1.8.0

2025-02-23 16:32:51 +00:00 · 2014-01-21 14:49:16 +04:00 · 2014-01-21 14:49:16 +04:00 · f4bec3e628
commit f4bec3e628
parent 5490f0133d
17 changed files with 286 additions and 205 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,3 +1,5 @@
 removed_sources:
  Linux-PAM-1.1.4.tar.bz2: 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b
 sources:
-  "Linux-PAM-1.1.4.tar.bz2": 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b
+  Linux-PAM-1.1.8.tar.bz2: f8ce53c67363f78d520392fa1c253c4978058be1
-  "pam-redhat-0.99.10-1.tar.bz2": 09e618edc5dcda9a6eb435a31db742afca673ae1
+  pam-redhat-0.99.10-1.tar.bz2: 09e618edc5dcda9a6eb435a31db742afca673ae1
--- a/90-nproc.conf
+++ b/90-nproc.conf
@ -0,0 +1,6 @@
 # Default limit for number of user's processes to prevent
 # accidental fork bombs.
 # See rhbz #432903 for reasoning.
 *          soft    nproc     1024
 root       soft    nproc     unlimited
--- a/Linux-PAM-1.1.1-xauth-groups.patch
+++ b/Linux-PAM-1.1.1-xauth-groups.patch
@ -1,5 +1,5 @@
--- modules/pam_xauth/pam_xauth.c	2010-10-08 13:56:11.000000000 +0200
+--- a/modules/pam_xauth/pam_xauth.c	2010-10-08 13:56:11.000000000 +0200
-+++ modules/pam_xauth/pam_xauth.c.oden	2010-11-03 11:23:06.714312576 +0100
+++ b/modules/pam_xauth/pam_xauth.c.oden	2010-11-03 11:23:06.714312576 +0100
@@ -90,7 +90,7 @@ static const char * const xauthpaths[] =
  * given input on stdin, and storing any output it generates. */
 static int
--- a/Linux-PAM-1.1.4.tar.bz2.sign
+++ b/Linux-PAM-1.1.4.tar.bz2.sign
@ -1,8 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 Comment: See http://www.kernel.org/signature.html for info
 iD8DBQBOBHzAyGugalF9Dw4RAvUUAJ0SfOT7ITyalk4JsmIe5tJSdIB5ygCfZ2ku
 aHp5ptRfKYgWdlnFv+3F7H4=
 =kqy6
 -----END PGP SIGNATURE-----
--- a/pam-0.99.3.0-README.update
+++ b/pam-0.99.3.0-README.update
@ -1,34 +0,0 @@
 PAM 0.99.3.0 update notes
 - pam_stack module depreciation
 The pam_stack module is now deprecated. It has to be replaced by
 include directives in pam.d configuration files. pam_stack usage won't
 make pam fail in this release, but it will be removed in a future
 release, better avoid it. It's basically a matter of replacing
 "required pam_stack.so service=<foo>" with "include <foo>".
 This can't be automatically updated on system-edited configuration
 files because it isn't always that simple. Some "sufficient"
 directives in the included file may now occult directives that were
 previously matched, in the same configuration phase
 (auth/account/password/session).
 So, the rules may have to be reordered, and the "include" directives
 have often to be lowered at the bottom of each phase.
 See Fedora instructions and release notes for more details.
 http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html
 http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html
 http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html
 - pam_pwdb dropped
 The pam_pwdb module has been obsolete for a couple of years now, it is
 not anymore available in the pam package from Mandriva.
 The pam_unix module has to be prefered.
 - services linked with pam
 Services linked with the old pam library have to be restarted once the
 new pam package has been installed.
 This includes services such as crond, xdm, gdm, kdm, samba.
--- a/pam-0.99.8.1-11mdv2009.0-README.update
+++ b/pam-0.99.8.1-11mdv2009.0-README.update
@ -1,8 +0,0 @@
 PAM 0.99.8.1 update notes
 - pam_unix dropped
 The pam_unix module has been dropped in favour of the pam_tcb module and is
 no longer available in the pam package from Mandriva.  The pam_tcb module will
 work with the TCB shadowing scheme or regular shadow passwords.  It also provides
 the ability to use blowfish passwords, rather than just md5 passwords.
