PAM module which logs all PAM items if called -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_warn\&.so\fR\ 'u -+\fBpam_warn\&.so\fR -+.fam - .SH "DESCRIPTION" - .PP - pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to --\fBsyslog\fR(3)\. The items are not probed for, but instead obtained from the standard PAM items\. The module always returns --\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\. -+\fBsyslog\fR(3)\&. The items are not probed for, but instead obtained from the standard PAM items\&. The module always returns -+\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\&. - .SH "OPTIONS" - .PP --This module does not recognise any options\. --.SH "MODULE SERVICES PROVIDED" -+This module does not recognise any options\&. -+.SH "MODULE TYPES PROVIDED" - .PP --The services -+The - \fBauth\fR, - \fBaccount\fR, - \fBpassword\fR - and - \fBsession\fR --are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_IGNORE - .RS 4 --This module always returns PAM_IGNORE\. -+This module always returns PAM_IGNORE\&. - .RE - .SH "EXAMPLES" - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --#%PAM\-1\.0 -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+#%PAM\-1\&.0 - # - # If we don\'t have config entries for a service, the --# OTHER entries are used\. To be secure, warn and deny --# access to everything\. --other auth required pam_warn\.so --other auth required pam_deny\.so --other account required pam_warn\.so --other account required pam_deny\.so --other password required pam_warn\.so --other password required pam_deny\.so --other session required pam_warn\.so --other session required pam_deny\.so -+# OTHER entries are used\&. To be secure, warn and deny -+# access to everything\&. -+other auth required pam_warn\&.so -+other auth required pam_deny\&.so -+other account required pam_warn\&.so -+other account required pam_deny\&.so -+other password required pam_warn\&.so -+other password required pam_deny\&.so -+other session required pam_warn\&.so -+other session required pam_deny\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_warn was written by Andrew G\. Morgan \. -+pam_warn was written by Andrew G\&. Morgan \&. ---- Linux-PAM-1.0.2-orig/modules/pam_wheel/pam_wheel.8 2008-04-16 11:08:57.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_wheel/pam_wheel.8 2009-01-20 12:00:34.000000000 +0100 -@@ -1,127 +1,303 @@ - .\" Title: pam_wheel --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_WHEEL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_WHEEL" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_wheel - Only permit root access to members of group wheel --.SH "SYNOPSIS" --.HP 13 --\fBpam_wheel\.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_wheel \- Only permit root access to members of group wheel -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_wheel\&.so\fR\ 'u -+\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] -+.fam - .SH "DESCRIPTION" - .PP - The pam_wheel PAM module is used to enforce the so\-called - \fIwheel\fR --group\. By default it permits root access to the system if the applicant user is a member of the -+group\&. By default it permits root access to the system if the applicant user is a member of the - \fIwheel\fR --group\. If no group with this name exist, the module is using the group with the group\-ID --\fB0\fR\. -+group\&. If no group with this name exist, the module is using the group with the group\-ID -+\fB0\fR\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBdeny\fR - .RS 4 - Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the - \fBgroup\fR --option), deny access\. Conversely, if the user is not in the group, return PAM_IGNORE (unless -+option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless - \fBtrust\fR --was also specified, in which case we return PAM_SUCCESS)\. -+was also specified, in which case we return PAM_SUCCESS)\&. - .RE - .PP - \fBgroup=\fR\fB\fIname\fR\fR - .RS 4 - Instead of checking the wheel or GID 0 groups, use the - \fB\fIname\fR\fR --group to perform the authentication\. -+group to perform the authentication\&. - .RE - .PP - \fBroot_only\fR - .RS 4 --The check for wheel membership is done only\. -+The check for wheel membership is done only\&. - .RE - .PP - \fBtrust\fR - .RS 4 --The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\. -+The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. - .RE - .PP - \fBuse_uid\fR - .RS 4 --The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\. -+The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - The - \fBauth\fR - and - \fBaccount\fR --services are supported\. -+module types are provided\&. - .SH "RETURN VALUES" - .PP - PAM_AUTH_ERR - .RS 4 --Authentication failure\. -+Authentication failure\&. - .RE - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_IGNORE - .RS 4 --The return value should be ignored by PAM dispatch\. -+The return value should be ignored by PAM dispatch\&. - .RE - .PP - PAM_PERM_DENY - .RS 4 --Permission denied\. -+Permission denied\&. - .RE - .PP - PAM_SERVICE_ERR - .RS 4 --Cannot determine the user name\. -+Cannot determine the user name\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Success\. -+Success\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP --The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\. -+The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&. - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --su auth sufficient pam_rootok\.so --su auth required pam_wheel\.so --su auth required pam_unix\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+su auth sufficient pam_rootok\&.so -+su auth required pam_wheel\&.so -+su auth required pam_unix\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "SEE ALSO" - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_wheel was written by Cristian Gafton \. -+pam_wheel was written by Cristian Gafton \&. ---- Linux-PAM-1.0.2-orig/modules/pam_xauth/pam_xauth.8 2008-04-16 11:09:03.000000000 +0200 -+++ Linux-PAM-1.0.2/modules/pam_xauth/pam_xauth.8 2009-01-20 12:00:38.000000000 +0100 -@@ -1,154 +1,330 @@ - .\" Title: pam_xauth --.\" Author: --.\" Generator: DocBook XSL Stylesheets v1.73.1 --.\" Date: 04/16/2008 -+.\" Author: [see the "AUTHOR" section] -+.\" Generator: DocBook XSL Stylesheets v1.74.0 -+.\" Date: 01/20/2009 - .\" Manual: Linux-PAM Manual - .\" Source: Linux-PAM Manual -+.\" Language: English - .\" --.TH "PAM_XAUTH" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_XAUTH" "8" "01/20/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" ----------------------------------------------------------------- -+.\" * (re)Define some macros -+.\" ----------------------------------------------------------------- -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" toupper - uppercase a string (locale-aware) -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de toupper -+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -+\\$* -+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH-xref - format a cross-reference to an SH section -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de SH-xref -+.ie n \{\ -+.\} -+.toupper \\$* -+.el \{\ -+\\$* -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SH - level-one heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SH -+.\" put an extra blank line of space above the head in non-TTY output -+.if t \{\ -+.sp 1 -+.\} -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[an-margin]u -+.ti 0 -+.HTML-TAG ".NH \\n[an-level]" -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+\." make the size of the head bigger -+.ps +3 -+.ft B -+.ne (2v + 1u) -+.ie n \{\ -+.\" if n (TTY output), use uppercase -+.toupper \\$* -+.\} -+.el \{\ -+.nr an-break-flag 0 -+.\" if not n (not TTY), use normal case (not uppercase) -+\\$1 -+.in \\n[an-margin]u -+.ti 0 -+.\" if not n (not TTY), put a border/line under subheading -+.sp -.6 -+\l'\n(.lu' -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" SS - level-two heading that works better for non-TTY output -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de1 SS -+.sp \\n[PD]u -+.nr an-level 1 -+.set-an-margin -+.nr an-prevailing-indent \\n[IN] -+.fi -+.in \\n[IN]u -+.ti \\n[SN]u -+.it 1 an-trap -+.nr an-no-space-flag 1 -+.nr an-break-flag 1 -+.ps \\n[PS-SS]u -+\." make the size of the head bigger -+.ps +2 -+.ft B -+.ne (2v + 1u) -+.if \\n[.$] \&\\$* -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BB/BE - put background/screen (filled box) around block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BB -+.if t \{\ -+.sp -.5 -+.br -+.in +2n -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EB -+.if t \{\ -+.if "\\$2"adjust-for-leading-newline" \{\ -+.sp -1 -+.\} -+.br -+.di -+.in -+.ll -+.gcolor -+.nr BW \\n(.lu-\\n(.i -+.nr BH \\n(dn+.5v -+.ne \\n(BHu+.5v -+.ie "\\$2"adjust-for-leading-newline" \{\ -+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.el \{\ -+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -+.\} -+.in 0 -+.sp -.5v -+.nf -+.BX -+.in -+.sp .5v -+.fi -+.\} -+.. -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.\" BM/EM - put colored marker in margin next to block of text -+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -+.de BM -+.if t \{\ -+.br -+.ll -2n -+.gcolor red -+.di BX -+.\} -+.. -+.de EM -+.if t \{\ -+.br -+.di -+.ll -+.gcolor -+.nr BH \\n(dn -+.ne \\n(BHu -+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -+.in 0 -+.nf -+.BX -+.in -+.fi -+.\} -+.. -+.\" ----------------------------------------------------------------- -+.\" * set default formatting -+.\" ----------------------------------------------------------------- - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l --.SH "NAME" --pam_xauth - PAM module to forward xauth keys between users --.SH "SYNOPSIS" --.HP 13 --\fBpam_xauth\.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] -+.\" ----------------------------------------------------------------- -+.\" * MAIN CONTENT STARTS HERE * -+.\" ----------------------------------------------------------------- -+.SH "Name" -+pam_xauth \- PAM module to forward xauth keys between users -+.SH "Synopsis" -+.fam C -+.HP \w'\fBpam_xauth\&.so\fR\ 'u -+\fBpam_xauth\&.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] -+.fam - .SH "DESCRIPTION" - .PP --The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\. -+The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\&. - .PP - Without pam_xauth, when xauth is enabled and a user uses the - \fBsu\fR(1) --command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\. -+command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\&. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\&. - .PP - This means, for example, that when you run - \fBsu\fR(1) - from an xterm sesssion, you will be able to run X programs without explicitly dealing with the - \fBxauth\fR(1) --xauth command or ~/\.Xauthority files\. -+xauth command or ~/\&.Xauthority files\&. - .PP --pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\. -+pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\&. - .PP - Primitive access control is provided by --\fI~/\.xauth/export\fR -+\FC~/\&.xauth/export\F[] - in the invoking user\'s home directory and --\fI~/\.xauth/import\fR --in the target user\'s home directory\. -+\FC~/\&.xauth/import\F[] -+in the target user\'s home directory\&. - .PP - If a user has a --\fI~/\.xauth/import\fR --file, the user will only receive cookies from users listed in the file\. If there is no --\fI~/\.xauth/import\fR --file, the user will accept cookies from any other user\. -+\FC~/\&.xauth/import\F[] -+file, the user will only receive cookies from users listed in the file\&. If there is no -+\FC~/\&.xauth/import\F[] -+file, the user will accept cookies from any other user\&. - .PP - If a user has a --\fI\.xauth/export\fR --file, the user will only forward cookies to users listed in the file\. If there is no --\fI~/\.xauth/export\fR -+\FC\&.xauth/export\F[] -+file, the user will only forward cookies to users listed in the file\&. If there is no -+\FC~/\&.xauth/export\F[] - file, and the invoking user is not --\fBroot\fR, the user will forward cookies to any other user\. If there is no --\fI~/\.xauth/export\fR -+\fBroot\fR, the user will forward cookies to any other user\&. If there is no -+\FC~/\&.xauth/export\F[] - file, and the invoking user is - \fBroot\fR, the user will - \fInot\fR --forward cookies to other users\. -+forward cookies to other users\&. - .PP - Both the import and export files support wildcards (such as --\fI*\fR)\. Both the import and export files can be empty, signifying that no users are allowed\. -+\fI*\fR)\&. Both the import and export files can be empty, signifying that no users are allowed\&. - .SH "OPTIONS" - .PP - \fBdebug\fR - .RS 4 --Print debug information\. -+Print debug information\&. - .RE - .PP - \fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR - .RS 4 - Specify the path the xauth program (it is expected in --\fI/usr/X11R6/bin/xauth\fR, --\fI/usr/bin/xauth\fR, or --\fI/usr/bin/X11/xauth\fR --by default)\. -+\FC/usr/X11R6/bin/xauth\F[], -+\FC/usr/bin/xauth\F[], or -+\FC/usr/bin/X11/xauth\F[] -+by default)\&. - .RE - .PP - \fBsystemuser=\fR\fB\fIUID\fR\fR - .RS 4 --Specify the highest UID which will be assumed to belong to a "system" user\. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\. -+Specify the highest UID which will be assumed to belong to a "system" user\&. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\&. - .RE - .PP - \fBtargetuser=\fR\fB\fIUID\fR\fR - .RS 4 --Specify a single target UID which is exempt from the systemuser check\. -+Specify a single target UID which is exempt from the systemuser check\&. - .RE --.SH "MODULE SERVICES PROVIDED" -+.SH "MODULE TYPES PROVIDED" - .PP - Only the - \fBsession\fR --service is supported\. -+type is provided\&. - .SH "RETURN VALUES" - .PP - PAM_BUF_ERR - .RS 4 --Memory buffer error\. -+Memory buffer error\&. - .RE - .PP - PAM_PERM_DENIED - .RS 4 --Permission denied by import/export file\. -+Permission denied by import/export file\&. - .RE - .PP - PAM_SESSION_ERR - .RS 4 --Cannot determine user name, UID or access users home directory\. -+Cannot determine user name, UID or access users home directory\&. - .RE - .PP - PAM_SUCCESS - .RS 4 --Success\. -+Success\&. - .RE - .PP - PAM_USER_UNKNOWN - .RS 4 --User not known\. -+User not known\&. - .RE - .SH "EXAMPLES" - .PP - Add the following line to --\fI/etc/pam\.d/su\fR -+\FC/etc/pam\&.d/su\F[] - to forward xauth keys between users when calling su: - .sp -+.if n \{\ - .RS 4 -+.\} -+.fam C -+.ps -1 - .nf --session optional pam_xauth\.so -+.if t \{\ -+.sp -1 -+.\} -+.BB lightgray adjust-for-leading-newline -+.sp -1 -+ -+session optional pam_xauth\&.so - -+.EB lightgray adjust-for-leading-newline -+.if t \{\ -+.sp 1 -+.\} - .fi -+.fam -+.ps +1 -+.if n \{\ - .RE -+.\} - .sp - .SH "IMPLEMENTATION DETAILS" - .PP - pam_xauth will work - \fIonly\fR - if it is used from a setuid application in which the --\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\. The typical application of this type is --\fBsu\fR(1)\. The application must call both -+\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\&. The typical application of this type is -+\fBsu\fR(1)\&. The application must call both - \fBpam_open_session\fR() and --\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\. -+\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\&. - .PP - pam_xauth calls - \fBxauth\fR(1) --as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\. -+as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\&. - .PP --pam_xauth cannot be told to not remove the keys when the session is closed\. -+pam_xauth cannot be told to not remove the keys when the session is closed\&. - .SH "FILES" - .PP --\fI~/\.xauth/import\fR -+\FC~/\&.xauth/import\F[] - .RS 4 - XXX - .RE - .PP --\fI~/\.xauth/export\fR -+\FC~/\&.xauth/export\F[] - .RS 4 - XXX - .RE -@@ -156,8 +332,8 @@ - .PP - - \fBpam.conf\fR(5), --\fBpam.d\fR(8), -+\fBpam.d\fR(5), - \fBpam\fR(8) - .SH "AUTHOR" - .PP --pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\. Johnson \. -+pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\&. Johnson \&. diff --git a/Linux-PAM-docu.diff b/Linux-PAM-docu.diff deleted file mode 100644 index bd2f5b3..0000000 --- a/Linux-PAM-docu.diff +++ /dev/null @@ -1,1620 +0,0 @@ ---- Linux-PAM-1.0/doc/man/pam_getenv.3.xml 2006-06-25 21:01:00.000000000 +0200 -+++ Linux-PAM/doc/man/pam_getenv.3.xml 2008-06-22 09:47:28.000000000 +0200 -@@ -32,9 +32,9 @@ - - The pam_getenv function searches the - PAM environment list as associated with the handle -- pamh for a string that matches the string -- pointed to by name. The return values are -- of the form: "name=value". -+ pamh for an item that matches the string -+ pointed to by name and returns the value -+ of the environment variable. - - - ---- Linux-PAM-1.0/doc/man/pam_prompt.3.xml 2006-05-04 08:56:08.000000000 +0200 -+++ Linux-PAM/doc/man/pam_prompt.3.xml 2008-06-22 09:47:29.000000000 +0200 -@@ -44,7 +44,11 @@ - DESCRIPTION - - The pam_prompt function constructs a message -- from the specified format string and arguments and passes it to -+ from the specified format string and arguments and passes it to the -+ conversation function as set by the service. Upon successful return, -+ response is set to point to a string -+ returned from the conversation function. This string is allocated -+ on heap and should be freed. - - - ---- Linux-PAM-1.0/doc/sag/pam_access.xml 2006-10-13 13:33:18.000000000 +0200 -+++ Linux-PAM/doc/sag/pam_access.xml 2008-08-20 20:56:21.000000000 +0200 -@@ -19,9 +19,9 @@ - - --
-+
- -+ href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-types"]/*)'/> -
-
- -
--
-+
- -+ href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-types"]/*)'/> -
-
- - - If Linux PAM is compiled with audit support the module will report -- when it denies access based on origin (host or tty). -+ when it denies access based on origin (host or tty). - - - -@@ -159,10 +159,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- All services are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -231,7 +232,7 @@ - access.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_cracklib/pam_cracklib.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -281,7 +281,7 @@ - than 10. - - -- (N > 0) This is the minimum number of upper -+ (N < 0) This is the minimum number of upper - case letters that must be met for a new password. - - -@@ -376,10 +376,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only he service is supported. -+ Only the module type is provided. - - - -@@ -495,7 +495,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_debug/pam_debug.8.xml 2006-06-17 19:20:40.000000000 +0200 -+++ Linux-PAM/modules/pam_debug/pam_debug.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -171,11 +171,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services , , -- and are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -213,7 +213,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_deny/pam_deny.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_deny/pam_deny.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -38,11 +38,11 @@ - This module does not recognise any options. - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- All services (, , -- and ) are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -117,7 +117,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_echo/pam_echo.8.xml 2006-06-22 21:44:30.000000000 +0200 -+++ Linux-PAM/modules/pam_echo/pam_echo.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -96,10 +96,12 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- All services are supported. -+ All module types (, , -+ and ) are provided. -+ - - - -@@ -154,7 +156,7 @@ - pam.conf8 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_env/environment 2006-09-01 13:37:13.000000000 +0200 -+++ Linux-PAM/modules/pam_env/environment 2008-08-01 14:10:43.000000000 +0200 -@@ -1,5 +1,5 @@ - # - # This file is parsed by pam_env module - # --# Syntax: simple "KEY=VAL" pairs on seperate lines -+# Syntax: simple "KEY=VAL" pairs on separate lines - # ---- Linux-PAM-1.0/modules/pam_env/pam_env.8.xml 2006-06-22 21:44:30.000000000 +0200 -+++ Linux-PAM/modules/pam_env/pam_env.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -53,7 +53,7 @@ - - - This module can also parse a file with simple -- KEY=VAL pairs on seperate lines -+ KEY=VAL pairs on separate lines - (/etc/environment by default). You can - change the default file to parse, with the envfile - flag and turn it on or off by setting the readenv -@@ -118,11 +118,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The and services -- are supported. -+ The and module -+ types are provided. - - - -@@ -189,7 +189,7 @@ - pam_env.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_exec/pam_exec.8.xml 2008-02-04 16:27:31.000000000 +0100 -+++ Linux-PAM/modules/pam_exec/pam_exec.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -123,11 +123,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services , , -- and are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -199,7 +199,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_faildelay/pam_faildelay.8.xml 2006-12-07 13:34:00.000000000 +0100 -+++ Linux-PAM/modules/pam_faildelay/pam_faildelay.8.xml 2008-08-20 20:56:25.000000000 +0200 -@@ -68,10 +68,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -118,7 +118,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_filter/pam_filter.8.xml 2006-06-09 18:44:06.000000000 +0200 -+++ Linux-PAM/modules/pam_filter/pam_filter.8.xml 2008-08-20 20:56:26.000000000 +0200 -@@ -188,11 +188,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services , , -- and are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -243,7 +243,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_ftp/pam_ftp.8.xml 2006-06-09 18:44:06.000000000 +0200 -+++ Linux-PAM/modules/pam_ftp/pam_ftp.8.xml 2008-08-20 20:56:26.000000000 +0200 -@@ -105,10 +105,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -165,7 +165,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_group/pam_group.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_group/pam_group.8.xml 2008-08-20 20:56:26.000000000 +0200 -@@ -65,10 +65,10 @@ - This module does not recognise any options. - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -145,7 +145,7 @@ - group.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_issue/pam_issue.8.xml 2006-06-21 08:35:25.000000000 +0200 -+++ Linux-PAM/modules/pam_issue/pam_issue.8.xml 2008-08-20 20:56:26.000000000 +0200 -@@ -146,10 +146,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -216,7 +216,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_keyinit/pam_keyinit.8.xml 2006-06-27 14:34:07.000000000 +0200 -+++ Linux-PAM/modules/pam_keyinit/pam_keyinit.8.xml 2008-08-20 20:56:26.000000000 +0200 -@@ -121,10 +121,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the session service is supported. -+ Only the module type is provided. - - - -@@ -220,7 +220,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_limits/pam_limits.8.xml 2007-12-07 16:40:02.000000000 +0100 -+++ Linux-PAM/modules/pam_limits/pam_limits.8.xml 2008-08-20 20:56:26.000000000 +0200 -@@ -132,10 +132,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -239,7 +239,7 @@ - limits.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_listfile/pam_listfile.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_listfile/pam_listfile.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -175,11 +175,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services , , -- and are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -278,7 +278,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_localuser/pam_localuser.8.xml 2006-12-13 11:35:49.000000000 +0100 -+++ Linux-PAM/modules/pam_localuser/pam_localuser.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -80,11 +80,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- All services (, , -- and ) are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -155,7 +155,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_loginuid/pam_loginuid.8.xml 2006-09-01 15:17:47.000000000 +0200 -+++ Linux-PAM/modules/pam_loginuid/pam_loginuid.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -57,10 +57,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The service is supported. -+ Only the module type is provided. - - - -@@ -101,7 +101,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_mail/pam_mail.8.xml 2006-06-09 18:44:07.000000000 +0200 -+++ Linux-PAM/modules/pam_mail/pam_mail.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -193,11 +193,12 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The auth and -- account services are supported. -+ The and -+ (on establishment and -+ deletion of credentials) module types are provided. - - - -@@ -261,7 +262,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_mkhomedir/pam_mkhomedir.8.xml 2006-05-30 15:03:09.000000000 +0200 -+++ Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -95,10 +95,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -186,7 +186,7 @@ - SEE ALSO - - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_motd/pam_motd.8.xml 2006-10-26 15:51:51.000000000 +0200 -+++ Linux-PAM/modules/pam_motd/pam_motd.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -55,10 +55,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -96,7 +96,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_namespace/pam_namespace.8.xml 2008-02-13 13:49:44.000000000 +0100 -+++ Linux-PAM/modules/pam_namespace/pam_namespace.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -237,11 +237,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The service is supported. The module must not -- be called from multithreaded processes. -+ Only the module type is provided. -+ The module must not be called from multithreaded processes. - - - -@@ -365,7 +365,7 @@ - namespace.conf5 - , - -- pam.d8 -+ pam.d5 - , - - mount8 ---- Linux-PAM-1.0/modules/pam_nologin/pam_nologin.8.xml 2006-06-04 03:48:34.000000000 +0200 -+++ Linux-PAM/modules/pam_nologin/pam_nologin.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -68,11 +68,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The and services are -- supported. -+ The and module -+ types are provided. - - - -@@ -156,7 +156,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_permit/pam_permit.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_permit/pam_permit.8.xml 2008-08-20 20:56:27.000000000 +0200 -@@ -47,11 +47,12 @@ - This module does not recognise any options. - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services , , -- and are supported. -+ The , , -+ and -+ module types are provided. - - - -@@ -87,7 +88,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_rhosts/pam_rhosts.8.xml 2006-06-28 09:22:43.000000000 +0200 -+++ Linux-PAM/modules/pam_rhosts/pam_rhosts.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -89,10 +89,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -153,7 +153,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_rootok/pam_rootok.8.xml 2006-06-04 14:11:16.000000000 +0200 -+++ Linux-PAM/modules/pam_rootok/pam_rootok.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -54,10 +54,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the type is provided. - - - -@@ -112,7 +112,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_securetty/pam_securetty.8.xml 2006-06-04 17:29:23.000000000 +0200 -+++ Linux-PAM/modules/pam_securetty/pam_securetty.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -64,10 +64,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -116,7 +116,7 @@ - - - -- PAM_IGNORE -+ PAM_USER_UNKNOWN - - - The module could not find the user name in the -@@ -149,7 +149,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_sepermit/pam_sepermit.8.xml 2008-01-29 16:38:35.000000000 +0100 -+++ Linux-PAM/modules/pam_sepermit/pam_sepermit.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -87,11 +87,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the and -- services are supported. -+ The and -+ module types are provided. - - - ---- Linux-PAM-1.0/modules/pam_shells/pam_shells.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_shells/pam_shells.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -41,11 +41,11 @@ - This module does not recognise any options. - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services and -- are supported. -+ The and -+ module types are provided. - - - -@@ -99,7 +99,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_succeed_if/pam_succeed_if.8.xml 2008-01-07 15:54:50.000000000 +0100 -+++ Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -215,10 +215,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- All services are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -249,7 +250,7 @@ - - - A service error occured or the arguments can't be -- parsed as numbers. -+ parsed correctly. - - - ---- Linux-PAM-1.0/modules/pam_tally/pam_tally.8.xml 2007-10-10 16:10:07.000000000 +0200 -+++ Linux-PAM/modules/pam_tally/pam_tally.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -113,7 +119,7 @@ - - - This can be used for auth and -- account services. -+ account module types. - - - -@@ -322,11 +348,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - - The and -- services are supported. -+ module types are provided. - - - -@@ -409,7 +435,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_time/pam_time.8.xml 2007-12-07 16:40:02.000000000 +0100 -+++ Linux-PAM/modules/pam_time/pam_time.