fix-up commit for grafting svn history onto git history

10 files changed, 380 insertions, 0 deletions

diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy
new file mode 100644
index 00000000..cfbfd471
--- /dev/null
+++ b/debian/local/Debian-PAM-MiniPolicy
@@ -0,0 +1,161 @@
+Author: Ben Collins <bcollins@debian.org>
+Modified by: Sam Hartman <hartmans@debian.org>
+
+Objective: To document a base set of policies regarding PAM (Pluggable
+Authentication Modules) usage in Debian packages.
+
+===========================================================================
+
+In order to have a consistent and stable implementation across packages
+that use PAM, these guidelines will help to avoid some common mistakes and
+be usable as a cross reference for FAQ's.
+
+This document will not go into the details of how to add PAM usage to
+existing code, please read the documentation in the libpam-doc package for
+info on this, however it does specify behavior needed to make sure PAM
+modules in Debian will work with your application. 
+
+==================
+ PAM Applications
+==================
+
+Each application that uses PAM also must contain a file in
+/etc/pam.d/.  This file specifies which PAM modules will be used for
+the common PAM functions in that application. There are several notes
+concerning what modules to use in this file. Most commonly, this file
+should use the @include directive to include common-auth,
+common-session, common-account and common-password.  Under some
+circumstances (such as ftp auth, or auth based on tty) other modules
+will be required.
+
+Here is an example of a PAM configuration file that just includes the common module fragments:
+    #
+    # /etc/pam.d/other - specify the PAM fallback behaviour
+    #
+    # Note that this file is used for any unspecified service; for example
+    #if /etc/pam.d/cron  specifies no session modules but cron calls
+    #pam_open_session, the session module out of /etc/pam.d/other is
+    #used.  If you really want nothing to happen then use pam_permit.so or
+    #pam_deny.so as appropriate.
+
+    # We fall back to the system default in /etc/pam.d/common-*
+    # 
+
+    @include common-auth
+    @include common-account
+    @include common-password
+    @include common-session
+
+
+The name of this file is determined by the call to pam_start() in the
+application source code. The first parameter will be a string containing
+the "service" name (eg. "login", "httpd", etc..). Please make sure that
+the filename coincides with this parameter.
+
+The file should _not_ reference the full path of the modules. It only needs
+to reference the basename (eg. "pam_unix.so"). This will ensure that the
+program continues to work even if the module location changes, since
+libpam itself will resolve the location.
+
+Under no circumstances should any program in Debian use the pam_pwdb.so
+module by default. Instead the pam_unix.so module should be used. Most
+programs with RedHat support/default files will reference pam_pwdb.so in
+their example files. Do not use this. There are several problems with
+regard to pam_pwdb.so:
+
+  1) It attempts to reimplement glibc's NSS code. For example, if your
+  program uses pam_pwdb.so, and the user changes /etc/nsswitch.conf to use
+  NIS, NIS+, or LDAP, then your program will fail to work unless the user
+  also knows to edit /etc/pwdb.conf (which is not necessary for
+  pam_unix.so). In the case of LDAP, the program would become absolutely
+  useless until the user modifies the pam.d file themselves to use
+  pam_unix.so.
+
+  2) It adds to the layer of glibc function calls making it harder to
+  debug problems. Because libpwdb masks glibc native calls, it requires
+  being able to debug libpwdb, libpam, libc and the offending program.
+
+Note that pam_unix.so takes the same module arguments as pam_pwdb.so, so
+you can just replace the references. If you are not sure if the pam.d
+files is correctly setup, please feel free to email it to me, and I will
+glance it over.
+
+UPDATE: libpwdb and this libpam-pwdb have been removed from Debian as of
+Woody. So even if you decided to use pam_pwdb, it will be broken, so HAHA
+:)
+
+You should also not use the pam_stack module in the pam config file.
+It's not currently in Debian so it won't work.  While I cannot stop
+someone from packaging pam_stack for Debian, I will try to convince
+them that it is not the direction we want.  Pam_stack (among other
+faults) uses different pam handles for each step in the process--the
+handle used for session management is not the same as the handle used
+for authentication.  This breaks several modules.  We will have an
+alternate solution for shared PAM configuration across modules.
+
+
+Currently libpam-modules is in the base setup, so it's dependency is not
+needed (since the library depends on the correct version). However, if any
+modules other than the base set in libpam-modules are used, that package
+must be depended on.
+
+Applications need to depend on libpam-runtime (>= 0.76-14) to
+guarantee that /etc/pam.d/common-* exist.
