update 1.8

.abf.yml

@@ -1,4 +1,5 @@
-sources:
+removed_sources:
   Linux-PAM-1.1.4.tar.bz2: 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b
-  Linux-PAM-1.1.4.tar.bz2.sign: f8d2e1b7d8d15ed3bca5fe0f7b5171e4f1105f29
+sources:
+  Linux-PAM-1.1.8.tar.bz2: f8ce53c67363f78d520392fa1c253c4978058be1
   pam-redhat-0.99.10-1.tar.bz2: 09e618edc5dcda9a6eb435a31db742afca673ae1

107.patch

@@ -1,33 +0,0 @@
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
---- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- 		tty = strrchr(tty, '/') + 1;
- 	}
- 	/* Make sure the tty wasn't actually a directory (no basename). */
--	if (strlen(tty) == 0) {
-+	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- 		return NULL;
- 	}
- 	return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- 		if (pwd != NULL) {
- 			ruser = pwd->pw_name;
- 		}
-+	} else {
-+		/*
-+		 * This ruser is used by format_timestamp_name as a component
-+		 * of constructed timestamp pathname, so ".", "..", and '/'
-+		 * are disallowed to avoid potential path traversal issues.
-+		 */
-+		if (!strcmp(ruser, ".") ||
-+		    !strcmp(ruser, "..") ||
-+		    strchr(ruser, '/')) {
-+			ruser = NULL;
-+		}
- 	}
- 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- 		*ruserbuf = '\0';
-

90-nproc.conf

@@ -0,0 +1,6 @@
+# Default limit for number of user's processes to prevent
+# accidental fork bombs.
+# See rhbz #432903 for reasoning.
+
+*          soft    nproc     1024
+root       soft    nproc     unlimited

Linux-PAM-1.1.4-group_add_users.patch

@@ -4,7 +4,7 @@
  
  #xsh; tty* ;%admin;Al0000-2400;plugdev
  
-+*;*;*;Al0000-2400;users
++*;*;*;Al0000-2400;users, lp
 +
  #
  # End of group.conf file

pam-0.99.3.0-README.update

@@ -1,34 +0,0 @@
-PAM 0.99.3.0 update notes
-
-- pam_stack module depreciation
-
-The pam_stack module is now deprecated. It has to be replaced by
-include directives in pam.d configuration files. pam_stack usage won't
-make pam fail in this release, but it will be removed in a future
-release, better avoid it. It's basically a matter of replacing
-"required pam_stack.so service=<foo>" with "include <foo>".
-
-This can't be automatically updated on system-edited configuration
-files because it isn't always that simple. Some "sufficient"
-directives in the included file may now occult directives that were
-previously matched, in the same configuration phase
-(auth/account/password/session).
-So, the rules may have to be reordered, and the "include" directives
-have often to be lowered at the bottom of each phase.
-
-See Fedora instructions and release notes for more details.
-http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html
-http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html
-http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html
-
-- pam_pwdb dropped
-
-The pam_pwdb module has been obsolete for a couple of years now, it is
-not anymore available in the pam package from Mandriva.
-The pam_unix module has to be prefered.
-
-- services linked with pam
-
-Services linked with the old pam library have to be restarted once the
-new pam package has been installed.
-This includes services such as crond, xdm, gdm, kdm, samba.

pam-0.99.8.1-11mdv2009.0-README.update

@@ -1,8 +0,0 @@
-PAM 0.99.8.1 update notes
-
-- pam_unix dropped
-
-The pam_unix module has been dropped in favour of the pam_tcb module and is
-no longer available in the pam package from Mandriva.  The pam_tcb module will
-work with the TCB shadowing scheme or regular shadow passwords.  It also provides
-the ability to use blowfish passwords, rather than just md5 passwords.

pam-1.1.5-limits-user.patch

@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.5/modules/pam_limits/limits.conf
+--- Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits	2011-06-21 11:04:56.000000000 +0200
++++ Linux-PAM-1.1.5/modules/pam_limits/limits.conf	2011-12-21 09:09:17.000000000 +0100
+@@ -1,5 +1,8 @@
+ # /etc/security/limits.conf
+ #
++#This file sets the resource limits for the users logged in via PAM.
++#It does not affect resource limits of the system services.
++#
+ #Each line describes a limit for a user in the form:
+ #
+ #<domain>        <type>  <item>  <value>