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -49,7 +49,7 @@ - - - If Linux PAM is compiled with audit support the module will report -- when it denies access. -+ when it denies access. - - - -@@ -83,10 +83,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the type is provided. - - - -@@ -166,7 +166,7 @@ - time.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-29 16:09:29.000000000 +0100 -+++ Linux-PAM/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-08-20 20:56:29.000000000 +0200 -@@ -80,10 +80,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the session service is supported. -+ Only the session type is supported. - - - ---- Linux-PAM-1.0/modules/pam_umask/pam_umask.8.xml 2006-08-06 13:38:43.000000000 +0200 -+++ Linux-PAM/modules/pam_umask/pam_umask.8.xml 2008-08-20 20:56:29.000000000 +0200 -@@ -141,10 +141,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the type is provided. - - - -@@ -202,7 +202,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_unix/pam_unix.8.xml 2008-01-23 16:35:12.000000000 +0100 -+++ Linux-PAM/modules/pam_unix/pam_unix.8.xml 2008-08-20 20:56:29.000000000 +0200 -@@ -85,7 +85,7 @@ - - - -- The session component of this module logs when a user logins -+ The session component of this module logs when a user logins - or leave the system. - - -@@ -314,10 +314,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- All service are supported. -+ All module types (, , -+ and ) are provided. - - - -@@ -361,7 +362,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_userdb/pam_userdb.8.xml 2006-06-09 18:44:07.000000000 +0200 -+++ Linux-PAM/modules/pam_userdb/pam_userdb.8.xml 2008-08-20 20:56:29.000000000 +0200 -@@ -189,11 +189,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services and -- are supported. -+ The and module -+ types are provided. - - - -@@ -274,7 +274,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_warn/pam_warn.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_warn/pam_warn.8.xml 2008-08-20 20:56:29.000000000 +0200 -@@ -38,11 +38,12 @@ - This module does not recognise any options. - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- The services , , -- and are supported. -+ The , , -+ and module -+ types are provided. - - - -@@ -86,7 +87,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_wheel/pam_wheel.8.xml 2006-09-10 01:11:34.000000000 +0200 -+++ Linux-PAM/modules/pam_wheel/pam_wheel.8.xml 2008-08-20 20:56:29.000000000 +0200 -@@ -130,11 +130,11 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - - The auth and -- account services are supported. -+ account module types are provided. - - - -@@ -224,7 +224,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- Linux-PAM-1.0/modules/pam_xauth/pam_xauth.8.xml 2007-11-06 15:58:54.000000000 +0100 -+++ Linux-PAM/modules/pam_xauth/pam_xauth.8.xml 2008-08-20 20:56:30.000000000 +0200 -@@ -147,10 +147,10 @@ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the session service is supported. -+ Only the session type is provided. - - - -@@ -273,7 +273,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 diff --git a/cvs.diff b/cvs.diff new file mode 100644 index 0000000..a9517a1 --- /dev/null +++ b/cvs.diff @@ -0,0 +1,2333 @@ +Index: libpamc/include/security/pam_client.h +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/libpamc/include/security/pam_client.h,v +retrieving revision 1.7 +diff -u -r1.7 pam_client.h +--- libpamc/include/security/pam_client.h 20 May 2005 14:58:58 -0000 1.7 ++++ libpamc/include/security/pam_client.h 27 Mar 2009 10:11:14 -0000 +@@ -9,8 +9,8 @@ + #ifndef PAM_CLIENT_H + #define PAM_CLIENT_H + +-#ifdef __cplusplus +-extern "C" { ++#ifdef __cplusplus ++extern "C" { + #endif /* def __cplusplus */ + + #include +@@ -74,8 +74,12 @@ + #include + + #ifndef PAM_BP_ASSERT +-# define PAM_BP_ASSERT(x) do { printf(__FILE__ "(%d): %s\n", \ +- __LINE__, x) ; exit(1); } while (0) ++# ifdef NDEBUG ++# define PAM_BP_ASSERT(x) do {} while (0) ++# else ++# define PAM_BP_ASSERT(x) do { printf(__FILE__ "(%d): %s\n", \ ++ __LINE__, x) ; exit(1); } while (0) ++# endif /* NDEBUG */ + #endif /* PAM_BP_ASSERT */ + + #ifndef PAM_BP_CALLOC +Index: modules/pam_ftp/pam_ftp.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_ftp/pam_ftp.c,v +retrieving revision 1.12 +diff -u -r1.12 pam_ftp.c +--- modules/pam_ftp/pam_ftp.c 5 Mar 2008 20:21:38 -0000 1.12 ++++ modules/pam_ftp/pam_ftp.c 27 Mar 2009 10:11:14 -0000 +@@ -1,7 +1,7 @@ + /* pam_ftp module */ + + /* +- * $Id: pam_ftp.c,v 1.12 2008/03/05 20:21:38 t8m Exp $ ++ * $Id: pam_ftp.c,v 1.13 2009/03/25 10:54:23 kukuk Exp $ + * + * Written by Andrew Morgan 1996/3/11 + * +@@ -79,7 +79,7 @@ + if (list && *list) { + const char *l; + char *list_copy, *x; +- char *sptr; ++ char *sptr = NULL; + + list_copy = x_strdup(list); + x = list_copy; +@@ -172,7 +172,7 @@ + /* XXX: Some effort should be made to verify this email address! */ + + if (!(ctrl & PAM_IGNORE_EMAIL)) { +- char *sptr; ++ char *sptr = NULL; + token = strtok_r(resp, "@", &sptr); + retval = pam_set_item(pamh, PAM_RUSER, token); + +Index: modules/pam_issue/pam_issue.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_issue/pam_issue.c,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- modules/pam_issue/pam_issue.c 19 Sep 2005 16:47:20 -0000 1.14 ++++ modules/pam_issue/pam_issue.c 25 Mar 2009 10:54:23 -0000 1.15 +@@ -145,7 +145,7 @@ + return PAM_BUF_ERR; + } + +- if (fread(issue, 1, st.st_size, fp) != st.st_size) { ++ if ((off_t)fread(issue, 1, st.st_size, fp) != st.st_size) { + pam_syslog(pamh, LOG_ERR, "read error: %m"); + _pam_drop(issue); + return PAM_SERVICE_ERR; +Index: modules/pam_mkhomedir/pam_mkhomedir.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c,v +retrieving revision 1.27 +retrieving revision 1.28 +diff -u -r1.27 -r1.28 +--- modules/pam_mkhomedir/pam_mkhomedir.c 3 Mar 2009 08:10:53 -0000 1.27 ++++ modules/pam_mkhomedir/pam_mkhomedir.c 25 Mar 2009 10:54:23 -0000 1.28 +@@ -64,50 +64,52 @@ + #define MKHOMEDIR_DEBUG 020 /* be verbose about things */ + #define MKHOMEDIR_QUIET 040 /* keep quiet about things */ + +-static char UMask[16] = "0022"; +-static char SkelDir[BUFSIZ] = "/etc/skel"; /* THIS MODULE IS NOT THREAD SAFE */ ++struct options_t { ++ int ctrl; ++ const char *umask; ++ const char *skeldir; ++}; ++typedef struct options_t options_t; + +-static int +-_pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv) ++static void ++_pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv, ++ options_t *opt) + { +- int ctrl = 0; ++ opt->ctrl = 0; ++ opt->umask = "0022"; ++ opt->skeldir = "/etc/skel"; + + /* does the appliction require quiet? */ + if ((flags & PAM_SILENT) == PAM_SILENT) +- ctrl |= MKHOMEDIR_QUIET; ++ opt->ctrl |= MKHOMEDIR_QUIET; + + /* step through arguments */ + for (; argc-- > 0; ++argv) + { + if (!strcmp(*argv, "silent")) { +- ctrl |= MKHOMEDIR_QUIET; ++ opt->ctrl |= MKHOMEDIR_QUIET; + } else if (!strcmp(*argv, "debug")) { +- ctrl |= MKHOMEDIR_DEBUG; ++ opt->ctrl |= MKHOMEDIR_DEBUG; + } else if (!strncmp(*argv,"umask=",6)) { +- strncpy(SkelDir,*argv+6,sizeof(UMask)); +- UMask[sizeof(UMask)-1] = '\0'; ++ opt->umask = *argv+6; + } else if (!strncmp(*argv,"skel=",5)) { +- strncpy(SkelDir,*argv+5,sizeof(SkelDir)); +- SkelDir[sizeof(SkelDir)-1] = '\0'; ++ opt->skeldir = *argv+5; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } + } +- +- D(("ctrl = %o", ctrl)); +- return ctrl; + } + + /* Do the actual work of creating a home dir */ + static int +-create_homedir (pam_handle_t *pamh, int ctrl, ++create_homedir (pam_handle_t *pamh, options_t *opt, + const struct passwd *pwd) + { + int retval, child; + struct sigaction newsa, oldsa; + + /* Mention what is happening, if the notification fails that is OK */ +- if (!(ctrl & MKHOMEDIR_QUIET)) ++ if (!(opt->ctrl & MKHOMEDIR_QUIET)) + pam_info(pamh, _("Creating directory '%s'."), pwd->pw_dir); + + +@@ -121,8 +123,8 @@ + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + sigaction(SIGCHLD, &newsa, &oldsa); +- +- if (ctrl & MKHOMEDIR_DEBUG) { ++ ++ if (opt->ctrl & MKHOMEDIR_DEBUG) { + pam_syslog(pamh, LOG_DEBUG, "Executing mkhomedir_helper."); + } + +@@ -145,8 +147,8 @@ + /* exec the mkhomedir helper */ + args[0] = x_strdup(MKHOMEDIR_HELPER); + args[1] = pwd->pw_name; +- args[2] = UMask; +- args[3] = SkelDir; ++ args[2] = x_strdup(opt->umask); ++ args[3] = x_strdup(opt->skeldir); + + execve(MKHOMEDIR_HELPER, args, envp); + +@@ -173,11 +175,11 @@ + + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ + +- if (ctrl & MKHOMEDIR_DEBUG) { ++ if (opt->ctrl & MKHOMEDIR_DEBUG) { + pam_syslog(pamh, LOG_DEBUG, "mkhomedir_helper returned %d", retval); + } + +- if (retval != PAM_SUCCESS && !(ctrl & MKHOMEDIR_QUIET)) { ++ if (retval != PAM_SUCCESS && !(opt->ctrl & MKHOMEDIR_QUIET)) { + pam_error(pamh, _("Unable to create and initialize directory '%s'."), + pwd->pw_dir); + } +@@ -192,13 +194,14 @@ + pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, + const char **argv) + { +- int retval, ctrl; ++ int retval; ++ options_t opt; + const void *user; + const struct passwd *pwd; + struct stat St; + + /* Parse the flag values */ +- ctrl = _pam_parse(pamh, flags, argc, argv); ++ _pam_parse(pamh, flags, argc, argv, &opt); + + /* Determine the user name so we can get the home directory */ + retval = pam_get_item(pamh, PAM_USER, &user); +@@ -220,14 +223,14 @@ + /* Stat the home directory, if something exists then we assume it is + correct and return a success*/ + if (stat(pwd->pw_dir, &St) == 0) { +- if (ctrl & MKHOMEDIR_DEBUG) { ++ if (opt.ctrl & MKHOMEDIR_DEBUG) { + pam_syslog(pamh, LOG_DEBUG, "Home directory %s already exists.", + pwd->pw_dir); + } + return PAM_SUCCESS; + } + +- return create_homedir(pamh, ctrl, pwd); ++ return create_homedir(pamh, &opt, pwd); + } + + /* Ignore */ +Index: modules/pam_pwhistory/opasswd.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_pwhistory/opasswd.c,v +retrieving revision 1.2 +retrieving revision 1.3 +diff -u -r1.2 -r1.3 +--- modules/pam_pwhistory/opasswd.c 25 Nov 2008 14:29:41 -0000 1.2 ++++ modules/pam_pwhistory/opasswd.c 24 Mar 2009 16:33:21 -0000 1.3 +@@ -452,6 +452,15 @@ + goto error_opasswd; + } + ++ if (fflush (newpf) != 0 || fsync (fileno (newpf)) != 0) ++ { ++ pam_syslog (pamh, LOG_ERR, ++ "Error while syncing temporary opasswd file: %m"); ++ retval = PAM_AUTHTOK_ERR; ++ fclose (newpf); ++ goto error_opasswd; ++ } ++ + if (fclose (newpf) != 0) + { + pam_syslog (pamh, LOG_ERR, +Index: modules/pam_timestamp/pam_timestamp.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_timestamp/pam_timestamp.c,v +retrieving revision 1.1 +diff -u -r1.1 pam_timestamp.c +--- modules/pam_timestamp/pam_timestamp.c 28 Nov 2008 14:29:12 -0000 1.1 ++++ modules/pam_timestamp/pam_timestamp.c 27 Mar 2009 10:11:14 -0000 +@@ -194,7 +194,7 @@ + } + + static int +-check_login_time(const char *ruser, time_t timestamp) ++check_login_time(const char *ruser, time_t timestamp) + { + struct utmp utbuf, *ut; + time_t oldest_login = 0; +@@ -237,14 +237,14 @@ + if (pwd != NULL) { + ruser = pwd->pw_name; + } +- } ++ } + if (ruser == NULL || strlen(ruser) >= ruserbuflen) { + *ruserbuf = '\0'; + return -1; + } + strcpy(ruserbuf, ruser); + return 0; +-} ++} + + /* Get the path to the timestamp to use. */ + static int +@@ -299,7 +299,7 @@ + tty = NULL; + } else { + tty = void_tty; +- } ++ } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDIN_FILENO); + if ((tty == NULL) || (strlen(tty) == 0)) { +@@ -413,7 +413,7 @@ + int count; + void *mac; + size_t maclen; +- char ruser[BUFLEN]; ++ char ruser[BUFLEN]; + + /* Check that the file is owned by the superuser. */ + if ((st.st_uid != 0) || (st.st_gid != 0)) { +@@ -483,7 +483,7 @@ + free(mac); + memmove(&then, message + strlen(path) + 1, sizeof(then)); + free(message); +- ++ + /* Check oldest login against timestamp */ + if (get_ruser(pamh, ruser, sizeof(ruser))) + { +@@ -565,7 +565,14 @@ + subdir[i] = '\0'; + if (mkdir(subdir, 0700) == 0) { + /* Attempt to set the owner to the superuser. */ +- lchown(subdir, 0, 0); ++ if (lchown(subdir, 0, 0) != 0) { ++ if (debug) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "error setting permissions on `%s': %m", ++ subdir); ++ } ++ return PAM_SESSION_ERR; ++ } + } else { + if (errno != EEXIST) { + if (debug) { +@@ -617,7 +624,15 @@ + } + + /* Attempt to set the owner to the superuser. */ +- fchown(fd, 0, 0); ++ if (fchown(fd, 0, 0) != 0) { ++ if (debug) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "error setting ownership of `%s': %m", ++ path); ++ } ++ return PAM_SESSION_ERR; ++ } ++ + + /* Write the timestamp to the file. */ + if (write(fd, text, p - text) != p - text) { +Index: modules/pam_unix/passverify.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_unix/passverify.c,v +retrieving revision 1.10 +retrieving revision 1.12 +diff -u -r1.10 -r1.12 +--- modules/pam_unix/passverify.c 27 Feb 2009 14:29:40 -0000 1.10 ++++ modules/pam_unix/passverify.c 25 Mar 2009 10:54:23 -0000 1.12 +@@ -680,8 +680,13 @@ + } + } + ++ if (fflush(pwfile) || fsync(fileno(pwfile))) { ++ D(("fflush or fsync error writing entries to old passwords file: %m")); ++ err = 1; ++ } ++ + if (fclose(pwfile)) { +- D(("error writing entries to old passwords file: %m")); ++ D(("fclose error writing entries to old passwords file: %m")); + err = 1; + } + +@@ -795,8 +800,13 @@ + } + fclose(opwfile); + ++ if (fflush(pwfile) || fsync(fileno(pwfile))) { ++ D(("fflush or fsync error writing entries to password file: %m")); ++ err = 1; ++ } ++ + if (fclose(pwfile)) { +- D(("error writing entries to password file: %m")); ++ D(("fclose error writing entries to password file: %m")); + err = 1; + } + +@@ -916,8 +926,13 @@ + } + fclose(opwfile); + ++ if (fflush(pwfile) || fsync(fileno(pwfile))) { ++ D(("fflush or fsync error writing entries to shadow file: %m")); ++ err = 1; ++ } ++ + if (fclose(pwfile)) { +- D(("error writing entries to shadow file: %m")); ++ D(("fclose error writing entries to shadow file: %m")); + err = 1; + } + +@@ -996,7 +1011,7 @@ + /* emulate the behaviour of the SA_RESETHAND flag */ + if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) { + struct sigaction sa; +- memset(&sa, '\0, sizeof(sa)); ++ memset(&sa, '\0', sizeof(sa)); + sa.sa_handler = SIG_DFL; + sigaction(sig, &sa, NULL); + } +Index: modules/pam_unix/support.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_unix/support.c,v +retrieving revision 1.52 +diff -u -r1.52 support.c +--- modules/pam_unix/support.c 3 Mar 2009 08:10:53 -0000 1.52 ++++ modules/pam_unix/support.c 27 Mar 2009 10:11:14 -0000 +@@ -120,13 +120,13 @@ + D(("DISALLOW_NULL_AUTHTOK")); + set(UNIX__NONULL, ctrl); + } +- ++ + /* Set default rounds for blowfish */ + if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) { + *rounds = 5; + set(UNIX_ALGO_ROUNDS, ctrl); + } +- ++ + /* Enforce sane "rounds" values */ + if (on(UNIX_ALGO_ROUNDS, ctrl)) { + if (on(UNIX_BLOWFISH_PASS, ctrl)) { +@@ -478,10 +478,18 @@ + /* if the stored password is NULL */ + int rc=0; + if (passwd != NULL) { /* send the password to the child */ +- write(fds[1], passwd, strlen(passwd)+1); ++ if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); ++ close(fds[1]); ++ retval = PAM_AUTH_ERR; ++ } + passwd = NULL; +- } else { +- write(fds[1], "", 1); /* blank password */ ++ } else { /* blank password */ ++ if (write(fds[1], "", 1) == -1) { ++ pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); ++ close(fds[1]); ++ retval = PAM_AUTH_ERR; ++ } + } + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +@@ -871,7 +879,7 @@ + } + + /* ****************************************************************** * +- * Copyright (c) Jan Rêkorajski 1999. ++ * Copyright (c) Jan Rêkorajski 1999. + * Copyright (c) Andrew G. Morgan 1996-8. + * Copyright (c) Alex O. Yuriev, 1996. + * Copyright (c) Cristian Gafton 1996. +Index: po/Linux-PAM.pot +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/Linux-PAM.pot,v +retrieving revision 1.52 +retrieving revision 1.53 +diff -u -r1.52 -r1.53 +--- po/Linux-PAM.pot 9 Mar 2009 13:07:35 -0000 1.52 ++++ po/Linux-PAM.pot 25 Mar 2009 10:54:23 -0000 1.53 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/ar.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ar.po,v +retrieving revision 1.19 +retrieving revision 1.20 +diff -u -r1.19 -r1.20 +--- po/ar.po 9 Mar 2009 13:07:35 -0000 1.19 ++++ po/ar.po 25 Mar 2009 10:54:23 -0000 1.20 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: @PACKAGE@\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2001-07-13 15:36+0200\n" + "Last-Translator: Novell Language \n" + "Language-Team: Novell Language \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "لديك بريد ÙÙŠ مجلد %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/as.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/as.po,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- po/as.po 9 Mar 2009 13:07:35 -0000 1.14 ++++ po/as.po 25 Mar 2009 10:54:23 -0000 1.15 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-13 11:23+0530\n" + "Last-Translator: Amitakhya Phukan \n" + "Language-Team: Assamese\n" +@@ -351,12 +351,12 @@ + msgid "You have mail in folder %s." + msgstr "%s ফোলà§à¦¡à¦¾à§°à¦¤ আপোনাৰ ডাক আছে ।" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "'%s' পঞà§à¦œà¦¿à¦•à¦¾ সৃষà§à¦Ÿà¦¿ কৰা হৈছে ।" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "%s পঞà§à¦œà¦¿à¦•à¦¾ সৃষà§à¦Ÿà¦¿ কৰিব নোৱাৰি: %m" +Index: po/bn_IN.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/bn_IN.po,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- po/bn_IN.po 9 Mar 2009 13:07:35 -0000 1.14 ++++ po/bn_IN.po 25 Mar 2009 10:54:23 -0000 1.15 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-20 12:40+0530\n" + "Last-Translator: Runa Bhattacharjee \n" + "Language-Team: Bengali INDIA \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "%s ফোলà§à¦¡à¦¾à¦°à§‡ মেইল উপসà§à¦¥à¦¿à¦¤ রয়েছে।" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "'%s' ডিরেকà§à¦Ÿà¦°à¦¿ নিরà§à¦®à¦¾à¦£ করা হচà§à¦›à§‡à¥¤" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "ডিরেকà§à¦Ÿà¦°à¦¿ %s নিরà§à¦®à¦¾à¦£ করতে বà§à¦¯à¦°à§à¦¥: %m" +Index: po/ca.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ca.po,v +retrieving revision 1.20 +retrieving revision 1.21 +diff -u -r1.20 -r1.21 +--- po/ca.po 9 Mar 2009 13:07:35 -0000 1.20 ++++ po/ca.po 25 Mar 2009 10:54:23 -0000 1.21 +@@ -17,7 +17,7 @@ + msgstr "" + "Project-Id-Version: linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-15 16:10+0200\n" + "Last-Translator: Xavier Queralt Mateu \n" + "Language-Team: Catalan \n" +@@ -359,12 +359,12 @@ + msgid "You have mail in folder %s." + msgstr "Teniu correu a la carpeta %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Creant el directori '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "No s'ha pogut crear el directori %s: %m" +Index: po/cs.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/cs.po,v +retrieving revision 1.55 +retrieving revision 1.57 +diff -u -r1.55 -r1.57 +--- po/cs.po 9 Mar 2009 13:07:35 -0000 1.55 ++++ po/cs.po 25 Mar 2009 10:54:23 -0000 1.57 +@@ -1,14 +1,14 @@ + # translation of Linux-PAM.po to cs_CZ +-# This file is distributed under the same license as the PACKAGE package. +-# Copyright (C) YEAR Linux-PAM Project. ++# This file is distributed under the same license as the Linux-PAM package. ++# Copyright (C) 2005-2009 Linux-PAM Project. + # Klara Cihlarova , 2005, 2006. +-# Tomas Mraz , 2005, 2008. ++# Tomas Mraz , 2005, 2008, 2009. + msgid "" + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" +-"PO-Revision-Date: 2008-11-28 15:22+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" ++"PO-Revision-Date: 2009-03-24 15:22+0100\n" + "Last-Translator: Tomas Mraz \n" + "Language-Team: cs_CZ \n" + "MIME-Version: 1.0\n" +@@ -52,7 +52,7 @@ + #: libpam/pam_get_authtok.c:127 + #, c-format + msgid "Retype %s" +-msgstr "" ++msgstr "Opakujte %s" + + #: libpam/pam_get_authtok.c:146 + msgid "Password change aborted." +@@ -350,15 +350,15 @@ + msgid "You have mail in folder %s." + msgstr "Máte poÅ¡tu ve složce %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Vytváření adresáře '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 +-#, fuzzy, c-format ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#, c-format + msgid "Unable to create and initialize directory '%s'." +-msgstr "NezdaÅ™ilo se vytvoÅ™it adresář %s: %m" ++msgstr "NezdaÅ™ilo se vytvoÅ™it a inicializovat adresář '%s'." + + #: modules/pam_pwhistory/pam_pwhistory.c:218 + #: modules/pam_unix/pam_unix_passwd.c:475 +Index: po/da.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/da.po,v +retrieving revision 1.19 +retrieving revision 1.20 +diff -u -r1.19 -r1.20 +--- po/da.po 9 Mar 2009 13:07:35 -0000 1.19 ++++ po/da.po 25 Mar 2009 10:54:23 -0000 1.20 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: @PACKAGE@\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2005-08-16 20:00+0200\n" + "Last-Translator: Novell Language \n" + "Language-Team: Novell Language \n" +@@ -354,12 +354,12 @@ + msgid "You have mail in folder %s." + msgstr "Du har e-mail i mappe %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/de.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/de.po,v +retrieving revision 1.63 +retrieving revision 1.64 +diff -u -r1.63 -r1.64 +--- po/de.po 9 Mar 2009 13:07:35 -0000 1.63 ++++ po/de.po 25 Mar 2009 10:54:23 -0000 1.64 +@@ -6,7 +6,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2009-02-25 18:04+01:00\n" + "Last-Translator: Fabian Affolter \n" + "Language-Team: German \n" +@@ -355,12 +355,12 @@ + msgid "You have mail in folder %s." + msgstr "Sie haben Nachrichten in %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Erstelle Verzeichnis '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Verzeichnis %s kann nicht erstellt und initialisiert werden: %m" +Index: po/es.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/es.po,v +retrieving revision 1.56 +retrieving revision 1.58 +diff -u -r1.56 -r1.58 +--- po/es.po 9 Mar 2009 13:07:35 -0000 1.56 ++++ po/es.po 25 Mar 2009 10:54:23 -0000 1.58 +@@ -10,10 +10,10 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip.es\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" +-"PO-Revision-Date: 2009-02-21 02:08-0300\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" ++"PO-Revision-Date: 2009-03-18 22:51-0300\n" + "Last-Translator: Domingo Becker \n" +-"Language-Team: Spanish \n" ++"Language-Team: Fedora Spanish \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +@@ -357,15 +357,15 @@ + msgid "You have mail in folder %s." + msgstr "Tiene correo en la carpeta %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Creando directorio '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 +-#, fuzzy, c-format ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#, c-format + msgid "Unable to create and initialize directory '%s'." +-msgstr "No se pudo crear el directorio %s: %m" ++msgstr "No se pudo crear e inicializar el directorio '%s'." + + #: modules/pam_pwhistory/pam_pwhistory.c:218 + #: modules/pam_unix/pam_unix_passwd.c:475 +Index: po/fi.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/fi.po,v +retrieving revision 1.47 +retrieving revision 1.48 +diff -u -r1.47 -r1.48 +--- po/fi.po 9 Mar 2009 13:07:35 -0000 1.47 ++++ po/fi.po 25 Mar 2009 10:54:23 -0000 1.48 +@@ -10,7 +10,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2006-05-04 08:30+0200\n" + "Last-Translator: Jyri Palokangas \n" + "Language-Team: \n" +@@ -352,12 +352,12 @@ + msgid "You have mail in folder %s." + msgstr "Sinulla on postia kansiossa %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/fr.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/fr.po,v +retrieving revision 1.57 +retrieving revision 1.58 +diff -u -r1.57 -r1.58 +--- po/fr.po 9 Mar 2009 13:07:35 -0000 1.57 ++++ po/fr.po 25 Mar 2009 10:54:23 -0000 1.58 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: pam.fr2\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-19 18:59+0200\n" + "Last-Translator: Pablo Martin-Gomez \n" + "Language-Team: Français \n" +@@ -362,12 +362,12 @@ + msgid "You have mail in folder %s." + msgstr "Vous avez des messages dans le dossier %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Création du répertoire « %s »." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Impossible de créer le répertoire %s : %m" +Index: po/gu.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/gu.po,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- po/gu.po 9 Mar 2009 13:07:35 -0000 1.14 ++++ po/gu.po 25 Mar 2009 10:54:23 -0000 1.15 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip.gu\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-03-13 14:29+0530\n" + "Last-Translator: Ankit Patel \n" + "Language-Team: Gujarati \n" +@@ -352,12 +352,12 @@ + msgid "You have mail in folder %s." + msgstr "તમારી પાસે ફોલà«àª¡àª° %s માં મેઈલ છે." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "ડિરેકà«àªŸàª°à«€ '%s' બનાવી રહà«àª¯àª¾ છીàª." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "ડિરેકà«àªŸàª°à«€ %s બનાવવામાં અસમરà«àª¥: %m" +Index: po/hi.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/hi.po,v +retrieving revision 1.13 +retrieving revision 1.14 +diff -u -r1.13 -r1.14 +--- po/hi.po 9 Mar 2009 13:07:35 -0000 1.13 ++++ po/hi.po 25 Mar 2009 10:54:23 -0000 1.14 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: hi\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2007-06-21 15:22+0530\n" + "Last-Translator: Rajesh Ranjan \n" + "Language-Team: Hindi \n" +@@ -352,12 +352,12 @@ + msgid "You have mail in folder %s." + msgstr "आपके लिठ%s फोलà¥à¤¡à¤° में मेल है." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/hu.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/hu.po,v +retrieving revision 1.55 +retrieving revision 1.57 +diff -u -r1.55 -r1.57 +--- po/hu.po 9 Mar 2009 13:07:35 -0000 1.55 ++++ po/hu.po 25 Mar 2009 10:54:23 -0000 1.57 +@@ -2,27 +2,24 @@ + # translation of Linux-pam.po to + # translation of hu.po to + # This file is distributed under the same license as the PACKAGE package. +-# Copyright (C) YEAR Linux-PAM Project. +-# ++# Copyright (C) 2009 Linux-PAM Project. + # Papp Zsolt , 2006. + # Keresztes Ãkos , 2006. + # Kalman Kemenczy , 2006, 2007. ++# ++# + msgid "" + msgstr "" + "Project-Id-Version: pam\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" +-"PO-Revision-Date: 2008-04-30 08:23+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" ++"PO-Revision-Date: 2009-03-20 20:53+0100\n" + "Last-Translator: Sulyok Péter \n" + "Language-Team: Hungarian \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"X-Generator: KBabel 1.11.4\n" + "Plural-Forms: nplurals=2; plural=(n!=1);\n" +-"X-Poedit-Language: Hungarian\n" +-"X-Poedit-Country: HUNGARY\n" +-"X-Poedit-SourceCharset: utf-8\n" + + #: libpam_misc/misc_conv.c:33 + msgid "...Time is running out...\n" +@@ -59,12 +56,11 @@ + #: libpam/pam_get_authtok.c:127 + #, c-format + msgid "Retype %s" +-msgstr "" ++msgstr "Ismét %s" + + #: libpam/pam_get_authtok.c:146 +-#, fuzzy + msgid "Password change aborted." +-msgstr "Változatlan jelszó" ++msgstr "Jelszó változtatás elvetve." + + #: libpam/pam_item.c:310 + msgid "login:" +@@ -234,11 +230,11 @@ + + #: modules/pam_cracklib/pam_cracklib.c:522 + msgid "contains too many same characters consecutively" +-msgstr "" ++msgstr "túl sok egymást követÅ‘ betű egyezik meg" + + #: modules/pam_cracklib/pam_cracklib.c:525 + msgid "contains the user name in some form" +-msgstr "" ++msgstr "valahogy tartalmazza a használó nevét" + + #: modules/pam_cracklib/pam_cracklib.c:555 + #: modules/pam_unix/pam_unix_passwd.c:454 +@@ -300,23 +296,23 @@ + + #. TRANSLATORS: "Last failed login: from on " + #: modules/pam_lastlog/pam_lastlog.c:460 +-#, fuzzy, c-format ++#, c-format + msgid "Last failed login:%s%s%s" +-msgstr "Utolsó belépés:%s%s%s" ++msgstr "Utolsó sikertelen belépés:%s %s %s" + + #: modules/pam_lastlog/pam_lastlog.c:469 modules/pam_lastlog/pam_lastlog.c:476 + #, c-format + msgid "There was %d failed login attempt since the last successful login." + msgid_plural "" + "There were %d failed login attempts since the last successful login." +-msgstr[0] "" +-msgstr[1] "" ++msgstr[0] "%d sikertelen belépés kísérlet volt az utolsó sikeres belépés óta." ++msgstr[1] "%d sikertelen belépés kísérlet volt az utolsó sikeres belépés óta." + + #. TRANSLATORS: only used if dngettext is not supported + #: modules/pam_lastlog/pam_lastlog.c:481 + #, c-format + msgid "There were %d failed login attempts since the last successful login." +-msgstr "" ++msgstr "%d sikertelen belépés kísérlet volt az utolsó sikeres belépés óta." + + #: modules/pam_limits/pam_limits.c:786 + #, c-format +@@ -359,15 +355,15 @@ + msgid "You have mail in folder %s." + msgstr "%s mappában levelek vannak." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "\"%s\" mappa teremtése" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 +-#, fuzzy, c-format ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#, c-format + msgid "Unable to create and initialize directory '%s'." +-msgstr "%s mapa nem teremthetÅ‘ meg: %m" ++msgstr "„%s†mapa nem teremthetÅ‘ meg." + + #: modules/pam_pwhistory/pam_pwhistory.c:218 + #: modules/pam_unix/pam_unix_passwd.c:475 +@@ -454,12 +450,12 @@ + #: modules/pam_tally/pam_tally.c:541 modules/pam_tally2/pam_tally2.c:596 + #, c-format + msgid "Account temporary locked (%ld seconds left)" +-msgstr "" ++msgstr "Számla ideiglenesen lakat alatt (még %ld másodpercig)" + + #: modules/pam_tally/pam_tally.c:566 modules/pam_tally2/pam_tally2.c:575 + #, c-format + msgid "Account locked due to %u failed logins" +-msgstr "" ++msgstr "Számla lakat alatt %u sikertelen belépés miatt" + + #: modules/pam_tally/pam_tally.c:777 modules/pam_tally2/pam_tally2.c:884 + msgid "Authentication error" +@@ -502,21 +498,23 @@ + #: modules/pam_tally2/pam_tally2.c:937 + #, c-format + msgid "Login Failures Latest failure From\n" +-msgstr "" ++msgstr "Belépés bukások Utolsó bukás innen\n" + + #: modules/pam_tally2/pam_tally2.c:953 +-#, fuzzy, c-format ++#, c-format + msgid "" + "%s: [-f rooted-filename] [--file rooted-filename]\n" + " [-u username] [--user username]\n" + " [-r] [--reset[=n]] [--quiet]\n" + msgstr "" +-"%s: [--file rooted-fájlnév] [--user használó] [--reset[=n]] [--quiet]\n" ++"%s: [-f rooted-fájlnév] [--file rooted-fájlnév]\n" ++" [-u használó] [--user használó]\n" ++" [-r] [--reset[=n]] [--quiet]\n" + + #: modules/pam_timestamp/pam_timestamp.c:339 + #, c-format + msgid "Access granted (last access was %ld seconds ago)." +-msgstr "" ++msgstr "Hozzáférés megadva (utolsó hozzáférés %ld másodperce volt)." + + #: modules/pam_unix/pam_unix_acct.c:235 modules/pam_unix/pam_unix_acct.c:257 + msgid "Your account has expired; please contact your system administrator" +@@ -572,6 +570,13 @@ + msgid "Retype new UNIX password: " + msgstr "Ãrja be újra a UNIX jelszót: " + ++#~ msgid "" ++#~ "There was %d failed login attempt since the last successful login.There " ++#~ "were %d failed login attempts since the last successful login." ++#~ msgstr "" ++#~ "%d sikertelen belépés kísérlet volt az utolsó sikeres belépés óta.%d " ++#~ "sikertelen belépés kísérlet volt az utolsó sikeres belépés óta." ++ + #~ msgid "has been already used" + #~ msgstr "használt" + +Index: po/it.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/it.po,v +retrieving revision 1.56 +retrieving revision 1.57 +diff -u -r1.56 -r1.57 +--- po/it.po 9 Mar 2009 13:07:35 -0000 1.56 ++++ po/it.po 25 Mar 2009 10:54:23 -0000 1.57 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-21 13:21+1000\n" + "Last-Translator: \n" + "Language-Team: \n" +@@ -361,12 +361,12 @@ + msgid "You have mail in folder %s." + msgstr "La cartella %s contiene email." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Creazione della directory \"%s\"." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Impossibile creare la directory %s: %m" +Index: po/ja.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ja.po,v +retrieving revision 1.56 +retrieving revision 1.57 +diff -u -r1.56 -r1.57 +--- po/ja.po 9 Mar 2009 13:07:35 -0000 1.56 ++++ po/ja.po 25 Mar 2009 10:54:23 -0000 1.57 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip.ja\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-21 15:08+1000\n" + "Last-Translator: Kiyoto Hashida \n" + "Language-Team: Japanese \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "フォルダ%sã«ãƒ¡ãƒ¼ãƒ«ãŒã‚ã‚Šã¾ã™ã€‚" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "ディレクトリ '%s' を作æˆä¸­" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "ディレクトリ %s を作æˆã§ãã¾ã›ã‚“: %m" +Index: po/kk.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/kk.po,v +retrieving revision 1.2 +retrieving revision 1.3 +diff -u -r1.2 -r1.3 +--- po/kk.po 9 Mar 2009 13:07:35 -0000 1.2 ++++ po/kk.po 25 Mar 2009 10:54:23 -0000 1.3 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM 1.0.3\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2009-02-26 13:07+0600\n" + "Last-Translator: Baurzhan M. \n" + "Language-Team: Kazakh \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "Сізде %s бумаÑында поштаңыз бар." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "'%s' бумаÑын құру." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "%s бумаÑын құру мүмкін емеÑ: %m" +Index: po/km.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/km.po,v +retrieving revision 1.30 +retrieving revision 1.31 +diff -u -r1.30 -r1.31 +--- po/km.po 9 Mar 2009 13:07:35 -0000 1.30 ++++ po/km.po 25 Mar 2009 10:54:23 -0000 1.31 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2006-03-17 10:32+0700\n" + "Last-Translator: Khoem Sokhem \n" + "Language-Team: Khmer \n" +@@ -353,12 +353,12 @@ + msgid "You have mail in folder %s." + msgstr "អ្នក​មាន​សំបុážáŸ’រ​នៅ​ក្នុង​ážáž %s ។" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/kn.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/kn.po,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- po/kn.po 9 Mar 2009 13:07:35 -0000 1.14 ++++ po/kn.po 25 Mar 2009 10:54:23 -0000 1.15 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip.kn\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-20 12:29+0530\n" + "Last-Translator: Shankar Prasad \n" + "Language-Team: Kannada \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "%s ಫೋಲà³à²¡à²°à²¿à²¨à²²à³à²²à²¿ ನಿಮಗಾಗಿ ಮೈಲೠಇದೆ." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "ಕೋಶ '%s' ಅನà³à²¨à³ ರಚಿಸಲಾಗà³à²¤à³à²¤à²¿à²¦à³†." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "ಕೋಶ '%s' ಅನà³à²¨à³ ರಚಿಸಲೠಸಾಧà³à²¯à²µà²¾à²—ಿಲà³à²².: %m" +Index: po/ko.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ko.po,v +retrieving revision 1.13 +retrieving revision 1.14 +diff -u -r1.13 -r1.14 +--- po/ko.po 9 Mar 2009 13:07:35 -0000 1.13 ++++ po/ko.po 25 Mar 2009 10:54:23 -0000 1.14 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: ko\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2007-06-22 10:02+1000\n" + "Last-Translator: Eunju Kim \n" + "Language-Team: Korean \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "%s í´ë”ì— ë©”ì¼ì´ 있습니다." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/ml.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ml.po,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- po/ml.po 9 Mar 2009 13:07:35 -0000 1.14 ++++ po/ml.po 25 Mar 2009 10:54:23 -0000 1.15 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip.ml\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-20 12:50+0530\n" + "Last-Translator: \n" + "Language-Team: \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "%s ഫോളàµâ€à´¡à´±à´¿à´²àµâ€ നിങàµà´™à´³àµâ€à´•àµà´•àµ മെയിലàµâ€ ഉണàµà´Ÿàµ." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "'%s' ഡയറകàµà´Ÿà´±à´¿ ഉണàµà´Ÿà´¾à´•àµà´•àµà´¨àµà´¨àµ." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "%s ഡയറകàµà´Ÿà´±à´¿ ഉണàµà´Ÿà´¾à´•àµà´•àµà´µà´¾à´¨àµâ€ സാധàµà´¯à´®à´¾à´¯à´¿à´²àµà´²: %m" +Index: po/mr.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/mr.po,v +retrieving revision 1.7 +retrieving revision 1.8 +diff -u -r1.7 -r1.8 +--- po/mr.po 9 Mar 2009 13:07:35 -0000 1.7 ++++ po/mr.po 25 Mar 2009 10:54:23 -0000 1.8 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-10 07:07+0530\n" + "Last-Translator: Sandeep Shedmake \n" + "Language-Team: marathi\n" +@@ -350,12 +350,12 @@ + msgid "You have mail in folder %s." + msgstr "संचयीका %s अंतरà¥à¤—त मेल आढळले गेले." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "संचयीका '%s' बनवित आहे." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "संचयीका %s बनवू शकत नाही: %m" +Index: po/ms.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ms.po,v +retrieving revision 1.7 +retrieving revision 1.8 +diff -u -r1.7 -r1.8 +--- po/ms.po 9 Mar 2009 13:07:35 -0000 1.7 ++++ po/ms.po 25 Mar 2009 10:54:23 -0000 1.8 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: linux-pam\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-09-25 23:52+0800\n" + "Last-Translator: Sharuzzaman Ahmat Raslan \n" + "Language-Team: Malay \n" +@@ -379,12 +379,12 @@ + msgid "You have mail in folder %s." + msgstr "Pemindahan mel dalam proses" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, fuzzy, c-format + msgid "Creating directory '%s'." + msgstr "Menbuat direktori initrd" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "gagal untuk mencipta direktori %s: %s\n" +Index: po/nb.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/nb.po,v +retrieving revision 1.53 +retrieving revision 1.54 +diff -u -r1.53 -r1.54 +--- po/nb.po 9 Mar 2009 13:07:35 -0000 1.53 ++++ po/nb.po 25 Mar 2009 10:54:23 -0000 1.54 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-04-30 12:59+0200\n" + "Last-Translator: Olav Pettershagen \n" + "Language-Team: \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "Du har e-post i mappen %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Oppretter katalog «%s»." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Kan ikke opprette katalog %s: %m" +Index: po/nl.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/nl.po,v +retrieving revision 1.31 +retrieving revision 1.32 +diff -u -r1.31 -r1.32 +--- po/nl.po 9 Mar 2009 13:07:35 -0000 1.31 ++++ po/nl.po 25 Mar 2009 10:54:23 -0000 1.32 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-20 23:45+0200\n" + "Last-Translator: Peter van Egdom \n" + "Language-Team: Dutch \n" +@@ -355,12 +355,12 @@ + msgid "You have mail in folder %s." + msgstr "U hebt e-mail in map %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Aanmaken van map '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Niet in staat om map %s aan te maken: %m" +Index: po/or.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/or.po,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -r1.14 -r1.15 +--- po/or.po 9 Mar 2009 13:07:35 -0000 1.14 ++++ po/or.po 25 Mar 2009 10:54:23 -0000 1.15 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip.or\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-09-30 11:42+0530\n" + "Last-Translator: Manoj Kumar Giri \n" + "Language-Team: Oriya\n" +@@ -354,12 +354,12 @@ + msgid "You have mail in folder %s." + msgstr "ଆପଣଙà­à¬• ନିକଟରେ %s ଫୋଲଡରରେ ଚିଠି ଅଛି।" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "ଡ଼ିରେକà­à¬Ÿà­‹à¬°à­€ '%s' ନିରà­à¬®à¬¾à¬£ କରà­à¬…ଛି." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "ଡ଼ିରେକà­à¬Ÿà­‹à¬°à­€ '%s' ନିରà­à¬®à¬¾à¬£ କରିବାରେ ଅସମରà­à¬¥: %m" +Index: po/pa.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/pa.po,v +retrieving revision 1.51 +retrieving revision 1.52 +diff -u -r1.51 -r1.52 +--- po/pa.po 9 Mar 2009 13:07:35 -0000 1.51 ++++ po/pa.po 25 Mar 2009 10:54:23 -0000 1.52 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.pa\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2005-08-06 08:34+0530\n" + "Last-Translator: Amanpreet Singh Alam[ਆਲਮ] \n" + "Language-Team: Panjabi \n" +@@ -354,12 +354,12 @@ + msgid "You have mail in folder %s." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/pl.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/pl.po,v +retrieving revision 1.58 +retrieving revision 1.60 +diff -u -r1.58 -r1.60 +--- po/pl.po 9 Mar 2009 13:07:35 -0000 1.58 ++++ po/pl.po 25 Mar 2009 10:54:23 -0000 1.60 +@@ -7,8 +7,8 @@ + msgstr "" + "Project-Id-Version: pl\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" +-"PO-Revision-Date: 2009-01-04 23:16+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" ++"PO-Revision-Date: 2009-02-26 22:10+0100\n" + "Last-Translator: Piotr DrÄ…g \n" + "Language-Team: Polish \n" + "MIME-Version: 1.0\n" +@@ -355,15 +355,15 @@ + msgid "You have mail in folder %s." + msgstr "WiadomoÅ›ci w folderze %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Tworzenie katalogu \"%s\"." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 +-#, fuzzy, c-format ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#, c-format + msgid "Unable to create and initialize directory '%s'." +-msgstr "Nie można utworzyć katalogu %s: %m" ++msgstr "Nie można utworzyć i zainicjować katalogu \"%s\"." + + #: modules/pam_pwhistory/pam_pwhistory.c:218 + #: modules/pam_unix/pam_unix_passwd.c:475 +Index: po/pt.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/pt.po,v +retrieving revision 1.53 +retrieving revision 1.54 +diff -u -r1.53 -r1.54 +--- po/pt.po 9 Mar 2009 13:07:35 -0000 1.53 ++++ po/pt.po 25 Mar 2009 10:54:23 -0000 1.54 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.pt\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2006-05-03 21:54+0200\n" + "Last-Translator: Antonio Cardoso Martins \n" + "Language-Team: portuguese\n" +@@ -350,12 +350,12 @@ + msgid "You have mail in folder %s." + msgstr "Tem correio electrónico na pasta %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/pt_BR.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/pt_BR.po,v +retrieving revision 1.56 +retrieving revision 1.58 +diff -u -r1.56 -r1.58 +--- po/pt_BR.po 9 Mar 2009 13:07:35 -0000 1.56 ++++ po/pt_BR.po 25 Mar 2009 10:54:23 -0000 1.58 +@@ -10,7 +10,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2009-02-20 12:41-0300\n" + "Last-Translator: Taylon \n" + "Language-Team: Brazilian Portuguese \n" +@@ -352,15 +352,15 @@ + msgid "You have mail in folder %s." + msgstr "Há mensagens na pasta %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Criando o diretório '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 +-#, fuzzy, c-format ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#, c-format + msgid "Unable to create and initialize directory '%s'." +-msgstr "Impossível criar o diretório %s: %m" ++msgstr "Impossível criar e inicializar o diretório \"%s\"." + + #: modules/pam_pwhistory/pam_pwhistory.c:218 + #: modules/pam_unix/pam_unix_passwd.c:475 +Index: po/ru.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ru.po,v +retrieving revision 1.20 +retrieving revision 1.21 +diff -u -r1.20 -r1.21 +--- po/ru.po 9 Mar 2009 13:07:35 -0000 1.20 ++++ po/ru.po 25 Mar 2009 10:54:23 -0000 1.21 +@@ -11,7 +11,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-02-23 20:11+0300\n" + "Last-Translator: Andrew Martynov \n" + "Language-Team: Russian \n" +@@ -362,12 +362,12 @@ + msgid "You have mail in folder %s." + msgstr "ЕÑÑ‚ÑŒ почта в папке %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Создание каталога '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Ðевозможно Ñоздать каталог %s: %m" +Index: po/si.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/si.po,v +retrieving revision 1.13 +retrieving revision 1.14 +diff -u -r1.13 -r1.14 +--- po/si.po 9 Mar 2009 13:07:35 -0000 1.13 ++++ po/si.po 25 Mar 2009 10:54:23 -0000 1.14 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: si\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2007-06-22 12:24+0530\n" + "Last-Translator: Danishka Navin \n" + "Language-Team: Sinhala \n" +@@ -350,12 +350,12 @@ + msgid "You have mail in folder %s." + msgstr "%s බහලුම තුළ ඔබට තà·à¶´à·à¶½à·Š ඇත." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/sk.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/sk.po,v +retrieving revision 1.8 +retrieving revision 1.10 +diff -u -r1.8 -r1.10 +--- po/sk.po 9 Mar 2009 13:07:35 -0000 1.8 ++++ po/sk.po 25 Mar 2009 10:54:23 -0000 1.10 +@@ -2,19 +2,19 @@ + # This file is distributed under the same license as the Linux-PAM package. + # + # Ondrej Å ulek , 2008. ++# Pavol Å imo , 2009. + msgid "" + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" +-"PO-Revision-Date: 2008-10-21 09:13+0200\n" +-"Last-Translator: Ondrej Å ulek \n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" ++"PO-Revision-Date: 2009-03-24 22:24+0100\n" ++"Last-Translator: Pavol Å imo \n" + "Language-Team: Slovak \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" +-"X-Generator: Lokalize 0.2\n" + + #: libpam_misc/misc_conv.c:33 + msgid "...Time is running out...\n" +@@ -27,7 +27,7 @@ + #: libpam_misc/misc_conv.c:342 + #, c-format + msgid "erroneous conversation (%d)\n" +-msgstr "nesprávna konverzácia (%d)\n" ++msgstr "chybná konverzácia (%d)\n" + + #: libpam/pam_get_authtok.c:39 modules/pam_exec/pam_exec.c:142 + #: modules/pam_unix/pam_unix_auth.c:159 modules/pam_userdb/pam_userdb.c:63 +@@ -46,16 +46,16 @@ + + #: libpam/pam_get_authtok.c:44 modules/pam_cracklib/pam_cracklib.c:69 + msgid "Sorry, passwords do not match." +-msgstr "Heslá sa nezhodujú." ++msgstr "PrepáÄte, heslá sa nezhodujú." + + #: libpam/pam_get_authtok.c:127 + #, c-format + msgid "Retype %s" +-msgstr "" ++msgstr "Opakujte %s" + + #: libpam/pam_get_authtok.c:146 + msgid "Password change aborted." +-msgstr "Zmena hesla preruÅ¡ená." ++msgstr "Zmena hesla zruÅ¡ená." + + #: libpam/pam_item.c:310 + msgid "login:" +@@ -67,7 +67,7 @@ + + #: libpam/pam_strerror.c:42 + msgid "Critical error - immediate abort" +-msgstr "Kritická chyba - okamžité preruÅ¡enie" ++msgstr "Kritická chyba - okamžité zruÅ¡enie" + + #: libpam/pam_strerror.c:44 + msgid "Failed to load module" +@@ -95,19 +95,19 @@ + + #: libpam/pam_strerror.c:56 + msgid "Authentication failure" +-msgstr "Zlyhanie autentifikácie" ++msgstr "Zlyhanie overenia" + + #: libpam/pam_strerror.c:58 + msgid "Insufficient credentials to access authentication data" +-msgstr "NedostatoÄné oprávnenia pre prístup k autentifikaÄným dátam" ++msgstr "NedostatoÄné oprávnenia pre prístup k údajom overenia" + + #: libpam/pam_strerror.c:60 + msgid "Authentication service cannot retrieve authentication info" +-msgstr "AutentifikaÄná služba nemôže získaÅ¥ informácie pre autentifikáciu" ++msgstr "Overovacia služba nemôže získaÅ¥ informácie pre overenie" + + #: libpam/pam_strerror.c:62 + msgid "User not known to the underlying authentication module" +-msgstr "Používateľ nie je známy pre podriadený autentifikaÄný modul" ++msgstr "Používateľ nie je známy pre podriadený overovací modul" + + #: libpam/pam_strerror.c:64 + msgid "Have exhausted maximum number of retries for service" +@@ -115,7 +115,7 @@ + + #: libpam/pam_strerror.c:66 + msgid "Authentication token is no longer valid; new one required" +-msgstr "AutentifikaÄný token už nie je platný; požadovaný nový" ++msgstr "Overovací token už nie je platný; požadovaný je nový" + + #: libpam/pam_strerror.c:68 + msgid "User account has expired" +@@ -123,11 +123,11 @@ + + #: libpam/pam_strerror.c:70 + msgid "Cannot make/remove an entry for the specified session" +-msgstr "Pre zadané sedenie nie je možné vytvoriÅ¥/odstrániÅ¥ záznam" ++msgstr "Pre zadanú reláciu nie je možné vytvoriÅ¥/odstrániÅ¥ záznam" + + #: libpam/pam_strerror.c:72 + msgid "Authentication service cannot retrieve user credentials" +-msgstr "AutentifikaÄná služba nemôže získaÅ¥ oprávnenia používateľa" ++msgstr "Overovacia služba nemôže získaÅ¥ oprávnenia používateľa" + + #: libpam/pam_strerror.c:74 + msgid "User credentials expired" +@@ -151,19 +151,19 @@ + + #: libpam/pam_strerror.c:84 + msgid "Authentication token manipulation error" +-msgstr "Chyba pri manipulácii s autentifikaÄným tokenom" ++msgstr "Chyba pri manipulácii s overovacím tokenom" + + #: libpam/pam_strerror.c:86 + msgid "Authentication information cannot be recovered" +-msgstr "AutentifikaÄnú informáciu nie je možné obnoviÅ¥" ++msgstr "Overovaciu informáciu nie je možné obnoviÅ¥" + + #: libpam/pam_strerror.c:88 + msgid "Authentication token lock busy" +-msgstr "AutentifikaÄný token je uzamknutý" ++msgstr "Overovací token je uzamknutý" + + #: libpam/pam_strerror.c:90 + msgid "Authentication token aging disabled" +-msgstr "Starnutie autentifikaÄného tokenu zakázané" ++msgstr "Starnutie overovacieho tokenu zakázané" + + #: libpam/pam_strerror.c:92 + msgid "Failed preliminary check by password service" +@@ -179,7 +179,7 @@ + + #: libpam/pam_strerror.c:98 + msgid "Authentication token expired" +-msgstr "VyprÅ¡ala platnosÅ¥ autentifikaÄného tokenu" ++msgstr "VyprÅ¡ala platnosÅ¥ overovacieho tokenu" + + #: libpam/pam_strerror.c:100 + msgid "Conversation is waiting for event" +@@ -219,7 +219,7 @@ + + #: modules/pam_cracklib/pam_cracklib.c:519 + msgid "not enough character classes" +-msgstr "dostatok rôznych druhov znakov" ++msgstr "nedostatok rôznych druhov znakov" + + #: modules/pam_cracklib/pam_cracklib.c:522 + msgid "contains too many same characters consecutively" +@@ -248,22 +248,22 @@ + #: modules/pam_exec/pam_exec.c:215 + #, c-format + msgid "%s failed: exit code %d" +-msgstr "%s zlyhal: výstupný kód %d" ++msgstr "%s zlyhalo: výstupný kód %d" + + #: modules/pam_exec/pam_exec.c:224 + #, c-format + msgid "%s failed: caught signal %d%s" +-msgstr "%s zlyhal: dostal signál %d%s" ++msgstr "%s zlyhalo: dostal signál %d%s" + + #: modules/pam_exec/pam_exec.c:233 + #, c-format + msgid "%s failed: unknown status 0x%x" +-msgstr "%s zlyhal: neznámy stav 0x%x" ++msgstr "%s zlyhalo: neznámy stav 0x%x" + + #. TRANSLATORS: "strftime options for date of last login" + #: modules/pam_lastlog/pam_lastlog.c:201 modules/pam_lastlog/pam_lastlog.c:429 + msgid " %a %b %e %H:%M:%S %Z %Y" +-msgstr "%a %d.%m.%Y %H:%M:%S %Z" ++msgstr " %a %d.%m.%Y %H:%M:%S %Z" + + #. TRANSLATORS: " from " + #: modules/pam_lastlog/pam_lastlog.c:210 modules/pam_lastlog/pam_lastlog.c:438 +@@ -285,7 +285,7 @@ + + #: modules/pam_lastlog/pam_lastlog.c:238 + msgid "Welcome to your new account!" +-msgstr "Vítajte vo vaÅ¡om novom úÄte!" ++msgstr "Vitajte vo vaÅ¡om novom úÄte!" + + #. TRANSLATORS: "Last failed login: from on " + #: modules/pam_lastlog/pam_lastlog.c:460 +@@ -357,24 +357,24 @@ + msgid "You have mail in folder %s." + msgstr "Máte poÅ¡tu v prieÄinku %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Vytváranie prieÄinka '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 +-#, fuzzy, c-format ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#, c-format + msgid "Unable to create and initialize directory '%s'." +-msgstr "Nedá sa vytvoriÅ¥ prieÄinok %s: %m" ++msgstr "Nedá sa vytvoriÅ¥ a inicializovaÅ¥ prieÄinok '%s'." + + #: modules/pam_pwhistory/pam_pwhistory.c:218 + #: modules/pam_unix/pam_unix_passwd.c:475 + msgid "Password has been already used. Choose another." +-msgstr "Heslo už bolo použité. Vyberte iné." ++msgstr "Heslo už bolo použité. Zvoľte si iné." + + #: modules/pam_selinux/pam_selinux.c:172 + msgid "Would you like to enter a security context? [N] " +-msgstr "Chcete zadaÅ¥ kontext zabezpeÄenia? [N] " ++msgstr "Želáte si zadaÅ¥ kontext zabezpeÄenia? [N] " + + #: modules/pam_selinux/pam_selinux.c:191 modules/pam_selinux/pam_selinux.c:282 + msgid "role:" +@@ -395,7 +395,7 @@ + + #: modules/pam_selinux/pam_selinux.c:269 + msgid "Would you like to enter a different role or level?" +-msgstr "Chcete zadaÅ¥ inú rolu alebo úroveň?" ++msgstr "Želáte si zadaÅ¥ inú rolu alebo úroveň?" + + #: modules/pam_selinux/pam_selinux.c:285 + #, c-format +@@ -405,7 +405,7 @@ + #: modules/pam_selinux/pam_selinux.c:677 + #, c-format + msgid "Unable to get valid context for %s" +-msgstr "Nepodaril sa získaÅ¥ platný kontext zabezpeÄenia pre %s" ++msgstr "Nepodarilo sa získaÅ¥ platný kontext zabezpeÄenia pre %s" + + #: modules/pam_selinux/pam_selinux.c:728 + #, c-format +@@ -425,7 +425,7 @@ + #: modules/pam_selinux/pam_selinux_check.c:105 + #, c-format + msgid "failed to pam_set_item()\n" +-msgstr "chyba pam_set_item()\n" ++msgstr "chyba pri pam_set_item()\n" + + #: modules/pam_selinux/pam_selinux_check.c:133 + #, c-format +@@ -443,7 +443,7 @@ + + #: modules/pam_stress/pam_stress.c:492 + msgid "Retype new STRESS password: " +-msgstr "Znovu zadajte nové STRESS heslo: " ++msgstr "Znovu zadajte nové STRESS heslo: " + + #: modules/pam_stress/pam_stress.c:521 + msgid "Verification mis-typed; password unchanged" +@@ -461,7 +461,7 @@ + + #: modules/pam_tally/pam_tally.c:777 modules/pam_tally2/pam_tally2.c:884 + msgid "Authentication error" +-msgstr "Chyba autentifikácie" ++msgstr "Chyba overenia" + + #: modules/pam_tally/pam_tally.c:778 modules/pam_tally2/pam_tally2.c:885 + msgid "Service error" +@@ -478,12 +478,12 @@ + #: modules/pam_tally/pam_tally.c:796 modules/pam_tally2/pam_tally2.c:906 + #, c-format + msgid "%s: Bad number given to --reset=\n" +-msgstr "%s: Zadaná zlá hodnota --reset=\n" ++msgstr "%s: Zadané zlé Äíslo pre --reset=\n" + + #: modules/pam_tally/pam_tally.c:800 modules/pam_tally2/pam_tally2.c:910 + #, c-format + msgid "%s: Unrecognised option %s\n" +-msgstr "%s: Neznáma možnosÅ¥ %s\n" ++msgstr "%s: Neznáma voľba %s\n" + + #: modules/pam_tally/pam_tally.c:812 + #, c-format +@@ -501,22 +501,23 @@ + #: modules/pam_tally2/pam_tally2.c:937 + #, c-format + msgid "Login Failures Latest failure From\n" +-msgstr "" ++msgstr "Login Zlyhaní Ostatné zlyhanie Z\n" + + #: modules/pam_tally2/pam_tally2.c:953 +-#, fuzzy, c-format ++#, c-format + msgid "" + "%s: [-f rooted-filename] [--file rooted-filename]\n" + " [-u username] [--user username]\n" + " [-r] [--reset[=n]] [--quiet]\n" + msgstr "" +-"%s: [--file meno_suboru] [--user pouzivatelske_meno] [--reset[=n]] [--" +-"quiet]\n" ++"%s: [-f meno_suboru] [--file meno_suboru]\n" ++" [-u pouzivatelske_meno] [--user pouzivatelske_meno]\n" ++" [-r] [--reset[=n]] [--quiet]\n" + + #: modules/pam_timestamp/pam_timestamp.c:339 + #, c-format + msgid "Access granted (last access was %ld seconds ago)." +-msgstr "" ++msgstr "Prístup povolený (ostatný prístup pred %ld sekundami)." + + #: modules/pam_unix/pam_unix_acct.c:235 modules/pam_unix/pam_unix_acct.c:257 + msgid "Your account has expired; please contact your system administrator" +@@ -525,7 +526,7 @@ + + #: modules/pam_unix/pam_unix_acct.c:243 + msgid "You are required to change your password immediately (root enforced)" +-msgstr "Je vyžadovaná okamžitá zmena vaÅ¡eho hesla (vynútené rootom)" ++msgstr "Je vyžadovaná okamžitá zmena vaÅ¡eho hesla (vynútené správcom)" + + #: modules/pam_unix/pam_unix_acct.c:249 + msgid "You are required to change your password immediately (password aged)" +@@ -551,7 +552,7 @@ + + #: modules/pam_unix/pam_unix_passwd.c:471 + msgid "You must choose a longer password" +-msgstr "Musíte vybraÅ¥ dlhÅ¡ie heslo" ++msgstr "Musíte si zvoliÅ¥ dlhÅ¡ie heslo" + + #: modules/pam_unix/pam_unix_passwd.c:576 + #, c-format +Index: po/sr.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/sr.po,v +retrieving revision 1.11 +retrieving revision 1.12 +diff -u -r1.11 -r1.12 +--- po/sr.po 9 Mar 2009 13:07:35 -0000 1.11 ++++ po/sr.po 25 Mar 2009 10:54:23 -0000 1.12 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-04-05 10:48+0100\n" + "Last-Translator: MiloÅ¡ KomarÄević \n" + "Language-Team: Serbian (sr) \n" +@@ -355,12 +355,12 @@ + msgid "You have mail in folder %s." + msgstr "Имате поруке у директоријуму %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Правим директоријум „%s“." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Ðе могу да направим директоријум %s: %m" +Index: po/sr@latin.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/sr@latin.po,v +retrieving revision 1.11 +retrieving revision 1.12 +diff -u -r1.11 -r1.12 +--- po/sr@latin.po 9 Mar 2009 13:07:35 -0000 1.11 ++++ po/sr@latin.po 25 Mar 2009 10:54:23 -0000 1.12 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-04-05 10:48+0100\n" + "Last-Translator: MiloÅ¡ KomarÄević \n" + "Language-Team: Serbian (sr) \n" +@@ -355,12 +355,12 @@ + msgid "You have mail in folder %s." + msgstr "Imate poruke u direktorijumu %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Pravim direktorijum „%s“." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Ne mogu da napravim direktorijum %s: %m" +Index: po/sv.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/sv.po,v +retrieving revision 1.21 +retrieving revision 1.22 +diff -u -r1.21 -r1.22 +--- po/sv.po 9 Mar 2009 13:07:35 -0000 1.21 ++++ po/sv.po 25 Mar 2009 10:54:23 -0000 1.22 +@@ -8,7 +8,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2009-02-11 12:22+0100\n" + "Last-Translator: Daniel Nylander \n" + "Language-Team: Swedish \n" +@@ -355,12 +355,12 @@ + msgid "You have mail in folder %s." + msgstr "Du har brev i katalogen %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "Skapar katalogen \"%s\"." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Kan inte skapa katalogen %s: %m" +Index: po/ta.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/ta.po,v +retrieving revision 1.13 +retrieving revision 1.14 +diff -u -r1.13 -r1.14 +--- po/ta.po 9 Mar 2009 13:07:35 -0000 1.13 ++++ po/ta.po 25 Mar 2009 10:54:23 -0000 1.14 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: ta\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2007-06-21 15:33+0530\n" + "Last-Translator: I felix \n" + "Language-Team: Tamil \n" +@@ -352,12 +352,12 @@ + msgid "You have mail in folder %s." + msgstr "உஙà¯à®•à®³à¯à®•à¯à®•à¯ %s அடைவில௠அஞà¯à®šà®²à¯ உளà¯à®³à®¤à¯." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/te.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/te.po,v +retrieving revision 1.7 +retrieving revision 1.8 +diff -u -r1.7 -r1.8 +--- po/te.po 9 Mar 2009 13:07:35 -0000 1.7 ++++ po/te.po 25 Mar 2009 10:54:23 -0000 1.8 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: te\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-22 16:24+0530\n" + "Last-Translator: Krishna Babu K \n" + "Language-Team: Telugu \n" +@@ -352,12 +352,12 @@ + msgid "You have mail in folder %s." + msgstr "మీరౠఫోలà±à°¡à°°à± %sనందౠమెయిలà±â€Œà°¨à± కలిగివà±à°¨à±à°¨à°¾à°°à±." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "డెరెకà±à°Ÿà°°à±€ '%s' సృషà±à°Ÿà°¿à°‚à°šà±à°Ÿ." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "డైరెకà±à°Ÿà°°à±€ %sనౠసృషà±à°Ÿà°¿à°‚చలేక పోయింది: %m" +Index: po/tr.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/tr.po,v +retrieving revision 1.26 +retrieving revision 1.27 +diff -u -r1.26 -r1.27 +--- po/tr.po 9 Mar 2009 13:07:35 -0000 1.26 ++++ po/tr.po 25 Mar 2009 10:54:23 -0000 1.27 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2006-05-03 19:00+0200\n" + "Last-Translator: Koray Löker \n" + "Language-Team: Türkçe \n" +@@ -349,12 +349,12 @@ + msgid "You have mail in folder %s." + msgstr "%s dizininde iletiniz var" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/uk.