Automatic import for version 1.1.4-9

.abf.yml

@@ -0,0 +1,3 @@
+sources:
+  "Linux-PAM-1.1.4.tar.bz2": 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b
+  "pam-redhat-0.99.10-1.tar.bz2": 09e618edc5dcda9a6eb435a31db742afca673ae1

Linux-PAM-0.99.3.0-enable_rt.patch

@@ -0,0 +1,12 @@
+--- Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf.enable_rt	2005-08-16 16:02:28.000000000 +0200
++++ Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf	2006-01-28 14:51:28.000000000 +0100
+@@ -47,4 +47,9 @@
+ #ftp             hard    nproc           0
+ #@student        -       maxlogins       4
+ 
++*               -       rtprio           0
++*               -       nice             0
++@audio          -       rtprio           50
++@audio          -       nice             -10
++
+ # End of file

Linux-PAM-0.99.3.0-pamtimestampadm.patch

@@ -0,0 +1,14 @@
+--- Linux-PAM-0.99.3.0/modules/pam_timestamp/pam_timestamp.c.pamtimestampadm	2006-01-03 16:35:07.000000000 +0100
++++ Linux-PAM-0.99.3.0/modules/pam_timestamp/pam_timestamp.c	2006-01-27 22:31:39.000000000 +0100
+@@ -121,9 +121,9 @@
+ 				       scratch);
+ 				return PAM_AUTH_ERR;
+ 			}
+-			if (st.st_gid != 0) {
++			if ((st.st_gid != 0) && (st.st_gid != 4)) {
+ 				pam_syslog(pamh, LOG_ERR,
+-				       "`%s' owner GID != 0",
++				       "`%s' owner GID != 0 and != 4",
+ 				       scratch);
+ 				return PAM_AUTH_ERR;
+ 			}

Linux-PAM-0.99.3.0-pbuild-rh.patch

@@ -0,0 +1,11 @@
+--- Linux-PAM-0.99.3.0/modules/pam_console/Makefile.am.pbuild-rh	2005-12-15 23:07:37.000000000 +0100
++++ Linux-PAM-0.99.3.0/modules/pam_console/Makefile.am	2006-01-28 00:26:20.000000000 +0100
+@@ -57,6 +57,8 @@
+ pam_console_la_CFLAGS = $(AM_CFLAGS)
+ pam_console_apply_CFLAGS = $(AM_CFLAGS)
+ 
++configfile.tab.h: configfile.tab.c
++
+ configfile.tab.c: configfile.y
+ 	$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
+ 	sh $(srcdir)/sed-static $@

Linux-PAM-1.1.1-xauth-groups.patch

@@ -0,0 +1,67 @@
+--- modules/pam_xauth/pam_xauth.c	2010-10-08 13:56:11.000000000 +0200
++++ modules/pam_xauth/pam_xauth.c.oden	2010-11-03 11:23:06.714312576 +0100
+@@ -90,7 +90,7 @@ static const char * const xauthpaths[] =
+  * given input on stdin, and storing any output it generates. */
+ static int
+ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
+-	      uid_t uid, gid_t gid, const char *command, ...)
++	      uid_t uid, gid_t gid, const char *name, const char *command, ...)
+ {
+ 	int ipipe[2], opipe[2], i;
+ 	char buf[LINE_MAX];
+@@ -141,6 +141,12 @@ run_coprocess(pam_handle_t *pamh, const
+ 		    pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m");
+ 		    _exit (err);
+ 		  }
++
++               /* Mandriva Linux specific:
++                * we need to set the extra groups because in high security levels
++                * access to /usr/X11R6/bin dir is controlled by a group */
++                initgroups(name, gid);
++
+ 		if (setuid(uid) == -1)
+ 		  {
+ 		    int err = errno;
+@@ -148,6 +154,7 @@ run_coprocess(pam_handle_t *pamh, const
+ 				(unsigned long) geteuid ());
+ 		    _exit (err);
+ 		  }
++
+ 		/* Initialize the argument list. */
+ 		memset(args, 0, sizeof(args));
+ 		/* Set the pipe descriptors up as stdin and stdout, and close
+@@ -173,6 +180,7 @@ run_coprocess(pam_handle_t *pamh, const
+ 		}
+ 		/* Run the command. */
+ 		execv(command, args);
++		syslog(LOG_ERR, "pam_xauth: execvp of %s failed: %m", command);
+ 		/* Never reached. */
+ 		_exit(1);
+ 	}
+@@ -508,7 +516,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 			   (unsigned long) getuid(), (unsigned long) getgid());
+ 	}
+ 	if (run_coprocess(pamh, NULL, &cookie,
+-			  getuid(), getgid(),
++			  getuid(), getgid(), rpwd->pw_name,
+ 			  xauth, "-f", cookiefile, "nlist", display,
+ 			  NULL) == 0) {
+ #ifdef WITH_SELINUX
+@@ -567,7 +575,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 						       (unsigned long) getgid());
+ 					}
+ 					run_coprocess(pamh, NULL, &cookie,
+-						      getuid(), getgid(),
++						      getuid(), getgid(), rpwd->pw_name,
+ 						      xauth, "-f", cookiefile,
+ 						      "nlist", t, NULL);
+ 				}
+@@ -709,7 +717,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 				  (unsigned long) tpwd->pw_gid);
+ 		}
+ 		run_coprocess(pamh, cookie, &tmp,
+-			      tpwd->pw_uid, tpwd->pw_gid,
++			      tpwd->pw_uid, tpwd->pw_gid, tpwd->pw_name,
+ 			      xauth, "-f", cookiefile, "nmerge", "-", NULL);
+ 
+ 		/* We don't need to keep a copy of these around any more. */

