Accepting request 1080766 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/1080766
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=130
Dominique Leuenberger 2023-04-21 12:15:28 +00:00 committed by Git OBS Bridge
commit a121788e00
13 changed files with 142 additions and 28024 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bd75b3474dfbed60dff728721c48a6dd88bfea901b607c469bbe5fa5ccc535e4
size 443276


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=ijjK
-----END PGP SIGNATURE-----


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a819c1b629b8101543e6c964a4e22d23b29f3456d28b4ba403dd280e46a6315
size 1009900


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d
size 988784


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=KMIz
-----END PGP SIGNATURE-----



@ -1,26 +0,0 @@
Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
+++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
@@ -701,8 +701,9 @@ pam_sm_open_session (pam_handle_t *pamh,
pam_syslog(pamh, LOG_ERR,
"can't set environment variable '%s'",
xauthority);
- putenv (xauthority); /* The environment owns this string now. */
- /* Don't free environment variables nor set them to NULL. */
+ if (putenv (xauthority) == 0) /* The environment owns this string now. */
+ xauthority = NULL;
+ /* Don't free environment variables. */
/* set $DISPLAY in pam handle to make su - work */
{
@@ -765,7 +766,8 @@ cleanup:
unsetenv (XAUTHENV);
free(cookiefile);
free(cookie);
- free(xauthority);
+ if (xauthority != NULL) /* If it hasn't been successfully passed to putenv() ... */
+ free(xauthority);
return retval;
}



@ -1,105 +0,0 @@
diff -urN Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c
--- Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c 2020-11-10 16:46:13.000000000 +0100
+++ Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c 2020-11-19 11:50:54.176925556 +0100
@@ -355,11 +355,13 @@
char *cookiefile = NULL, *xauthority = NULL,
*cookie = NULL, *display = NULL, *tmp = NULL,
*xauthlocalhostname = NULL;
- const char *user, *xauth = NULL;
+ const char *user, *xauth = NULL, *login_name;
struct passwd *tpwd, *rpwd;
int fd, i, debug = 0;
int retval = PAM_SUCCESS;
- uid_t systemuser = 499, targetuser = 0;
+ uid_t systemuser = 499, targetuser = 0, uid;
+ gid_t gid;
+ struct stat st;
/* Parse arguments. We don't understand many, so no sense in breaking
* this into a separate function. */
@@ -429,7 +431,16 @@
retval = PAM_SESSION_ERR;
goto cleanup;
}
- rpwd = pam_modutil_getpwuid(pamh, getuid());
+
+ login_name = pam_modutil_getlogin(pamh);
+ if (login_name == NULL) {
+ login_name = "";
+ }
+ if (*login_name)
+ rpwd = pam_modutil_getpwnam(pamh, login_name);
+ else
+ rpwd = pam_modutil_getpwuid(pamh, getuid());
+
if (rpwd == NULL) {
pam_syslog(pamh, LOG_ERR,
"error determining invoking user's name");
@@ -518,18 +529,26 @@
cookiefile);
}
+ /* Get owner and group of the cookiefile */
+ uid = getuid();
+ gid = getgid();
+ if (stat(cookiefile, &st) == 0) {
+ uid = st.st_uid;
+ gid = st.st_gid;
+ }
+
/* Read the user's .Xauthority file. Because the current UID is
* the original user's UID, this will only fail if something has
* gone wrong, or we have no cookies. */
if (debug) {
pam_syslog(pamh, LOG_DEBUG,
- "running \"%s %s %s %s %s\" as %lu/%lu",
- xauth, "-f", cookiefile, "nlist", display,
- (unsigned long) getuid(), (unsigned long) getgid());
+ "running \"%s %s %s %s %s %s\" as %lu/%lu",
+ xauth, "-i", "-f", cookiefile, "nlist", display,
+ (unsigned long) uid, (unsigned long) gid);
}
if (run_coprocess(pamh, NULL, &cookie,
- getuid(), getgid(),
- xauth, "-f", cookiefile, "nlist", display,
+ uid, gid,
+ xauth, "-i", "-f", cookiefile, "nlist", display,
NULL) == 0) {
#ifdef WITH_SELINUX
char *context_raw = NULL;
@@ -583,12 +602,12 @@
cookiefile,
"nlist",
t,
- (unsigned long) getuid(),
- (unsigned long) getgid());
+ (unsigned long) uid,
+ (unsigned long) gid);
}
run_coprocess(pamh, NULL, &cookie,
- getuid(), getgid(),
- xauth, "-f", cookiefile,
+ uid, gid,
+ xauth, "-i", "-f", cookiefile,
"nlist", t, NULL);
}
free(t);
@@ -673,13 +692,17 @@
goto cleanup;
}
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'",
+ xauthority);
+ }
/* Set the new variable in the environment. */
if (pam_putenv (pamh, xauthority) != PAM_SUCCESS)
pam_syslog(pamh, LOG_ERR,
"can't set environment variable '%s'",
xauthority);
putenv (xauthority); /* The environment owns this string now. */
- xauthority = NULL; /* Don't free environment variables. */
+ /* Don't free environment variables nor set them to NULL. */
/* set $DISPLAY in pam handle to make su - work */
{


@ -1,3 +1,39 @@
-------------------------------------------------------------------
Thu Apr 20 09:40:50 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
- pam-extra: add split provide
-------------------------------------------------------------------
Wed Apr 12 11:28:48 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
- pam-userdb: add split provide
-------------------------------------------------------------------
Tue Apr 11 07:53:44 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
- Drop pam-xauth_ownership.patch, got fixed in sudo itself
- Drop pam-bsc1177858-dont-free-environment-string.patch, was a
fix for above patch
-------------------------------------------------------------------
Thu Apr 6 12:11:30 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
- Use bcond selinux to disable SELinux
- Remove old pam_unix_* compat symlinks
- Move pam_userdb to own pam-userdb sub-package
- pam-extra contains now modules having extended dependencies like
libsystemd
- Update to 1.5.3.90 git snapshot
- Drop merged patches:
- pam-git.diff
- docbook5.patch
- pam_pwhistory-docu.patch
- pam_xauth_data.3.xml.patch
- Drop Linux-PAM-1.5.2.90.tar.xz as we have to rebuild all
documentation anyways and don't use the prebuild versions
- Move all devel manual pages to pam-manpages, too. Fixes the
problem that adjusted defaults not shown correct.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Mar 20 10:12:41 UTC 2023 - Thorsten Kukuk <kukuk@suse.com> Mon Mar 20 10:12:41 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

126
pam.spec

@ -35,6 +35,7 @@
%define livepatchable 0 %define livepatchable 0
%endif %endif
%bcond_without selinux
%bcond_with debug %bcond_with debug
%define flavor @BUILD_FLAVOR@%{nil} %define flavor @BUILD_FLAVOR@%{nil}
@ -46,15 +47,18 @@
%if "%{flavor}" == "full" %if "%{flavor}" == "full"
%define build_main 0 %define build_main 0
%define build_doc 1 %define build_doc 1
%define build_extra 1
%define build_userdb 1
%define name_suffix -%{flavor}-src %define name_suffix -%{flavor}-src
%else %else
%define build_main 1 %define build_main 1
%define build_doc 0 %define build_doc 0
%define build_extra 0
%define build_userdb 0
%define name_suffix %{nil} %define name_suffix %{nil}
%endif %endif
# #
%define enable_selinux 1
%define libpam_so_version 0.85.1 %define libpam_so_version 0.85.1
%define libpam_misc_so_version 0.82.1 %define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1 %define libpamc_so_version 0.82.1
@ -67,14 +71,14 @@
# #
Name: pam%{name_suffix} Name: pam%{name_suffix}
# #
Version: 1.5.2 Version: 1.5.2.90
Release: 0 Release: 0
Summary: A Security Tool that Provides Authentication for Applications Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause License: GPL-2.0-or-later OR BSD-3-Clause
Group: System/Libraries Group: System/Libraries
URL: http://www.linux-pam.org/ URL: https://github.com/linux-pam/linux-pam
Source: Linux-PAM-%{version}.tar.xz Source: Linux-PAM-%{version}.tar.xz
Source1: Linux-PAM-%{version}-docs.tar.xz # XXX Source1: Linux-PAM-%{version}.tar.xz.asc
Source2: macros.pam Source2: macros.pam
Source3: other.pamd Source3: other.pamd
Source4: common-auth.pamd Source4: common-auth.pamd
@ -86,20 +90,12 @@ Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8 Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh Source12: pam-login_defs-check.sh
Source13: pam.tmpfiles Source13: pam.tmpfiles
Source14: Linux-PAM-%{version}-docs.tar.xz.asc
Source15: Linux-PAM-%{version}.tar.xz.asc
Source20: common-session-nonlogin.pamd Source20: common-session-nonlogin.pamd
Source21: postlogin-auth.pamd Source21: postlogin-auth.pamd
Source22: postlogin-account.pamd Source22: postlogin-account.pamd
Source23: postlogin-password.pamd Source23: postlogin-password.pamd
Source24: postlogin-session.pamd Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch Patch1: pam-limit-nproc.patch
Patch3: pam-xauth_ownership.patch
Patch4: pam-bsc1177858-dont-free-environment-string.patch
Patch5: pam_xauth_data.3.xml.patch
Patch11: pam-git.diff
Patch13: pam_pwhistory-docu.patch
Patch14: docbook5.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: flex BuildRequires: flex
@ -110,39 +106,55 @@ Requires(post): permissions
# Upgrade this symbol version only if new variables appear! # Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package. # Verify by shadow-login_defs-check.sh from shadow source package.
Recommends: login_defs-support-for-pam >= 1.5.2 Recommends: login_defs-support-for-pam >= 1.5.2
%if 0%{?suse_version} > 1320
BuildRequires: pkgconfig(libeconf) BuildRequires: pkgconfig(libeconf)
%endif %if %{with selinux}
%if %{enable_selinux}
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
%endif %endif
Obsoletes: pam_unix Obsoletes: pam_unix
Obsoletes: pam_unix-nis Obsoletes: pam_unix-nis
Recommends: pam-manpages Recommends: pam-manpages
%if 0%{?suse_version} >= 1330
Requires(pre): group(shadow) Requires(pre): group(shadow)
Requires(pre): user(root) Requires(pre): user(root)
%endif
%description %description
PAM (Pluggable Authentication Modules) is a system security tool that PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without allows system administrators to set authentication policies without
having to recompile programs that do authentication. having to recompile programs that do authentication.
%package extra %if %{build_userdb}
%package -n pam-userdb
Summary: PAM module to authenticate against a separate database Summary: PAM module to authenticate against a separate database
Group: System/Libraries Group: System/Libraries
Provides: pam-extra:%{_pam_moduledir}/pam_userdb.so
BuildRequires: libdb-4_8-devel BuildRequires: libdb-4_8-devel
BuildRequires: pam-devel BuildRequires: pam-devel
%description extra %description -n pam-userdb
PAM (Pluggable Authentication Modules) is a system security tool that PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without allows system administrators to set authentication policies without
having to recompile programs that do authentication. having to recompile programs that do authentication.
This package contains useful extra modules eg pam_userdb which is This package contains pam_userdb which is used to verify a
used to verify a username/password pair against values stored in username/password pair against values stored in a Berkeley DB database.
a Berkeley DB database. %endif
%if %{build_extra}
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
BuildRequires: pkgconfig(systemd)
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
%description -n pam-extra
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains extra modules eg pam_issue and pam_timestamp which
can have extended dependencies.
%endif
%if %{build_doc} %if %{build_doc}
@ -191,17 +203,9 @@ This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM. building both PAM-aware applications and modules for use with PAM.
%prep %prep
%setup -q -n Linux-PAM-%{version} -b 1 %setup -q -n Linux-PAM-%{version}
cp -a %{SOURCE12} . cp -a %{SOURCE12} .
%patch11 -p1
%patch1 -p1 %patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%if %{build_doc}
%patch13 -p1
%patch14 -p1
%endif
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
@ -220,6 +224,7 @@ CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
--enable-isadir=../..%{_pam_moduledir} \ --enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \ --enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \ --enable-vendordir=%{_prefix}/etc \
--disable-nis \
%if %{with debug} %if %{with debug}
--enable-debug --enable-debug
%endif %endif
@ -291,9 +296,6 @@ mkdir -p %{buildroot}%{_prefix}/lib/motd.d
# Remove crap # Remove crap
# #
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
ln -f %{buildroot}%{_pam_moduledir}/pam_unix.so %{buildroot}%{_pam_moduledir}/$x.so
done
# #
# Install READMEs of PAM modules # Install READMEs of PAM modules
# #
@ -312,27 +314,25 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
# /run/motd.d # /run/motd.d
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir -p %{buildroot}%{_pam_secdistconfdir} mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
mv %{buildroot}%{_sysconfdir}/security/{limits.conf,faillock.conf,group.conf,pam_env.conf,access.conf,limits.d,sepermit.conf,time.conf} %{buildroot}%{_pam_secdistconfdir}/
mv %{buildroot}%{_sysconfdir}/security/{namespace.conf,namespace.d,namespace.init} %{buildroot}%{_pam_secdistconfdir}/
mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
# Remove manual pages for main package # Remove manual pages for main package
%if !%{build_doc} %if !%{build_doc}
rm -rf %{buildroot}%{_mandir}/man[58]/* rm -rf %{buildroot}%{_mandir}/man?/*
install -m 644 modules/pam_userdb/pam_userdb.8 %{buildroot}/%{_mandir}/man8/
%else %else
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# bsc#1188724 # bsc#1188724
echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5 echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
%endif %endif
%if !%{build_main}
rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
rm -rf %{buildroot}{%{_includedir},%{_libdir},%{_prefix}/lib}
rm -rf %{buildroot}%{_mandir}/man3/*
rm -rf %{buildroot}%{_mandir}/man8/pam_userdb.8*
%if !%{build_main}
rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir}}
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
%else %else
# Delete files for extra package
rm -rf %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
# Create filelist with translations # Create filelist with translations
%find_lang Linux-PAM %find_lang Linux-PAM
@ -392,13 +392,13 @@ done
%{_pam_secdistconfdir}/faillock.conf %{_pam_secdistconfdir}/faillock.conf
%{_pam_secdistconfdir}/limits.conf %{_pam_secdistconfdir}/limits.conf
%{_pam_secdistconfdir}/pam_env.conf %{_pam_secdistconfdir}/pam_env.conf
%if %{enable_selinux} %if %{with selinux}
%{_pam_secdistconfdir}/sepermit.conf %{_pam_secdistconfdir}/sepermit.conf
%endif %endif
%{_pam_secdistconfdir}/time.conf %{_pam_secdistconfdir}/time.conf
%{_pam_secdistconfdir}/namespace.conf %{_pam_secdistconfdir}/namespace.conf
%{_pam_secdistconfdir}/namespace.init %{_pam_secdistconfdir}/namespace.init
%config(noreplace) %{_pam_secconfdir}/pwhistory.conf %{_pam_secdistconfdir}/pwhistory.conf
%dir %{_pam_secdistconfdir}/namespace.d %dir %{_pam_secdistconfdir}/namespace.d
%{_libdir}/libpam.so.0 %{_libdir}/libpam.so.0
%{_libdir}/libpam.so.%{libpam_so_version} %{_libdir}/libpam.so.%{libpam_so_version}
@ -420,9 +420,7 @@ done
%{_pam_moduledir}//pam_filter/upperLOWER %{_pam_moduledir}//pam_filter/upperLOWER
%{_pam_moduledir}/pam_ftp.so %{_pam_moduledir}/pam_ftp.so
%{_pam_moduledir}/pam_group.so %{_pam_moduledir}/pam_group.so
%{_pam_moduledir}/pam_issue.so
%{_pam_moduledir}/pam_keyinit.so %{_pam_moduledir}/pam_keyinit.so
%{_pam_moduledir}/pam_lastlog.so
%{_pam_moduledir}/pam_limits.so %{_pam_moduledir}/pam_limits.so
%{_pam_moduledir}/pam_listfile.so %{_pam_moduledir}/pam_listfile.so
%{_pam_moduledir}/pam_localuser.so %{_pam_moduledir}/pam_localuser.so
@ -437,7 +435,7 @@ done
%{_pam_moduledir}/pam_rhosts.so %{_pam_moduledir}/pam_rhosts.so
%{_pam_moduledir}/pam_rootok.so %{_pam_moduledir}/pam_rootok.so
%{_pam_moduledir}/pam_securetty.so %{_pam_moduledir}/pam_securetty.so
%if %{enable_selinux} %if %{with selinux}
%{_pam_moduledir}/pam_selinux.so %{_pam_moduledir}/pam_selinux.so
%{_pam_moduledir}/pam_sepermit.so %{_pam_moduledir}/pam_sepermit.so
%endif %endif
@ -446,14 +444,9 @@ done
%{_pam_moduledir}/pam_stress.so %{_pam_moduledir}/pam_stress.so
%{_pam_moduledir}/pam_succeed_if.so %{_pam_moduledir}/pam_succeed_if.so
%{_pam_moduledir}/pam_time.so %{_pam_moduledir}/pam_time.so
%{_pam_moduledir}/pam_timestamp.so
%{_pam_moduledir}/pam_tty_audit.so %{_pam_moduledir}/pam_tty_audit.so
%{_pam_moduledir}/pam_umask.so %{_pam_moduledir}/pam_umask.so
%{_pam_moduledir}/pam_unix.so %{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_unix_acct.so
%{_pam_moduledir}/pam_unix_auth.so
%{_pam_moduledir}/pam_unix_passwd.so
%{_pam_moduledir}/pam_unix_session.so
%{_pam_moduledir}/pam_usertype.so %{_pam_moduledir}/pam_usertype.so
%{_pam_moduledir}/pam_warn.so %{_pam_moduledir}/pam_warn.so
%{_pam_moduledir}/pam_wheel.so %{_pam_moduledir}/pam_wheel.so
@ -461,7 +454,6 @@ done
%{_sbindir}/faillock %{_sbindir}/faillock
%{_sbindir}/mkhomedir_helper %{_sbindir}/mkhomedir_helper
%{_sbindir}/pam_namespace_helper %{_sbindir}/pam_namespace_helper
%{_sbindir}/pam_timestamp_check
%{_sbindir}/pwhistory_helper %{_sbindir}/pwhistory_helper
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
@ -469,23 +461,30 @@ done
%{_unitdir}/pam_namespace.service %{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/pam.conf %{_tmpfilesdir}/pam.conf
%files extra
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man}
%files devel %files devel
%defattr(644,root,root,755) %defattr(644,root,root,755)
%dir %{_includedir}/security %dir %{_includedir}/security
%{_mandir}/man3/pam*
%{_mandir}/man3/misc_conv.3%{?ext_man}
%{_includedir}/security/*.h %{_includedir}/security/*.h
%{_libdir}/libpam.so %{_libdir}/libpam.so
%{_libdir}/libpamc.so %{_libdir}/libpamc.so
%{_libdir}/libpam_misc.so %{_libdir}/libpam_misc.so
%{_rpmmacrodir}/macros.pam %{_rpmmacrodir}/macros.pam
%{_libdir}/pkgconfig/pam*.pc %{_libdir}/pkgconfig/pam*.pc
%endif
%if %{build_userdb}
%files -n pam-userdb
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man}
%endif
%if %{build_extra}
%files -n pam-extra
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_issue.so
%{_pam_moduledir}/pam_timestamp.so
%{_sbindir}/pam_timestamp_check
%endif %endif
%if %{build_doc} %if %{build_doc}
@ -499,6 +498,8 @@ done
%doc %{_defaultdocdir}/pam/*.txt %doc %{_defaultdocdir}/pam/*.txt
%files -n pam-manpages %files -n pam-manpages
%{_mandir}/man3/pam*.3%{?ext_man}
%{_mandir}/man3/misc_conv.3%{?ext_man}
%{_mandir}/man5/environment.5%{?ext_man} %{_mandir}/man5/environment.5%{?ext_man}
%{_mandir}/man5/*.conf.5%{?ext_man} %{_mandir}/man5/*.conf.5%{?ext_man}
%{_mandir}/man5/pam.d.5%{?ext_man} %{_mandir}/man5/pam.d.5%{?ext_man}
@ -520,7 +521,6 @@ done
%{_mandir}/man8/pam_group.8%{?ext_man} %{_mandir}/man8/pam_group.8%{?ext_man}
%{_mandir}/man8/pam_issue.8%{?ext_man} %{_mandir}/man8/pam_issue.8%{?ext_man}
%{_mandir}/man8/pam_keyinit.8%{?ext_man} %{_mandir}/man8/pam_keyinit.8%{?ext_man}
%{_mandir}/man8/pam_lastlog.8%{?ext_man}
%{_mandir}/man8/pam_limits.8%{?ext_man} %{_mandir}/man8/pam_limits.8%{?ext_man}
%{_mandir}/man8/pam_listfile.8%{?ext_man} %{_mandir}/man8/pam_listfile.8%{?ext_man}
%{_mandir}/man8/pam_localuser.8%{?ext_man} %{_mandir}/man8/pam_localuser.8%{?ext_man}
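Review bot: In the source list, the upstream signature is no longer referenced. The only remaining mention is the commented-out `# XXX Source1: Linux-PAM-%{version}.tar.xz.asc`, and the `Source14`/`Source15` `.asc` lines appear to be on the removed side, so nothing in the spec ties the 1.5.2.90 tarball to an upstream artifact. For a git snapshot of an authentication library, record the provenance above `Source:`, e.g. `# git snapshot of https://github.com/linux-pam/linux-pam, commit <UPSTREAM_COMMIT_ID>`. Replace the bare `XXX` with a comment saying that `Source1` and a keyring source are to be restored at the next signed release. Separately, the file list moves `pwhistory.conf` from `%config(noreplace) %{_pam_secconfdir}` to `%{_pam_secdistconfdir}`; unless scriptlets outside these hunks carry over a locally edited copy, an upgrade may leave the admin's password-history settings in a `.rpmsave` file, which is worth confirming.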


@ -1,264 +0,0 @@
diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am
index 8a4dbcb2..c29a8e11 100644
--- a/modules/pam_pwhistory/Makefile.am
+++ b/modules/pam_pwhistory/Makefile.am
@@ -9,9 +9,10 @@ MAINTAINERCLEANFILES = $(MANS) README
EXTRA_DIST = $(XMLS)
if HAVE_DOC
-dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
+dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
endif
-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
+ pwhistory.conf.5.xml
dist_check_SCRIPTS = tst-pam_pwhistory
TESTS = $(dist_check_SCRIPTS)
diff --git a/modules/pam_pwhistory/pam_pwhistory.8.xml b/modules/pam_pwhistory/pam_pwhistory.8.xml
index d88115c2..2a8fa7f6 100644
--- a/modules/pam_pwhistory/pam_pwhistory.8.xml
+++ b/modules/pam_pwhistory/pam_pwhistory.8.xml
@@ -36,6 +36,12 @@
<arg choice="opt">
authtok_type=<replaceable>STRING</replaceable>
</arg>
+ <arg choice="opt">
+ file=<replaceable>/path/filename</replaceable>
+ </arg>
+ <arg choice="opt">
+ conf=<replaceable>/path/to/config-file</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -104,7 +110,7 @@
<listitem>
<para>
The last <replaceable>N</replaceable> passwords for each
- user are saved in <filename>/etc/security/opasswd</filename>.
+ user are saved.
The default is <emphasis>10</emphasis>. Value of
<emphasis>0</emphasis> makes the module to keep the existing
contents of the <filename>opasswd</filename> file unchanged.
@@ -137,7 +143,39 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>file=<replaceable>/path/filename</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Store password history in file <filename>/path/filename</filename>
+ rather than the default location. The default location is
+ <filename>/etc/security/opasswd</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>conf=<replaceable>/path/to/config-file</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Use another configuration file instead of the default
+ <filename>/etc/security/pwhistory.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
+ <para>
+ The options for configuring the module behavior are described in the
+ <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> manual page. The options
+ specified on the module command line override the values from the
+ configuration file.
+ </para>
</refsect1>
<refsect1 id="pam_pwhistory-types">
@@ -213,7 +251,7 @@ password required pam_unix.so use_authtok
<varlistentry>
<term><filename>/etc/security/opasswd</filename></term>
<listitem>
- <para>File with password history</para>
+ <para>Default file with password history</para>
</listitem>
</varlistentry>
</variablelist>
@@ -222,6 +260,9 @@ password required pam_unix.so use_authtok
<refsect1 id='pam_pwhistory-see_also'>
<title>SEE ALSO</title>
<para>
+ <citerefentry>
+ <refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
diff --git a/modules/pam_pwhistory/pwhistory.conf.5.xml b/modules/pam_pwhistory/pwhistory.conf.5.xml
new file mode 100644
index 00000000..bac5ffed
--- /dev/null
+++ b/modules/pam_pwhistory/pwhistory.conf.5.xml
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pwhistory.conf">
+
+ <refmeta>
+ <refentrytitle>pwhistory.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pwhistory.conf-name">
+ <refname>pwhistory.conf</refname>
+ <refpurpose>pam_pwhistory configuration file</refpurpose>
+ </refnamediv>
+
+ <refsect1 id="pwhistory.conf-description">
+
+ <title>DESCRIPTION</title>
+ <para>
+ <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the
+ default settings for saving the last passwords for each user.
+ This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the
+ preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.
+ </para>
+ <para>
+ The file has a very simple <emphasis>name = value</emphasis> format with possible comments
+ starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
+ of line, and around the <emphasis>=</emphasis> sign is ignored.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pwhistory.conf-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Turns on debugging via
+ <citerefentry>
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>enforce_for_root</option>
+ </term>
+ <listitem>
+ <para>
+ If this option is set, the check is enforced for root, too.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>remember=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The last <replaceable>N</replaceable> passwords for each
+ user are saved.
+ The default is <emphasis>10</emphasis>. Value of
+ <emphasis>0</emphasis> makes the module to keep the existing
+ contents of the <filename>opasswd</filename> file unchanged.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>retry=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Prompt user at most <replaceable>N</replaceable> times
+ before returning with error. The default is 1.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>file=<replaceable>/path/filename</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Store password history in file
+ <replaceable>/path/filename</replaceable> rather than the default
+ location. The default location is
+ <filename>/etc/security/opasswd</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pwhistory.conf-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ /etc/security/pwhistory.conf file example:
+ </para>
+ <programlisting>
+debug
+remember=5
+file=/tmp/opasswd
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="pwhistory.conf-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/security/pwhistory.conf</filename></term>
+ <listitem>
+ <para>the config file for custom options</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pwhistory.conf-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory.conf-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_pwhistory was written by Thorsten Kukuk. The support for
+ pwhistory.conf was written by Iker Pedrosa.
+ </para>
+ </refsect1>
+
+</refentry>


@ -1,97 +0,0 @@
--- a/doc/man/pam_xauth_data.3.xml 2021-11-01 12:04:45.640077994 +0100
+++ b/doc/man/pam_xauth_data.3.xml 2019-09-24 13:06:13.531781973 +0200
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id="pam_xauth_data">
+
+ <refmeta>
+ <refentrytitle>pam_xauth_data</refentrytitle>
+ <manvolnum>3</manvolnum>
+ <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_xauth_data-name">
+ <refname>pam_xauth_data</refname>
+ <refpurpose>structure containing X authentication data</refpurpose>
+ </refnamediv>
+
+<!-- body begins here -->
+
+ <refsynopsisdiv>
+ <funcsynopsis id="pam_xauth_data-synopsis">
+ <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
+ </funcsynopsis>
+ <programlisting>
+struct pam_xauth_data {
+ int namelen;
+ char *name;
+ int datalen;
+ char *data;
+};
+ </programlisting>
+ </refsynopsisdiv>
+
+ <refsect1 id='pam_xauth_data-description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The <function>pam_xauth_data</function> structure contains X
+ authentication data used to make a connection to an X display.
+ Using this mechanism, an application can communicate X
+ authentication data to PAM service modules. This allows modules to
+ make a connection to the user's X display in order to label the
+ user's session on login, display visual feedback or for other
+ purposes.
+ </para>
+ <para>
+ The <emphasis>name</emphasis> field contains the name of the
+ authentication method, such as "MIT-MAGIC-COOKIE-1". The
+ <emphasis>namelen</emphasis> field contains the length of this string,
+ not including the trailing NUL character.
+ </para>
+ <para>
+ The <emphasis>data</emphasis> field contains the authentication
+ method-specific data corresponding to the specified name. The
+ <emphasis>datalen</emphasis> field contains its length in bytes.
+ </para>
+ <para>
+ The X authentication data can be changed with the
+ <emphasis>PAM_XAUTH_DATA</emphasis> item. It can be queried and
+ set with
+ <citerefentry>
+ <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ and
+ <citerefentry>
+ <refentrytitle>pam_set_item </refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> respectively. The value used to set it should be
+ a pointer to a pam_xauth_data structure. An internal copy of both
+ the structure itself and its fields is made by PAM when setting the
+ item.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_xauth_data-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_xauth_data-standards'>
+ <title>STANDARDS</title>
+ <para>
+ The <function>pam_xauth_data</function> structure and
+ <emphasis>PAM_XAUTH_DATA</emphasis> item are
+ Linux-PAM extensions.
+ </para>
+ </refsect1>
+
+</refentry>