pam (1.4.0-12) unstable; urgency=medium

  * Don't build with NIS support.  This is only used for password changes on
    NIS systems, and is pulling a large dependency chain into the Essential
    package set which is not justifiable.

[dgit import unpatched pam 1.4.0-12]

1 files changed, 25 insertions, 0 deletions

diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 00000000..0ce85eb7
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam/modules/pam_unix/passverify.c
+===================================================================
+--- pam.orig/modules/pam_unix/passverify.c
++++ pam/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ 			 * ...and shadow password file entry for this user,
+ 			 * if shadowing is enabled
+ 			 */
++			*spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+-			if (geteuid() || SELINUX_ENABLED)
++			if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ 				return PAM_UNIX_RUN_HELPER;
+ #endif
+-			*spwdent = pam_modutil_getspnam(pamh, name);
+ 			if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ 				return PAM_AUTHINFO_UNAVAIL;
+ 		}