Linux-PAM-1.1.4-add-now-missing-nis-constant.patch

@@ -0,0 +1,11 @@
+--- Linux-PAM-1.1.4/modules/pam_unix/support.c.yp_const~	2011-07-19 14:31:36.081046306 +0200
++++ Linux-PAM-1.1.4/modules/pam_unix/support.c	2011-07-19 14:31:38.058067705 +0200
+@@ -21,6 +21,8 @@
+ #include <sys/resource.h>
+ #ifdef HAVE_RPCSVC_YPCLNT_H
+ #include <rpcsvc/ypclnt.h>
++#else
++#define YPERR_SUCCESS 0
+ #endif
+ 
+ #include <security/_pam_macros.h>

Linux-PAM-1.1.4-group_add_users.patch

@@ -0,0 +1,11 @@
+--- Linux-PAM-1.1.4.orig/modules/pam_group/group.conf	2011-06-21 13:04:56.000000000 +0400
++++ Linux-PAM-1.1.4/modules/pam_group/group.conf	2012-04-20 15:45:10.000000000 +0400
+@@ -101,6 +101,8 @@
+ 
+ #xsh; tty* ;%admin;Al0000-2400;plugdev
+ 
++*;*;*;Al0000-2400;users
++
+ #
+ # End of group.conf file
+ #

Linux-PAM-1.1.4.tar.bz2.sign

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+Comment: See http://www.kernel.org/signature.html for info
+
+iD8DBQBOBHzAyGugalF9Dw4RAvUUAJ0SfOT7ITyalk4JsmIe5tJSdIB5ygCfZ2ku
+aHp5ptRfKYgWdlnFv+3F7H4=
+=kqy6
+-----END PGP SIGNATURE-----

README

@@ -0,0 +1,48 @@
+pam_tty_audit ? Enable or disable TTY auditing for specified users
+
+-------------------------------------------------------------------------------
+
+DESCRIPTION
+
+The pam_tty_audit PAM module is used to enable or disable TTY auditing. By
+default, the kernel does not audit input on any TTY.
+
+OPTIONS
+
+disable=patterns
+
+    For each user matching one of comma-separated glob patterns, disable TTY
+    auditing. This overrides any previous enable option matchin the same user
+    name on the command line.
+
+enable=patterns
+
+    For each user matching one of comma-separated glob patterns, enable TTY
+    auditing. This overrides any previous disable option matching the same user
+    name on the command line.
+
+open_only
+
+    Set the TTY audit flag when opening the session, but do not restore it when
+    closing the session. Using this option is necessary for some services that
+    don't fork() to run the authenticated session, such as sudo.
+
+NOTES
+
+When TTY auditing is enabled, it is inherited by all processes started by that
+user. In particular, daemons restarted by an user will still have TTY auditing
+enabled, and audit TTY input even by other users unless auditing for these
+users is explicitly disabled. Therefore, it is recommended to use disable=* as
+the first option for most daemons using PAM.
+
+EXAMPLES
+
+Audit all administrative actions.
+
+session required pam_tty_audit.so disable=* enable=root
+
+
+AUTHOR
+
+pam_tty_audit was written by Miloslav Trma? <mitr@redhat.com>.
+

config-util.5

@@ -0,0 +1,36 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+config-util \- Common PAM configuration file for configuration utilities
+
+.SH SYNOPSIS
+.B /etc/pam.d/config-util
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common 
+configuration file for all configuration utilities which must be run
+from the supervisor account and use the userhelper wrapper application.
+
+.sp
+The
+.BR config-util
+configuration file is included from all individual configuration
+files of such utilities with the help of the
+.BR include
+directive.
+There are not usually any other modules in the individual configuration
+files of these utilities.
+
+.sp
+It is possible for example to modify duration of the validity of the 
+authentication timestamp there. See
+.BR pam_timestamp(8)
+for details.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), pam_timestamp(8)

config-util.pamd

@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		sufficient	pam_timestamp.so
+auth		include		system-auth
+account		required	pam_permit.so
+session		required	pam_permit.so
+session		optional	pam_xauth.so
+session		optional	pam_timestamp.so

dlopen.sh

@@ -0,0 +1,75 @@
+#!/bin/sh
+
+tempdir=`mktemp -d /tmp/dlopenXXXXXX`
+test -n "$tempdir" || exit 1
+cat >> $tempdir/dlopen.c << _EOF
+#include <dlfcn.h>
+#include <stdio.h>
+#include <limits.h>
+#include <sys/stat.h>
+/* Simple program to see if dlopen() would succeed. */
+int main(int argc, char **argv)
+{
+	int i;
+	struct stat st;
+	char buf[PATH_MAX];
+	for (i = 1; i < argc; i++) {
+		if (dlopen(argv[i], RTLD_NOW)) {
+			fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
+				argv[i]);
+		} else {
+			snprintf(buf, sizeof(buf), "./%s", argv[i]);
+			if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
+				fprintf(stdout, "dlopen() of \"./%s\" "
+					"succeeded.\n", argv[i]);
+			} else {
+				fprintf(stdout, "dlopen() of \"%s\" failed: "
+					"%s\n", argv[i], dlerror());
+				return 1;
+			}
+		}
+	}
+	return 0;
+}
+_EOF
+
+for arg in $@ ; do
+	case "$arg" in
+	"")
+		;;
+	-I*|-D*|-f*|-m*|-g*|-O*|-W*)
+		cflags="$cflags $arg"
+		;;
+	-l*|-L*)
+		ldflags="$ldflags $arg"
+		;;
+	/*)
+		modules="$modules $arg"
+		;;
+	*)
+		modules="$modules $arg"
+		;;
+	esac
+done
+
+${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
+
+retval=0
+for module in $modules ; do
+	case "$module" in
+	"")
+		;;
+	/*)
+		$tempdir/dlopen "$module"
+		retval=$?
+		;;
+	*)
+		$tempdir/dlopen ./"$module"
+		retval=$?
+		;;
+	esac
+done
+
+rm -f $tempdir/dlopen $tempdir/dlopen.c
+rmdir $tempdir
+exit $retval

other.pamd

@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth     required       pam_deny.so
+account  required       pam_deny.so
+password required       pam_deny.so
+session  required       pam_deny.so

pam-0.74-loop.patch

@@ -0,0 +1,12 @@
+--- pam-0.74/modules/pam_console/chmod.c.fred	Fri Mar  9 02:00:21 2001
++++ pam-0.74/modules/pam_console/chmod.c	Thu Mar 15 16:54:27 2001
+@@ -161,7 +161,8 @@
+     {
+       if(mntent->mnt_dir &&
+          mntent->mnt_fsname &&
+-	 (fnmatch(dir, mntent->mnt_dir, 0) == 0))
++	 (fnmatch(dir, mntent->mnt_dir, 0) == 0) &&
++	 strcmp(dir, mntent->mnt_fsname))
+         {
+           errors |= change_file(mntent->mnt_fsname, changes, TRUE, user, group);
+         }

pam-0.99.3.0-README.update

@@ -0,0 +1,34 @@
+PAM 0.99.3.0 update notes
+
+- pam_stack module depreciation
+
+The pam_stack module is now deprecated. It has to be replaced by
+include directives in pam.d configuration files. pam_stack usage won't
+make pam fail in this release, but it will be removed in a future
+release, better avoid it. It's basically a matter of replacing
+"required pam_stack.so service=<foo>" with "include <foo>".
+
+This can't be automatically updated on system-edited configuration
+files because it isn't always that simple. Some "sufficient"
+directives in the included file may now occult directives that were
+previously matched, in the same configuration phase
+(auth/account/password/session).
+So, the rules may have to be reordered, and the "include" directives
+have often to be lowered at the bottom of each phase.
+
+See Fedora instructions and release notes for more details.
+http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html
+http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html
+http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html
+
+- pam_pwdb dropped
+
+The pam_pwdb module has been obsolete for a couple of years now, it is
+not anymore available in the pam package from Mandriva.
+The pam_unix module has to be prefered.
+
+- services linked with pam
+
+Services linked with the old pam library have to be restarted once the
+new pam package has been installed.
+This includes services such as crond, xdm, gdm, kdm, samba.

pam-0.99.8.1-11mdv2009.0-README.update

@@ -0,0 +1,8 @@
+PAM 0.99.8.1 update notes
+
+- pam_unix dropped
+
+The pam_unix module has been dropped in favour of the pam_tcb module and is
+no longer available in the pam package from Mandriva.  The pam_tcb module will
+work with the TCB shadowing scheme or regular shadow passwords.  It also provides
+the ability to use blowfish passwords, rather than just md5 passwords.

pam-1.0.90-redhat-modules.patch

@@ -0,0 +1,23 @@
+diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am
+--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules	2008-11-29 08:27:35.000000000 +0100
++++ Linux-PAM-1.0.90/modules/Makefile.am	2008-12-16 13:40:16.000000000 +0100
+@@ -3,6 +3,7 @@
+ #
+ 
+ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
++	pam_chroot pam_console pam_postgresok \
+ 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ 	pam_listfile pam_localuser pam_loginuid pam_mail \
+diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in
+--- Linux-PAM-1.0.90/configure.in.redhat-modules	2008-12-02 16:25:01.000000000 +0100
++++ Linux-PAM-1.0.90/configure.in	2008-12-16 13:39:11.000000000 +0100
+@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ 	libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+ 	po/Makefile.in \
+ 	modules/Makefile \
++	modules/pam_chroot/Makefile modules/pam_console/Makefile \
++	modules/pam_postgresok/Makefile \
+ 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+         modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ 	modules/pam_echo/Makefile modules/pam_env/Makefile \

pam-1.0.91-std-noclose.patch

@@ -0,0 +1,98 @@
+diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c
+--- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
++++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c	2009-03-26 10:02:15.000000000 +0100
+@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int 
+    if (child == 0) {
+         int i;
+         struct rlimit rlim;
++	int dummyfds[2];
+ 	static char *envp[] = { NULL };
+ 	char *args[] = { NULL, NULL, NULL, NULL, NULL };
+ 
++	/* replace std file descriptors with a dummy pipe */
++	if (pipe(dummyfds) == 0) {
++		dup2(dummyfds[0], STDIN_FILENO);
++		dup2(dummyfds[1], STDOUT_FILENO);
++		dup2(dummyfds[1], STDERR_FILENO);
++	}
++
+ 	if (getrlimit(RLIMIT_NOFILE, &rlim)==0) {
+           if (rlim.rlim_max >= MAX_FD_NO)
+                 rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ 	  	close(i);
+ 	  }
+ 	}
+diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c
+--- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
++++ Linux-PAM-1.0.91/modules/pam_unix/support.c	2009-03-26 10:08:59.000000000 +0100
+@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h
+ 
+ 	/* reopen stdin as pipe */
+ 	dup2(fds[0], STDIN_FILENO);
++	/* and replace also the stdout/err as the helper will
++           not write anything there */
++	dup2(fds[1], STDOUT_FILENO);
++	dup2(fds[1], STDERR_FILENO);
+ 
+ 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+           if (rlim.rlim_max >= MAX_FD_NO)
+                 rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
+-		if (i != STDIN_FILENO)
+-	  	   close(i);
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	  	close(i);
+ 	  }
+ 	}
+ 
+diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c	2009-03-26 10:07:06.000000000 +0100
+@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h
+ 
+ 	/* reopen stdin as pipe */
+ 	dup2(fds[0], STDIN_FILENO);
++	/* and replace also the stdout/err as the helper will
++           not write anything there */
++	dup2(fds[1], STDOUT_FILENO);
++	dup2(fds[1], STDERR_FILENO);
+ 
+ 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+ 	  if (rlim.rlim_max >= MAX_FD_NO)
+ 	    rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
+-	    if (i != STDIN_FILENO)
+-	  	   close(i);
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	    close(i);
+ 	  }
+ 	}
+ 
+diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c	2009-03-26 10:05:41.000000000 +0100
+@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t
+ 
+     /* reopen stdout as pipe */
+     dup2(fds[1], STDOUT_FILENO);
++    /* and replace also the stdin, stderr so we do not exec the helper with
++       tty as stdin, it will not read anything from there anyway */
++    dup2(fds[0], STDIN_FILENO);
++    dup2(fds[1], STDERR_FILENO);
+ 
+     /* XXX - should really tidy up PAM here too */
+ 
+     if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+       if (rlim.rlim_max >= MAX_FD_NO)
+         rlim.rlim_max = MAX_FD_NO;
+-      for (i=0; i < (int)rlim.rlim_max; i++) {
+-	if (i != STDOUT_FILENO) {
+-	  close(i);
+-	}
++      for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	close(i);
+       }
+     }
+ 

pam-1.1.0-console-fixes.patch

@@ -0,0 +1,71 @@
+diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
+--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix	2009-11-02 08:45:24.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/handlers.c	2009-11-02 08:50:19.000000000 +0100
+@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
+         const char *flagptr;
+         const char **argv;
+         int i = 0;
+-        argv = malloc(sizeof(*argv)*nparams+2);
+-        
++        argv = malloc(sizeof(*argv)*(nparams+2));
++
+         if (argv == NULL)
+                 return;
+-        
++
+         argv[i++] = handler->executable;
+-        
++
+         for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
+                 switch (testflag(flagptr)) {
+                 case HF_LOGFAIL:
+@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
+         }
+ 
+ 	sighandler = signal(SIGCHLD, SIG_DFL);
+-        
++
+         child = fork();
+         switch (child) {
+         case -1:
+@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru
+                 if (!wait_exit) {
+ 			switch(fork()) {
+ 			case 0:
+-				exit(0);
++				if(setsid() == -1) {
++					_exit(255);
++				}
++				break;
+ 			case -1:
+-				exit(255);
++				_exit(255);
+ 			default:
+-                    		if(setsid() == -1) {
+-                            		exit(255);
+-				}
++				_exit(0);
+ 			}
+                 }
+                 if (set_uid) {
+                         struct passwd *pw;
+                         pw = getpwnam(user);
+                         if (pw == NULL)
+-                                exit(255);
++                                _exit(255);
+                         if (setgid(pw->pw_gid) == -1 ||
+                             setuid(pw->pw_uid) == -1)
+-                                exit(255);
++                                _exit(255);
+                 }
+                 call_exec(handler, nparams, user, tty);
+-                exit(255);
++                _exit(255);
+         default:
+                 break;
+         }
+-        
++
+         waitpid(child, &rv, 0);
+ 
+ 	if (sighandler != SIG_ERR)

pam-1.1.0-console-nochmod.patch

@@ -0,0 +1,26 @@
+diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
+--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod	2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/console.handlers	2009-09-01 17:20:08.000000000 +0200
+@@ -15,5 +15,3 @@
+ # touch unlock wait /var/run/console-unlocked
+ 
+ console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
+-/sbin/pam_console_apply lock logfail wait -t tty -s
+-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
+diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
+--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod	2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am	2009-09-01 17:42:47.000000000 +0200
+@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
+ 
+ 
+ secureconf_DATA = console.perms console.handlers
+-permsd_DATA = 50-default.perms
+ 
+ FLEX_OPTS = -Cr
+ BISON_OPTS = -d
+@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
+ 
+ install-data-local:
+ 	mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
++	mkdir -p $(DESTDIR)$(permsddir)
+ 	mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)

pam-1.1.0-console-nopermsd.patch

@@ -0,0 +1,11 @@
+--- Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c.error	2009-10-06 17:34:02.000000000 +0200
++++ Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c	2009-10-06 17:39:14.000000000 +0200
+@@ -65,7 +65,7 @@ parse_files(void)
+ 	on system locale */
+ 	oldlocale = setlocale(LC_COLLATE, "C");
+ 
+-	rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
++	rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
+ 	setlocale(LC_COLLATE, oldlocale);
+ 	if (rc)
+ 		return;

pam-1.1.0-notally.patch

@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
+--- Linux-PAM-1.1.0/modules/Makefile.am.notally	2009-07-27 17:39:25.000000000 +0200
++++ Linux-PAM-1.1.0/modules/Makefile.am	2009-09-01 17:40:16.000000000 +0200
+@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
+ 	pam_mkhomedir pam_motd pam_namespace pam_nologin \
+ 	pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ 	pam_selinux pam_sepermit pam_shells pam_stress \
+-	pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
++	pam_succeed_if pam_tally2 pam_time pam_timestamp \
+ 	pam_tty_audit pam_umask \
+ 	pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ 

pam-1.1.2-noflex.patch

@@ -0,0 +1,27 @@
+diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am
+--- Linux-PAM-1.1.2/doc/Makefile.am.noflex	2008-02-04 16:05:51.000000000 +0100
++++ Linux-PAM-1.1.2/doc/Makefile.am	2010-09-20 10:40:59.000000000 +0200
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+ 
+ CLEANFILES = *~
+ 
+diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am
+--- Linux-PAM-1.1.2/Makefile.am.noflex	2010-07-08 14:04:19.000000000 +0200
++++ Linux-PAM-1.1.2/Makefile.am	2010-09-20 10:04:56.000000000 +0200
+@@ -5,9 +5,9 @@
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+ 
+ if STATIC_MODULES
+-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
++SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests
+ else
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
+ endif
+ 
+ CLEANFILES = *~

pam-1.1.3-console-abstract.patch

@@ -0,0 +1,82 @@
+diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
+--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract	2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c	2010-11-01 17:01:55.000000000 +0100
+@@ -34,6 +34,8 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/param.h>
++#include <sys/socket.h>
++#include <sys/un.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <stdio.h>
+@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
+ }
+ 
+ static int
++try_xsocket(const char *path, size_t len) {
++    int fd;
++    union {
++       struct sockaddr    sa;
++       struct sockaddr_un su;
++    } addr;
++
++    fd = socket(AF_UNIX, SOCK_STREAM, 0);
++    if (fd < 0)
++        return 0;
++
++    memset(&addr, 0, sizeof(addr));
++    addr.su.sun_family = AF_UNIX;
++
++    if (len > sizeof(addr.su.sun_path))
++        return 0;
++    memcpy(addr.su.sun_path, path, len);
++    if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) {
++        close(fd);
++        return 1;
++    }
++    close(fd);
++    return 0;
++}
++
++static int
+ check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
+     int found = 0;
+     int statted = 0;
+@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
+     if (!statted && (consolename[0] == ':')) {
+         int l;
+         char *dot = NULL;
+-        strcpy(full_path, "/tmp/.X11-unix/X");
+-        l = sizeof(full_path) - 1 - strlen(full_path);
++        char *path = full_path + 1;
++        
++        full_path[0] = '\0';
++        strcpy(path, "/tmp/.X11-unix/X");
++        l = sizeof(full_path) - 2 - strlen(path);
+         dot = strchr(consolename + 1, '.');
+         if (dot != NULL) {
+             l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
+         }
+-        strncat(full_path, consolename + 1, l);
++        strncat(path, consolename + 1, l);
+ 	full_path[sizeof(full_path) - 1] = '\0';
+-        _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
+-		 full_path);
+-        if (lstat(full_path, &st) != -1) {
++        _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
++		 path);
++
++        /* this will work because st.st_uid is 0 */
++        if (try_xsocket(full_path, strlen(path)+1)) {
++           statted = 1;
++        } else if (try_xsocket(path, strlen(path))) {
+            statted = 1;
+         }
+         else if (!on_set) {  /* there is no X11 socket in case of X11 crash */
+             _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
+-            statted = 1; /* this will work because st.st_uid is 0 */
++            statted = 1; 
+         }
+     }
+ 

pam-1.1.3-nouserenv.patch

@@ -0,0 +1,27 @@
+diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
+--- pam/modules/pam_env/pam_env.c.nouserenv	2010-10-20 09:59:30.000000000 +0200
++++ pam/modules/pam_env/pam_env.c	2010-11-01 14:42:01.000000000 +0100
+@@ -10,7 +10,7 @@
+ #define DEFAULT_READ_ENVFILE    1
+ 
+ #define DEFAULT_USER_ENVFILE    ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 1
++#define DEFAULT_USER_READ_ENVFILE 0
+ 
+ #include "config.h"
+ 
+diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
+--- pam/modules/pam_env/pam_env.8.xml.nouserenv	2010-10-20 09:59:30.000000000 +0200
++++ pam/modules/pam_env/pam_env.8.xml	2010-11-01 14:42:01.000000000 +0100
+@@ -147,7 +147,10 @@
+         <listitem>
+           <para>
+             Turns on or off the reading of the user specific environment
+-            file. 0 is off, 1 is on. By default this option is on.
++            file. 0 is off, 1 is on. By default this option is off as user
++            supplied environment variables in the PAM environment could affect
++            behavior of subsequent modules in the stack without the consent
++            of the system administrator.
+           </para>
+         </listitem>
+       </varlistentry>