--- a/pam-1.1.2-noflex.patch
+++ b/pam-1.1.2-noflex.patch
@ -1,27 +0,0 @@
 diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am
 --- Linux-PAM-1.1.2/doc/Makefile.am.noflex	2008-02-04 16:05:51.000000000 +0100
 +++ Linux-PAM-1.1.2/doc/Makefile.am	2010-09-20 10:40:59.000000000 +0200
@@ -2,7 +2,7 @@
 # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
 #
 -SUBDIRS = man specs sag adg mwg
 +SUBDIRS = man sag adg mwg
 CLEANFILES = *~
 diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am
 --- Linux-PAM-1.1.2/Makefile.am.noflex	2010-07-08 14:04:19.000000000 +0200
 +++ Linux-PAM-1.1.2/Makefile.am	2010-09-20 10:04:56.000000000 +0200
@@ -5,9 +5,9 @@
 AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
 if STATIC_MODULES
 -SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
 +SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests
 else
 -SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
 +SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
 endif
 CLEANFILES = *~
--- a/pam-1.1.5-limits-user.patch
+++ b/pam-1.1.5-limits-user.patch
@ -0,0 +1,12 @@
 diff -up Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.5/modules/pam_limits/limits.conf
 --- Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits	2011-06-21 11:04:56.000000000 +0200
 +++ Linux-PAM-1.1.5/modules/pam_limits/limits.conf	2011-12-21 09:09:17.000000000 +0100
@@ -1,5 +1,8 @@
 # /etc/security/limits.conf
 #
 +#This file sets the resource limits for the users logged in via PAM.
 +#It does not affect resource limits of the system services.
 +#
 #Each line describes a limit for a user in the form:
 #
 #<domain>        <type>  <item>  <value>
--- a/pam-1.1.6-noflex.patch
+++ b/pam-1.1.6-noflex.patch
@ -0,0 +1,24 @@
 diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am
 --- Linux-PAM-1.1.6/doc/Makefile.am.noflex	2012-08-15 13:08:43.000000000 +0200
 +++ Linux-PAM-1.1.6/doc/Makefile.am	2012-08-17 14:13:11.904949748 +0200
@@ -2,7 +2,7 @@
 # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
 #
 -SUBDIRS = man specs sag adg mwg
 +SUBDIRS = man sag adg mwg
 CLEANFILES = *~
 diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am
 --- Linux-PAM-1.1.6/Makefile.am.noflex	2012-08-15 13:08:43.000000000 +0200
 +++ Linux-PAM-1.1.6/Makefile.am	2012-08-17 14:15:36.705359892 +0200
@@ -4,7 +4,7 @@
 AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
 -SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
 +SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
 CLEANFILES = *~
--- a/pam-1.0.91-std-noclose.patch
+++ b/pam-1.0.91-std-noclose.patch
@ -1,7 +1,7 @@
-diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c
+diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c
--- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
+--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
-+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c	2009-03-26 10:02:15.000000000 +0100
+++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c	2012-08-17 13:25:20.684075361 +0200
-@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int 
+@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti
    if (child == 0) {
         int i;
         struct rlimit rlim;
@ -21,59 +21,13 @@ diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linu
                 rlim.rlim_max = MAX_FD_NO;
 -	  for (i=0; i < (int)rlim.rlim_max; i++) {
 +	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
- 	  	close(i);
+ 		close(i);
 	  }
 	}
-diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c
+diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
+--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
-+++ Linux-PAM-1.0.91/modules/pam_unix/support.c	2009-03-26 10:08:59.000000000 +0100
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c	2012-08-17 13:22:51.664560481 +0200
-@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h
+@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t
 	/* reopen stdin as pipe */
 	dup2(fds[0], STDIN_FILENO);
 +	/* and replace also the stdout/err as the helper will
 +           not write anything there */
 +	dup2(fds[1], STDOUT_FILENO);
 +	dup2(fds[1], STDERR_FILENO);
 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
           if (rlim.rlim_max >= MAX_FD_NO)
                 rlim.rlim_max = MAX_FD_NO;
 -	  for (i=0; i < (int)rlim.rlim_max; i++) {
 -		if (i != STDIN_FILENO)
 -	  	   close(i);
 +	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
 +	  	close(i);
 	  }
 	}
 diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c
 --- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
 +++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c	2009-03-26 10:07:06.000000000 +0100
@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h
 	/* reopen stdin as pipe */
 	dup2(fds[0], STDIN_FILENO);
 +	/* and replace also the stdout/err as the helper will
 +           not write anything there */
 +	dup2(fds[1], STDOUT_FILENO);
 +	dup2(fds[1], STDERR_FILENO);
 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
 	  if (rlim.rlim_max >= MAX_FD_NO)
 	    rlim.rlim_max = MAX_FD_NO;
 -	  for (i=0; i < (int)rlim.rlim_max; i++) {
 -	    if (i != STDIN_FILENO)
 -	  	   close(i);
 +	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
 +	    close(i);
 	  }
 	}
 diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c
 --- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose	2009-03-03 14:56:01.000000000 +0100
 +++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c	2009-03-26 10:05:41.000000000 +0100
@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t
     /* reopen stdout as pipe */
     dup2(fds[1], STDOUT_FILENO);
@ -96,3 +50,49 @@ diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM
       }
     }
 diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c
 --- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
 +++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c	2012-08-17 14:10:38.917346789 +0200
@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h
 	/* reopen stdin as pipe */
 	dup2(fds[0], STDIN_FILENO);
 +	/* and replace also the stdout/err as the helper will
 +           not write anything there */
 +	dup2(fds[1], STDOUT_FILENO);
 +	dup2(fds[1], STDERR_FILENO);
 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
 	  if (rlim.rlim_max >= MAX_FD_NO)
 	    rlim.rlim_max = MAX_FD_NO;
 -	  for (i=0; i < (int)rlim.rlim_max; i++) {
 -	    if (i != STDIN_FILENO)
 -		close(i);
 +	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
 +	    close(i);
 	  }
 	}
 diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c
 --- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
 +++ Linux-PAM-1.1.6/modules/pam_unix/support.c	2012-08-17 14:12:10.833511475 +0200
@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h
 	/* reopen stdin as pipe */
 	dup2(fds[0], STDIN_FILENO);
 +	/* and replace also the stdout/err as the helper will
 +           not write anything there */
 +	dup2(fds[1], STDOUT_FILENO);
 +	dup2(fds[1], STDERR_FILENO);
 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
           if (rlim.rlim_max >= MAX_FD_NO)
                 rlim.rlim_max = MAX_FD_NO;
 -	  for (i=0; i < (int)rlim.rlim_max; i++) {
 -		if (i != STDIN_FILENO)
 -		  close(i);
 +	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
 +		close(i);
 	  }
 	}
--- a/pam-1.1.7-tty-audit-init.patch
+++ b/pam-1.1.7-tty-audit-init.patch
@ -0,0 +1,48 @@
 diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c
 --- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init	2013-08-28 10:53:40.000000000 +0200
 +++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c	2013-10-04 14:51:19.944994905 +0200
@@ -36,6 +36,7 @@
    USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
    DAMAGE. */
 +#include "config.h"
 #include <errno.h>
 #include <fnmatch.h>
 #include <stdlib.h>
@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu
   struct msghdr msg;
   struct nlmsghdr nlm;
   struct iovec iov[2];
 -  ssize_t res;
 +  ssize_t res, resdiff;
  again:
   iov[0].iov_base = &nlm;
@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu
   res = recvmsg (fd, &msg, 0);
   if (res == -1)
     return -1;
 -  if ((size_t)res != NLMSG_LENGTH (size)
 +  resdiff = NLMSG_LENGTH(size) - (size_t)res;
 +  if (resdiff < 0
       || nlm.nlmsg_type != type)
     {
       errno = EIO;
       return -1;
     }
 +  else if (resdiff > 0)
 +    {
 +      memset((char *)buf + res, 0, resdiff);
 +    }
   return 0;
 }
@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh,
       return PAM_SESSION_ERR;
     }
 +  memcpy(&new_status, old_status, sizeof(new_status));
 +
   new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
 #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
   new_status.log_passwd = log_passwd;
--- a/pam-1.1.7-unix-build.patch
+++ b/pam-1.1.7-unix-build.patch
@ -0,0 +1,34 @@
 diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c
 --- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build	2012-07-23 18:46:27.709804094 +0200
