Diffstat (limited to 'debian/patches')
22 files changed, 4197 insertions, 0 deletions
diff --git a/debian/patches/0003-pam_unix-obscure-checks.patch b/debian/patches/0003-pam_unix-obscure-checks.patch
new file mode 100644
index 00000000..12651a0b
--- /dev/null
+++ b/debian/patches/0003-pam_unix-obscure-checks.patch
@@ -0,0 +1,544 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: pam_unix: obscure checks + +* Bring in the obscure checks that used to live in shadow so we can still support them + +* Set default minimum password length to 6 +--- + modules/pam_unix/Makefile.am | 2 +- + modules/pam_unix/README | 36 ++++++- + modules/pam_unix/obscure.c | 198 +++++++++++++++++++++++++++++++++++++ + modules/pam_unix/pam_unix.8 | 33 ++++++- + modules/pam_unix/pam_unix.8.xml | 77 ++++++++++++++- + modules/pam_unix/pam_unix_passwd.c | 10 +- + modules/pam_unix/support.h | 78 ++++++++------- + 7 files changed, 389 insertions(+), 45 deletions(-) + create mode 100644 modules/pam_unix/obscure.c + +diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am +index a1dfe44..ddba63c 100644 +--- a/modules/pam_unix/Makefile.am ++++ b/modules/pam_unix/Makefile.am +@@ -43,7 +43,7 @@ noinst_PROGRAMS = bigcrypt + + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c md5_good.c md5_broken.c ++ passverify.c md5_good.c md5_broken.c obscure.c + if HAVE_NIS + pam_unix_la_SOURCES += yppasswd_xdr.c + endif +diff --git a/modules/pam_unix/README b/modules/pam_unix/README +index 67a2d21..be11095 100644 +--- a/modules/pam_unix/README ++++ b/modules/pam_unix/README +@@ -171,8 +171,40 @@ broken_shadow + + minlen=n + +- Set a minimum password length of n characters. The max. for DES crypt based +- passwords are 8 characters. ++ Set a minimum password length of n characters. The default value is 6. The ++ maximum for DES crypt-based passwords is 8 characters. ++ ++obscure ++ ++ Enable some extra checks on password strength. These checks are based on ++ the "obscure" checks in the original shadow package. The behavior is ++ similar to the pam_cracklib module, but for non-dictionary-based checks. 
++ The following checks are implemented: ++ ++ Palindrome ++ ++ Verifies that the new password is not a palindrome of (i.e., the ++ reverse of) the previous one. ++ ++ Case Change Only ++ ++ Verifies that the new password isn't the same as the old one with a ++ change of case. ++ ++ Similar ++ ++ Verifies that the new password isn't too much like the previous one. ++ ++ Simple ++ ++ Is the new password too simple? This is based on the length of the ++ password and the number of different types of characters (alpha, ++ numeric, etc.) used. ++ ++ Rotated ++ ++ Is the new password a rotated version of the old password? (E.g., ++ "billy" and "illyb") + + no_pass_expiry + +diff --git a/modules/pam_unix/obscure.c b/modules/pam_unix/obscure.c +new file mode 100644 +index 0000000..2ffac92 +--- /dev/null ++++ b/modules/pam_unix/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include <ctype.h> ++#include <stdio.h> ++#include <unistd.h> ++#include <string.h> ++#include <stdlib.h> ++#include <pwd.h> ++#include <security/pam_modules.h> ++#include <security/_pam_macros.h> ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. 
*/ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. Two types, 7, and so on. ++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ 
char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (!UNIX_DES_CRYPT(ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 +index 438717f..6f5f19b 100644 +--- a/modules/pam_unix/pam_unix.8 ++++ b/modules/pam_unix/pam_unix.8 +@@ -216,7 +216,38 @@ minlen=n + .RS 4 + Set a minimum password length of + \fIn\fR +-characters\&. The max\&. for DES crypt based passwords are 8 characters\&. ++characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. ++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. ++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. 
++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\*(Aqt too much like the previous one\&. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") ++.RE ++.sp + .RE + .PP + no_pass_expiry +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index dfc0427..4e63a49 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -397,8 +397,81 @@ + <listitem> + <para> + Set a minimum password length of <replaceable>n</replaceable> +- characters. The max. for DES crypt based passwords are 8 +- characters. ++ characters. The default value is 6. The maximum for DES ++ crypt-based passwords is 8 characters. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>obscure</option> ++ </term> ++ <listitem> ++ <para> ++ Enable some extra checks on password strength. These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ <variablelist> ++ <varlistentry> ++ <term> ++ <option>Palindrome</option> ++ </term> ++ <listitem> ++ <para> ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Case Change Only</option> ++ </term> ++ <listitem> ++ <para> ++ Verifies that the new password isn't the same as the ++ old one with a change of case. 
++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Similar</option> ++ </term> ++ <listitem> ++ <para> ++ Verifies that the new password isn't too much like ++ the previous one. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Simple</option> ++ </term> ++ <listitem> ++ <para> ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Rotated</option> ++ </term> ++ <listitem> ++ <para> ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ </para> ++ </listitem> ++ </varlistentry> ++ </variablelist> + </para> + </listitem> + </varlistentry> +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index c341741..652f3c5 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -86,6 +86,9 @@ extern int getrpcport(const char *host, unsigned long prognum, + # endif /* GNU libc 2.1 */ + #endif + ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ + /* + How it works: + Gets in username (has to be done) from the calling program +@@ -584,6 +587,11 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -599,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) + int retval; + int remember = -1; + int rounds = 0; +- int pass_min_len = 0; ++ int pass_min_len = 6; + + /* <DO NOT free() 
THESE> */ + const char *user; +diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h +index 8105400..91e7478 100644 +--- a/modules/pam_unix/support.h ++++ b/modules/pam_unix/support.h +@@ -101,50 +101,52 @@ typedef struct { + #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */ + #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ + #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */ ++#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + { +-/* symbol token name ctrl mask ctrl * +- * --------------------------- -------------------- ------------------------- ---------------- */ +- +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0}, +-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1}, +-/* UNIX__NULLOK */ {"nullok", 
_ALL_ON_^(01000ULL), 0, 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1}, +-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, +-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, +-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, +-/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1}, +-/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1}, +-/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1}, +-/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0}, ++/* symbol token name ctrl mask ctrl * ++ * --------------------------- -------------------- ------------------------- ------------ */ ++ ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0}, ++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0}, 
++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, ++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, ++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0}, ++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0}, ++/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1}, ++/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1}, ++/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1}, ++/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) diff --git a/debian/patches/008_modules_pam_limits_chroot b/debian/patches/008_modules_pam_limits_chroot new file mode 100644 index 00000000..5466536f --- /dev/null +++ b/debian/patches/008_modules_pam_limits_chroot 
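Review bot: `obscure_msg()` is declared with `unsigned int ctrl`, but the new `UNIX_OBSCURE_CHECKS` row in support.h uses the flag `0x100000000`, which does not fit in a 32-bit unsigned int. If the caller's ctrl is a wider type (the `ULL` masks in unix_args suggest it is), that bit is dropped at the call, `off(UNIX_OBSCURE_CHECKS,ctrl)` presumably always holds, and the `obscure` option would silently never run. Both the definition in obscure.c and the extern in pam_unix_passwd.c should take the table's flag type, e.g. `const char *obscure_msg(const char *old, const char *new, const struct passwd *pwdp, unsigned long long ctrl)`. In obscure.c, `password_check()` also hands unchecked `strdup()`/`malloc()` results to `str_lower()` and `strcpy()`, and `isdigit`/`isupper`/`islower`/`tolower` receive plain `char`; add NULL checks and cast to `unsigned char`. The README and man page describe the palindrome check as "the reverse of the previous one", whereas `palindrome()` only inspects `new`.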
@@ -0,0 +1,144 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _modules_pam_limits_chroot + +=================================================================== +--- + modules/pam_limits/limits.conf | 2 ++ + modules/pam_limits/limits.conf.5 | 5 +++++ + modules/pam_limits/limits.conf.5.xml | 6 ++++++ + modules/pam_limits/pam_limits.c | 25 ++++++++++++++++++++++--- + 4 files changed, 35 insertions(+), 3 deletions(-) + +diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf +index c6b058a..6b3865c 100644 +--- a/modules/pam_limits/limits.conf ++++ b/modules/pam_limits/limits.conf +@@ -49,6 +49,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to values: [-20, 19] + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + #<domain> <type> <item> <value> + # +@@ -60,6 +61,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file +diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 +index 32c4b2f..ce0ca35 100644 +--- a/modules/pam_limits/limits.conf.5 ++++ b/modules/pam_limits/limits.conf.5 +@@ -283,6 +283,11 @@ rtprio + .RS 4 + maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) + .RE ++.PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to ++.RE + .RE + .PP + All items support the values +diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml +index 9f2662a..f6f7d87 100644 +--- a/modules/pam_limits/limits.conf.5.xml ++++ b/modules/pam_limits/limits.conf.5.xml +@@ -271,6 +271,12 @@ + (Linux 2.6.12 and higher)</para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term><option>chroot</option></term> ++ <listitem> ++ <para>the directory to chroot the user to</para> ++ </listitem> ++ </varlistentry> 
+ </variablelist> + </listitem> + </varlistentry> +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 746c441..529d2fc 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -104,6 +104,7 @@ struct pam_limit_s { + specific user or to count all logins */ + int priority; /* the priority to run user process with */ + int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + const char *conf_file; + int utmp_after_pam_call; +@@ -115,6 +116,7 @@ struct pam_limit_s { + + #define LIMIT_PRI RLIM_NLIMITS+3 + #define LIMIT_NONEWPRIVS RLIM_NLIMITS+4 ++#define LIMIT_CHROOT RLIM_NLIMITS+5 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -570,6 +572,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -677,6 +681,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, + limit_item = LIMIT_PRI; + } else if (strcmp(lim_item, "nonewprivs") == 0) { + limit_item = LIMIT_NONEWPRIVS; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -726,9 +732,9 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -803,7 +809,11 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, + break; + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) { ++ strncpy(pl->chroot_dir, value_orig, 
sizeof(pl->chroot_dir)-1); ++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; ++ } ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) + && (limit_item != LIMIT_NONEWPRIVS) ) { +@@ -1163,6 +1173,15 @@ static int setup_limits(pam_handle_t *pamh, + } + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); ++ if (i == 0) ++ i = chroot(pl->chroot_dir); ++ if (i == 0) ++ i = chdir("/"); ++ if (i != 0) ++ retval = LIMIT_ERR; ++ } + return retval; + } + diff --git a/debian/patches/022_pam_unix_group_time_miscfixes b/debian/patches/022_pam_unix_group_time_miscfixes new file mode 100644 index 00000000..1c8c3b67 --- /dev/null +++ b/debian/patches/022_pam_unix_group_time_miscfixes 
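Review bot: In process_limit the `chroot` value is copied with `strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1)`, so an over-long value is silently cut and setup_limits then acts on the shortened path instead of the configured one. Detect `strlen(value_orig) >= sizeof(pl->chroot_dir)` and make the session fail with a logged error; merely skipping the entry would leave the user unconfined. The value is also never checked to be an absolute path. The failure branch after `chdir`/`chroot` in setup_limits returns LIMIT_ERR without a message, where `pam_syslog(pamh, LOG_ERR, "chroot to '%s' failed: %m", pl->chroot_dir);` would make a refused login diagnosable. The size 8092 looks like a typo for 8192 and would read better as a named constant; both functions extend beyond the hunk lines shown.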
@@ -0,0 +1,28 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: handle the case of flags being empty or only PAM_SILENT, which is + +documented in other PAM implementations as meaning PAM_ESTABLISH_CRED: +http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm +--- + modules/pam_group/pam_group.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c +index 6877849..7d11f59 100644 +--- a/modules/pam_group/pam_group.c ++++ b/modules/pam_group/pam_group.c +@@ -773,9 +773,12 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, + unsigned setting; + + /* only interested in establishing credentials */ ++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. ++ Some people just pass PAM_SILENT, so cope with it, too. */ + + setting = flags; +- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { ++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) ++ && (setting != 0) && (setting != PAM_SILENT)) { + D(("ignoring call - not for establishing credentials")); + return PAM_SUCCESS; /* don't fail because of this */ + } diff --git a/debian/patches/026_pam_unix_passwd_unknown_user b/debian/patches/026_pam_unix_passwd_unknown_user new file mode 100644 index 00000000..45967e1d --- /dev/null +++ b/debian/patches/026_pam_unix_passwd_unknown_user 
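Review bot: The added condition in pam_sm_setcred spells out two special cases, `(setting != 0) && (setting != PAM_SILENT)`, where a single mask test states the intent directly: `&& (setting & ~PAM_SILENT) != 0`. The retained comment `/* only interested in establishing credentials */` is now incomplete, because flag-less and PAM_SILENT-only calls also proceed to the group-granting code. Merge it with the new comment so the widened behaviour is documented in one place. pam_sm_setcred continues outside the hunk.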
@@ -0,0 +1,38 @@ +From: Martin Schwenke <martin@meltin.net> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: distinguish between password manipulation failure and missing user. + +--- + modules/pam_unix/passverify.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index 81b10d8..7ff8bf0 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -804,7 +804,7 @@ PAMH_ARG_DECL(int unix_update_passwd, + struct passwd *tmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; +- int err = 1; ++ int err = 1, found = 0; + int oldmask; + #ifdef WITH_SELINUX + char *prev_context_raw = NULL; +@@ -875,6 +875,7 @@ PAMH_ARG_DECL(int unix_update_passwd, + + tmpent->pw_passwd = assigned_passwd.charp; + err = 0; ++ found = 1; + } + if (putpwent(tmpent, pwfile)) { + D(("error writing entry to password file: %m")); +@@ -917,7 +918,7 @@ done: + return PAM_SUCCESS; + } else { + unlink(PW_TMPFILE); +- return PAM_AUTHTOK_ERR; ++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; + } + } + diff --git a/debian/patches/027_pam_limits_better_init_allow_explicit_root b/debian/patches/027_pam_limits_better_init_allow_explicit_root new file mode 100644 index 00000000..7d0fdded --- /dev/null +++ b/debian/patches/027_pam_limits_better_init_allow_explicit_root 
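Review bot: `found` is set only when the matching entry is rewritten, so any failure that reaches `done:` before that point is now reported as PAM_USER_UNKNOWN. One example is the `putpwent()` error branch visible in the loop (presumably setting `err`) firing on an entry that precedes the user's; any earlier `goto done` outside the hunk would presumably behave the same way. The caller is then told the account does not exist when the real cause was an I/O error. Keep a separate flag for read/write failures and return PAM_USER_UNKNOWN only when the file was read to the end cleanly with no match, e.g. `return (found || io_err) ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN;`. unix_update_passwd starts and ends outside the hunk.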
@@ -0,0 +1,268 @@ +From: Peter Paluch <peterp@frcatel.fri.utc.sk> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: Allow explicit limits for root and reset limits on each session + +Bug-Debian: http://bugs.debian.org/63230 + +When crossing session boundaries (such as when su'ing from one user to +another), if the target account has no limit specified in limits.conf we +want to use the default, not the current value configured for the +source account. + +If /proc/1/limits is unavailable, fall back to a set of hard-coded values +that shadow the currently known defaults on Linux. + +Also, don't apply wildcard limits to the root account; only apply limits to +root that reference root by name. +=================================================================== +--- + modules/pam_limits/README | 1 + + modules/pam_limits/limits.conf | 4 ++ + modules/pam_limits/limits.conf.5 | 5 ++ + modules/pam_limits/limits.conf.5.xml | 6 +++ + modules/pam_limits/pam_limits.c | 89 ++++++++++++++++++++++++++++++++---- + 5 files changed, 96 insertions(+), 9 deletions(-) + +diff --git a/modules/pam_limits/README b/modules/pam_limits/README +index 98264b9..dc560ef 100644 +--- a/modules/pam_limits/README ++++ b/modules/pam_limits/README +@@ -68,6 +68,7 @@ These are some example lines which might be specified in /etc/security/ + limits.conf. + + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf +index e8a746c..c6b058a 100644 +--- a/modules/pam_limits/limits.conf ++++ b/modules/pam_limits/limits.conf +@@ -22,6 +22,9 @@ + # - the wildcard *, for default entry + # - the wildcard %, can be also used with %group syntax, + # for maxlogin limit ++# - NOTE: group and wildcard limits are not applied to root. ++# To apply a limit to the root user, <domain> must be ++# the literal username root. 
+ # + #<type> can have the two values: + # - "soft" for enforcing the soft limits +@@ -51,6 +54,7 @@ + # + + #* soft core 0 ++#root hard core 100000 + #* hard rss 10000 + #@student hard nproc 20 + #@faculty soft nproc 20 +diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 +index 25f4459..32c4b2f 100644 +--- a/modules/pam_limits/limits.conf.5 ++++ b/modules/pam_limits/limits.conf.5 +@@ -145,6 +145,10 @@ a gid specified as + \fB%:\fR\fI<gid>\fR + applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. + .RE ++.sp ++\fBNOTE:\fR ++group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username ++\fBroot\fR\&. + .RE + .PP + <type> +@@ -322,6 +326,7 @@ These are some example lines which might be specified in + .\} + .nf + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml +index 2177da1..9f2662a 100644 +--- a/modules/pam_limits/limits.conf.5.xml ++++ b/modules/pam_limits/limits.conf.5.xml +@@ -89,6 +89,11 @@ + </para> + </listitem> + </itemizedlist> ++ <para> ++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not ++ applied to the root user. To set a limit for the root user, this field ++ must contain the literal username <emphasis remap='B'>root</emphasis>. 
++ </para> + </listitem> + </varlistentry> + +@@ -320,6 +325,7 @@ + </para> + <programlisting> + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 87bb4b7..adda08b 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -47,10 +47,19 @@ + #include <libaudit.h> + #endif + ++ + #ifndef PR_SET_NO_NEW_PRIVS + # define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */ + #endif + ++#ifndef MLOCK_LIMIT ++#ifdef __FreeBSD_kernel__ ++#define MLOCK_LIMIT RLIM_INFINITY ++#else ++#define MLOCK_LIMIT (64*1024) ++#endif ++#endif ++ + /* Module defines */ + #define LINE_LENGTH 1024 + +@@ -88,6 +97,7 @@ struct user_limits_struct { + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? */ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -455,9 +465,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + ++ pl->root = 0; ++ ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -473,18 +492,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + } + + #ifdef __linux__ +- if (ctrl & PAM_SET_ALL) { +- parse_kernel_limits(pamh, pl, ctrl); ++ parse_kernel_limits(pamh, pl, ctrl); ++#endif + +- for(i = 0; i < RLIM_NLIMITS; i++) { ++ for(i = 0; i < RLIM_NLIMITS; i++) { + if (pl->limits[i].supported && + (pl->limits[i].src_soft == LIMITS_DEF_NONE || + pl->limits[i].src_hard == LIMITS_DEF_NONE)) { +- pam_syslog(pamh, LOG_WARNING, "Did 
not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#endif ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } +- } + } +-#endif + + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); +@@ -885,7 +954,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, + + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking 
if %s is in group %s", +@@ -911,7 +980,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); + } +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -945,7 +1014,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, + } else { + switch(rngtype) { + case LIMIT_RANGE_NONE: +- if (strcmp(domain, "*") == 0) ++ if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + break; +@@ -1228,6 +1297,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, + ctrl, pl, conf_file_set_by_user); + if (retval == PAM_IGNORE) { diff --git a/debian/patches/031_pam_include b/debian/patches/031_pam_include new file mode 100644 index 00000000..5b632e2a --- /dev/null +++ b/debian/patches/031_pam_include 
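Review bot: In init_limits, `static int mlock_limit` is too narrow for what it stores: on `__FreeBSD_kernel__` MLOCK_LIMIT is `RLIM_INFINITY`, so `mlock_limit = MLOCK_LIMIT` truncates an rlim_t into an int before it is written to `rlim_cur`/`rlim_max`. Declare it as `rlim_t` and take the page size through a checked temporary, e.g. `long ps = sysconf(_SC_PAGESIZE);` followed by `mlock_limit = (ps > 0 && (rlim_t)ps > MLOCK_LIMIT) ? (rlim_t)ps : MLOCK_LIMIT;`. Separately, the hard-coded fallbacks (`RLIM_INFINITY` for RLIMIT_NPROC, 1024 for RLIMIT_NOFILE, 16382, 819200) replace whatever the calling process inherited whenever no kernel value was found. A comment stating where those numbers come from, and that they can raise as well as lower a limit, would help whoever has to keep them current. init_limits begins and ends outside the hunk lines shown.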
@@ -0,0 +1,79 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _pam_include + +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> + +Upstream status: not yet submitted +--- + libpam/pam_handlers.c | 36 ++++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 1f1917b..c7045d2 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -123,6 +123,10 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; ++ } else if (!strcasecmp("@include", tok)) { ++ pam_include = 1; ++ module_type = requested_module_type; ++ goto parsing_done; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); +@@ -193,8 +197,10 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f + _pam_set_default_control(actions, _PAM_ACTION_BAD); + } + ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { ++ struct stat include_dir; + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, +@@ -205,13 +211,35 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f + return PAM_ABORT; + } + } +- if (_pam_load_conf_file(pamh, tok, this_service, module_type, +- stack_level + substack ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, ++ module_type, stack_level + substack ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) ++ continue; ++ } ++ else if (!stat(PAM_CONFIG_D, &include_dir) ++ && S_ISDIR(include_dir.st_mode)) ++ { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ 
return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, ++ module_type, stack_level + substack + #ifdef PAM_READ_BOTH_CONFS + , !other + #endif /* PAM_READ_BOTH_CONFS */ +- ) == PAM_SUCCESS) +- continue; ++ ) == PAM_SUCCESS) ++ { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = NULL; + handler_type = PAM_HT_MUST_FAIL; diff --git a/debian/patches/032_pam_limits_EPERM_NOT_FATAL b/debian/patches/032_pam_limits_EPERM_NOT_FATAL new file mode 100644 index 00000000..62656746 --- /dev/null +++ b/debian/patches/032_pam_limits_EPERM_NOT_FATAL @@ -0,0 +1,29 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _pam_limits_EPERM_NOT_FATAL + +setrlimit will sometimes return EPERM for example if you try to increase the +number of open files too much. This is not something we want to consider +fatal. This also happens if you use non-root and try to decrease a limit. +Running PAM as non-root is not so great. + +Authors: ? + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> +--- + modules/pam_limits/pam_limits.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index a58d424..746c441 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -1124,6 +1124,8 @@ static int setup_limits(pam_handle_t *pamh, + if (res != 0) + pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", + rlimit2str(i)); ++ if (res == -1 && errno == EPERM) ++ continue; + status |= res; + } + diff --git a/debian/patches/036_pam_wheel_getlogin_considered_harmful b/debian/patches/036_pam_wheel_getlogin_considered_harmful new file mode 100644 index 00000000..43979153 --- /dev/null +++ b/debian/patches/036_pam_wheel_getlogin_considered_harmful 
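Review bot: The new `if (tok[0] == '/')` test in `_pam_parse_conf_file` dereferences `tok` straight after `_pam_StrTok(NULL, " \n\t", &nexttok)`, so an `@include` line with no file name would presumably hand it a NULL pointer. The removed code passed `tok` directly to `_pam_load_conf_file` and never indexed it. Guard both branches, e.g. `if (tok != NULL && tok[0] == '/')` and `else if (tok != NULL && !stat(PAM_CONFIG_D, &include_dir) && S_ISDIR(include_dir.st_mode))`, so a malformed line falls through to the existing `_PAM_ACTION_BAD` / `PAM_HT_MUST_FAIL` path. A short comment above the relative-name branch should also say that `tok` is formatted into `PAM_CONFIG_DF` as written in the config file. The function starts and ends outside the hunks shown.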
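Review bot: The added `if (res == -1 && errno == EPERM)` test in `setup_limits` runs after the `pam_syslog` call above it, so `errno` may no longer hold the value left by the failing call. Save it first, e.g. `int err = errno;` directly after the call that sets `res`, and test `err` instead. The `continue` also skips `status |= res`, so a limit that could not be applied leaves no trace in the return value and the session proceeds without it. That deserves a comment such as `/* EPERM: limit not applied, deliberately non-fatal */`. The loop and the function continue outside the hunk.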
@@ -0,0 +1,148 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _pam_wheel_getlogin_considered_harmful + +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins <bcollins@debian.org> + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> +--- + modules/pam_wheel/README | 6 ------ + modules/pam_wheel/pam_wheel.8.xml | 17 +-------------- + modules/pam_wheel/pam_wheel.c | 45 ++++++++------------------------------- + 3 files changed, 10 insertions(+), 58 deletions(-) + +diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README +index 5dae4b6..ec9e7d7 100644 +--- a/modules/pam_wheel/README ++++ b/modules/pam_wheel/README +@@ -39,12 +39,6 @@ trust + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check will be done against the real uid of the calling process, instead +- of trying to obtain the user from the login session associated with the +- terminal in use. +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can +diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml +index af0fd61..b42e27d 100644 +--- a/modules/pam_wheel/pam_wheel.8.xml ++++ b/modules/pam_wheel/pam_wheel.8.xml +@@ -30,9 +30,6 @@ + <arg choice="opt" rep="norepeat"> + trust + </arg> +- <arg choice="opt" rep="norepeat"> +- use_uid +- </arg> + </cmdsynopsis> + </refsynopsisdiv> + +@@ -113,18 +110,6 @@ + </para> + </listitem> + </varlistentry> +- <varlistentry> +- <term> +- use_uid +- </term> +- <listitem> +- <para> +- The check will be done against the real uid of the calling process, +- instead of trying to obtain the user from the login session +- associated with the terminal in use. 
+- </para> +- </listitem> +- </varlistentry> + </variablelist> + </refsect1> + +@@ -237,4 +222,4 @@ su auth required pam_unix.so + </para> + </refsect1> + +-</refentry> +\ No newline at end of file ++</refentry> +diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c +index 179f56b..5eb7b82 100644 +--- a/modules/pam_wheel/pam_wheel.c ++++ b/modules/pam_wheel/pam_wheel.c +@@ -47,9 +47,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -68,8 +67,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -118,39 +116,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- +- /* if getlogin fails try a fallback to PAM_RUSER */ +- if (fromsu == NULL) { +- const char *rhostname; +- +- retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname); +- if (retval != PAM_SUCCESS || rhostname == NULL) { +- retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu); +- } +- } +- +- if (fromsu != NULL) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- +- if (fromsu == NULL || tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return 
PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (tpwd == NULL) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu diff --git a/debian/patches/040_pam_limits_log_failure b/debian/patches/040_pam_limits_log_failure new file mode 100644 index 00000000..acb79450 --- /dev/null +++ b/debian/patches/040_pam_limits_log_failure 
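Review bot: In `perform_check` the applicant is now always taken from `getuid()`, with the `pam_modutil_getlogin` / `PAM_RUSER` path removed, so a service whose process runs with real uid 0 would presumably be evaluated as root rather than as the login or remote user. A comment above the `pam_modutil_getpwuid` call should state that the module assumes the real uid is the requesting user. On style, the `use_uid` branch in `_pam_parse` is now a bare empty statement, `else if (!strcmp(*argv,"use_uid"));`, which is easy to misread and triggers empty-body warnings. An explicit body such as `else if (!strcmp(*argv,"use_uid")) { /* accepted for compatibility; always in effect */ }` is clearer. The README and man page hunks drop `use_uid` entirely although it is still accepted, so one line there saying it is a no-op would help administrators with existing configs. Both functions continue outside their hunks.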
@@ -0,0 +1,43 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _pam_limits_log_failure + +Patch for Debian bug #180310 + +Generate some (low-severity) log information whenever setrlimit() fails, +for debugging purposes. + +Authors: Sam Hartman <hartmans@debian.org> + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> +--- + modules/pam_limits/pam_limits.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 529d2fc..da83b70 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -1131,9 +1131,19 @@ static int setup_limits(pam_handle_t *pamh, + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; + res = setrlimit(i, &pl->limits[i].limit); +- if (res != 0) +- pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", +- rlimit2str(i)); ++ if (res != 0 && (i != RLIMIT_NOFILE ++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) ++ { ++ int save_errno = errno; ++ pam_syslog(pamh, LOG_DEBUG, ++ "Could not set limit for '%s' to soft=%d, hard=%d:" ++ " %m; uid=%lu,euid=%lu", rlimit2str(i), ++ pl->limits[i].limit.rlim_cur, ++ pl->limits[i].limit.rlim_max, ++ (unsigned long) getuid(), ++ (unsigned long) geteuid()); ++ errno = save_errno; ++ } + if (res == -1 && errno == EPERM) + continue; + status |= res; diff --git a/debian/patches/045_pam_dispatch_jump_is_ignore b/debian/patches/045_pam_dispatch_jump_is_ignore new file mode 100644 index 00000000..af08a9e4 --- /dev/null +++ b/debian/patches/045_pam_dispatch_jump_is_ignore 
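Review bot: The new message in `setup_limits` formats `rlim_cur` and `rlim_max` with `%d`, but those fields are `rlim_t`, an unsigned type that is usually wider than `int`. The mismatch is undefined behaviour and can log wrong values, including for the uid fields that follow. Use a matching specifier with a cast, e.g. `soft=%llu, hard=%llu` with `(unsigned long long) pl->limits[i].limit.rlim_cur` and the same for `rlim_max`. Separately, dropping the severity from `LOG_ERR` to `LOG_DEBUG` means a limit that failed to apply will usually be absent from default logs. Consider keeping a higher level when `errno` is not `EPERM`. The function continues outside the hunk.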
@@ -0,0 +1,40 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _pam_dispatch_jump_is_ignore + +Previously jumps were treated as PAM_IGNORE in the freezing part of +the chain and PAM_OK (aka required) in the frozen part of the chain. +No one on pam-list was able to explain this behavior, so I changed it +to be consistent. +--- + libpam/pam_dispatch.c | 17 +---------------- + 1 file changed, 1 insertion(+), 16 deletions(-) + +diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c +index 974104a..15cad01 100644 +--- a/libpam/pam_dispatch.c ++++ b/libpam/pam_dispatch.c +@@ -260,22 +260,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + if ( _PAM_ACTION_IS_JUMP(action) ) { + + /* If we are evaluating a cached chain, we treat this +- module as required (aka _PAM_ACTION_OK) as well as +- executing the jump. */ +- +- if (use_cached_chain) { +- if (impression == _PAM_UNDEF +- || (impression == _PAM_POSITIVE +- && status == PAM_SUCCESS) ) { +- if ( retval != PAM_IGNORE || cached_retval == retval ) { +- if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) { +- h->grantor = 1; +- } +- impression = _PAM_POSITIVE; +- status = retval; +- } +- } +- } ++ module as ignored as well as executing the jump. */ + + /* this means that we need to skip #action stacked modules */ + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { diff --git a/debian/patches/PAM-manpage-section b/debian/patches/PAM-manpage-section new file mode 100644 index 00000000..0c2f40be --- /dev/null +++ b/debian/patches/PAM-manpage-section 
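Review bot: The comment left in `_pam_dispatch_aux` still opens with "If we are evaluating a cached chain", but the `use_cached_chain` branch it described has been removed, so it now describes a special case that no longer exists. Reword it to state the rule as it stands, e.g. `/* A jump never contributes to the stack result: the module is treated as ignored in both the freezing and the frozen chain. */`. Since stacks that relied on a jumping module's success counting on the cached pass will now see a different result, the patch description would be a good place to note which return value is produced when no other module sets a positive impression. The function continues outside the hunk.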
@@ -0,0 +1,2286 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: PAM-manpage-section + +Patch to put the PAM manpage in section 7 (general topics) instead of 8 +(system administration commands) + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: maybe provide a backwards-compatibility link first? +--- + doc/man/Makefile.am | 5 +- + doc/man/Makefile.in | 58 +++++----- + doc/man/PAM.7 | 138 ++++++++++++++++++++++++ + doc/man/misc_conv.3 | 2 +- + doc/man/misc_conv.3.xml | 2 +- + doc/man/pam.7 | 1 + + doc/man/pam.8.xml | 2 +- + doc/man/pam_acct_mgmt.3 | 2 +- + doc/man/pam_acct_mgmt.3.xml | 2 +- + doc/man/pam_authenticate.3 | 2 +- + doc/man/pam_authenticate.3.xml | 2 +- + doc/man/pam_chauthtok.3 | 2 +- + doc/man/pam_chauthtok.3.xml | 2 +- + doc/man/pam_conv.3 | 2 +- + doc/man/pam_conv.3.xml | 2 +- + doc/man/pam_error.3 | 2 +- + doc/man/pam_error.3.xml | 2 +- + doc/man/pam_get_authtok.3 | 2 +- + doc/man/pam_get_authtok.3.xml | 2 +- + doc/man/pam_get_item.3 | 4 +- + doc/man/pam_getenv.3 | 2 +- + doc/man/pam_getenv.3.xml | 2 +- + doc/man/pam_getenvlist.3 | 2 +- + doc/man/pam_getenvlist.3.xml | 2 +- + doc/man/pam_info.3 | 2 +- + doc/man/pam_info.3.xml | 2 +- + doc/man/pam_misc_drop_env.3 | 2 +- + doc/man/pam_misc_drop_env.3.xml | 2 +- + doc/man/pam_misc_paste_env.3 | 2 +- + doc/man/pam_misc_paste_env.3.xml | 2 +- + doc/man/pam_misc_setenv.3 | 2 +- + doc/man/pam_misc_setenv.3.xml | 2 +- + doc/man/pam_prompt.3 | 6 +- + doc/man/pam_prompt.3.xml | 2 +- + doc/man/pam_putenv.3 | 2 +- + doc/man/pam_putenv.3.xml | 2 +- + doc/man/pam_strerror.3 | 2 +- + doc/man/pam_strerror.3.xml | 2 +- + doc/man/pam_syslog.3 | 2 +- + doc/man/pam_syslog.3.xml | 2 +- + modules/pam_access/access.conf.5 | 2 +- + modules/pam_access/access.conf.5.xml | 2 +- + modules/pam_access/pam_access.8 | 2 +- + modules/pam_access/pam_access.8.xml | 2 +- + modules/pam_debug/pam_debug.8 | 2 +- + modules/pam_debug/pam_debug.8.xml | 2 +- + 
modules/pam_deny/pam_deny.8 | 2 +- + modules/pam_deny/pam_deny.8.xml | 2 +- + modules/pam_echo/pam_echo.8 | 2 +- + modules/pam_echo/pam_echo.8.xml | 2 +- + modules/pam_env/pam_env.8 | 6 +- + modules/pam_env/pam_env.8.xml | 2 +- + modules/pam_env/pam_env.conf.5 | 2 +- + modules/pam_env/pam_env.conf.5.xml | 2 +- + modules/pam_exec/pam_exec.8 | 2 +- + modules/pam_exec/pam_exec.8.xml | 2 +- + modules/pam_faildelay/pam_faildelay.8 | 2 +- + modules/pam_faildelay/pam_faildelay.8.xml | 2 +- + modules/pam_filter/pam_filter.8 | 2 +- + modules/pam_filter/pam_filter.8.xml | 2 +- + modules/pam_ftp/pam_ftp.8 | 2 +- + modules/pam_ftp/pam_ftp.8.xml | 2 +- + modules/pam_group/group.conf.5 | 2 +- + modules/pam_group/group.conf.5.xml | 2 +- + modules/pam_group/pam_group.8 | 2 +- + modules/pam_group/pam_group.8.xml | 2 +- + modules/pam_issue/pam_issue.8 | 2 +- + modules/pam_issue/pam_issue.8.xml | 2 +- + modules/pam_keyinit/pam_keyinit.8 | 2 +- + modules/pam_keyinit/pam_keyinit.8.xml | 2 +- + modules/pam_lastlog/pam_lastlog.8 | 2 +- + modules/pam_lastlog/pam_lastlog.8.xml | 2 +- + modules/pam_limits/limits.conf.5 | 2 +- + modules/pam_limits/limits.conf.5.xml | 2 +- + modules/pam_limits/pam_limits.8 | 2 +- + modules/pam_limits/pam_limits.8.xml | 2 +- + modules/pam_listfile/pam_listfile.8 | 2 +- + modules/pam_listfile/pam_listfile.8.xml | 2 +- + modules/pam_localuser/pam_localuser.8 | 2 +- + modules/pam_localuser/pam_localuser.8.xml | 2 +- + modules/pam_loginuid/pam_loginuid.8 | 2 +- + modules/pam_loginuid/pam_loginuid.8.xml | 2 +- + modules/pam_mail/pam_mail.8 | 2 +- + modules/pam_mail/pam_mail.8.xml | 2 +- + modules/pam_mkhomedir/pam_mkhomedir.8 | 2 +- + modules/pam_mkhomedir/pam_mkhomedir.8.xml | 2 +- + modules/pam_motd/pam_motd.8 | 2 +- + modules/pam_motd/pam_motd.8.xml | 2 +- + modules/pam_namespace/namespace.conf.5 | 2 +- + modules/pam_namespace/namespace.conf.5.xml | 2 +- + modules/pam_namespace/pam_namespace.8 | 2 +- + modules/pam_namespace/pam_namespace.8.xml | 2 +- + 
modules/pam_nologin/pam_nologin.8 | 2 +- + modules/pam_nologin/pam_nologin.8.xml | 2 +- + modules/pam_permit/pam_permit.8 | 2 +- + modules/pam_permit/pam_permit.8.xml | 2 +- + modules/pam_pwhistory/pam_pwhistory.8 | 2 +- + modules/pam_pwhistory/pam_pwhistory.8.xml | 2 +- + modules/pam_rhosts/pam_rhosts.8 | 2 +- + modules/pam_rhosts/pam_rhosts.8.xml | 2 +- + modules/pam_rootok/pam_rootok.8 | 2 +- + modules/pam_rootok/pam_rootok.8.xml | 2 +- + modules/pam_securetty/pam_securetty.8 | 2 +- + modules/pam_securetty/pam_securetty.8.xml | 2 +- + modules/pam_selinux/pam_selinux.8 | 6 +- + modules/pam_selinux/pam_selinux.8.xml | 2 +- + modules/pam_sepermit/pam_sepermit.8 | 2 +- + modules/pam_sepermit/pam_sepermit.8.xml | 2 +- + modules/pam_sepermit/sepermit.conf.5 | 2 +- + modules/pam_sepermit/sepermit.conf.5.xml | 2 +- + modules/pam_shells/pam_shells.8 | 2 +- + modules/pam_shells/pam_shells.8.xml | 2 +- + modules/pam_succeed_if/pam_succeed_if.8 | 2 +- + modules/pam_succeed_if/pam_succeed_if.8.xml | 2 +- + modules/pam_time/pam_time.8 | 2 +- + modules/pam_time/pam_time.8.xml | 2 +- + modules/pam_time/time.conf.5 | 2 +- + modules/pam_time/time.conf.5.xml | 2 +- + modules/pam_timestamp/pam_timestamp.8 | 2 +- + modules/pam_timestamp/pam_timestamp.8.xml | 2 +- + modules/pam_timestamp/pam_timestamp_check.8 | 2 +- + modules/pam_timestamp/pam_timestamp_check.8.xml | 2 +- + modules/pam_tty_audit/pam_tty_audit.8 | 2 +- + modules/pam_tty_audit/pam_tty_audit.8.xml | 2 +- + modules/pam_umask/pam_umask.8 | 2 +- + modules/pam_umask/pam_umask.8.xml | 2 +- + modules/pam_unix/pam_unix.8 | 2 +- + modules/pam_unix/pam_unix.8.xml | 2 +- + modules/pam_userdb/pam_userdb.8 | 2 +- + modules/pam_userdb/pam_userdb.8.xml | 2 +- + modules/pam_warn/pam_warn.8 | 2 +- + modules/pam_warn/pam_warn.8.xml | 2 +- + modules/pam_wheel/pam_wheel.8 | 13 +-- + modules/pam_wheel/pam_wheel.8.xml | 2 +- + modules/pam_xauth/pam_xauth.8 | 2 +- + modules/pam_xauth/pam_xauth.8.xml | 2 +- + 136 files changed, 315 
insertions(+), 176 deletions(-) + create mode 100644 doc/man/PAM.7 + create mode 100644 doc/man/pam.7 + +diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am +index aec365c..b81ca72 100644 +--- a/doc/man/Makefile.am ++++ b/doc/man/Makefile.am +@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) + + EXTRA_DIST = $(MANS) $(XMLS) + +-man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \ ++man_MANS = pam.3 PAM.7 pam.7 pam.conf.5 pam.d.5 \ + pam_acct_mgmt.3 pam_authenticate.3 \ + pam_chauthtok.3 pam_close_session.3 pam_conv.3 \ + pam_end.3 pam_error.3 \ +@@ -46,7 +46,8 @@ XMLS = pam.3.xml pam.8.xml pam.conf.5.xml \ + + + if ENABLE_REGENERATE_MAN +-PAM.8: pam.8 ++pam.8: pam.8.xml ++PAM.7 pam.7: pam.8 + pam_get_authtok_noverify.3: pam_get_authtok.3 + pam_get_authtok_verify.3: pam_get_authtok.3 + pam_verror.3: pam_error.3 +diff --git a/doc/man/Makefile.in b/doc/man/Makefile.in +index d18dc7d..30da4d0 100644 +--- a/doc/man/Makefile.in ++++ b/doc/man/Makefile.in +@@ -1,7 +1,7 @@ +-# Makefile.in generated by automake 1.16.3 from Makefile.am. ++# Makefile.in generated by automake 1.16.5 from Makefile.am. + # @configure_input@ + +-# Copyright (C) 1994-2020 Free Software Foundation, Inc. ++# Copyright (C) 1994-2021 Free Software Foundation, Inc. 
+ + # This Makefile.in is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, +@@ -163,9 +163,9 @@ am__uninstall_files_from_dir = { \ + } + man3dir = $(mandir)/man3 + am__installdirs = "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \ +- "$(DESTDIR)$(man8dir)" ++ "$(DESTDIR)$(man7dir)" + man5dir = $(mandir)/man5 +-man8dir = $(mandir)/man8 ++man7dir = $(mandir)/man7 + NROFF = nroff + MANS = $(man_MANS) + am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +@@ -192,6 +192,8 @@ CPPFLAGS = @CPPFLAGS@ + CRYPTO_LIBS = @CRYPTO_LIBS@ + CRYPT_CFLAGS = @CRYPT_CFLAGS@ + CRYPT_LIBS = @CRYPT_LIBS@ ++CSCOPE = @CSCOPE@ ++CTAGS = @CTAGS@ + CYGPATH_W = @CYGPATH_W@ + DEFS = @DEFS@ + DEPDIR = @DEPDIR@ +@@ -205,6 +207,7 @@ ECHO_T = @ECHO_T@ + ECONF_CFLAGS = @ECONF_CFLAGS@ + ECONF_LIBS = @ECONF_LIBS@ + EGREP = @EGREP@ ++ETAGS = @ETAGS@ + EXEEXT = @EXEEXT@ + EXE_CFLAGS = @EXE_CFLAGS@ + EXE_LDFLAGS = @EXE_LDFLAGS@ +@@ -354,6 +357,7 @@ pdfdir = @pdfdir@ + prefix = @prefix@ + program_transform_name = @program_transform_name@ + psdir = @psdir@ ++runstatedir = @runstatedir@ + sbindir = @sbindir@ + sharedstatedir = @sharedstatedir@ + srcdir = @srcdir@ +@@ -366,7 +370,7 @@ top_srcdir = @top_srcdir@ + CLEANFILES = *~ + MAINTAINERCLEANFILES = $(MANS) + EXTRA_DIST = $(MANS) $(XMLS) +-man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \ ++man_MANS = pam.3 PAM.7 pam.7 pam.conf.5 pam.d.5 \ + pam_acct_mgmt.3 pam_authenticate.3 \ + pam_chauthtok.3 pam_close_session.3 pam_conv.3 \ + pam_end.3 pam_error.3 \ +@@ -528,56 +532,55 @@ uninstall-man5: + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +-install-man8: $(man_MANS) ++install-man7: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ +- test -n "$(man8dir)" \ ++ test -n "$(man7dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ +- echo " 
$(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ +- $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ ++ echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \ ++ $(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ +- | sed -n '/\.8[a-z]*$$/p'; \ ++ | sed -n '/\.7[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ +- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ ++ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ +- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ +- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ ++ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \ ++ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ +- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ +- $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ ++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \ ++ $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \ + done; } + +-uninstall-man8: ++uninstall-man7: + @$(NORMAL_UNINSTALL) +- @list=''; test -n "$(man8dir)" || exit 0; \ ++ @list=''; test -n "$(man7dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ +- sed -n '/\.8[a-z]*$$/p'; \ +- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ ++ sed -n '/\.7[a-z]*$$/p'; \ ++ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ +- 
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) ++ dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir) + tags TAGS: + + ctags CTAGS: + + cscope cscopelist: + +- + distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +@@ -615,7 +618,7 @@ check-am: all-am + check: check-am + all-am: Makefile $(MANS) + installdirs: +- for dir in "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ ++ for dir in "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man7dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done + install: install-am +@@ -686,7 +689,7 @@ install-info: install-info-am + + install-info-am: + +-install-man: install-man3 install-man5 install-man8 ++install-man: install-man3 install-man5 install-man7 + + install-pdf: install-pdf-am + +@@ -716,7 +719,7 @@ ps-am: + + uninstall-am: uninstall-man + +-uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 ++uninstall-man: uninstall-man3 uninstall-man5 uninstall-man7 + + .MAKE: install-am install-strip + +@@ -726,18 +729,19 @@ uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ +- install-man3 install-man5 install-man8 install-pdf \ ++ install-man3 install-man5 install-man7 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-man uninstall-man3 uninstall-man5 \ +- uninstall-man8 ++ uninstall-man7 + + .PRECIOUS: Makefile + + +-@ENABLE_REGENERATE_MAN_TRUE@PAM.8: pam.8 ++@ENABLE_REGENERATE_MAN_TRUE@pam.8: pam.8.xml ++@ENABLE_REGENERATE_MAN_TRUE@PAM.7 pam.7: pam.8 + @ENABLE_REGENERATE_MAN_TRUE@pam_get_authtok_noverify.3: pam_get_authtok.3 
+ @ENABLE_REGENERATE_MAN_TRUE@pam_get_authtok_verify.3: pam_get_authtok.3 + @ENABLE_REGENERATE_MAN_TRUE@pam_verror.3: pam_error.3 +diff --git a/doc/man/PAM.7 b/doc/man/PAM.7 +new file mode 100644 +index 0000000..00b313f +--- /dev/null ++++ b/doc/man/PAM.7 +@@ -0,0 +1,138 @@ ++'\" t ++.\" Title: pam ++.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author] ++.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> ++.\" Date: 09/15/2023 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM ++.\" Language: English ++.\" ++.TH "PAM" "7" "09/15/2023" "Linux\-PAM" "Linux\-PAM Manual" ++.\" ----------------------------------------------------------------- ++.\" * Define some portability stuff ++.\" ----------------------------------------------------------------- ++.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++.\" http://bugs.debian.org/507673 ++.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html ++.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++.ie \n(.g .ds Aq \(aq ++.el .ds Aq ' ++.\" ----------------------------------------------------------------- ++.\" * set default formatting ++.\" ----------------------------------------------------------------- ++.\" disable hyphenation ++.nh ++.\" disable justification (adjust text to left margin only) ++.ad l ++.\" ----------------------------------------------------------------- ++.\" * MAIN CONTENT STARTS HERE * ++.\" ----------------------------------------------------------------- ++.SH "NAME" ++PAM, pam \- Pluggable Authentication Modules for Linux ++.SH "DESCRIPTION" ++.PP ++This manual is intended to offer a quick introduction to ++\fBLinux\-PAM\fR\&. For more information the reader is directed to the ++\fBLinux\-PAM system administrators\*(Aq guide\fR\&. ++.PP ++\fBLinux\-PAM\fR ++is a system of libraries that handle the authentication tasks of applications (services) on the system\&. 
The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as ++\fBlogin\fR(1) ++and ++\fBsu\fR(1)) defer to to perform standard authentication tasks\&. ++.PP ++The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable\&. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users\&. This dynamic configuration is set by the contents of the single ++\fBLinux\-PAM\fR ++configuration file ++/etc/pam\&.conf\&. Alternatively and preferably, the configuration can be set by individual configuration files located in a ++pam\&.d ++directory\&. The presence of this directory will cause ++\fBLinux\-PAM\fR ++to ++\fIignore\fR ++/etc/pam\&.conf\&. ++.PP ++Vendor\-supplied PAM configuration files might be installed in the system directory ++/usr/lib/pam\&.d/ ++or a configurable vendor specific directory instead of the machine configuration directory ++/etc/pam\&.d/\&. If no machine configuration file is found, the vendor\-supplied file is used\&. All files in ++/etc/pam\&.d/ ++override files with the same name in other directories\&. ++.PP ++From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the ++\fBLinux\-PAM\fR ++library\&. The important point to recognize is that the configuration file(s) ++\fIdefine\fR ++the connection between applications ++(\fBservices\fR) and the pluggable authentication modules ++(\fBPAM\fRs) that perform the actual authentication tasks\&. ++.PP ++\fBLinux\-PAM\fR ++separates the tasks of ++\fIauthentication\fR ++into four independent management groups: ++\fBaccount\fR ++management; ++\fBauth\fRentication management; ++\fBpassword\fR ++management; and ++\fBsession\fR ++management\&. 
(We highlight the abbreviations used for these groups in the configuration file\&.) ++.PP ++Simply put, these groups take care of different aspects of a typical user\*(Aqs request for a restricted service: ++.PP ++\fBaccount\fR ++\- provide account verification types of service: has the user\*(Aqs password expired?; is this user permitted access to the requested service? ++.PP ++\fBauth\fRentication \- authenticate a user and set up user credentials\&. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password\&. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of ++\fBLinux\-PAM\fR\&. ++.PP ++\fBpassword\fR ++\- this group\*(Aqs responsibility is the task of updating authentication mechanisms\&. Typically, such services are strongly coupled to those of the ++\fBauth\fR ++group\&. Some authentication mechanisms lend themselves well to being updated with such a function\&. Standard UN*X password\-based access is the obvious example: please enter a replacement password\&. ++.PP ++\fBsession\fR ++\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn\&. Such tasks include the maintenance of audit trails and the mounting of the user\*(Aqs home directory\&. The ++\fBsession\fR ++management group is important as it provides both an opening and closing hook for modules to affect the services available to a user\&. ++.SH "FILES" ++.PP ++/etc/pam\&.conf ++.RS 4 ++the configuration file ++.RE ++.PP ++/etc/pam\&.d ++.RS 4 ++the ++\fBLinux\-PAM\fR ++configuration directory\&. Generally, if this directory is present, the ++/etc/pam\&.conf ++file is ignored\&. 
++.RE
++.PP
++/usr/lib/pam\&.d
++.RS 4
++the
++\fBLinux\-PAM\fR
++vendor configuration directory\&. Files in
++/etc/pam\&.d
++override files with the same name in this directory\&.
++.RE
++.SH "ERRORS"
++.PP
++Typically errors generated by the
++\fBLinux\-PAM\fR
++system of libraries, will be written to
++\fBsyslog\fR(3)\&.
++.SH "CONFORMING TO"
++.PP
++DCE\-RFC 86\&.0, October 1995\&. Contains additional features, but remains backwardly compatible with this RFC\&.
++.SH "SEE ALSO"
++.PP
++\fBpam\fR(3),
++\fBpam_authenticate\fR(3),
++\fBpam_sm_setcred\fR(3),
++\fBpam_strerror\fR(3),
++\fBPAM\fR(8)
+diff --git a/doc/man/misc_conv.3 b/doc/man/misc_conv.3
+index 6265664..85d32db 100644
+--- a/doc/man/misc_conv.3
++++ b/doc/man/misc_conv.3
+@@ -117,7 +117,7 @@ This function pointer is initialized to
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_conv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/misc_conv.3.xml b/doc/man/misc_conv.3.xml
+index 92d4acd..2971b3a 100644
+--- a/doc/man/misc_conv.3.xml
++++ b/doc/man/misc_conv.3.xml
+@@ -168,7 +168,7 @@
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam.7 b/doc/man/pam.7
+new file mode 100644
+index 0000000..a15cab9
+--- /dev/null
++++ b/doc/man/pam.7
+@@ -0,0 +1 @@
++.so PAM.7
+diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml
+index 7f3b051..cb6a7d8 100644
+--- a/doc/man/pam.8.xml
++++ b/doc/man/pam.8.xml
+@@ -2,7 +2,7 @@
+
+ <refmeta>
+ <refentrytitle>pam</refentrytitle>
+- <manvolnum>8</manvolnum>
++ <manvolnum>7</manvolnum>
+ <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+ <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+diff --git a/doc/man/pam_acct_mgmt.3 b/doc/man/pam_acct_mgmt.3
+index 18e91d5..1cfb501 100644
+--- a/doc/man/pam_acct_mgmt.3
++++ b/doc/man/pam_acct_mgmt.3
+@@ -97,4 +97,4 @@ User unknown to password service\&.
+ \fBpam_authenticate\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_acct_mgmt.3.xml b/doc/man/pam_acct_mgmt.3.xml
+index de6a94a..6ff3ccb 100644
+--- a/doc/man/pam_acct_mgmt.3.xml
++++ b/doc/man/pam_acct_mgmt.3.xml
+@@ -136,7 +136,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_authenticate.3 b/doc/man/pam_authenticate.3
+index 1760e2a..463a518 100644
+--- a/doc/man/pam_authenticate.3
++++ b/doc/man/pam_authenticate.3
+@@ -107,4 +107,4 @@ User unknown to authentication service\&.
+ \fBpam_setcred\fR(3),
+ \fBpam_chauthtok\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_authenticate.3.xml b/doc/man/pam_authenticate.3.xml
+index 794a5c7..948b950 100644
+--- a/doc/man/pam_authenticate.3.xml
++++ b/doc/man/pam_authenticate.3.xml
+@@ -160,7 +160,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_chauthtok.3 b/doc/man/pam_chauthtok.3
+index 60d267f..d7a1c1b 100644
+--- a/doc/man/pam_chauthtok.3
++++ b/doc/man/pam_chauthtok.3
+@@ -106,4 +106,4 @@ User unknown to password service\&.
+ \fBpam_setcred\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_chauthtok.3.xml b/doc/man/pam_chauthtok.3.xml
+index e184f45..95af359 100644
+--- a/doc/man/pam_chauthtok.3.xml
++++ b/doc/man/pam_chauthtok.3.xml
+@@ -155,7 +155,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_conv.3 b/doc/man/pam_conv.3
+index 5ada083..35c35d0 100644
+--- a/doc/man/pam_conv.3
++++ b/doc/man/pam_conv.3
+@@ -174,4 +174,4 @@ Success\&.
+ \fBpam_set_item\fR(3),
+ \fBpam_get_item\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml
+index 31834f3..96bfd23 100644
+--- a/doc/man/pam_conv.3.xml
++++ b/doc/man/pam_conv.3.xml
+@@ -219,7 +219,7 @@ struct pam_conv {
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_error.3 b/doc/man/pam_error.3
+index 9a6c3f8..6f04998 100644
+--- a/doc/man/pam_error.3
++++ b/doc/man/pam_error.3
+@@ -80,7 +80,7 @@ System error\&.
+ \fBpam_vinfo\fR(3),
+ \fBpam_prompt\fR(3),
+ \fBpam_vprompt\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_error.3.xml b/doc/man/pam_error.3.xml
+index 0f294c2..82ea709 100644
+--- a/doc/man/pam_error.3.xml
++++ b/doc/man/pam_error.3.xml
+@@ -102,7 +102,7 @@
+ <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_get_authtok.3 b/doc/man/pam_get_authtok.3
+index 105a217..3e6ddda 100644
+--- a/doc/man/pam_get_authtok.3
++++ b/doc/man/pam_get_authtok.3
+@@ -162,7 +162,7 @@ New authentication tokens mismatch\&.
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_get_authtok.3.xml b/doc/man/pam_get_authtok.3.xml
+index ba6d955..1cb7566 100644
+--- a/doc/man/pam_get_authtok.3.xml
++++ b/doc/man/pam_get_authtok.3.xml
+@@ -229,7 +229,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_get_item.3 b/doc/man/pam_get_item.3
+index d08fde5..894c7f6 100644
+--- a/doc/man/pam_get_item.3
++++ b/doc/man/pam_get_item.3
+@@ -2,12 +2,12 @@
+ .\" Title: pam_get_item
+ .\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
+ .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+-.\" Date: 05/07/2023
++.\" Date: 09/15/2023
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM
+ .\" Language: English
+ .\"
+-.TH "PAM_GET_ITEM" "3" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
++.TH "PAM_GET_ITEM" "3" "09/15/2023" "Linux\-PAM" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff --git a/doc/man/pam_getenv.3 b/doc/man/pam_getenv.3
+index d0d3999..f639ef9 100644
+--- a/doc/man/pam_getenv.3
++++ b/doc/man/pam_getenv.3
+@@ -57,4 +57,4 @@ function returns NULL on failure\&.
+ \fBpam_start\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_getenv.3.xml b/doc/man/pam_getenv.3.xml
+index df25863..b5dbc12 100644
+--- a/doc/man/pam_getenv.3.xml
++++ b/doc/man/pam_getenv.3.xml
+@@ -58,7 +58,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_getenvlist.3 b/doc/man/pam_getenvlist.3
+index 8369764..e2ae949 100644
+--- a/doc/man/pam_getenvlist.3
++++ b/doc/man/pam_getenvlist.3
+@@ -63,4 +63,4 @@ function returns NULL on failure\&.
+ \fBpam_start\fR(3),
+ \fBpam_getenv\fR(3),
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_getenvlist.3.xml b/doc/man/pam_getenvlist.3.xml
+index 54b1f41..7f755e5 100644
+--- a/doc/man/pam_getenvlist.3.xml
++++ b/doc/man/pam_getenvlist.3.xml
+@@ -76,7 +76,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_info.3 b/doc/man/pam_info.3
+index d66dee4..a76e039 100644
+--- a/doc/man/pam_info.3
++++ b/doc/man/pam_info.3
+@@ -76,7 +76,7 @@ System error\&.
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_info.3.xml b/doc/man/pam_info.3.xml
+index 5155d41..9b4a3f0 100644
+--- a/doc/man/pam_info.3.xml
++++ b/doc/man/pam_info.3.xml
+@@ -90,7 +90,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_misc_drop_env.3 b/doc/man/pam_misc_drop_env.3
+index b3d162c..ca84c1c 100644
+--- a/doc/man/pam_misc_drop_env.3
++++ b/doc/man/pam_misc_drop_env.3
+@@ -52,7 +52,7 @@ all memory before
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_getenvlist\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_misc_drop_env.3.xml b/doc/man/pam_misc_drop_env.3.xml
+index a7f6cc8..c7a2576 100644
+--- a/doc/man/pam_misc_drop_env.3.xml
++++ b/doc/man/pam_misc_drop_env.3.xml
+@@ -43,7 +43,7 @@
+ <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_misc_paste_env.3 b/doc/man/pam_misc_paste_env.3
+index d707daa..6ca8c50 100644
+--- a/doc/man/pam_misc_paste_env.3
++++ b/doc/man/pam_misc_paste_env.3
+@@ -47,7 +47,7 @@ PAM_SUCCESS\&.
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_misc_paste_env.3.xml b/doc/man/pam_misc_paste_env.3.xml
+index 06194a9..2d99a1f 100644
+--- a/doc/man/pam_misc_paste_env.3.xml
++++ b/doc/man/pam_misc_paste_env.3.xml
+@@ -41,7 +41,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_misc_setenv.3 b/doc/man/pam_misc_setenv.3
+index 70030b7..0b1380a 100644
+--- a/doc/man/pam_misc_setenv.3
++++ b/doc/man/pam_misc_setenv.3
+@@ -52,7 +52,7 @@ are concatenated with an \*(Aq=\*(Aq to form a name=value and passed to
+ .SH "SEE ALSO"
+ .PP
+ \fBpam_putenv\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_misc_setenv.3.xml b/doc/man/pam_misc_setenv.3.xml
+index 4414d54..c9403c5 100644
+--- a/doc/man/pam_misc_setenv.3.xml
++++ b/doc/man/pam_misc_setenv.3.xml
+@@ -48,7 +48,7 @@
+ <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_prompt.3 b/doc/man/pam_prompt.3
+index 3070747..aeaaac0 100644
+--- a/doc/man/pam_prompt.3
++++ b/doc/man/pam_prompt.3
+@@ -2,12 +2,12 @@
+ .\" Title: pam_prompt
+ .\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
+ .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+-.\" Date: 05/07/2023
++.\" Date: 09/15/2023
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM
+ .\" Language: English
+ .\"
+-.TH "PAM_PROMPT" "3" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
++.TH "PAM_PROMPT" "3" "09/15/2023" "Linux\-PAM" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -70,7 +70,7 @@ System error\&.
+ .RE
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBpam_conv\fR(3)
+ .SH "STANDARDS"
+ .PP
+diff --git a/doc/man/pam_prompt.3.xml b/doc/man/pam_prompt.3.xml
+index c65a0c9..b53f502 100644
+--- a/doc/man/pam_prompt.3.xml
++++ b/doc/man/pam_prompt.3.xml
+@@ -92,7 +92,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
+diff --git a/doc/man/pam_putenv.3 b/doc/man/pam_putenv.3
+index 3b826b1..0e1002b 100644
+--- a/doc/man/pam_putenv.3
++++ b/doc/man/pam_putenv.3
+@@ -108,4 +108,4 @@ The environment variable was successfully updated\&.
+ \fBpam_getenv\fR(3),
+ \fBpam_getenvlist\fR(3),
+ \fBpam_strerror\fR(3),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_putenv.3.xml b/doc/man/pam_putenv.3.xml
+index 7267046..8daca00 100644
+--- a/doc/man/pam_putenv.3.xml
++++ b/doc/man/pam_putenv.3.xml
+@@ -143,7 +143,7 @@
+ <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_strerror.3 b/doc/man/pam_strerror.3
+index 408eb3a..d6c5d51 100644
+--- a/doc/man/pam_strerror.3
++++ b/doc/man/pam_strerror.3
+@@ -49,4 +49,4 @@ function returns a pointer to a string describing the error code passed in the a
+ This function returns always a pointer to a string\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+diff --git a/doc/man/pam_strerror.3.xml b/doc/man/pam_strerror.3.xml
+index b76cbc4..2c7a8a9 100644
+--- a/doc/man/pam_strerror.3.xml
++++ b/doc/man/pam_strerror.3.xml
+@@ -48,7 +48,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/doc/man/pam_syslog.3 b/doc/man/pam_syslog.3
+index 8223131..d1f2589 100644
+--- a/doc/man/pam_syslog.3
++++ b/doc/man/pam_syslog.3
+@@ -67,7 +67,7 @@ with the difference that it takes a set of arguments which have been obtained us
+ variable argument list macros\&.
+ .SH "SEE ALSO"
+ .PP
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "STANDARDS"
+ .PP
+ The
+diff --git a/doc/man/pam_syslog.3.xml b/doc/man/pam_syslog.3.xml
+index f5be287..5005476 100644
+--- a/doc/man/pam_syslog.3.xml
++++ b/doc/man/pam_syslog.3.xml
+@@ -63,7 +63,7 @@
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
+index b45e914..774e5cd 100644
+--- a/modules/pam_access/access.conf.5
++++ b/modules/pam_access/access.conf.5
+@@ -210,7 +210,7 @@ option, the spaces will become part of the actual item and the line will be most
+ .PP
+ \fBpam_access\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHORS"
+ .PP
+ Original
+diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
+index ff1cb22..e1e5531 100644
+--- a/modules/pam_access/access.conf.5.xml
++++ b/modules/pam_access/access.conf.5.xml
+@@ -229,7 +229,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8
+index c9f9d40..5b0e1a3 100644
+--- a/modules/pam_access/pam_access.8
++++ b/modules/pam_access/pam_access.8
+@@ -133,7 +133,7 @@ Default configuration file
+ .PP
+ \fBaccess.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&.
+diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
+index 010e749..cc01d5c 100644
+--- a/modules/pam_access/pam_access.8.xml
++++ b/modules/pam_access/pam_access.8.xml
+@@ -270,7 +270,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+diff --git a/modules/pam_debug/pam_debug.8 b/modules/pam_debug/pam_debug.8
+index b1a6de7..2b2dee3 100644
+--- a/modules/pam_debug/pam_debug.8
++++ b/modules/pam_debug/pam_debug.8
+@@ -138,7 +138,7 @@ auth sufficient pam_debug\&.so auth=success cred=success
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+diff --git a/modules/pam_debug/pam_debug.8.xml b/modules/pam_debug/pam_debug.8.xml
+index 1c98f17..939c19b 100644
+--- a/modules/pam_debug/pam_debug.8.xml
++++ b/modules/pam_debug/pam_debug.8.xml
+@@ -213,7 +213,7 @@ auth sufficient pam_debug.so auth=success cred=success
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_deny/pam_deny.8 b/modules/pam_deny/pam_deny.8
+index 85146f1..81d5343 100644
+--- a/modules/pam_deny/pam_deny.8
++++ b/modules/pam_deny/pam_deny.8
+@@ -96,7 +96,7 @@ other session required pam_deny\&.so
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org>
+diff --git a/modules/pam_deny/pam_deny.8.xml b/modules/pam_deny/pam_deny.8.xml
+index db8fcb6..de41a59 100644
+--- a/modules/pam_deny/pam_deny.8.xml
++++ b/modules/pam_deny/pam_deny.8.xml
+@@ -117,7 +117,7 @@ other session required pam_deny.so
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_echo/pam_echo.8 b/modules/pam_echo/pam_echo.8
+index c927488..5f0712b 100644
+--- a/modules/pam_echo/pam_echo.8
++++ b/modules/pam_echo/pam_echo.8
+@@ -126,7 +126,7 @@ password required pam_unix\&.so
+ .PP
+ \fBpam.conf\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ Thorsten Kukuk <kukuk@thkukuk\&.de>
+diff --git a/modules/pam_echo/pam_echo.8.xml b/modules/pam_echo/pam_echo.8.xml
+index 07b793d..cf2d006 100644
+--- a/modules/pam_echo/pam_echo.8.xml
++++ b/modules/pam_echo/pam_echo.8.xml
+@@ -156,7 +156,7 @@ password required pam_unix.so
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry></para>
+ </refsect1>
+
+diff --git a/modules/pam_env/pam_env.8 b/modules/pam_env/pam_env.8
+index f4e15f3..afef8b1 100644
+--- a/modules/pam_env/pam_env.8
++++ b/modules/pam_env/pam_env.8
+@@ -2,12 +2,12 @@
+ .\" Title: pam_env
+ .\" Author: [see the "AUTHOR" section]
+ .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+-.\" Date: 05/07/2023
++.\" Date: 09/13/2023
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM
+ .\" Language: English
+ .\"
+-.TH "PAM_ENV" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
++.TH "PAM_ENV" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -153,7 +153,7 @@ User specific environment file
+ .PP
+ \fBpam_env.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBenviron\fR(7)\&.
+ .SH "AUTHOR"
+ .PP
+diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
+index fb172e1..a720d37 100644
+--- a/modules/pam_env/pam_env.8.xml
++++ b/modules/pam_env/pam_env.8.xml
+@@ -295,7 +295,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum>
+diff --git a/modules/pam_env/pam_env.conf.5 b/modules/pam_env/pam_env.conf.5
+index 90de5ea..9d9af67 100644
+--- a/modules/pam_env/pam_env.conf.5
++++ b/modules/pam_env/pam_env.conf.5
+@@ -125,7 +125,7 @@ Silly examples of escaped variables, just to show how they work\&.
+ .PP
+ \fBpam_env\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBenviron\fR(7)
+ .SH "AUTHOR"
+ .PP
+diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
+index 81fc961..38bc5fd 100644
+--- a/modules/pam_env/pam_env.conf.5.xml
++++ b/modules/pam_env/pam_env.conf.5.xml
+@@ -135,7 +135,7 @@
+ <para>
+ <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8
+index 4c7023d..bfa49f8 100644
+--- a/modules/pam_exec/pam_exec.8
++++ b/modules/pam_exec/pam_exec.8
+@@ -182,7 +182,7 @@ with effective user ID\&.
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&.
+diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
+index 13abe6e..2eedb28 100644
+--- a/modules/pam_exec/pam_exec.8.xml
++++ b/modules/pam_exec/pam_exec.8.xml
+@@ -300,7 +300,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_faildelay/pam_faildelay.8 b/modules/pam_faildelay/pam_faildelay.8
+index 9d1d475..0e798cd 100644
+--- a/modules/pam_faildelay/pam_faildelay.8
++++ b/modules/pam_faildelay/pam_faildelay.8
+@@ -87,7 +87,7 @@ auth optional pam_faildelay\&.so delay=10000000
+ \fBpam_fail_delay\fR(3),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&.
+diff --git a/modules/pam_faildelay/pam_faildelay.8.xml b/modules/pam_faildelay/pam_faildelay.8.xml
+index c31b507..49ec46f 100644
+--- a/modules/pam_faildelay/pam_faildelay.8.xml
++++ b/modules/pam_faildelay/pam_faildelay.8.xml
+@@ -118,7 +118,7 @@ auth optional pam_faildelay.so delay=10000000
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_filter/pam_filter.8 b/modules/pam_filter/pam_filter.8
+index 7a0735b..c9b2ee7 100644
+--- a/modules/pam_filter/pam_filter.8
++++ b/modules/pam_filter/pam_filter.8
+@@ -166,7 +166,7 @@ to see how to configure login to transpose upper and lower case letters once the
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+diff --git a/modules/pam_filter/pam_filter.8.xml b/modules/pam_filter/pam_filter.8.xml
+index 8015f41..0b85e82 100644
+--- a/modules/pam_filter/pam_filter.8.xml
++++ b/modules/pam_filter/pam_filter.8.xml
+@@ -243,7 +243,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_ftp/pam_ftp.8 b/modules/pam_ftp/pam_ftp.8
+index e15dda7..c705ea1 100644
+--- a/modules/pam_ftp/pam_ftp.8
++++ b/modules/pam_ftp/pam_ftp.8
+@@ -119,7 +119,7 @@ auth required pam_listfile\&.so \e
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+diff --git a/modules/pam_ftp/pam_ftp.8.xml b/modules/pam_ftp/pam_ftp.8.xml
+index 03f3678..90079d3 100644
+--- a/modules/pam_ftp/pam_ftp.8.xml
++++ b/modules/pam_ftp/pam_ftp.8.xml
+@@ -165,7 +165,7 @@ auth required pam_listfile.so \
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5
+index 96009fe..96bb061 100644
+--- a/modules/pam_group/group.conf.5
++++ b/modules/pam_group/group.conf.5
+@@ -115,7 +115,7 @@ xsh; tty* ;%admin;Al0000\-2400;plugdev
+ .PP
+ \fBpam_group\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml
+index a8875b3..8d5b2d4 100644
+--- a/modules/pam_group/group.conf.5.xml
++++ b/modules/pam_group/group.conf.5.xml
+@@ -131,7 +131,7 @@ xsh; tty* ;%admin;Al0000-2400;plugdev
+ <para>
+ <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8
+index 959c749..1553f20 100644
+--- a/modules/pam_group/pam_group.8
++++ b/modules/pam_group/pam_group.8
+@@ -103,7 +103,7 @@ Default configuration file
+ .PP
+ \fBgroup.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml
+index 695a7ba..292ee1c 100644
+--- a/modules/pam_group/pam_group.8.xml
++++ b/modules/pam_group/pam_group.8.xml
+@@ -149,7 +149,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+diff --git a/modules/pam_issue/pam_issue.8 b/modules/pam_issue/pam_issue.8
+index fdeed52..745cc42 100644
+--- a/modules/pam_issue/pam_issue.8
++++ b/modules/pam_issue/pam_issue.8
+@@ -152,7 +152,7 @@ to set the user specific issue at login:
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_issue was written by Ben Collins <bcollins@debian\&.org>\&.
+diff --git a/modules/pam_issue/pam_issue.8.xml b/modules/pam_issue/pam_issue.8.xml
+index 20d3245..02b31f6 100644
+--- a/modules/pam_issue/pam_issue.8.xml
++++ b/modules/pam_issue/pam_issue.8.xml
+@@ -216,7 +216,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8
+index 5d7b3e4..50e4fe6 100644
+--- a/modules/pam_keyinit/pam_keyinit.8
++++ b/modules/pam_keyinit/pam_keyinit.8
+@@ -137,7 +137,7 @@ This will prevent keys from one session leaking into another session for the sam
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBkeyctl\fR(1)
+ .SH "AUTHOR"
+ .PP
+diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
+index 7b0a73b..0bab086 100644
+--- a/modules/pam_keyinit/pam_keyinit.8.xml
++++ b/modules/pam_keyinit/pam_keyinit.8.xml
+@@ -229,7 +229,7 @@ session required pam_keyinit.so
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
+diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8
+index 3a85ede..3c161ff 100644
+--- a/modules/pam_lastlog/pam_lastlog.8
++++ b/modules/pam_lastlog/pam_lastlog.8
+@@ -189,7 +189,7 @@ Lastlog logging file
+ \fBlimits.conf\fR(5),
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
+index 1fd9d9d..7c15b93 100644
+--- a/modules/pam_lastlog/pam_lastlog.8.xml
++++ b/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -322,7 +322,7 @@
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5
+index ce0ca35..c9c4187 100644
+--- a/modules/pam_limits/limits.conf.5
++++ b/modules/pam_limits/limits.conf.5
+@@ -351,7 +351,7 @@ ftp hard nproc 0
+ .PP
+ \fBpam_limits\fR(8),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8),
++\fBpam\fR(7),
+ \fBgetrlimit\fR(2),
+ \fBgetrlimit\fR(3p)
+ .SH "AUTHOR"
+diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
+index f6f7d87..d389335 100644
+--- a/modules/pam_limits/limits.conf.5.xml
++++ b/modules/pam_limits/limits.conf.5.xml
+@@ -350,7 +350,7 @@ ftp hard nproc 0
+ <para>
+ <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
+ </para>
+diff --git a/modules/pam_limits/pam_limits.8 b/modules/pam_limits/pam_limits.8
+index a3d15f2..f971b64 100644
+--- a/modules/pam_limits/pam_limits.8
++++ b/modules/pam_limits/pam_limits.8
+@@ -146,7 +146,7 @@ Replace "login" for each service you are using this module\&.
+ .PP
+ \fBlimits.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)\&.
++\fBpam\fR(7)\&.
+ .SH "AUTHORS"
+ .PP
+ pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com>
+diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml
+index cca046c..8f026f0 100644
+--- a/modules/pam_limits/pam_limits.8.xml
++++ b/modules/pam_limits/pam_limits.8.xml
+@@ -264,7 +264,7 @@ session required pam_limits.so
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8
+index 5052664..a23e6e5 100644
+--- a/modules/pam_listfile/pam_listfile.8
++++ b/modules/pam_listfile/pam_listfile.8
+@@ -205,7 +205,7 @@ to the root account\&.
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&.
+diff --git a/modules/pam_listfile/pam_listfile.8.xml b/modules/pam_listfile/pam_listfile.8.xml
+index 8847415..af747c1 100644
+--- a/modules/pam_listfile/pam_listfile.8.xml
++++ b/modules/pam_listfile/pam_listfile.8.xml
+@@ -278,7 +278,7 @@ auth required pam_listfile.so \
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8
+index 455fdb2..f4f2b29 100644
+--- a/modules/pam_localuser/pam_localuser.8
++++ b/modules/pam_localuser/pam_localuser.8
+@@ -117,7 +117,7 @@ Local user account information\&.
+ .PP
+ \fBpam.conf\fR(5),
+ \fBpam.d\fR(5),
+-\fBpam\fR(8)
++\fBpam\fR(7)
+ .SH "AUTHOR"
+ .PP
+ pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&.
+diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml +index 2002d1d..e4b9e07 100644 +--- a/modules/pam_localuser/pam_localuser.8.xml ++++ b/modules/pam_localuser/pam_localuser.8.xml +@@ -184,7 +184,7 @@ account required pam_wheel.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_loginuid/pam_loginuid.8 b/modules/pam_loginuid/pam_loginuid.8 +index 32f1b54..70669a2 100644 +--- a/modules/pam_loginuid/pam_loginuid.8 ++++ b/modules/pam_loginuid/pam_loginuid.8 +@@ -85,7 +85,7 @@ session required pam_loginuid\&.so + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBauditctl\fR(8), + \fBauditd\fR(8) + .SH "AUTHOR" +diff --git a/modules/pam_loginuid/pam_loginuid.8.xml b/modules/pam_loginuid/pam_loginuid.8.xml +index d5285f0..1beba98 100644 +--- a/modules/pam_loginuid/pam_loginuid.8.xml ++++ b/modules/pam_loginuid/pam_loginuid.8.xml +@@ -118,7 +118,7 @@ session required pam_loginuid.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum> +diff --git a/modules/pam_mail/pam_mail.8 b/modules/pam_mail/pam_mail.8 +index 36b95ba..ae4b890 100644 +--- a/modules/pam_mail/pam_mail.8 ++++ b/modules/pam_mail/pam_mail.8 +@@ -153,7 +153,7 @@ session optional pam_mail\&.so standard + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. 
+diff --git a/modules/pam_mail/pam_mail.8.xml b/modules/pam_mail/pam_mail.8.xml +index 2c0c054..9b4ce36 100644 +--- a/modules/pam_mail/pam_mail.8.xml ++++ b/modules/pam_mail/pam_mail.8.xml +@@ -262,7 +262,7 @@ session optional pam_mail.so standard + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8 b/modules/pam_mkhomedir/pam_mkhomedir.8 +index 112b39b..6962971 100644 +--- a/modules/pam_mkhomedir/pam_mkhomedir.8 ++++ b/modules/pam_mkhomedir/pam_mkhomedir.8 +@@ -129,7 +129,7 @@ A sample /etc/pam\&.d/login file: + .SH "SEE ALSO" + .PP + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP + pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&. +diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8.xml b/modules/pam_mkhomedir/pam_mkhomedir.8.xml +index ad95724..25f5497 100644 +--- a/modules/pam_mkhomedir/pam_mkhomedir.8.xml ++++ b/modules/pam_mkhomedir/pam_mkhomedir.8.xml +@@ -202,7 +202,7 @@ + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>. + </para> + </refsect1> +diff --git a/modules/pam_motd/pam_motd.8 b/modules/pam_motd/pam_motd.8 +index b1a70c0..3f65bb5 100644 +--- a/modules/pam_motd/pam_motd.8 ++++ b/modules/pam_motd/pam_motd.8 +@@ -185,7 +185,7 @@ session optional pam_motd\&.so motd=/elsewhere/motd motd_dir=/elsewhere/motd\& + \fBmotd\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_motd was written by Ben Collins <bcollins@debian\&.org>\&. 
+diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml +index 7442037..2fc5310 100644 +--- a/modules/pam_motd/pam_motd.8.xml ++++ b/modules/pam_motd/pam_motd.8.xml +@@ -193,7 +193,7 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 +index cf2509c..e4e8cfd 100644 +--- a/modules/pam_namespace/namespace.conf.5 ++++ b/modules/pam_namespace/namespace.conf.5 +@@ -162,7 +162,7 @@ This module also depends on pam_selinux\&.so setting the context\&. + .PP + \fBpam_namespace\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHORS" + .PP + The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&. 
+diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml +index d398639..dcf6973 100644 +--- a/modules/pam_namespace/namespace.conf.5.xml ++++ b/modules/pam_namespace/namespace.conf.5.xml +@@ -222,7 +222,7 @@ + <para> + <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, +- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> ++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> + </para> + </refsect1> + +diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 +index 3c9e9b3..d69f9fd 100644 +--- a/modules/pam_namespace/pam_namespace.8 ++++ b/modules/pam_namespace/pam_namespace.8 +@@ -148,7 +148,7 @@ To use polyinstantiation with graphical display manager gdm, please refer to gdm + \fBnamespace.conf\fR(5), + \fBpam.d\fR(5), + \fBmount\fR(8), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHORS" + .PP + The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&. +diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml +index 598037a..954093d 100644 +--- a/modules/pam_namespace/pam_namespace.8.xml ++++ b/modules/pam_namespace/pam_namespace.8.xml +@@ -389,7 +389,7 @@ + <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>. 
+ </para> + </refsect1> +diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8 +index ceb0237..c5df1b7 100644 +--- a/modules/pam_nologin/pam_nologin.8 ++++ b/modules/pam_nologin/pam_nologin.8 +@@ -124,7 +124,7 @@ modules would lead to a successful login because the nologin module + \fBnologin\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&. +diff --git a/modules/pam_nologin/pam_nologin.8.xml b/modules/pam_nologin/pam_nologin.8.xml +index 1ea725c..1cc721a 100644 +--- a/modules/pam_nologin/pam_nologin.8.xml ++++ b/modules/pam_nologin/pam_nologin.8.xml +@@ -157,7 +157,7 @@ auth required pam_nologin.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_permit/pam_permit.8 b/modules/pam_permit/pam_permit.8 +index 5b1881f..5432b75 100644 +--- a/modules/pam_permit/pam_permit.8 ++++ b/modules/pam_permit/pam_permit.8 +@@ -78,7 +78,7 @@ account required pam_permit\&.so + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&. 
+diff --git a/modules/pam_permit/pam_permit.8.xml b/modules/pam_permit/pam_permit.8.xml +index 0634e5e..9e6c7d0 100644 +--- a/modules/pam_permit/pam_permit.8.xml ++++ b/modules/pam_permit/pam_permit.8.xml +@@ -88,7 +88,7 @@ account required pam_permit.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_pwhistory/pam_pwhistory.8 b/modules/pam_pwhistory/pam_pwhistory.8 +index df95ee3..e430bcd 100644 +--- a/modules/pam_pwhistory/pam_pwhistory.8 ++++ b/modules/pam_pwhistory/pam_pwhistory.8 +@@ -179,7 +179,7 @@ Config file for pam_pwhistory options + \fBpwhistory.conf\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + \fBpam_get_authtok\fR(3) + .SH "AUTHOR" + .PP +diff --git a/modules/pam_pwhistory/pam_pwhistory.8.xml b/modules/pam_pwhistory/pam_pwhistory.8.xml +index d83d8d9..a5185fc 100644 +--- a/modules/pam_pwhistory/pam_pwhistory.8.xml ++++ b/modules/pam_pwhistory/pam_pwhistory.8.xml +@@ -282,7 +282,7 @@ password required pam_unix.so use_authtok + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + <citerefentry> + <refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum> +diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8 +index 36077de..327ad22 100644 +--- a/modules/pam_rhosts/pam_rhosts.8 ++++ b/modules/pam_rhosts/pam_rhosts.8 +@@ -122,7 +122,7 @@ auth required pam_unix\&.so + \fBrhosts\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de> +diff --git 
a/modules/pam_rhosts/pam_rhosts.8.xml b/modules/pam_rhosts/pam_rhosts.8.xml +index b8a5c1c..41d541c 100644 +--- a/modules/pam_rhosts/pam_rhosts.8.xml ++++ b/modules/pam_rhosts/pam_rhosts.8.xml +@@ -153,7 +153,7 @@ auth required pam_unix.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8 +index 5fc021f..984cadd 100644 +--- a/modules/pam_rootok/pam_rootok.8 ++++ b/modules/pam_rootok/pam_rootok.8 +@@ -100,7 +100,7 @@ auth required pam_unix\&.so + \fBsu\fR(1), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&. +diff --git a/modules/pam_rootok/pam_rootok.8.xml b/modules/pam_rootok/pam_rootok.8.xml +index a79c073..f30ad37 100644 +--- a/modules/pam_rootok/pam_rootok.8.xml ++++ b/modules/pam_rootok/pam_rootok.8.xml +@@ -113,7 +113,7 @@ auth required pam_unix.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8 +index ca90438..95804fb 100644 +--- a/modules/pam_securetty/pam_securetty.8 ++++ b/modules/pam_securetty/pam_securetty.8 +@@ -134,7 +134,7 @@ auth required pam_unix\&.so + \fBsecuretty\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&. 
+diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml +index 9038f5b..fcf0e88 100644 +--- a/modules/pam_securetty/pam_securetty.8.xml ++++ b/modules/pam_securetty/pam_securetty.8.xml +@@ -184,7 +184,7 @@ auth required pam_unix.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 +index 260bc47..12fe015 100644 +--- a/modules/pam_selinux/pam_selinux.8 ++++ b/modules/pam_selinux/pam_selinux.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_selinux + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +-.\" Date: 05/07/2023 ++.\" Date: 09/13/2023 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM + .\" Language: English + .\" +-.TH "PAM_SELINUX" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" ++.TH "PAM_SELINUX" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -144,7 +144,7 @@ session optional pam_selinux\&.so + \fBexecve\fR(2), + \fBtty\fR(4), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBselinux\fR(8) + .SH "AUTHOR" + .PP +diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml +index 3aa632c..7ec5daf 100644 +--- a/modules/pam_selinux/pam_selinux.8.xml ++++ b/modules/pam_selinux/pam_selinux.8.xml +@@ -255,7 +255,7 @@ session optional pam_selinux.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ 
<refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> +diff --git a/modules/pam_sepermit/pam_sepermit.8 b/modules/pam_sepermit/pam_sepermit.8 +index f47f4a8..3270746 100644 +--- a/modules/pam_sepermit/pam_sepermit.8 ++++ b/modules/pam_sepermit/pam_sepermit.8 +@@ -124,7 +124,7 @@ session required pam_permit\&.so + \fBsepermit.conf\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + \fBselinux\fR(8) + .SH "AUTHOR" + .PP +diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml +index 791d2bb..1ead429 100644 +--- a/modules/pam_sepermit/pam_sepermit.8.xml ++++ b/modules/pam_sepermit/pam_sepermit.8.xml +@@ -177,7 +177,7 @@ session required pam_permit.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + <citerefentry> + <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> +diff --git a/modules/pam_sepermit/sepermit.conf.5 b/modules/pam_sepermit/sepermit.conf.5 +index e2b1736..d2cd381 100644 +--- a/modules/pam_sepermit/sepermit.conf.5 ++++ b/modules/pam_sepermit/sepermit.conf.5 +@@ -110,7 +110,7 @@ These are some example lines which might be specified in + .PP + \fBpam_sepermit\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8), ++\fBpam\fR(7), + \fBselinux\fR(8), + .SH "AUTHOR" + .PP +diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml +index ff924ce..1f1dcae 100644 +--- a/modules/pam_sepermit/sepermit.conf.5.xml ++++ b/modules/pam_sepermit/sepermit.conf.5.xml +@@ -93,7 +93,7 @@ + <para> + <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + 
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, +- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, ++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, + <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + </para> + </refsect1> +diff --git a/modules/pam_shells/pam_shells.8 b/modules/pam_shells/pam_shells.8 +index af3dc66..7962bad 100644 +--- a/modules/pam_shells/pam_shells.8 ++++ b/modules/pam_shells/pam_shells.8 +@@ -84,7 +84,7 @@ auth required pam_shells\&.so + \fBshells\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_shells was written by Erik Troan <ewt@redhat\&.com>\&. +diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml +index b9f90e9..bff889f 100644 +--- a/modules/pam_shells/pam_shells.8.xml ++++ b/modules/pam_shells/pam_shells.8.xml +@@ -107,7 +107,7 @@ auth required pam_shells.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 +index e61af0c..98a9d85 100644 +--- a/modules/pam_succeed_if/pam_succeed_if.8 ++++ b/modules/pam_succeed_if/pam_succeed_if.8 +@@ -220,7 +220,7 @@ type required othermodule\&.so arguments\&.\&.\&. 
+ .SH "SEE ALSO" + .PP + \fBglob\fR(7), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + Nalin Dahyabhai <nalin@redhat\&.com> +diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml +index 90fd114..b8f65e7 100644 +--- a/modules/pam_succeed_if/pam_succeed_if.8.xml ++++ b/modules/pam_succeed_if/pam_succeed_if.8.xml +@@ -291,7 +291,7 @@ type required othermodule.so arguments... + <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 +index 48c7ffc..13a53ef 100644 +--- a/modules/pam_time/pam_time.8 ++++ b/modules/pam_time/pam_time.8 +@@ -116,7 +116,7 @@ login account required pam_time\&.so + .PP + \fBtime.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8)\&. ++\fBpam\fR(7)\&. + .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. +diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml +index 1fa60a1..748bcd1 100644 +--- a/modules/pam_time/pam_time.8.xml ++++ b/modules/pam_time/pam_time.8.xml +@@ -186,7 +186,7 @@ login account required pam_time.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>. + </para> + </refsect1> +diff --git a/modules/pam_time/time.conf.5 b/modules/pam_time/time.conf.5 +index c68dfa7..9064977 100644 +--- a/modules/pam_time/time.conf.5 ++++ b/modules/pam_time/time.conf.5 +@@ -109,7 +109,7 @@ games ; * ; !waster ; Wd0000\-2400 | Wk1800\-0800 + .PP + \fBpam_time\fR(8), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_time was written by Andrew G\&. 
Morgan <morgan@kernel\&.org>\&. +diff --git a/modules/pam_time/time.conf.5.xml b/modules/pam_time/time.conf.5.xml +index 3fe263d..30c9a92 100644 +--- a/modules/pam_time/time.conf.5.xml ++++ b/modules/pam_time/time.conf.5.xml +@@ -133,7 +133,7 @@ games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 + <para> + <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, +- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> ++ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> + </para> + </refsect1> + +diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8 +index a7b7e1c..347724b 100644 +--- a/modules/pam_timestamp/pam_timestamp.8 ++++ b/modules/pam_timestamp/pam_timestamp.8 +@@ -124,7 +124,7 @@ timestamp files and directories + \fBpam_timestamp_check\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_timestamp was written by Nalin Dahyabhai\&. 
+diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml +index a763ad8..e6b2df7 100644 +--- a/modules/pam_timestamp/pam_timestamp.8.xml ++++ b/modules/pam_timestamp/pam_timestamp.8.xml +@@ -190,7 +190,7 @@ session optional pam_timestamp.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8 +index 3425a36..f19a225 100644 +--- a/modules/pam_timestamp/pam_timestamp_check.8 ++++ b/modules/pam_timestamp/pam_timestamp_check.8 +@@ -127,7 +127,7 @@ timestamp files and directories + \fBpam_timestamp_check\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_timestamp was written by Nalin Dahyabhai\&. 
+diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml +index f0c0956..e947f75 100644 +--- a/modules/pam_timestamp/pam_timestamp_check.8.xml ++++ b/modules/pam_timestamp/pam_timestamp_check.8.xml +@@ -189,7 +189,7 @@ session optional pam_timestamp.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8 +index ada11ae..2ba5335 100644 +--- a/modules/pam_tty_audit/pam_tty_audit.8 ++++ b/modules/pam_tty_audit/pam_tty_audit.8 +@@ -129,7 +129,7 @@ session required pam_tty_audit\&.so disable=* enable=root + \fBaureport\fR(8), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&. 
+diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml +index b46bbf7..79d8115 100644 +--- a/modules/pam_tty_audit/pam_tty_audit.8.xml ++++ b/modules/pam_tty_audit/pam_tty_audit.8.xml +@@ -178,7 +178,7 @@ session required pam_tty_audit.so disable=* enable=root + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_umask/pam_umask.8 b/modules/pam_umask/pam_umask.8 +index 741c316..c7636e2 100644 +--- a/modules/pam_umask/pam_umask.8 ++++ b/modules/pam_umask/pam_umask.8 +@@ -170,7 +170,7 @@ to set the user specific umask at login: + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&. +diff --git a/modules/pam_umask/pam_umask.8.xml b/modules/pam_umask/pam_umask.8.xml +index 0527667..acb3bc0 100644 +--- a/modules/pam_umask/pam_umask.8.xml ++++ b/modules/pam_umask/pam_umask.8.xml +@@ -243,7 +243,7 @@ + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 +index 6f5f19b..07f8308 100644 +--- a/modules/pam_unix/pam_unix.8 ++++ b/modules/pam_unix/pam_unix.8 +@@ -310,7 +310,7 @@ session required pam_unix\&.so + \fBlogin.defs\fR(5), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_unix was written by various people\&. 
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index 4e63a49..a025c0e 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -556,7 +556,7 @@ session required pam_unix.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8 +index c639772..a2493b5 100644 +--- a/modules/pam_userdb/pam_userdb.8 ++++ b/modules/pam_userdb/pam_userdb.8 +@@ -152,7 +152,7 @@ auth sufficient pam_userdb\&.so icase db=/etc/dbtest + \fBcrypt\fR(3), + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. +diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml +index 0f96410..86ba895 100644 +--- a/modules/pam_userdb/pam_userdb.8.xml ++++ b/modules/pam_userdb/pam_userdb.8.xml +@@ -276,7 +276,7 @@ auth sufficient pam_userdb.so icase db=/etc/dbtest + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8 +index 3e507d7..0138c70 100644 +--- a/modules/pam_warn/pam_warn.8 ++++ b/modules/pam_warn/pam_warn.8 +@@ -83,7 +83,7 @@ other session required pam_deny\&.so + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. 
+diff --git a/modules/pam_warn/pam_warn.8.xml b/modules/pam_warn/pam_warn.8.xml +index a20c5f7..a69e1d6 100644 +--- a/modules/pam_warn/pam_warn.8.xml ++++ b/modules/pam_warn/pam_warn.8.xml +@@ -87,7 +87,7 @@ other session required pam_deny.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8 +index 8077e81..ca687e5 100644 +--- a/modules/pam_wheel/pam_wheel.8 ++++ b/modules/pam_wheel/pam_wheel.8 +@@ -2,12 +2,12 @@ + .\" Title: pam_wheel + .\" Author: [see the "AUTHOR" section] + .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +-.\" Date: 05/07/2023 ++.\" Date: 09/13/2023 + .\" Manual: Linux-PAM Manual + .\" Source: Linux-PAM + .\" Language: English + .\" +-.TH "PAM_WHEEL" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" ++.TH "PAM_WHEEL" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" + .\" ----------------------------------------------------------------- + .\" * Define some portability stuff + .\" ----------------------------------------------------------------- +@@ -31,7 +31,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP \w'\fBpam_wheel\&.so\fR\ 'u +-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -72,11 +72,6 @@ trust + .RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. 
+ .RE +-.PP +-use_uid +-.RS 4 +-The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&. +-.RE + .SH "MODULE TYPES PROVIDED" + .PP + The +@@ -141,7 +136,7 @@ su auth required pam_unix\&.so + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&. +diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml +index b42e27d..86f2828 100644 +--- a/modules/pam_wheel/pam_wheel.8.xml ++++ b/modules/pam_wheel/pam_wheel.8.xml +@@ -210,7 +210,7 @@ su auth required pam_unix.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> +diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8 +index 31c9074..e6f23c1 100644 +--- a/modules/pam_xauth/pam_xauth.8 ++++ b/modules/pam_xauth/pam_xauth.8 +@@ -177,7 +177,7 @@ XXX + .PP + \fBpam.conf\fR(5), + \fBpam.d\fR(5), +-\fBpam\fR(8) ++\fBpam\fR(7) + .SH "AUTHOR" + .PP + pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&. +diff --git a/modules/pam_xauth/pam_xauth.8.xml b/modules/pam_xauth/pam_xauth.8.xml +index f5fc5a3..214226b 100644 +--- a/modules/pam_xauth/pam_xauth.8.xml ++++ b/modules/pam_xauth/pam_xauth.8.xml +@@ -273,7 +273,7 @@ session optional pam_xauth.so + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> 
diff --git a/debian/patches/fix-autoreconf.patch b/debian/patches/fix-autoreconf.patch
new file mode 100644
index 00000000..927a0473
--- /dev/null
+++ b/debian/patches/fix-autoreconf.patch
@@ -0,0 +1,27 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Thu, 8 Nov 2018 19:09:21 +0100
+Subject: fix-autoreconf.patch
+
+Do not override user variables in Makefile.am, see the
+"Flag Variables Ordering" section of the automake manual.
+---
+ doc/specs/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
+index 58e14b3..2ebd980 100644
+--- a/doc/specs/Makefile.am
++++ b/doc/specs/Makefile.am
+@@ -12,9 +12,9 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
+ AM_YFLAGS = -d
+
+ CC = @CC_FOR_BUILD@
+-CPPFLAGS = @BUILD_CPPFLAGS@
+-CFLAGS = @BUILD_CFLAGS@
+-LDFLAGS = @BUILD_LDFLAGS@
++AM_CPPFLAGS = @BUILD_CPPFLAGS@
++AM_CFLAGS = @BUILD_CFLAGS@
++AM_LDFLAGS = @BUILD_LDFLAGS@
+
+ padout_CFLAGS = $(WARN_CFLAGS) -Wno-unused-function -Wno-sign-compare
+
diff --git a/debian/patches/hurd_no_setfsuid b/debian/patches/hurd_no_setfsuid
new file mode 100644
index 00000000..16d8ba54
--- /dev/null
+++ b/debian/patches/hurd_no_setfsuid
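Review bot: `padout_CFLAGS` on the last context line of the fix-autoreconf.patch hunk is a per-target variable, and automake uses per-target flags in place of `AM_CFLAGS`, so after this rename `@BUILD_CFLAGS@` would no longer reach the compile of `padout`. If the build-machine flags are still wanted there, the per-target line needs them explicitly, e.g. `padout_CFLAGS = $(AM_CFLAGS) $(WARN_CFLAGS) -Wno-unused-function -Wno-sign-compare`. With `CC = @CC_FOR_BUILD@` left in place, the user's `CFLAGS` are now also passed to the build compiler, which may matter when cross-compiling; whether other per-target variables exist is not visible in this hunk.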
@@ -0,0 +1,84 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: hurd_no_setfsuid
+
+On systems without setfsuid(), use setreuid() instead.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv
+ are implemented
+---
+ libpam/pam_modutil_priv.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/libpam/pam_modutil_priv.c b/libpam/pam_modutil_priv.c
+index a463e06..7df6e6b 100644
+--- a/libpam/pam_modutil_priv.c
++++ b/libpam/pam_modutil_priv.c
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+
+ static int cleanup(struct pam_modutil_privs *p)
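Review bot: In the `#else` branches of change_uid() and change_gid() in the pam_modutil_priv.c hunk, no path returns 0, so a successful switch falls off the end of a non-void function and the caller reads an indeterminate result. The unbraced `if (ruid == uid && uid != 0) if (setreuid(euid, uid)) return -1; else {` also binds the `else` to the inner `if` (indentation is lost on this page, so the intent is inferred), which means the fallback sequence runs after a successful setreuid() and nothing runs at all when the outer test is false. Bracing the outer test as `if (ruid == uid && uid != 0) {` ... `} else {` and adding `return 0;` before each `#endif` would fix both, in change_gid() as well. The bare `setreuid(0, -1)` and `setregid(0, -1)` calls should also have their results checked, since a failed privilege change here must not be reported as success.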
diff --git a/debian/patches/lib_security_multiarch_compat b/debian/patches/lib_security_multiarch_compat
new file mode 100644
index 00000000..0e7ada42
--- /dev/null
+++ b/debian/patches/lib_security_multiarch_compat
@@ -0,0 +1,79 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: lib_security_multiarch_compat
+
+Unqualified module paths should always be looked up in *both* the default
+module dir, *and* the ISA dir. That's what paths are for.
+
+This lets us have a soft transition to multiarch for modules without having
+to rewrite /etc/pam.d/ files or add ugly symlinks.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: not ready to be committed - this needs tweaked, we're
+currently abusing the existing variables and inverting their meaning in
+order to get everything installed where we want it and get absolute paths
+the way we want them.
+---
+ libpam/pam_handlers.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
+index c7045d2..dc5f81f 100644
+--- a/libpam/pam_handlers.c
++++ b/libpam/pam_handlers.c
+@@ -737,7 +737,27 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type)
+ success = PAM_ABORT;
+
+ D(("_pam_load_module: _pam_dlopen(%s)", mod_path));
+- mod->dl_handle = _pam_dlopen(mod_path);
++ if (mod_path[0] == '/') {
++ mod->dl_handle = _pam_dlopen(mod_path);
++ } else {
++ char *mod_full_path = NULL;
++ if (asprintf(&mod_full_path, "%s%s",
++ DEFAULT_MODULE_PATH, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_path);
++ _pam_drop(mod_full_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ if (!mod->dl_handle) {
++ if (asprintf(&mod_full_path, "%s/%s",
++ _PAM_ISA, mod_path) >= 0) {
++ mod->dl_handle = _pam_dlopen(mod_full_path);
++ _pam_drop(mod_full_path);
++ } else {
++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
++ }
++ }
++ }
+ D(("_pam_load_module: _pam_dlopen'ed"));
+ D(("_pam_load_module: dlopen'ed"));
+ if (mod->dl_handle == NULL) {
+@@ -814,7 +834,6 @@ int _pam_add_handler(pam_handle_t *pamh
+ struct handler
**handler_p2;
+ struct handlers *the_handlers;
+ const char *sym, *sym2;
+- char *mod_full_path;
+ servicefn func, func2;
+ int mod_type = PAM_MT_FAULTY_MOD;
+
+@@ -826,16 +845,7 @@ int _pam_add_handler(pam_handle_t *pamh
+
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
+- if (mod_path[0] == '/') {
+- mod = _pam_load_module(pamh, mod_path, handler_type);
+- } else if (asprintf(&mod_full_path, "%s%s",
+- DEFAULT_MODULE_PATH, mod_path) >= 0) {
+- mod = _pam_load_module(pamh, mod_full_path, handler_type);
+- _pam_drop(mod_full_path);
+- } else {
+- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
+- return PAM_ABORT;
+- }
++ mod = _pam_load_module(pamh, mod_path, handler_type);
+
+ if (mod == NULL) {
+ /* if we get here with NULL it means allocation error */
diff --git a/debian/patches/make_documentation_reproducible.patch b/debian/patches/make_documentation_reproducible.patch
new file mode 100644
index 00000000..105766a9
--- /dev/null
+++ b/debian/patches/make_documentation_reproducible.patch
@@ -0,0 +1,25 @@
+From: "jumapico@gmail.com" <jumapico@gmail.com>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: Make documentation reproducible
+
+Last-Update: 2019-01-06
+
+Add LC_ALL=C.UTF-8 to w3m to avoid changes in the output when build the
+documentation with different locales.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index b9b0f83..5f11912 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -647,7 +647,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl-ns/current/manp
+
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test -n "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="LC_ALL=C.UTF-8 $BROWSER -T text/html -dump"
+ else
+ AC_PATH_PROG([BROWSER], [elinks])
+ if test -n "$BROWSER"; then
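Review bot: In the `_pam_load_module` hunk of pam_handlers.c (lib_security_multiarch_compat), `if (!mod->dl_handle)` is evaluated even when the first asprintf() failed and nothing was assigned in this branch, so the test relies on `mod->dl_handle` having been cleared earlier in the function, which starts outside the hunk; setting `mod->dl_handle = NULL;` before `if (mod_path[0] == '/')` would make that explicit. The allocation failure that `_pam_add_handler` used to turn into `return PAM_ABORT` is now only logged and then handled like a failed dlopen, which deserves a comment saying it is intended. The second lookup runs after any failure of the first, not only when the file is absent, so an error reported afterwards presumably describes the `_PAM_ISA` path; a comment such as `/* fall back to the ISA directory on any load failure, not just a missing file */` would record that.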
diff --git a/debian/patches/no_PATH_MAX_on_hurd b/debian/patches/no_PATH_MAX_on_hurd
new file mode 100644
index 00000000..6c20ab8c
--- /dev/null
+++ b/debian/patches/no_PATH_MAX_on_hurd
@@ -0,0 +1,28 @@
+From: Steve Langasek <vorlon@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: define PATH_MAX for compatibility when it's not already set
+
+Bug-Debian: http://bugs.debian.org/552043
+
+Some platforms, such as the Hurd, don't set PATH_MAX. Set a reasonable
+default value in this case.
+---
+ tests/tst-dlopen.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tests/tst-dlopen.c b/tests/tst-dlopen.c
+index 7092716..535ee1c 100644
+--- a/tests/tst-dlopen.c
++++ b/tests/tst-dlopen.c
+@@ -16,6 +16,11 @@
+ #include <limits.h>
+ #include <sys/stat.h>
+
++/* Hurd compatibility */
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
+ /* Simple program to see if dlopen() would succeed. */
+ int main(int argc, char **argv)
+ {
diff --git a/debian/patches/nullok_secure-compat.patch b/debian/patches/nullok_secure-compat.patch
new file mode 100644
index 00000000..a69cd05e
--- /dev/null
+++ b/debian/patches/nullok_secure-compat.patch
@@ -0,0 +1,32 @@
+From: Steve Langasek <vorlon@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: Support nullok_secure as a deprecated alias for nullok
+
+Last-Update: 2020-08-11
+---
+ modules/pam_unix/support.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 91e7478..e15ee98 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -102,8 +102,9 @@ typedef struct {
+ #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
+ #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
+ #define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 35 /* deprecated alias for nullok */
+ /* -------------- */
+-#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 36 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
+
+@@ -147,6 +148,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ /* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1},
+ /* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200ULL), 0, 0},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
diff --git a/debian/patches/pam-limits-nofile-fd-setsize-cap b/debian/patches/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 00000000..866ff1e3
--- /dev/null
+++ b/debian/patches/pam-limits-nofile-fd-setsize-cap
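Review bot: The new `unix_args` entry in the support.h hunk uses the bare mask `_ALL_ON_^(0x200ULL)` with flag 0, and the hunk does not show which control bit 0x200 is, so a reader cannot confirm from here that `nullok_secure` clears the same bit as `nullok`. A comment on the entry, for example `/* deprecated: parsed exactly like nullok, no extra restriction */`, would document the intent next to the constant. Because the option name suggests a stricter check than plain `nullok` while the subject line makes it a pure alias, it would also help to log a deprecation notice when the option is parsed, so administrators who kept it in their configuration notice the change; the parsing code is outside this hunk.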
@@ -0,0 +1,65 @@
+From: Robie Basak <robie.basak@ubuntu.com>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to
+ FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 <rbasak> slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad <adconrad@ubuntu.com>
+Reviewed-by: Martin Pitt <martin.pitt@ubuntu.com>
+Last-Update: 2015-04-22
+---
+ modules/pam_limits/pam_limits.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
+index adda08b..a58d424 100644
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -459,6 +459,14 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ }
+ fclose(limitsfile);
++
++ /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++ * since larger values can cause problems with fd_set overflow and
++ * systemd sets itself higher. */
++ if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++ pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++ }
+ }
+
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches/pam_mkhomedir_stat_before_opendir b/debian/patches/pam_mkhomedir_stat_before_opendir
new file mode 100644
index 00000000..50026225
--- /dev/null
+++ b/debian/patches/pam_mkhomedir_stat_before_opendir
@@ -0,0 +1,34 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: pam_mkhomedir_stat_before_opendir
+
+===================================================================
+---
+ modules/pam_mkhomedir/mkhomedir_helper.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
+index 3213f02..643d5d0 100644
+--- a/modules/pam_mkhomedir/mkhomedir_helper.c
++++ b/modules/pam_mkhomedir/mkhomedir_helper.c
+@@ -39,6 +39,7 @@ create_homedir(const struct passwd *pwd,
+ DIR *d;
+ struct dirent *dent;
+ int retval = PAM_SESSION_ERR;
++ struct stat stat_buf;
+
+ /* Create the new directory */
+ if (mkdir(dest, 0700) && errno != EEXIST)
+@@ -54,6 +55,12 @@ create_homedir(const struct passwd *pwd,
+ goto go_out;
+ }
+
++ /* Various things such as an autofs mount with browsing disabled
++ * can cause the directory to appear only on stat. The intent is
++ * to minimize network traversal when a file explorer tries to
++ * traverse large chunks of a directory tree. So stat first.*/
++ stat(source, &stat_buf);
++
+ /* Scan the directory */
+ d = opendir(source);
+ if (d == NULL)
diff --git a/debian/patches/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 00000000..5a94c25d
--- /dev/null
+++ b/debian/patches/pam_unix_dont_trust_chkpwd_caller.patch
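Review bot: The added `stat(source, &stat_buf);` in create_homedir() discards its result and never reads `stat_buf`, which looks like a forgotten check and can trigger unused-result warnings. Writing `(void) stat(source, &stat_buf);` and extending the comment to say that a failure is deliberately ignored, because the `opendir(source)` on the following lines reports the real error, would make the intent explicit. create_homedir() starts and ends outside the hunk.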
@@ -0,0 +1,32 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: pam_unix_dont_trust_chkpwd_caller
+
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
+
+Authors: Steve Langasek <vorlon@debian.org>,
+ Michael Spang <mspang@csclub.uwaterloo.ca>
+
+Upstream status: to be submitted
+---
+ modules/pam_unix/unix_chkpwd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
+index 556a2e2..5e7b571 100644
+--- a/modules/pam_unix/unix_chkpwd.c
++++ b/modules/pam_unix/unix_chkpwd.c
+@@ -138,9 +138,10 @@ int main(int argc, char *argv[])
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (user == NULL || strcmp(user, argv[1])) {
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..8f2a05e1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,21 @@
+pam_unix_dont_trust_chkpwd_caller.patch
+make_documentation_reproducible.patch
+0003-pam_unix-obscure-checks.patch
+022_pam_unix_group_time_miscfixes
+026_pam_unix_passwd_unknown_user
+031_pam_include
+036_pam_wheel_getlogin_considered_harmful
+027_pam_limits_better_init_allow_explicit_root
+pam-limits-nofile-fd-setsize-cap
+032_pam_limits_EPERM_NOT_FATAL
+008_modules_pam_limits_chroot
+040_pam_limits_log_failure
+045_pam_dispatch_jump_is_ignore
+hurd_no_setfsuid
+PAM-manpage-section
+update-motd
+lib_security_multiarch_compat
+no_PATH_MAX_on_hurd
+fix-autoreconf.patch
+nullok_secure-compat.patch
+pam_mkhomedir_stat_before_opendir
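Review bot: In the unix_chkpwd.c hunk, the comment still reads `/* no match -> permanently change to the real user and proceed */` although the line below it now drops the group as well. Suggest `/* no match -> permanently drop to the real gid, then the real uid, and proceed */`; dropping the group before the user is the conventional order for a permanent drop, and stating it in the comment guards against a later edit swapping the two calls. For symmetry with `setresgid(gid, gid, gid)`, the uid drop could be written with `setresuid()` on the real uid so that the saved ID is visibly reset in both cases. main() continues outside the hunk.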
diff --git a/debian/patches/update-motd b/debian/patches/update-motd
new file mode 100644
index 00000000..fc9c9d8d
--- /dev/null
+++ b/debian/patches/update-motd
@@ -0,0 +1,123 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: update-motd
+
+Provide a more dynamic MOTD, based on the short-lived update-motd project.
+
+Authors: Dustin Kirkland <kirkland@canonical.com>
+
+Last-Update: 2019-02-12
+Forwarded: no
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/399071
+---
+ modules/pam_motd/README | 4 ++++
+ modules/pam_motd/pam_motd.8 | 7 +++++++
+ modules/pam_motd/pam_motd.8.xml | 11 +++++++++++
+ modules/pam_motd/pam_motd.c | 18 ++++++++++++++++++
+ 4 files changed, 40 insertions(+)
+
+diff --git a/modules/pam_motd/README b/modules/pam_motd/README
+index 01bc64e..375ec80 100644
+--- a/modules/pam_motd/README
++++ b/modules/pam_motd/README
+@@ -52,6 +52,10 @@ motd_dir=/path/dirname.d
+ colon-separated list. By default this option is set to /etc/motd.d:/run/
+ motd.d:/usr/lib/motd.d.
+
++noupdate
++
++ Don't run the scripts in /etc/update-motd.d to refresh the motd file.
++
+ When no options are given, the default behavior applies for both options.
+ Specifying either option (or both) will disable the default behavior for both
+ options.
+diff --git a/modules/pam_motd/pam_motd.8 b/modules/pam_motd/pam_motd.8
+index 3f65bb5..6a6ab4e 100644
+--- a/modules/pam_motd/pam_motd.8
++++ b/modules/pam_motd/pam_motd.8
+@@ -109,6 +109,13 @@ directory is scanned and each file contained inside of it is displayed\&. Multip
+ /etc/motd\&.d:/run/motd\&.d:/usr/lib/motd\&.d\&.
+ .RE
+ .PP
++\fBnoupdate\fR
++.RS 4
++Don\*(Aqt run the scripts in
++/etc/update\-motd\&.d
++to refresh the motd file\&.
++.RE
++.PP
+ When no options are given, the default behavior applies for both options\&. Specifying either option (or both) will disable the default behavior for both options\&.
+ .SH "MODULE TYPES PROVIDED"
+ .PP
+diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
+index 2fc5310..8369779 100644
+--- a/modules/pam_motd/pam_motd.8.xml
++++ b/modules/pam_motd/pam_motd.8.xml
+@@ -112,6 +112,17 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>noupdate</option>
++ </term>
++ <listitem>
++ <para>
++ Don't run the scripts in <filename>/etc/update-motd.d</filename>
++ to refresh the motd file.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ <para>
+ When no options are given, the default behavior applies for both
+diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
+index 5ca486e..8472dd6 100644
+--- a/modules/pam_motd/pam_motd.c
++++ b/modules/pam_motd/pam_motd.c
+@@ -383,6 +383,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+ {
+ int retval = PAM_IGNORE;
++ int do_update = 1;
+ const char *motd_path = NULL;
+ char *motd_path_copy = NULL;
+ unsigned int num_motd_paths = 0;
+@@ -392,6 +393,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ unsigned int num_motd_dir_paths = 0;
+ char **motd_dir_path_split = NULL;
+ int report_missing;
++ struct stat st;
+
+ if (flags & PAM_SILENT) {
+ return retval;
+@@ -421,6 +423,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ "motd_dir= specification missing argument - ignored");
+ }
+ }
++ else if (!strcmp(*argv,"noupdate")) {
++ do_update = 0;
++ }
+ else
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -433,6 +438,19 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ report_missing = 1;
+ }
+
++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++ This will be displayed only when calling pam_motd with
++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++ display both this file and /etc/motd.
*/
++ if (do_update && (stat("/etc/update-motd.d", &st) == 0)
++ && S_ISDIR(st.st_mode))
++ {
++ mode_t old_mask = umask(0022);
++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++ rename("/run/motd.dynamic.new", "/run/motd.dynamic");
++ umask(old_mask);
++ }
++
+ if (motd_path != NULL) {
+ motd_path_copy = strdup(motd_path);
+ } |
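Review bot: In the last pam_motd.c hunk, pam_sm_open_session() runs every script in /etc/update-motd.d through `system()` inside the calling process after checking only `S_ISDIR(st.st_mode)`. Since the scripts presumably run with the caller's privileges on each session, the guard could also require a root-owned directory that is not group- or world-writable, e.g. `&& S_ISDIR(st.st_mode) && st.st_uid == 0 && !(st.st_mode & (S_IWGRP | S_IWOTH))`, and log via pam_syslog() when it declines to run. All sessions write the same `/run/motd.dynamic.new`, so two sessions opening at once can interleave or truncate each other's output before the `rename()`, whose result is ignored; a failed rename should at least be logged. `system()` also depends on the host application's SIGCHLD disposition and blocks session setup for as long as the scripts run, which deserves a comment here. The function starts and ends outside the hunk.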