pam.spec

@@ -0,0 +1,337 @@
+%define major	0
+%define libname %mklibname %{name} %{major}
+%define libnamec %mklibname %{name}c %{major}
+%define libname_misc %mklibname %{name}_misc %{major}
+%define develname %mklibname %{name} -d
+
+%define with_prelude 0
+%{?_without_prelude: %{expand: %%global with_prelude 0}}
+%{?_with_prelude: %{expand: %%global with_prelude 1}}
+
+%define bootstrap 0
+%{?_without_bootstrap: %global bootstrap 0}
+%{?_with_bootstrap: %global bootstrap 1}
+
+%define pam_redhat_version 0.99.10-1
+
+Epoch:	1
+
+Summary:	A security tool which provides authentication for applications
+Name:		pam
+Version:	1.1.4
+Release:	9
+# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
+# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
+License:	BSD and GPLv2+
+Group:		System/Libraries
+Url:		http://www.kernel.org/pub/linux/libs/pam/index.html
+Source0:	ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
+Source1:	ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
+Source2:	pam-redhat-%{pam_redhat_version}.tar.bz2
+Source3:	pam-0.99.3.0-README.update
+Source4:	pam-0.99.8.1-11mdv2009.0-README.update
+Source5:	other.pamd
+Source6:	system-auth.pamd
+Source7:	config-util.pamd
+Source8:	dlopen.sh
+Source9:	system-auth.5
+Source10:	config-util.5
+#add missing documentation
+Source501: 	pam_tty_audit.8
+Source502:	README
+
+# RedHat patches
+Patch1:		pam-1.0.90-redhat-modules.patch
+Patch2:		pam-1.0.91-std-noclose.patch
+Patch4:		pam-1.1.0-console-nochmod.patch
+Patch5:		pam-1.1.0-notally.patch
+Patch7:		pam-1.1.0-console-fixes.patch
+Patch9:		pam-1.1.2-noflex.patch
+Patch10:	pam-1.1.3-nouserenv.patch
+Patch11:	pam-1.1.3-console-abstract.patch
+
+# Mandriva specific sources/patches
+# (fl) fix infinite loop
+Patch507:	pam-0.74-loop.patch
+# (fc) 0.75-29mdk don't complain when / is owned by root.adm
+Patch508:	Linux-PAM-0.99.3.0-pamtimestampadm.patch
+# (fl) pam_xauth: set extra groups because in high security levels
+#      access to /usr/X11R6/bin dir is controlled by a group
+Patch512:	Linux-PAM-1.1.1-xauth-groups.patch
+# (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf
+Patch517:	Linux-PAM-0.99.3.0-enable_rt.patch
+# (blino) fix parallel build (pam_console)
+Patch521:	Linux-PAM-0.99.3.0-pbuild-rh.patch
+
+Patch700:	pam_fix_static_pam_console.patch
+# (fc) do not output error when no file is in /etc/security/console.perms.d/
+Patch701:	pam-1.1.0-console-nopermsd.patch
+# (proyvind): add missing constant that went with rpc removal from glibc 2.14
+Patch702:	Linux-PAM-1.1.4-add-now-missing-nis-constant.patch
+
+# (akdengi> add user to default group users which need for Samba
+Patch801:	Linux-PAM-1.1.4-group_add_users.patch
+
+BuildRequires:	selinux-devel >= 2.1.6-7
+BuildRequires:	bison
+BuildRequires:	cracklib-devel
+BuildRequires:	flex
+%if !%{bootstrap}
+# this pulls in the mega texlive load
+BuildRequires:	linuxdoc-tools
+%endif
+BuildRequires:	db_nss-devel
+BuildRequires:	openssl-devel
+BuildRequires:	libaudit-devel
+BuildRequires:	glibc-crypt_blowfish-devel
+%if %with_prelude
+BuildRequires:	prelude-devel >= 0.9.0
+%else
+BuildConflicts:	prelude-devel
+%endif
+Requires:	cracklib-dicts
+Requires:	setup >= 2.7.12-2
+Requires:	pam_tcb >= 1.0.2-16
+Requires(pre):	rpm-helper
+Requires(post):	coreutils >= 8.12-7.2
+Requires(post):	tcb >= 1.0.2-16
+Conflicts:	%{_lib}pam0 < 1.1.4-5
+
+%description
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policy without
+having to recompile programs that handle authentication.
+
+%package	doc
+Summary:	Additional documentation for %{name}
+Group:		System/Libraries
+Requires:	%{name} = %{EVRD}
+
+%description	doc
+This is the documentation package of %{name}.
+
+%package -n	%{libname}
+Summary:	Library for %{name}
+Group:		System/Libraries
+
+%description -n	%{libname}
+This package contains the library libpam for %{name}.
+
+%package -n	%{libnamec}
+Summary:	Library for %{name}
+Group:		System/Libraries
+Conflicts:	%{_lib}pam0 < 1.1.4-5
+
+%description -n	%{libnamec}
+This package contains the library libpamc for %{name}.
+
+%package -n	%{libname_misc}
+Summary:	Library for %{name}
+Group:		System/Libraries
+Conflicts:	%{_lib}pam0 < 1.1.4-5
+
+%description -n	%{libname_misc}
+This package contains the library libpam_misc for %{name}.
+
+%package -n	%{develname}
+Summary:	Development headers and libraries for %{name}
+Group:		Development/Other
+Requires:	%{libname} = %{EVRD}
+Requires:	%{libnamec} = %{EVRD}
+Requires:	%{libname_misc} = %{EVRD}
+Provides:	%{name}-devel = %{EVRD}
+Provides:	lib%{name}-devel = %{EVRD}
+
+%description -n	%{develname}
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policy without
+having to recompile programs that handle authentication.
+
+This package contains the development libraries for %{name}.
+
+%prep
+%setup -q -n Linux-PAM-%{version} -a 2
+
+# Add custom modules.
+mv pam-redhat-%{pam_redhat_version}/* modules
+
+# (RH)
+%patch1 -p1 -b .redhat-modules
+%patch2 -p1 -b .std-noclose
+%patch4 -p1 -b .nochmod
+%patch5 -p1 -b .notally
+%patch7 -p1 -b .console-fixes
+%patch9 -p1 -b .noflex
+%patch10 -p1 -b .nouserenv
+%patch11 -p1 -b .abstract
+
+# (Mandriva)
+%patch507 -p1 -b .loop
+%patch508 -p1 -b .pamtimestampadm
+%patch512 -p0 -b .xauth-groups
+%patch517 -p1 -b .enable_rt
+%patch521 -p1 -b .pbuild-rh
+%patch700 -p1 -b .static
+%patch701 -p1 -b .nopermsd
+%patch702 -p1 -b .nis_const~
+%patch801 -p1 -b .group_users
+
+# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this
+# just makes things easier but is not meant to be a permanent solution
+## Remove unwanted modules; pam_tcb provides pam_unix now
+#for d in pam_unix; do
+#    rm -rf modules/$d
+#    sed -i "s,modules/$d/Makefile,," configure.in
+#    sed -i "s/ $d / /" modules/Makefile.am
+#done
+
+install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/
+
+mkdir -p doc/txts
+for readme in modules/pam_*/README ; do
+	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
+done
+
+cp %{SOURCE4} README.0.99.8.1.update.urpmi
+
+#libtoolize -cf
+autoreconf -I m4
+
+%build
+export BROWSER=""
+CFLAGS="$RPM_OPT_FLAGS -fPIC -I%{_includedir}/db_nss -D_GNU_SOURCE" \
+%configure2_5x \
+	--sbindir=/sbin \
+	--libdir=/%{_lib} \
+	--includedir=%{_includedir}/security \
+	--with-db-uniquename=_nss \
+	--docdir=%{_docdir}/%{name} \
+	--enable-selinux \
+	--enable-audit
+%make
+
+%install
+mkdir -p %{buildroot}%{_includedir}/security
+mkdir -p %{buildroot}/%{_lib}/security
+%makeinstall_std LDCONFIG=:
+install -d -m 755 %{buildroot}/etc/pam.d
+install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
+install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
+install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
+install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
+install -d -m 755 %{buildroot}/var/log
+install -m 600 /dev/null %{buildroot}/var/log/tallylog
+
+# Install man pages.
+install -m 644 %{SOURCE9} %{SOURCE10} %{buildroot}%{_mandir}/man5/
+
+# no longer needed, handled by ACL in udev
+for phase in auth acct passwd session ; do
+	ln -sf pam_unix.so %{buildroot}/%{_lib}/security/pam_unix_${phase}.so
+done
+
+# cleanup
+rm -f %{buildroot}/%{_lib}/security/*.la
+rm -f %{buildroot}/%{_lib}/*.la
+
+%find_lang Linux-PAM
+
+%check
+# (blino) we don't want to test if SE Linux is built, it's disabled
+# Make sure every module subdirectory gave us a module.  Yes, this is hackish.
+for dir in modules/pam_* ; do
+#if [ -d ${dir} ] && [[ "${dir}" != "modules/pam_selinux" ]] && [[ "${dir}" != "modules/pam_sepermit" ]]; then
+#         [[ "${dir}" = "modules/pam_tally" ]] && continue
+	if ! ls -1 %{buildroot}/%{_lib}/security/`basename ${dir}`*.so ; then
+		echo ERROR `basename ${dir}` did not build a module.
+		exit 1
+	fi
+#fi
+done
+
+# Check for module problems.  Specifically, check that every module we just
+# installed can actually be loaded by a minimal PAM-aware application.
+/sbin/ldconfig -n %{buildroot}/%{_lib}
+for module in %{buildroot}/%{_lib}/security/pam*.so ; do
+	if ! env LD_LIBRARY_PATH=%{buildroot}/%{_lib} \
+		sh %{SOURCE8} -ldl -lpam -L%{buildroot}/%{_lib} ${module} ; then
+		echo ERROR module: ${module} cannot be loaded.
+		exit 1
+	fi
+done
+
+%posttrans
+# (cg) Ensure that the pam_systemd.so is included for user ACLs under systemd
+# Note: Only affects upgrades, but does no harm so always update if needed.
+if ! grep -q "pam_systemd\.so" /etc/pam.d/system-auth; then
+	echo "-session    optional      pam_systemd.so" >>/etc/pam.d/system-auth
+fi
+
+if [ ! -a /var/log/tallylog ] ; then
+       install -m 600 /dev/null /var/log/tallylog
+fi
+if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then
+       /usr/sbin/set_tcb --auto --migrate
+fi
+
+%files -f Linux-PAM.lang
+%doc NEWS README.0.99.8.1.update.urpmi
+%docdir %{_docdir}/%{name}
+%dir /etc/pam.d
+%config(noreplace) /etc/environment
+%config(noreplace) /etc/pam.d/other
+%attr(0644,root,shadow) %config(noreplace) /etc/pam.d/system-auth
+%config(noreplace) /etc/pam.d/config-util
+/sbin/mkhomedir_helper
+/sbin/pam_console_apply
+/sbin/pam_tally2
+/sbin/unix_chkpwd
+/sbin/unix_update
+%attr(4755,root,root) /sbin/pam_timestamp_check
+%config(noreplace) %{_sysconfdir}/security/access.conf
+%config(noreplace) %{_sysconfdir}/security/chroot.conf
+%config(noreplace) %{_sysconfdir}/security/console.perms
+%config(noreplace) %{_sysconfdir}/security/console.handlers
+%config(noreplace) %{_sysconfdir}/security/group.conf
+%config(noreplace) %{_sysconfdir}/security/limits.conf
+%config(noreplace) %{_sysconfdir}/security/namespace.conf
+%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init
+%config(noreplace) %{_sysconfdir}/security/pam_env.conf
+%config(noreplace) %{_sysconfdir}/security/sepermit.conf
+%config(noreplace) %{_sysconfdir}/security/time.conf
+%config(noreplace) %{_sysconfdir}/security/opasswd
+%dir %{_sysconfdir}/security/console.apps
+%dir %{_sysconfdir}/security/console.perms.d
+%dir /%{_lib}/security
+/%{_lib}/security/*.so
+/%{_lib}/security/pam_filter
+%dir /var/run/console
+%ghost %verify(not md5 size mtime) /var/log/tallylog
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+
+%files -n %{libname}
+/%{_lib}/libpam.so.%{major}*
+
+%files -n %{libnamec}
+/%{_lib}/libpamc.so.%{major}*
+
+%files -n %{libname_misc}
+/%{_lib}/libpam_misc.so.%{major}*
+
+%files -n %{develname}
+%doc Copyright
+/%{_lib}/libpam.so
+/%{_lib}/libpam_misc.so
+/%{_lib}/libpamc.so
+%{_includedir}/security/*.h
+%{_mandir}/man3/*
+
+%files doc
+%doc doc/txts doc/specs/rfc86.0.txt Copyright
+
+
+%changelog
+
+* Tue Feb 26 2013 Alexander Romanov <a.romanov@rosa-ntcit.ru>
+- Rosa initial commit

pam_fix_static_pam_console.patch

@@ -0,0 +1,26 @@
+Index: Linux-PAM-0.99.7.1/modules/pam_console/configfile.h
+===================================================================
+--- Linux-PAM-0.99.7.1.orig/modules/pam_console/configfile.h
++++ Linux-PAM-0.99.7.1/modules/pam_console/configfile.h
+@@ -4,7 +4,7 @@
+  */
+ #ifndef _CONFIGFILE_H
+ #define _CONFIGFILE_H
+-#define STATIC static
++#define STATIC
+ 
+ #ifndef FALSE
+ #define FALSE 0
+Index: Linux-PAM-0.99.7.1/modules/pam_console/pam_console_apply.c
+===================================================================
+--- Linux-PAM-0.99.7.1.orig/modules/pam_console/pam_console_apply.c
++++ Linux-PAM-0.99.7.1/modules/pam_console/pam_console_apply.c
+@@ -17,7 +17,7 @@
+ #include <stdarg.h>
+ #include <glob.h>
+ #include <locale.h>
+-#define STATIC static
++#define STATIC
+ #include "configfile.h"
+ #include "chmod.h"
+ #include "pam_console.h"

pam_tty_audit.8

@@ -0,0 +1,80 @@
+.\"     Title: pam_tty_audit
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
+.\"      Date: 01/18/2008
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
+.\"
+.TH "PAM_TTY_AUDIT" "8" "01/18/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_tty_audit - Enable or disable TTY auditing for specified users
+.SH "SYNOPSIS"
+.HP 17
+\fBpam_tty_audit\.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_tty_audit PAM module is used to enable or disable TTY auditing\. By default, the kernel does not audit input on any TTY\.
+.SH "OPTIONS"
+.PP
+\fBdisable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching one of comma\-separated glob
+\fB\fIpatterns\fR\fR, disable TTY auditing\. This overrides any previous
+\fBenable\fR
+option matchin the same user name on the command line\.
+.RE
+.PP
+\fBenable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching one of comma\-separated glob
+\fB\fIpatterns\fR\fR, enable TTY auditing\. This overrides any previous
+\fBdisable\fR
+option matching the same user name on the command line\.
+.RE
+.PP
+\fBopen_only\fR
+.RS 4
+Set the TTY audit flag when opening the session, but do not restore it when closing the session\. Using this option is necessary for some services that don\'t
+\fBfork()\fR
+to run the authenticated session, such as
+\fBsudo\fR\.
+.RE
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+service is supported\.
+.SH "RETURN VALUES"
+.PP
+PAM_SESSION_ERR
+.RS 4
+Error reading or modifying the TTY audit flag\. See the system log for more details\.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Success\.
+.RE
+.SH "NOTES"
+.PP
+When TTY auditing is enabled, it is inherited by all processes started by that user\. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\. Therefore, it is recommended to use
+\fBdisable=*\fR
+as the first option for most daemons using PAM\.
+.SH "EXAMPLES"
+.PP
+Audit all administrative actions\.
+.sp
+.RS 4
+.nf
+session	required pam_tty_audit\.so disable=* enable=root
+      
+.fi
+.RE
+.sp
+.SH "AUTHOR"
+.PP
+pam_tty_audit was written by Miloslav Trmač <mitr@redhat\.com>\.

system-auth.5

@@ -0,0 +1,39 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+system-auth \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/system-auth
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common 
+configuration file for all applications and service daemons
+calling PAM library.
+
+.sp
+The \fBsystem-auth\fR configuration file is included from all individual service configuration
+files with the help of the \fBinclude\fR directive.
+
+.SH NOTES
+There should be no \fBsufficient\fR modules in the \fBsession\fR
+part of \fBsystem-auth\fR file because individual services may add session modules after
+\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient
+modules in \fBsystem-auth\fR file.
+
+.sp
+Conversely there should not be any modules after
+\fBinclude\fR directive in the individual service files in
+\fBauth\fR, \fBaccount\fR and \fBpassword\fR
+sections otherwise they could be bypassed.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+\fBpam\fR(8), \fBconfig-util\fR(5)
+
+The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR,
+\fBmodule developers\fR, and \fBapplication developers\fR.

system-auth.pamd

@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth        required      pam_env.so
+auth        sufficient    pam_tcb.so shadow nullok prefix=$2a$ count=8
+auth        required      pam_deny.so
+
+account     required      pam_tcb.so shadow
+
+password    required      pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_tcb.so use_authtok shadow write_to=shadow nullok prefix=$2a$ count=8
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_tcb.so
+-session    optional      pam_systemd.so