--- pam-0.99.7.1.orig/debian/libpam-runtime.install +++ pam-0.99.7.1/debian/libpam-runtime.install @@ -0,0 +1,5 @@ +debian/tmp/etc/pam.conf etc +debian/tmp/etc/pam.d/other etc/pam.d +debian/tmp/usr/share/pam usr/share +debian/tmp/usr/sbin/pam_getenv usr/sbin +debian/tmp/usr/share/locale usr/share --- pam-0.99.7.1.orig/debian/libpam-runtime.links +++ pam-0.99.7.1/debian/libpam-runtime.links @@ -0,0 +1 @@ +usr/share/man/man7/PAM.7.gz usr/share/man/man7/pam.7.gz --- pam-0.99.7.1.orig/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful +++ pam-0.99.7.1/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful @@ -0,0 +1,251 @@ +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins <bcollins@debian.org> + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> + +Index: Linux-PAM/modules/pam_wheel/pam_wheel.c +=================================================================== +--- Linux-PAM/modules/pam_wheel/pam_wheel.c.orig ++++ Linux-PAM/modules/pam_wheel/pam_wheel.c +@@ -60,9 +60,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -80,8 +79,7 @@ + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -129,27 +127,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (!tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- if (fromsu) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- if (!fromsu || !tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (!tpwd) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: Linux-PAM/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- Linux-PAM/modules/pam_wheel/pam_wheel.8.xml.orig ++++ Linux-PAM/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + <arg choice="opt"> + trust + </arg> +- <arg choice="opt"> +- use_uid +- </arg> + </cmdsynopsis> + </refsynopsisdiv> + +@@ -115,18 +112,6 @@ + </para> + </listitem> + </varlistentry> +- <varlistentry> +- <term> +- <option>use_uid</option> +- </term> +- <listitem> +- <para> +- The check for wheel membership will be done against +- the current uid instead of the original one (useful when +- jumping with su from one account to another for example). +- </para> +- </listitem> +- </varlistentry> + </variablelist> + </refsect1> + +Index: Linux-PAM/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- Linux-PAM/modules/pam_wheel/pam_wheel.8.orig ++++ Linux-PAM/modules/pam_wheel/pam_wheel.8 +@@ -1,11 +1,11 @@ + .\" Title: pam_wheel + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +-.\" Date: 06/09/2006 +-.\" Manual: Linux\-PAM Manual +-.\" Source: Linux\-PAM Manual ++.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/> ++.\" Date: 08/19/2007 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM Manual + .\" +-.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_WHEEL" "8" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -14,7 +14,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP 13 +-\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -24,30 +24,37 @@ + group. If no group with this name exist, the module is using the group with the group\-ID + \fB0\fR. + .SH "OPTIONS" +-.TP 3n ++.PP + \fBdebug\fR ++.RS 4 + Print debug information. +-.TP 3n ++.RE ++.PP + \fBdeny\fR ++.RS 4 + Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the + \fBgroup\fR + option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless + \fBtrust\fR + was also specified, in which case we return PAM_SUCCESS). +-.TP 3n ++.RE ++.PP + \fBgroup=\fR\fB\fIname\fR\fR ++.RS 4 + Instead of checking the wheel or GID 0 groups, use the + \fB\fIname\fR\fR + group to perform the authentication. +-.TP 3n ++.RE ++.PP + \fBroot_only\fR ++.RS 4 + The check for wheel membership is done only. +-.TP 3n ++.RE ++.PP + \fBtrust\fR ++.RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). +-.TP 3n +-\fBuse_uid\fR +-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example). ++.RE + .SH "MODULE SERVICES PROVIDED" + .PP + The +@@ -56,32 +63,46 @@ + \fBaccount\fR + services are supported. + .SH "RETURN VALUES" +-.TP 3n ++.PP + PAM_AUTH_ERR ++.RS 4 + Authentication failure. +-.TP 3n ++.RE ++.PP + PAM_BUF_ERR ++.RS 4 + Memory buffer error. +-.TP 3n ++.RE ++.PP + PAM_IGNORE ++.RS 4 + The return value should be ignored by PAM dispatch. +-.TP 3n ++.RE ++.PP + PAM_PERM_DENY ++.RS 4 + Permission denied. +-.TP 3n ++.RE ++.PP + PAM_SERVICE_ERR ++.RS 4 + Cannot determine the user name. +-.TP 3n ++.RE ++.PP + PAM_SUCCESS ++.RS 4 + Success. +-.TP 3n ++.RE ++.PP + PAM_USER_UNKNOWN ++.RS 4 + User not known. ++.RE + .SH "EXAMPLES" + .PP + The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants. + .sp +-.RS 3n ++.RS 4 + .nf + su auth sufficient pam_rootok.so + su auth required pam_wheel.so +Index: Linux-PAM/modules/pam_wheel/README +=================================================================== +--- Linux-PAM/modules/pam_wheel/README.orig ++++ Linux-PAM/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check for wheel membership will be done against the current uid instead +- of the original one (useful when jumping with su from one account to +- another for example). +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can --- pam-0.99.7.1.orig/debian/patches-applied/026_pam_unix_passwd_unknown_user +++ pam-0.99.7.1/debian/patches-applied/026_pam_unix_passwd_unknown_user @@ -0,0 +1,67 @@ +Patch from Martin Schwenke <martin@meltin.net> + +Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c +@@ -516,7 +516,7 @@ + struct passwd *tmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; +- int err = 1; ++ int err = 1, found = 0; + int oldmask; + + oldmask = umask(077); +@@ -584,6 +584,7 @@ + + tmpent->pw_passwd = assigned_passwd.charp; + err = 0; ++ found = 1; + } + if (putpwent(tmpent, pwfile)) { + D(("error writing entry to password file: %m")); +@@ -620,7 +621,7 @@ + return PAM_SUCCESS; + } else { + unlink(PW_TMPFILE); +- return PAM_AUTHTOK_ERR; ++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; + } + } + +@@ -629,7 +630,7 @@ + struct spwd *spwdent = NULL, *stmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; +- int err = 1; ++ int err = 1, found = 0; + int oldmask; + + spwdent = getspnam(forwho); +@@ -697,6 +698,7 @@ + stmpent->sp_pwdp = towhat; + stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); + err = 0; ++ found = 1; + D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); + } + +@@ -738,7 +740,7 @@ + return PAM_SUCCESS; + } else { + unlink(SH_TMPFILE); +- return PAM_AUTHTOK_ERR; ++ return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; + } + } + +@@ -885,7 +887,7 @@ + int retval = PAM_SUCCESS; + + /* UNIX passwords area */ +- pwd = getpwnam(user); /* Get password file entry... */ ++ _unix_getpwnam(pamh, user, 1, 0, &pwd); /* Get password *file* entry... */ + if (pwd == NULL) + return PAM_AUTHINFO_UNAVAIL; /* We don't need to do the rest... */ + --- pam-0.99.7.1.orig/debian/patches-applied/ubuntu-rlimit_nice_correction +++ pam-0.99.7.1/debian/patches-applied/ubuntu-rlimit_nice_correction @@ -0,0 +1,28 @@ +Index: pam-0.99.7.1/Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_limits/pam_limits.c 2007-09-05 15:41:41.000000000 -0700 ++++ pam-0.99.7.1/Linux-PAM/modules/pam_limits/pam_limits.c 2007-09-05 15:42:40.000000000 -0700 +@@ -271,6 +271,12 @@ + pl->limits[i].limit.rlim_cur = 8192*1024; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; ++#ifdef RLIMIT_NICE ++ case RLIMIT_NICE: ++ pl->limits[i].limit.rlim_cur = 20; ++ pl->limits[i].limit.rlim_max = 20; ++ break; ++#endif + } + } + } +@@ -446,7 +452,9 @@ + case RLIMIT_NICE: + if (int_value > 19) + int_value = 19; +- rlimit_value = 19 - int_value; ++ if (int_value < -20) ++ int_value = -20; ++ rlimit_value = 20 - int_value; + #endif + break; + } --- pam-0.99.7.1.orig/debian/patches-applied/024_debian_cracklib_dict_path +++ pam-0.99.7.1/debian/patches-applied/024_debian_cracklib_dict_path @@ -0,0 +1,86 @@ +Fix the cracklib autoconf check so that HAVE_CRACK_H gets defined. + +Don't copy around the cracklib dictpath into a fixed-width buffer, when +we can just point at the existing strings; and allow the means to +specify a default dictionary when no dictionary is specified in +pam.conf. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: committed to CVS + +Index: Linux-PAM/modules/pam_cracklib/pam_cracklib.c +=================================================================== +--- Linux-PAM/modules/pam_cracklib/pam_cracklib.c.orig ++++ Linux-PAM/modules/pam_cracklib/pam_cracklib.c +@@ -56,6 +56,10 @@ + extern char *FascistCheck(char *pw, const char *dictpath); + #endif + ++#ifndef CRACKLIB_DICTS ++#define CRACKLIB_DICTS NULL ++#endif ++ + /* For Translators: "%s%s" could be replaced with "<service> " or "". */ + #define PROMPT1 _("New %s%spassword: ") + /* For Translators: "%s%s" could be replaced with "<service> " or "". */ +@@ -94,7 +98,7 @@ + int oth_credit; + int use_authtok; + char prompt_type[BUFSIZ]; +- char cracklib_dictpath[PATH_MAX]; ++ char *cracklib_dictpath; + }; + + #define CO_RETRY_TIMES 1 +@@ -159,14 +163,15 @@ + } else if (!strncmp(*argv,"use_authtok",11)) { + opt->use_authtok = 1; + } else if (!strncmp(*argv,"dictpath=",9)) { +- strncpy(opt->cracklib_dictpath, *argv+9, +- sizeof(opt->cracklib_dictpath) - 1); ++ opt->cracklib_dictpath = *argv+9; ++ if (!*(opt->cracklib_dictpath)) { ++ opt->cracklib_dictpath = CRACKLIB_DICTS; ++ } + } else { + pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); + } + } + opt->prompt_type[sizeof(opt->prompt_type) - 1] = '\0'; +- opt->cracklib_dictpath[sizeof(opt->cracklib_dictpath) - 1] = '\0'; + + return ctrl; + } +@@ -514,8 +519,7 @@ + options.use_authtok = CO_USE_AUTHTOK; + memset(options.prompt_type, 0, BUFSIZ); + strcpy(options.prompt_type,"UNIX"); +- memset(options.cracklib_dictpath, 0, +- sizeof (options.cracklib_dictpath)); ++ options.cracklib_dictpath = CRACKLIB_DICTS; + + ctrl = _pam_parse(pamh, &options, argc, argv); + +@@ -609,7 +613,7 @@ + const char *crack_msg; + + D(("against cracklib")); +- if ((crack_msg = FascistCheck(token1,options.cracklib_dictpath[0] == '\0'?NULL:options.cracklib_dictpath))) { ++ if ((crack_msg = FascistCheck(token1,options.cracklib_dictpath))) { + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg); + pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg); +Index: Linux-PAM/configure.in +=================================================================== +--- Linux-PAM/configure.in.orig ++++ Linux-PAM/configure.in +@@ -312,7 +312,7 @@ + AC_HELP_STRING([--disable-cracklib],[do not use cracklib]), + WITH_CRACKLIB=$enableval, WITH_CRACKLIB=yes) + if test x"$WITH_CRACKLIB" != xno ; then +- AC_CHECK_HEADER([crack.h], ++ AC_CHECK_HEADERS([crack.h], + AC_CHECK_LIB([crack], [FascistCheck], LIBCRACK="-lcrack", LIBCRACK="")) + else + LIBCRACK="" --- pam-0.99.7.1.orig/debian/patches-applied/045_pam_dispatch_jump_is_ignore +++ pam-0.99.7.1/debian/patches-applied/045_pam_dispatch_jump_is_ignore @@ -0,0 +1,31 @@ + +Previously jumps were treated as PAM_IGNORE in the freezing part of +the chain and PAM_OK (aka required) in the frozen part of the chain. +No one on pam-list was able to explain this behavior, so I changed it +to be consistent. + +Index: Linux-PAM/libpam/pam_dispatch.c +=================================================================== +--- Linux-PAM/libpam/pam_dispatch.c.orig ++++ Linux-PAM/libpam/pam_dispatch.c +@@ -229,19 +229,7 @@ + if ( _PAM_ACTION_IS_JUMP(action) ) { + + /* If we are evaluating a cached chain, we treat this +- module as required (aka _PAM_ACTION_OK) as well as +- executing the jump. */ +- +- if (use_cached_chain) { +- if (impression == _PAM_UNDEF +- || (impression == _PAM_POSITIVE +- && status == PAM_SUCCESS) ) { +- if ( retval != PAM_IGNORE || cached_retval == retval ) { +- impression = _PAM_POSITIVE; +- status = retval; +- } +- } +- } ++ module as ignored as well as executing the jump. */ + + /* this means that we need to skip #action stacked modules */ + do { --- pam-0.99.7.1.orig/debian/patches-applied/038_support_hurd +++ pam-0.99.7.1/debian/patches-applied/038_support_hurd @@ -0,0 +1,106 @@ +Prefer using getline() instead of a static buffer; makes pam_rhosts +portable to Hurd. + +Authors: Michal 'hramrach' Suchanek" <hramrach_l@centrum.cz>, + Steve Langasek <vorlon@debian.org> + +Upstream status: committed to CVS. + +Index: Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c +=================================================================== +--- Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c.orig ++++ Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c +@@ -293,7 +293,6 @@ + /* + luser is user entry from .rhosts/hosts.equiv file + ruser is user id on remote host +- rhost is the remote host name + */ + const void *user; + +@@ -348,11 +347,17 @@ + register const char *user; + register char *p; + int hcheck, ucheck; +- char buf[MAXHOSTNAMELEN + 128]; /* host + login */ ++ int retval = 1; ++#ifdef HAVE_GETLINE ++ char *buf=NULL; ++ size_t buflen=0; + +- buf[sizeof (buf)-1] = '\0'; /* terminate line */ ++ while (getline(&buf,&buflen,hostf) > 0) { ++#else ++ char buf[MAXHOSTNAMELEN + 128]; /* host + login */ + + while (fgets(buf, sizeof(buf), hostf) != NULL) { /* hostf file line */ ++#endif + p = buf; /* from beginning of file.. */ + + /* Skip empty or comment lines */ +@@ -401,7 +406,7 @@ + hcheck=__icheckhost(pamh, opts, raddr, buf, rhost); + + if (hcheck<0) +- return(1); ++ break; + + if (hcheck) { + /* Then check user part */ +@@ -411,18 +416,23 @@ + ucheck=__icheckuser(pamh, opts, user, ruser); + + /* Positive 'host user' match? */ +- if (ucheck>0) +- return(0); ++ if (ucheck>0) { ++ retval = 0; ++ break; ++ } + + /* Negative 'host -user' match? */ + if (ucheck<0) +- return(1); ++ break; + + /* Neither, go on looking for match */ + } + } ++#ifdef HAVE_GETLINE ++ if(buf)free(buf); ++#endif + +- return (1); ++ return retval; + } + + /* +Index: Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM/modules/pam_limits/pam_limits.c.orig ++++ Linux-PAM/modules/pam_limits/pam_limits.c +@@ -14,7 +14,7 @@ + */ + + #if !defined(linux) && !defined(__linux) +-#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! ++#warning THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! + #endif + + #include "config.h" +Index: Linux-PAM/modules/pam_xauth/pam_xauth.c +=================================================================== +--- Linux-PAM/modules/pam_xauth/pam_xauth.c.orig ++++ Linux-PAM/modules/pam_xauth/pam_xauth.c +@@ -63,6 +63,11 @@ + #define XAUTHDEF ".Xauthority" + #define XAUTHTMP ".xauthXXXXXX" + ++/* Hurd compatibility */ ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif ++ + /* Possible paths to xauth executable */ + static const char * const xauthpaths[] = { + #ifdef PAM_PATH_XAUTH --- pam-0.99.7.1.orig/debian/patches-applied/008_modules_pam_limits_chroot +++ pam-0.99.7.1/debian/patches-applied/008_modules_pam_limits_chroot @@ -0,0 +1,346 @@ +Index: Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM/modules/pam_limits/pam_limits.c.orig ++++ Linux-PAM/modules/pam_limits/pam_limits.c +@@ -74,6 +74,7 @@ + int flag_numsyslogins; /* whether to limit logins only for a + specific user or to count all logins */ + int priority; /* the priority to run user process with */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + char conf_file[BUFSIZ]; + int utmp_after_pam_call; +@@ -84,6 +85,7 @@ + #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 + + #define LIMIT_PRI RLIM_NLIMITS+3 ++#define LIMIT_CHROOT RLIM_NLIMITS+4 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -238,6 +240,8 @@ + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -306,6 +310,8 @@ + pl->flag_numsyslogins = 1; + } else if (strcmp(lim_item, "priority") == 0) { + limit_item = LIMIT_PRI; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -343,9 +349,9 @@ + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -392,7 +398,9 @@ + break; + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) ++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)); ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) ) { + if (limit_type & LIMIT_SOFT) { +@@ -590,6 +598,13 @@ + retval |= LOGIN_ERR; + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); ++ if (i == 0) ++ i = chroot(pl->chroot_dir); ++ if (i != 0) ++ retval = LIMIT_ERR; ++ } + return retval; + } + +Index: Linux-PAM/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- Linux-PAM/modules/pam_limits/limits.conf.5.xml.orig ++++ Linux-PAM/modules/pam_limits/limits.conf.5.xml +@@ -223,6 +223,12 @@ + (Linux 2.6.12 and higher)</para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term><option>chroot</option></term> ++ <listitem> ++ <para>the directory to chroot the user to</para> ++ </listitem> ++ </varlistentry> + </variablelist> + </listitem> + </varlistentry> +Index: Linux-PAM/modules/pam_limits/limits.conf.5 +=================================================================== +--- Linux-PAM/modules/pam_limits/limits.conf.5.orig ++++ Linux-PAM/modules/pam_limits/limits.conf.5 +@@ -1,11 +1,11 @@ + .\" Title: limits.conf + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +-.\" Date: 06/22/2006 +-.\" Manual: Linux\-PAM Manual +-.\" Source: Linux\-PAM Manual ++.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/> ++.\" Date: 08/19/2007 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM Manual + .\" +-.TH "LIMITS.CONF" "5" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" ++.TH "LIMITS.CONF" "5" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -23,38 +23,45 @@ + \fI<value>\fR + .PP + The fields listed above should be filled as follows: +-.TP 3n ++.PP + \fB<domain>\fR +-.RS 3n +-.TP 3n +-\(bu +-a username +-.TP 3n +-\(bu +-a groupname, with ++.RS 4 ++.sp ++.RS 4 ++\h'-04'\(bu\h'+03'a username ++.RE ++.sp ++.RS 4 ++\h'-04'\(bu\h'+03'a groupname, with + \fB@group\fR + syntax. This should not be confused with netgroups. +-.TP 3n +-\(bu +-the wildcard ++.RE ++.sp ++.RS 4 ++\h'-04'\(bu\h'+03'the wildcard + \fB*\fR, for default entry. +-.TP 3n +-\(bu +-the wildcard ++.RE ++.sp ++.RS 4 ++\h'-04'\(bu\h'+03'the wildcard + \fB%\fR, for maxlogins limit only, can also be used with + \fI%group\fR + syntax. + .RE +-.TP 3n ++.RE ++.PP + \fB<type>\fR +-.RS 3n +-.TP 3n ++.RS 4 ++.PP + \fBhard\fR ++.RS 4 + for enforcing + \fBhard\fR + resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values. +-.TP 3n ++.RE ++.PP + \fBsoft\fR ++.RS 4 + for enforcing + \fBsoft\fR + resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting +@@ -62,8 +69,10 @@ + limits. The values specified with this token can be thought of as + \fIdefault\fR + values, for normal system usage. +-.TP 3n ++.RE ++.PP + \fB\-\fR ++.RS 4 + for enforcing both + \fBsoft\fR + and +@@ -72,65 +81,107 @@ + .sp + Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. . + .RE +-.TP 3n ++.RE ++.PP + \fB<item>\fR +-.RS 3n +-.TP 3n ++.RS 4 ++.PP + \fBcore\fR ++.RS 4 + limits the core file size (KB) +-.TP 3n ++.RE ++.PP + \fBdata\fR ++.RS 4 + maximum data size (KB) +-.TP 3n ++.RE ++.PP + \fBfsize\fR ++.RS 4 + maximum filesize (KB) +-.TP 3n ++.RE ++.PP + \fBmemlock\fR ++.RS 4 + maximum locked\-in\-memory address space (KB) +-.TP 3n ++.RE ++.PP + \fBnofile\fR ++.RS 4 + maximum number of open files +-.TP 3n ++.RE ++.PP + \fBrss\fR ++.RS 4 + maximum resident set size (KB) +-.TP 3n ++.RE ++.PP + \fBstack\fR ++.RS 4 + maximum stack size (KB) +-.TP 3n ++.RE ++.PP + \fBcpu\fR ++.RS 4 + maximum CPU time (minutes) +-.TP 3n ++.RE ++.PP + \fBnproc\fR ++.RS 4 + maximum number of processes +-.TP 3n ++.RE ++.PP + \fBas\fR ++.RS 4 + address space limit +-.TP 3n ++.RE ++.PP + \fBmaxlogins\fR ++.RS 4 + maximum number of logins for this user +-.TP 3n ++.RE ++.PP + \fBmaxsyslogins\fR ++.RS 4 + maximum number of logins on system +-.TP 3n ++.RE ++.PP + \fBpriority\fR ++.RS 4 + the priority to run user process with (negative values boost process priority) +-.TP 3n ++.RE ++.PP + \fBlocks\fR ++.RS 4 + maximum locked files (Linux 2.4 and higher) +-.TP 3n ++.RE ++.PP + \fBsigpending\fR ++.RS 4 + maximum number of pending signals (Linux 2.6 and higher) +-.TP 3n ++.RE ++.PP + \fBmsqqueue\fR ++.RS 4 + maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher) +-.TP 3n ++.RE ++.PP + \fBnice\fR ++.RS 4 + maximum nice priority allowed to raise to (Linux 2.6.12 and higher) +-.TP 3n ++.RE ++.PP + \fBrtprio\fR ++.RS 4 + maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher) + .RE + .PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to ++.RE ++.RE ++.PP + In general, individual limits have priority over group limits, so if you impose no limits for + \fIadmin\fR + group, but one of the members in this group have a limits line, the user will have its limits set according to this line. +@@ -149,7 +200,7 @@ + These are some example lines which might be specified in + \fI/etc/security/limits.conf\fR. + .sp +-.RS 3n ++.RS 4 + .nf + * soft core 0 + * hard rss 10000 +Index: Linux-PAM/modules/pam_limits/limits.conf +=================================================================== +--- Linux-PAM/modules/pam_limits/limits.conf.orig ++++ Linux-PAM/modules/pam_limits/limits.conf +@@ -35,6 +35,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + #<domain> <type> <item> <value> + # +@@ -45,6 +46,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file --- pam-0.99.7.1.orig/debian/patches-applied/ubuntu-regression_fix_securetty +++ pam-0.99.7.1/debian/patches-applied/ubuntu-regression_fix_securetty @@ -0,0 +1,13 @@ +Index: pam-0.99.7.1/Linux-PAM/modules/pam_securetty/pam_securetty.c +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_securetty/pam_securetty.c 2007-09-12 15:18:49.000000000 -0700 ++++ pam-0.99.7.1/Linux-PAM/modules/pam_securetty/pam_securetty.c 2007-09-12 15:19:37.000000000 -0700 +@@ -83,7 +83,7 @@ + + user_pwd = pam_modutil_getpwnam(pamh, username); + if (user_pwd == NULL) { +- return PAM_USER_UNKNOWN; ++ return PAM_IGNORE; + } else if (user_pwd->pw_uid != 0) { /* If the user is not root, + securetty's does not apply + to them */ --- pam-0.99.7.1.orig/debian/patches-applied/015_hurd_portability +++ pam-0.99.7.1/debian/patches-applied/015_hurd_portability @@ -0,0 +1,60 @@ +Patch from Debian bug #76119 +Authors: Igor Khavkine <i_khavki@alcor.concordia.ca> + +Upstream status: committed to CVS + +Index: Linux-PAM/configure.in +=================================================================== +--- Linux-PAM/configure.in.orig ++++ Linux-PAM/configure.in +@@ -389,7 +389,7 @@ + AC_HEADER_DIRENT + AC_HEADER_STDC + AC_HEADER_SYS_WAIT +-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h termio.h unistd.h sys/fsuid.h inittypes.h) ++AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h) + + AC_CHECK_HEADERS(crypt.h) + +Index: Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c +=================================================================== +--- Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c.orig ++++ Linux-PAM/modules/pam_rhosts/pam_rhosts_auth.c +@@ -64,11 +64,10 @@ + #include <sys/fsuid.h> + #endif /* HAVE_SYS_FSUID_H */ + #ifdef HAVE_NET_IF_H +-#include <sys/if.h> ++#include <net/if.h> + #endif + #include <sys/types.h> + #include <sys/uio.h> +-#include <net/if.h> + #include <netinet/in.h> + + #ifndef MAXDNAME +Index: Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM/modules/pam_limits/pam_limits.c.orig ++++ Linux-PAM/modules/pam_limits/pam_limits.c +@@ -280,8 +280,10 @@ + limit_item = RLIMIT_NOFILE; + else if (strcmp(lim_item, "memlock") == 0) + limit_item = RLIMIT_MEMLOCK; ++#ifdef RLIMIT_AS + else if (strcmp(lim_item, "as") == 0) + limit_item = RLIMIT_AS; ++#endif /*RLIMIT_AS*/ + #ifdef RLIMIT_LOCKS + else if (strcmp(lim_item, "locks") == 0) + limit_item = RLIMIT_LOCKS; +@@ -385,7 +387,9 @@ + case RLIMIT_CORE: + case RLIMIT_RSS: + case RLIMIT_MEMLOCK: ++#ifdef RLIMIT_AS + case RLIMIT_AS: ++#endif + if (rlimit_value != RLIM_INFINITY) + rlimit_value *= 1024; + break; --- pam-0.99.7.1.orig/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ pam-0.99.7.1/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root @@ -0,0 +1,110 @@ +Allow explicit limits for root. +Also, remove limits on su. +Index: Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM/modules/pam_limits/pam_limits.c.orig ++++ Linux-PAM/modules/pam_limits/pam_limits.c +@@ -69,6 +69,7 @@ + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? */ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -219,6 +220,7 @@ + + D(("called.")); + ++ pl->root = 0; + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -230,6 +232,38 @@ + pl->limits[i].supported = 1; + pl->limits[i].src_soft = LIMITS_DEF_NONE; + pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++ case RLIMIT_NOFILE: ++ case RLIMIT_MEMLOCK: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ } + } + } + +@@ -510,7 +544,7 @@ + if (i == 4) { /* a complete line */ + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -519,7 +553,7 @@ + if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -533,7 +567,7 @@ + process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, + pl); + } +- } else if (strcmp(domain, "*") == 0) ++ } else if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ +@@ -568,6 +602,12 @@ + int status; + int retval = LIMITED_OK; + ++ if (uid == 0) { ++ /* do not impose +ve priority limits on the superuser */ ++ if (pl->priority > 0) ++ pl->priority = 0; ++ } ++ + for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) { + if (!pl->limits[i].supported) { + /* skip it if its not known to the system */ +@@ -648,6 +688,8 @@ + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl.root = 1; + retval = parse_config_file(pamh, pwd->pw_name, ctrl, &pl); + if (retval == PAM_IGNORE) { + D(("the configuration file has an applicable '<domain> -' entry")); --- pam-0.99.7.1.orig/debian/patches-applied/ubuntu-pam_selinux_seusers +++ pam-0.99.7.1/debian/patches-applied/ubuntu-pam_selinux_seusers @@ -0,0 +1,692 @@ +--- + Linux-PAM/modules/pam_selinux/pam_selinux.8.xml | 39 +- + Linux-PAM/modules/pam_selinux/pam_selinux.c | 464 ++++++++++++++++++------ + 2 files changed, 377 insertions(+), 126 deletions(-) + +Index: pam-0.99.7.1/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml ++++ pam-0.99.7.1/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml +@@ -25,9 +25,6 @@ + debug + </arg> + <arg choice="opt"> +- multiple +- </arg> +- <arg choice="opt"> + open + </arg> + <arg choice="opt"> +@@ -36,6 +33,12 @@ + <arg choice="opt"> + verbose + </arg> ++ <arg choice="opt"> ++ select_context ++ </arg> ++ <arg choice="opt"> ++ use_current_range ++ </arg> + </cmdsynopsis> + </refsynopsisdiv> + +@@ -93,43 +96,53 @@ + </varlistentry> + <varlistentry> + <term> +- <option>multiple</option> ++ <option>open</option> + </term> + <listitem> + <para> +- Tells pam_selinux.so to allow the user to select the +- security context they will login with, if the user has +- more than one role. ++ Only execute the open_session portion of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> +- <option>open</option> ++ <option>nottys</option> + </term> + <listitem> + <para> +- Only execute the open_session portion of the module. ++ Do not try to setup the ttys security context. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> +- <option>nottys</option> ++ <option>verbose</option> + </term> + <listitem> + <para> +- Do not try to setup the ttys security context. ++ attempt to inform the user when security context is set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> +- <option>verbose</option> ++ <option>select_context</option> + </term> + <listitem> + <para> +- attempt to inform the user when security context is set. ++ Attempt to ask the user for a custom security context role. ++ If MLS is on ask also for sensitivity level. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>use_current_range</option> ++ </term> ++ <listitem> ++ <para> ++ Use the sensitivity range of the process for the user context. ++ This option and the select_context option are mutually exclusive. + </para> + </listitem> + </varlistentry> +Index: pam-0.99.7.1/Linux-PAM/modules/pam_selinux/pam_selinux.c +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_selinux/pam_selinux.c ++++ pam-0.99.7.1/Linux-PAM/modules/pam_selinux/pam_selinux.c +@@ -63,9 +63,67 @@ + #include <selinux/selinux.h> + #include <selinux/get_context_list.h> + #include <selinux/flask.h> ++#include <selinux/av_permissions.h> + #include <selinux/selinux.h> + #include <selinux/context.h> ++#include <selinux/get_default_type.h> + ++#ifdef HAVE_LIBAUDIT ++#include <libaudit.h> ++#include <sys/select.h> ++#include <errno.h> ++#endif ++ ++/* Send audit message */ ++static ++ ++int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, ++ security_context_t selected_context) ++{ ++ int rc=0; ++#ifdef HAVE_LIBAUDIT ++ char *msg = NULL; ++ int audit_fd = audit_open(); ++ security_context_t default_raw=NULL; ++ security_context_t selected_raw=NULL; ++ rc = -1; ++ if (audit_fd < 0) { ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return 0; /* No audit support in kernel */ ++ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.")); ++ return rc; ++ } ++ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error translating default context.")); ++ default_raw = NULL; ++ } ++ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.")); ++ selected_raw = NULL; ++ } ++ if (asprintf(&msg, "pam: default-context=%s selected-context=%s", ++ default_raw ? default_raw : (default_context ? default_context : "?"), ++ selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { ++ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.")); ++ goto out; ++ } ++ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, ++ msg, NULL, NULL, NULL, success) <= 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.")); ++ goto out; ++ } ++ rc = 0; ++ out: ++ free(msg); ++ freecon(default_raw); ++ freecon(selected_raw); ++ close(audit_fd); ++#else ++ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); ++#endif ++ return rc; ++} + static int + send_text (pam_handle_t *pamh, const char *text, int debug) + { +@@ -79,119 +137,64 @@ send_text (pam_handle_t *pamh, const cha + * is responsible for freeing the responses. + */ + static int +-query_response (pam_handle_t *pamh, const char *text, ++query_response (pam_handle_t *pamh, const char *text, const char *def, + char **responses, int debug) + { ++ int rc; ++ if (def) ++ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def); ++ else ++ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text); + if (debug) +- pam_syslog(pamh, LOG_NOTICE, "%s", text); +- +- return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text); +-} +- +-static security_context_t +-select_context (pam_handle_t *pamh, security_context_t* contextlist, +- int debug) +-{ +- char *responses; +- char *text=calloc(PATH_MAX,1); +- +- if (text == NULL) +- return (security_context_t) strdup(contextlist[0]); +- +- snprintf(text, PATH_MAX, +- _("Your default context is %s. \n"), contextlist[0]); +- send_text(pamh,text,debug); +- free(text); +- query_response(pamh,_("Do you want to choose a different one? [n]"), +- &responses,debug); +- if (responses && ((responses[0] == 'y') || +- (responses[0] == 'Y'))) +- { +- int choice=0; +- int i; +- const char *prompt=_("Enter number of choice: "); +- int len=strlen(prompt); +- char buf[PATH_MAX]; +- +- _pam_drop(responses); +- for (i = 0; contextlist[i]; i++) { +- len+=strlen(contextlist[i]) + 10; +- } +- text=calloc(len,1); +- for (i = 0; contextlist[i]; i++) { +- snprintf(buf, PATH_MAX, +- "[%d] %s\n", i+1, contextlist[i]); +- strncat(text,buf,len); +- } +- strcat(text,prompt); +- while ((choice < 1) || (choice > i)) { +- query_response(pamh,text,&responses,debug); +- choice = strtol (responses, NULL, 10); +- _pam_drop(responses); +- } +- free(text); +- return (security_context_t) strdup(contextlist[choice-1]); +- } +- else if (responses) +- _pam_drop(responses); +- +- return (security_context_t) strdup(contextlist[0]); ++ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]); ++ return rc; + } + + static security_context_t + manual_context (pam_handle_t *pamh, const char *user, int debug) + { +- security_context_t newcon; ++ security_context_t newcon=NULL; + context_t new_context; + int mls_enabled = is_selinux_mls_enabled(); +- +- char *responses; ++ char *type=NULL; ++ char *responses=NULL; + + while (1) { + query_response(pamh, +- _("Would you like to enter a security context? [y] "), ++ _("Would you like to enter a security context? [N] "), NULL, + &responses,debug); +- if ((responses[0] == 'y') || (responses[0] == 'Y') || +- (responses[0] == '\0') ) ++ if ((responses[0] == 'y') || (responses[0] == 'Y')) + { + if (mls_enabled) + new_context = context_new ("user:role:type:level"); + else + new_context = context_new ("user:role:type"); +- _pam_drop(responses); + +- /* Allow the user to enter each field of the context individually */ ++ if (!new_context) ++ goto fail_set; ++ + if (context_user_set (new_context, user)) +- { +- context_free (new_context); +- return NULL; +- } +- query_response(pamh,_("role: "),&responses,debug); +- if (context_role_set (new_context, responses)) +- { +- _pam_drop(responses); +- context_free (new_context); +- return NULL; +- } ++ goto fail_set; ++ + _pam_drop(responses); +- query_response(pamh,_("type: "),&responses,debug); +- if (context_type_set (new_context, responses)) +- { +- _pam_drop(responses); +- context_free (new_context); +- return NULL; +- } ++ /* Allow the user to enter each field of the context individually */ ++ query_response(pamh,_("role:"), NULL, &responses,debug); ++ if (responses[0] != '\0') { ++ if (context_role_set (new_context, responses)) ++ goto fail_set; ++ if (get_default_type(responses, &type)) ++ goto fail_set; ++ if (context_type_set (new_context, type)) ++ goto fail_set; ++ } + _pam_drop(responses); + if (mls_enabled) + { +- query_response(pamh,_("level: "),&responses,debug); +- if (context_range_set (new_context, responses)) +- { +- _pam_drop(responses); +- context_free (new_context); +- return NULL; +- } +- _pam_drop(responses); ++ query_response(pamh,_("level:"), NULL, &responses,debug); ++ if (responses[0] != '\0') { ++ if (context_range_set (new_context, responses)) ++ goto fail_set; ++ } + } + /* Get the string value of the context and see if it is valid. */ + if (!security_check_context(context_str(new_context))) { +@@ -201,14 +204,129 @@ manual_context (pam_handle_t *pamh, cons + } + else + send_text(pamh,_("Not a valid security context"),debug); ++ context_free (new_context); + } + else { + _pam_drop(responses); + return NULL; + } + } /* end while */ ++ fail_set: ++ free(type); ++ _pam_drop(responses); ++ context_free (new_context); ++ return NULL; ++} ++ ++static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) ++{ ++ struct av_decision avd; ++ int retval; ++ unsigned int bit = CONTEXT__CONTAINS; ++ context_t src_context = context_new (src); ++ context_t dst_context = context_new (dst); ++ context_range_set(dst_context, context_range_get(src_context)); ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); ++ ++ retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd); ++ context_free(src_context); ++ context_free(dst_context); ++ if (retval || ((bit & avd.allowed) != bit)) ++ return 0; ++ ++ return 1; ++} ++ ++static security_context_t ++config_context (pam_handle_t *pamh, security_context_t puser_context, int debug) ++{ ++ security_context_t newcon=NULL; ++ context_t new_context; ++ int mls_enabled = is_selinux_mls_enabled(); ++ char *responses=NULL; ++ char *type=NULL; ++ char resp_val = 0; ++ ++ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context); ++ ++ while (1) { ++ query_response(pamh, ++ _("Would you like to enter a different role or level?"), "n", ++ &responses,debug); ++ ++ resp_val = responses[0]; ++ _pam_drop(responses); ++ if ((resp_val == 'y') || (resp_val == 'Y')) ++ { ++ new_context = context_new(puser_context); ++ ++ /* Allow the user to enter role and level individually */ ++ query_response(pamh,_("role:"), context_role_get(new_context), ++ &responses, debug); ++ if (responses[0]) { ++ if (get_default_type(responses, &type)) { ++ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses); ++ _pam_drop(responses); ++ continue; ++ } else { ++ if (context_role_set(new_context, responses)) ++ goto fail_set; ++ if (context_type_set (new_context, type)) ++ goto fail_set; ++ } ++ } ++ _pam_drop(responses); ++ if (mls_enabled) ++ { ++ query_response(pamh,_("level:"), context_range_get(new_context), ++ &responses, debug); ++ if (responses[0]) { ++ if (context_range_set(new_context, responses)) ++ goto fail_set; ++ } ++ _pam_drop(responses); ++ } ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); ++ ++ /* Get the string value of the context and see if it is valid. */ ++ if (!security_check_context(context_str(new_context))) { ++ newcon = strdup(context_str(new_context)); ++ context_free (new_context); ++ ++ /* we have to check that this user is allowed to go into the ++ range they have specified ... role is tied to an seuser, so that'll ++ be checked at setexeccon time */ ++ if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { ++ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); ++ ++ send_audit_message(pamh, 0, puser_context, newcon); ++ ++ free(newcon); ++ goto fail_range; ++ } ++ return newcon; ++ } ++ else { ++ send_audit_message(pamh, 0, puser_context, context_str(new_context)); ++ send_text(pamh,_("Not a valid security context"),debug); ++ } ++ context_free(new_context); /* next time around allocates another */ ++ } ++ else ++ return strdup(puser_context); ++ } /* end while */ + + return NULL; ++ ++ fail_set: ++ free(type); ++ _pam_drop(responses); ++ context_free (new_context); ++ send_audit_message(pamh, 0, puser_context, NULL); ++ fail_range: ++ return NULL; + } + + static void +@@ -322,12 +440,17 @@ pam_sm_open_session(pam_handle_t *pamh, + int argc, const char **argv) + { + int i, debug = 0, ttys=1, has_tty=isatty(0); +- int verbose=0, multiple=0, close_session=0; ++ int verbose=0, close_session=0; ++ int select_context = 0; ++ int use_current_range = 0; + int ret = 0; + security_context_t* contextlist = NULL; + int num_contexts = 0; +- const void *username = NULL; ++ const char *username = NULL; + const void *tty = NULL; ++ char *seuser=NULL; ++ char *level=NULL; ++ security_context_t default_user_context=NULL; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { +@@ -340,17 +463,25 @@ pam_sm_open_session(pam_handle_t *pamh, + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; + } +- if (strcmp(argv[i], "multiple") == 0) { +- multiple = 1; +- } + if (strcmp(argv[i], "close") == 0) { + close_session = 1; + } ++ if (strcmp(argv[i], "select_context") == 0) { ++ select_context = 1; ++ } ++ if (strcmp(argv[i], "use_current_range") == 0) { ++ use_current_range = 1; ++ } + } +- ++ + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + ++ if (select_context && use_current_range) { ++ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range"); ++ select_context = 0; ++ } ++ + /* this module is only supposed to execute close_session */ + if (close_session) + return PAM_SUCCESS; +@@ -358,34 +489,110 @@ pam_sm_open_session(pam_handle_t *pamh, + if (!(selinux_enabled = is_selinux_enabled()>0) ) + return PAM_SUCCESS; + +- if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || ++ if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || + username == NULL) { + return PAM_USER_UNKNOWN; + } +- num_contexts = get_ordered_context_list(username, 0, &contextlist); ++ ++ if (getseuserbyname(username, &seuser, &level)==0) { ++ num_contexts = get_ordered_context_list_with_level(seuser, ++ level, ++ NULL, ++ &contextlist); ++ if (debug) ++ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", ++ username, seuser, level); ++ free(seuser); ++ free(level); ++ } + if (num_contexts > 0) { +- if (multiple && (num_contexts > 1) && has_tty) { +- user_context = select_context(pamh,contextlist, debug); +- freeconary(contextlist); +- } else { +- user_context = (security_context_t) strdup(contextlist[0]); +- freeconary(contextlist); +- } +- } else { ++ default_user_context=strdup(contextlist[0]); ++ freeconary(contextlist); ++ if (default_user_context == NULL) { ++ pam_syslog(pamh, LOG_ERR, _("Out of memory")); ++ return PAM_AUTH_ERR; ++ } ++ user_context = default_user_context; ++ if (select_context && has_tty) { ++ user_context = config_context(pamh, default_user_context, debug); ++ if (user_context == NULL) { ++ freecon(default_user_context); ++ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), ++ username); ++ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); ++ if (security_getenforce() == 1) ++ return PAM_AUTH_ERR; ++ else ++ return PAM_SUCCESS; ++ } ++ } ++ } ++ else { + if (has_tty) { +- user_context = manual_context(pamh,username,debug); ++ user_context = manual_context(pamh,seuser,debug); + if (user_context == NULL) { + pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", +- (const char *)username); +- return PAM_AUTH_ERR; ++ username); ++ if (security_getenforce() == 1) ++ return PAM_AUTH_ERR; ++ else ++ return PAM_SUCCESS; + } + } else { + pam_syslog (pamh, LOG_ERR, + "Unable to get valid context for %s, No valid tty", +- (const char *)username); ++ username); ++ if (security_getenforce() == 1) ++ return PAM_AUTH_ERR; ++ else ++ return PAM_SUCCESS; ++ } ++ } ++ ++ if (use_current_range && is_selinux_mls_enabled()) { ++ security_context_t process_context=NULL; ++ if (getcon(&process_context) == 0) { ++ context_t pcon, ucon; ++ char *process_level=NULL; ++ security_context_t orig_context; ++ ++ if (user_context) ++ orig_context = user_context; ++ else ++ orig_context = default_user_context; ++ ++ pcon = context_new(process_context); ++ freecon(process_context); ++ process_level = strdup(context_range_get(pcon)); ++ context_free(pcon); ++ ++ if (debug) ++ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level); ++ ++ ucon = context_new(orig_context); ++ ++ context_range_set(ucon, process_level); ++ free(process_level); ++ ++ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) { ++ send_text(pamh, _("Requested MLS level not in permitted range"), debug); ++ /* even if default_user_context is NULL audit that anyway */ ++ send_audit_message(pamh, 0, default_user_context, context_str(ucon)); ++ context_free(ucon); + return PAM_AUTH_ERR; ++ } ++ ++ if (debug) ++ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon)); ++ ++ /* replace the user context with the level adjusted one */ ++ freecon(user_context); ++ user_context = strdup(context_str(ucon)); ++ ++ context_free(ucon); + } + } ++ + if (getexeccon(&prev_user_context)<0) { + prev_user_context=NULL; + } +@@ -410,6 +617,10 @@ pam_sm_open_session(pam_handle_t *pamh, + ttyn=strdup(tty); + ttyn_context=security_label_tty(pamh,ttyn,user_context); + } ++ send_audit_message(pamh, 1, default_user_context, user_context); ++ if (default_user_context != user_context) { ++ freecon(default_user_context); ++ } + ret = setexeccon(user_context); + if (ret==0 && verbose) { + char msg[PATH_MAX]; +@@ -420,14 +631,38 @@ pam_sm_open_session(pam_handle_t *pamh, + if (ret) { + pam_syslog(pamh, LOG_ERR, + "Error! Unable to set %s executable context %s.", +- (const char *)username, user_context); +- freecon(user_context); +- return PAM_AUTH_ERR; ++ username, user_context); ++ if (security_getenforce() == 1) { ++ freecon(user_context); ++ return PAM_AUTH_ERR; ++ } + } else { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", +- (const char *)username, user_context); ++ username, user_context); ++ } ++#ifdef HAVE_SETKEYCREATECON ++ ret = setkeycreatecon(user_context); ++ if (ret==0 && verbose) { ++ char msg[PATH_MAX]; ++ snprintf(msg, sizeof(msg), ++ _("Key Creation Context %s Assigned"), user_context); ++ verbose_message(pamh, msg, debug); ++ } ++ if (ret) { ++ pam_syslog(pamh, LOG_ERR, ++ "Error! Unable to set %s key creation context %s.", ++ username, user_context); ++ if (security_getenforce() == 1) { ++ freecon(user_context); ++ return PAM_AUTH_ERR; ++ } ++ } else { ++ if (debug) ++ pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", ++ username, user_context); + } ++#endif + freecon(user_context); + + return PAM_SUCCESS; +@@ -472,7 +707,10 @@ pam_sm_close_session(pam_handle_t *pamh, + if (status) { + pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.", + prev_user_context); +- return PAM_AUTH_ERR; ++ if (security_getenforce() == 1) ++ return PAM_AUTH_ERR; ++ else ++ return PAM_SUCCESS; + } + + if (debug) --- pam-0.99.7.1.orig/debian/patches-applied/043_pam_unix_unknown_user_not_alert +++ pam-0.99.7.1/debian/patches-applied/043_pam_unix_unknown_user_not_alert @@ -0,0 +1,41 @@ +Patch for Debian bugs #95220, #175900 + +A wrong username doesn't need to be logged as an 'alert', a 'warning' +should be sufficient. + +Authors: Sam Hartman <hartmans@debian.org> + +Upstream status: committed to CVS + +Index: Linux-PAM/modules/pam_unix/support.c +=================================================================== +--- Linux-PAM/modules/pam_unix/support.c.orig ++++ Linux-PAM/modules/pam_unix/support.c +@@ -675,12 +675,12 @@ + if (on(UNIX_AUDIT, ctrl)) { + /* this might be a typo and the user has given a password + instead of a username. Careful with this. */ +- pam_syslog(pamh, LOG_ALERT, ++ pam_syslog(pamh, LOG_WARNING, + "check pass; user (%s) unknown", name); + } else { + name = NULL; + if (on(UNIX_DEBUG, ctrl) || pwd == NULL) { +- pam_syslog(pamh, LOG_ALERT, ++ pam_syslog(pamh, LOG_WARNING, + "check pass; user unknown"); + } else { + /* don't log failure as another pam module can succeed */ +Index: Linux-PAM/modules/pam_unix/unix_chkpwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/unix_chkpwd.c.orig ++++ Linux-PAM/modules/pam_unix/unix_chkpwd.c +@@ -179,7 +179,7 @@ + } + } + if (pwd == NULL || salt == NULL) { +- _log_err(LOG_ALERT, "check pass; user unknown"); ++ _log_err(LOG_WARNING, "check pass; user unknown"); + p = NULL; + return PAM_USER_UNKNOWN; + } --- pam-0.99.7.1.orig/debian/patches-applied/006_docs_cleanup +++ pam-0.99.7.1/debian/patches-applied/006_docs_cleanup @@ -0,0 +1,31 @@ +Upstream status: committed to CVS + +Index: Linux-PAM/doc/man/pam.conf-syntax.xml +=================================================================== +--- Linux-PAM/doc/man/pam.conf-syntax.xml.orig ++++ Linux-PAM/doc/man/pam.conf-syntax.xml +@@ -211,7 +211,8 @@ + <emphasis>authtok_disable_aging</emphasis>, + <emphasis>try_again</emphasis>, <emphasis>ignore</emphasis>, + <emphasis>abort</emphasis>, <emphasis>authtok_expired</emphasis>, +- <emphasis>module_unknown</emphasis>, <emphasis>bad_item</emphasis> ++ <emphasis>module_unknown</emphasis>, <emphasis>bad_item</emphasis>, ++ <emphasis>conv_again</emphasis>, <emphasis>incomplete</emphasis>, + and <emphasis>default</emphasis>. + </para> + <para> +Index: Linux-PAM/doc/man/pam.conf.5 +=================================================================== +--- Linux-PAM/doc/man/pam.conf.5.orig ++++ Linux-PAM/doc/man/pam.conf.5 +@@ -175,7 +175,9 @@ + \fIabort\fR, + \fIauthtok_expired\fR, + \fImodule_unknown\fR, +-\fIbad_item\fR ++\fIbad_item\fR, ++\fIconv_again\fR, ++\fIincomplete\fR, + and + \fIdefault\fR. + .PP --- pam-0.99.7.1.orig/debian/patches-applied/autoconf.patch +++ pam-0.99.7.1/debian/patches-applied/autoconf.patch @@ -0,0 +1,4851 @@ +The process for refreshing this patch is: + + export QUILT_PATCHES=debian/patches-applied + quilt push autoconf.patch # to get everything applied up to this point + quilt push -f autoconf.patch # to override the errors when applying + (cd Linux-PAM && autoheader && aclocal -I m4 && automake && autoconf) + quilt refresh + find . -name '*.rej' | xargs rm + +Index: pam/Linux-PAM/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/Makefile.in ++++ pam/Linux-PAM/Makefile.in +@@ -39,7 +39,7 @@ + DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in $(srcdir)/config.h.in \ + $(top_srcdir)/configure ABOUT-NLS AUTHORS COPYING ChangeLog \ +- INSTALL NEWS compile config.guess config.rpath config.sub \ ++ INSTALL NEWS TODO compile config.guess config.rpath config.sub \ + depcomp install-sh ltmain.sh missing mkinstalldirs ylwrap + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ +@@ -171,6 +171,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/aclocal.m4 +=================================================================== +--- pam.orig/Linux-PAM/aclocal.m4 ++++ pam/Linux-PAM/aclocal.m4 +@@ -18,7 +18,7 @@ + + # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- + +-# serial 48 AC_PROG_LIBTOOL ++# serial 51 Debian 1.5.24-1 AC_PROG_LIBTOOL + + + # AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED) +@@ -181,7 +181,7 @@ + test -z "$ac_objext" && ac_objext=o + + # Determine commands to create old-style static archives. +-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' ++old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' + old_postinstall_cmds='chmod 644 $oldlib' + old_postuninstall_cmds= + +@@ -268,8 +268,9 @@ + # Check for compiler boilerplate output or warnings with + # the simple compiler test code. + AC_DEFUN([_LT_COMPILER_BOILERPLATE], +-[ac_outfile=conftest.$ac_objext +-printf "$lt_simple_compile_test_code" >conftest.$ac_ext ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++ac_outfile=conftest.$ac_objext ++echo "$lt_simple_compile_test_code" >conftest.$ac_ext + eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_compiler_boilerplate=`cat conftest.err` + $rm conftest* +@@ -281,8 +282,9 @@ + # Check for linker boilerplate output or warnings with + # the simple link test code. + AC_DEFUN([_LT_LINKER_BOILERPLATE], +-[ac_outfile=conftest.$ac_objext +-printf "$lt_simple_link_test_code" >conftest.$ac_ext ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++ac_outfile=conftest.$ac_objext ++echo "$lt_simple_link_test_code" >conftest.$ac_ext + eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_linker_boilerplate=`cat conftest.err` + $rm conftest* +@@ -298,12 +300,20 @@ + # If we don't find anything, use the default library path according + # to the aix ld manual. + AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX], +-[AC_LINK_IFELSE(AC_LANG_PROGRAM,[ +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++AC_LINK_IFELSE(AC_LANG_PROGRAM,[ ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi],[]) ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi],[]) + if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi + ])# _LT_AC_SYS_LIBPATH_AIX + +@@ -534,13 +544,17 @@ + rm -rf conftest* + ;; + +-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*) ++x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ ++s390*-*linux*|sparc*-*linux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in ++ x86_64-*kfreebsd*-gnu) ++ LD="${LD-ld} -m elf_i386_fbsd" ++ ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_i386" + ;; +@@ -557,6 +571,9 @@ + ;; + *64-bit*) + case $host in ++ x86_64-*kfreebsd*-gnu) ++ LD="${LD-ld} -m elf_x86_64_fbsd" ++ ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; +@@ -628,7 +645,7 @@ + AC_CACHE_CHECK([$1], [$2], + [$2=no + ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$3" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -669,11 +686,12 @@ + # ------------------------------------------------------------ + # Check whether the given compiler option works + AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], +-[AC_CACHE_CHECK([$1], [$2], ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++AC_CACHE_CHECK([$1], [$2], + [$2=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $3" +- printf "$lt_simple_link_test_code" > conftest.$ac_ext ++ echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings +@@ -787,24 +805,27 @@ + fi + ;; + *) +- # If test is not a shell built-in, we'll probably end up computing a +- # maximum length that is only half of the actual maximum length, but +- # we can't tell. +- SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} +- while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \ ++ lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` ++ if test -n "$lt_cv_sys_max_cmd_len"; then ++ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` ++ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` ++ else ++ SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} ++ while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \ + = "XX$teststring") >/dev/null 2>&1 && +- new_result=`expr "X$teststring" : ".*" 2>&1` && +- lt_cv_sys_max_cmd_len=$new_result && +- test $i != 17 # 1/2 MB should be enough +- do +- i=`expr $i + 1` +- teststring=$teststring$teststring +- done +- teststring= +- # Add a significant safety factor because C++ compilers can tack on massive +- # amounts of additional arguments before passing them to the linker. +- # It appears as though 1/2 is a usable value. +- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` ++ new_result=`expr "X$teststring" : ".*" 2>&1` && ++ lt_cv_sys_max_cmd_len=$new_result && ++ test $i != 17 # 1/2 MB should be enough ++ do ++ i=`expr $i + 1` ++ teststring=$teststring$teststring ++ done ++ teststring= ++ # Add a significant safety factor because C++ compilers can tack on massive ++ # amounts of additional arguments before passing them to the linker. ++ # It appears as though 1/2 is a usable value. ++ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` ++ fi + ;; + esac + ]) +@@ -1031,7 +1052,8 @@ + # --------------------------------- + # Check to see if options -c and -o are simultaneously supported by compiler + AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O], +-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl + AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], + [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)], + [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no +@@ -1039,7 +1061,7 @@ + mkdir conftest + cd conftest + mkdir out +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or +@@ -1179,6 +1201,7 @@ + darwin*) + if test -n "$STRIP" ; then + striplib="$STRIP -x" ++ old_striplib="$STRIP -S" + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) +@@ -1196,7 +1219,8 @@ + # ----------------------------- + # PORTME Fill in your ld.so characteristics + AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER], +-[AC_MSG_CHECKING([dynamic linker characteristics]) ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++AC_MSG_CHECKING([dynamic linker characteristics]) + library_names_spec= + libname_spec='lib$name' + soname_spec= +@@ -1210,20 +1234,58 @@ + version_type=none + dynamic_linker="$host_os ld.so" + sys_lib_dlsearch_path_spec="/lib /usr/lib" ++m4_if($1,[],[ + if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` +- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then ++ case $host_os in ++ darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; ++ *) lt_awk_arg="/^libraries:/" ;; ++ esac ++ lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"` ++ if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then + # if the path contains ";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` ++ lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'` + else +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` ++ lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi ++ # Ok, now we have the path, separated by spaces, we can step through it ++ # and add multilib dir if necessary. ++ lt_tmp_lt_search_path_spec= ++ lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` ++ for lt_sys_path in $lt_search_path_spec; do ++ if test -d "$lt_sys_path/$lt_multi_os_dir"; then ++ lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" ++ else ++ test -d "$lt_sys_path" && \ ++ lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" ++ fi ++ done ++ lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk ' ++BEGIN {RS=" "; FS="/|\n";} { ++ lt_foo=""; ++ lt_count=0; ++ for (lt_i = NF; lt_i > 0; lt_i--) { ++ if ($lt_i != "" && $lt_i != ".") { ++ if ($lt_i == "..") { ++ lt_count++; ++ } else { ++ if (lt_count == 0) { ++ lt_foo="/" $lt_i lt_foo; ++ } else { ++ lt_count--; ++ } ++ } ++ } ++ } ++ if (lt_foo != "") { lt_freq[[lt_foo]]++; } ++ if (lt_freq[[lt_foo]] == 1) { print lt_foo; } ++}'` ++ sys_lib_search_path_spec=`echo $lt_search_path_spec` + else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +-fi ++fi]) + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -1380,12 +1442,8 @@ + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. +- if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` +- else +- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' +- fi ++ m4_if([$1], [],[ ++ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +@@ -1402,18 +1460,6 @@ + dynamic_linker=no + ;; + +-kfreebsd*-gnu) +- version_type=linux +- need_lib_prefix=no +- need_version=no +- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' +- soname_spec='${libname}${release}${shared_ext}$major' +- shlibpath_var=LD_LIBRARY_PATH +- shlibpath_overrides_runpath=no +- hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' +- ;; +- + freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. +@@ -1451,7 +1497,7 @@ + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; +- freebsd*) # from 4.6 on ++ *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; +@@ -1514,7 +1560,7 @@ + postinstall_cmds='chmod 555 $lib' + ;; + +-interix3*) ++interix[[3-9]]*) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -1569,7 +1615,7 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -1585,7 +1631,7 @@ + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` ++ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + fi + +@@ -1598,7 +1644,7 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + +-knetbsd*-gnu) ++netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -1607,7 +1653,7 @@ + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' ++ dynamic_linker='NetBSD ld.elf_so' + ;; + + netbsd*) +@@ -1691,6 +1737,10 @@ + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; + ++rdos*) ++ dynamic_linker=no ++ ;; ++ + solaris*) + version_type=linux + need_lib_prefix=no +@@ -1796,7 +1846,8 @@ + # _LT_AC_TAGCONFIG + # ---------------- + AC_DEFUN([_LT_AC_TAGCONFIG], +-[AC_ARG_WITH([tags], ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++AC_ARG_WITH([tags], + [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@], + [include additional configurations @<:@automatic@:>@])], + [tagnames="$withval"]) +@@ -2057,7 +2108,7 @@ + + # AC_PATH_TOOL_PREFIX + # ------------------- +-# find a file program which can recognise shared library ++# find a file program which can recognize shared library + AC_DEFUN([AC_PATH_TOOL_PREFIX], + [AC_REQUIRE([AC_PROG_EGREP])dnl + AC_MSG_CHECKING([for $1]) +@@ -2120,7 +2171,7 @@ + + # AC_PATH_MAGIC + # ------------- +-# find a file program which can recognise a shared library ++# find a file program which can recognize a shared library + AC_DEFUN([AC_PATH_MAGIC], + [AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) + if test -z "$lt_cv_path_MAGIC_CMD"; then +@@ -2267,7 +2318,7 @@ + # how to check for library dependencies + # -- PORTME fill in with the dynamic library characteristics + AC_DEFUN([AC_DEPLIBS_CHECK_METHOD], +-[AC_CACHE_CHECK([how to recognise dependent libraries], ++[AC_CACHE_CHECK([how to recognize dependent libraries], + lt_cv_deplibs_check_method, + [lt_cv_file_magic_cmd='$MAGIC_CMD' + lt_cv_file_magic_test_file= +@@ -2306,16 +2357,22 @@ + + mingw* | pw32*) + # Base MSYS/MinGW do