 +++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c	2012-07-23 18:46:27.764805293 +0200
@@ -47,6 +47,8 @@
 #include <time.h>		/* for time() */
 #include <errno.h>
 #include <sys/wait.h>
 +#include <sys/time.h>
 +#include <sys/resource.h>
 #include <security/_pam_macros.h>
 diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c
 --- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build	2012-07-23 18:55:16.433314731 +0200
 +++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c	2012-07-23 18:54:48.064697131 +0200
@@ -53,6 +53,7 @@
 #include <fcntl.h>
 #include <ctype.h>
 #include <sys/time.h>
 +#include <sys/resource.h>
 #include <sys/stat.h>
 #include <signal.h>
 diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c
 --- Linux-PAM-1.1.5/modules/pam_unix/support.c.build	2012-07-23 18:46:27.000000000 +0200
 +++ Linux-PAM-1.1.5/modules/pam_unix/support.c	2012-07-23 18:54:23.645165507 +0200
@@ -18,6 +18,7 @@
 #include <signal.h>
 #include <ctype.h>
 #include <syslog.h>
 +#include <sys/time.h>
 #include <sys/resource.h>
 #ifdef HAVE_RPCSVC_YPCLNT_H
 #include <rpcsvc/ypclnt.h>
--- a/pam.spec
+++ b/pam.spec
@ -18,8 +18,8 @@ Epoch:	1
 Summary:	A security tool which provides authentication for applications
 Name:		pam
-Version:	1.1.4
+Version:	1.1.8
-Release:	17
+Release:	1
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License:	BSD and GPLv2+
@ -28,32 +28,34 @@ Url:		http://www.kernel.org/pub/linux/libs/pam/index.html
 Source0:	ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
 Source1:	ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
 Source2:	pam-redhat-%{pam_redhat_version}.tar.bz2
 Source3:	pam-0.99.3.0-README.update
 Source4:	pam-0.99.8.1-11mdv2009.0-README.update
 Source5:	other.pamd
 Source6:	system-auth.pamd
 Source7:	config-util.pamd
 Source8:	dlopen.sh
 Source9:	system-auth.5
 Source10:	config-util.5
-Source11: postlogin.pamd
+Source11:	postlogin.pamd
-Source12: postlogin.5
+Source12:	postlogin.5
-Source13: pamtmp.conf
+Source13:	pamtmp.conf
 Source14:	90-nproc.conf
 #add missing documentation
 Source501: 	pam_tty_audit.8
 Source502:	README
 # RedHat patches
-Patch1:		pam-1.0.90-redhat-modules.patch
+Patch1:  pam-1.0.90-redhat-modules.patch
-Patch2:		pam-1.0.91-std-noclose.patch
+Patch2:  pam-1.1.6-std-noclose.patch
-Patch4:		pam-1.1.0-console-nochmod.patch
+Patch4:  pam-1.1.0-console-nochmod.patch
-Patch5:		pam-1.1.0-notally.patch
+Patch5:  pam-1.1.0-notally.patch
-Patch7:		pam-1.1.0-console-fixes.patch
+Patch7:  pam-1.1.0-console-fixes.patch
-Patch9:		pam-1.1.2-noflex.patch
+Patch9:  pam-1.1.6-noflex.patch
-Patch10:	pam-1.1.3-nouserenv.patch
+Patch10: pam-1.1.3-nouserenv.patch
-Patch11:	pam-1.1.3-console-abstract.patch
+Patch11: pam-1.1.3-console-abstract.patch
 Patch13: pam-1.1.5-limits-user.patch
 Patch22: pam-1.1.7-unix-build.patch
 Patch32: pam-1.1.7-tty-audit-init.patch
-# Mandriva specific sources/patches
+# ROSA specific sources/patches
 # (fl) fix infinite loop
 Patch507:	pam-0.74-loop.patch
 # (fc) 0.75-29mdk don't complain when / is owned by root.adm
@ -158,35 +160,7 @@ This package contains the development libraries for %{name}.
 # Add custom modules.
 mv pam-redhat-%{pam_redhat_version}/* modules
-# (RH)
+%apply_patches
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .std-noclose
 %patch4 -p1 -b .nochmod
 %patch5 -p1 -b .notally
 %patch7 -p1 -b .console-fixes
 %patch9 -p1 -b .noflex
 %patch10 -p1 -b .nouserenv
 %patch11 -p1 -b .abstract
 # (Mandriva)
 %patch507 -p1 -b .loop
 %patch508 -p1 -b .pamtimestampadm
 %patch512 -p0 -b .xauth-groups
 %patch517 -p1 -b .enable_rt
 %patch521 -p1 -b .pbuild-rh
 %patch700 -p1 -b .static
 %patch701 -p1 -b .nopermsd
 %patch702 -p1 -b .nis_const~
 %patch801 -p1 -b .group_users
 # 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this
 # just makes things easier but is not meant to be a permanent solution
 ## Remove unwanted modules; pam_tcb provides pam_unix now
 #for d in pam_unix; do
 #    rm -rf modules/$d
 #    sed -i "s,modules/$d/Makefile,," configure.in
 #    sed -i "s/ $d / /" modules/Makefile.am
 #done
 install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/
@ -195,8 +169,6 @@ for readme in modules/pam_*/README ; do
 	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
 done
 cp %{SOURCE4} README.0.99.8.1.update.urpmi
 #libtoolize -cf
 autoreconf -ifs -I m4
@ -224,6 +196,7 @@ install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin
 install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
 install -d -m 755 %{buildroot}/var/log
 install -m 600 /dev/null %{buildroot}/var/log/tallylog
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf
 # Install man pages.
 install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/
@ -310,6 +283,7 @@ fi
 %config(noreplace) %{_sysconfdir}/security/pam_env.conf
 %config(noreplace) %{_sysconfdir}/security/time.conf
 %config(noreplace) %{_sysconfdir}/security/opasswd
 %config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf
 %dir %{_sysconfdir}/security/console.apps
 %dir %{_sysconfdir}/security/console.perms.d
 %dir /%{_lib}/security
@ -340,3 +314,4 @@ fi
 %files doc
 %doc doc/txts doc/specs/rfc86.0.txt Copyright
--- a/password-auth.pamd
+++ b/password-auth.pamd
@ -0,0 +1,18 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so try_first_pass nullok
 auth        required      pam_deny.so
 account     required      pam_unix.so
 password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
--- a/smartcard-auth.pamd
+++ b/smartcard-auth.pamd
@ -0,0 +1,19 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 password    optional      pam_pkcs11.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
--- a/system-auth.5
+++ b/system-auth.5
@ -1,39 +1,58 @@
-.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
 .SH NAME
 system-auth \- Common configuration file for PAMified services
 .SH SYNOPSIS
 .B /etc/pam.d/system-auth
 .B /etc/pam.d/password-auth
 .B /etc/pam.d/fingerprint-auth
 .B /etc/pam.d/smartcard-auth
 .sp 2
 .SH DESCRIPTION
-The purpose of this configuration file is to provide common 
+The purpose of these configuration files are to provide a common
-configuration file for all applications and service daemons
+interface for all applications and service daemons calling into
-calling PAM library.
+the PAM library.
 .sp
-The \fBsystem-auth\fR configuration file is included from all individual service configuration
+The
-files with the help of the \fBinclude\fR directive.
+.BR system-auth
 configuration file is included from nearly all individual service configuration
 files with the help of the
 .BR substack
 directive.
 .sp
 The
 .BR password-auth
 .BR fingerprint-auth
 .BR smartcard-auth
 configuration files are for applications which handle authentication from
 different types of devices via simultaneously running individual conversations
 instead of one aggregate conversation.
 .SH NOTES
-There should be no \fBsufficient\fR modules in the \fBsession\fR
+Previously these common configuration files were included with the help
-part of \fBsystem-auth\fR file because individual services may add session modules after
+of the
-\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient
+.BR include
-modules in \fBsystem-auth\fR file.
+directive. This limited the use of the different action types of modules.
-
+With the use of
-.sp
+.BR substack
-Conversely there should not be any modules after
+directive to include these common configuration files this limitation
-\fBinclude\fR directive in the individual service files in
+no longer applies.
 \fBauth\fR, \fBaccount\fR and \fBpassword\fR
 sections otherwise they could be bypassed.
 .SH BUGS
 .sp 2
 None known.
 .SH "SEE ALSO"
-\fBpam\fR(8), \fBconfig-util\fR(5)
+pam(8), config-util(5), postlogin(5)
-The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR,
+The three
-\fBmodule developers\fR, and \fBapplication developers\fR.
+.BR Linux-PAM
 Guides, for
 .BR "system administrators" ", "
 .BR "module developers" ", "
 and
 .BR "application developers" ". "
--- a/system-auth.pamd
+++ b/system-auth.pamd
@ -1,13 +1,14 @@
 #%PAM-1.0
-
+# This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so try_first_pass nullok
 auth        required      pam_deny.so
 account     required      pam_unix.so
-#password    required      pam_cracklib.so try_first_pass retry=3
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
-password    sufficient    pam_unix.so try_first_pass nullok sha512 shadow
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke