From 513de029acc9f80ba5b34af22044ade69c955df791648204f53cb276cc56ae8f Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Fri, 29 Aug 2008 23:16:13 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=16
---
Linux-PAM-1.0.1-docs.tar.bz2 | 3 -
Linux-PAM-1.0.1.tar.bz2 | 3 -
Linux-PAM-1.0.2-SUSE-docs.tar.bz2 | 3 +
Linux-PAM-1.0.2.tar.bz2 | 3 +
Linux-PAM-docu-generated.diff | 1884 ++++++++++++++++++++++++++++
Linux-PAM-docu.diff | 1645 ++++++++++++++++++++++++
pam-1.0.0-selinux-env-params.patch | 561 +++++++++
pam-1.0.1-namespace-create.patch | 679 ++++++++++
pam.changes | 7 +
pam.spec | 26 +-
pam_sepermit.diff | 17 +
pam_tally.diff | 173 +++
pam_xauth.diff | 26 +
13 files changed, 5020 insertions(+), 10 deletions(-)
delete mode 100644 Linux-PAM-1.0.1-docs.tar.bz2
delete mode 100644 Linux-PAM-1.0.1.tar.bz2
create mode 100644 Linux-PAM-1.0.2-SUSE-docs.tar.bz2
create mode 100644 Linux-PAM-1.0.2.tar.bz2
create mode 100644 Linux-PAM-docu-generated.diff
create mode 100644 Linux-PAM-docu.diff
create mode 100644 pam-1.0.0-selinux-env-params.patch
create mode 100644 pam-1.0.1-namespace-create.patch
create mode 100644 pam_sepermit.diff
create mode 100644 pam_tally.diff
create mode 100644 pam_xauth.diff
diff --git a/Linux-PAM-1.0.1-docs.tar.bz2 b/Linux-PAM-1.0.1-docs.tar.bz2
deleted file mode 100644
index cb0d8ee..0000000
--- a/Linux-PAM-1.0.1-docs.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0cece8350dacc264479a4d047b8b9bf0e6deab89a169f638aef8ebfb153f6d9d
-size 709063
diff --git a/Linux-PAM-1.0.1.tar.bz2 b/Linux-PAM-1.0.1.tar.bz2
deleted file mode 100644
index 2a1cb29..0000000
--- a/Linux-PAM-1.0.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:62973b460be34fb7cb4b650bd62ce0c2318d13777b7312ef12656e55a2d9f00e
-size 979879
diff --git a/Linux-PAM-1.0.2-SUSE-docs.tar.bz2 b/Linux-PAM-1.0.2-SUSE-docs.tar.bz2
new file mode 100644
index 0000000..13eac9b
--- /dev/null
+++ b/Linux-PAM-1.0.2-SUSE-docs.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2edaf8a8c29b7a214f99871aeb19a427c4a368604bc40281c655adfffb7852bc
+size 475385
diff --git a/Linux-PAM-1.0.2.tar.bz2 b/Linux-PAM-1.0.2.tar.bz2
new file mode 100644
index 0000000..a4087f8
--- /dev/null
+++ b/Linux-PAM-1.0.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1f85b4ed494c73b43fcfb195758ee6570615fd6e5f7cf09fd27644a1838019ae
+size 980339
diff --git a/Linux-PAM-docu-generated.diff b/Linux-PAM-docu-generated.diff
new file mode 100644
index 0000000..99b7bd0
--- /dev/null
+++ b/Linux-PAM-docu-generated.diff
@@ -0,0 +1,1884 @@ +--- Linux-PAM-1.0.2-old/doc/man/pam_getenv.3 2008-04-16 11:09:52.000000000 +0200 ++++ Linux-PAM-1.0.2/doc/man/pam_getenv.3 2008-08-29 14:06:54.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_getenv + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_GETENV" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_GETENV" "3" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -27,8 +27,9 @@ + \fBpam_getenv\fR + function searches the PAM environment list as associated with the handle + \fIpamh\fR +-for a string that matches the string pointed to by +-\fIname\fR\. The return values are of the form: "\fIname=value\fR"\. ++for an item that matches the string pointed to by ++\fIname\fR ++and returns the value of the environment variable\. 
+ .SH "RETURN VALUES" + .PP + The +--- Linux-PAM-1.0.2-old/doc/man/pam_prompt.3 2008-04-16 11:09:59.000000000 +0200 ++++ Linux-PAM-1.0.2/doc/man/pam_prompt.3 2008-08-29 14:06:55.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_prompt + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_PROMPT" "3" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_PROMPT" "3" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -27,7 +27,9 @@ + .PP + The + \fBpam_prompt\fR +-function constructs a message from the specified format string and arguments and passes it to ++function constructs a message from the specified format string and arguments and passes it to the conversation function as set by the service\. Upon successful return, ++\fIresponse\fR ++is set to point to a string returned from the conversation function\. This string is allocated on heap and should be freed\. 
+ .SH "RETURN VALUES" + .PP + PAM_BUF_ERR +--- Linux-PAM-1.0.2-old/modules/pam_access/pam_access.8 2008-04-16 11:06:35.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_access/pam_access.8 2008-08-29 14:04:27.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_access + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ACCESS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ACCESS" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -64,9 +64,13 @@ + .RS 4 + The group database will not be used for tokens not identified as account name\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-All services are supported\. ++All module types (\fBauth\fR, ++\fBaccount\fR, ++\fBpassword\fR ++and ++\fBsession\fR) are provided\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -105,7 +109,7 @@ + .PP + + \fBaccess.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8)\. + .SH "AUTHORS" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_cracklib/pam_cracklib.8 2008-04-16 11:06:38.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.8 2008-08-29 14:04:30.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_cracklib + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_CRACKLIB" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_CRACKLIB" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -157,7 +157,7 @@ + \fBminlen\fR + less than 10\. 
+ .sp +-(N > 0) This is the minimum number of upper case letters that must be met for a new password\. ++(N < 0) This is the minimum number of upper case letters that must be met for a new password\. + .RE + .PP + \fBlcredit=\fR\fB\fIN\fR\fR +@@ -212,11 +212,11 @@ + .RS 4 + Path to the cracklib dictionaries\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-Only he ++Only the + \fBpassword\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + .PP +@@ -302,7 +302,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_cracklib/README 2008-04-16 11:06:39.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_cracklib/README 2008-08-29 14:04:32.000000000 +0200 +@@ -129,7 +129,7 @@ + will count +1 towards meeting the current minlen value. The default for + ucredit is 1 which is the recommended value for minlen less than 10. + +- (N > 0) This is the minimum number of upper case letters that must be met ++ (N < 0) This is the minimum number of upper case letters that must be met + for a new password. 
+ + lcredit=N +--- Linux-PAM-1.0.2-old/modules/pam_debug/pam_debug.8 2008-04-16 11:06:41.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_debug/pam_debug.8 2008-08-29 14:04:34.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_debug + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_DEBUG" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_DEBUG" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -87,15 +87,13 @@ + Where + \fIvalue\fR + can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete\. +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services +-\fBauth\fR, ++All module types (\fBauth\fR, + \fBaccount\fR, + \fBpassword\fR + and +-\fBsession\fR +-are supported\. ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -119,7 +117,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_deny/pam_deny.8 2008-04-16 11:06:44.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_deny/pam_deny.8 2008-08-29 14:04:37.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_deny + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_DENY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_DENY" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -22,13 +22,13 @@ + .SH "OPTIONS" + .PP + This module does not recognise any options\. +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-All services (\fBaccount\fR, ++All module types (\fBaccount\fR, + \fBauth\fR, + \fBpassword\fR + and +-\fBsession\fR) are supported\. ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -75,7 +75,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_echo/pam_echo.8 2008-04-16 11:06:47.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_echo/pam_echo.8 2008-08-29 14:04:40.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_echo + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ECHO" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ECHO" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -66,9 +66,13 @@ + \fI/path/message\fR + will be printed with the PAM conversion function as PAM_TEXT_INFO\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-All services are supported\. ++All module types (\fBauth\fR, ++\fBaccount\fR, ++\fBpassword\fR ++and ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_BUF_ERR +@@ -101,7 +105,7 @@ + .PP + + \fBpam.conf\fR(8), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_env/pam_env.8 2008-04-16 11:06:52.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_env/pam_env.8 2008-08-29 14:04:44.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_env + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ENV" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -27,7 +27,7 @@ + .PP + This module can also parse a file with simple + \fIKEY=VAL\fR +-pairs on seperate lines (\fI/etc/environment\fR ++pairs on separate lines (\fI/etc/environment\fR + by default)\. You can change the default file to parse, with the + \fIenvfile\fR + flag and turn it on or off by setting the +@@ -59,13 +59,13 @@ + .RS 4 + Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\. By default this option is on\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + The + \fBauth\fR + and + \fBsession\fR +-services are supported\. ++module types are provided\. + .SH "RETURN VALUES" + .PP + PAM_ABORT +@@ -102,7 +102,7 @@ + .PP + + \fBpam_env.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8)\. + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_env/README 2008-04-16 11:06:53.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_env/README 2008-08-29 14:04:45.000000000 +0200 +@@ -11,7 +11,7 @@ + By default rules for (un)setting of variables is taken from the config file / + etc/security/pam_env.conf if no other file is specified. 
+ +-This module can also parse a file with simple KEY=VAL pairs on seperate lines ++This module can also parse a file with simple KEY=VAL pairs on separate lines + (/etc/environment by default). You can change the default file to parse, with + the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 + respectively. +--- Linux-PAM-1.0.2-old/modules/pam_exec/pam_exec.8 2008-04-16 11:09:09.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_exec/pam_exec.8 2008-08-29 14:06:39.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_exec + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_EXEC" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_EXEC" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -50,15 +50,13 @@ + .RS 4 + Per default pam_exec\.so will execute the external command with the real user ID of the calling process\. Specifying this option means the command is run with the effective user ID\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services +-\fBauth\fR, ++All module types (\fBauth\fR, + \fBaccount\fR, + \fBpassword\fR + and +-\fBsession\fR +-are supported\. ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -109,7 +107,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_faildelay/pam_faildelay.8 2008-04-16 11:09:21.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_faildelay/pam_faildelay.8 2008-08-29 14:06:50.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_faildelay + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_FAILDELAY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_FAILDELAY" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -34,11 +34,11 @@ + .RS 4 + Set the delay on failure to N microseconds\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++module type is provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_IGNORE +@@ -66,7 +66,7 @@ + + \fBpam_fail_delay\fR(3), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_filter/pam_filter.8 2008-04-16 11:06:56.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_filter/pam_filter.8 2008-08-29 14:04:48.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_filter + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_FILTER" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_FILTER" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -109,15 +109,13 @@ + .RS 4 + The full pathname of the filter to be run and any command line arguments that the filter might expect\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services +-\fBauth\fR, ++All module types (\fBauth\fR, + \fBaccount\fR, + \fBpassword\fR + and +-\fBsession\fR +-are supported\. ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -147,7 +145,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_ftp/pam_ftp.8 2008-04-16 11:07:01.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_ftp/pam_ftp.8 2008-08-29 14:04:51.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_ftp + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_FTP" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_FTP" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -56,11 +56,11 @@ + \fB\fIXXX,YYY,\.\.\.\fR\fR\. Should the applicant enter one of these usernames the returned username is set to the first in the list: + \fIXXX\fR\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++module type is provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -98,7 +98,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_group/pam_group.8 2008-04-16 11:07:06.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_group/pam_group.8 2008-08-29 14:04:55.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_group + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_GROUP" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_GROUP" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -39,11 +39,11 @@ + .SH "OPTIONS" + .PP + This module does not recognise any options\. +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -87,7 +87,7 @@ + .PP + + \fBgroup.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8)\. 
+ .SH "AUTHORS" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_issue/pam_issue.8 2008-04-16 11:07:09.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_issue/pam_issue.8 2008-08-29 14:04:58.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_issue + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ISSUE" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_ISSUE" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -87,11 +87,11 @@ + .RS 4 + The file to output if not using the default\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + .PP +@@ -131,7 +131,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_keyinit/pam_keyinit.8 2008-04-16 11:07:12.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_keyinit/pam_keyinit.8 2008-08-29 14:05:02.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_keyinit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_KEYINIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_KEYINIT" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -53,11 +53,11 @@ + .RS 4 + Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\. 
+ .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -110,7 +110,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + \fBkeyctl\fR(1) + .SH "AUTHOR" +--- Linux-PAM-1.0.2-old/modules/pam_lastlog/pam_lastlog.8 2008-04-16 11:07:16.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_lastlog/pam_lastlog.8 2008-08-29 14:05:05.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_lastlog + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LASTLOG" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LASTLOG" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -62,11 +62,11 @@ + .RS 4 + Don\'t update the wtmp entry\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++module type is provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -106,7 +106,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_limits/pam_limits.8 2008-04-16 11:07:20.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_limits/pam_limits.8 2008-08-29 14:05:09.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_limits + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LIMITS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_LIMITS" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -56,11 +56,11 @@ + .RS 4 + Do not report exceeded maximum logins count to the audit subsystem\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + PAM_ABORT +@@ -125,7 +125,7 @@ + .PP + + \fBlimits.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8)\. 
+ .SH "AUTHORS" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_listfile/pam_listfile.8 2008-04-16 11:07:24.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_listfile/pam_listfile.8 2008-08-29 14:05:12.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_listfile + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LISTFILE" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LISTFILE" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -98,15 +98,13 @@ + .RS 4 + Do not treat service refusals or missing list files as errors that need to be logged\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services +-\fBauth\fR, ++All module types (\fBauth\fR, + \fBaccount\fR, + \fBpassword\fR + and +-\fBsession\fR +-are supported\. ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -182,7 +180,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_localuser/pam_localuser.8 2008-04-16 11:07:27.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_localuser/pam_localuser.8 2008-08-29 14:05:16.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_localuser + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LOCALUSER" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LOCALUSER" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -33,13 +33,13 @@ + Use a file other than + \fI/etc/passwd\fR\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-All services (\fBaccount\fR, ++All module types (\fBaccount\fR, + \fBauth\fR, + \fBpassword\fR + and +-\fBsession\fR) are supported\. ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -81,7 +81,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_loginuid/pam_loginuid.8 2008-04-16 11:09:18.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_loginuid/pam_loginuid.8 2008-08-29 14:06:47.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_loginuid + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LOGINUID" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LOGINUID" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -24,11 +24,11 @@ + .RS 4 + This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The ++Only the + \fBsession\fR +-service is supported\. ++module type is provided\. 
+ .SH "RETURN VALUES" + .PP + .PP +@@ -54,7 +54,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8), + \fBauditctl\fR(8), + \fBauditd\fR(8) +--- Linux-PAM-1.0.2-old/modules/pam_mail/pam_mail.8 2008-04-16 11:07:30.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_mail/pam_mail.8 2008-08-29 14:05:19.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_mail + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MAIL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_MAIL" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -87,13 +87,13 @@ + .RS 4 + Old style "You have\.\.\." format which doesn\'t show the mail spool being used\. This also implies "empty"\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + The +-\fBauth\fR ++\fBsession\fR + and +-\fBaccount\fR +-services are supported\. ++\fBauth\fR ++(on establishment and deletion of credentials) module types are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_BUF_ERR +@@ -132,7 +132,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_mkhomedir/pam_mkhomedir.8 2008-04-16 11:07:34.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_mkhomedir/pam_mkhomedir.8 2008-08-29 14:05:22.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_mkhomedir + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MKHOMEDIR" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_MKHOMEDIR" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -41,11 +41,11 @@ + directory to override the default + \fI/etc/skel\fR\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR +@@ -102,7 +102,7 @@ + .SH "SEE ALSO" + .PP + +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8)\. 
+ .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_motd/pam_motd.8 2008-04-16 11:07:37.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_motd/pam_motd.8 2008-08-29 14:05:26.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_motd + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_MOTD" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_MOTD" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -28,11 +28,11 @@ + \fI/path/filename\fR + file is displayed as message of the day\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + PAM_IGNORE +@@ -57,7 +57,7 @@ + + \fBmotd\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_namespace/namespace.conf.5 2008-04-16 11:09:13.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_namespace/namespace.conf.5 2008-08-29 14:06:43.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: namespace.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "NAMESPACE\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "NAMESPACE\.CONF" "5" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -18,7 +18,7 @@ + \fIpam_namespace\.so\fR + module allows setup of private namespaces with polyinstantiated directories\. 
Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context\. If an executable script + \fI/etc/security/namespace\.init\fR +-exists, it is used to initialize the namespace every time a new instance directory is setup\. The script receives the polyinstantiated directory path and the instance directory path as its arguments\. ++exists, it is used to initialize the namespace every time an instance directory is set up and mounted\. The script receives the polyinstantiated directory path and the instance directory path as its arguments\. + .PP + The + \fI/etc/security/namespace\.conf\fR +--- Linux-PAM-1.0.2-old/modules/pam_namespace/pam_namespace.8 2008-04-16 11:09:14.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_namespace/pam_namespace.8 2008-08-29 14:06:45.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_namespace + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_NAMESPACE" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_NAMESPACE" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -19,7 +19,7 @@ + .PP + The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\. If an executable script + \fI/etc/security/namespace\.init\fR +-exists, it is used to initialize the namespace every time a new instance directory is setup\. 
The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\. ++exists, it is used to initialize the instance directory after it is set up and mounted on the polyinstantiated direcory\. The script receives the polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments\. + .PP + The pam_namespace module disassociates the session namespace from the parent namespace\. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\.net/Articles/159077 and http://lwn\.net/Articles/159092\. + .SH "OPTIONS" +@@ -73,11 +73,11 @@ + .RS 4 + Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\. The module will use the default SELinux context of the user for the level and context polyinstantiation\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The ++Only the + \fBsession\fR +-service is supported\. The module must not be called from multithreaded processes\. ++module type is provided\. The module must not be called from multithreaded processes\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -149,7 +149,7 @@ + .PP + + \fBnamespace.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBmount\fR(8), + \fBpam\fR(8)\. 
+ .SH "AUTHORS" +--- Linux-PAM-1.0.2-old/modules/pam_nologin/pam_nologin.8 2008-04-16 11:07:40.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_nologin/pam_nologin.8 2008-08-29 14:05:29.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_nologin + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_NOLOGIN" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_NOLOGIN" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -34,13 +34,13 @@ + .RS 4 + Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + The + \fBauth\fR + and + \fBacct\fR +-services are supported\. ++module types are provided\. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +@@ -103,7 +103,7 @@ + + \fBnologin\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_permit/pam_permit.8 2008-04-16 11:07:43.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_permit/pam_permit.8 2008-08-29 14:05:32.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_permit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_PERMIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_PERMIT" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -27,15 +27,15 @@ + .SH "OPTIONS" + .PP + This module does not recognise any options\. 
+-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services ++The + \fBauth\fR, + \fBaccount\fR, + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++module types are provided\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -57,7 +57,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_rhosts/pam_rhosts.8 2008-04-16 11:07:46.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_rhosts/pam_rhosts.8 2008-08-29 14:05:36.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_rhosts + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_RHOSTS" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_RHOSTS" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -53,11 +53,11 @@ + \fIaccount\fR + as root\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++module type is provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +@@ -101,7 +101,7 @@ + \fBhosts.equiv\fR(5), + \fBrhosts\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_rootok/pam_rootok.8 2008-04-16 11:07:49.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_rootok/pam_rootok.8 2008-08-29 14:05:39.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_rootok + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_ROOTOK" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_ROOTOK" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -31,11 +31,11 @@ + .RS 4 + Print debug information\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++type is provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -76,7 +76,7 @@ + + \fBsu\fR(1), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_securetty/pam_securetty.8 2008-04-16 11:07:52.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_securetty/pam_securetty.8 2008-08-29 14:05:42.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_securetty + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SECURETTY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SECURETTY" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -37,11 +37,11 @@ + .RS 4 + Print debug information\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBauth\fR +-service is supported\. ++module type is provided\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -67,7 +67,7 @@ + \fI/etc/securetty\fR\. 
+ .RE + .PP +-PAM_IGNORE ++PAM_USER_UNKNOWN + .RS 4 + The module could not find the user name in the + \fI/etc/passwd\fR +@@ -90,7 +90,7 @@ + + \fBsecuretty\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_selinux/pam_selinux.8 2008-04-16 11:07:56.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_selinux/pam_selinux.8 2008-08-29 14:05:46.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_selinux + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SELINUX" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SELINUX" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -14,7 +14,7 @@ + pam_selinux - PAM module to set the default security context + .SH "SYNOPSIS" + .HP 15 +-\fBpam_selinux\.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range] ++\fBpam_selinux\.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [env_params] [use_current_range] + .SH "DESCRIPTION" + .PP + In a nutshell, pam_selinux sets up the default security context for the next execed shell\. +@@ -55,9 +55,17 @@ + Attempt to ask the user for a custom security context role\. If MLS is on ask also for sensitivity level\. + .RE + .PP ++\fBenv_params\fR ++.RS 4 ++Attempt to obtain a custom security context role from PAM environment\. If MLS is on obtain also sensitivity level\. This option and the select_context option are mutually exclusive\. The respective PAM environment variables are ++\fISELINUX_ROLE_REQUESTED\fR, ++\fISELINUX_LEVEL_REQUESTED\fR, and ++\fISELINUX_USE_CURRENT_RANGE\fR\. 
The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\. ++.RE ++.PP + \fBuse_current_range\fR + .RS 4 +-Use the sensitivity range of the process for the user context\. This option and the select_context option are mutually exclusive\. ++Use the sensitivity level of the current process for the user context instead of the default level\. Also supresses asking of the sensitivity level from the user or obtaining it from PAM environment\. + .RE + .SH "MODULE SERVICES PROVIDED" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_selinux/README 2008-04-16 11:07:55.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_selinux/README 2008-08-29 14:05:45.000000000 +0200 +@@ -48,10 +48,21 @@ + Attempt to ask the user for a custom security context role. If MLS is on + ask also for sensitivity level. + ++env_params ++ ++ Attempt to obtain a custom security context role from PAM environment. If ++ MLS is on obtain also sensitivity level. This option and the select_context ++ option are mutually exclusive. The respective PAM environment variables are ++ SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and ++ SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and ++ the last one if set to 1 makes the PAM module behave as if the ++ use_current_range was specified on the command line of the module. ++ + use_current_range + +- Use the sensitivity range of the process for the user context. This option +- and the select_context option are mutually exclusive. ++ Use the sensitivity level of the current process for the user context ++ instead of the default level. Also supresses asking of the sensitivity ++ level from the user or obtaining it from PAM environment. 
+ + EXAMPLES + +--- Linux-PAM-1.0.2-old/modules/pam_sepermit/pam_sepermit.8 2008-04-16 11:07:59.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_sepermit/pam_sepermit.8 2008-08-29 14:05:49.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_sepermit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SEPERMIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SEPERMIT" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -49,13 +49,13 @@ + .RS 4 + Path to alternative config file overriding the default\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-Only the ++The + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++module types are provided\. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +--- Linux-PAM-1.0.2-old/modules/pam_shells/pam_shells.8 2008-04-16 11:08:01.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_shells/pam_shells.8 2008-08-29 14:05:51.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_shells + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_SHELLS" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SHELLS" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -26,13 +26,13 @@ + .SH "OPTIONS" + .PP + This module does not recognise any options\. +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services ++The + \fBauth\fR + and + \fBaccount\fR +-are supported\. ++module types are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +@@ -66,7 +66,7 @@ + + \fBshells\fR(5), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_succeed_if/pam_succeed_if.8 2008-04-16 11:08:05.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_succeed_if/pam_succeed_if.8 2008-08-29 14:05:55.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_succeed_if + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM + .\" Source: Linux-PAM + .\" +-.TH "PAM_SUCCEED_IF" "8" "04/16/2008" "Linux-PAM" "Linux\-PAM" ++.TH "PAM_SUCCEED_IF" "8" "08/29/2008" "Linux-PAM" "Linux\-PAM" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -141,9 +141,13 @@ + .RS 4 + (user,host) is not in given netgroup\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-All services are supported\. ++All module types (\fBaccount\fR, ++\fBauth\fR, ++\fBpassword\fR ++and ++\fBsession\fR) are provided\. + .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -158,7 +162,7 @@ + .PP + PAM_SERVICE_ERR + .RS 4 +-A service error occured or the arguments can\'t be parsed as numbers\. ++A service error occured or the arguments can\'t be parsed correctly\. 
+ .RE + .SH "EXAMPLES" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_tally/pam_tally.8 2008-04-16 11:08:10.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_tally/pam_tally.8 2008-08-29 14:05:59.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_tally + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_TALLY" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_TALLY" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -14,7 +14,7 @@ + pam_tally - The login counter (tallying) module + .SH "SYNOPSIS" + .HP 13 +-\fBpam_tally\.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] ++\fBpam_tally\.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] [silent] [no_log_info] + .HP 10 + \fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] + .SH "DESCRIPTION" +@@ -45,7 +45,7 @@ + \fIauth\fR + and + \fIaccount\fR +-services\. ++module types\. + .PP + \fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR + .RS 4 +@@ -66,6 +66,17 @@ + .RS 4 + Will log the user name into the system log if the user is not found\. + .RE ++.PP ++\fBsilent\fR ++.RS 4 ++Don\'t print informative messages\. ++.RE ++.PP ++\fBno_log_info\fR ++.RS 4 ++Don\'t log informative messages via ++\fBsyslog\fR(3)\. ++.RE + .RE + .PP + AUTH OPTIONS +@@ -154,13 +165,13 @@ + Don\'t reset count on successful entry, only decrement\. 
+ .RE + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + The + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++module types are provided\. + .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +@@ -214,7 +225,7 @@ + + \fBfaillog\fR(8), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_tally/README 2008-04-16 11:08:11.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_tally/README 2008-08-29 14:06:00.000000000 +0200 +@@ -25,7 +25,7 @@ + + GLOBAL OPTIONS + +- This can be used for auth and account services. ++ This can be used for auth and account module types. + + onerr=[fail|succeed] + +@@ -41,6 +41,14 @@ + + Will log the user name into the system log if the user is not found. + ++ silent ++ ++ Don't print informative messages. ++ ++ no_log_info ++ ++ Don't log informative messages via syslog(3). ++ + AUTH OPTIONS + + Authentication phase first checks if user should be denied access and if +--- Linux-PAM-1.0.2-old/modules/pam_time/pam_time.8 2008-04-16 11:08:15.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_time/pam_time.8 2008-08-29 14:06:03.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_time + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_TIME" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_TIME" "8" "08/29/2008" "Linux-PAM Manual" "Linux-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -35,11 +35,11 @@ + .RS 4 + Do not report logins at disallowed time to the audit subsystem\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBaccount\fR +-service is supported\. ++type is provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_SUCCESS +@@ -88,7 +88,7 @@ + .PP + + \fBtime.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8)\. + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_tty_audit/pam_tty_audit.8 2008-04-16 11:08:21.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_tty_audit/pam_tty_audit.8 2008-08-29 14:06:06.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_tty_audit + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_TTY_AUDIT" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_TTY_AUDIT" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -43,11 +43,11 @@ + to run the authenticated session, such as + \fBsudo\fR\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++type is supported\. + .SH "RETURN VALUES" + .PP + PAM_SESSION_ERR +--- Linux-PAM-1.0.2-old/modules/pam_umask/pam_umask.8 2008-04-16 11:08:27.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_umask/pam_umask.8 2008-08-29 14:06:10.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_umask + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_UMASK" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_UMASK" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -70,11 +70,11 @@ + \fBmask\fR + & 0777\. The value is interpreted as Octal\. 
+ .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++type is provided\. + .SH "RETURN VALUES" + .PP + .PP +@@ -109,7 +109,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_unix/pam_unix.8 2008-04-16 11:08:40.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_unix/pam_unix.8 2008-08-29 14:06:21.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_unix + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_UNIX" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_UNIX" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -148,9 +148,13 @@ + .PP + Invalid arguments are logged with + \fBsyslog\fR(3)\. +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-All service are supported\. ++All module types (\fBaccount\fR, ++\fBauth\fR, ++\fBpassword\fR ++and ++\fBsession\fR) are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_IGNORE +@@ -182,7 +186,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_userdb/pam_userdb.8 2008-04-16 11:08:48.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_userdb/pam_userdb.8 2008-08-29 14:06:25.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_userdb + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_USERDB" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_USERDB" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -73,13 +73,13 @@ + .RS 4 + The username and password are concatenated together in the database hash as \'username\-password\' with a random value\. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\. this is useful in cases where the username may not be unique but the username and password pair are\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services ++The + \fBauth\fR + and + \fBaccount\fR +-are supported\. ++module types are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +@@ -129,7 +129,7 @@ + + \fBcrypt\fR(3), + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_warn/pam_warn.8 2008-04-16 11:08:53.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_warn/pam_warn.8 2008-08-29 14:06:28.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_warn + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_WARN" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_WARN" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -23,15 +23,15 @@ + .SH "OPTIONS" + .PP + This module does not recognise any options\. +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP +-The services ++The + \fBauth\fR, + \fBaccount\fR, + \fBpassword\fR + and + \fBsession\fR +-are supported\. ++module types are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_IGNORE +@@ -62,7 +62,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_wheel/pam_wheel.8 2008-04-16 11:08:57.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_wheel/pam_wheel.8 2008-08-29 14:06:31.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_wheel + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_WHEEL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_WHEEL" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -60,13 +60,13 @@ + .RS 4 + The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + The + \fBauth\fR + and + \fBaccount\fR +-services are supported\. ++module types are provided\. 
+ .SH "RETURN VALUES" + .PP + PAM_AUTH_ERR +@@ -120,7 +120,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP +--- Linux-PAM-1.0.2-old/modules/pam_xauth/pam_xauth.8 2008-04-16 11:09:03.000000000 +0200 ++++ Linux-PAM-1.0.2/modules/pam_xauth/pam_xauth.8 2008-08-29 14:06:35.000000000 +0200 +@@ -1,11 +1,11 @@ + .\" Title: pam_xauth + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.73.1 +-.\" Date: 04/16/2008 ++.\" Generator: DocBook XSL Stylesheets v1.73.2 ++.\" Date: 08/29/2008 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM Manual + .\" +-.TH "PAM_XAUTH" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_XAUTH" "8" "08/29/2008" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -82,11 +82,11 @@ + .RS 4 + Specify a single target UID which is exempt from the systemuser check\. + .RE +-.SH "MODULE SERVICES PROVIDED" ++.SH "MODULE TYPES PROVIDED" + .PP + Only the + \fBsession\fR +-service is supported\. ++type is provided\. + .SH "RETURN VALUES" + .PP + PAM_BUF_ERR +@@ -156,7 +156,7 @@ + .PP + + \fBpam.conf\fR(5), +-\fBpam.d\fR(8), ++\fBpam.d\fR(5), + \fBpam\fR(8) + .SH "AUTHOR" + .PP diff --git a/Linux-PAM-docu.diff b/Linux-PAM-docu.diff new file mode 100644 index 0000000..d1a460a --- /dev/null +++ b/Linux-PAM-docu.diff 
@@ -0,0 +1,1645 @@
+--- Linux-PAM-1.0/doc/man/pam_getenv.3.xml 2006-06-25 21:01:00.000000000 +0200
++++ Linux-PAM/doc/man/pam_getenv.3.xml 2008-06-22 09:47:28.000000000 +0200
+@@ -32,9 +32,9 @@
+
+ The pam_getenv function searches the
+ PAM environment list as associated with the handle
+- pamh for a string that matches the string
+- pointed to by name. The return values are
+- of the form: "name=value".
++ pamh for an item that matches the string
++ pointed to by name and returns the value
++ of the environment variable.
+
+
+
+--- Linux-PAM-1.0/doc/man/pam_prompt.3.xml 2006-05-04 08:56:08.000000000 +0200
++++ Linux-PAM/doc/man/pam_prompt.3.xml 2008-06-22 09:47:29.000000000 +0200
+@@ -44,7 +44,11 @@
+ DESCRIPTION
+
+ The pam_prompt function constructs a message
+- from the specified format string and arguments and passes it to
++ from the specified format string and arguments and passes it to the
++ conversation function as set by the service. Upon successful return,
++ response is set to point to a string
++ returned from the conversation function. This string is allocated
++ on heap and should be freed.
+
+
+
+--- Linux-PAM-1.0/doc/sag/pam_access.xml 2006-10-13 13:33:18.000000000 +0200
++++ Linux-PAM/doc/sag/pam_access.xml 2008-08-20 20:56:21.000000000 +0200
+@@ -19,9 +19,9 @@
+
+
+-
++
+ ++ href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-types"]/*)'/> +
+
+ +
+-
++
+ ++ href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-types"]/*)'/> +
+
+ + + If Linux PAM is compiled with audit support the module will report +- when it denies access based on origin (host or tty). ++ when it denies access based on origin (host or tty). + + + +@@ -159,10 +159,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- All services are supported. ++ All module types (, , ++ and ) are provided. + + + +@@ -231,7 +232,7 @@ + access.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_cracklib/pam_cracklib.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -281,7 +281,7 @@ + than 10. + + +- (N > 0) This is the minimum number of upper ++ (N < 0) This is the minimum number of upper + case letters that must be met for a new password. + + +@@ -376,10 +376,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only he service is supported. ++ Only the module type is provided. + + + +@@ -495,7 +495,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_debug/pam_debug.8.xml 2006-06-17 19:20:40.000000000 +0200 ++++ Linux-PAM/modules/pam_debug/pam_debug.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -171,11 +171,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services , , +- and are supported. ++ All module types (, , ++ and ) are provided. + + + +@@ -213,7 +213,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_deny/pam_deny.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_deny/pam_deny.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -38,11 +38,11 @@ + This module does not recognise any options. + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- All services (, , +- and ) are supported. ++ All module types (, , ++ and ) are provided. 
+ + + +@@ -117,7 +117,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_echo/pam_echo.8.xml 2006-06-22 21:44:30.000000000 +0200 ++++ Linux-PAM/modules/pam_echo/pam_echo.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -96,10 +96,12 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- All services are supported. ++ All module types (, , ++ and ) are provided. ++ + + + +@@ -154,7 +156,7 @@ + pam.conf8 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_env/environment 2006-09-01 13:37:13.000000000 +0200 ++++ Linux-PAM/modules/pam_env/environment 2008-08-01 14:10:43.000000000 +0200 +@@ -1,5 +1,5 @@ + # + # This file is parsed by pam_env module + # +-# Syntax: simple "KEY=VAL" pairs on seperate lines ++# Syntax: simple "KEY=VAL" pairs on separate lines + # +--- Linux-PAM-1.0/modules/pam_env/pam_env.8.xml 2006-06-22 21:44:30.000000000 +0200 ++++ Linux-PAM/modules/pam_env/pam_env.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -53,7 +53,7 @@ + + + This module can also parse a file with simple +- KEY=VAL pairs on seperate lines ++ KEY=VAL pairs on separate lines + (/etc/environment by default). You can + change the default file to parse, with the envfile + flag and turn it on or off by setting the readenv +@@ -118,11 +118,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The and services +- are supported. ++ The and module ++ types are provided. + + + +@@ -189,7 +189,7 @@ + pam_env.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_exec/pam_exec.8.xml 2008-02-04 16:27:31.000000000 +0100 ++++ Linux-PAM/modules/pam_exec/pam_exec.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -123,11 +123,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services , , +- and are supported. ++ All module types (, , ++ and ) are provided. 
+ + + +@@ -199,7 +199,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_faildelay/pam_faildelay.8.xml 2006-12-07 13:34:00.000000000 +0100 ++++ Linux-PAM/modules/pam_faildelay/pam_faildelay.8.xml 2008-08-20 20:56:25.000000000 +0200 +@@ -68,10 +68,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -118,7 +118,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_filter/pam_filter.8.xml 2006-06-09 18:44:06.000000000 +0200 ++++ Linux-PAM/modules/pam_filter/pam_filter.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -188,11 +188,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services , , +- and are supported. ++ All module types (, , ++ and ) are provided. + + + +@@ -243,7 +243,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_ftp/pam_ftp.8.xml 2006-06-09 18:44:06.000000000 +0200 ++++ Linux-PAM/modules/pam_ftp/pam_ftp.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -105,10 +105,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -165,7 +165,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_group/pam_group.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_group/pam_group.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -65,10 +65,10 @@ + This module does not recognise any options. + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. 
+ + + +@@ -145,7 +145,7 @@ + group.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_issue/pam_issue.8.xml 2006-06-21 08:35:25.000000000 +0200 ++++ Linux-PAM/modules/pam_issue/pam_issue.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -146,10 +146,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -216,7 +216,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_keyinit/pam_keyinit.8.xml 2006-06-27 14:34:07.000000000 +0200 ++++ Linux-PAM/modules/pam_keyinit/pam_keyinit.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -121,10 +121,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the session service is supported. ++ Only the module type is provided. + + + +@@ -220,7 +220,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_lastlog/pam_lastlog.8.xml 2006-06-09 18:44:07.000000000 +0200 ++++ Linux-PAM/modules/pam_lastlog/pam_lastlog.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -140,10 +140,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -213,7 +213,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_limits/pam_limits.8.xml 2007-12-07 16:40:02.000000000 +0100 ++++ Linux-PAM/modules/pam_limits/pam_limits.8.xml 2008-08-20 20:56:26.000000000 +0200 +@@ -132,10 +132,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. 
+ + + +@@ -239,7 +239,7 @@ + limits.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_listfile/pam_listfile.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_listfile/pam_listfile.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -175,11 +175,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services , , +- and are supported. ++ All module types (, , ++ and ) are provided. + + + +@@ -278,7 +278,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_localuser/pam_localuser.8.xml 2006-12-13 11:35:49.000000000 +0100 ++++ Linux-PAM/modules/pam_localuser/pam_localuser.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -80,11 +80,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- All services (, , +- and ) are supported. ++ All module types (, , ++ and ) are provided. + + + +@@ -155,7 +155,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_loginuid/pam_loginuid.8.xml 2006-09-01 15:17:47.000000000 +0200 ++++ Linux-PAM/modules/pam_loginuid/pam_loginuid.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -57,10 +57,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The service is supported. ++ Only the module type is provided. + + + +@@ -101,7 +101,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_mail/pam_mail.8.xml 2006-06-09 18:44:07.000000000 +0200 ++++ Linux-PAM/modules/pam_mail/pam_mail.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -193,11 +193,12 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The auth and +- account services are supported. ++ The and ++ (on establishment and ++ deletion of credentials) module types are provided. 
+ + + +@@ -261,7 +262,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_mkhomedir/pam_mkhomedir.8.xml 2006-05-30 15:03:09.000000000 +0200 ++++ Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -95,10 +95,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -186,7 +186,7 @@ + SEE ALSO + + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_motd/pam_motd.8.xml 2006-10-26 15:51:51.000000000 +0200 ++++ Linux-PAM/modules/pam_motd/pam_motd.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -55,10 +55,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -96,7 +96,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_namespace/pam_namespace.8.xml 2008-02-13 13:49:44.000000000 +0100 ++++ Linux-PAM/modules/pam_namespace/pam_namespace.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -237,11 +237,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The service is supported. The module must not +- be called from multithreaded processes. ++ Only the module type is provided. ++ The module must not be called from multithreaded processes. + + + +@@ -365,7 +365,7 @@ + namespace.conf5 + , + +- pam.d8 ++ pam.d5 + , + + mount8 +--- Linux-PAM-1.0/modules/pam_nologin/pam_nologin.8.xml 2006-06-04 03:48:34.000000000 +0200 ++++ Linux-PAM/modules/pam_nologin/pam_nologin.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -68,11 +68,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The and services are +- supported. ++ The and module ++ types are provided. 
+ + + +@@ -156,7 +156,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_permit/pam_permit.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_permit/pam_permit.8.xml 2008-08-20 20:56:27.000000000 +0200 +@@ -47,11 +47,12 @@ + This module does not recognise any options. + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services , , +- and are supported. ++ The , , ++ and ++ module types are provided. + + + +@@ -87,7 +88,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_rhosts/pam_rhosts.8.xml 2006-06-28 09:22:43.000000000 +0200 ++++ Linux-PAM/modules/pam_rhosts/pam_rhosts.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -89,10 +89,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. + + + +@@ -153,7 +153,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_rootok/pam_rootok.8.xml 2006-06-04 14:11:16.000000000 +0200 ++++ Linux-PAM/modules/pam_rootok/pam_rootok.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -54,10 +54,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the type is provided. + + + +@@ -112,7 +112,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_securetty/pam_securetty.8.xml 2006-06-04 17:29:23.000000000 +0200 ++++ Linux-PAM/modules/pam_securetty/pam_securetty.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -64,10 +64,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the module type is provided. 
+ + + +@@ -116,7 +116,7 @@ + + + +- PAM_IGNORE ++ PAM_USER_UNKNOWN + + + The module could not find the user name in the +@@ -149,7 +149,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_sepermit/pam_sepermit.8.xml 2008-01-29 16:38:35.000000000 +0100 ++++ Linux-PAM/modules/pam_sepermit/pam_sepermit.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -87,11 +87,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the and +- services are supported. ++ The and ++ module types are provided. + + + +--- Linux-PAM-1.0/modules/pam_shells/pam_shells.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_shells/pam_shells.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -41,11 +41,11 @@ + This module does not recognise any options. + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services and +- are supported. ++ The and ++ module types are provided. + + + +@@ -99,7 +99,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_succeed_if/pam_succeed_if.8.xml 2008-01-07 15:54:50.000000000 +0100 ++++ Linux-PAM/modules/pam_succeed_if/pam_succeed_if.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -215,10 +215,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- All services are supported. ++ All module types (, , ++ and ) are provided. + + + +@@ -249,7 +250,7 @@ + + + A service error occured or the arguments can't be +- parsed as numbers. ++ parsed correctly. + + + +--- Linux-PAM-1.0/modules/pam_tally/pam_tally.8.xml 2007-10-10 16:10:07.000000000 +0200 ++++ Linux-PAM/modules/pam_tally/pam_tally.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -113,7 +119,7 @@ + + + This can be used for auth and +- account services. ++ account module types. + + + +@@ -322,11 +348,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + + The and +- services are supported. ++ module types are provided. 
+ + + +@@ -409,7 +435,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_time/pam_time.8.xml 2007-12-07 16:40:02.000000000 +0100 ++++ Linux-PAM/modules/pam_time/pam_time.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -49,7 +49,7 @@ + + + If Linux PAM is compiled with audit support the module will report +- when it denies access. ++ when it denies access. + + + +@@ -83,10 +83,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the type is provided. + + + +@@ -166,7 +166,7 @@ + time.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-29 16:09:29.000000000 +0100 ++++ Linux-PAM/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-08-20 20:56:29.000000000 +0200 +@@ -80,10 +80,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the session service is supported. ++ Only the session type is supported. + + + +--- Linux-PAM-1.0/modules/pam_umask/pam_umask.8.xml 2006-08-06 13:38:43.000000000 +0200 ++++ Linux-PAM/modules/pam_umask/pam_umask.8.xml 2008-08-20 20:56:29.000000000 +0200 +@@ -141,10 +141,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the service is supported. ++ Only the type is provided. + + + +@@ -202,7 +202,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_unix/pam_unix.8.xml 2008-01-23 16:35:12.000000000 +0100 ++++ Linux-PAM/modules/pam_unix/pam_unix.8.xml 2008-08-20 20:56:29.000000000 +0200 +@@ -85,7 +85,7 @@ + + + +- The session component of this module logs when a user logins ++ The session component of this module logs when a user logins + or leave the system. + + +@@ -314,10 +314,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- All service are supported. ++ All module types (, , ++ and ) are provided. 
+ + + +@@ -361,7 +362,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_userdb/pam_userdb.8.xml 2006-06-09 18:44:07.000000000 +0200 ++++ Linux-PAM/modules/pam_userdb/pam_userdb.8.xml 2008-08-20 20:56:29.000000000 +0200 +@@ -189,11 +189,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services and +- are supported. ++ The and module ++ types are provided. + + + +@@ -274,7 +274,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_warn/pam_warn.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_warn/pam_warn.8.xml 2008-08-20 20:56:29.000000000 +0200 +@@ -38,11 +38,12 @@ + This module does not recognise any options. + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- The services , , +- and are supported. ++ The , , ++ and module ++ types are provided. + + + +@@ -86,7 +87,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_wheel/pam_wheel.8.xml 2006-09-10 01:11:34.000000000 +0200 ++++ Linux-PAM/modules/pam_wheel/pam_wheel.8.xml 2008-08-20 20:56:29.000000000 +0200 +@@ -130,11 +130,11 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + + The auth and +- account services are supported. ++ account module types are provided. + + + +@@ -224,7 +224,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 +--- Linux-PAM-1.0/modules/pam_xauth/pam_xauth.8.xml 2007-11-06 15:58:54.000000000 +0100 ++++ Linux-PAM/modules/pam_xauth/pam_xauth.8.xml 2008-08-20 20:56:30.000000000 +0200 +@@ -147,10 +147,10 @@ + + + +- +- MODULE SERVICES PROVIDED ++ ++ MODULE TYPES PROVIDED + +- Only the session service is supported. ++ Only the session type is provided. + + + +@@ -273,7 +273,7 @@ + pam.conf5 + , + +- pam.d8 ++ pam.d5 + , + + pam8 diff --git a/pam-1.0.0-selinux-env-params.patch b/pam-1.0.0-selinux-env-params.patch new file mode 100644 index 0000000..ac4d53a --- /dev/null 
+++ b/pam-1.0.0-selinux-env-params.patch 
@@ -0,0 +1,561 @@ +Index: modules/pam_selinux/pam_selinux.8.xml +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml,v +retrieving revision 1.2 +diff -u -p -r1.2 pam_selinux.8.xml +--- modules/pam_selinux/pam_selinux.8.xml 15 Jun 2007 10:17:22 -0000 1.2 ++++ modules/pam_selinux/pam_selinux.8.xml 19 May 2008 15:44:08 -0000 +@@ -37,6 +37,9 @@ + select_context + + ++ env_params ++ ++ + use_current_range + + +@@ -137,12 +140,30 @@ + + + ++ ++ ++ ++ ++ Attempt to obtain a custom security context role from PAM environment. ++ If MLS is on obtain also sensitivity level. This option and the ++ select_context option are mutually exclusive. The respective PAM ++ environment variables are SELINUX_ROLE_REQUESTED, ++ SELINUX_LEVEL_REQUESTED, and ++ SELINUX_USE_CURRENT_RANGE. The first two variables ++ are self describing and the last one if set to 1 makes the PAM module behave as ++ if the use_current_range was specified on the command line of the module. ++ ++ ++ ++ ++ + + + + +- Use the sensitivity range of the process for the user context. +- This option and the select_context option are mutually exclusive. ++ Use the sensitivity level of the current process for the user context ++ instead of the default level. Also supresses asking of the ++ sensitivity level from the user or obtaining it from PAM environment. + + + +Index: modules/pam_selinux/pam_selinux.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_selinux/pam_selinux.c,v +retrieving revision 1.16 +diff -u -p -r1.16 pam_selinux.c +--- modules/pam_selinux/pam_selinux.c 22 Apr 2008 19:21:37 -0000 1.16 ++++ modules/pam_selinux/pam_selinux.c 19 May 2008 15:44:08 -0000 +@@ -2,8 +2,9 @@ + * A module for Linux-PAM that will set the default security context after login + * via PAM. + * +- * Copyright (c) 2003 Red Hat, Inc. ++ * Copyright (c) 2003-2008 Red Hat, Inc. 
+ * Written by Dan Walsh ++ * Additional improvements by Tomas Mraz + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -138,15 +139,22 @@ send_text (pam_handle_t *pamh, const cha + */ + static int + query_response (pam_handle_t *pamh, const char *text, const char *def, +- char **responses, int debug) ++ char **response, int debug) + { + int rc; + if (def) +- rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def); ++ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def); + else +- rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text); +- if (debug) +- pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]); ++ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text); ++ ++ if (*response == NULL) { ++ rc = PAM_CONV_ERR; ++ } ++ ++ if (rc != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text); ++ } else if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, *response); + return rc; + } + +@@ -157,13 +165,15 @@ manual_context (pam_handle_t *pamh, cons + context_t new_context; + int mls_enabled = is_selinux_mls_enabled(); + char *type=NULL; +- char *responses=NULL; ++ char *response=NULL; + + while (1) { +- query_response(pamh, +- _("Would you like to enter a security context? [N] "), NULL, +- &responses,debug); +- if ((responses[0] == 'y') || (responses[0] == 'Y')) ++ if (query_response(pamh, ++ _("Would you like to enter a security context? 
[N] "), NULL, ++ &response, debug) != PAM_SUCCESS) ++ return NULL; ++ ++ if ((response[0] == 'y') || (response[0] == 'Y')) + { + if (mls_enabled) + new_context = context_new ("user:role:type:level"); +@@ -176,26 +186,29 @@ manual_context (pam_handle_t *pamh, cons + if (context_user_set (new_context, user)) + goto fail_set; + +- _pam_drop(responses); ++ _pam_drop(response); + /* Allow the user to enter each field of the context individually */ +- query_response(pamh,_("role:"), NULL, &responses,debug); +- if (responses[0] != '\0') { +- if (context_role_set (new_context, responses)) ++ if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && ++ response[0] != '\0') { ++ if (context_role_set (new_context, response)) + goto fail_set; +- if (get_default_type(responses, &type)) ++ if (get_default_type(response, &type)) + goto fail_set; + if (context_type_set (new_context, type)) + goto fail_set; + } +- _pam_drop(responses); ++ _pam_drop(response); ++ + if (mls_enabled) + { +- query_response(pamh,_("level:"), NULL, &responses,debug); +- if (responses[0] != '\0') { +- if (context_range_set (new_context, responses)) ++ if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && ++ response[0] != '\0') { ++ if (context_range_set (new_context, response)) + goto fail_set; + } ++ _pam_drop(response); + } ++ + /* Get the string value of the context and see if it is valid. 
*/ + if (!security_check_context(context_str(new_context))) { + newcon = strdup(context_str(new_context)); +@@ -204,16 +217,17 @@ manual_context (pam_handle_t *pamh, cons + } + else + send_text(pamh,_("Not a valid security context"),debug); +- context_free (new_context); ++ ++ context_free (new_context); + } + else { +- _pam_drop(responses); ++ _pam_drop(response); + return NULL; + } + } /* end while */ + fail_set: + free(type); +- _pam_drop(responses); ++ _pam_drop(response); + context_free (new_context); + return NULL; + } +@@ -239,69 +253,91 @@ static int mls_range_allowed(pam_handle_ + } + + static security_context_t +-config_context (pam_handle_t *pamh, security_context_t puser_context, int debug) ++config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug) + { + security_context_t newcon=NULL; + context_t new_context; + int mls_enabled = is_selinux_mls_enabled(); +- char *responses=NULL; ++ char *response=NULL; + char *type=NULL; + char resp_val = 0; + +- pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context); ++ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), defaultcon); + + while (1) { +- query_response(pamh, ++ if (query_response(pamh, + _("Would you like to enter a different role or level?"), "n", +- &responses,debug); +- +- resp_val = responses[0]; +- _pam_drop(responses); ++ &response, debug) == PAM_SUCCESS) { ++ resp_val = response[0]; ++ _pam_drop(response); ++ } else { ++ resp_val = 'N'; ++ } + if ((resp_val == 'y') || (resp_val == 'Y')) + { +- new_context = context_new(puser_context); +- ++ if ((new_context = context_new(defaultcon)) == NULL) ++ goto fail_set; ++ + /* Allow the user to enter role and level individually */ +- query_response(pamh,_("role:"), context_role_get(new_context), +- &responses, debug); +- if (responses[0]) { +- if (get_default_type(responses, &type)) { +- pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role 
%s\n"), responses); +- _pam_drop(responses); ++ if (query_response(pamh, _("role:"), context_role_get(new_context), ++ &response, debug) == PAM_SUCCESS && response[0]) { ++ if (get_default_type(response, &type)) { ++ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); ++ _pam_drop(response); + continue; + } else { +- if (context_role_set(new_context, responses)) ++ if (context_role_set(new_context, response)) + goto fail_set; + if (context_type_set (new_context, type)) + goto fail_set; + } + } +- _pam_drop(responses); ++ _pam_drop(response); ++ + if (mls_enabled) + { +- query_response(pamh,_("level:"), context_range_get(new_context), +- &responses, debug); +- if (responses[0]) { +- if (context_range_set(new_context, responses)) +- goto fail_set; ++ if (use_current_range) { ++ security_context_t mycon = NULL; ++ context_t my_context; ++ ++ if (getcon(&mycon) != 0) ++ goto fail_set; ++ my_context = context_new(mycon); ++ if (my_context == NULL) { ++ freecon(mycon); ++ goto fail_set; ++ } ++ freecon(mycon); ++ if (context_range_set(new_context, context_range_get(my_context))) { ++ context_free(my_context); ++ goto fail_set; ++ } ++ context_free(my_context); ++ } else if (query_response(pamh, _("level:"), context_range_get(new_context), ++ &response, debug) == PAM_SUCCESS && response[0]) { ++ if (context_range_set(new_context, response)) ++ goto fail_set; + } +- _pam_drop(responses); ++ _pam_drop(response); + } ++ + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); + + /* Get the string value of the context and see if it is valid. */ + if (!security_check_context(context_str(new_context))) { + newcon = strdup(context_str(new_context)); +- context_free (new_context); ++ if (newcon == NULL) ++ goto fail_set; ++ context_free(new_context); + + /* we have to check that this user is allowed to go into the + range they have specified ... 
role is tied to an seuser, so that'll + be checked at setexeccon time */ +- if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { +- pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); ++ if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { ++ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); + +- send_audit_message(pamh, 0, puser_context, newcon); ++ send_audit_message(pamh, 0, defaultcon, newcon); + + free(newcon); + goto fail_range; +@@ -309,26 +345,120 @@ config_context (pam_handle_t *pamh, secu + return newcon; + } + else { +- send_audit_message(pamh, 0, puser_context, context_str(new_context)); ++ send_audit_message(pamh, 0, defaultcon, context_str(new_context)); + send_text(pamh,_("Not a valid security context"),debug); + } + context_free(new_context); /* next time around allocates another */ + } + else +- return strdup(puser_context); ++ return strdup(defaultcon); + } /* end while */ + + return NULL; + + fail_set: + free(type); +- _pam_drop(responses); ++ _pam_drop(response); + context_free (new_context); +- send_audit_message(pamh, 0, puser_context, NULL); ++ send_audit_message(pamh, 0, defaultcon, NULL); + fail_range: + return NULL; + } + ++static security_context_t ++context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_params, int use_current_range, int debug) ++{ ++ security_context_t newcon = NULL; ++ context_t new_context; ++ context_t my_context = NULL; ++ int mls_enabled = is_selinux_mls_enabled(); ++ const char *env = NULL; ++ char *type = NULL; ++ ++ if ((new_context = context_new(defaultcon)) == NULL) ++ goto fail_set; ++ ++ if (env_params && (env = pam_getenv(pamh, "SELINUX_ROLE_REQUESTED")) != NULL && env[0] != '\0') { ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "Requested role: %s", env); ++ ++ if (get_default_type(env, &type)) { ++ pam_syslog(pamh, LOG_NOTICE, "No default type for 
role %s", env); ++ goto fail_set; ++ } else { ++ if (context_role_set(new_context, env)) ++ goto fail_set; ++ if (context_type_set(new_context, type)) ++ goto fail_set; ++ } ++ } ++ ++ if (mls_enabled) { ++ if ((env = pam_getenv(pamh, "SELINUX_USE_CURRENT_RANGE")) != NULL && env[0] == '1') { ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "SELINUX_USE_CURRENT_RANGE is set"); ++ use_current_range = 1; ++ } ++ ++ if (use_current_range) { ++ security_context_t mycon = NULL; ++ ++ if (getcon(&mycon) != 0) ++ goto fail_set; ++ my_context = context_new(mycon); ++ if (my_context == NULL) { ++ freecon(mycon); ++ goto fail_set; ++ } ++ freecon(mycon); ++ env = context_range_get(my_context); ++ } else { ++ env = pam_getenv(pamh, "SELINUX_LEVEL_REQUESTED"); ++ } ++ ++ if (env != NULL && env[0] != '\0') { ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "Requested level: %s", env); ++ if (context_range_set(new_context, env)) ++ goto fail_set; ++ } ++ } ++ ++ newcon = strdup(context_str(new_context)); ++ if (newcon == NULL) ++ goto fail_set; ++ ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon); ++ ++ /* Get the string value of the context and see if it is valid. */ ++ if (security_check_context(newcon)) { ++ pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); ++ send_audit_message(pamh, 0, defaultcon, newcon); ++ freecon(newcon); ++ newcon = NULL; ++ ++ goto fail_set; ++ } ++ ++ /* we have to check that this user is allowed to go into the ++ range they have specified ... 
role is tied to an seuser, so that'll ++ be checked at setexeccon time */ ++ if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { ++ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); ++ send_audit_message(pamh, 0, defaultcon, newcon); ++ freecon(newcon); ++ newcon = NULL; ++ } ++ ++ fail_set: ++ free(type); ++ context_free(my_context); ++ context_free(new_context); ++ send_audit_message(pamh, 0, defaultcon, NULL); ++ return newcon; ++} ++ + static void + security_restorelabel_tty(const pam_handle_t *pamh, + const char *tty, security_context_t context) +@@ -439,13 +569,14 @@ PAM_EXTERN int + pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) + { +- int i, debug = 0, ttys=1, has_tty=isatty(0); ++ int i, debug = 0, ttys=1; + int verbose=0, close_session=0; + int select_context = 0; + int use_current_range = 0; + int ret = 0; + security_context_t* contextlist = NULL; + int num_contexts = 0; ++ int env_params = 0; + const char *username = NULL; + const void *tty = NULL; + char *seuser=NULL; +@@ -472,13 +603,16 @@ pam_sm_open_session(pam_handle_t *pamh, + if (strcmp(argv[i], "use_current_range") == 0) { + use_current_range = 1; + } ++ if (strcmp(argv[i], "env_params") == 0) { ++ env_params = 1; ++ } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + +- if (select_context && use_current_range) { +- pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range"); ++ if (select_context && env_params) { ++ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with env_params"); + select_context = 0; + } + +@@ -510,12 +644,17 @@ pam_sm_open_session(pam_handle_t *pamh, + freeconary(contextlist); + if (default_user_context == NULL) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); +- return PAM_AUTH_ERR; ++ return PAM_BUF_ERR; + } ++ + user_context = default_user_context; +- if (select_context && has_tty) { +- user_context = 
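Review bot: In the new `context_from_env`, the success path falls through into the `fail_set:` label, so `send_audit_message(pamh, 0, defaultcon, NULL)` runs on every call, including when a valid context is returned. It is called there with second argument 0, the same form the rejection branches use, so a successful selection is audited like a rejection, and the two branches that already audited `newcon` emit a second record with no target context. The generic record should be reachable only from the error jumps, with the frees kept in a shared tail that the success path and the already-audited branches jump to. The excerpt below shows only the reworked tail of the function.

```c
/* … unchanged: context construction up to the security_check_context() test … */
    /* invalid context was already audited with newcon above */
    goto cleanup;
/* … unchanged: mls_range_allowed() check, which audits and clears newcon … */
  goto cleanup;

 fail_set:
  send_audit_message(pamh, 0, defaultcon, NULL);
 cleanup:
  free(type);
  context_free(my_context);
  context_free(new_context);
  return newcon;
```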
config_context(pamh, default_user_context, debug); +- if (user_context == NULL) { ++ if (select_context) { ++ user_context = config_context(pamh, default_user_context, use_current_range, debug); ++ } else if (env_params || use_current_range) { ++ user_context = context_from_env(pamh, default_user_context, env_params, use_current_range, debug); ++ } ++ ++ if (user_context == NULL) { + freecon(default_user_context); + pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", + username); +@@ -524,11 +663,9 @@ pam_sm_open_session(pam_handle_t *pamh, + return PAM_AUTH_ERR; + else + return PAM_SUCCESS; +- } +- } ++ } + } + else { +- if (has_tty) { + user_context = manual_context(pamh,seuser,debug); + if (user_context == NULL) { + pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", +@@ -538,59 +675,6 @@ pam_sm_open_session(pam_handle_t *pamh, + else + return PAM_SUCCESS; + } +- } else { +- pam_syslog (pamh, LOG_ERR, +- "Unable to get valid context for %s, No valid tty", +- username); +- if (security_getenforce() == 1) +- return PAM_AUTH_ERR; +- else +- return PAM_SUCCESS; +- } +- } +- +- if (use_current_range && is_selinux_mls_enabled()) { +- security_context_t process_context=NULL; +- if (getcon(&process_context) == 0) { +- context_t pcon, ucon; +- char *process_level=NULL; +- security_context_t orig_context; +- +- if (user_context) +- orig_context = user_context; +- else +- orig_context = default_user_context; +- +- pcon = context_new(process_context); +- freecon(process_context); +- process_level = strdup(context_range_get(pcon)); +- context_free(pcon); +- +- if (debug) +- pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level); +- +- ucon = context_new(orig_context); +- +- context_range_set(ucon, process_level); +- free(process_level); +- +- if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) { +- send_text(pamh, _("Requested MLS level not in permitted range"), debug); +- /* even if default_user_context is NULL audit that 
anyway */ +- send_audit_message(pamh, 0, default_user_context, context_str(ucon)); +- context_free(ucon); +- return PAM_AUTH_ERR; +- } +- +- if (debug) +- pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon)); +- +- /* replace the user context with the level adjusted one */ +- freecon(user_context); +- user_context = strdup(context_str(ucon)); +- +- context_free(ucon); +- } + } + + if (getexeccon(&prev_user_context)<0) { +@@ -613,7 +697,7 @@ pam_sm_open_session(pam_handle_t *pamh, + } + } + } +- if(ttys && tty ) { ++ if (ttys && tty) { + ttyn=strdup(tty); + ttyn_context=security_label_tty(pamh,ttyn,user_context); + } diff --git a/pam-1.0.1-namespace-create.patch b/pam-1.0.1-namespace-create.patch new file mode 100644 index 0000000..7d12105 --- /dev/null +++ b/pam-1.0.1-namespace-create.patch 
@@ -0,0 +1,679 @@ +diff -up Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c.create Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c +--- Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c.create 2008-03-20 18:06:32.000000000 +0100 ++++ Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.c 2008-04-03 17:32:28.000000000 +0200 +@@ -32,6 +32,8 @@ + * DEALINGS IN THE SOFTWARE. + */ + ++#define _ATFILE_SOURCE ++ + #include "pam_namespace.h" + #include "argv_parse.h" + +@@ -78,11 +80,29 @@ static void del_polydir_list(struct poly + } + } + +-static void cleanup_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) ++static void unprotect_dirs(struct protect_dir_s *dir) ++{ ++ struct protect_dir_s *next; ++ ++ while (dir != NULL) { ++ umount(dir->dir); ++ free(dir->dir); ++ next = dir->next; ++ free(dir); ++ dir = next; ++ } ++} ++ ++static void cleanup_polydir_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) + { + del_polydir_list(data); + } + ++static void cleanup_protect_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) ++{ ++ unprotect_dirs(data); ++} ++ + static char *expand_variables(const char *orig, const char *var_names[], const char *var_values[]) + { + const char *src = orig; +@@ -132,8 +152,8 @@ static char *expand_variables(const char + + static int parse_create_params(char *params, struct polydir_s *poly) + { +- char *sptr; +- struct passwd *pwd; ++ char *next; ++ struct passwd *pwd = NULL; + struct group *grp; + + poly->mode = (mode_t)ULONG_MAX; +@@ -144,28 +164,40 @@ static int parse_create_params(char *par + return 0; + params++; + +- params = strtok_r(params, ",", &sptr); +- if (params == NULL) +- return 0; ++ next = strchr(params, ','); ++ if (next != NULL) { ++ *next = '\0'; ++ next++; ++ } + +- errno = 0; +- poly->mode = (mode_t)strtoul(params, NULL, 0); +- if (errno != 0) { +- poly->mode = (mode_t)ULONG_MAX; ++ if (*params != '\0') { ++ errno = 0; ++ poly->mode = (mode_t)strtoul(params, NULL, 0); ++ if 
(errno != 0) { ++ poly->mode = (mode_t)ULONG_MAX; ++ } + } + +- params = strtok_r(NULL, ",", &sptr); ++ params = next; + if (params == NULL) + return 0; ++ next = strchr(params, ','); ++ if (next != NULL) { ++ *next = '\0'; ++ next++; ++ } + +- pwd = getpwnam(params); /* session modules are not reentrant */ +- if (pwd == NULL) +- return -1; +- poly->owner = pwd->pw_uid; +- +- params = strtok_r(NULL, ",", &sptr); +- if (params == NULL) { +- poly->group = pwd->pw_gid; ++ if (*params != '\0') { ++ pwd = getpwnam(params); /* session modules are not reentrant */ ++ if (pwd == NULL) ++ return -1; ++ poly->owner = pwd->pw_uid; ++ } ++ ++ params = next; ++ if (params == NULL || *params == '\0') { ++ if (pwd != NULL) ++ poly->group = pwd->pw_gid; + return 0; + } + grp = getgrnam(params); +@@ -199,7 +231,7 @@ static int parse_method(char *method, st + struct instance_data *idata) + { + enum polymethod pm; +- char *sptr; ++ char *sptr = NULL; + static const char *method_names[] = { "user", "context", "level", "tmpdir", + "tmpfs", NULL }; + static const char *flag_names[] = { "create", "noinit", "iscript", +@@ -921,10 +953,158 @@ fail: + return rc; + } + ++static int protect_mount(int dfd, const char *path, struct instance_data *idata) ++{ ++ struct protect_dir_s *dir = idata->protect_dirs; ++ char tmpbuf[64]; ++ ++ while (dir != NULL) { ++ if (strcmp(path, dir->dir) == 0) { ++ return 0; ++ } ++ dir = dir->next; ++ } ++ ++ dir = calloc(1, sizeof(*dir)); ++ ++ if (dir == NULL) { ++ return -1; ++ } ++ ++ dir->dir = strdup(path); ++ ++ if (dir->dir == NULL) { ++ free(dir); ++ return -1; ++ } ++ ++ snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd); ++ ++ if (idata->flags & PAMNS_DEBUG) { ++ pam_syslog(idata->pamh, LOG_INFO, ++ "Protect mount of %s over itself", path); ++ } ++ ++ if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) { ++ int save_errno = errno; ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Protect mount of %s failed: %m", tmpbuf); ++ free(dir->dir); ++ free(dir); 
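Review bot: The mode field in `parse_create_params` is still converted with `strtoul(params, NULL, 0)` and only `errno` is tested, so a non-numeric or partly numeric value may be accepted and turned into 0 or a truncated number instead of leaving `poly->mode` at its unset value. Passing an end pointer closes that gap: `poly->mode = (mode_t)strtoul(params, &end, 0);` followed by `if (errno != 0 || end == params || *end != '\0') poly->mode = (mode_t)ULONG_MAX;`. Since this value becomes the permission bits of a directory created during session setup, a typo in the configuration should be rejected rather than reinterpreted. The function starts above this hunk and continues below it.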
++ errno = save_errno; ++ return -1; ++ } ++ ++ dir->next = idata->protect_dirs; ++ idata->protect_dirs = dir; ++ ++ return 0; ++} ++ ++static int protect_dir(const char *path, mode_t mode, int do_mkdir, ++ struct instance_data *idata) ++{ ++ char *p = strdup(path); ++ char *d; ++ char *dir = p; ++ int dfd = AT_FDCWD; ++ int dfd_next; ++ int save_errno; ++ int flags = O_RDONLY; ++ int rv = -1; ++ struct stat st; ++ ++ if (p == NULL) { ++ goto error; ++ } ++ ++ if (*dir == '/') { ++ dfd = open("/", flags); ++ if (dfd == -1) { ++ goto error; ++ } ++ dir++; /* assume / is safe */ ++ } ++ ++ while ((d=strchr(dir, '/')) != NULL) { ++ *d = '\0'; ++ dfd_next = openat(dfd, dir, flags); ++ if (dfd_next == -1) { ++ goto error; ++ } ++ ++ if (dfd != AT_FDCWD) ++ close(dfd); ++ dfd = dfd_next; ++ ++ if (fstat(dfd, &st) != 0) { ++ goto error; ++ } ++ ++ if (flags & O_NOFOLLOW) { ++ /* we are inside user-owned dir - protect */ ++ if (protect_mount(dfd, p, idata) == -1) ++ goto error; ++ } else if (st.st_uid != 0 || st.st_gid != 0 || ++ (st.st_mode & S_IWOTH)) { ++ /* do not follow symlinks on subdirectories */ ++ flags |= O_NOFOLLOW; ++ } ++ ++ *d = '/'; ++ dir = d + 1; ++ } ++ ++ rv = openat(dfd, dir, flags); ++ ++ if (rv == -1) { ++ if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { ++ goto error; ++ } ++ rv = openat(dfd, dir, flags); ++ } ++ ++ if (rv != -1) { ++ if (fstat(rv, &st) != 0) { ++ save_errno = errno; ++ close(rv); ++ rv = -1; ++ errno = save_errno; ++ goto error; ++ } ++ if (!S_ISDIR(st.st_mode)) { ++ close(rv); ++ errno = ENOTDIR; ++ rv = -1; ++ goto error; ++ } ++ } ++ ++ if (flags & O_NOFOLLOW) { ++ /* we are inside user-owned dir - protect */ ++ if (protect_mount(rv, p, idata) == -1) { ++ save_errno = errno; ++ close(rv); ++ rv = -1; ++ errno = save_errno; ++ } ++ } ++ ++error: ++ save_errno = errno; ++ free(p); ++ if (dfd != AT_FDCWD) ++ close(dfd); ++ errno = save_errno; ++ ++ return rv; ++} ++ + static int check_inst_parent(char *ipath, struct instance_data 
*idata) + { + struct stat instpbuf; + char *inst_parent, *trailing_slash; ++ int dfd; + /* + * stat the instance parent path to make sure it exists + * and is a directory. Check that its mode is 000 (unless the +@@ -942,30 +1122,27 @@ static int check_inst_parent(char *ipath + if (trailing_slash) + *trailing_slash = '\0'; + +- if (stat(inst_parent, &instpbuf) < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", inst_parent); +- free(inst_parent); +- return PAM_SESSION_ERR; +- } ++ dfd = protect_dir(inst_parent, 0, 1, idata); + +- /* +- * Make sure we are dealing with a directory +- */ +- if (!S_ISDIR(instpbuf.st_mode)) { +- pam_syslog(idata->pamh, LOG_ERR, "Instance parent %s is not a dir", +- inst_parent); ++ if (dfd == -1 || fstat(dfd, &instpbuf) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Error creating or accessing instance parent %s, %m", inst_parent); ++ if (dfd != -1) ++ close(dfd); + free(inst_parent); + return PAM_SESSION_ERR; + } + + if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) { +- if (instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) { +- pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000", ++ if ((instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) || instpbuf.st_uid != 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000 or owner not root", + inst_parent); ++ close(dfd); + free(inst_parent); + return PAM_SESSION_ERR; + } + } ++ close(dfd); + free(inst_parent); + return PAM_SUCCESS; + } +@@ -1051,6 +1228,8 @@ static int create_polydir(struct polydir + security_context_t dircon, oldcon = NULL; + #endif + const char *dir = polyptr->dir; ++ uid_t uid; ++ gid_t gid; + + if (polyptr->mode != (mode_t)ULONG_MAX) + mode = polyptr->mode; +@@ -1077,8 +1256,8 @@ static int create_polydir(struct polydir + } + #endif + +- rc = mkdir(dir, mode); +- if (rc != 0) { ++ rc = protect_dir(dir, mode, 1, idata); ++ if (rc == -1) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating directory %s: %m", dir); + return 
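Review bot: In `protect_dir`, the result of the second `openat(dfd, dir, flags)` after a successful `mkdirat` is not checked, so when `O_NOFOLLOW` is set `protect_mount(rv, p, idata)` can be called with `rv == -1`. That formats `/proc/self/fd/-1`, logs a protect-mount failure for it, and overwrites the `errno` of the failed open with the one from `mount` or `close(-1)`, which the callers then print with `%m` and which `ns_setup` compares against `ENOENT`. Adding `if (rv == -1) goto error;` directly after the retry keeps the real error and avoids the bogus mount attempt. A short comment above the function stating that it returns an open descriptor the caller must close, or -1 with `errno` set, would also help, since the three callers each handle the descriptor differently.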
PAM_SESSION_ERR; +@@ -1098,36 +1277,41 @@ static int create_polydir(struct polydir + + if (polyptr->mode != (mode_t)ULONG_MAX) { + /* explicit mode requested */ +- if (chmod(dir, mode) != 0) { ++ if (fchmod(rc, mode) != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error changing mode of directory %s: %m", dir); ++ close(rc); ++ umount(dir); /* undo the eventual protection bind mount */ + rmdir(dir); + return PAM_SESSION_ERR; + } + } + +- if (polyptr->owner != (uid_t)ULONG_MAX) { +- if (chown(dir, polyptr->owner, polyptr->group) != 0) { +- pam_syslog(idata->pamh, LOG_ERR, +- "Unable to change owner on directory %s: %m", dir); +- rmdir(dir); +- return PAM_SESSION_ERR; +- } +- if (idata->flags & PAMNS_DEBUG) +- pam_syslog(idata->pamh, LOG_DEBUG, +- "Polydir owner %u group %u from configuration", polyptr->owner, polyptr->group); +- } else { +- if (chown(dir, idata->uid, idata->gid) != 0) { +- pam_syslog(idata->pamh, LOG_ERR, +- "Unable to change owner on directory %s: %m", dir); +- rmdir(dir); +- return PAM_SESSION_ERR; +- } +- if (idata->flags & PAMNS_DEBUG) +- pam_syslog(idata->pamh, LOG_DEBUG, +- "Polydir owner %u group %u", idata->uid, idata->gid); ++ if (polyptr->owner != (uid_t)ULONG_MAX) ++ uid = polyptr->owner; ++ else ++ uid = idata->uid; ++ ++ if (polyptr->group != (gid_t)ULONG_MAX) ++ gid = polyptr->group; ++ else ++ gid = idata->gid; ++ ++ if (fchown(rc, uid, gid) != 0) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Unable to change owner on directory %s: %m", dir); ++ close(rc); ++ umount(dir); /* undo the eventual protection bind mount */ ++ rmdir(dir); ++ return PAM_SESSION_ERR; + } + ++ close(rc); ++ ++ if (idata->flags & PAMNS_DEBUG) ++ pam_syslog(idata->pamh, LOG_DEBUG, ++ "Polydir owner %u group %u", uid, gid); ++ + return PAM_SUCCESS; + } + +@@ -1135,17 +1319,16 @@ static int create_polydir(struct polydir + * Create polyinstantiated instance directory (ipath). 
+ */ + #ifdef WITH_SELINUX +-static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, ++static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, + security_context_t icontext, security_context_t ocontext, + struct instance_data *idata) + #else +-static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, ++static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, + struct instance_data *idata) + #endif + { + struct stat newstatbuf; + int fd; +- int newdir = 0; + + /* + * Check to make sure instance parent is valid. +@@ -1171,7 +1354,7 @@ static int create_dirs(struct polydir_s + strcpy(ipath, polyptr->instance_prefix); + } else if (mkdir(ipath, S_IRUSR) < 0) { + if (errno == EEXIST) +- goto inst_init; ++ return PAM_IGNORE; + else { + pam_syslog(idata->pamh, LOG_ERR, "Error creating %s, %m", + ipath); +@@ -1179,7 +1362,6 @@ static int create_dirs(struct polydir_s + } + } + +- newdir = 1; + /* Open a descriptor to it to prevent races */ + fd = open(ipath, O_DIRECTORY | O_RDONLY); + if (fd < 0) { +@@ -1235,33 +1417,22 @@ static int create_dirs(struct polydir_s + return PAM_SESSION_ERR; + } + close(fd); +- +- /* +- * Check to see if there is a namespace initialization script in +- * the /etc/security directory. If such a script exists +- * execute it and pass directory to polyinstantiate and instance +- * directory as arguments. +- */ +- +-inst_init: +- if (polyptr->flags & POLYDIR_NOINIT) +- return PAM_SUCCESS; +- +- return inst_init(polyptr, ipath, idata, newdir); ++ return PAM_SUCCESS; + } + + + /* + * This function performs the namespace setup for a particular directory +- * that is being polyinstantiated. It creates an MD5 hash of instance +- * directory, calls create_dirs to create it with appropriate ++ * that is being polyinstantiated. 
It calls poly_name to create name of instance ++ * directory, calls create_instance to mkdir it with appropriate + * security attributes, and performs bind mount to setup the process + * namespace. + */ + static int ns_setup(struct polydir_s *polyptr, + struct instance_data *idata) + { +- int retval = 0; ++ int retval; ++ int newdir = 1; + char *inst_dir = NULL; + char *instname = NULL; + struct stat statbuf; +@@ -1273,37 +1444,40 @@ static int ns_setup(struct polydir_s *po + pam_syslog(idata->pamh, LOG_DEBUG, + "Set namespace for directory %s", polyptr->dir); + +- while (stat(polyptr->dir, &statbuf) < 0) { +- if (retval || !(polyptr->flags & POLYDIR_CREATE)) { +- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", +- polyptr->dir); +- return PAM_SESSION_ERR; +- } else { +- if (create_polydir(polyptr, idata) != PAM_SUCCESS) +- return PAM_SESSION_ERR; +- retval = PAM_SESSION_ERR; /* bail out on next failed stat */ +- } +- } ++ retval = protect_dir(polyptr->dir, 0, 0, idata); + +- /* +- * Make sure we are dealing with a directory +- */ +- if (!S_ISDIR(statbuf.st_mode)) { +- pam_syslog(idata->pamh, LOG_ERR, "Polydir %s is not a dir", ++ if (retval < 0 && errno != ENOENT) { ++ pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", + polyptr->dir); +- return PAM_SESSION_ERR; ++ return PAM_SESSION_ERR; + } + ++ if (retval < 0 && (polyptr->flags & POLYDIR_CREATE)) { ++ if (create_polydir(polyptr, idata) != PAM_SUCCESS) ++ return PAM_SESSION_ERR; ++ } else { ++ close(retval); ++ } ++ + if (polyptr->method == TMPFS) { + if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", + polyptr->dir); + return PAM_SESSION_ERR; + } +- /* we must call inst_init after the mount in this case */ ++ ++ if (polyptr->flags & POLYDIR_NOINIT) ++ return PAM_SUCCESS; ++ + return inst_init(polyptr, "tmpfs", idata, 1); + } + ++ if (stat(polyptr->dir, &statbuf) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error 
stating %s: %m", ++ polyptr->dir); ++ return PAM_SESSION_ERR; ++ } ++ + /* + * Obtain the name of instance pathname based on the + * polyinstantiation method and instance context returned by +@@ -1341,14 +1515,18 @@ static int ns_setup(struct polydir_s *po + * contexts, owner, group and mode bits. + */ + #ifdef WITH_SELINUX +- retval = create_dirs(polyptr, inst_dir, &statbuf, instcontext, ++ retval = create_instance(polyptr, inst_dir, &statbuf, instcontext, + origcontext, idata); + #else +- retval = create_dirs(polyptr, inst_dir, &statbuf, idata); ++ retval = create_instance(polyptr, inst_dir, &statbuf, idata); + #endif + +- if (retval < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error creating instance dir"); ++ if (retval == PAM_IGNORE) { ++ newdir = 0; ++ retval = PAM_SUCCESS; ++ } ++ ++ if (retval != PAM_SUCCESS) { + goto error_out; + } + +@@ -1363,6 +1541,9 @@ static int ns_setup(struct polydir_s *po + goto error_out; + } + ++ if (!(polyptr->flags & POLYDIR_NOINIT)) ++ retval = inst_init(polyptr, inst_dir, idata, newdir); ++ + goto cleanup; + + /* +@@ -1600,12 +1781,21 @@ static int setup_namespace(struct instan + } + } + out: +- if (retval != PAM_SUCCESS) ++ if (retval != PAM_SUCCESS) { ++ cleanup_tmpdirs(idata); ++ unprotect_dirs(idata->protect_dirs); ++ } else if (pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, idata->protect_dirs, ++ cleanup_protect_data) != PAM_SUCCESS) { ++ pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace protect data"); + cleanup_tmpdirs(idata); +- else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, +- cleanup_data) != PAM_SUCCESS) { +- pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace data"); ++ unprotect_dirs(idata->protect_dirs); ++ return PAM_SYSTEM_ERR; ++ } else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, ++ cleanup_polydir_data) != PAM_SUCCESS) { ++ pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace polydir data"); + cleanup_tmpdirs(idata); ++ 
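Review bot: In `ns_setup`, the `else` branch after the `POLYDIR_CREATE` test runs `close(retval)` even when `protect_dir` returned -1 with `ENOENT` and the create flag is not set. The call fails harmlessly with `EBADF`, but it clobbers `errno` and hides the fact that the directory is missing until the later `mount` or `stat` reports it. Writing the branch as `} else if (retval >= 0) { close(retval); }` and returning `PAM_SESSION_ERR` with a log line for the missing-directory case would make the failure explicit. The function starts above this hunk and continues below it.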
pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); ++ idata->protect_dirs = NULL; + return PAM_SYSTEM_ERR; + } + return retval; +@@ -1742,6 +1932,7 @@ PAM_EXTERN int pam_sm_open_session(pam_h + /* init instance data */ + idata.flags = 0; + idata.polydirs_ptr = NULL; ++ idata.protect_dirs = NULL; + idata.pamh = pamh; + #ifdef WITH_SELINUX + if (is_selinux_enabled()) +@@ -1893,6 +2084,7 @@ PAM_EXTERN int pam_sm_close_session(pam_ + } + + pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); ++ pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); + + return PAM_SUCCESS; + } +diff -up Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h.create Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h +--- Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h.create 2008-02-13 13:49:44.000000000 +0100 ++++ Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.h 2008-03-20 18:07:29.000000000 +0100 +@@ -107,6 +107,7 @@ + + #define NAMESPACE_MAX_DIR_LEN 80 + #define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data" ++#define NAMESPACE_PROTECT_DATA "pam_namespace:protect_data" + + /* + * Polyinstantiation method options, based on user, security context +@@ -156,9 +157,15 @@ struct polydir_s { + struct polydir_s *next; /* pointer to the next polydir entry */ + }; + ++struct protect_dir_s { ++ char *dir; /* protected directory */ ++ struct protect_dir_s *next; /* next entry */ ++}; ++ + struct instance_data { + pam_handle_t *pamh; /* The pam handle for this instance */ + struct polydir_s *polydirs_ptr; /* The linked list pointer */ ++ struct protect_dir_s *protect_dirs; /* The pointer to stack of mount-protected dirs */ + char user[LOGIN_NAME_MAX]; /* User name */ + char ruser[LOGIN_NAME_MAX]; /* Requesting user name */ + uid_t uid; /* The uid of the user */ +@@ -166,3 +173,4 @@ struct instance_data { + uid_t ruid; /* The uid of the requesting user */ + unsigned long flags; /* Flags for debug, selinux etc */ + }; ++ +diff -up 
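Review bot: The first two failure branches at the `out:` label call `unprotect_dirs(idata->protect_dirs)`, which frees every node of the list, but leave `idata->protect_dirs` pointing at the freed memory; only the third branch resets the field to NULL. Whether anything reads the field afterwards is not visible in this hunk, so this is a latent double umount or use after free rather than a demonstrated one. Adding `idata->protect_dirs = NULL;` after each `unprotect_dirs` call keeps the three branches consistent. `setup_namespace` starts above the hunk.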
Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml.create Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml +--- Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml.create 2008-02-13 13:49:44.000000000 +0100 ++++ Linux-PAM-1.0.1/modules/pam_namespace/namespace.conf.5.xml 2008-04-18 14:38:57.000000000 +0200 +@@ -25,8 +25,8 @@ + Directories can be polyinstantiated based on user name + or, in the case of SELinux, user name, sensitivity level or complete security context. If an + executable script /etc/security/namespace.init +- exists, it is used to initialize the namespace every time a new instance +- directory is setup. The script receives the polyinstantiated ++ exists, it is used to initialize the namespace every time an instance ++ directory is set up and mounted. The script receives the polyinstantiated + directory path and the instance directory path as its arguments. + + +diff -up Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml.create Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml +--- Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml.create 2008-02-13 13:49:44.000000000 +0100 ++++ Linux-PAM-1.0.1/modules/pam_namespace/pam_namespace.8.xml 2008-04-18 14:40:54.000000000 +0200 +@@ -64,11 +64,11 @@ + provides a different instance of itself based on user name, or when + using SELinux, user name, security context or both. If an executable + script /etc/security/namespace.init exists, it +- is used to initialize the namespace every time a new instance +- directory is setup. The script receives the polyinstantiated +- directory path, the instance directory path, flag whether the instance +- directory was newly created (0 for no, 1 for yes), and the user name +- as its arguments. ++ is used to initialize the instance directory after it is set up ++ and mounted on the polyinstantiated direcory. 
The script receives the ++ polyinstantiated directory path, the instance directory path, flag ++ whether the instance directory was newly created (0 for no, 1 for yes), ++ and the user name as its arguments. + + + diff --git a/pam.changes b/pam.changes index 69a3532..8d55cb3 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Aug 29 15:17:50 CEST 2008 - kukuk@suse.de + +- Update to version 1.0.2 (fix SELinux regression) +- enhance pam_tally [FATE#303753] +- Backport fixes from CVS + ------------------------------------------------------------------- Wed Aug 20 14:59:30 CEST 2008 - prusnak@suse.cz diff --git a/pam.spec b/pam.spec index 1960504..d631896 100644 --- a/pam.spec +++ b/pam.spec @@ -1,5 +1,5 @@ # -# spec file for package pam (Version 1.0.1) +# spec file for package pam (Version 1.0.2) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -34,12 +34,12 @@ BuildRequires: libselinux-devel License: BSD 3-Clause; GPL v2 or later Group: System/Libraries AutoReqProv: on -Version: 1.0.1 -Release: 26 +Version: 1.0.2 +Release: 1 Summary: A Security Tool that Provides Authentication for Applications Obsoletes: pam-laus Source: Linux-PAM-%{version}.tar.bz2 -Source1: Linux-PAM-%{version}-docs.tar.bz2 +Source1: Linux-PAM-%{version}-SUSE-docs.tar.bz2 Source2: securetty Source3: other.pamd Source4: common-auth.pamd @@ -48,6 +48,13 @@ Source6: common-password.pamd Source7: common-session.pamd Source8: etc.environment BuildRoot: %{_tmppath}/%{name}-%{version}-build +Patch: Linux-PAM-docu.diff +Patch1: pam_tally.diff +Patch2: pam_xauth.diff +Patch3: pam_sepermit.diff +Patch4: pam-1.0.1-namespace-create.patch +Patch5: pam-1.0.0-selinux-env-params.patch +Patch6: Linux-PAM-docu-generated.diff %description PAM (Pluggable Authentication Modules) is a system security tool that 
@@ -89,6 +96,13 @@ building both PAM-aware applications and modules for use with PAM. %prep %setup -q -n Linux-PAM-%{version} -b 1 +%patch -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p0 +%patch6 -p1 %build CFLAGS="$RPM_OPT_FLAGS" \ @@ -290,6 +304,10 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libpam_misc.so %changelog +* Fri Aug 29 2008 kukuk@suse.de +- Update to version 1.0.2 (fix SELinux regression) +- enhance pam_tally [FATE#303753] +- Backport fixes from CVS * Wed Aug 20 2008 prusnak@suse.cz - enabled SELinux support [Fate#303662] * Wed Apr 16 2008 kukuk@suse.de diff --git a/pam_sepermit.diff b/pam_sepermit.diff new file mode 100644 index 0000000..8989421 --- /dev/null +++ b/pam_sepermit.diff @@ -0,0 +1,17 @@ + +2008-04-17 Tomas Mraz + + * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Do not try + to lock if euid != 0. + +--- Linux-PAM-1.0/modules/pam_sepermit/pam_sepermit.c 2008-03-31 12:31:50.000000000 +0200 ++++ Linux-PAM/modules/pam_sepermit/pam_sepermit.c 2008-04-17 16:29:02.000000000 +0200 +@@ -305,7 +305,7 @@ + free(line); + fclose(f); + if (matched) +- return exclusive ? sepermit_lock(pamh, user, debug) : 0; ++ return (geteuid() == 0 && exclusive) ? sepermit_lock(pamh, user, debug) : 0; + else + return -1; + } diff --git a/pam_tally.diff b/pam_tally.diff new file mode 100644 index 0000000..2987152 --- /dev/null +++ b/pam_tally.diff 
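Review bot: With the new condition in `sepermit_match`, a matched user whose entry is marked exclusive gets `0` without `sepermit_lock` being called whenever `geteuid() != 0`, and nothing records that the lock was skipped. If a non-root caller can reach this path for a login that is expected to be exclusive, the single-session guarantee is dropped silently; whether that is intended for every such caller cannot be told from the hunk. A comment explaining why the lock needs euid 0, plus a log line in the skipped case such as `pam_syslog(pamh, LOG_NOTICE, "exclusive lock for %s skipped: not running as root", user);`, would make the behaviour auditable. The function starts above the hunk.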
@@ -0,0 +1,173 @@ + +2008-07-09 Thorsten Kukuk + + * modules/pam_tally/pam_tally.c: Add support for silent and + no_log_info options. + * modules/pam_tally/pam_tally.8.xml: Document silent and + no_log_info options. + +--- Linux-PAM-1.0/modules/pam_tally/pam_tally.8.xml 2007-10-10 16:10:07.000000000 +0200 ++++ Linux-PAM/modules/pam_tally/pam_tally.8.xml 2008-08-20 20:56:28.000000000 +0200 +@@ -51,6 +51,12 @@ + + audit + ++ ++ silent ++ ++ ++ no_log_info ++ + + + pam_tally +@@ -150,6 +156,26 @@ + + + ++ ++ ++ ++ ++ ++ ++ Don't print informative messages. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Don't log informative messages via syslog3. ++ ++ ++ + + + +--- Linux-PAM-1.0/modules/pam_tally/pam_tally.c 2007-11-20 11:58:11.000000000 +0100 ++++ Linux-PAM/modules/pam_tally/pam_tally.c 2008-07-16 10:09:02.000000000 +0200 +@@ -97,6 +97,8 @@ + #define OPT_NO_LOCK_TIME 020 + #define OPT_NO_RESET 040 + #define OPT_AUDIT 0100 ++#define OPT_SILENT 0200 ++#define OPT_NOLOGNOTICE 0400 + + + /*---------------------------------------------------------------------*/ +@@ -205,6 +207,12 @@ + else if ( ! strcmp ( *argv, "audit") ) { + opts->ctrl |= OPT_AUDIT; + } ++ else if ( ! strcmp ( *argv, "silent") ) { ++ opts->ctrl |= OPT_SILENT; ++ } ++ else if ( ! 
strcmp ( *argv, "no_log_info") ) { ++ opts->ctrl |= OPT_NOLOGNOTICE; ++ } + else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } +@@ -524,12 +532,17 @@ + { + if ( lock_time + oldtime > time(NULL) ) + { +- pam_syslog(pamh, LOG_NOTICE, +- "user %s (%lu) has time limit [%lds left]" +- " since last failure.", +- user, (unsigned long int) uid, +- oldtime+lock_time +- -time(NULL)); ++ if (!(opts->ctrl & OPT_SILENT)) ++ pam_info (pamh, ++ _("Account temporary locked (%lds seconds left)"), ++ oldtime+lock_time-time(NULL)); ++ ++ if (!(opts->ctrl & OPT_NOLOGNOTICE)) ++ pam_syslog (pamh, LOG_NOTICE, ++ "user %s (%lu) has time limit [%lds left]" ++ " since last failure.", ++ user, (unsigned long int) uid, ++ oldtime+lock_time-time(NULL)); + return PAM_AUTH_ERR; + } + } +@@ -545,9 +558,14 @@ + ( tally > deny ) && /* tally>deny means exceeded */ + ( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */ + ) { +- pam_syslog(pamh, LOG_NOTICE, +- "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, +- user, (unsigned long int) uid, tally, deny); ++ if (!(opts->ctrl & OPT_SILENT)) ++ pam_info (pamh, _("Accounted locked due to "TALLY_FMT" failed login"), ++ tally); ++ ++ if (!(opts->ctrl & OPT_NOLOGNOTICE)) ++ pam_syslog(pamh, LOG_NOTICE, ++ "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, ++ user, (unsigned long int) uid, tally, deny); + return PAM_AUTH_ERR; /* Only unconditional failure */ + } + } +@@ -594,7 +612,7 @@ + #ifdef PAM_SM_AUTH + + PAM_EXTERN int +-pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, ++pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { + int +@@ -612,6 +630,9 @@ + if ( rvcheck != PAM_SUCCESS ) + RETURN_ERROR( rvcheck ); + ++ if (flags & PAM_SILENT) ++ opts->ctrl |= OPT_SILENT; ++ + rvcheck = pam_get_uid(pamh, &uid, &user, opts); + if ( rvcheck != PAM_SUCCESS ) + RETURN_ERROR( rvcheck ); +@@ -625,7 +646,7 @@ + } + + PAM_EXTERN int +-pam_sm_setcred(pam_handle_t *pamh, int flags 
UNUSED, ++pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { + int +@@ -643,6 +664,9 @@ + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); + ++ if (flags & PAM_SILENT) ++ opts->ctrl |= OPT_SILENT; ++ + rv = pam_get_uid(pamh, &uid, &user, opts); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); +@@ -667,7 +691,7 @@ + /* To reset failcount of user on successfull login */ + + PAM_EXTERN int +-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, ++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { + int +@@ -685,6 +709,9 @@ + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); + ++ if (flags & PAM_SILENT) ++ opts->ctrl |= OPT_SILENT; ++ + rv = pam_get_uid(pamh, &uid, &user, opts); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); diff --git a/pam_xauth.diff b/pam_xauth.diff new file mode 100644 index 0000000..25d99c9 --- /dev/null +++ b/pam_xauth.diff @@ -0,0 +1,26 @@ + +2008-04-08 Tomas Mraz + + * modules/pam_xauth/pam_xauth.c(run_coprocess): Avoid multiple + calls to sysconf() (based on patch by Sami Farin). + +--- Linux-PAM-1.0/modules/pam_xauth/pam_xauth.c 2007-10-01 11:41:32.000000000 +0200 ++++ Linux-PAM/modules/pam_xauth/pam_xauth.c 2008-06-22 09:47:33.000000000 +0200 +@@ -118,6 +118,7 @@ + size_t j; + char *args[10]; + const char *tmp; ++ int maxopened; + /* Drop privileges. */ + setgid(gid); + setgroups(0, NULL); +@@ -129,7 +130,8 @@ + * descriptors. */ + dup2(ipipe[0], STDIN_FILENO); + dup2(opipe[1], STDOUT_FILENO); +- for (i = 0; i < sysconf(_SC_OPEN_MAX); i++) { ++ maxopened = (int)sysconf(_SC_OPEN_MAX); ++ for (i = 0; i < maxopened; i++) { + if ((i != STDIN_FILENO) && (i != STDOUT_FILENO)) { + close(i); + }
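Review bot: The two `pam_info` calls added in the `@@ -524` and `@@ -545` hunks of pam_tally.c print by default, so a user who is being refused learns that the account is locked, how long the lock lasts and how many failures are recorded. The `silent` entry in pam_tally.8.xml should say so, e.g. `Don't print informative messages; without this option the lock state and failure count are shown to the user during login.` `no_log_info` likewise drops the LOG_NOTICE lockout records, which deserves a sentence in its entry for sites that alert on them. The message strings need fixing: `_("Account temporarily locked (%ld seconds left)")` (the current `%lds seconds` prints a stray "s") and `_("Account locked due to "TALLY_FMT" failed logins")`. `%ld` receives `oldtime+lock_time-time(NULL)`, whose type follows time_t, so the argument should be cast to `(long)` to keep format and argument in agreement where time_t is not long; the enclosing function starts and ends outside these hunks.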
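Review bot: The new `maxopened = (int)sysconf(_SC_OPEN_MAX);` in run_coprocess is used unchecked. sysconf() returns -1 on error or when the limit is indeterminate, in which case the close loop runs zero times and every inherited descriptor stays open in the coprocess after the privilege drop. A guard before the loop, such as `if (maxopened < 0) maxopened = FALLBACK_OPEN_MAX; /* placeholder: choose a fixed bound */`, keeps descriptors from leaking. The context lines of the first hunk also call `setgid(gid)` and `setgroups(0, NULL)` without checking their results, so a failed drop would go unnoticed. The rest of run_coprocess lies outside these hunks.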