+
+
+The pam_unix.so module allows programs to verify the authentication of the
+uid of the calling process without any set bits (uid or gid). NOTE: this
+means the user executing the program, you cannot authenticate against other
+users without suid root (root makes sure the NIS and NIS+ works too) or
+at least sgid shadow (wont work in the above cases). Most notably this
+affects programs like apache from being able to use PAM with much success
+since it runs as www-data which has no priviledges and cannot use pam_unix.so
+to auth against other users. On the other hand is does allow program like
+vlock to auth (but not auth the root password).
+
+The application needs to follow the following rules to make sure PAM
+modules work:
+
+1) Use the same PAM handle for all operations.  This means it is not OK
+to call pam_start once for authentication and then later for session
+management.  Modules need to be able to store pam_data between entry
+points.
+
+2) The pam_open_session and pam_setcred calls must be made in a parent
+process  of the eventual session.  They need to be able to enfluence
+the environment of the session.
+
+3) If you are started as root or have root privs for some other
+reason, pam_open_session and pam_setcred should be called while still
+root.
+
+4) Implied by 1, make sure that pam_close_session and pam_end are
+called in the same process or a process decended from the execution
+context as pam_open_session and pam_setcred.  The pam_close_session
+call may need state stored in the handle  by the open session entry
+point to clean up properly.  The pam_finish call may need to free data
+(thus influencing system state in some cases) allocated in the earlier
+calls.
+
+
+
+=============
+ PAM Modules
+=============
+
+Separately packaged pam modules should adhere to a few basic setup rules:
+
+  1) Packages should use the naming scheme of `libpam-<name>' (eg.
+  libpam-ldap).
+
+  2) The modules should be located in the directory of the most recent
+  libpam-modules (currently /lib/security).
+
+  3) The module should be named as pam_<name>.so. The module should not
+  contain a version suffix.
+
+  4) The module should be linked to libpam (-lpam) when compiled so that
+  proper version dependencies will work.
+
+  5) Any config files should be located in /etc/security. The filename
+  will be in the form of <name>.conf.
diff --git a/debian/local/common-account b/debian/local/common-account
new file mode 100644
index 00000000..67983019
--- /dev/null
+++ b/debian/local/common-account
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+account	required	pam_unix.so
diff --git a/debian/local/common-auth b/debian/local/common-auth
new file mode 100644
index 00000000..63d129aa
--- /dev/null
+++ b/debian/local/common-auth
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+auth	required	pam_unix.so nullok_secure
diff --git a/debian/local/common-auth.md5sums b/debian/local/common-auth.md5sums
new file mode 100644
index 00000000..31477ad0
--- /dev/null
+++ b/debian/local/common-auth.md5sums
@@ -0,0 +1 @@
+933d757dcd5974b00619f68955743be7  /etc/pam.d/common-auth
diff --git a/debian/local/common-password b/debian/local/common-password
new file mode 100644
index 00000000..45959eb5
--- /dev/null
+++ b/debian/local/common-password
@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "nullok" option allows users to change an empty password, else
+# empty passwords are treated as locked accounts.
+#
+# The "md5" option enables MD5 passwords.  Without this option, the
+# default is Unix crypt.
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# You can also use the "min" option to enforce the length of the new
+# password.
+#
+# See the pam_unix manpage for other options.
+
+password   required   pam_unix.so nullok obscure md5
+
+# Alternate strength checking for password. Note that this
+# requires the libpam-cracklib package to be installed.
+# You will need to comment out the password line above and
+# uncomment the next two in order to use this.
+# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
+#
+# password required	  pam_cracklib.so retry=3 minlen=6 difok=3
+# password required	  pam_unix.so use_authtok nullok md5
+
diff --git a/debian/local/common-password.md5sums b/debian/local/common-password.md5sums
new file mode 100644
index 00000000..569ca682
--- /dev/null
+++ b/debian/local/common-password.md5sums
@@ -0,0 +1,2 @@
+601ecfbc99fd359877552cb5298087ad  /etc/pam.d/common-password
+e5ae8ba8d00083c922d9d82a0432ef78  /etc/pam.d/common-password
diff --git a/debian/local/common-session b/debian/local/common-session
new file mode 100644
index 00000000..dc11da6d
--- /dev/null
+++ b/debian/local/common-session
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).  The default is pam_unix.