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/uk.po,v +retrieving revision 1.26 +retrieving revision 1.27 +diff -u -r1.26 -r1.27 +--- po/uk.po 9 Mar 2009 13:07:35 -0000 1.26 ++++ po/uk.po 25 Mar 2009 10:54:23 -0000 1.27 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.uk\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2006-05-03 18:59+0200\n" + "Last-Translator: Ivan Petrouchtchak \n" + "Language-Team: Ukrainian \n" +@@ -352,12 +352,12 @@ + msgid "You have mail in folder %s." + msgstr "Ви маєте пошту в теці %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" +Index: po/zh_CN.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/zh_CN.po,v +retrieving revision 1.56 +retrieving revision 1.57 +diff -u -r1.56 -r1.57 +--- po/zh_CN.po 9 Mar 2009 13:07:35 -0000 1.56 ++++ po/zh_CN.po 25 Mar 2009 10:54:23 -0000 1.57 +@@ -9,7 +9,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-20 15:43+1000\n" + "Last-Translator: Leah Liu \n" + "Language-Team: Simplified Chinese \n" +@@ -350,12 +350,12 @@ + msgid "You have mail in folder %s." + msgstr "您在文件夹 %s 中有邮件。" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "创建目录 '%s'。" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "无法创建目录 %s:%m" +Index: po/zh_TW.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/zh_TW.po,v +retrieving revision 1.54 +retrieving revision 1.55 +diff -u -r1.54 -r1.55 +--- po/zh_TW.po 9 Mar 2009 13:07:35 -0000 1.54 ++++ po/zh_TW.po 25 Mar 2009 10:54:23 -0000 1.55 +@@ -7,7 +7,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM.tip\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2008-10-21 15:51+1000\n" + "Last-Translator: Terry Chuang \n" + "Language-Team: \n" +@@ -350,12 +350,12 @@ + msgid "You have mail in folder %s." + msgstr "資料夾 %s 中有您的郵件。" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "建立目錄「%sã€ã€‚" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, fuzzy, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "無法建立 %s 目錄:%m" +Index: po/zu.po +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/po/zu.po,v +retrieving revision 1.19 +retrieving revision 1.20 +diff -u -r1.19 -r1.20 +--- po/zu.po 9 Mar 2009 13:07:35 -0000 1.19 ++++ po/zu.po 25 Mar 2009 10:54:23 -0000 1.20 +@@ -5,7 +5,7 @@ + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2009-03-03 14:56+0100\n" ++"POT-Creation-Date: 2009-03-25 11:53+0100\n" + "PO-Revision-Date: 2006-11-03 12:03\n" + "Last-Translator: Novell Language \n" + "Language-Team: Novell Language \n" +@@ -346,12 +346,12 @@ + msgid "You have mail in folder %s." + msgstr "Unemeyili kwifolda %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:111 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:113 + #, c-format + msgid "Creating directory '%s'." + msgstr "" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:181 ++#: modules/pam_mkhomedir/pam_mkhomedir.c:183 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "" diff --git a/libpam-password-requisite.diff b/libpam-password-requisite.diff deleted file mode 100644 index 9fc0e8d..0000000 --- a/libpam-password-requisite.diff +++ /dev/null @@ -1,49 +0,0 @@ ---- libpam/pam_dispatch.c 3 Dec 2008 14:16:33 -0000 1.13 -+++ libpam/pam_dispatch.c 4 Feb 2009 13:48:02 -0000 -@@ -132,11 +132,10 @@ - } - - /* -- * use_cached_chain is how we ensure that the setcred/close_session -- * and chauthtok(2) modules are called in the same order as they did -- * when they were invoked as auth/open_session/chauthtok(1). This -- * feature was added in 0.75 to make the behavior of pam_setcred -- * sane. It was debugged by release 0.76. -+ * use_cached_chain is how we ensure that the setcred and -+ * close_session modules are called in the same order as they did -+ * when they were invoked as auth/open_session. This feature was -+ * added in 0.75 to make the behavior of pam_setcred sane. - */ - if (use_cached_chain != _PAM_PLEASE_FREEZE) { - -@@ -358,9 +357,6 @@ - break; - case PAM_CHAUTHTOK: - h = pamh->handlers.conf.chauthtok; -- if (flags & PAM_UPDATE_AUTHTOK) { -- use_cached_chain = _PAM_MUST_BE_FROZEN; -- } - break; - default: - pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); ---- libpam/pam_password.c 24 Jul 2006 15:47:40 -0000 1.5 -+++ libpam/pam_password.c 4 Feb 2009 13:48:02 -0000 -@@ -24,6 +24,13 @@ - return PAM_SYSTEM_ERR; - } - -+ /* applications are not allowed to set this flags */ -+ if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) { -+ syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX -+ "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application"); -+ return PAM_SYSTEM_ERR; -+ } -+ - if (pamh->former.choice == PAM_NOT_STACKED) { - _pam_start_timer(pamh); /* we try to make the time for a failure - independent of the time it takes to -@@ -58,4 +67,3 @@ - - return retval; - } -- diff --git a/pam-1.0.0-selinux-env-params.patch b/pam-1.0.0-selinux-env-params.patch deleted file mode 100644 index ac4d53a..0000000 --- a/pam-1.0.0-selinux-env-params.patch +++ /dev/null @@ -1,561 +0,0 @@ -Index: modules/pam_selinux/pam_selinux.8.xml -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml,v -retrieving revision 1.2 -diff -u -p -r1.2 pam_selinux.8.xml ---- modules/pam_selinux/pam_selinux.8.xml 15 Jun 2007 10:17:22 -0000 1.2 -+++ modules/pam_selinux/pam_selinux.8.xml 19 May 2008 15:44:08 -0000 -@@ -37,6 +37,9 @@ - select_context - - -+ env_params -+ -+ - use_current_range - - -@@ -137,12 +140,30 @@ - - - -+ -+ -+ -+ -+ Attempt to obtain a custom security context role from PAM environment. -+ If MLS is on obtain also sensitivity level. This option and the -+ select_context option are mutually exclusive. The respective PAM -+ environment variables are SELINUX_ROLE_REQUESTED, -+ SELINUX_LEVEL_REQUESTED, and -+ SELINUX_USE_CURRENT_RANGE. The first two variables -+ are self describing and the last one if set to 1 makes the PAM module behave as -+ if the use_current_range was specified on the command line of the module. -+ -+ -+ -+ -+ - - - - -- Use the sensitivity range of the process for the user context. -- This option and the select_context option are mutually exclusive. -+ Use the sensitivity level of the current process for the user context -+ instead of the default level. Also supresses asking of the -+ sensitivity level from the user or obtaining it from PAM environment. - - - -Index: modules/pam_selinux/pam_selinux.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_selinux/pam_selinux.c,v -retrieving revision 1.16 -diff -u -p -r1.16 pam_selinux.c ---- modules/pam_selinux/pam_selinux.c 22 Apr 2008 19:21:37 -0000 1.16 -+++ modules/pam_selinux/pam_selinux.c 19 May 2008 15:44:08 -0000 -@@ -2,8 +2,9 @@ - * A module for Linux-PAM that will set the default security context after login - * via PAM. - * -- * Copyright (c) 2003 Red Hat, Inc. -+ * Copyright (c) 2003-2008 Red Hat, Inc. - * Written by Dan Walsh -+ * Additional improvements by Tomas Mraz - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -138,15 +139,22 @@ send_text (pam_handle_t *pamh, const cha - */ - static int - query_response (pam_handle_t *pamh, const char *text, const char *def, -- char **responses, int debug) -+ char **response, int debug) - { - int rc; - if (def) -- rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def); -+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def); - else -- rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text); -- if (debug) -- pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]); -+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text); -+ -+ if (*response == NULL) { -+ rc = PAM_CONV_ERR; -+ } -+ -+ if (rc != PAM_SUCCESS) { -+ pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text); -+ } else if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, *response); - return rc; - } - -@@ -157,13 +165,15 @@ manual_context (pam_handle_t *pamh, cons - context_t new_context; - int mls_enabled = is_selinux_mls_enabled(); - char *type=NULL; -- char *responses=NULL; -+ char *response=NULL; - - while (1) { -- query_response(pamh, -- _("Would you like to enter a security context? [N] "), NULL, -- &responses,debug); -- if ((responses[0] == 'y') || (responses[0] == 'Y')) -+ if (query_response(pamh, -+ _("Would you like to enter a security context? [N] "), NULL, -+ &response, debug) != PAM_SUCCESS) -+ return NULL; -+ -+ if ((response[0] == 'y') || (response[0] == 'Y')) - { - if (mls_enabled) - new_context = context_new ("user:role:type:level"); -@@ -176,26 +186,29 @@ manual_context (pam_handle_t *pamh, cons - if (context_user_set (new_context, user)) - goto fail_set; - -- _pam_drop(responses); -+ _pam_drop(response); - /* Allow the user to enter each field of the context individually */ -- query_response(pamh,_("role:"), NULL, &responses,debug); -- if (responses[0] != '\0') { -- if (context_role_set (new_context, responses)) -+ if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && -+ response[0] != '\0') { -+ if (context_role_set (new_context, response)) - goto fail_set; -- if (get_default_type(responses, &type)) -+ if (get_default_type(response, &type)) - goto fail_set; - if (context_type_set (new_context, type)) - goto fail_set; - } -- _pam_drop(responses); -+ _pam_drop(response); -+ - if (mls_enabled) - { -- query_response(pamh,_("level:"), NULL, &responses,debug); -- if (responses[0] != '\0') { -- if (context_range_set (new_context, responses)) -+ if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && -+ response[0] != '\0') { -+ if (context_range_set (new_context, response)) - goto fail_set; - } -+ _pam_drop(response); - } -+ - /* Get the string value of the context and see if it is valid. */ - if (!security_check_context(context_str(new_context))) { - newcon = strdup(context_str(new_context)); -@@ -204,16 +217,17 @@ manual_context (pam_handle_t *pamh, cons - } - else - send_text(pamh,_("Not a valid security context"),debug); -- context_free (new_context); -+ -+ context_free (new_context); - } - else { -- _pam_drop(responses); -+ _pam_drop(response); - return NULL; - } - } /* end while */ - fail_set: - free(type); -- _pam_drop(responses); -+ _pam_drop(response); - context_free (new_context); - return NULL; - } -@@ -239,69 +253,91 @@ static int mls_range_allowed(pam_handle_ - } - - static security_context_t --config_context (pam_handle_t *pamh, security_context_t puser_context, int debug) -+config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug) - { - security_context_t newcon=NULL; - context_t new_context; - int mls_enabled = is_selinux_mls_enabled(); -- char *responses=NULL; -+ char *response=NULL; - char *type=NULL; - char resp_val = 0; - -- pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context); -+ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), defaultcon); - - while (1) { -- query_response(pamh, -+ if (query_response(pamh, - _("Would you like to enter a different role or level?"), "n", -- &responses,debug); -- -- resp_val = responses[0]; -- _pam_drop(responses); -+ &response, debug) == PAM_SUCCESS) { -+ resp_val = response[0]; -+ _pam_drop(response); -+ } else { -+ resp_val = 'N'; -+ } - if ((resp_val == 'y') || (resp_val == 'Y')) - { -- new_context = context_new(puser_context); -- -+ if ((new_context = context_new(defaultcon)) == NULL) -+ goto fail_set; -+ - /* Allow the user to enter role and level individually */ -- query_response(pamh,_("role:"), context_role_get(new_context), -- &responses, debug); -- if (responses[0]) { -- if (get_default_type(responses, &type)) { -- pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses); -- _pam_drop(responses); -+ if (query_response(pamh, _("role:"), context_role_get(new_context), -+ &response, debug) == PAM_SUCCESS && response[0]) { -+ if (get_default_type(response, &type)) { -+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); -+ _pam_drop(response); - continue; - } else { -- if (context_role_set(new_context, responses)) -+ if (context_role_set(new_context, response)) - goto fail_set; - if (context_type_set (new_context, type)) - goto fail_set; - } - } -- _pam_drop(responses); -+ _pam_drop(response); -+ - if (mls_enabled) - { -- query_response(pamh,_("level:"), context_range_get(new_context), -- &responses, debug); -- if (responses[0]) { -- if (context_range_set(new_context, responses)) -- goto fail_set; -+ if (use_current_range) { -+ security_context_t mycon = NULL; -+ context_t my_context; -+ -+ if (getcon(&mycon) != 0) -+ goto fail_set; -+ my_context = context_new(mycon); -+ if (my_context == NULL) { -+ freecon(mycon); -+ goto fail_set; -+ } -+ freecon(mycon); -+ if (context_range_set(new_context, context_range_get(my_context))) { -+ context_free(my_context); -+ goto fail_set; -+ } -+ context_free(my_context); -+ } else if (query_response(pamh, _("level:"), context_range_get(new_context), -+ &response, debug) == PAM_SUCCESS && response[0]) { -+ if (context_range_set(new_context, response)) -+ goto fail_set; - } -- _pam_drop(responses); -+ _pam_drop(response); - } -+ - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); - - /* Get the string value of the context and see if it is valid. */ - if (!security_check_context(context_str(new_context))) { - newcon = strdup(context_str(new_context)); -- context_free (new_context); -+ if (newcon == NULL) -+ goto fail_set; -+ context_free(new_context); - - /* we have to check that this user is allowed to go into the - range they have specified ... role is tied to an seuser, so that'll - be checked at setexeccon time */ -- if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { -- pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); -+ if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { -+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); - -- send_audit_message(pamh, 0, puser_context, newcon); -+ send_audit_message(pamh, 0, defaultcon, newcon); - - free(newcon); - goto fail_range; -@@ -309,26 +345,120 @@ config_context (pam_handle_t *pamh, secu - return newcon; - } - else { -- send_audit_message(pamh, 0, puser_context, context_str(new_context)); -+ send_audit_message(pamh, 0, defaultcon, context_str(new_context)); - send_text(pamh,_("Not a valid security context"),debug); - } - context_free(new_context); /* next time around allocates another */ - } - else -- return strdup(puser_context); -+ return strdup(defaultcon); - } /* end while */ - - return NULL; - - fail_set: - free(type); -- _pam_drop(responses); -+ _pam_drop(response); - context_free (new_context); -- send_audit_message(pamh, 0, puser_context, NULL); -+ send_audit_message(pamh, 0, defaultcon, NULL); - fail_range: - return NULL; - } - -+static security_context_t -+context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_params, int use_current_range, int debug) -+{ -+ security_context_t newcon = NULL; -+ context_t new_context; -+ context_t my_context = NULL; -+ int mls_enabled = is_selinux_mls_enabled(); -+ const char *env = NULL; -+ char *type = NULL; -+ -+ if ((new_context = context_new(defaultcon)) == NULL) -+ goto fail_set; -+ -+ if (env_params && (env = pam_getenv(pamh, "SELINUX_ROLE_REQUESTED")) != NULL && env[0] != '\0') { -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "Requested role: %s", env); -+ -+ if (get_default_type(env, &type)) { -+ pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env); -+ goto fail_set; -+ } else { -+ if (context_role_set(new_context, env)) -+ goto fail_set; -+ if (context_type_set(new_context, type)) -+ goto fail_set; -+ } -+ } -+ -+ if (mls_enabled) { -+ if ((env = pam_getenv(pamh, "SELINUX_USE_CURRENT_RANGE")) != NULL && env[0] == '1') { -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "SELINUX_USE_CURRENT_RANGE is set"); -+ use_current_range = 1; -+ } -+ -+ if (use_current_range) { -+ security_context_t mycon = NULL; -+ -+ if (getcon(&mycon) != 0) -+ goto fail_set; -+ my_context = context_new(mycon); -+ if (my_context == NULL) { -+ freecon(mycon); -+ goto fail_set; -+ } -+ freecon(mycon); -+ env = context_range_get(my_context); -+ } else { -+ env = pam_getenv(pamh, "SELINUX_LEVEL_REQUESTED"); -+ } -+ -+ if (env != NULL && env[0] != '\0') { -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "Requested level: %s", env); -+ if (context_range_set(new_context, env)) -+ goto fail_set; -+ } -+ } -+ -+ newcon = strdup(context_str(new_context)); -+ if (newcon == NULL) -+ goto fail_set; -+ -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon); -+ -+ /* Get the string value of the context and see if it is valid. */ -+ if (security_check_context(newcon)) { -+ pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); -+ send_audit_message(pamh, 0, defaultcon, newcon); -+ freecon(newcon); -+ newcon = NULL; -+ -+ goto fail_set; -+ } -+ -+ /* we have to check that this user is allowed to go into the -+ range they have specified ... role is tied to an seuser, so that'll -+ be checked at setexeccon time */ -+ if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { -+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); -+ send_audit_message(pamh, 0, defaultcon, newcon); -+ freecon(newcon); -+ newcon = NULL; -+ } -+ -+ fail_set: -+ free(type); -+ context_free(my_context); -+ context_free(new_context); -+ send_audit_message(pamh, 0, defaultcon, NULL); -+ return newcon; -+} -+ - static void - security_restorelabel_tty(const pam_handle_t *pamh, - const char *tty, security_context_t context) -@@ -439,13 +569,14 @@ PAM_EXTERN int - pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) - { -- int i, debug = 0, ttys=1, has_tty=isatty(0); -+ int i, debug = 0, ttys=1; - int verbose=0, close_session=0; - int select_context = 0; - int use_current_range = 0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; -+ int env_params = 0; - const char *username = NULL; - const void *tty = NULL; - char *seuser=NULL; -@@ -472,13 +603,16 @@ pam_sm_open_session(pam_handle_t *pamh, - if (strcmp(argv[i], "use_current_range") == 0) { - use_current_range = 1; - } -+ if (strcmp(argv[i], "env_params") == 0) { -+ env_params = 1; -+ } - } - - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Open Session"); - -- if (select_context && use_current_range) { -- pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range"); -+ if (select_context && env_params) { -+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with env_params"); - select_context = 0; - } - -@@ -510,12 +644,17 @@ pam_sm_open_session(pam_handle_t *pamh, - freeconary(contextlist); - if (default_user_context == NULL) { - pam_syslog(pamh, LOG_ERR, "Out of memory"); -- return PAM_AUTH_ERR; -+ return PAM_BUF_ERR; - } -+ - user_context = default_user_context; -- if (select_context && has_tty) { -- user_context = config_context(pamh, default_user_context, debug); -- if (user_context == NULL) { -+ if (select_context) { -+ user_context = config_context(pamh, default_user_context, use_current_range, debug); -+ } else if (env_params || use_current_range) { -+ user_context = context_from_env(pamh, default_user_context, env_params, use_current_range, debug); -+ } -+ -+ if (user_context == NULL) { - freecon(default_user_context); - pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", - username); -@@ -524,11 +663,9 @@ pam_sm_open_session(pam_handle_t *pamh, - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; -- } -- } -+ } - } - else { -- if (has_tty) { - user_context = manual_context(pamh,seuser,debug); - if (user_context == NULL) { - pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", -@@ -538,59 +675,6 @@ pam_sm_open_session(pam_handle_t *pamh, - else - return PAM_SUCCESS; - } -- } else { -- pam_syslog (pamh, LOG_ERR, -- "Unable to get valid context for %s, No valid tty", -- username); -- if (security_getenforce() == 1) -- return PAM_AUTH_ERR; -- else -- return PAM_SUCCESS; -- } -- } -- -- if (use_current_range && is_selinux_mls_enabled()) { -- security_context_t process_context=NULL; -- if (getcon(&process_context) == 0) { -- context_t pcon, ucon; -- char *process_level=NULL; -- security_context_t orig_context; -- -- if (user_context) -- orig_context = user_context; -- else -- orig_context = default_user_context; -- -- pcon = context_new(process_context); -- freecon(process_context); -- process_level = strdup(context_range_get(pcon)); -- context_free(pcon); -- -- if (debug) -- pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level); -- -- ucon = context_new(orig_context); -- -- context_range_set(ucon, process_level); -- free(process_level); -- -- if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) { -- send_text(pamh, _("Requested MLS level not in permitted range"), debug); -- /* even if default_user_context is NULL audit that anyway */ -- send_audit_message(pamh, 0, default_user_context, context_str(ucon)); -- context_free(ucon); -- return PAM_AUTH_ERR; -- } -- -- if (debug) -- pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon)); -- -- /* replace the user context with the level adjusted one */ -- freecon(user_context); -- user_context = strdup(context_str(ucon)); -- -- context_free(ucon); -- } - } - - if (getexeccon(&prev_user_context)<0) { -@@ -613,7 +697,7 @@ pam_sm_open_session(pam_handle_t *pamh, - } - } - } -- if(ttys && tty ) { -+ if (ttys && tty) { - ttyn=strdup(tty); - ttyn_context=security_label_tty(pamh,ttyn,user_context); - } diff --git a/pam-1.0.1-namespace-create.patch b/pam-1.0.1-namespace-create.patch deleted file mode 100644 index 7d12105..0000000 --- a/pam-1.0.1-namespace-create.patch +++ /dev/null @@ -1,679 +0,0 @@ -diff -up Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c.create Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c ---- Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c.create 2008-03-20 18:06:32.000000000 +0100 -+++ Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c 2008-04-03 17:32:28.000000000 +0200 -@@ -32,6 +32,8 @@ - * DEALINGS IN THE SOFTWARE. - */ - -+#define _ATFILE_SOURCE -+ - #include "pam_namespace.h" - #include "argv_parse.h" - -@@ -78,11 +80,29 @@ static void del_polydir_list(struct poly - } - } - --static void cleanup_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) -+static void unprotect_dirs(struct protect_dir_s *dir) -+{ -+ struct protect_dir_s *next; -+ -+ while (dir != NULL) { -+ umount(dir->dir); -+ free(dir->dir); -+ next = dir->next; -+ free(dir); -+ dir = next; -+ } -+} -+ -+static void cleanup_polydir_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) - { - del_polydir_list(data); - } - -+static void cleanup_protect_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) -+{ -+ unprotect_dirs(data); -+} -+ - static char *expand_variables(const char *orig, const char *var_names[], const char *var_values[]) - { - const char *src = orig; -@@ -132,8 +152,8 @@ static char *expand_variables(const char - - static int parse_create_params(char *params, struct polydir_s *poly) - { -- char *sptr; -- struct passwd *pwd; -+ char *next; -+ struct passwd *pwd = NULL; - struct group *grp; - - poly->mode = (mode_t)ULONG_MAX; -@@ -144,28 +164,40 @@ static int parse_create_params(char *par - return 0; - params++; - -- params = strtok_r(params, ",", &sptr); -- if (params == NULL) -- return 0; -+ next = strchr(params, ','); -+ if (next != NULL) { -+ *next = '\0'; -+ next++; -+ } - -- errno = 0; -- poly->mode = (mode_t)strtoul(params, NULL, 0); -- if (errno != 0) { -- poly->mode = (mode_t)ULONG_MAX; -+ if (*params != '\0') { -+ errno = 0; -+ poly->mode = (mode_t)strtoul(params, NULL, 0); -+ if (errno != 0) { -+ poly->mode = (mode_t)ULONG_MAX; -+ } - } - -- params = strtok_r(NULL, ",", &sptr); -+ params = next; - if (params == NULL) - return 0; -+ next = strchr(params, ','); -+ if (next != NULL) { -+ *next = '\0'; -+ next++; -+ } - -- pwd = getpwnam(params); /* session modules are not reentrant */ -- if (pwd == NULL) -- return -1; -- poly->owner = pwd->pw_uid; -- -- params = strtok_r(NULL, ",", &sptr); -- if (params == NULL) { -- poly->group = pwd->pw_gid; -+ if (*params != '\0') { -+ pwd = getpwnam(params); /* session modules are not reentrant */ -+ if (pwd == NULL) -+ return -1; -+ poly->owner = pwd->pw_uid; -+ } -+ -+ params = next; -+ if (params == NULL || *params == '\0') { -+ if (pwd != NULL) -+ poly->group = pwd->pw_gid; - return 0; - } - grp = getgrnam(params); -@@ -199,7 +231,7 @@ static int parse_method(char *method, st - struct instance_data *idata) - { - enum polymethod pm; -- char *sptr; -+ char *sptr = NULL; - static const char *method_names[] = { "user", "context", "level", "tmpdir", - "tmpfs", NULL }; - static const char *flag_names[] = { "create", "noinit", "iscript", -@@ -921,10 +953,158 @@ fail: - return rc; - } - -+static int protect_mount(int dfd, const char *path, struct instance_data *idata) -+{ -+ struct protect_dir_s *dir = idata->protect_dirs; -+ char tmpbuf[64]; -+ -+ while (dir != NULL) { -+ if (strcmp(path, dir->dir) == 0) { -+ return 0; -+ } -+ dir = dir->next; -+ } -+ -+ dir = calloc(1, sizeof(*dir)); -+ -+ if (dir == NULL) { -+ return -1; -+ } -+ -+ dir->dir = strdup(path); -+ -+ if (dir->dir == NULL) { -+ free(dir); -+ return -1; -+ } -+ -+ snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd); -+ -+ if (idata->flags & PAMNS_DEBUG) { -+ pam_syslog(idata->pamh, LOG_INFO, -+ "Protect mount of %s over itself", path); -+ } -+ -+ if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) { -+ int save_errno = errno; -+ pam_syslog(idata->pamh, LOG_ERR, -+ "Protect mount of %s failed: %m", tmpbuf); -+ free(dir->dir); -+ free(dir); -+ errno = save_errno; -+ return -1; -+ } -+ -+ dir->next = idata->protect_dirs; -+ idata->protect_dirs = dir; -+ -+ return 0; -+} -+ -+static int protect_dir(const char *path, mode_t mode, int do_mkdir, -+ struct instance_data *idata) -+{ -+ char *p = strdup(path); -+ char *d; -+ char *dir = p; -+ int dfd = AT_FDCWD; -+ int dfd_next; -+ int save_errno; -+ int flags = O_RDONLY; -+ int rv = -1; -+ struct stat st; -+ -+ if (p == NULL) { -+ goto error; -+ } -+ -+ if (*dir == '/') { -+ dfd = open("/", flags); -+ if (dfd == -1) { -+ goto error; -+ } -+ dir++; /* assume / is safe */ -+ } -+ -+ while ((d=strchr(dir, '/')) != NULL) { -+ *d = '\0'; -+ dfd_next = openat(dfd, dir, flags); -+ if (dfd_next == -1) { -+ goto error; -+ } -+ -+ if (dfd != AT_FDCWD) -+ close(dfd); -+ dfd = dfd_next; -+ -+ if (fstat(dfd, &st) != 0) { -+ goto error; -+ } -+ -+ if (flags & O_NOFOLLOW) { -+ /* we are inside user-owned dir - protect */ -+ if (protect_mount(dfd, p, idata) == -1) -+ goto error; -+ } else if (st.st_uid != 0 || st.st_gid != 0 || -+ (st.st_mode & S_IWOTH)) { -+ /* do not follow symlinks on subdirectories */ -+ flags |= O_NOFOLLOW; -+ } -+ -+ *d = '/'; -+ dir = d + 1; -+ } -+ -+ rv = openat(dfd, dir, flags); -+ -+ if (rv == -1) { -+ if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { -+ goto error; -+ } -+ rv = openat(dfd, dir, flags); -+ } -+ -+ if (rv != -1) { -+ if (fstat(rv, &st) != 0) { -+ save_errno = errno; -+ close(rv); -+ rv = -1; -+ errno = save_errno; -+ goto error; -+ } -+ if (!S_ISDIR(st.st_mode)) { -+ close(rv); -+ errno = ENOTDIR; -+ rv = -1; -+ goto error; -+ } -+ } -+ -+ if (flags & O_NOFOLLOW) { -+ /* we are inside user-owned dir - protect */ -+ if (protect_mount(rv, p, idata) == -1) { -+ save_errno = errno; -+ close(rv); -+ rv = -1; -+ errno = save_errno; -+ } -+ } -+ -+error: -+ save_errno = errno; -+ free(p); -+ if (dfd != AT_FDCWD) -+ close(dfd); -+ errno = save_errno; -+ -+ return rv; -+} -+ - static int check_inst_parent(char *ipath, struct instance_data *idata) - { - struct stat instpbuf; - char *inst_parent, *trailing_slash; -+ int dfd; - /* - * stat the instance parent path to make sure it exists - * and is a directory. Check that its mode is 000 (unless the -@@ -942,30 +1122,27 @@ static int check_inst_parent(char *ipath - if (trailing_slash) - *trailing_slash = '\0'; - -- if (stat(inst_parent, &instpbuf) < 0) { -- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent); -- free(inst_parent); -- return PAM_SESSION_ERR; -- } -+ dfd = protect_dir(inst_parent, 0, 1, idata); - -- /* -- * Make sure we are dealing with a directory -- */ -- if (!S_ISDIR(instpbuf.st_mode)) { -- pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir", -- inst_parent); -+ if (dfd == -1 || fstat(dfd, &instpbuf) < 0) { -+ pam_syslog(idata->pamh, LOG_ERR, -+ "Error creating or accessing instance parent %s, %m", inst_parent); -+ if (dfd != -1) -+ close(dfd); - free(inst_parent); - return PAM_SESSION_ERR; - } - - if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) { -- if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) { -- pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000", -+ if ((instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) || instpbuf.st_uid != 0) { -+ pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000 or owner not root", - inst_parent); -+ close(dfd); - free(inst_parent); - return PAM_SESSION_ERR; - } - } -+ close(dfd); - free(inst_parent); - return PAM_SUCCESS; - } -@@ -1051,6 +1228,8 @@ static int create_polydir(struct polydir - security_context_t dircon, oldcon = NULL; - #endif - const char *dir = polyptr->dir; -+ uid_t uid; -+ gid_t gid; - - if (polyptr->mode != (mode_t)ULONG_MAX) - mode = polyptr->mode; -@@ -1077,8 +1256,8 @@ static int create_polydir(struct polydir - } - #endif - -- rc = mkdir(dir, mode); -- if (rc != 0) { -+ rc = protect_dir(dir, mode, 1, idata); -+ if (rc == -1) { - pam_syslog(idata->pamh, LOG_ERR, - "Error creating directory %s: %m", dir); - return PAM_SESSION_ERR; -@@ -1098,36 +1277,41 @@ static int create_polydir(struct polydir - - if (polyptr->mode != (mode_t)ULONG_MAX) { - /* explicit mode requested */ -- if (chmod(dir, mode) != 0) { -+ if (fchmod(rc, mode) != 0) { - pam_syslog(idata->pamh, LOG_ERR, - "Error changing mode of directory %s: %m", dir); -+ close(rc); -+ umount(dir); /* undo the eventual protection bind mount */ - rmdir(dir); - return PAM_SESSION_ERR; - } - } - -- if (polyptr->owner != (uid_t)ULONG_MAX) { -- if (chown(dir, polyptr->owner, polyptr->group) != 0) { -- pam_syslog(idata->pamh, LOG_ERR, -- "Unable to change owner on directory %s: %m", dir); -- rmdir(dir); -- return PAM_SESSION_ERR; -- } -- if (idata->flags & PAMNS_DEBUG) -- pam_syslog(idata->pamh, LOG_DEBUG, -- "Polydir owner %u group %u from configuration", polyptr->owner, polyptr->group); -- } else { -- if (chown(dir, idata->uid, idata->gid) != 0) { -- pam_syslog(idata->pamh, LOG_ERR, -- "Unable to change owner on directory %s: %m", dir); -- rmdir(dir); -- return PAM_SESSION_ERR; -- } -- if (idata->flags & PAMNS_DEBUG) -- pam_syslog(idata->pamh, LOG_DEBUG, -- "Polydir owner %u group %u", idata->uid, idata->gid); -+ if (polyptr->owner != (uid_t)ULONG_MAX) -+ uid = polyptr->owner; -+ else -+ uid = idata->uid; -+ -+ if (polyptr->group != (gid_t)ULONG_MAX) -+ gid = polyptr->group; -+ else -+ gid = idata->gid; -+ -+ if (fchown(rc, uid, gid) != 0) { -+ pam_syslog(idata->pamh, LOG_ERR, -+ "Unable to change owner on directory %s: %m", dir); -+ close(rc); -+ umount(dir); /* undo the eventual protection bind mount */ -+ rmdir(dir); -+ return PAM_SESSION_ERR; - } - -+ close(rc); -+ -+ if (idata->flags & PAMNS_DEBUG) -+ pam_syslog(idata->pamh, LOG_DEBUG, -+ "Polydir owner %u group %u", uid, gid); -+ - return PAM_SUCCESS; - } - -@@ -1135,17 +1319,16 @@ static int create_polydir(struct polydir - * Create polyinstantiated instance directory (ipath). - */ - #ifdef WITH_SELINUX --static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, -+static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, - security_context_t icontext, security_context_t ocontext, - struct instance_data *idata) - #else --static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, -+static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, - struct instance_data *idata) - #endif - { - struct stat newstatbuf; - int fd; -- int newdir = 0; - - /* - * Check to make sure instance parent is valid. -@@ -1171,7 +1354,7 @@ static int create_dirs(struct polydir_s - strcpy(ipath, polyptr->instance_prefix); - } else if (mkdir(ipath, S_IRUSR) < 0) { - if (errno == EEXIST) -- goto inst_init; -+ return PAM_IGNORE; - else { - pam_syslog(idata->pamh, LOG_ERR, "Error creating %s, %m", - ipath); -@@ -1179,7 +1362,6 @@ static int create_dirs(struct polydir_s - } - } - -- newdir = 1; - /* Open a descriptor to it to prevent races */ - fd = open(ipath, O_DIRECTORY | O_RDONLY); - if (fd < 0) { -@@ -1235,33 +1417,22 @@ static int create_dirs(struct polydir_s - return PAM_SESSION_ERR; - } - close(fd); -- -- /* -- * Check to see if there is a namespace initialization script in -- * the /etc/security directory. If such a script exists -- * execute it and pass directory to polyinstantiate and instance -- * directory as arguments. -- */ -- --inst_init: -- if (polyptr->flags & POLYDIR_NOINIT) -- return PAM_SUCCESS; -- -- return inst_init(polyptr, ipath, idata, newdir); -+ return PAM_SUCCESS; - } - - - /* - * This function performs the namespace setup for a particular directory -- * that is being polyinstantiated. It creates an MD5 hash of instance -- * directory, calls create_dirs to create it with appropriate -+ * that is being polyinstantiated. It calls poly_name to create name of instance -+ * directory, calls create_instance to mkdir it with appropriate - * security attributes, and performs bind mount to setup the process - * namespace. - */ - static int ns_setup(struct polydir_s *polyptr, - struct instance_data *idata) - { -- int retval = 0; -+ int retval; -+ int newdir = 1; - char *inst_dir = NULL; - char *instname = NULL; - struct stat statbuf; -@@ -1273,37 +1444,40 @@ static int ns_setup(struct polydir_s *po - pam_syslog(idata->pamh, LOG_DEBUG, - "Set namespace for directory %s", polyptr->dir); - -- while (stat(polyptr->dir, &statbuf) < 0) { -- if (retval || !