pam (1.4.0-10) unstable; urgency=medium

  * Fix syntax error in libpam0g.postinst when a systemd unit fails,
    Closes: #992538
  * Include upstream patch not to use crypt_checksalt; without this
    passwords set prior to bullseye were considered expired, Closes:
    #992848
  * Support DPKG_ROOT for pam-auth-update, thanks Johannes 'josch' Schauer
    Closes: #983427

[dgit import unpatched pam 1.4.0-10]

1 files changed, 25 insertions, 0 deletions

diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 00000000..0ce85eb7
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ 			 * ...and shadow password file entry for this user,
+ 			 * if shadowing is enabled
+ 			 */
++			*spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+-			if (geteuid() || SELINUX_ENABLED)
++			if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ 				return PAM_UNIX_RUN_HELPER;
+ #endif
+-			*spwdent = pam_modutil_getspnam(pamh, name);
+ 			if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ 				return PAM_AUTHINFO_UNAVAIL;
+ 		}