pam-1.1.6-noflex.patch

@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am
+--- Linux-PAM-1.1.6/doc/Makefile.am.noflex	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/doc/Makefile.am	2012-08-17 14:13:11.904949748 +0200
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+ 
+ CLEANFILES = *~
+ 
+diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am
+--- Linux-PAM-1.1.6/Makefile.am.noflex	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/Makefile.am	2012-08-17 14:15:36.705359892 +0200
+@@ -4,7 +4,7 @@
+ 
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+ 
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
+ 
+ CLEANFILES = *~
+ 

pam-1.1.6-std-noclose.patch

@@ -0,0 +1,98 @@
+diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c
+--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c	2012-08-17 13:25:20.684075361 +0200
+@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti
+    if (child == 0) {
+         int i;
+         struct rlimit rlim;
++	int dummyfds[2];
+ 	static char *envp[] = { NULL };
+ 	char *args[] = { NULL, NULL, NULL, NULL, NULL };
+ 
++	/* replace std file descriptors with a dummy pipe */
++	if (pipe(dummyfds) == 0) {
++		dup2(dummyfds[0], STDIN_FILENO);
++		dup2(dummyfds[1], STDOUT_FILENO);
++		dup2(dummyfds[1], STDERR_FILENO);
++	}
++
+ 	if (getrlimit(RLIMIT_NOFILE, &rlim)==0) {
+           if (rlim.rlim_max >= MAX_FD_NO)
+                 rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ 		close(i);
+ 	  }
+ 	}
+diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c	2012-08-17 13:22:51.664560481 +0200
+@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t
+ 
+     /* reopen stdout as pipe */
+     dup2(fds[1], STDOUT_FILENO);
++    /* and replace also the stdin, stderr so we do not exec the helper with
++       tty as stdin, it will not read anything from there anyway */
++    dup2(fds[0], STDIN_FILENO);
++    dup2(fds[1], STDERR_FILENO);
+ 
+     /* XXX - should really tidy up PAM here too */
+ 
+     if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+       if (rlim.rlim_max >= MAX_FD_NO)
+         rlim.rlim_max = MAX_FD_NO;
+-      for (i=0; i < (int)rlim.rlim_max; i++) {
+-	if (i != STDOUT_FILENO) {
+-	  close(i);
+-	}
++      for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	close(i);
+       }
+     }
+ 
+diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c	2012-08-17 14:10:38.917346789 +0200
+@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h
+ 
+ 	/* reopen stdin as pipe */
+ 	dup2(fds[0], STDIN_FILENO);
++	/* and replace also the stdout/err as the helper will
++           not write anything there */
++	dup2(fds[1], STDOUT_FILENO);
++	dup2(fds[1], STDERR_FILENO);
+ 
+ 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+ 	  if (rlim.rlim_max >= MAX_FD_NO)
+ 	    rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
+-	    if (i != STDIN_FILENO)
+-		close(i);
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	    close(i);
+ 	  }
+ 	}
+ 
+diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c
+--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/support.c	2012-08-17 14:12:10.833511475 +0200
+@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h
+ 
+ 	/* reopen stdin as pipe */
+ 	dup2(fds[0], STDIN_FILENO);
++	/* and replace also the stdout/err as the helper will
++           not write anything there */
++	dup2(fds[1], STDOUT_FILENO);
++	dup2(fds[1], STDERR_FILENO);
+ 
+ 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+           if (rlim.rlim_max >= MAX_FD_NO)
+                 rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
+-		if (i != STDIN_FILENO)
+-		  close(i);
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++		close(i);
+ 	  }
+ 	}
+ 

pam-1.1.7-tty-audit-init.patch

@@ -0,0 +1,48 @@
+diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init	2013-08-28 10:53:40.000000000 +0200
++++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c	2013-10-04 14:51:19.944994905 +0200
+@@ -36,6 +36,7 @@
+    USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+    DAMAGE. */
+ 
++#include "config.h"
+ #include <errno.h>
+ #include <fnmatch.h>
+ #include <stdlib.h>
+@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu
+   struct msghdr msg;
+   struct nlmsghdr nlm;
+   struct iovec iov[2];
+-  ssize_t res;
++  ssize_t res, resdiff;
+ 
+  again:
+   iov[0].iov_base = &nlm;
+@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu
+   res = recvmsg (fd, &msg, 0);
+   if (res == -1)
+     return -1;
+-  if ((size_t)res != NLMSG_LENGTH (size)
++  resdiff = NLMSG_LENGTH(size) - (size_t)res;
++  if (resdiff < 0
+       || nlm.nlmsg_type != type)
+     {
+       errno = EIO;
+       return -1;
+     }
++  else if (resdiff > 0)
++    {
++      memset((char *)buf + res, 0, resdiff);
++    }
+   return 0;
+ }
+ 
+@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh,
+       return PAM_SESSION_ERR;
+     }
+ 
++  memcpy(&new_status, old_status, sizeof(new_status));
++
+   new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+ #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+   new_status.log_passwd = log_passwd;