(polyptr->flags & POLYDIR_CREATE)) { -- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", -- polyptr->dir); -- return PAM_SESSION_ERR; -- } else { -- if (create_polydir(polyptr, idata) != PAM_SUCCESS) -- return PAM_SESSION_ERR; -- retval = PAM_SESSION_ERR; /* bail out on next failed stat */ -- } -- } -+ retval = protect_dir(polyptr->dir, 0, 0, idata); - -- /* -- * Make sure we are dealing with a directory -- */ -- if (!S_ISDIR(statbuf.st_mode)) { -- pam_syslog(idata->pamh, LOG_ERR, "Polydir %s is not a dir", -+ if (retval < 0 && errno != ENOENT) { -+ pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", - polyptr->dir); -- return PAM_SESSION_ERR; -+ return PAM_SESSION_ERR; - } - -+ if (retval < 0 && (polyptr->flags & POLYDIR_CREATE)) { -+ if (create_polydir(polyptr, idata) != PAM_SUCCESS) -+ return PAM_SESSION_ERR; -+ } else { -+ close(retval); -+ } -+ - if (polyptr->method == TMPFS) { - if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", - polyptr->dir); - return PAM_SESSION_ERR; - } -- /* we must call inst_init after the mount in this case */ -+ -+ if (polyptr->flags & POLYDIR_NOINIT) -+ return PAM_SUCCESS; -+ - return inst_init(polyptr, "tmpfs", idata, 1); - } - -+ if (stat(polyptr->dir, &statbuf) < 0) { -+ pam_syslog(idata->pamh, LOG_ERR, "Error stating %s: %m", -+ polyptr->dir); -+ return PAM_SESSION_ERR; -+ } -+ - /* - * Obtain the name of instance pathname based on the - * polyinstantiation method and instance context returned by -@@ -1341,14 +1515,18 @@ static int ns_setup(struct polydir_s *po - * contexts, owner, group and mode bits. - */ - #ifdef WITH_SELINUX -- retval = create_dirs(polyptr, inst_dir, &statbuf, instcontext, -+ retval = create_instance(polyptr, inst_dir, &statbuf, instcontext, - origcontext, idata); - #else -- retval = create_dirs(polyptr, inst_dir, &statbuf, idata); -+ retval = create_instance(polyptr, inst_dir, &statbuf, idata); - #endif - -- if (retval < 0) { -- pam_syslog(idata->pamh, LOG_ERR, "Error creating instance dir"); -+ if (retval == PAM_IGNORE) { -+ newdir = 0; -+ retval = PAM_SUCCESS; -+ } -+ -+ if (retval != PAM_SUCCESS) { - goto error_out; - } - -@@ -1363,6 +1541,9 @@ static int ns_setup(struct polydir_s *po - goto error_out; - } - -+ if (!(polyptr->flags & POLYDIR_NOINIT)) -+ retval = inst_init(polyptr, inst_dir, idata, newdir); -+ - goto cleanup; - - /* -@@ -1600,12 +1781,21 @@ static int setup_namespace(struct instan - } - } - out: -- if (retval != PAM_SUCCESS) -+ if (retval != PAM_SUCCESS) { -+ cleanup_tmpdirs(idata); -+ unprotect_dirs(idata->protect_dirs); -+ } else if (pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, idata->protect_dirs, -+ cleanup_protect_data) != PAM_SUCCESS) { -+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace protect data"); - cleanup_tmpdirs(idata); -- else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, -- cleanup_data) != PAM_SUCCESS) { -- pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace data"); -+ unprotect_dirs(idata->protect_dirs); -+ return PAM_SYSTEM_ERR; -+ } else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, -+ cleanup_polydir_data) != PAM_SUCCESS) { -+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace polydir data"); - cleanup_tmpdirs(idata); -+ pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); -+ idata->protect_dirs = NULL; - return PAM_SYSTEM_ERR; - } - return retval; -@@ -1742,6 +1932,7 @@ PAM_EXTERN int pam_sm_open_session(pam_h - /* init instance data */ - idata.flags = 0; - idata.polydirs_ptr = NULL; -+ idata.protect_dirs = NULL; - idata.pamh = pamh; - #ifdef WITH_SELINUX - if (is_selinux_enabled()) -@@ -1893,6 +2084,7 @@ PAM_EXTERN int pam_sm_close_session(pam_ - } - - pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); -+ pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); - - return PAM_SUCCESS; - } -diff -up Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h.create Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h ---- Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h.create 2008-02-13 13:49:44.000000000 +0100 -+++ Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h 2008-03-20 18:07:29.000000000 +0100 -@@ -107,6 +107,7 @@ - - #define NAMESPACE_MAX_DIR_LEN 80 - #define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data" -+#define NAMESPACE_PROTECT_DATA "pam_namespace:protect_data" - - /* - * Polyinstantiation method options, based on user, security context -@@ -156,9 +157,15 @@ struct polydir_s { - struct polydir_s *next; /* pointer to the next polydir entry */ - }; - -+struct protect_dir_s { -+ char *dir; /* protected directory */ -+ struct protect_dir_s *next; /* next entry */ -+}; -+ - struct instance_data { - pam_handle_t *pamh; /* The pam handle for this instance */ - struct polydir_s *polydirs_ptr; /* The linked list pointer */ -+ struct protect_dir_s *protect_dirs; /* The pointer to stack of mount-protected dirs */ - char user[LOGIN_NAME_MAX]; /* User name */ - char ruser[LOGIN_NAME_MAX]; /* Requesting user name */ - uid_t uid; /* The uid of the user */ -@@ -166,3 +173,4 @@ struct instance_data { - uid_t ruid; /* The uid of the requesting user */ - unsigned long flags; /* Flags for debug, selinux etc */ - }; -+ -diff -up Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml.create Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml ---- Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml.create 2008-02-13 13:49:44.000000000 +0100 -+++ Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml 2008-04-18 14:38:57.000000000 +0200 -@@ -25,8 +25,8 @@ - Directories can be polyinstantiated based on user name - or, in the case of SELinux, user name, sensitivity level or complete security context. If an - executable script /etc/security/namespace.init -- exists, it is used to initialize the namespace every time a new instance -- directory is setup. The script receives the polyinstantiated -+ exists, it is used to initialize the namespace every time an instance -+ directory is set up and mounted. The script receives the polyinstantiated - directory path and the instance directory path as its arguments. - - -diff -up Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml.create Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml ---- Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml.create 2008-02-13 13:49:44.000000000 +0100 -+++ Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml 2008-04-18 14:40:54.000000000 +0200 -@@ -64,11 +64,11 @@ - provides a different instance of itself based on user name, or when - using SELinux, user name, security context or both. If an executable - script /etc/security/namespace.init exists, it -- is used to initialize the namespace every time a new instance -- directory is setup. The script receives the polyinstantiated -- directory path, the instance directory path, flag whether the instance -- directory was newly created (0 for no, 1 for yes), and the user name -- as its arguments. -+ is used to initialize the instance directory after it is set up -+ and mounted on the polyinstantiated direcory. The script receives the -+ polyinstantiated directory path, the instance directory path, flag -+ whether the instance directory was newly created (0 for no, 1 for yes), -+ and the user name as its arguments. - - - diff --git a/pam.changes b/pam.changes index 3349695..4504c4b 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Fri Mar 27 11:41:23 CET 2009 - kukuk@suse.de + +- Update to version 1.0.91 aka 1.1 Beta2: + * Changes in the behavior of the password stack. Results of + PRELIM_CHECK are not used for the final run. + * Redefine LOCAL keyword of pam_access configuration file + * Add support for try_first_pass and use_first_pass to + pam_cracklib + * New password quality tests in pam_cracklib + * Add support for passing PAM_AUTHTOK to stdin of helpers from + pam_exec + * New options for pam_lastlog to show last failed login attempt and + to disable lastlog update + * New pam_pwhistory module to store last used passwords + * New pam_tally2 module similar to pam_tally with wordsize independent + tally data format, obsoletes pam_tally + * Make libpam not log missing module if its type is prepended with '-' + * New pam_timestamp module for authentication based on recent successful + login. + * Add blowfish support to pam_unix. + * Add support for user specific environment file to pam_env. + * Add pam_get_authtok to libpam as Linux-PAM extension. + ------------------------------------------------------------------- Wed Feb 11 01:20:15 CET 2009 - ro@suse.de diff --git a/pam.spec b/pam.spec index a0f50bf..097aa11 100644 --- a/pam.spec +++ b/pam.spec @@ -1,5 +1,5 @@ # -# spec file for package pam (Version 1.0.2) +# spec file for package pam (Version 1.0.91) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -17,7 +17,11 @@ # norootforbuild +%if %{suse_version} < 1110 +%define enable_selinux 0 +%else %define enable_selinux 1 +%endif Name: pam Url: http://www.kernel.org/pub/linux/libs/pam/ @@ -28,9 +32,10 @@ BuildRequires: audit-devel %if %{enable_selinux} BuildRequires: libselinux-devel %endif -%define libpam_so_version 0.81.12 -%define libpam_misc_so_version 0.81.3 -%define libpamc_so_version 0.81.0 +BuildRequires: cracklib-dict-full pwdutils +%define libpam_so_version 0.82.1 +%define libpam_misc_so_version 0.82.0 +%define libpamc_so_version 0.82.0 License: BSD 3-Clause; GPL v2 or later Group: System/Libraries AutoReqProv: on @@ -39,11 +44,11 @@ AutoReqProv: on Obsoletes: pam-64bit %endif # -Version: 1.0.2 -Release: 19 +Version: 1.0.91 +Release: 1 Summary: A Security Tool that Provides Authentication for Applications Source: Linux-PAM-%{version}.tar.bz2 -Source1: Linux-PAM-%{version}-SUSE-docs.tar.bz2 +Source1: Linux-PAM-%{version}-docs.tar.bz2 Source2: securetty Source3: other.pamd Source4: common-auth.pamd @@ -51,26 +56,9 @@ Source5: common-account.pamd Source6: common-password.pamd Source7: common-session.pamd Source8: etc.environment +Patch: cvs.diff +Patch1: pam_tally-deprecated.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -Patch: Linux-PAM-docu.diff -Patch1: pam_tally.diff -Patch2: pam_xauth.diff -Patch3: pam_sepermit.diff -Patch4: pam-1.0.1-namespace-create.patch -Patch5: pam-1.0.0-selinux-env-params.patch -Patch6: Linux-PAM-docu-generated.diff -Patch7: pam_mail.diff -Patch8: pam_tally-fdleak.diff -Patch9: pam_pwhistory-0.1.diff -Patch10: pam_lastlog.diff -Patch11: pam_tally2.diff -Patch12: pam_cracklib-no-pwhistory.diff -Patch13: pam_xauth-XAUTHLOCALHOSTNAME.diff -Patch14: pam_pwhistory-type.diff -Patch15: pam_time.diff -Patch16: pam_limits-doc.diff -Patch17: pam_limits-logging.diff -Patch18: libpam-password-requisite.diff %description PAM (Pluggable Authentication Modules) is a system security tool that @@ -117,34 +105,11 @@ building both PAM-aware applications and modules for use with PAM. %prep %setup -q -n Linux-PAM-%{version} -b 1 -%patch -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p0 -%patch6 -p1 -%patch7 -p0 -%patch8 -p0 -%patch9 -p0 -chmod 755 modules/pam_pwhistory/tst-pam_pwhistory -%patch10 -p0 -%patch11 -p1 -chmod 755 modules/pam_tally2/tst-pam_tally2 -%patch12 -p0 -%patch13 -p0 -%patch14 -p0 -%patch15 -p0 -%patch16 -p0 -%patch17 -p0 -%patch18 -p0 +%patch -p0 +%patch1 -p0 %build -aclocal -I m4 --install --force -libtoolize --force --automake --copy -automake --add-missing --copy -autoreconf -CFLAGS="$RPM_OPT_FLAGS" \ +CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \ ./configure \ --infodir=%{_infodir} \ --mandir=%{_mandir} \ @@ -308,6 +273,7 @@ rm -rf $RPM_BUILD_ROOT /%{_lib}/security/pam_tally.so /%{_lib}/security/pam_tally2.so /%{_lib}/security/pam_time.so +/%{_lib}/security/pam_timestamp.so /%{_lib}/security/pam_tty_audit.so /%{_lib}/security/pam_umask.so /%{_lib}/security/pam_unix.so @@ -319,8 +285,10 @@ rm -rf $RPM_BUILD_ROOT /%{_lib}/security/pam_warn.so /%{_lib}/security/pam_wheel.so /%{_lib}/security/pam_xauth.so +/sbin/mkhomedir_helper /sbin/pam_tally /sbin/pam_tally2 +/sbin/pam_timestamp_check %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd %attr(0700,root,root) /sbin/unix_update @@ -342,6 +310,27 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libpam_misc.so %changelog +* Fri Mar 27 2009 kukuk@suse.de +- Update to version 1.0.91 aka 1.1 Beta2: + * Changes in the behavior of the password stack. Results of + PRELIM_CHECK are not used for the final run. + * Redefine LOCAL keyword of pam_access configuration file + * Add support for try_first_pass and use_first_pass to + pam_cracklib + * New password quality tests in pam_cracklib + * Add support for passing PAM_AUTHTOK to stdin of helpers from + pam_exec + * New options for pam_lastlog to show last failed login attempt and + to disable lastlog update + * New pam_pwhistory module to store last used passwords + * New pam_tally2 module similar to pam_tally with wordsize independent + tally data format, obsoletes pam_tally + * Make libpam not log missing module if its type is prepended with '-' + * New pam_timestamp module for authentication based on recent successful + login. + * Add blowfish support to pam_unix. + * Add support for user specific environment file to pam_env. + * Add pam_get_authtok to libpam as Linux-PAM extension. * Wed Feb 11 2009 ro@suse.de - use sr@latin instead of sr@Latn * Thu Feb 05 2009 kukuk@suse.de diff --git a/pam_cracklib-no-pwhistory.diff b/pam_cracklib-no-pwhistory.diff deleted file mode 100644 index 174cef5..0000000 --- a/pam_cracklib-no-pwhistory.diff +++ /dev/null @@ -1,88 +0,0 @@ ---- modules/pam_cracklib/pam_cracklib.8.xml -+++ modules/pam_cracklib/pam_cracklib.8.xml 2008/10/17 10:25:35 -@@ -111,15 +111,6 @@ - - - -- -- Already used -- -- -- Was the password used in the past? Previously used passwords -- are to be found in /etc/security/opasswd. -- -- -- - - - This module with no arguments will work well for standard unix ---- modules/pam_cracklib/pam_cracklib.c -+++ modules/pam_cracklib/pam_cracklib.c 2008/10/17 10:26:56 -@@ -472,43 +472,6 @@ - } - - --#define OLD_PASSWORDS_FILE "/etc/security/opasswd" -- --static const char * check_old_password(const char *forwho, const char *newpass) --{ -- static char buf[16384]; -- char *s_luser, *s_uid, *s_npas, *s_pas; -- const char *msg = NULL; -- FILE *opwfile; -- -- opwfile = fopen(OLD_PASSWORDS_FILE, "r"); -- if (opwfile == NULL) -- return NULL; -- -- while (fgets(buf, 16380, opwfile)) { -- if (!strncmp(buf, forwho, strlen(forwho))) { -- char *sptr; -- buf[strlen(buf)-1] = '\0'; -- s_luser = strtok_r(buf, ":,", &sptr); -- s_uid = strtok_r(NULL, ":,", &sptr); -- s_npas = strtok_r(NULL, ":,", &sptr); -- s_pas = strtok_r(NULL, ":,", &sptr); -- while (s_pas != NULL) { -- if (!strcmp(crypt(newpass, s_pas), s_pas)) { -- msg = _("has been already used"); -- break; -- } -- s_pas = strtok_r(NULL, ":,", &sptr); -- } -- break; -- } -- } -- fclose(opwfile); -- -- return msg; --} -- -- - static int _pam_unix_approve_pass(pam_handle_t *pamh, - unsigned int ctrl, - struct cracklib_options *opt, -@@ -516,7 +479,6 @@ - const char *pass_new) - { - const char *msg = NULL; -- const void *user; - int retval; - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { -@@ -532,15 +494,6 @@ - * checking this would be the place - */ - msg = password_check(opt, pass_old, pass_new); -- if (!msg) { -- retval = pam_get_item(pamh, PAM_USER, &user); -- if (retval != PAM_SUCCESS || user == NULL) { -- if (ctrl & PAM_DEBUG_ARG) -- pam_syslog(pamh,LOG_ERR,"Can not get username"); -- return PAM_AUTHTOK_ERR; -- } -- msg = check_old_password(user, pass_new); -- } - - if (msg) { - if (ctrl & PAM_DEBUG_ARG) diff --git a/pam_lastlog.diff b/pam_lastlog.diff deleted file mode 100644 index 80c6de4..0000000 --- a/pam_lastlog.diff +++ /dev/null @@ -1,325 +0,0 @@ -2008-09-30 Tomas Mraz - - * modules/pam_lastlog/pam_lastlog.8.xml: Document new options - noupdate and showfailed. - * modules/pam_lastlog/pam_lastlog.c(pam_parse): Recognize the new - options. - (last_login_read): New output parameter lltime. Do not display - the last login message if it would be empty. - (last_login_date): New output parameter lltime. Do not write the - last login info when LASTLOG_UPDATE is not set. - (last_login_failed): New function to display the last bad login - attempt from btmp. - (pam_sm_open_session): Obtain lltime from last_login_date() and - call last_login_failed() when appropriate. - ---- modules/pam_lastlog/pam_lastlog.8.xml 9 Jun 2006 16:44:07 -0000 1.2 -+++ modules/pam_lastlog/pam_lastlog.8.xml 30 Sep 2008 14:40:39 -0000 1.5 -@@ -39,6 +39,12 @@ - - nowtmp - -+ -+ noupdate -+ -+ -+ showfailed -+ - - - -@@ -137,13 +143,35 @@ - - - -+ -+ -+ -+ -+ -+ -+ Don't update any file. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Display number of failed login attempts and the date of the -+ last failed attempt from btmp. The date is not displayed -+ when is specified. -+ -+ -+ - - - -- -- MODULE SERVICES PROVIDED -+ -+ MODULE TYPES PROVIDED - -- Only the service is supported. -+ Only the module type is provided. - - - -@@ -213,7 +241,7 @@ - pam.conf5 - , - -- pam.d8 -+ pam.d5 - , - - pam8 ---- modules/pam_lastlog/pam_lastlog.c 24 Aug 2006 18:29:30 -0000 1.23 -+++ modules/pam_lastlog/pam_lastlog.c 30 Sep 2008 14:40:39 -0000 1.24 -@@ -46,6 +46,10 @@ - }; - #endif /* hpux */ - -+#ifndef _PATH_BTMP -+# define _PATH_BTMP "/var/log/btmp" -+#endif -+ - /* XXX - time before ignoring lock. Is 1 sec enough? */ - #define LASTLOG_IGNORE_LOCK_TIME 1 - -@@ -75,11 +79,13 @@ - #define LASTLOG_DEBUG 020 /* send info to syslog(3) */ - #define LASTLOG_QUIET 040 /* keep quiet about things */ - #define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ -+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ -+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ - - static int - _pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) - { -- int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP); -+ int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE); - - /* does the appliction require quiet? */ - if (flags & PAM_SILENT) { -@@ -105,6 +111,10 @@ - ctrl |= LASTLOG_NEVER; - } else if (!strcmp(*argv,"nowtmp")) { - ctrl &= ~LASTLOG_WTMP; -+ } else if (!strcmp(*argv,"noupdate")) { -+ ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE); -+ } else if (!strcmp(*argv,"showfailed")) { -+ ctrl |= LASTLOG_BTMP; - } else { - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } -@@ -135,7 +145,7 @@ - } - - static int --last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid) -+last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t *lltime) - { - struct flock last_lock; - struct lastlog last_login; -@@ -166,6 +176,7 @@ - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - -+ *lltime = last_login.ll_time; - if (!last_login.ll_time) { - if (announce & LASTLOG_DEBUG) { - pam_syslog(pamh, LOG_DEBUG, -@@ -216,8 +227,9 @@ - } - } - -- /* TRANSLATORS: "Last login: from on " */ -- retval = pam_info(pamh, _("Last login:%s%s%s"), -+ if (date != NULL || host != NULL || line != NULL) -+ /* TRANSLATORS: "Last login: from on " */ -+ retval = pam_info(pamh, _("Last login:%s%s%s"), - date ? date : "", - host ? host : "", - line ? line : ""); -@@ -320,13 +332,13 @@ - } - - static int --last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user) -+last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user, time_t *lltime) - { - int retval; - int last_fd; - - /* obtain the last login date and all the relevant info */ -- last_fd = open(_PATH_LASTLOG, O_RDWR); -+ last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY); - if (last_fd < 0) { - if (errno == ENOENT) { - last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, -@@ -353,7 +365,7 @@ - return PAM_SERVICE_ERR; - } - -- retval = last_login_read(pamh, announce, last_fd, uid); -+ retval = last_login_read(pamh, announce, last_fd, uid, lltime); - if (retval != PAM_SUCCESS) - { - close(last_fd); -@@ -361,7 +373,9 @@ - return retval; - } - -- retval = last_login_write(pamh, announce, last_fd, uid, user); -+ if (announce & LASTLOG_UPDATE) { -+ retval = last_login_write(pamh, announce, last_fd, uid, user); -+ } - - close(last_fd); - D(("all done with last login")); -@@ -369,6 +383,121 @@ - return retval; - } - -+static int -+last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t lltime) -+{ -+ int retval; -+ int fd; -+ struct utmp ut; -+ struct utmp utuser; -+ int failed = 0; -+ char the_time[256]; -+ char *date = NULL; -+ char *host = NULL; -+ char *line = NULL; -+ -+ if (strlen(user) > UT_NAMESIZE) { -+ pam_syslog(pamh, LOG_WARNING, "username too long, output might be inaccurate"); -+ } -+ -+ /* obtain the failed login attempt records from btmp */ -+ fd = open(_PATH_BTMP, O_RDONLY); -+ if (fd < 0) { -+ pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_BTMP); -+ D(("unable to open %s file", _PATH_BTMP)); -+ return PAM_SERVICE_ERR; -+ } -+ -+ while ((retval=pam_modutil_read(fd, (void *)&ut, -+ sizeof(ut))) == sizeof(ut)) { -+ if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) { -+ memcpy(&utuser, &ut, sizeof(utuser)); -+ failed++; -+ } -+ } -+ -+ if (failed) { -+ /* we want the date? */ -+ if (announce & LASTLOG_DATE) { -+ struct tm *tm, tm_buf; -+ time_t lf_time; -+ -+ lf_time = utuser.ut_tv.tv_sec; -+ tm = localtime_r (&lf_time, &tm_buf); -+ strftime (the_time, sizeof (the_time), -+ /* TRANSLATORS: "strftime options for date of last login" */ -+ _(" %a %b %e %H:%M:%S %Z %Y"), tm); -+ -+ date = the_time; -+ } -+ -+ /* we want & have the host? */ -+ if ((announce & LASTLOG_HOST) -+ && (utuser.ut_host[0] != '\0')) { -+ /* TRANSLATORS: " from " */ -+ if (asprintf(&host, _(" from %.*s"), UT_HOSTSIZE, -+ utuser.ut_host) < 0) { -+ pam_syslog(pamh, LOG_ERR, "out of memory"); -+ retval = PAM_BUF_ERR; -+ goto cleanup; -+ } -+ } -+ -+ /* we want and have the terminal? */ -+ if ((announce & LASTLOG_LINE) -+ && (utuser.ut_line[0] != '\0')) { -+ /* TRANSLATORS: " on " */ -+ if (asprintf(&line, _(" on %.*s"), UT_LINESIZE, -+ utuser.ut_line) < 0) { -+ pam_syslog(pamh, LOG_ERR, "out of memory"); -+ retval = PAM_BUF_ERR; -+ goto cleanup; -+ } -+ } -+ -+ if (line != NULL || date != NULL || host != NULL) { -+ /* TRANSLATORS: "Last failed login: from on " */ -+ pam_info(pamh, _("Last failed login:%s%s%s"), -+ date ? date : "", -+ host ? host : "", -+ line ? line : ""); -+ } -+ -+ _pam_drop(line); -+#if defined HAVE_DNGETTEXT && defined ENABLE_NLS -+ retval = asprintf (&line, dngettext(PACKAGE, -+ "There was %d failed login attempt since the last successful login.", -+ "There were %d failed login attempts since the last successful login.", -+ failed), -+ failed); -+#else -+ if (daysleft == 1) -+ retval = asprintf(&line, -+ _("There was %d failed login attempt since the last successful login."), -+ failed); -+ else -+ retval = asprintf(&line, -+ /* TRANSLATORS: only used if dngettext is not supported */ -+ _("There were %d failed login attempts since the last successful login."), -+ failed); -+#endif -+ if (retval >= 0) -+ retval = pam_info(pamh, "%s", line); -+ else { -+ retval = PAM_BUF_ERR; -+ line = NULL; -+ } -+ } -+ -+cleanup: -+ free(host); -+ free(line); -+ close(fd); -+ D(("all done with btmp")); -+ -+ return retval; -+} -+ - /* --- authentication management functions (only) --- */ - - PAM_EXTERN int -@@ -379,6 +508,7 @@ - const void *user; - const struct passwd *pwd; - uid_t uid; -+ time_t lltime = 0; - - /* - * this module gets the uid of the PAM_USER. Uses it to display -@@ -407,7 +537,11 @@ - - /* process the current login attempt (indicate last) */ - -- retval = last_login_date(pamh, ctrl, uid, user); -+ retval = last_login_date(pamh, ctrl, uid, user, &lltime); -+ -+ if ((ctrl & LASTLOG_BTMP) && retval == PAM_SUCCESS) { -+ retval = last_login_failed(pamh, ctrl, user, lltime); -+ } - - /* indicate success or failure */ - diff --git a/pam_limits-doc.diff b/pam_limits-doc.diff deleted file mode 100644 index de00437..0000000 --- a/pam_limits-doc.diff +++ /dev/null @@ -1,23 +0,0 @@ ---- modules/pam_limits/limits.conf.5.xml -+++ modules/pam_limits/limits.conf.5.xml 2008/11/27 14:25:16 -@@ -230,6 +230,11 @@ - - - -+ All items support the values -1, -+ unlimited or infinity indicating no limit, -+ except for priority and nice. -+ -+ - In general, individual limits have priority over group limits, so if - you impose no limits for admin group, but one of - the members in this group have a limits line, the user will have its -@@ -275,6 +280,7 @@ - pam_limits8, - pam.d5, -- pam8 -+ pam8, -+ getrlimit2 - - - diff --git a/pam_limits-logging.diff b/pam_limits-logging.diff deleted file mode 100644 index 51e304d..0000000 --- a/pam_limits-logging.diff +++ /dev/null @@ -1,125 +0,0 @@ ---- modules/pam_limits/pam_limits.c 7 Dec 2007 15:40:02 -0000 1.46 -+++ modules/pam_limits/pam_limits.c 5 Feb 2009 15:48:49 -0000 -@@ -42,7 +42,7 @@ - #include - - #ifdef HAVE_LIBAUDIT --#include -+#include - #endif - - /* Module defines */ -@@ -141,6 +141,73 @@ - return ctrl; - } - -+static const char * -+i2str (int i) -+{ -+ switch (i) { -+ case RLIMIT_CPU: -+ return "cpu"; -+ break; -+ case RLIMIT_FSIZE: -+ return "fsize"; -+ break; -+ case RLIMIT_DATA: -+ return "data"; -+ break; -+ case RLIMIT_STACK: -+ return "stack"; -+ break; -+ case RLIMIT_CORE: -+ return "core"; -+ break; -+ case RLIMIT_RSS: -+ return "rss"; -+ break; -+ case RLIMIT_NPROC: -+ return "nproc"; -+ break; -+ case RLIMIT_NOFILE: -+ return "nofile"; -+ break; -+ case RLIMIT_MEMLOCK: -+ return "memlock"; -+ break; -+#ifdef RLIMIT_AS -+ case RLIMIT_AS: -+ return "as"; -+ break; -+#endif -+#ifdef RLIMIT_LOCKS -+ case RLIMIT_LOCKS: -+ return "locks"; -+ break; -+#endif -+#ifdef RLIMIT_SIGPENDING -+ case RLIMIT_SIGPENDING: -+ return "sigpending"; -+ break; -+#endif -+#ifdef RLIMIT_MSGQUEUE -+ case RLIMIT_MSGQUEUE: -+ return "msgqueue"; -+ break; -+#endif -+#ifdef RLIMIT_NICE -+ case RLIMIT_NICE: -+ return "nice"; -+ break; -+#endif -+#ifdef RLIMIT_RTPRIO -+ case RLIMIT_RTPRIO: -+ return "rtprio"; -+ break; -+#endif -+ default: -+ return "UNKNOWN"; -+ break; -+ } -+} -+ - - #define LIMITED_OK 0 /* limit setting appeared to work */ - #define LIMIT_ERR 1 /* error setting a limit */ -@@ -416,8 +483,8 @@ - if (int_value < -20) - int_value = -20; - rlimit_value = 20 - int_value; --#endif - break; -+#endif - } - - if ( (limit_item != LIMIT_LOGIN) -@@ -575,6 +642,8 @@ - int retval = LIMITED_OK; - - for (i=0, status=LIMITED_OK; ilimits[i].supported) { - /* skip it if its not known to the system */ - continue; -@@ -586,7 +655,11 @@ - } - if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) - pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; -- status |= setrlimit(i, &pl->limits[i].limit); -+ res = setrlimit(i, &pl->limits[i].limit); -+ if (res != 0) -+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", -+ i2str(i)); -+ status |= res; - } - - if (status) { -@@ -595,6 +668,7 @@ - - status = setpriority(PRIO_PROCESS, 0, pl->priority); - if (status != 0) { -+ pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m"); - retval = LIMIT_ERR; - } - diff --git a/pam_mail.diff b/pam_mail.diff deleted file mode 100644 index abeb915..0000000 --- a/pam_mail.diff +++ /dev/null @@ -1,49 +0,0 @@ -2008-09-25 Thorsten Kukuk - - * modules/pam_mail/pam_mail.c (report_mail): Fix logic of - "quiet" option (Patch from Andreas Henriksson ) - - * modules/pam_mail/pam_mail.8.xml: Fix typo. - -diff -u -r1.5 pam_mail.8.xml ---- modules/pam_mail/pam_mail.8.xml 18 Aug 2008 13:29:24 -0000 1.5 -+++ modules/pam_mail/pam_mail.8.xml 25 Sep 2008 11:51:29 -0000 -@@ -40,7 +40,7 @@ - nopen - - -- quit -+ quiet - - - standard ---- modules/pam_mail/pam_mail.c 30 Apr 2007 10:56:24 -0000 1.19 -+++ modules/pam_mail/pam_mail.c 25 Sep 2008 11:51:29 -0000 -@@ -303,8 +303,13 @@ - { - int retval; - -- if (!