+#
+session	required	pam_unix.so
diff --git a/debian/local/other b/debian/local/other
new file mode 100644
index 00000000..59d776c9
--- /dev/null
+++ b/debian/local/other
@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron  specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.  If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We fall back to the system default in /etc/pam.d/common-*
+# 
+
+@include common-auth
+@include common-account
+@include common-password
+@include common-session
diff --git a/debian/local/pam.conf b/debian/local/pam.conf
new file mode 100644
index 00000000..3eeb72d3
--- /dev/null
+++ b/debian/local/pam.conf
@@ -0,0 +1,15 @@
+# ---------------------------------------------------------------------------#
+# /etc/pam.conf								     #
+# ---------------------------------------------------------------------------#
+#
+# NOTE
+# ----
+#
+# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
+# PAM service modules. This file is used only if that directory does not exist.
+# ---------------------------------------------------------------------------#
+
+# Format:
+# serv.	module	   ctrl	      module [path]	...[args..]		     #
+# name	type	   flag							     #
+
diff --git a/debian/local/pam_getenv b/debian/local/pam_getenv
new file mode 100644
index 00000000..2abddcad
--- /dev/null
+++ b/debian/local/pam_getenv
@@ -0,0 +1,123 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+pam_getenv - get environment variables from /etc/environment
+
+=head1 SYNOPSIS
+
+pam_getenv B<[-l] [-s]> I<env_var>
+
+=head1 DESCRIPTION
+
+This tool  will print out the value of I<env_var> from F</etc/environment>.  It will attempt to expand environment variable references in the definition of I<env_var> but will fail if PAM items are expanded.
+
+The B<-l> option indicates the script should return an environment variable related to default locale information.
+
+The B<-s> option indicates that the script should return an
+system default environment variable.
+
+Currently neither the B<-l> or B<-s> options do anything.  They are
+included because future versions of Debian may have a separate
+repository for the initial environment used by init scripts and for
+system locale information.  These options will allow this script to be
+a stable interface even in that environment.
+
+=cut
+
+# Copyright 2004 by Sam Hartman
+# This script may be copied under the terms of the GNU GPL
+# version 2, or at your option any later version.
+
+use strict;
+use vars qw(*CONFIGFILE *ENVFILE);
+
+sub read_line($) {
+  my $fh = shift;
+  my $line;
+  local $_;
+  line: while (<$fh>) {
+    chomp;
+    s/^\s+//;
+s/\#.*$//;
+    next if $_ eq "";
+    if (s/\\\s*$//) {
+      $line .= $_;
+      next line;
+    }
+
+    $line .= $_;
+    last;
+  }
+  $line;
+  
+}
+
+
+sub parse_line($) {
+  my $var;
+  my (%x, @x);
+  local $_ = shift;
+  return undef unless defined $_ and s/(\S+)\s//;
+  $var->{Name} = $1;
+  s/^\s*//;
+  @x = split(/=([^"\s]\S*|"[^"]*")\s*/, $_);
+  unless (scalar(@x)%2 == 0) {
+    push @x, undef;
+  }
+  %x = @x;
+  @{$var}{"Default", "Override"} =
+    @x{"DEFAULT", "OVERRIDE"};
+  $var;
+}
+
+sub expand_val($) {
+  my ($val) = @_;
+return undef unless $val;
+	die "Cannot handle PAM items\n" if /(?<!\\)\@/;
+  $val =~ s/(?<!\\)\${([^}]+)}/$ENV{$1}||""/eg;
+  return $val;
+}
+
+my $lookup;
+
+while ($_ = shift) {
+  next if $_ eq "-s";
+  next if $_ eq "-l";
+  $lookup = $_;
+  last;
+}
+unless (defined $lookup) {
+  die "Usage: pam_getenv [-l] [-s] env_var\n";
+}
+
+my %allvars;
+
+open (CONFIGFILE, "/etc/security/pam_env.conf")
+  or die "Cannot open environment file: $!\n";
+
+while (my $var = parse_line(read_line(\*CONFIGFILE))) {
+  my $val;
+  unless ($val = expand_val($var->{Override})) {
+    $val = expand_val($var->{Default});
+  }
+  $allvars{$var->{Name}} = $val;
+}
+
+if (open (ENVFILE, "/etc/environment")) {
+  while (my $line = read_line(\*ENVFILE)) {
+    $line =~ s/^export //;
+    $line =~ /(.*?)=(.+)/ or next;
+    my ($var, $val) = ($1, $2);
+    # This is bizarre logic (" and ' match each other, quotes are only
+    # significant at the start and end of the string, and the trailing quote
+    # may be omitted), but it's what pam_env does.
+    $val =~ s/^["'](.*?)["']?$/$1/;
+    $allvars{$var} = $val;
+  }
+}
+
+if (exists $allvars{$lookup}) {
+  print $allvars{$lookup}, "\n";
+  exit(0);
+}