pam-1.1.7-unix-build.patch

@@ -0,0 +1,34 @@
+diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build	2012-07-23 18:46:27.709804094 +0200
++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c	2012-07-23 18:46:27.764805293 +0200
+@@ -47,6 +47,8 @@
+ #include <time.h>		/* for time() */
+ #include <errno.h>
+ #include <sys/wait.h>
++#include <sys/time.h>
++#include <sys/resource.h>
+ 
+ #include <security/_pam_macros.h>
+ 
+diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build	2012-07-23 18:55:16.433314731 +0200
++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c	2012-07-23 18:54:48.064697131 +0200
+@@ -53,6 +53,7 @@
+ #include <fcntl.h>
+ #include <ctype.h>
+ #include <sys/time.h>
++#include <sys/resource.h>
+ #include <sys/stat.h>
+ 
+ #include <signal.h>
+diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c
+--- Linux-PAM-1.1.5/modules/pam_unix/support.c.build	2012-07-23 18:46:27.000000000 +0200
++++ Linux-PAM-1.1.5/modules/pam_unix/support.c	2012-07-23 18:54:23.645165507 +0200
+@@ -18,6 +18,7 @@
+ #include <signal.h>
+ #include <ctype.h>
+ #include <syslog.h>
++#include <sys/time.h>
+ #include <sys/resource.h>
+ #ifdef HAVE_RPCSVC_YPCLNT_H
+ #include <rpcsvc/ypclnt.h>

pam.spec

@@ -18,39 +18,43 @@ Epoch:	1
 
 Summary:	A security tool which provides authentication for applications
 Name:		pam
-Version:	1.1.4
-Release:	20
+Version:	1.1.8
+Release:	3
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License:	BSD and GPLv2+
 Group:		System/Libraries
 Url:		http://www.kernel.org/pub/linux/libs/pam/index.html
 Source0:	ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
-Source1:	ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
 Source2:	pam-redhat-%{pam_redhat_version}.tar.bz2
-Source3:	pam-0.99.3.0-README.update
-Source4:	pam-0.99.8.1-11mdv2009.0-README.update
 Source5:	other.pamd
 Source6:	system-auth.pamd
 Source7:	config-util.pamd
 Source8:	dlopen.sh
 Source9:	system-auth.5
 Source10:	config-util.5
+Source11:	postlogin.pamd
+Source12:	postlogin.5
+Source13:	pamtmp.conf
+Source14:	90-nproc.conf
 #add missing documentation
 Source501: 	pam_tty_audit.8
 Source502:	README
 
 # RedHat patches
 Patch1:  pam-1.0.90-redhat-modules.patch
-Patch2:		pam-1.0.91-std-noclose.patch
+Patch2:  pam-1.1.6-std-noclose.patch
 Patch4:  pam-1.1.0-console-nochmod.patch
 Patch5:  pam-1.1.0-notally.patch
 Patch7:  pam-1.1.0-console-fixes.patch
-Patch9:		pam-1.1.2-noflex.patch
+Patch9:  pam-1.1.6-noflex.patch
 Patch10: pam-1.1.3-nouserenv.patch
 Patch11: pam-1.1.3-console-abstract.patch
+Patch13: pam-1.1.5-limits-user.patch
+Patch22: pam-1.1.7-unix-build.patch
+Patch32: pam-1.1.7-tty-audit-init.patch
 
-# Mandriva specific sources/patches
+# ROSA specific sources/patches
 # (fl) fix infinite loop
 Patch507:	pam-0.74-loop.patch
 # (fc) 0.75-29mdk don't complain when / is owned by root.adm
@@ -86,6 +90,7 @@ BuildRequires:	db_nss-devel
 BuildRequires:	openssl-devel
 BuildRequires:	libaudit-devel
 BuildRequires:	glibc-crypt_blowfish-devel
+BuildRequires:  gettext-devel
 %if %with_prelude
 BuildRequires:	prelude-devel >= 0.9.0
 %else
@@ -98,6 +103,8 @@ Requires(pre):	rpm-helper
 Requires(post):	coreutils >= 8.12-7.2
 #Requires(post):	tcb >= 1.0.2-16
 Conflicts:	%{_lib}pam0 < 1.1.4-5
+Requires: libpwquality >= 0.9.9
+
 
 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
@@ -115,6 +122,7 @@ This is the documentation package of %{name}.
 %package -n	%{libname}
 Summary:	Library for %{name}
 Group:		System/Libraries
+Conflicts:	pam < 1.1.4-5
 
 %description -n	%{libname}
 This package contains the library libpam for %{name}.
@@ -142,7 +150,6 @@ Requires:	%{libname} = %{EVRD}
 Requires:	%{libnamec} = %{EVRD}
 Requires:	%{libname_misc} = %{EVRD}
 Provides:	%{name}-devel = %{EVRD}
-Provides:	lib%{name}-devel = %{EVRD}
 
 %description -n	%{develname}
 PAM (Pluggable Authentication Modules) is a system security tool that
@@ -157,37 +164,7 @@ This package contains the development libraries for %{name}.
 # Add custom modules.
 mv pam-redhat-%{pam_redhat_version}/* modules
 
-# (RH)
-%patch1 -p1 -b .redhat-modules
-%patch2 -p1 -b .std-noclose
-%patch4 -p1 -b .nochmod
-%patch5 -p1 -b .notally
-%patch7 -p1 -b .console-fixes
-%patch9 -p1 -b .noflex
-%patch10 -p1 -b .nouserenv
-%patch11 -p1 -b .abstract
-
-# (Mandriva)
-%patch507 -p1 -b .loop
-%patch508 -p1 -b .pamtimestampadm
-%patch512 -p0 -b .xauth-groups
-%patch517 -p1 -b .enable_rt
-%patch521 -p1 -b .pbuild-rh
-%patch700 -p1 -b .static
-%patch701 -p1 -b .nopermsd
-%patch702 -p1 -b .nis_const~
-%patch801 -p1 -b .group_users
-%patch802 -p1
-%patch803 -p1
-
-# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this
-# just makes things easier but is not meant to be a permanent solution
-## Remove unwanted modules; pam_tcb provides pam_unix now
-#for d in pam_unix; do
-#    rm -rf modules/$d
-#    sed -i "s,modules/$d/Makefile,," configure.in
-#    sed -i "s/ $d / /" modules/Makefile.am
-#done
+%apply_patches
 
 install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/
 
@@ -196,10 +173,8 @@ for readme in modules/pam_*/README ; do
 	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
 done
 
-cp %{SOURCE4} README.0.99.8.1.update.urpmi
-
 #libtoolize -cf
-autoreconf -I m4
+autoreconf -ifs -I m4
 
 %build
 export BROWSER=""
@@ -222,12 +197,14 @@ install -d -m 755 %{buildroot}/etc/pam.d
 install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
 install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
 install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
+install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin
 install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
 install -d -m 755 %{buildroot}/var/log
 install -m 600 /dev/null %{buildroot}/var/log/tallylog
+install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf
 
 # Install man pages.
-install -m 644 %{SOURCE9} %{SOURCE10} %{buildroot}%{_mandir}/man5/
+install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/
 
 # no longer needed, handled by ACL in udev
 for phase in auth acct passwd session ; do
@@ -238,6 +215,16 @@ done
 rm -f %{buildroot}/%{_lib}/security/*.la
 rm -f %{buildroot}/%{_lib}/*.la
 
+#Set suid bit for /sbin/unix_chkpwd (bug #3169)
+chmod u+s %{buildroot}/sbin/unix_chkpwd
+
+# Install the file for autocreation of /var/run subdirectories on boot
+mkdir -p %{buildroot}%{_prefix}/lib/tmfiles.d/
+install -m644 -D %{SOURCE13} %{buildroot}%{_prefix}/lib/tmpfiles.d/pam.conf
+
+# For drakauth copy system-auth to system-auth-default
+cp -f %{buildroot}/etc/pam.d/system-auth %{buildroot}/etc/pam.d/system-auth-default
+
 %find_lang Linux-PAM
 
 %check
@@ -279,13 +266,15 @@ fi
 #fi
 
 %files -f Linux-PAM.lang
-%doc NEWS README.0.99.8.1.update.urpmi
+%doc NEWS
 %docdir %{_docdir}/%{name}
 %dir /etc/pam.d
 %config(noreplace) /etc/environment
-%config(noreplace) /etc/pam.d/other
+%config /etc/pam.d/other
 %attr(0644,root,shadow) %config(noreplace) /etc/pam.d/system-auth
-%config(noreplace) /etc/pam.d/config-util
+%attr(0644,root,shadow) %config(noreplace) /etc/pam.d/system-auth-default
+%config /etc/pam.d/config-util
+%config /etc/pam.d/postlogin
 /sbin/mkhomedir_helper
 /sbin/pam_console_apply
 /sbin/pam_tally2
@@ -304,11 +293,13 @@ fi
 %config(noreplace) %{_sysconfdir}/security/sepermit.conf
 %config(noreplace) %{_sysconfdir}/security/time.conf
 %config(noreplace) %{_sysconfdir}/security/opasswd
+%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf
 %dir %{_sysconfdir}/security/console.apps
 %dir %{_sysconfdir}/security/console.perms.d
 %dir /%{_lib}/security
 /%{_lib}/security/*.so
 /%{_lib}/security/pam_filter
+/usr/lib/tmpfiles.d/pam.conf
 %dir /var/run/console
 %ghost %verify(not md5 size mtime) /var/log/tallylog
 %{_mandir}/man5/*

password-auth.pamd

@@ -0,0 +1,18 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

postlogin.5

@@ -0,0 +1,46 @@
+.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+postlogin \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/postlogin
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this PAM configuration file is to provide a common
+place for all PAM modules which should be called after the stack
+configured in
+.BR system-auth
+or the other common PAM configuration files.
+
+.sp
+The
+.BR postlogin
+configuration file is included from all individual service configuration
+files that provide login service with shell or file access.
+
+.SH NOTES
+The modules in the postlogin configuration file are executed regardless
+of the success or failure of the modules in the
+.BR system-auth
+configuration file.
+
+.SH BUGS
+.sp 2
+Sometimes it would be useful to be able to skip the postlogin modules in
+case the substack of the
+.BR system-auth
+modules failed. Unfortunately the current Linux-PAM library does not
+provide any way how to achieve this.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), system-auth(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "

postlogin.pamd

@@ -0,0 +1,7 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+
+session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet
+session     [default=1]   pam_lastlog.so nowtmp silent
+session     optional      pam_lastlog.so silent noupdate showfailed

smartcard-auth.pamd

@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    optional      pam_pkcs11.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

system-auth.5

@@ -1,39 +1,58 @@
-.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
 .SH NAME
 
 system-auth \- Common configuration file for PAMified services
 
 .SH SYNOPSIS
 .B /etc/pam.d/system-auth
+.B /etc/pam.d/password-auth
+.B /etc/pam.d/fingerprint-auth
+.B /etc/pam.d/smartcard-auth
 .sp 2
 .SH DESCRIPTION
 
-The purpose of this configuration file is to provide common 
-configuration file for all applications and service daemons
-calling PAM library.
+The purpose of these configuration files are to provide a common
+interface for all applications and service daemons calling into
+the PAM library.
 
 .sp
-The \fBsystem-auth\fR configuration file is included from all individual service configuration
-files with the help of the \fBinclude\fR directive.
+The
+.BR system-auth
+configuration file is included from nearly all individual service configuration
+files with the help of the
+.BR substack
+directive.
+
+.sp
+The
+.BR password-auth
+.BR fingerprint-auth
+.BR smartcard-auth
+configuration files are for applications which handle authentication from
+different types of devices via simultaneously running individual conversations
+instead of one aggregate conversation.
 
 .SH NOTES
-There should be no \fBsufficient\fR modules in the \fBsession\fR
-part of \fBsystem-auth\fR file because individual services may add session modules after
-\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient
-modules in \fBsystem-auth\fR file.
-
-.sp
-Conversely there should not be any modules after
-\fBinclude\fR directive in the individual service files in
-\fBauth\fR, \fBaccount\fR and \fBpassword\fR
-sections otherwise they could be bypassed.
+Previously these common configuration files were included with the help
+of the
+.BR include
+directive. This limited the use of the different action types of modules.
+With the use of
+.BR substack
+directive to include these common configuration files this limitation
+no longer applies.
 
 .SH BUGS
 .sp 2
 None known.
 
 .SH "SEE ALSO"
-\fBpam\fR(8), \fBconfig-util\fR(5)
+pam(8), config-util(5), postlogin(5)
 
-The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR,
-\fBmodule developers\fR, and \fBapplication developers\fR.
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "

system-auth.pamd

@@ -1,17 +1,18 @@
 #%PAM-1.0
-
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so try_first_pass nullok
 auth        required      pam_deny.so
 
 account     required      pam_unix.so
 
-password    required      pam_cracklib.so try_first_pass retry=3
-password    sufficient    pam_unix.so  try_first_pass use_authtok shadow nullok sha15
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so
 
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
+-session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
--session    optional      pam_systemd.so