(ctrl & PAM_MAIL_SILENT) || -- ((ctrl & PAM_QUIET_MAIL) && type == HAVE_NEW_MAIL)) -+ if ((ctrl & PAM_MAIL_SILENT) || -+ ((ctrl & PAM_QUIET_MAIL) && type != HAVE_NEW_MAIL)) -+ { -+ D(("keeping quiet")); -+ retval = PAM_SUCCESS; -+ } -+ else - { - if (ctrl & PAM_STANDARD_MAIL) - switch (type) -@@ -345,11 +350,6 @@ - break; - } - } -- else -- { -- D(("keeping quiet")); -- retval = PAM_SUCCESS; -- } - - D(("returning %s", pam_strerror(pamh, retval))); - return retval; diff --git a/pam_pwhistory-0.1.diff b/pam_pwhistory-0.1.diff deleted file mode 100644 index db71aa6..0000000 --- a/pam_pwhistory-0.1.diff +++ /dev/null @@ -1,1725 +0,0 @@ -2008-10-10 Thorsten Kukuk - - * configure.in: add modules/pam_pwhistory/Makefile. - * doc/sag/Linux-PAM_SAG.xml: Include pam_pwhistory.xml. - * doc/sag/pam_pwhistory.xml: New. - * libpam/pam_static_modules.h: Add pam_pwhistory data. - * modules/Makefile.am: Add pam_pwhistory directory. - * modules/pam_pwhistory/Makefile.am: New. - * modules/pam_pwhistory/README.xml: New. - * modules/pam_pwhistory/opasswd.c: New. - * modules/pam_pwhistory/opasswd.h: New. - * modules/pam_pwhistory/pam_pwhistory.8.xml: New. - * modules/pam_pwhistory/pam_pwhistory.c: New. - * modules/pam_pwhistory/tst-pam_pwhistory: New. - * xtests/Makefile.am: New. - * xtests/run-xtests.sh: New. - * xtests/tst-pam_pwhistory1.c: New. - * xtests/tst-pam_pwhistory1.pamd: New. - * xtests/tst-pam_pwhistory1.sh: New. - * po/POTFILES.in: Add modules/pam_pwhistory/. - ---- configure.in 18 Aug 2008 13:29:21 -0000 1.126 -+++ configure.in 10 Oct 2008 06:52:40 -0000 -@@ -542,7 +542,7 @@ - modules/pam_mkhomedir/Makefile modules/pam_motd/Makefile \ - modules/pam_namespace/Makefile \ - modules/pam_nologin/Makefile modules/pam_permit/Makefile \ -- modules/pam_rhosts/Makefile \ -+ modules/pam_pwhistory/Makefile modules/pam_rhosts/Makefile \ - modules/pam_rootok/Makefile modules/pam_exec/Makefile \ - modules/pam_securetty/Makefile modules/pam_selinux/Makefile \ - modules/pam_sepermit/Makefile \ ---- doc/sag/Linux-PAM_SAG.xml 4 Apr 2008 10:23:00 -0000 1.8 -+++ doc/sag/Linux-PAM_SAG.xml 10 Oct 2008 06:52:40 -0000 -@@ -443,6 +443,8 @@ - - -+ - -Index: doc/sag/pam_pwhistory.xml -=================================================================== -RCS file: doc/sag/pam_pwhistory.xml -diff -N doc/sag/pam_pwhistory.xml ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ doc/sag/pam_pwhistory.xml 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,38 @@ -+ -+ -+
-+ pam_pwhistory - grant access using .pwhistory file -+ -+ -+ -+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-Index: libpam/pam_static_modules.h -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/libpam/pam_static_modules.h,v -retrieving revision 1.8 -diff -u -r1.8 pam_static_modules.h ---- libpam/pam_static_modules.h 4 Feb 2008 13:37:35 -0000 1.8 -+++ libpam/pam_static_modules.h 10 Oct 2008 06:52:40 -0000 -@@ -61,6 +61,7 @@ - #endif - extern struct pam_module _pam_nologin_modstruct; - extern struct pam_module _pam_permit_modstruct; -+extern struct pam_module _pam_pwhistory_modstruct; - extern struct pam_module _pam_rhosts_modstruct; - extern struct pam_module _pam_rhosts_auth_modstruct; - extern struct pam_module _pam_rootok_modstruct; -@@ -119,6 +120,7 @@ - #endif - &_pam_nologin_modstruct, - &_pam_permit_modstruct, -+ &_pam_pwhistory_modstruct, - &_pam_rhosts_modstruct, - &_pam_rhosts_auth_modstruct, - &_pam_rootok_modstruct, -Index: modules/Makefile.am -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/Makefile.am,v -retrieving revision 1.14 -diff -u -r1.14 Makefile.am ---- modules/Makefile.am 4 Feb 2008 14:00:20 -0000 1.14 -+++ modules/Makefile.am 10 Oct 2008 06:52:40 -0000 -@@ -1,15 +1,16 @@ - # --# Copyright (c) 2005, 2006 Thorsten Kukuk -+# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -- pam_env pam_filter pam_ftp pam_group pam_issue pam_keyinit \ -- pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \ -- pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \ -- pam_securetty pam_selinux pam_sepermit pam_shells pam_stress \ -+ pam_env pam_exec pam_faildelay pam_filter pam_ftp \ -+ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ -+ pam_listfile pam_localuser pam_loginuid pam_mail \ -+ pam_mkhomedir pam_motd pam_namespace pam_nologin \ -+ pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ -+ pam_selinux pam_sepermit pam_shells pam_stress \ - pam_succeed_if pam_tally pam_time pam_tty_audit pam_umask \ -- pam_unix pam_userdb pam_warn pam_wheel pam_xauth pam_exec \ -- pam_namespace pam_loginuid pam_faildelay -+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth - - CLEANFILES = *~ - -Index: modules/pam_pwhistory/.cvsignore -=================================================================== -RCS file: modules/pam_pwhistory/.cvsignore -diff -N modules/pam_pwhistory/.cvsignore ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/.cvsignore 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,8 @@ -+*.la -+*.lo -+.deps -+.libs -+Makefile -+Makefile.in -+README -+pam_pwhistory.8 -Index: modules/pam_pwhistory/Makefile.am -=================================================================== -RCS file: modules/pam_pwhistory/Makefile.am -diff -N modules/pam_pwhistory/Makefile.am ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/Makefile.am 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,35 @@ -+# -+# Copyright (c) 2008 Thorsten Kukuk -+# -+ -+CLEANFILES = *~ -+ -+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory -+ -+TESTS = tst-pam_pwhistory -+ -+man_MANS = pam_pwhistory.8 -+ -+XMLS = README.xml pam_pwhistory.8.xml -+ -+securelibdir = $(SECUREDIR) -+secureconfdir = $(SCONFIGDIR) -+ -+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+AM_LDFLAGS = -no-undefined -avoid-version -module -+if HAVE_VERSIONING -+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+endif -+ -+noinst_HEADERS = opasswd.h -+ -+securelib_LTLIBRARIES = pam_pwhistory.la -+pam_pwhistory_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBCRYPT@ -+pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c -+ -+if ENABLE_REGENERATE_MAN -+noinst_DATA = README -+README: pam_pwhistory.8.xml -+-include $(top_srcdir)/Make.xml.rules -+endif -+ -Index: modules/pam_pwhistory/README.xml -=================================================================== -RCS file: modules/pam_pwhistory/README.xml -diff -N modules/pam_pwhistory/README.xml ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/README.xml 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,41 @@ -+ -+ -+--> -+]> -+ -+
-+ -+ -+ -+ -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_pwhistory.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_pwhistory-name"]/*)'/> -+ -+ -+ -+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-Index: modules/pam_pwhistory/opasswd.c -=================================================================== -RCS file: modules/pam_pwhistory/opasswd.c -diff -N modules/pam_pwhistory/opasswd.c ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/opasswd.c 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,473 @@ -+/* -+ * Copyright (c) 2008 Thorsten Kukuk -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#if defined(HAVE_CONFIG_H) -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#if defined (HAVE_XCRYPT_H) -+#include -+#elif defined (HAVE_CRYPT_H) -+#include -+#endif -+ -+#include -+#include -+ -+#include "opasswd.h" -+ -+#ifndef RANDOM_DEVICE -+#define RANDOM_DEVICE "/dev/urandom" -+#endif -+ -+#define OLD_PASSWORDS_FILE "/etc/security/opasswd" -+#define TMP_PASSWORDS_FILE OLD_PASSWORDS_FILE".tmpXXXXXX" -+ -+#define DEFAULT_BUFLEN 4096 -+ -+typedef struct { -+ char *user; -+ char *uid; -+ int count; -+ char *old_passwords; -+} opwd; -+ -+ -+static int -+parse_entry (char *line, opwd *data) -+{ -+ const char delimiters[] = ":"; -+ char *endptr; -+ -+ data->user = strsep (&line, delimiters); -+ data->uid = strsep (&line, delimiters); -+ data->count = strtol (strsep (&line, delimiters), &endptr, 10); -+ if (endptr != NULL && *endptr != '\0') -+ return 1; -+ -+ data->old_passwords = strsep (&line, delimiters); -+ -+ return 0; -+} -+ -+/* Check, if the new password is already in the opasswd file. */ -+int -+check_old_password (pam_handle_t *pamh, const char *user, -+ const char *newpass, int debug) -+{ -+ int retval = PAM_SUCCESS; -+ FILE *oldpf; -+ char *buf = NULL; -+ size_t buflen = 0; -+ opwd entry; -+ int found = 0; -+ -+ if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) -+ { -+ if (errno != ENOENT) -+ pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", OLD_PASSWORDS_FILE); -+ return PAM_SUCCESS; -+ } -+ -+ while (!feof (oldpf)) -+ { -+ char *cp, *tmp; -+#if defined(HAVE_GETLINE) -+ ssize_t n = getline (&buf, &buflen, oldpf); -+#elif defined (HAVE_GETDELIM) -+ ssize_t n = getdelim (&buf, &buflen, '\n', oldpf); -+#else -+ ssize_t n; -+ -+ if (buf == NULL) -+ { -+ buflen = DEFAULT_BUFLEN; -+ buf = malloc (buflen); -+ if (buf == NULL) -+ return PAM_BUF_ERR; -+ } -+ buf[0] = '\0'; -+ fgets (buf, buflen - 1, oldpf); -+ n = strlen (buf); -+#endif /* HAVE_GETLINE / HAVE_GETDELIM */ -+ cp = buf; -+ -+ if (n < 1) -+ break; -+ -+ tmp = strchr (cp, '#'); /* remove comments */ -+ if (tmp) -+ *tmp = '\0'; -+ while (isspace ((int)*cp)) /* remove spaces and tabs */ -+ ++cp; -+ if (*cp == '\0') /* ignore empty lines */ -+ continue; -+ -+ if (cp[strlen (cp) - 1] == '\n') -+ cp[strlen (cp) - 1] = '\0'; -+ -+ if (strncmp (cp, user, strlen (user)) == 0 && -+ cp[strlen (user)] == ':') -+ { -+ /* We found the line we needed */ -+ if (parse_entry (cp, &entry) == 0) -+ { -+ found = 1; -+ break; -+ } -+ } -+ } -+ -+ fclose (oldpf); -+ -+ if (found) -+ { -+ const char delimiters[] = ","; -+ struct crypt_data output; -+ char *running; -+ char *oldpass; -+ -+ memset (&output, 0, sizeof (output)); -+ -+ running = strdupa (entry.old_passwords); -+ if (running == NULL) -+ return PAM_BUF_ERR; -+ -+ do { -+ oldpass = strsep (&running, delimiters); -+ if (oldpass && strlen (oldpass) > 0 && -+ strcmp (crypt_r (newpass, oldpass, &output), oldpass) == 0) -+ { -+ if (debug) -+ pam_syslog (pamh, LOG_DEBUG, "New password already used"); -+ retval = PAM_AUTHTOK_ERR; -+ break; -+ } -+ } while (oldpass != NULL); -+ } -+ -+ if (buf) -+ free (buf); -+ -+ return retval; -+} -+ -+int -+save_old_password (pam_handle_t *pamh, const char *user, uid_t uid, -+ const char *oldpass, int howmany, int debug UNUSED) -+{ -+ char opasswd_tmp[] = TMP_PASSWORDS_FILE; -+ struct stat opasswd_stat; -+ FILE *oldpf, *newpf; -+ int newpf_fd; -+ int do_create = 0; -+ int retval = PAM_SUCCESS; -+ char *buf = NULL; -+ size_t buflen = 0; -+ int found = 0; -+ -+ if (howmany <= 0) -+ return PAM_SUCCESS; -+ -+ if (oldpass == NULL || *oldpass == '\0') -+ return PAM_SUCCESS; -+ -+ if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) -+ { -+ if (errno == ENOENT) -+ { -+ pam_syslog (pamh, LOG_NOTICE, "Creating %s", -+ OLD_PASSWORDS_FILE); -+ do_create = 1; -+ } -+ else -+ { -+ pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", -+ OLD_PASSWORDS_FILE); -+ return PAM_AUTHTOK_ERR; -+ } -+ } -+ else if (fstat (fileno (oldpf), &opasswd_stat) < 0) -+ { -+ pam_syslog (pamh, LOG_ERR, "Cannot stat %s: %m", OLD_PASSWORDS_FILE); -+ fclose (oldpf); -+ return PAM_AUTHTOK_ERR; -+ } -+ -+ /* Open a temp passwd file */ -+ newpf_fd = mkstemp (opasswd_tmp); -+ if (newpf_fd == -1) -+ { -+ pam_syslog (pamh, LOG_ERR, "Cannot create %s temp file: %m", -+ OLD_PASSWORDS_FILE); -+ fclose (oldpf); -+ return PAM_AUTHTOK_ERR; -+ } -+ if (do_create) -+ { -+ if (fchmod (newpf_fd, S_IRUSR|S_IWUSR) != 0) -+ pam_syslog (pamh, LOG_ERR, -+ "Cannot set permissions of %s temp file: %m", -+ OLD_PASSWORDS_FILE); -+ if (fchown (newpf_fd, 0, 0) != 0) -+ pam_syslog (pamh, LOG_ERR, -+ "Cannot set owner/group of %s temp file: %m", -+ OLD_PASSWORDS_FILE); -+ } -+ else -+ { -+ if (fchmod (newpf_fd, opasswd_stat.st_mode) != 0) -+ pam_syslog (pamh, LOG_ERR, -+ "Cannot set permissions of %s temp file: %m", -+ OLD_PASSWORDS_FILE); -+ if (fchown (newpf_fd, opasswd_stat.st_uid, opasswd_stat.st_gid) != 0) -+ pam_syslog (pamh, LOG_ERR, -+ "Cannot set owner/group of %s temp file: %m", -+ OLD_PASSWORDS_FILE); -+ } -+ newpf = fdopen (newpf_fd, "w+"); -+ if (newpf == NULL) -+ { -+ pam_syslog (pamh, LOG_ERR, "Cannot fdopen %s: %m", opasswd_tmp); -+ fclose (oldpf); -+ close (newpf_fd); -+ retval = PAM_AUTHTOK_ERR; -+ goto error_opasswd; -+ } -+ -+ if (!do_create) -+ while (!feof (oldpf)) -+ { -+ char *cp, *tmp, *save; -+#if defined(HAVE_GETLINE) -+ ssize_t n = getline (&buf, &buflen, oldpf); -+#elif defined (HAVE_GETDELIM) -+ ssize_t n = getdelim (&buf, &buflen, '\n', oldpf); -+#else -+ ssize_t n; -+ -+ if (buf == NULL) -+ { -+ buflen = DEFAULT_BUFLEN; -+ buf = malloc (buflen); -+ if (buf == NULL) -+ return PAM_BUF_ERR; -+ -+ } -+ buf[0] = '\0'; -+ fgets (buf, buflen - 1, oldpf); -+ n = strlen (buf); -+#endif /* HAVE_GETLINE / HAVE_GETDELIM */ -+ -+ cp = buf; -+ save = strdup (buf); /* Copy to write the original data back. */ -+ if (save == NULL) -+ return PAM_BUF_ERR; -+ -+ if (n < 1) -+ break; -+ -+ tmp = strchr (cp, '#'); /* remove comments */ -+ if (tmp) -+ *tmp = '\0'; -+ while (isspace ((int)*cp)) /* remove spaces and tabs */ -+ ++cp; -+ if (*cp == '\0') /* ignore empty lines */ -+ goto write_old_data; -+ -+ if (cp[strlen (cp) - 1] == '\n') -+ cp[strlen (cp) - 1] = '\0'; -+ -+ if (strncmp (cp, user, strlen (user)) == 0 && -+ cp[strlen (user)] == ':') -+ { -+ /* We found the line we needed */ -+ opwd entry; -+ -+ if (parse_entry (cp, &entry) == 0) -+ { -+ char *out = NULL; -+ -+ found = 1; -+ -+ /* Don't save the current password twice */ -+ if (entry.old_passwords) -+ { -+ /* there is only one password */ -+ if (strcmp (entry.old_passwords, oldpass) == 0) -+ goto write_old_data; -+ else -+ { -+ /* check last entry */ -+ cp = strstr (entry.old_passwords, oldpass); -+ -+ if (cp && strcmp (cp, oldpass) == 0) -+ { /* the end is the same, check that there -+ is a "," before. */ -+ --cp; -+ if (*cp == ',') -+ goto write_old_data; -+ } -+ } -+ } -+ -+ /* increase count. */ -+ entry.count++; -+ -+ /* check that we don't remember to many passwords. */ -+ while (entry.count > howmany) -+ { -+ char *p = strpbrk (entry.old_passwords, ","); -+ if (p != NULL) -+ entry.old_passwords = ++p; -+ entry.count--; -+ } -+ -+ if (entry.old_passwords == NULL) -+ { -+ if (asprintf (&out, "%s:%s:%d:%s\n", -+ entry.user, entry.uid, entry.count, -+ oldpass) < 0) -+ { -+ retval = PAM_AUTHTOK_ERR; -+ fclose (oldpf); -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ } -+ else -+ { -+ if (asprintf (&out, "%s:%s:%d:%s,%s\n", -+ entry.user, entry.uid, entry.count, -+ entry.old_passwords, oldpass) < 0) -+ { -+ retval = PAM_AUTHTOK_ERR; -+ fclose (oldpf); -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ } -+ -+ if (fputs (out, newpf) < 0) -+ { -+ free (out); -+ free (save); -+ retval = PAM_AUTHTOK_ERR; -+ fclose (oldpf); -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ free (out); -+ } -+ } -+ else -+ { -+ write_old_data: -+ if (fputs (save, newpf) < 0) -+ { -+ free (save); -+ retval = PAM_AUTHTOK_ERR; -+ fclose (oldpf); -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ } -+ free (save); -+ } -+ -+ if (!found) -+ { -+ char *out; -+ -+ if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0) -+ { -+ retval = PAM_AUTHTOK_ERR; -+ if (oldpf) -+ fclose (oldpf); -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ if (fputs (out, newpf) < 0) -+ { -+ free (out); -+ retval = PAM_AUTHTOK_ERR; -+ if (oldpf) -+ fclose (oldpf); -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ free (out); -+ } -+ -+ if (oldpf) -+ if (fclose (oldpf) != 0) -+ { -+ pam_syslog (pamh, LOG_ERR, "Error while closing old opasswd file: %m"); -+ retval = PAM_AUTHTOK_ERR; -+ fclose (newpf); -+ goto error_opasswd; -+ } -+ -+ if (fclose (newpf) != 0) -+ { -+ pam_syslog (pamh, LOG_ERR, -+ "Error while closing temporary opasswd file: %m"); -+ retval = PAM_AUTHTOK_ERR; -+ goto error_opasswd; -+ } -+ -+ unlink (OLD_PASSWORDS_FILE".old"); -+ if (link (OLD_PASSWORDS_FILE, OLD_PASSWORDS_FILE".old") != 0 && -+ errno != ENOENT) -+ pam_syslog (pamh, LOG_ERR, "Cannot create backup file of %s: %m", -+ OLD_PASSWORDS_FILE); -+ rename (opasswd_tmp, OLD_PASSWORDS_FILE); -+ error_opasswd: -+ unlink (opasswd_tmp); -+ -+ return retval; -+} -Index: modules/pam_pwhistory/opasswd.h -=================================================================== -RCS file: modules/pam_pwhistory/opasswd.h -diff -N modules/pam_pwhistory/opasswd.h ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/opasswd.h 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,45 @@ -+/* -+ * Copyright (c) 2008 Thorsten Kukuk -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#ifndef __OPASSWD_H__ -+#define __OPASSWD_H__ -+ -+extern int check_old_password (pam_handle_t *pamh, const char *user, -+ const char *newpass, int debug); -+extern int save_old_password (pam_handle_t *pamh, const char *user, -+ uid_t uid, const char *oldpass, -+ int howmany, int debug); -+ -+#endif /* __OPASSWD_H__ */ -Index: modules/pam_pwhistory/pam_pwhistory.8.xml -=================================================================== -RCS file: modules/pam_pwhistory/pam_pwhistory.8.xml -diff -N modules/pam_pwhistory/pam_pwhistory.8.xml ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/pam_pwhistory.8.xml 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,226 @@ -+ -+ -+ -+ -+ -+ -+ pam_pwhistory -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pam_pwhistory -+ PAM module to remember last passwords -+ -+ -+ -+ -+ pam_pwhistory.so -+ -+ debug -+ -+ -+ use_authtok -+ -+ -+ enforce_for_root -+ -+ -+ remember=N -+ -+ -+ retry=N -+ -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ This module saves the last passwords for each user in order -+ to force password change history and keep the user from -+ alternating between the same password too frequently. -+ -+ -+ This module does not work togehter with kerberos. In general, -+ it does not make much sense to use this module in conjuction -+ with NIS or LDAP, since the old passwords are stored on the -+ local machine and are not available on another machine for -+ password history checking. -+ -+ -+ -+ -+ OPTIONS -+ -+ -+ -+ -+ -+ -+ -+ Turns on debugging via -+ -+ syslog3 -+ . -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ When password changing enforce the module to use the new password -+ provided by a previously stacked -+ module (this is used in the example of the stacking of the -+ pam_cracklib module documented below). -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ If this option is set, the check is enforced for root, too. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The last N passwords for each -+ user are saved in /etc/security/opasswd. -+ The default is 10. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Prompt user at most N times -+ before returning with error. The default is -+ 1. -+ -+ -+ -+ -+ -+ -+ -+ -+ MODULE TYPES PROVIDED -+ -+ Only the module type is provided. -+ -+ -+ -+ -+ RETURN VALUES -+ -+ -+ PAM_AUTHTOK_ERR -+ -+ -+ No new password was entered, the user aborted password -+ change or new password couldn't be set. -+ -+ -+ -+ -+ PAM_IGNORE -+ -+ -+ Password history was disabled. -+ -+ -+ -+ -+ PAM_MAXTRIES -+ -+ -+ Password was rejected too often. -+ -+ -+ -+ -+ PAM_USER_UNKNOWN -+ -+ -+ User is not known to system. -+ -+ -+ -+ -+ -+ -+ -+ EXAMPLES -+ -+ An example password section would be: -+ -+#%PAM-1.0 -+password required pam_pwhistory.so -+password required pam_unix.so use_authtok -+ -+ -+ -+ In combination with pam_cracklib: -+ -+#%PAM-1.0 -+password required pam_cracklib.so retry=3 -+password required pam_pwhistory.so use_authtok -+password required pam_unix.so use_authtok -+ -+ -+ -+ -+ -+ FILES -+ -+ -+ /etc/security/opasswd -+ -+ File with password history -+ -+ -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam.conf5 -+ , -+ -+ pam.d5 -+ , -+ -+ pam8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de> -+ -+ -+ -+ -Index: modules/pam_pwhistory/pam_pwhistory.c -=================================================================== -RCS file: modules/pam_pwhistory/pam_pwhistory.c -diff -N modules/pam_pwhistory/pam_pwhistory.c ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/pam_pwhistory.c 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,319 @@ -+/* -+ * Copyright (c) 2008 Thorsten Kukuk -+ * Author: Thorsten Kukuk -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#if defined(HAVE_CONFIG_H) -+#include -+#endif -+ -+#define PAM_SM_PASSWORD -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+#include "opasswd.h" -+ -+#define NEW_PASSWORD_PROMPT _("New %s%spassword: ") -+#define AGAIN_PASSWORD_PROMPT _("Retype new %s%spassword: ") -+#define MISTYPED_PASSWORD _("Sorry, passwords do not match.") -+ -+#define DEFAULT_BUFLEN 2048 -+ -+struct options_t { -+ int debug; -+ int use_authtok; -+ int enforce_for_root; -+ int remember; -+ int tries; -+}; -+typedef struct options_t options_t; -+ -+ -+static void -+parse_option (pam_handle_t *pamh, const char *argv, options_t *options) -+{ -+ if (strcasecmp (argv, "use_first_pass") == 0) -+ /* ignore */; -+ else if (strcasecmp (argv, "use_first_pass") == 0) -+ /* ignore */; -+ else if (strcasecmp (argv, "use_authtok") == 0) -+ options->use_authtok = 1; -+ else if (strcasecmp (argv, "debug") == 0) -+ options->debug = 1; -+ else if (strncasecmp (argv, "remember=", 9) == 0) -+ { -+ options->remember = strtol(&argv[9], NULL, 10); -+ if (options->remember < 0) -+ options->remember = 0; -+ if (options->remember > 400) -+ options->remember = 400; -+ } -+ else if (strncasecmp (argv, "retry=", 6) == 0) -+ { -+ options->tries = strtol(&argv[6], NULL, 10); -+ if (options->tries < 0) -+ options->tries = 1; -+ } -+ else if (strcasecmp (argv, "enforce_for_root") == 0) -+ options->enforce_for_root = 1; -+ else -+ pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); -+} -+ -+ -+PAM_EXTERN int -+pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) -+{ -+ struct passwd *pwd; -+ char *newpass; -+ const char *user; -+ void *newpass_void; -+ int retval, tries; -+ options_t options; -+ -+ memset (&options, 0, sizeof (options)); -+ -+ /* Set some default values, which could be overwritten later. */ -+ options.remember = 10; -+ options.tries = 1; -+ -+ /* Parse parameters for module */ -+ for ( ; argc-- > 0; argv++) -+ parse_option (pamh, *argv, &options); -+ -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered"); -+ -+ -+ if (options.remember == 0) -+ return PAM_IGNORE; -+ -+ retval = pam_get_user (pamh, &user, NULL); -+ if (retval != PAM_SUCCESS) -+ return retval; -+ -+ if (user == NULL || strlen (user) == 0) -+ { -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, -+ "User is not known to system"); -+ -+ return PAM_USER_UNKNOWN; -+ } -+ -+ if (flags & PAM_PRELIM_CHECK) -+ { -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, -+ "pam_sm_chauthtok(PAM_PRELIM_CHECK)"); -+ -+ return PAM_SUCCESS; -+ } -+ -+ pwd = pam_modutil_getpwnam (pamh, user); -+ if (pwd == NULL) -+ return PAM_USER_UNKNOWN; -+ -+ /* Ignore root if not enforced */ -+ if (pwd->pw_uid == 0 && !options.enforce_for_root) -+ return PAM_SUCCESS; -+ -+ if ((strcmp(pwd->pw_passwd, "x") == 0) || -+ ((pwd->pw_passwd[0] == '#') && -+ (pwd->pw_passwd[1] == '#') && -+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) -+ { -+ struct spwd *spw = pam_modutil_getspnam (pamh, user); -+ if (spw == NULL) -+ return PAM_USER_UNKNOWN; -+ -+ retval = save_old_password (pamh, user, pwd->pw_uid, spw->sp_pwdp, -+ options.remember, options.debug); -+ if (retval != PAM_SUCCESS) -+ return retval; -+ } -+ else -+ { -+ retval = save_old_password (pamh, user, pwd->pw_uid, pwd->pw_passwd, -+ options.remember, options.debug); -+ if (retval != PAM_SUCCESS) -+ return retval; -+ } -+ -+ retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &newpass_void); -+ newpass = (char *) newpass_void; -+ if (retval != PAM_SUCCESS) -+ return retval; -+ if (options.debug) -+ { -+ if (newpass) -+ pam_syslog (pamh, LOG_DEBUG, "got new auth token"); -+ else -+ pam_syslog (pamh, LOG_DEBUG, "new auth token not set"); -+ } -+ -+ /* If we haven't been given a password yet, prompt for one... */ -+ if (newpass == NULL) -+ { -+ if (options.use_authtok) -+ /* We are not allowed to ask for a new password */ -+ return PAM_AUTHTOK_ERR; -+ -+ tries = 0; -+ -+ while ((newpass == NULL) && (tries++ < options.tries)) -+ { -+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &newpass, -+ NEW_PASSWORD_PROMPT, "UNIX", " "); -+ if (retval != PAM_SUCCESS) -+ { -+ _pam_drop (newpass); -+ if (retval == PAM_CONV_AGAIN) -+ retval = PAM_INCOMPLETE; -+ return retval; -+ } -+ -+ if (newpass == NULL) -+ { -+ /* We want to abort the password change */ -+ pam_error (pamh, _("Password change aborted.")); -+ return PAM_AUTHTOK_ERR; -+ } -+ -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, "check against old password file"); -+ -+ if (check_old_password (pamh, user, newpass, -+ options.debug) != PAM_SUCCESS) -+ { -+ pam_error (pamh, -+ _("Password has been already used. Choose another.")); -+ _pam_overwrite (newpass); -+ _pam_drop (newpass); -+ if (tries >= options.tries) -+ { -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, -+ "Aborted, too many tries"); -+ return PAM_MAXTRIES; -+ } -+ } -+ else -+ { -+ int failed; -+ char *new2; -+ -+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &new2, -+ AGAIN_PASSWORD_PROMPT, "UNIX", " "); -+ if (retval != PAM_SUCCESS) -+ return retval; -+ -+ if (new2 == NULL) -+ { /* Aborting password change... */ -+ pam_error (pamh, _("Password change aborted.")); -+ return PAM_AUTHTOK_ERR; -+ } -+ -+ failed = (strcmp (newpass, new2) != 0); -+ -+ _pam_overwrite (new2); -+ _pam_drop (new2); -+ -+ if (failed) -+ { -+ pam_error (pamh, MISTYPED_PASSWORD); -+ _pam_overwrite (newpass); -+ _pam_drop (newpass); -+ if (tries >= options.tries) -+ { -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, -+ "Aborted, too many tries"); -+ return PAM_MAXTRIES; -+ } -+ } -+ } -+ } -+ -+ /* Remember new password */ -+ pam_set_item (pamh, PAM_AUTHTOK, (void *) newpass); -+ } -+ else /* newpass != NULL, we found an old password */ -+ { -+ if (options.debug) -+ pam_syslog (pamh, LOG_DEBUG, "look in old password file"); -+ -+ if (check_old_password (pamh, user, newpass, -+ options.debug) != PAM_SUCCESS) -+ { -+ pam_error (pamh, -+ _("Password has been already used. Choose another.")); -+ /* We are only here, because old password was set. -+ So overwrite it, else it will be stored! */ -+ pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); -+ -+ return PAM_AUTHTOK_ERR; -+ } -+ } -+ -+ return PAM_SUCCESS; -+} -+ -+ -+#ifdef PAM_STATIC -+/* static module data */ -+struct pam_module _pam_pwhistory_modstruct = { -+ "pam_pwhistory", -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ pam_sm_chauthtok -+}; -+#endif ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ modules/pam_pwhistory/tst-pam_pwhistory 10 Oct 2008 06:52:40 -0000 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+../../tests/tst-dlopen .libs/pam_pwhistory.so ---- po/POTFILES.in 13 Feb 2008 14:39:41 -0000 1.15 -+++ po/POTFILES.in 10 Oct 2008 06:52:40 -0000 -@@ -58,6 +58,8 @@ - ./modules/pam_namespace/pam_namespace.c - ./modules/pam_nologin/pam_nologin.c - ./modules/pam_permit/pam_permit.c -+./modules/pam_pwhistory/opasswd.c -+./modules/pam_pwhistory/pam_pwhistory.c - ./modules/pam_rhosts/pam_rhosts.c - ./modules/pam_rootok/pam_rootok.c - ./modules/pam_securetty/pam_securetty.c ---- xtests/Makefile.am 18 Feb 2008 17:57:34 -0000 1.18 -+++ xtests/Makefile.am 10 Oct 2008 06:52:42 -0000 -@@ -28,7 +28,8 @@ - tst-pam_substack3.pamd tst-pam_substack3a.pamd tst-pam_substack3.sh \ - tst-pam_substack4.pamd tst-pam_substack4a.pamd tst-pam_substack4.sh \ - tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh \ -- tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh -+ tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh \ -+ tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh - - XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ - tst-pam_dispatch4 tst-pam_dispatch5 \ -@@ -36,7 +37,8 @@ - tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 \ - tst-pam_access1 tst-pam_access2 tst-pam_access3 \ - tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \ -- tst-pam_group1 tst-pam_authfail tst-pam_authsucceed -+ tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \ -+ tst-pam_pwhistory1 - - NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \ - tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line1 ---- xtests/run-xtests.sh 19 Oct 2007 17:06:29 -0000 1.8 -+++ xtests/run-xtests.sh 10 Oct 2008 06:52:42 -0000 -@@ -23,6 +23,8 @@ - install -m 644 "${SRCDIR}"/group.conf /etc/security/group.conf - cp /etc/security/limits.conf /etc/security/limits.conf-pam-xtests - install -m 644 "${SRCDIR}"/limits.conf /etc/security/limits.conf -+mv /etc/security/opasswd /etc/security/opasswd-pam-xtests -+ - for testname in $XTESTS ; do - for cfg in "${SRCDIR}"/$testname*.pamd ; do - install -m 644 $cfg /etc/pam.d/$(basename $cfg .pamd) -@@ -49,6 +51,7 @@ - mv /etc/security/access.conf-pam-xtests /etc/security/access.conf - mv /etc/security/group.conf-pam-xtests /etc/security/group.conf - mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf -+mv /etc/security/opasswd-pam-xtests /etc/security/opasswd - if test "$failed" -ne 0; then - echo "===================" - echo "$failed of $all tests failed" ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ xtests/tst-pam_pwhistory1.c 10 Oct 2008 06:52:42 -0000 -@@ -0,0 +1,169 @@ -+/* -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * Check remember handling -+ * Change ten times the password -+ * Try the ten passwords again, should always be rejected -+ * Try a new password, should succeed -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+ -+static int in_test; -+ -+static const char *passwords[] = { -+ "pamhistory01", "pamhistory02", "pamhistory03", -+ "pamhistory04", "pamhistory05", "pamhistory06", -+ "pamhistory07", "pamhistory08", "pamhistory09", -+ "pamhistory10", -+ "pamhistory01", "pamhistory02", "pamhistory03", -+ "pamhistory04", "pamhistory05", "pamhistory06", -+ "pamhistory07", "pamhistory08", "pamhistory09", -+ "pamhistory10", -+ "pamhistory11", -+ "pamhistory01", "pamhistory02", "pamhistory03", -+ "pamhistory04", "pamhistory05", "pamhistory06", -+ "pamhistory07", "pamhistory08", "pamhistory09", -+ "pamhistory10"}; -+ -+static int debug; -+ -+/* A conversation function which uses an internally-stored value for -+ the responses. */ -+static int -+fake_conv (int num_msg, const struct pam_message **msgm, -+ struct pam_response **response, void *appdata_ptr UNUSED) -+{ -+ struct pam_response *reply; -+ int count; -+ -+ /* Sanity test. */ -+ if (num_msg <= 0) -+ return PAM_CONV_ERR; -+ -+ if (debug) -+ fprintf (stderr, "msg_style=%d, msg=%s\n", msgm[0]->msg_style, -+ msgm[0]->msg); -+ -+ if (msgm[0]->msg_style != 1) -+ return PAM_SUCCESS; -+ -+ /* Allocate memory for the responses. */ -+ reply = calloc (num_msg, sizeof (struct pam_response)); -+ if (reply == NULL) -+ return PAM_CONV_ERR; -+ -+ /* Each prompt elicits the same response. */ -+ for (count = 0; count < num_msg; ++count) -+ { -+ reply[count].resp_retcode = 0; -+ reply[count].resp = strdup (passwords[in_test]); -+ if (debug) -+ fprintf (stderr, "send password %s\n", reply[count].resp); -+ } -+ -+ /* Set the pointers in the response structure and return. */ -+ *response = reply; -+ return PAM_SUCCESS; -+} -+ -+static struct pam_conv conv = { -+ fake_conv, -+ NULL -+}; -+ -+ -+int -+main(int argc, char *argv[]) -+{ -+ pam_handle_t *pamh=NULL; -+ const char *user="tstpampwhistory"; -+ int retval; -+ -+ if (argc > 1 && strcmp (argv[1], "-d") == 0) -+ debug = 1; -+ -+ for (in_test = 0; -+ in_test < (int)(sizeof (passwords)/sizeof (char *)); in_test++) -+ { -+ -+ retval = pam_start("tst-pam_pwhistory1", user, &conv, &pamh); -+ if (retval != PAM_SUCCESS) -+ { -+ if (debug) -+ fprintf (stderr, "pwhistory1-%d: pam_start returned %d\n", -+ in_test, retval); -+ return 1; -+ } -+ -+ retval = pam_chauthtok (pamh, 0); -+ if (in_test < 10 || in_test == 20) -+ { -+ if (retval != PAM_SUCCESS) -+ { -+ if (debug) -+ fprintf (stderr, "pwhistory1-%d: pam_chauthtok returned %d\n", -+ in_test, retval); -+ return 1; -+ } -+ } -+ else if (in_test < 20) -+ { -+ if (retval != PAM_MAXTRIES) -+ { -+ if (debug) -+ fprintf (stderr, "pwhistory1-%d: pam_chauthtok returned %d\n", -+ in_test, retval); -+ return 1; -+ } -+ } -+ -+ retval = pam_end (pamh,retval); -+ if (retval != PAM_SUCCESS) -+ { -+ if (debug) -+ fprintf (stderr, "pwhistory1: pam_end returned %d\n", retval); -+ return 1; -+ } -+ } -+ -+ return 0; -+} -Index: xtests/tst-pam_pwhistory1.pamd -=================================================================== -RCS file: xtests/tst-pam_pwhistory1.pamd -diff -N xtests/tst-pam_pwhistory1.pamd ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ xtests/tst-pam_pwhistory1.pamd 10 Oct 2008 06:52:42 -0000 -@@ -0,0 +1,7 @@ -+#%PAM-1.0 -+auth required pam_permit.so -+account required pam_permit.so -+password required pam_pwhistory.so remember=10 retry=1 debug -+password required pam_unix.so use_authtok md5 -+session required pam_permit.so -+ -Index: xtests/tst-pam_pwhistory1.sh -=================================================================== -RCS file: xtests/tst-pam_pwhistory1.sh -diff -N xtests/tst-pam_pwhistory1.sh ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ xtests/tst-pam_pwhistory1.sh 10 Oct 2008 06:52:42 -0000 -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+/usr/sbin/useradd tstpampwhistory -+./tst-pam_pwhistory1 -+RET=$? -+/usr/sbin/userdel -r tstpampwhistory 2> /dev/null -+exit $RET ---- /dev/null 2008-06-06 22:36:48.000000000 +0200 -+++ modules/pam_pwhistory/pam_pwhistory.8 2008-10-11 16:23:45.000000000 +0200 -@@ -0,0 +1,127 @@ -+.\" Title: pam_pwhistory -+.\" Author: -+.\" Generator: DocBook XSL Stylesheets v1.73.2 -+.\" Date: 10/11/2008 -+.\" Manual: Linux-PAM Manual -+.\" Source: Linux-PAM Manual -+.\" -+.TH "PAM_PWHISTORY" "8" "10/11/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -+.\" disable hyphenation -+.nh -+.\" disable justification (adjust text to left margin only) -+.ad l -+.SH "NAME" -+pam_pwhistory - PAM module to remember last passwords -+.SH "SYNOPSIS" -+.HP 17 -+\fBpam_pwhistory\.so\fR [debug] [use_authtok] [enforce_for_root] [remember=\fIN\fR] [retry=\fIN\fR] -+.SH "DESCRIPTION" -+.PP -+This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently\. -+.PP -+This module does not work togehter with kerberos\. In general, it does not make much sense to use this module in conjuction with NIS or LDAP, since the old passwords are stored on the local machine and are not available on another machine for password history checking\. -+.SH "OPTIONS" -+.PP -+\fBdebug\fR -+.RS 4 -+Turns on debugging via -+\fBsyslog\fR(3)\. -+.RE -+.PP -+\fBuse_authtok\fR -+.RS 4 -+When password changing enforce the module to use the new password provided by a previously stacked -+\fBpassword\fR -+module (this is used in the example of the stacking of the -+\fBpam_cracklib\fR -+module documented below)\. -+.RE -+.PP -+\fBenforce_for_root\fR -+.RS 4 -+If this option is set, the check is enforced for root, too\. -+.RE -+.PP -+\fBremember=\fR\fB\fIN\fR\fR -+.RS 4 -+The last -+\fIN\fR -+passwords for each user are saved in -+\fI/etc/security/opasswd\fR\. The default is -+\fI10\fR\. -+.RE -+.PP -+\fBretry=\fR\fB\fIN\fR\fR -+.RS 4 -+Prompt user at most -+\fIN\fR -+times before returning with error\. The default is -+\fI1\fR\. -+.RE -+.SH "MODULE TYPES PROVIDED" -+.PP -+Only the -+\fBpassword\fR -+module type is provided\. -+.SH "RETURN VALUES" -+.PP -+PAM_AUTHTOK_ERR -+.RS 4 -+No new password was entered, the user aborted password change or new password couldn\'t be set\. -+.RE -+.PP -+PAM_IGNORE -+.RS 4 -+Password history was disabled\. -+.RE -+.PP -+PAM_MAXTRIES -+.RS 4 -+Password was rejected too often\. -+.RE -+.PP -+PAM_USER_UNKNOWN -+.RS 4 -+User is not known to system\. -+.RE -+.SH "EXAMPLES" -+.PP -+An example password section would be: -+.sp -+.RS 4 -+.nf -+#%PAM\-1\.0 -+password required pam_pwhistory\.so -+password required pam_unix\.so use_authtok -+ -+.fi -+.RE -+.PP -+In combination with -+\fBpam_cracklib\fR: -+.sp -+.RS 4 -+.nf -+#%PAM\-1\.0 -+password required pam_cracklib\.so retry=3 -+password required pam_pwhistory\.so use_authtok -+password required pam_unix\.so use_authtok -+ -+.fi -+.RE -+.sp -+.SH "FILES" -+.PP -+\fI/etc/security/opasswd\fR -+.RS 4 -+File with password history -+.RE -+.SH "SEE ALSO" -+.PP -+ -+\fBpam.conf\fR(5), -+\fBpam.d\fR(5), -+\fBpam\fR(8) -+.SH "AUTHOR" -+.PP -+pam_pwhistory was written by Thorsten Kukuk diff --git a/pam_pwhistory-type.diff b/pam_pwhistory-type.diff deleted file mode 100644 index 0fe7a01..0000000 --- a/pam_pwhistory-type.diff +++ /dev/null @@ -1,102 +0,0 @@ -Index: modules/pam_pwhistory/pam_pwhistory.8.xml -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_pwhistory/pam_pwhistory.8.xml,v -retrieving revision 1.1 -diff -u -r1.1 pam_pwhistory.8.xml ---- modules/pam_pwhistory/pam_pwhistory.8.xml 10 Oct 2008 06:53:45 -0000 1.1 -+++ modules/pam_pwhistory/pam_pwhistory.8.xml 19 Nov 2008 14:24:00 -0000 -@@ -33,6 +33,9 @@ - - retry=N - -+ -+ type=STRING -+ - - - -@@ -119,6 +122,21 @@ - - - -+ -+ -+ -+ -+ -+ -+ The default action is for the module to use the -+ following prompts when requesting passwords: -+ "New UNIX password: " and "Retype UNIX password: ". -+ The default word UNIX can -+ be replaced with this option. -+ -+ -+ -+ - - - -Index: modules/pam_pwhistory/pam_pwhistory.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_pwhistory/pam_pwhistory.c,v -retrieving revision 1.1 -diff -u -r1.1 pam_pwhistory.c ---- modules/pam_pwhistory/pam_pwhistory.c 10 Oct 2008 06:53:45 -0000 1.1 -+++ modules/pam_pwhistory/pam_pwhistory.c 19 Nov 2008 14:24:00 -0000 -@@ -58,7 +58,9 @@ - - #include "opasswd.h" - -+/* For Translators: "%s%s" could be replaced with " " or "". */ - #define NEW_PASSWORD_PROMPT _("New %s%spassword: ") -+/* For Translators: "%s%s" could be replaced with " " or "". */ - #define AGAIN_PASSWORD_PROMPT _("Retype new %s%spassword: ") - #define MISTYPED_PASSWORD _("Sorry, passwords do not match.") - -@@ -70,6 +72,7 @@ - int enforce_for_root; - int remember; - int tries; -+ const char *prompt_type; - }; - typedef struct options_t options_t; - -@@ -101,6 +104,8 @@ - } - else if (strcasecmp (argv, "enforce_for_root") == 0) - options->enforce_for_root = 1; -+ else if (strncasecmp (argv, "type=", 5) == 0) -+ options->prompt_type = &argv[5]; - else - pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); - } -@@ -121,6 +126,7 @@ - /* Set some default values, which could be overwritten later. */ - options.remember = 10; - options.tries = 1; -+ options.prompt_type = "UNIX"; - - /* Parse parameters for module */ - for ( ; argc-- > 0; argv++) -@@ -209,7 +215,8 @@ - while ((newpass == NULL) && (tries++ < options.tries)) - { - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &newpass, -- NEW_PASSWORD_PROMPT, "UNIX", " "); -+ NEW_PASSWORD_PROMPT, options.prompt_type, -+ strlen (options.prompt_type) > 0?" ":""); - if (retval != PAM_SUCCESS) - { - _pam_drop (newpass); -@@ -249,7 +256,9 @@ - char *new2; - - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &new2, -- AGAIN_PASSWORD_PROMPT, "UNIX", " "); -+ AGAIN_PASSWORD_PROMPT, -+ options.prompt_type, -+ strlen (options.prompt_type) > 0?" ":""); - if (retval != PAM_SUCCESS) - return retval; - diff --git a/pam_sepermit.diff b/pam_sepermit.diff deleted file mode 100644 index 8989421..0000000 --- a/pam_sepermit.diff +++ /dev/null @@ -1,17 +0,0 @@ - -2008-04-17 Tomas Mraz - - * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Do not try - to lock if euid != 0. - ---- Linux-PAM-1.0/modules/pam_sepermit/pam_sepermit.c 2008-03-31 12:31:50.000000000 +0200 -+++ Linux-PAM/modules/pam_sepermit/pam_sepermit.c 2008-04-17 16:29:02.000000000 +0200 -@@ -305,7 +305,7 @@ - free(line); - fclose(f); - if (matched) -- return exclusive ? sepermit_lock(pamh, user, debug) : 0; -+ return (geteuid() == 0 && exclusive) ? sepermit_lock(pamh, user, debug) : 0; - else - return -1; - } diff --git a/pam_tally-deprecated.diff b/pam_tally-deprecated.diff new file mode 100644 index 0000000..4bd4a14 --- /dev/null +++ b/pam_tally-deprecated.diff @@ -0,0 +1,55 @@ +--- modules/pam_tally/pam_tally.8.xml ++++ modules/pam_tally/pam_tally.8.xml 2009/03/27 10:49:17 +@@ -81,7 +81,13 @@ + + + This module maintains a count of attempted accesses, can +- reset count on success, can deny access if too many attempts fail. ++ reset count on success, can deny access if too many attempts ++ fail. ++ ++ ++ pam_tally has several limitations, which are solved with ++ pam_tally2. For this reason pam_tally is deprecated and ++ will be removed in a future release. + + + pam_tally comes in two parts: +--- modules/pam_tally/pam_tally.c ++++ modules/pam_tally/pam_tally.c 2009/03/27 10:52:56 +@@ -630,6 +630,8 @@ + const char + *user; + ++ pam_syslog (pamh, LOG_INFO, "pam_tally is deprecated and obsoleted by pam_tally2"); ++ + rvcheck = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); + if ( rvcheck != PAM_SUCCESS ) + RETURN_ERROR( rvcheck ); +@@ -664,6 +666,8 @@ + const char + *user; + ++ pam_syslog (pamh, LOG_INFO, "pam_tally is deprecated and obsoleted by pam_tally2"); ++ + rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); +@@ -709,6 +713,8 @@ + const char + *user; + ++ pam_syslog (pamh, LOG_INFO, "pam_tally is deprecated and obsoleted by pam_tally2"); ++ + rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); +@@ -815,6 +821,8 @@ + exit(0); + } + ++ fprintf (stderr, "\npam_tally is deprecated and pam_tally2 should be used instead\n\n"); ++ + umask(077); + + /* diff --git a/pam_tally-fdleak.diff b/pam_tally-fdleak.diff deleted file mode 100644 index 153256d..0000000 --- a/pam_tally-fdleak.diff +++ /dev/null @@ -1,37 +0,0 @@ -2008-09-25 Tomas Mraz - - * modules/pam_tally/pam_tally.c(get_tally): Fix syslog message. - (tally_check): Open faillog read only. Close file descriptor. - Fix typos in messages. - ---- modules/pam_tally/pam_tally.c 9 Jul 2008 12:23:23 -0000 1.30 -+++ modules/pam_tally/pam_tally.c 19 Sep 2008 12:29:21 -0000 -@@ -350,7 +350,7 @@ get_tally(pam_handle_t *pamh, tally_t *t - } - - if ( ! ( *TALLY = fopen(filename,(*tally!=TALLY_HI)?"r+":"r") ) ) { -- pam_syslog(pamh, LOG_ALERT, "Error opening %s for update", filename); -+ pam_syslog(pamh, LOG_ALERT, "Error opening %s for %s", filename, *tally!=TALLY_HI?"update":"read"); - - /* Discovering why account service fails: e/uid are target user. - * -@@ -504,7 +504,7 @@ tally_check (time_t oldtime, pam_handle_ - tally_t - deny = opts->deny; - tally_t -- tally = 0; /* !TALLY_HI --> Log opened for update */ -+ tally = TALLY_HI; - long - lock_time = opts->lock_time; - -@@ -515,6 +515,10 @@ tally_check (time_t oldtime, pam_handle_ - i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - -+ if ( TALLY != NULL ) { -+ fclose(TALLY); -+ } -+ - if ( !(opts->ctrl & OPT_MAGIC_ROOT) || getuid() ) { /* magic_root skips tally check */ - - /* To deny or not to deny; that is the question */ diff --git a/pam_tally.diff b/pam_tally.diff deleted file mode 100644 index 2987152..0000000 --- a/pam_tally.diff +++ /dev/null @@ -1,173 +0,0 @@ - -2008-07-09 Thorsten Kukuk - - * modules/pam_tally/pam_tally.c: Add support for silent and - no_log_info options. - * modules/pam_tally/pam_tally.8.xml: Document silent and - no_log_info options. - ---- Linux-PAM-1.0/modules/pam_tally/pam_tally.8.xml 2007-10-10 16:10:07.000000000 +0200 -+++ Linux-PAM/modules/pam_tally/pam_tally.8.xml 2008-08-20 20:56:28.000000000 +0200 -@@ -51,6 +51,12 @@ - - audit - -+ -+ silent -+ -+ -+ no_log_info -+ - - - pam_tally -@@ -150,6 +156,26 @@ - - - -+ -+ -+ -+ -+ -+ -+ Don't print informative messages. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't log informative messages via syslog3. -+ -+ -+ - - - ---- Linux-PAM-1.0/modules/pam_tally/pam_tally.c 2007-11-20 11:58:11.000000000 +0100 -+++ Linux-PAM/modules/pam_tally/pam_tally.c 2008-07-16 10:09:02.000000000 +0200 -@@ -97,6 +97,8 @@ - #define OPT_NO_LOCK_TIME 020 - #define OPT_NO_RESET 040 - #define OPT_AUDIT 0100 -+#define OPT_SILENT 0200 -+#define OPT_NOLOGNOTICE 0400 - - - /*---------------------------------------------------------------------*/ -@@ -205,6 +207,12 @@ - else if ( ! strcmp ( *argv, "audit") ) { - opts->ctrl |= OPT_AUDIT; - } -+ else if ( ! strcmp ( *argv, "silent") ) { -+ opts->ctrl |= OPT_SILENT; -+ } -+ else if ( ! strcmp ( *argv, "no_log_info") ) { -+ opts->ctrl |= OPT_NOLOGNOTICE; -+ } - else { - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } -@@ -524,12 +532,17 @@ - { - if ( lock_time + oldtime > time(NULL) ) - { -- pam_syslog(pamh, LOG_NOTICE, -- "user %s (%lu) has time limit [%lds left]" -- " since last failure.", -- user, (unsigned long int) uid, -- oldtime+lock_time -- -time(NULL)); -+ if (!(opts->ctrl & OPT_SILENT)) -+ pam_info (pamh, -+ _("Account temporary locked (%lds seconds left)"), -+ oldtime+lock_time-time(NULL)); -+ -+ if (!(opts->ctrl & OPT_NOLOGNOTICE)) -+ pam_syslog (pamh, LOG_NOTICE, -+ "user %s (%lu) has time limit [%lds left]" -+ " since last failure.", -+ user, (unsigned long int) uid, -+ oldtime+lock_time-time(NULL)); - return PAM_AUTH_ERR; - } - } -@@ -545,9 +558,14 @@ - ( tally > deny ) && /* tally>deny means exceeded */ - ( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */ - ) { -- pam_syslog(pamh, LOG_NOTICE, -- "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, -- user, (unsigned long int) uid, tally, deny); -+ if (!(opts->ctrl & OPT_SILENT)) -+ pam_info (pamh, _("Accounted locked due to "TALLY_FMT" failed login"), -+ tally); -+ -+ if (!(opts->ctrl & OPT_NOLOGNOTICE)) -+ pam_syslog(pamh, LOG_NOTICE, -+ "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, -+ user, (unsigned long int) uid, tally, deny); - return PAM_AUTH_ERR; /* Only unconditional failure */ - } - } -@@ -594,7 +612,7 @@ - #ifdef PAM_SM_AUTH - - PAM_EXTERN int --pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, -+pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv) - { - int -@@ -612,6 +630,9 @@ - if ( rvcheck != PAM_SUCCESS ) - RETURN_ERROR( rvcheck ); - -+ if (flags & PAM_SILENT) -+ opts->ctrl |= OPT_SILENT; -+ - rvcheck = pam_get_uid(pamh, &uid, &user, opts); - if ( rvcheck != PAM_SUCCESS ) - RETURN_ERROR( rvcheck ); -@@ -625,7 +646,7 @@ - } - - PAM_EXTERN int --pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, -+pam_sm_setcred(pam_handle_t *pamh, int flags, - int argc, const char **argv) - { - int -@@ -643,6 +664,9 @@ - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - -+ if (flags & PAM_SILENT) -+ opts->ctrl |= OPT_SILENT; -+ - rv = pam_get_uid(pamh, &uid, &user, opts); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); -@@ -667,7 +691,7 @@ - /* To reset failcount of user on successfull login */ - - PAM_EXTERN int --pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) - { - int -@@ -685,6 +709,9 @@ - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - -+ if (flags & PAM_SILENT) -+ opts->ctrl |= OPT_SILENT; -+ - rv = pam_get_uid(pamh, &uid, &user, opts); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); diff --git a/pam_tally2.diff b/pam_tally2.diff deleted file mode 100644 index ef6a93c..0000000 --- a/pam_tally2.diff +++ /dev/null @@ -1,1622 +0,0 @@ -diff -up pam/configure.in.pt2 pam/configure.in ---- pam/configure.in.pt2 2008-10-16 16:12:18.000000000 +0200 -+++ pam/configure.in 2008-10-15 10:28:46.000000000 +0200 -@@ -548,6 +548,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - modules/pam_sepermit/Makefile \ - modules/pam_shells/Makefile modules/pam_stress/Makefile \ - modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \ -+ modules/pam_tally2/Makefile \ - modules/pam_time/Makefile modules/pam_tty_audit/Makefile \ - modules/pam_umask/Makefile \ - modules/pam_unix/Makefile modules/pam_userdb/Makefile \ -diff -up pam/modules/Makefile.am.pt2 pam/modules/Makefile.am ---- pam/modules/Makefile.am.pt2 2008-10-16 16:12:18.000000000 +0200 -+++ pam/modules/Makefile.am 2008-10-15 10:28:13.000000000 +0200 -@@ -9,7 +9,7 @@ SUBDIRS = pam_access pam_cracklib pam_de - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ -- pam_succeed_if pam_tally pam_time pam_tty_audit pam_umask \ -+ pam_succeed_if pam_tally pam_tally2 pam_time pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth - - CLEANFILES = *~ -diff -up pam/modules/pam_tally2/tallylog.h.pt2 pam/modules/pam_tally2/tallylog.h ---- pam/modules/pam_tally2/tallylog.h.pt2 2008-10-15 12:14:21.000000000 +0200 -+++ pam/modules/pam_tally2/tallylog.h 2008-02-27 17:08:50.000000000 +0100 -@@ -0,0 +1,52 @@ -+/* -+ * Copyright 2006, Red Hat, Inc. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. Neither the name of Red Hat, Inc. nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ */ -+ -+/* -+ * tallylog.h - login failure data file format -+ * -+ * The new login failure file is not compatible with the old faillog(8) format -+ * Each record in the file represents a separate UID and the file -+ * is indexed in that fashion. -+ */ -+ -+ -+#ifndef _TALLYLOG_H -+#define _TALLYLOG_H -+ -+#include -+ -+struct tallylog { -+ char fail_line[52]; /* rhost or tty of last failure */ -+ uint16_t reserved; /* reserved for future use */ -+ uint16_t fail_cnt; /* failures since last success */ -+ uint64_t fail_time; /* time of last failure */ -+}; -+/* 64 bytes / entry */ -+ -+#endif -diff -up pam/modules/pam_tally2/pam_tally.c.pt2 pam/modules/pam_tally2/pam_tally.c ---- pam/modules/pam_tally2/pam_tally.c.pt2 2008-10-15 12:14:21.000000000 +0200 -+++ pam/modules/pam_tally2/pam_tally.c 2008-10-15 12:07:54.000000000 +0200 -@@ -0,0 +1,985 @@ -+/* -+ * pam_tally.c -+ * -+ */ -+ -+ -+/* By Tim Baverstock , Multi Media Machine Ltd. -+ * 5 March 1997 -+ * -+ * Stuff stolen from pam_rootok and pam_listfile -+ * -+ * Changes by Tomas Mraz 5 January 2005, 26 January 2006 -+ * Audit option added for Tomas patch by Sebastien Tricaud 13 January 2005 -+ * Portions Copyright 2006, Red Hat, Inc. -+ * Portions Copyright 1989 - 1993, Julianne Frances Haugh -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#if defined(MAIN) && defined(MEMORY_DEBUG) -+# undef exit -+#endif /* defined(MAIN) && defined(MEMORY_DEBUG) */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef HAVE_LIBAUDIT -+#include -+#endif -+ -+#include -+#include -+#include -+#include "tallylog.h" -+ -+#ifndef TRUE -+#define TRUE 1L -+#define FALSE 0L -+#endif -+ -+#ifndef HAVE_FSEEKO -+#define fseeko fseek -+#endif -+ -+/* -+ * here, we make a definition for the externally accessible function -+ * in this file (this definition is required for static a module -+ * but strongly encouraged generally) it is used to instruct the -+ * modules include file to define the function prototypes. -+ */ -+ -+#ifndef MAIN -+#define PAM_SM_AUTH -+#define PAM_SM_ACCOUNT -+/* #define PAM_SM_SESSION */ -+/* #define PAM_SM_PASSWORD */ -+ -+#include -+#include -+#endif -+#include -+ -+/*---------------------------------------------------------------------*/ -+ -+#define DEFAULT_LOGFILE "/var/log/tallylog" -+#define MODULE_NAME "pam_tally2" -+ -+#define tally_t uint16_t -+#define TALLY_HI ((tally_t)~0L) -+ -+struct tally_options { -+ const char *filename; -+ tally_t deny; -+ long lock_time; -+ long unlock_time; -+ long root_unlock_time; -+ unsigned int ctrl; -+}; -+ -+#define PHASE_UNKNOWN 0 -+#define PHASE_AUTH 1 -+#define PHASE_ACCOUNT 2 -+#define PHASE_SESSION 3 -+ -+#define OPT_MAGIC_ROOT 01 -+#define OPT_FAIL_ON_ERROR 02 -+#define OPT_DENY_ROOT 04 -+#define OPT_QUIET 040 -+#define OPT_AUDIT 0100 -+#define OPT_NOLOGNOTICE 0400 -+ -+ -+/*---------------------------------------------------------------------*/ -+ -+/* some syslogging */ -+ -+#ifdef MAIN -+#define pam_syslog tally_log -+static void -+tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED, -+ const char *fmt, ...) -+{ -+ va_list args; -+ -+ va_start(args, fmt); -+ fprintf(stderr, "%s: ", MODULE_NAME); -+ vfprintf(stderr, fmt, args); -+ fprintf(stderr,"\n"); -+ va_end(args); -+} -+ -+#define pam_modutil_getpwnam(pamh, user) getpwnam(user) -+#endif -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- Support function: parse arguments --- */ -+ -+#ifndef MAIN -+ -+static void -+log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) -+{ -+ if ( phase != PHASE_AUTH ) { -+ pam_syslog(pamh, LOG_ERR, -+ "option %s allowed in auth phase only", argv); -+ } -+} -+ -+static int -+tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, -+ int phase, int argc, const char **argv) -+{ -+ memset(opts, 0, sizeof(*opts)); -+ opts->filename = DEFAULT_LOGFILE; -+ opts->ctrl = OPT_FAIL_ON_ERROR; -+ opts->root_unlock_time = -1; -+ -+ for ( ; argc-- > 0; ++argv ) { -+ -+ if ( ! strncmp( *argv, "file=", 5 ) ) { -+ const char *from = *argv + 5; -+ if ( *from!='/' ) { -+ pam_syslog(pamh, LOG_ERR, -+ "filename not /rooted; %s", *argv); -+ return PAM_AUTH_ERR; -+ } -+ opts->filename = from; -+ } -+ else if ( ! strcmp( *argv, "onerr=fail" ) ) { -+ opts->ctrl |= OPT_FAIL_ON_ERROR; -+ } -+ else if ( ! strcmp( *argv, "onerr=succeed" ) ) { -+ opts->ctrl &= ~OPT_FAIL_ON_ERROR; -+ } -+ else if ( ! strcmp( *argv, "magic_root" ) ) { -+ opts->ctrl |= OPT_MAGIC_ROOT; -+ } -+ else if ( ! strcmp( *argv, "even_deny_root_account" ) || -+ ! strcmp( *argv, "even_deny_root" ) ) { -+ log_phase_no_auth(pamh, phase, *argv); -+ opts->ctrl |= OPT_DENY_ROOT; -+ } -+ else if ( ! strncmp( *argv, "deny=", 5 ) ) { -+ log_phase_no_auth(pamh, phase, *argv); -+ if ( sscanf((*argv)+5,"%hu",&opts->deny) != 1 ) { -+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); -+ return PAM_AUTH_ERR; -+ } -+ } -+ else if ( ! strncmp( *argv, "lock_time=", 10 ) ) { -+ log_phase_no_auth(pamh, phase, *argv); -+ if ( sscanf((*argv)+10,"%ld",&opts->lock_time) != 1 ) { -+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); -+ return PAM_AUTH_ERR; -+ } -+ } -+ else if ( ! strncmp( *argv, "unlock_time=", 12 ) ) { -+ log_phase_no_auth(pamh, phase, *argv); -+ if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) { -+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); -+ return PAM_AUTH_ERR; -+ } -+ } -+ else if ( ! strncmp( *argv, "root_unlock_time=", 17 ) ) { -+ log_phase_no_auth(pamh, phase, *argv); -+ if ( sscanf((*argv)+17,"%ld",&opts->root_unlock_time) != 1 ) { -+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); -+ return PAM_AUTH_ERR; -+ } -+ opts->ctrl |= OPT_DENY_ROOT; /* even_deny_root implied */ -+ } -+ else if ( ! strcmp( *argv, "quiet" ) || -+ ! strcmp ( *argv, "silent")) { -+ opts->ctrl |= OPT_QUIET; -+ } -+ else if ( ! strcmp ( *argv, "no_log_info") ) { -+ opts->ctrl |= OPT_NOLOGNOTICE; -+ } -+ else if ( ! strcmp ( *argv, "audit") ) { -+ opts->ctrl |= OPT_AUDIT; -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); -+ } -+ } -+ -+ if (opts->root_unlock_time == -1) -+ opts->root_unlock_time = opts->unlock_time; -+ -+ return PAM_SUCCESS; -+} -+ -+#endif /* #ifndef MAIN */ -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- Support function: get uid (and optionally username) from PAM or -+ cline_user --- */ -+ -+#ifdef MAIN -+static char *cline_user=0; /* cline_user is used in the administration prog */ -+#endif -+ -+static int -+pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts) -+{ -+ const char *user = NULL; -+ struct passwd *pw; -+ -+#ifdef MAIN -+ user = cline_user; -+#else -+ if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) { -+ user = NULL; -+ } -+#endif -+ -+ if ( !user || !*user ) { -+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?"); -+ return PAM_AUTH_ERR; -+ } -+ -+ if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) { -+ opts->ctrl & OPT_AUDIT ? -+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) : -+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user"); -+ return PAM_USER_UNKNOWN; -+ } -+ -+ if ( uid ) *uid = pw->pw_uid; -+ if ( userp ) *userp = user; -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- Support functions: set/get tally data --- */ -+ -+#ifndef MAIN -+ -+static void -+_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED) -+{ -+ free(data); -+} -+ -+ -+static void -+tally_set_data( pam_handle_t *pamh, time_t oldtime ) -+{ -+ time_t *data; -+ -+ if ( (data=malloc(sizeof(time_t))) != NULL ) { -+ *data = oldtime; -+ pam_set_data(pamh, MODULE_NAME, (void *)data, _cleanup); -+ } -+} -+ -+static int -+tally_get_data( pam_handle_t *pamh, time_t *oldtime ) -+{ -+ int rv; -+ const void *data; -+ -+ rv = pam_get_data(pamh, MODULE_NAME, &data); -+ if ( rv == PAM_SUCCESS && data != NULL && oldtime != NULL ) { -+ *oldtime = *(const time_t *)data; -+ pam_set_data(pamh, MODULE_NAME, NULL, NULL); -+ } -+ else { -+ rv = -1; -+ *oldtime = 0; -+ } -+ return rv; -+} -+#endif /* #ifndef MAIN */ -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- Support function: open/create tallyfile and return tally for uid --- */ -+ -+/* If on entry tallyfile doesn't exist, creation is attempted. */ -+ -+static int -+get_tally(pam_handle_t *pamh, uid_t uid, const char *filename, -+ FILE **tfile, struct tallylog *tally) -+{ -+ struct stat fileinfo; -+ int lstat_ret; -+ -+ lstat_ret = lstat(filename, &fileinfo); -+ if (lstat_ret) { -+ int save_errno; -+ int oldmask = umask(077); -+ *tfile=fopen(filename, "a"); -+ save_errno = errno; -+ /* Create file, or append-open in pathological case. */ -+ umask(oldmask); -+ if ( !*tfile ) { -+#ifndef MAIN -+ if (save_errno == EPERM) { -+ return PAM_IGNORE; /* called with insufficient access rights */ -+ } -+#endif -+ errno = save_errno; -+ pam_syslog(pamh, LOG_ALERT, "Couldn't create %s: %m", filename); -+ return PAM_AUTH_ERR; -+ } -+ lstat_ret = fstat(fileno(*tfile),&fileinfo); -+ fclose(*tfile); -+ *tfile = NULL; -+ } -+ -+ if ( lstat_ret ) { -+ pam_syslog(pamh, LOG_ALERT, "Couldn't stat %s", filename); -+ return PAM_AUTH_ERR; -+ } -+ -+ if ((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { -+ /* If the file is world writable or is not a -+ normal file, return error */ -+ pam_syslog(pamh, LOG_ALERT, -+ "%s is either world writable or not a normal file", -+ filename); -+ return PAM_AUTH_ERR; -+ } -+ -+ if (!(*tfile = fopen(filename, "r+"))) { -+#ifndef MAIN -+ if (errno == EPERM) /* called with insufficient access rights */ -+ return PAM_IGNORE; -+#endif -+ pam_syslog(pamh, LOG_ALERT, "Error opening %s for update: %m", filename); -+ -+ return PAM_AUTH_ERR; -+ } -+ -+ if (fseeko(*tfile, (off_t)uid*(off_t)sizeof(*tally), SEEK_SET)) { -+ pam_syslog(pamh, LOG_ALERT, "fseek failed for %s: %m", filename); -+ fclose(*tfile); -+ *tfile = NULL; -+ return PAM_AUTH_ERR; -+ } -+ -+ if (fileinfo.st_size < (off_t)(uid+1)*(off_t)sizeof(*tally)) { -+ memset(tally, 0, sizeof(*tally)); -+ } else if (fread(tally, sizeof(*tally), 1, *tfile) == 0) { -+ memset(tally, 0, sizeof(*tally)); -+ /* Shouldn't happen */ -+ } -+ -+ tally->fail_line[sizeof(tally->fail_line)-1] = '\0'; -+ -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- Support function: update and close tallyfile with tally!=TALLY_HI --- */ -+ -+static int -+set_tally(pam_handle_t *pamh, uid_t uid, -+ const char *filename, FILE **tfile, struct tallylog *tally) -+{ -+ if (tally->fail_cnt != TALLY_HI) { -+ if (fseeko(*tfile, (off_t)uid * sizeof(*tally), SEEK_SET)) { -+ pam_syslog(pamh, LOG_ALERT, "fseek failed for %s: %m", filename); -+ return PAM_AUTH_ERR; -+ } -+ if (fwrite(tally, sizeof(*tally), 1, *tfile) == 0) { -+ pam_syslog(pamh, LOG_ALERT, "update (fwrite) failed for %s: %m", filename); -+ return PAM_AUTH_ERR; -+ } -+ } -+ -+ if (fclose(*tfile)) { -+ *tfile = NULL; -+ pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s: %m", filename); -+ return PAM_AUTH_ERR; -+ } -+ *tfile=NULL; -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- PAM bits --- */ -+ -+#ifndef MAIN -+ -+#define RETURN_ERROR(i) return ((opts->ctrl & OPT_FAIL_ON_ERROR)?(i):(PAM_SUCCESS)) -+ -+/*---------------------------------------------------------------------*/ -+ -+static int -+tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, -+ const char *user, struct tally_options *opts, -+ struct tallylog *tally) -+{ -+ int rv = PAM_SUCCESS; -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd = -1; -+#endif -+ -+ if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { -+ return PAM_SUCCESS; -+ } -+ /* magic_root skips tally check */ -+#ifdef HAVE_LIBAUDIT -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+#endif -+ if (opts->deny != 0 && /* deny==0 means no deny */ -+ tally->fail_cnt > opts->deny && /* tally>deny means exceeded */ -+ ((opts->ctrl & OPT_DENY_ROOT) || uid)) { /* even_deny stops uid check */ -+#ifdef HAVE_LIBAUDIT -+ if (tally->fail_cnt == opts->deny+1) { -+ /* First say that max number was hit. */ -+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); -+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -+ NULL, NULL, NULL, 1); -+ } -+#endif -+ if (uid) { -+ /* Unlock time check */ -+ if (opts->unlock_time && oldtime) { -+ if (opts->unlock_time + oldtime <= time(NULL)) { -+ /* ignore deny check after unlock_time elapsed */ -+#ifdef HAVE_LIBAUDIT -+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ NULL, NULL, NULL, 1); -+#endif -+ rv = PAM_SUCCESS; -+ goto cleanup; -+ } -+ } -+ } else { -+ /* Root unlock time check */ -+ if (opts->root_unlock_time && oldtime) { -+ if (opts->root_unlock_time + oldtime <= time(NULL)) { -+ /* ignore deny check after unlock_time elapsed */ -+#ifdef HAVE_LIBAUDIT -+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ NULL, NULL, NULL, 1); -+#endif -+ rv = PAM_SUCCESS; -+ goto cleanup; -+ } -+ } -+ } -+ -+#ifdef HAVE_LIBAUDIT -+ if (tally->fail_cnt == opts->deny+1) { -+ /* First say that max number was hit. */ -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -+ NULL, NULL, NULL, 1); -+ } -+#endif -+ -+ if (!(opts->ctrl & OPT_QUIET)) { -+ pam_info(pamh, _("Account locked due to %hu failed logins"), -+ tally->fail_cnt); -+ } -+ if (!(opts->ctrl & OPT_NOLOGNOTICE)) { -+ pam_syslog(pamh, LOG_NOTICE, -+ "user %s (%lu) tally %hu, deny %hu", -+ user, (unsigned long)uid, tally->fail_cnt, opts->deny); -+ } -+ rv = PAM_AUTH_ERR; /* Only unconditional failure */ -+ goto cleanup; -+ } -+ -+ /* Lock time check */ -+ if (opts->lock_time && oldtime) { -+ if (opts->lock_time + oldtime > time(NULL)) { -+ /* don't increase fail_cnt or update fail_time when -+ lock_time applies */ -+ tally->fail_cnt = oldcnt; -+ tally->fail_time = oldtime; -+ -+ if (!(opts->ctrl & OPT_QUIET)) { -+ pam_info(pamh, _("Account temporary locked (%ld seconds left)"), -+ oldtime+opts->lock_time-time(NULL)); -+ } -+ if (!(opts->ctrl & OPT_NOLOGNOTICE)) { -+ pam_syslog(pamh, LOG_NOTICE, -+ "user %s (%lu) has time limit [%lds left]" -+ " since last failure.", -+ user, (unsigned long)uid, -+ oldtime+opts->lock_time-time(NULL)); -+ } -+ rv = PAM_AUTH_ERR; -+ goto cleanup; -+ } -+ } -+ -+cleanup: -+#ifdef HAVE_LIBAUDIT -+ if (audit_fd != -1) { -+ close(audit_fd); -+ } -+#endif -+ return rv; -+} -+ -+/* --- tally bump function: bump tally for uid by (signed) inc --- */ -+ -+static int -+tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, -+ uid_t uid, const char *user, struct tally_options *opts) -+{ -+ struct tallylog tally; -+ tally_t oldcnt; -+ FILE *tfile = NULL; -+ const void *remote_host = NULL; -+ int i, rv; -+ -+ tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */ -+ -+ i = get_tally(pamh, uid, opts->filename, &tfile, &tally); -+ if (i != PAM_SUCCESS) { -+ if (tfile) -+ fclose(tfile); -+ RETURN_ERROR(i); -+ } -+ -+ /* to remember old fail time (for locktime) */ -+ if (oldtime) { -+ *oldtime = (time_t)tally.fail_time; -+ } -+ -+ tally.fail_time = time(NULL); -+ -+ (void) pam_get_item(pamh, PAM_RHOST, &remote_host); -+ if (!remote_host) { -+ (void) pam_get_item(pamh, PAM_TTY, &remote_host); -+ if (!remote_host) { -+ remote_host = "unknown"; -+ } -+ } -+ -+ strncpy(tally.fail_line, remote_host, -+ sizeof(tally.fail_line)-1); -+ tally.fail_line[sizeof(tally.fail_line)-1] = 0; -+ -+ oldcnt = tally.fail_cnt; -+ -+ if (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) { -+ /* magic_root doesn't change tally */ -+ tally.fail_cnt += inc; -+ -+ if (tally.fail_cnt == TALLY_HI) { /* Overflow *and* underflow. :) */ -+ tally.fail_cnt -= inc; -+ pam_syslog(pamh, LOG_ALERT, "Tally %sflowed for user %s", -+ (inc<0)?"under":"over",user); -+ } -+ } -+ -+ rv = tally_check(oldcnt, *oldtime, pamh, uid, user, opts, &tally); -+ -+ i = set_tally(pamh, uid, opts->filename, &tfile, &tally); -+ if (i != PAM_SUCCESS) { -+ if (tfile) -+ fclose(tfile); -+ if (rv == PAM_SUCCESS) -+ RETURN_ERROR( i ); -+ /* fallthrough */ -+ } -+ -+ return rv; -+} -+ -+static int -+tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts) -+{ -+ struct tallylog tally; -+ FILE *tfile = NULL; -+ int i; -+ -+ /* resets only if not magic root */ -+ -+ if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { -+ return PAM_SUCCESS; -+ } -+ -+ tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */ -+ -+ i=get_tally(pamh, uid, opts->filename, &tfile, &tally); -+ if (i != PAM_SUCCESS) { -+ if (tfile) -+ fclose(tfile); -+ RETURN_ERROR(i); -+ } -+ -+ memset(&tally, 0, sizeof(tally)); -+ -+ i=set_tally(pamh, uid, opts->filename, &tfile, &tally); -+ if (i != PAM_SUCCESS) { -+ if (tfile) -+ fclose(tfile); -+ RETURN_ERROR(i); -+ } -+ -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- authentication management functions (only) --- */ -+ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, -+ int argc, const char **argv) -+{ -+ int -+ rv; -+ time_t -+ oldtime = 0; -+ struct tally_options -+ options, *opts = &options; -+ uid_t -+ uid; -+ const char -+ *user; -+ -+ rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); -+ if (rv != PAM_SUCCESS) -+ RETURN_ERROR(rv); -+ -+ if (flags & PAM_SILENT) -+ opts->ctrl |= OPT_QUIET; -+ -+ rv = pam_get_uid(pamh, &uid, &user, opts); -+ if (rv != PAM_SUCCESS) -+ RETURN_ERROR(rv); -+ -+ rv = tally_bump(1, &oldtime, pamh, uid, user, opts); -+ -+ tally_set_data(pamh, oldtime); -+ -+ return rv; -+} -+ -+PAM_EXTERN int -+pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, -+ int argc, const char **argv) -+{ -+ int -+ rv; -+ time_t -+ oldtime = 0; -+ struct tally_options -+ options, *opts = &options; -+ uid_t -+ uid; -+ const char -+ *user; -+ -+ rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); -+ if ( rv != PAM_SUCCESS ) -+ RETURN_ERROR( rv ); -+ -+ rv = pam_get_uid(pamh, &uid, &user, opts); -+ if ( rv != PAM_SUCCESS ) -+ RETURN_ERROR( rv ); -+ -+ if ( tally_get_data(pamh, &oldtime) != 0 ) -+ /* no data found */ -+ return PAM_SUCCESS; -+ -+ return tally_reset(pamh, uid, opts); -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+/* --- authentication management functions (only) --- */ -+ -+/* To reset failcount of user on successfull login */ -+ -+PAM_EXTERN int -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, -+ int argc, const char **argv) -+{ -+ int -+ rv; -+ time_t -+ oldtime = 0; -+ struct tally_options -+ options, *opts = &options; -+ uid_t -+ uid; -+ const char -+ *user; -+ -+ rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv); -+ if ( rv != PAM_SUCCESS ) -+ RETURN_ERROR( rv ); -+ -+ rv = pam_get_uid(pamh, &uid, &user, opts); -+ if ( rv != PAM_SUCCESS ) -+ RETURN_ERROR( rv ); -+ -+ if ( tally_get_data(pamh, &oldtime) != 0 ) -+ /* no data found */ -+ return PAM_SUCCESS; -+ -+ return tally_reset(pamh, uid, opts); -+} -+ -+/*-----------------------------------------------------------------------*/ -+ -+#ifdef PAM_STATIC -+ -+/* static module data */ -+ -+struct pam_module _pam_tally_modstruct = { -+ MODULE_NAME, -+#ifdef PAM_SM_AUTH -+ pam_sm_authenticate, -+ pam_sm_setcred, -+#else -+ NULL, -+ NULL, -+#endif -+#ifdef PAM_SM_ACCOUNT -+ pam_sm_acct_mgmt, -+#else -+ NULL, -+#endif -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+#endif /* #ifdef PAM_STATIC */ -+ -+/*-----------------------------------------------------------------------*/ -+ -+#else /* #ifndef MAIN */ -+ -+static const char *cline_filename = DEFAULT_LOGFILE; -+static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */ -+static int cline_quiet = 0; -+ -+/* -+ * Not going to link with pamlib just for these.. :) -+ */ -+ -+static const char * -+pam_errors( int i ) -+{ -+ switch (i) { -+ case PAM_AUTH_ERR: return _("Authentication error"); -+ case PAM_SERVICE_ERR: return _("Service error"); -+ case PAM_USER_UNKNOWN: return _("Unknown user"); -+ default: return _("Unknown error"); -+ } -+} -+ -+static int -+getopts( char **argv ) -+{ -+ const char *pname = *argv; -+ for ( ; *argv ; (void)(*argv && ++argv) ) { -+ if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; -+ else if ( !strcmp(*argv,"-f") ) cline_filename=*++argv; -+ else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7; -+ else if ( !strcmp (*argv,"--user") ) cline_user=*++argv; -+ else if ( !strcmp (*argv,"-u") ) cline_user=*++argv; -+ else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7; -+ else if ( !strcmp (*argv,"--reset") ) cline_reset=0; -+ else if ( !strcmp (*argv,"-r") ) cline_reset=0; -+ else if ( !strncmp(*argv,"--reset=",8)) { -+ if ( sscanf(*argv+8,"%hu",&cline_reset) != 1 ) -+ fprintf(stderr,_("%s: Bad number given to --reset=\n"),pname), exit(0); -+ } -+ else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; -+ else { -+ fprintf(stderr,_("%s: Unrecognised option %s\n"),pname,*argv); -+ return FALSE; -+ } -+ } -+ return TRUE; -+} -+ -+static void -+print_one(const struct tallylog *tally, uid_t uid) -+{ -+ static int once; -+ char *cp; -+ time_t fail_time; -+ struct tm *tm; -+ struct passwd *pwent; -+ const char *username = "[NONAME]"; -+ char ptime[80]; -+ -+ pwent = getpwuid(uid); -+ fail_time = tally->fail_time; -+ tm = localtime(&fail_time); -+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S", tm); -+ cp = ptime; -+ if (pwent) { -+ username = pwent->pw_name; -+ } -+ if (!once) { -+ printf (_("Login Failures Latest failure From\n")); -+ once++; -+ } -+ printf ("%-15.15s %5hu ", username, tally->fail_cnt); -+ if (tally->fail_time) { -+ printf ("%-17.17s %s", cp, tally->fail_line); -+ } -+ putchar ('\n'); -+} -+ -+int -+main( int argc UNUSED, char **argv ) -+{ -+ struct tallylog tally; -+ -+ if ( ! getopts( argv+1 ) ) { -+ printf(_("%s: [-f rooted-filename] [--file rooted-filename]\n" -+ " [-u username] [--user username]\n" -+ " [-r] [--reset[=n]] [--quiet]\n"), -+ *argv); -+ exit(2); -+ } -+ -+ umask(077); -+ -+ /* -+ * Major difference between individual user and all users: -+ * --user just handles one user, just like PAM. -+ * without --user it handles all users, sniffing cline_filename for nonzeros -+ */ -+ -+ if ( cline_user ) { -+ uid_t uid; -+ FILE *tfile=0; -+ struct tally_options opts; -+ int i; -+ -+ memset(&opts, 0, sizeof(opts)); -+ opts.ctrl = OPT_AUDIT; -+ i=pam_get_uid(NULL, &uid, NULL, &opts); -+ if ( i != PAM_SUCCESS ) { -+ fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); -+ exit(1); -+ } -+ -+ i=get_tally(NULL, uid, cline_filename, &tfile, &tally); -+ if ( i != PAM_SUCCESS ) { -+ if (tfile) -+ fclose(tfile); -+ fprintf(stderr, "%s: %s\n", *argv, pam_errors(i)); -+ exit(1); -+ } -+ -+ if ( !cline_quiet ) -+ print_one(&tally, uid); -+ -+ if (cline_reset != TALLY_HI) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd = audit_open(); -+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); -+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -+ buf, NULL, NULL, NULL, 1); -+ if (audit_fd >=0) -+ close(audit_fd); -+#endif -+ if (cline_reset == 0) { -+ memset(&tally, 0, sizeof(tally)); -+ } else { -+ tally.fail_cnt = cline_reset; -+ } -+ i=set_tally(NULL, uid, cline_filename, &tfile, &tally); -+ if (i != PAM_SUCCESS) { -+ if (tfile) fclose(tfile); -+ fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); -+ exit(1); -+ } -+ } else { -+ fclose(tfile); -+ } -+ } -+ else /* !cline_user (ie, operate on all users) */ { -+ FILE *tfile=fopen(cline_filename, "r"); -+ uid_t uid=0; -+ if (!tfile && cline_reset != 0) { -+ perror(*argv); -+ exit(1); -+ } -+ -+ for ( ; tfile && !feof(tfile); uid++ ) { -+ if ( !fread(&tally, sizeof(tally), 1, tfile) -+ || !tally.fail_cnt ) { -+ continue; -+ } -+ print_one(&tally, uid); -+ } -+ if (tfile) -+ fclose(tfile); -+ if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { -+ fprintf(stderr,_("%s: Can't reset all users to non-zero\n"),*argv); -+ } -+ else if ( !cline_reset ) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd = audit_open(); -+ snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); -+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -+ buf, NULL, NULL, NULL, 1); -+ if (audit_fd >=0) -+ close(audit_fd); -+#endif -+ tfile=fopen(cline_filename, "w"); -+ if ( !tfile ) perror(*argv), exit(0); -+ fclose(tfile); -+ } -+ } -+ return 0; -+} -+ -+ -+#endif /* #ifndef MAIN */ -diff -up pam/modules/pam_tally2/README.xml.pt2 pam/modules/pam_tally2/README.xml ---- pam/modules/pam_tally2/README.xml.pt2 2008-10-15 12:14:21.000000000 +0200 -+++ pam/modules/pam_tally2/README.xml 2008-10-15 11:14:27.000000000 +0200 -@@ -0,0 +1,46 @@ -+ -+ -+--> -+]> -+ -+
-+ -+ -+ -+ -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_tally2.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tally2-name"]/*)'/> -+ -+ -+ -+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-diff -up pam/modules/pam_tally2/tst-pam_tally2.pt2 pam/modules/pam_tally2/tst-pam_tally2 ---- pam/modules/pam_tally2/tst-pam_tally2.pt2 2008-10-15 12:14:21.000000000 +0200 -+++ pam/modules/pam_tally2/tst-pam_tally2 2008-10-15 10:23:18.000000000 +0200 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+../../tests/tst-dlopen .libs/pam_tally2.so -diff -up pam/modules/pam_tally2/pam_tally2.8.xml.pt2 pam/modules/pam_tally2/pam_tally2.8.xml ---- pam/modules/pam_tally2/pam_tally2.8.xml.pt2 2008-10-15 12:14:21.000000000 +0200 -+++ pam/modules/pam_tally2/pam_tally2.8.xml 2008-10-15 11:36:00.000000000 +0200 -@@ -0,0 +1,439 @@ -+ -+ -+ -+ -+ -+ -+ pam_tally2 -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pam_tally2 -+ The login counter (tallying) module -+ -+ -+ -+ -+ pam_tally2.so -+ -+ file=/path/to/counter -+ -+ -+ onerr=[fail|succeed] -+ -+ -+ magic_root -+ -+ -+ even_deny_root -+ -+ -+ deny=n -+ -+ -+ lock_time=n -+ -+ -+ unlock_time=n -+ -+ -+ root_unlock_time=n -+ -+ -+ audit -+ -+ -+ silent -+ -+ -+ no_log_info -+ -+ -+ -+ pam_tally2 -+ -+ --file /path/to/counter -+ -+ -+ --user username -+ -+ -+ --reset[=n] -+ -+ -+ --quiet -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ This module maintains a count of attempted accesses, can -+ reset count on success, can deny access if too many attempts fail. -+ -+ -+ pam_tally2 comes in two parts: -+ pam_tally2.so and -+ pam_tally2. The former is the PAM module and -+ the latter, a stand-alone program. pam_tally2 -+ is an (optional) application which can be used to interrogate and -+ manipulate the counter file. It can display users' counts, set -+ individual counts, or clear all counts. Setting artificially high -+ counts may be useful for blocking users without changing their -+ passwords. For example, one might find it useful to clear all counts -+ every midnight from a cron job. -+ -+ -+ Normally, failed attempts to access root will -+ not cause the root account to become -+ blocked, to prevent denial-of-service: if your users aren't given -+ shell accounts and root may only login via su or -+ at the machine console (not telnet/rsh, etc), this is safe. -+ -+ -+ -+ -+ -+ OPTIONS -+ -+ -+ -+ GLOBAL OPTIONS -+ -+ -+ -+ This can be used for auth and -+ account module types. -+ -+ -+ -+ -+ -+ -+ -+ -+ If something weird happens (like unable to open the file), -+ return with PAM_SUCESS if -+ -+ is given, else with the corresponding PAM error code. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ File where to keep counts. Default is -+ /var/log/tallylog. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Will log the user name into the system log if the user is not found. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't print informative messages. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't log informative messages via syslog3. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ AUTH OPTIONS -+ -+ -+ -+ Authentication phase first increments attempted login counter and -+ checks if user should be denied access. If the user is authenticated -+ and the login process continues on call to -+ pam_setcred3 -+ it resets the attempts counter. -+ -+ -+ -+ -+ -+ -+ -+ -+ Deny access if tally for this user exceeds -+ n. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Always deny for n seconds -+ after failed attempt. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Allow access after n seconds -+ after failed attempt. If this option is used the user will -+ be locked out for the specified amount of time after he -+ exceeded his maximum allowed attempts. Otherwise the -+ account is locked until the lock is removed by a manual -+ intervention of the system administrator. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ If the module is invoked by a user with uid=0 the -+ counter is not incremented. The sys-admin should use this -+ for user launched services, like su, -+ otherwise this argument should be omitted. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Do not use the .fail_locktime field in -+ /var/log/faillog for this user. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't reset count on successful entry, only decrement. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Root account can become unavailable. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ This option implies option. -+ Allow access after n seconds -+ to root acccount after failed attempt. If this option is used -+ the root user will be locked out for the specified amount of -+ time after he exceeded his maximum allowed attempts. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ACCOUNT OPTIONS -+ -+ -+ -+ Account phase resets attempts counter if the user is -+ not magic root. -+ This phase can be used optionaly for services which don't call -+ -+ pam_setcred3 -+ correctly or if the reset should be done regardless -+ of the failure of the account phase of other modules. -+ -+ -+ -+ -+ -+ -+ -+ -+ If the module is invoked by a user with uid=0 the -+ counter is not changed. The sys-admin should use this -+ for user launched services, like su, -+ otherwise this argument should be omitted. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ MODULE TYPES PROVIDED -+ -+ The and -+ module types are provided. -+ -+ -+ -+ -+ RETURN VALUES -+ -+ -+ PAM_AUTH_ERR -+ -+ -+ A invalid option was given, the module was not able -+ to retrive the user name, no valid counter file -+ was found, or too many failed logins. -+ -+ -+ -+ -+ PAM_SUCCESS -+ -+ -+ Everything was successfull. -+ -+ -+ -+ -+ PAM_USER_UNKNOWN -+ -+ -+ User not known. -+ -+ -+ -+ -+ -+ -+ -+ NOTES -+ -+ pam_tally2 is not compatible with the old pam_tally faillog file format. -+ This is caused by requirement of compatibility of the tallylog file -+ format between 32bit and 64bit architectures on multiarch systems. -+ -+ -+ There is no setuid wrapper for access to the data file such as when the -+ pam_tally2.so module is called from -+ xscreensaver. As this would make it impossible to share PAM configuration -+ with such services the following workaround is used: If the data file -+ cannot be opened because of insufficient permissions -+ (EPERM) the module returns -+ PAM_IGNORE. -+ -+ -+ -+ -+ EXAMPLES -+ -+ Add the following line to /etc/pam.d/login to -+ lock the account after 4 failed logins. Root account will be locked -+ as well. The accounts will be automatically unlocked after 20 minutes. -+ The module does not have to be called in the account phase because the -+ login calls -+ pam_setcred3 -+ correctly. -+ -+ -+auth required pam_securetty.so -+auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200 -+auth required pam_env.so -+auth required pam_unix.so -+auth required pam_nologin.so -+account required pam_unix.so -+password required pam_unix.so -+session required pam_limits.so -+session required pam_unix.so -+session required pam_lastlog.so nowtmp -+session optional pam_mail.so standard -+ -+ -+ -+ -+ FILES -+ -+ -+ /var/log/tallylog -+ -+ failure count logging file -+ -+ -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam.conf5 -+ , -+ -+ pam.d5 -+ , -+ -+ pam8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ pam_tally was written by Tim Baverstock and Tomas Mraz. -+ -+ -+ -+ -+ -diff -up pam/modules/pam_tally2/Makefile.am.pt2 pam/modules/pam_tally2/Makefile.am ---- pam/modules/pam_tally2/Makefile.am.pt2 2008-10-15 12:13:43.000000000 +0200 -+++ pam/modules/pam_tally2/Makefile.am 2008-10-15 11:31:41.000000000 +0200 -@@ -0,0 +1,40 @@ -+# -+# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk -+# Copyright (c) 2008 Red Hat, Inc. -+# -+ -+CLEANFILES = *~ -+ -+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2 -+ -+man_MANS = pam_tally2.8 -+XMLS = README.xml pam_tally2.8.xml -+ -+TESTS = tst-pam_tally2 -+ -+securelibdir = $(SECUREDIR) -+secureconfdir = $(SCONFIGDIR) -+ -+noinst_HEADERS = tallylog.h -+ -+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+ -+pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module -+pam_tally2_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+if HAVE_VERSIONING -+ pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+endif -+ -+pam_tally2_LDADD = $(LIBAUDIT) -+ -+securelib_LTLIBRARIES = pam_tally2.la -+sbin_PROGRAMS = pam_tally2 -+ -+pam_tally2_la_SOURCES = pam_tally.c -+pam_tally2_SOURCES = pam_tally_app.c -+ -+if ENABLE_REGENERATE_MAN -+noinst_DATA = README -+README: pam_tally2.8.xml -+-include $(top_srcdir)/Make.xml.rules -+endif -diff -up pam/modules/pam_tally2/pam_tally_app.c.pt2 pam/modules/pam_tally2/pam_tally_app.c ---- pam/modules/pam_tally2/pam_tally_app.c.pt2 2008-10-15 12:14:21.000000000 +0200 -+++ pam/modules/pam_tally2/pam_tally_app.c 2008-02-27 17:08:50.000000000 +0100 -@@ -0,0 +1,7 @@ -+/* -+ # This seemed like such a good idea at the time. :) -+ */ -+ -+#define MAIN -+#include "pam_tally.c" -+ diff --git a/pam_time.diff b/pam_time.diff deleted file mode 100644 index 8e158a0..0000000 --- a/pam_time.diff +++ /dev/null @@ -1,18 +0,0 @@ -2008-11-25 Thorsten Kukuk - - * modules/pam_time/pam_time.c (is_same): Fix check - of correct string length (debian bug #326407). - ---- modules/pam_time/pam_time.c 7 Dec 2007 15:40:02 -0000 1.16 -+++ modules/pam_time/pam_time.c 25 Nov 2008 13:37:12 -0000 -@@ -358,8 +358,8 @@ - - /* Ok, we know that b is a substring from A and does not contain - wildcards, but now the length of both strings must be the same, -- too. */ -- if (strlen (a) != strlen(b)) -+ too. In this case it means, a[i] has to be the end of the string. */ -+ if (a[i] != '\0') - return FALSE; - - return ( !len ); diff --git a/pam_xauth-XAUTHLOCALHOSTNAME.diff b/pam_xauth-XAUTHLOCALHOSTNAME.diff deleted file mode 100644 index 42a71c8..0000000 --- a/pam_xauth-XAUTHLOCALHOSTNAME.diff +++ /dev/null @@ -1,54 +0,0 @@ ---- modules/pam_xauth/pam_xauth.c 8 Apr 2008 07:01:41 -0000 1.16 -+++ modules/pam_xauth/pam_xauth.c 18 Nov 2008 12:30:58 -0000 -@@ -280,7 +280,7 @@ - return noent_code; - default: - if (debug) { -- pam_syslog(pamh, LOG_ERR, -+ pam_syslog(pamh, LOG_DEBUG, - "error opening %s: %m", path); - } - return PAM_PERM_DENIED; -@@ -293,7 +293,8 @@ - int argc, const char **argv) - { - char *cookiefile = NULL, *xauthority = NULL, -- *cookie = NULL, *display = NULL, *tmp = NULL; -+ *cookie = NULL, *display = NULL, *tmp = NULL, -+ *xauthlocalhostname = NULL; - const char *user, *xauth = NULL; - struct passwd *tpwd, *rpwd; - int fd, i, debug = 0; -@@ -588,14 +589,30 @@ - - if (asprintf(&d, "DISPLAY=%s", display) < 0) - { -- pam_syslog(pamh, LOG_DEBUG, "out of memory"); -+ pam_syslog(pamh, LOG_ERR, "out of memory"); - cookiefile = NULL; - retval = PAM_SESSION_ERR; - goto cleanup; - } - - if (pam_putenv (pamh, d) != PAM_SUCCESS) -- pam_syslog (pamh, LOG_DEBUG, -+ pam_syslog (pamh, LOG_ERR, -+ "can't set environment variable '%s'", d); -+ free (d); -+ } -+ -+ /* set XAUTHLOCALHOSTNAME to make sure that su - work under gnome */ -+ if ((xauthlocalhostname = getenv("XAUTHLOCALHOSTNAME")) != NULL) { -+ char *d; -+ -+ if (asprintf(&d, "XAUTHLOCALHOSTNAME=%s", xauthlocalhostname) < 0) { -+ pam_syslog(pamh, LOG_ERR, "out of memory"); -+ retval = PAM_SESSION_ERR; -+ goto cleanup; -+ } -+ -+ if (pam_putenv (pamh, d) != PAM_SUCCESS) -+ pam_syslog (pamh, LOG_ERR, - "can't set environment variable '%s'", d); - free (d); - } diff --git a/pam_xauth.diff b/pam_xauth.diff deleted file mode 100644 index 25d99c9..0000000 --- a/pam_xauth.diff +++ /dev/null @@ -1,26 +0,0 @@ - -2008-04-08 Tomas Mraz - - * modules/pam_xauth/pam_xauth.c(run_coprocess): Avoid multiple - calls to sysconf() (based on patch by Sami Farin). - ---- Linux-PAM-1.0/modules/pam_xauth/pam_xauth.c 2007-10-01 11:41:32.000000000 +0200 -+++ Linux-PAM/modules/pam_xauth/pam_xauth.c 2008-06-22 09:47:33.000000000 +0200 -@@ -118,6 +118,7 @@ - size_t j; - char *args[10]; - const char *tmp; -+ int maxopened; - /* Drop privileges. */ - setgid(gid); - setgroups(0, NULL); -@@ -129,7 +130,8 @@ - * descriptors. */ - dup2(ipipe[0], STDIN_FILENO); - dup2(opipe[1], STDOUT_FILENO); -- for (i = 0; i < sysconf(_SC_OPEN_MAX); i++) { -+ maxopened = (int)sysconf(_SC_OPEN_MAX); -+ for (i = 0; i < maxopened; i++) { - if ((i != STDIN_FILENO) && (i != STDOUT_FILENO)) { - close(i); - }