not provide the 'file' command needed by +- # func_win32_libid shell function, so use a weaker test based on 'objdump'. +- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' +- lt_cv_file_magic_cmd='$OBJDUMP -f' ++ # func_win32_libid shell function, so use a weaker test based on 'objdump', ++ # unless we find 'file', for example because we are cross-compiling. ++ if ( file / ) >/dev/null 2>&1; then ++ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' ++ lt_cv_file_magic_cmd='func_win32_libid' ++ else ++ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' ++ lt_cv_file_magic_cmd='$OBJDUMP -f' ++ fi + ;; + + darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; + +-freebsd* | kfreebsd*-gnu | dragonfly*) ++freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) +@@ -2353,7 +2410,7 @@ + esac + ;; + +-interix3*) ++interix[[3-9]]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$' + ;; +@@ -2369,11 +2426,11 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + lt_cv_deplibs_check_method=pass_all + ;; + +-netbsd*) ++netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + else +@@ -2403,6 +2460,10 @@ + lt_cv_deplibs_check_method=pass_all + ;; + ++rdos*) ++ lt_cv_deplibs_check_method=pass_all ++ ;; ++ + solaris*) + lt_cv_deplibs_check_method=pass_all + ;; +@@ -2455,7 +2516,7 @@ + lt_cv_path_NM="$NM" + else + lt_nm_to_check="${ac_tool_prefix}nm" +- if test -n "$ac_tool_prefix" && test "$build" = "$host"; then ++ if test -n "$ac_tool_prefix" && test "$build" = "$host"; then + lt_nm_to_check="$lt_nm_to_check nm" + fi + for lt_tmp_nm in $lt_nm_to_check; do +@@ -2671,10 +2732,10 @@ + _LT_AC_TAGVAR(objext, $1)=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code="int some_variable = 0;\n" ++lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests +-lt_simple_link_test_code='int main(){return(0);}\n' ++lt_simple_link_test_code='int main(){return(0);}' + + _LT_AC_SYS_COMPILER + +@@ -2776,10 +2837,10 @@ + _LT_AC_TAGVAR(objext, $1)=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code="int some_variable = 0;\n" ++lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests +-lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }\n' ++lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_AC_SYS_COMPILER +@@ -2925,7 +2986,7 @@ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 +- _LT_AC_TAGVAR(hardcode_direct, $1)=yes ++ : + else + # We have old collect2 + _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported +@@ -3084,10 +3145,10 @@ + case $cc_basename in + xlc*) + output_verbose_link_cmd='echo' +- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring' + _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' + # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds +- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' ++ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + ;; + *) +@@ -3121,7 +3182,7 @@ + freebsd-elf*) + _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no + ;; +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF + # conventions + _LT_AC_TAGVAR(ld_shlibs, $1)=yes +@@ -3170,9 +3231,7 @@ + _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: + + case $host_cpu in +- hppa*64*|ia64*) +- _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir' +- ;; ++ hppa*64*|ia64*) ;; + *) + _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + ;; +@@ -3240,7 +3299,7 @@ + ;; + esac + ;; +- interix3*) ++ interix[[3-9]]*) + _LT_AC_TAGVAR(hardcode_direct, $1)=no + _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' +@@ -3280,7 +3339,7 @@ + _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=: + ;; +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler +@@ -3360,6 +3419,29 @@ + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' + ;; ++ *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C++ 5.9 ++ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs' ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ++ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols' ++ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' ++ ++ # Not sure whether something based on ++ # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 ++ # would be better. ++ output_verbose_link_cmd='echo' ++ ++ # Archives containing C++ object files must be created using ++ # "CC -xar", where "CC" is the Sun C++ compiler. This is ++ # necessary to make sure instantiated templates are included ++ # in the archive. ++ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' ++ ;; ++ esac ++ ;; + esac + ;; + lynxos*) +@@ -3382,7 +3464,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= +@@ -3398,16 +3480,20 @@ + _LT_AC_TAGVAR(ld_shlibs, $1)=no + ;; + openbsd*) +- _LT_AC_TAGVAR(hardcode_direct, $1)=yes +- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no +- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' +- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' +- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then +- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' +- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' +- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' ++ if test -f /usr/libexec/ld.so; then ++ _LT_AC_TAGVAR(hardcode_direct, $1)=yes ++ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' ++ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' ++ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then ++ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' ++ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' ++ fi ++ output_verbose_link_cmd='echo' ++ else ++ _LT_AC_TAGVAR(ld_shlibs, $1)=no + fi +- output_verbose_link_cmd='echo' + ;; + osf3*) + case $cc_basename in +@@ -3569,15 +3655,10 @@ + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) +- # The C++ compiler is used as linker so we must use $wl +- # flag to pass the commands to the underlying system +- # linker. We must also pass each convience library through +- # to the system linker between allextract/defaultextract. +- # The C++ compiler will combine linker options so we +- # cannot just pass the convience library names through +- # without $wl. ++ # The compiler driver will combine and reorder linker options, ++ # but understands `-z linker_flag'. + # Supported since Solaris 2.6 (maybe 2.5.1?) +- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + ;; + esac + _LT_AC_TAGVAR(link_all_deplibs, $1)=yes +@@ -3624,6 +3705,12 @@ + fi + + _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir' ++ case $host_os in ++ solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; ++ *) ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ++ ;; ++ esac + fi + ;; + esac +@@ -3867,7 +3954,7 @@ + # PORTME: override above test on systems where it is broken + ifelse([$1],[CXX], + [case $host_os in +-interix3*) ++interix[[3-9]]*) + # Interix 3.5 installs completely hosed .la files for C++, so rather than + # hack all around it, let's just trust "g++" to DTRT. + _LT_AC_TAGVAR(predep_objects,$1)= +@@ -3875,13 +3962,46 @@ + _LT_AC_TAGVAR(postdeps,$1)= + ;; + ++linux*) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C++ 5.9 ++ # ++ # The more standards-conforming stlport4 library is ++ # incompatible with the Cstd library. Avoid specifying ++ # it if it's in CXXFLAGS. Ignore libCrun as ++ # -library=stlport4 depends on it. ++ case " $CXX $CXXFLAGS " in ++ *" -library=stlport4 "*) ++ solaris_use_stlport4=yes ++ ;; ++ esac ++ if test "$solaris_use_stlport4" != yes; then ++ _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' ++ fi ++ ;; ++ esac ++ ;; ++ + solaris*) + case $cc_basename in + CC*) ++ # The more standards-conforming stlport4 library is ++ # incompatible with the Cstd library. Avoid specifying ++ # it if it's in CXXFLAGS. Ignore libCrun as ++ # -library=stlport4 depends on it. ++ case " $CXX $CXXFLAGS " in ++ *" -library=stlport4 "*) ++ solaris_use_stlport4=yes ++ ;; ++ esac ++ + # Adding this requires a known-good setup of shared libraries for + # Sun compiler versions before 5.6, else PIC objects from an old + # archive will be linked into the output, leading to subtle bugs. +- _LT_AC_TAGVAR(postdeps,$1)='-lCstd -lCrun' ++ if test "$solaris_use_stlport4" != yes; then ++ _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' ++ fi + ;; + esac + ;; +@@ -3930,10 +4050,17 @@ + _LT_AC_TAGVAR(objext, $1)=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code=" subroutine t\n return\n end\n" ++lt_simple_compile_test_code="\ ++ subroutine t ++ return ++ end ++" + + # Code to be used in simple link tests +-lt_simple_link_test_code=" program t\n end\n" ++lt_simple_link_test_code="\ ++ program t ++ end ++" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_AC_SYS_COMPILER +@@ -4012,10 +4139,10 @@ + _LT_AC_TAGVAR(objext, $1)=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code="class foo {}\n" ++lt_simple_compile_test_code="class foo {}" + + # Code to be used in simple link tests +-lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }\n' ++lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_AC_SYS_COMPILER +@@ -4068,7 +4195,7 @@ + _LT_AC_TAGVAR(objext, $1)=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n' ++lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' + + # Code to be used in simple link tests + lt_simple_link_test_code="$lt_simple_compile_test_code" +@@ -4157,6 +4284,7 @@ + _LT_AC_TAGVAR(module_cmds, $1) \ + _LT_AC_TAGVAR(module_expsym_cmds, $1) \ + _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \ ++ _LT_AC_TAGVAR(fix_srcfile_path, $1) \ + _LT_AC_TAGVAR(exclude_expsyms, $1) \ + _LT_AC_TAGVAR(include_expsyms, $1); do + +@@ -4203,7 +4331,7 @@ + # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) + # NOTE: Changes made to this file will be lost: look at ltmain.sh. + # +-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 ++# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 + # Free Software Foundation, Inc. + # + # This file is part of GNU Libtool: +@@ -4528,7 +4656,7 @@ + sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + + # Fix the shell variable \$srcfile for the compiler. +-fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)" ++fix_srcfile_path=$lt_fix_srcfile_path + + # Set to yes if exported symbols are required. + always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1) +@@ -4611,6 +4739,7 @@ + # --------------------------------- + AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], + [AC_REQUIRE([AC_CANONICAL_HOST]) ++AC_REQUIRE([LT_AC_PROG_SED]) + AC_REQUIRE([AC_PROG_NM]) + AC_REQUIRE([AC_OBJEXT]) + # Check for command to grab the raw symbol name followed by C symbol from nm. +@@ -4647,7 +4776,7 @@ + lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" + lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" + ;; +-linux*) ++linux* | k*bsd*-gnu) + if test "$host_cpu" = ia64; then + symcode='[[ABCDGIRSTW]]' + lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" +@@ -4837,12 +4966,14 @@ + # like `-m68040'. + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; +- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) ++ beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; +- mingw* | os2* | pw32*) ++ mingw* | cygwin* | os2* | pw32*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). ++ # Although the cygwin gcc ignores -fPIC, still need this for old-style ++ # (--disable-auto-import) libraries + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' + ;; + darwin* | rhapsody*) +@@ -4854,7 +4985,7 @@ + # DJGPP does not support shared libraries at all + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)= + ;; +- interix3*) ++ interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; +@@ -4920,7 +5051,7 @@ + ;; + esac + ;; +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + # FreeBSD uses GNU C++ + ;; + hpux9* | hpux10* | hpux11*) +@@ -4963,7 +5094,7 @@ + ;; + esac + ;; +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + KCC*) + # KAI C++ Compiler +@@ -4990,6 +5121,14 @@ + _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C++ 5.9 ++ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' ++ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ++ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' ++ ;; ++ esac + ;; + esac + ;; +@@ -5006,7 +5145,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + ;; + osf3* | osf4* | osf5*) + case $cc_basename in +@@ -5110,13 +5249,15 @@ + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + +- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) ++ beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). ++ # Although the cygwin gcc ignores -fPIC, still need this for old-style ++ # (--disable-auto-import) libraries + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' + ;; + +@@ -5126,7 +5267,7 @@ + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; + +- interix3*) ++ interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; +@@ -5184,7 +5325,7 @@ + esac + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT' +@@ -5217,7 +5358,7 @@ + _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + icc* | ecc*) + _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' +@@ -5236,6 +5377,22 @@ + # All Alpha code is PIC. + _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; ++ *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C 5.9 ++ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' ++ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ++ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' ++ ;; ++ *Sun\ F*) ++ # Sun Fortran 8.3 passes all unrecognized flags to the linker ++ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' ++ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ++ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='' ++ ;; ++ esac ++ ;; + esac + ;; + +@@ -5245,6 +5402,10 @@ + _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + ++ rdos*) ++ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ++ ;; ++ + solaris*) + _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' +@@ -5339,7 +5500,8 @@ + # ------------------------------------ + # See if the linker supports building shared libraries. + AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS], +-[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) ++[AC_REQUIRE([LT_AC_PROG_SED])dnl ++AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) + ifelse([$1],[CXX],[ + _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + case $host_os in +@@ -5356,7 +5518,10 @@ + _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds" + ;; + cygwin* | mingw*) +- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([[^ ]]*\) [[^ ]]*/\1 DATA/;/^I /d;/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols' ++ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' ++ ;; ++ linux* | k*bsd*-gnu) ++ _LT_AC_TAGVAR(link_all_deplibs, $1)=no + ;; + *) + _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' +@@ -5495,7 +5660,7 @@ + _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_AC_TAGVAR(always_export_symbols, $1)=no + _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes +- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols' ++ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' + + if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' +@@ -5513,7 +5678,7 @@ + fi + ;; + +- interix3*) ++ interix[[3-9]]*) + _LT_AC_TAGVAR(hardcode_direct, $1)=no + _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' +@@ -5528,7 +5693,7 @@ + _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + +- linux*) ++ gnu* | linux* | k*bsd*-gnu) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + tmp_addflag= + case $cc_basename,$host_cpu in +@@ -5546,20 +5711,30 @@ + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + esac +- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) # Sun C 5.9 ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' ++ tmp_sharedflag='-G' ;; ++ *Sun\ F*) # Sun Fortran 8.3 ++ tmp_sharedflag='-G' ;; ++ *) ++ tmp_sharedflag='-shared' ;; ++ esac ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + + if test $supports_anon_versioning = yes; then + _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + $echo "local: *; };" >> $output_objdir/$libname.ver~ +- $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' ++ $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ _LT_AC_TAGVAR(link_all_deplibs, $1)=no + else + _LT_AC_TAGVAR(ld_shlibs, $1)=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -5592,7 +5767,7 @@ + + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in +- *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) ++ *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) + _LT_AC_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +@@ -5711,7 +5886,7 @@ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 +- _LT_AC_TAGVAR(hardcode_direct, $1)=yes ++ : + else + # We have old collect2 + _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported +@@ -5804,7 +5979,7 @@ + # The linker will automatically build a .lib file if we build a DLL. + _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true' + # FIXME: Should let the user specify the lib program. +- _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs' ++ _LT_AC_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs' + _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`' + _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; +@@ -5846,10 +6021,10 @@ + case $cc_basename in + xlc*) + output_verbose_link_cmd='echo' +- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring' + _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' + # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds +- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' ++ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + ;; + *) +@@ -5889,7 +6064,7 @@ + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_AC_TAGVAR(hardcode_direct, $1)=yes +@@ -5991,7 +6166,7 @@ + _LT_AC_TAGVAR(link_all_deplibs, $1)=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -6011,24 +6186,28 @@ + ;; + + openbsd*) +- _LT_AC_TAGVAR(hardcode_direct, $1)=yes +- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no +- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then +- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' +- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' +- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' ++ if test -f /usr/libexec/ld.so; then ++ _LT_AC_TAGVAR(hardcode_direct, $1)=yes ++ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no ++ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' ++ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' ++ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' ++ else ++ case $host_os in ++ openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) ++ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' ++ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' ++ ;; ++ *) ++ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' ++ ;; ++ esac ++ fi + else +- case $host_os in +- openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) +- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' +- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' +- ;; +- *) +- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' +- ;; +- esac ++ _LT_AC_TAGVAR(ld_shlibs, $1)=no + fi + ;; + +@@ -6087,17 +6266,16 @@ + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) +- # The compiler driver will combine linker options so we +- # cannot just pass the convience library names through +- # without $wl, iff we do not link with $LD. +- # Luckily, gcc supports the same syntax we need for Sun Studio. ++ # The compiler driver will combine and reorder linker options, ++ # but understands `-z linker_flag'. GCC discards it without `$wl', ++ # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) +- case $wlarc in +- '') +- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;; +- *) +- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; +- esac ;; ++ if test "$GCC" = yes; then ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ++ else ++ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ++ fi ++ ;; + esac + _LT_AC_TAGVAR(link_all_deplibs, $1)=yes + ;; +@@ -6154,7 +6332,7 @@ + fi + ;; + +- sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7*) ++ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no +@@ -6229,7 +6407,7 @@ + # to ld, don't add -lc before -lgcc. + AC_MSG_CHECKING([whether -lc should be explicitly linked in]) + $rm conftest* +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if AC_TRY_EVAL(ac_compile) 2>conftest.err; then + soname=conftest +@@ -6332,6 +6510,30 @@ + [AC_CHECK_TOOL(RC, windres, no) + ]) + ++ ++# Cheap backport of AS_EXECUTABLE_P and required macros ++# from Autoconf 2.59; we should not use $as_executable_p directly. ++ ++# _AS_TEST_PREPARE ++# ---------------- ++m4_ifndef([_AS_TEST_PREPARE], ++[m4_defun([_AS_TEST_PREPARE], ++[if test -x / >/dev/null 2>&1; then ++ as_executable_p='test -x' ++else ++ as_executable_p='test -f' ++fi ++])])# _AS_TEST_PREPARE ++ ++# AS_EXECUTABLE_P ++# --------------- ++# Check whether a file is executable. ++m4_ifndef([AS_EXECUTABLE_P], ++[m4_defun([AS_EXECUTABLE_P], ++[AS_REQUIRE([_AS_TEST_PREPARE])dnl ++$as_executable_p $1[]dnl ++])])# AS_EXECUTABLE_P ++ + # NOTE: This macro has been submitted for inclusion into # + # GNU Autoconf as AC_PROG_SED. When it is available in # + # a released version of Autoconf we should remove this # +@@ -6352,12 +6554,13 @@ + test -z "$as_dir" && as_dir=. + for lt_ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do +- if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then ++ if AS_EXECUTABLE_P(["$as_dir/$lt_ac_prog$ac_exec_ext"]); then + lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" + fi + done + done + done ++IFS=$as_save_IFS + lt_ac_max=0 + lt_ac_count=0 + # Add /usr/xpg4/bin/sed as it is typically found on Solaris +@@ -6390,6 +6593,7 @@ + done + ]) + SED=$lt_cv_path_SED ++AC_SUBST([SED]) + AC_MSG_RESULT([$SED]) + ]) + +Index: pam/Linux-PAM/conf/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/conf/Makefile.in ++++ pam/Linux-PAM/conf/Makefile.in +@@ -150,6 +150,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/conf/pam_conv1/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/conf/pam_conv1/Makefile.in ++++ pam/Linux-PAM/conf/pam_conv1/Makefile.in +@@ -170,6 +170,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/config.h.in +=================================================================== +--- pam.orig/Linux-PAM/config.h.in ++++ pam/Linux-PAM/config.h.in +@@ -19,6 +19,9 @@ + the CoreFoundation framework. */ + #undef HAVE_CFPREFERENCESCOPYAPPVALUE + ++/* Define to 1 if you have the <crack.h> header file. */ ++#undef HAVE_CRACK_H ++ + /* Define to 1 if you have the <crypt.h> header file. */ + #undef HAVE_CRYPT_H + +@@ -126,6 +129,9 @@ + /* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */ + #undef HAVE_NDIR_H + ++/* Define to 1 if you have the <net/if.h> header file. */ ++#undef HAVE_NET_IF_H ++ + /* Define to 1 if you have the <paths.h> header file. */ + #undef HAVE_PATHS_H + +@@ -165,6 +171,9 @@ + /* Define to 1 if you have the <syslog.h> header file. */ + #undef HAVE_SYSLOG_H + ++/* Define to 1 if you have the <sys/capability.h> header file. */ ++#undef HAVE_SYS_CAPABILITY_H ++ + /* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'. + */ + #undef HAVE_SYS_DIR_H +Index: pam/Linux-PAM/configure +=================================================================== +--- pam.orig/Linux-PAM/configure ++++ pam/Linux-PAM/configure +@@ -859,6 +859,7 @@ + LEX_OUTPUT_ROOT + LEXLIB + LN_S ++SED + GREP + EGREP + ECHO +@@ -4252,12 +4253,13 @@ + test -z "$as_dir" && as_dir=. + for lt_ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do +- if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then ++ if { test -f "$as_dir/$lt_ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$lt_ac_prog$ac_exec_ext"; }; then + lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" + fi + done + done + done ++IFS=$as_save_IFS + lt_ac_max=0 + lt_ac_count=0 + # Add /usr/xpg4/bin/sed as it is typically found on Solaris +@@ -4292,6 +4294,7 @@ + fi + + SED=$lt_cv_path_SED ++ + { echo "$as_me:$LINENO: result: $SED" >&5 + echo "${ECHO_T}$SED" >&6; } + +@@ -4642,8 +4645,8 @@ + echo "${ECHO_T}$lt_cv_path_NM" >&6; } + NM="$lt_cv_path_NM" + +-{ echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5 +-echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6; } ++{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5 ++echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; } + if test "${lt_cv_deplibs_check_method+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 + else +@@ -4684,16 +4687,22 @@ + + mingw* | pw32*) + # Base MSYS/MinGW do not provide the 'file' command needed by +- # func_win32_libid shell function, so use a weaker test based on 'objdump'. +- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' +- lt_cv_file_magic_cmd='$OBJDUMP -f' ++ # func_win32_libid shell function, so use a weaker test based on 'objdump', ++ # unless we find 'file', for example because we are cross-compiling. ++ if ( file / ) >/dev/null 2>&1; then ++ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' ++ lt_cv_file_magic_cmd='func_win32_libid' ++ else ++ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' ++ lt_cv_file_magic_cmd='$OBJDUMP -f' ++ fi + ;; + + darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; + +-freebsd* | kfreebsd*-gnu | dragonfly*) ++freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) +@@ -4731,7 +4740,7 @@ + esac + ;; + +-interix3*) ++interix[3-9]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$' + ;; +@@ -4747,11 +4756,11 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + lt_cv_deplibs_check_method=pass_all + ;; + +-netbsd*) ++netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' + else +@@ -4781,6 +4790,10 @@ + lt_cv_deplibs_check_method=pass_all + ;; + ++rdos*) ++ lt_cv_deplibs_check_method=pass_all ++ ;; ++ + solaris*) + lt_cv_deplibs_check_method=pass_all + ;; +@@ -4867,7 +4880,7 @@ + ;; + *-*-irix6*) + # Find out which ABI we are using. +- echo '#line 4870 "configure"' > conftest.$ac_ext ++ echo '#line 4883 "configure"' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? +@@ -4902,7 +4915,8 @@ + rm -rf conftest* + ;; + +-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*) ++x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ ++s390*-*linux*|sparc*-*linux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 +@@ -4913,6 +4927,9 @@ + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in ++ x86_64-*kfreebsd*-gnu) ++ LD="${LD-ld} -m elf_i386_fbsd" ++ ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_i386" + ;; +@@ -4929,6 +4946,9 @@ + ;; + *64-bit*) + case $host in ++ x86_64-*kfreebsd*-gnu) ++ LD="${LD-ld} -m elf_x86_64_fbsd" ++ ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; +@@ -6716,24 +6736,27 @@ + fi + ;; + *) +- # If test is not a shell built-in, we'll probably end up computing a +- # maximum length that is only half of the actual maximum length, but +- # we can't tell. +- SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} +- while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \ ++ lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` ++ if test -n "$lt_cv_sys_max_cmd_len"; then ++ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` ++ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` ++ else ++ SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} ++ while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \ + = "XX$teststring") >/dev/null 2>&1 && +- new_result=`expr "X$teststring" : ".*" 2>&1` && +- lt_cv_sys_max_cmd_len=$new_result && +- test $i != 17 # 1/2 MB should be enough +- do +- i=`expr $i + 1` +- teststring=$teststring$teststring +- done +- teststring= +- # Add a significant safety factor because C++ compilers can tack on massive +- # amounts of additional arguments before passing them to the linker. +- # It appears as though 1/2 is a usable value. +- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` ++ new_result=`expr "X$teststring" : ".*" 2>&1` && ++ lt_cv_sys_max_cmd_len=$new_result && ++ test $i != 17 # 1/2 MB should be enough ++ do ++ i=`expr $i + 1` ++ teststring=$teststring$teststring ++ done ++ teststring= ++ # Add a significant safety factor because C++ compilers can tack on massive ++ # amounts of additional arguments before passing them to the linker. ++ # It appears as though 1/2 is a usable value. ++ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` ++ fi + ;; + esac + +@@ -6750,6 +6773,7 @@ + + + ++ + # Check for command to grab the raw symbol name followed by C symbol from nm. + { echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5 + echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; } +@@ -6787,7 +6811,7 @@ + lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" + lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" + ;; +-linux*) ++linux* | k*bsd*-gnu) + if test "$host_cpu" = ia64; then + symcode='[ABCDGIRSTW]' + lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" +@@ -7338,7 +7362,7 @@ + test -z "$ac_objext" && ac_objext=o + + # Determine commands to create old-style static archives. +-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' ++old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' + old_postinstall_cmds='chmod 644 $oldlib' + old_postuninstall_cmds= + +@@ -7538,10 +7562,10 @@ + objext=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code="int some_variable = 0;\n" ++lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests +-lt_simple_link_test_code='int main(){return(0);}\n' ++lt_simple_link_test_code='int main(){return(0);}' + + + # If no C compiler was specified, use CC. +@@ -7556,13 +7580,13 @@ + + # save warnings/boilerplate of simple test code + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_compile_test_code" >conftest.$ac_ext ++echo "$lt_simple_compile_test_code" >conftest.$ac_ext + eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_compiler_boilerplate=`cat conftest.err` + $rm conftest* + + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_link_test_code" >conftest.$ac_ext ++echo "$lt_simple_link_test_code" >conftest.$ac_ext + eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_linker_boilerplate=`cat conftest.err` + $rm conftest* +@@ -7582,7 +7606,7 @@ + else + lt_cv_prog_compiler_rtti_exceptions=no + ac_outfile=conftest.$ac_objext +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="-fno-rtti -fno-exceptions" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -7593,11 +7617,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:7596: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:7620: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:7600: \$? = $ac_status" >&5 ++ echo "$as_me:7624: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -7648,13 +7672,15 @@ + lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4' + ;; + +- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) ++ beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). ++ # Although the cygwin gcc ignores -fPIC, still need this for old-style ++ # (--disable-auto-import) libraries + lt_prog_compiler_pic='-DDLL_EXPORT' + ;; + +@@ -7664,7 +7690,7 @@ + lt_prog_compiler_pic='-fno-common' + ;; + +- interix3*) ++ interix[3-9]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; +@@ -7722,7 +7748,7 @@ + esac + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + lt_prog_compiler_pic='-DDLL_EXPORT' +@@ -7755,7 +7781,7 @@ + lt_prog_compiler_static='-Bstatic' + ;; + +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + icc* | ecc*) + lt_prog_compiler_wl='-Wl,' +@@ -7774,6 +7800,22 @@ + # All Alpha code is PIC. + lt_prog_compiler_static='-non_shared' + ;; ++ *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C 5.9 ++ lt_prog_compiler_pic='-KPIC' ++ lt_prog_compiler_static='-Bstatic' ++ lt_prog_compiler_wl='-Wl,' ++ ;; ++ *Sun\ F*) ++ # Sun Fortran 8.3 passes all unrecognized flags to the linker ++ lt_prog_compiler_pic='-KPIC' ++ lt_prog_compiler_static='-Bstatic' ++ lt_prog_compiler_wl='' ++ ;; ++ esac ++ ;; + esac + ;; + +@@ -7783,6 +7825,10 @@ + lt_prog_compiler_static='-non_shared' + ;; + ++ rdos*) ++ lt_prog_compiler_static='-non_shared' ++ ;; ++ + solaris*) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' +@@ -7850,7 +7896,7 @@ + else + lt_prog_compiler_pic_works=no + ac_outfile=conftest.$ac_objext +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$lt_prog_compiler_pic -DPIC" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -7861,11 +7907,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:7864: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:7910: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:7868: \$? = $ac_status" >&5 ++ echo "$as_me:7914: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -7914,7 +7960,7 @@ + lt_prog_compiler_static_works=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $lt_tmp_static_flag" +- printf "$lt_simple_link_test_code" > conftest.$ac_ext ++ echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings +@@ -7954,7 +8000,7 @@ + mkdir conftest + cd conftest + mkdir out +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or +@@ -7965,11 +8011,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:7968: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:8014: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:7972: \$? = $ac_status" >&5 ++ echo "$as_me:8018: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -8161,7 +8207,7 @@ + allow_undefined_flag=unsupported + always_export_symbols=no + enable_shared_with_static_runtimes=yes +- export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' ++ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + + if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' +@@ -8179,7 +8225,7 @@ + fi + ;; + +- interix3*) ++ interix[3-9]*) + hardcode_direct=no + hardcode_shlibpath_var=no + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' +@@ -8194,7 +8240,7 @@ + archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + +- linux*) ++ gnu* | linux* | k*bsd*-gnu) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + tmp_addflag= + case $cc_basename,$host_cpu in +@@ -8212,20 +8258,30 @@ + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + esac +- archive_cmds='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) # Sun C 5.9 ++ whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' ++ tmp_sharedflag='-G' ;; ++ *Sun\ F*) # Sun Fortran 8.3 ++ tmp_sharedflag='-G' ;; ++ *) ++ tmp_sharedflag='-shared' ;; ++ esac ++ archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + + if test $supports_anon_versioning = yes; then + archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + $echo "local: *; };" >> $output_objdir/$libname.ver~ +- $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' ++ $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ link_all_deplibs=no + else + ld_shlibs=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -8377,7 +8433,7 @@ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 +- hardcode_direct=yes ++ : + else + # We have old collect2 + hardcode_direct=unsupported +@@ -8451,11 +8507,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -8510,11 +8573,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -8568,7 +8638,7 @@ + # The linker will automatically build a .lib file if we build a DLL. + old_archive_From_new_cmds='true' + # FIXME: Should let the user specify the lib program. +- old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs' ++ old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs' + fix_srcfile_path='`cygpath -w "$srcfile"`' + enable_shared_with_static_runtimes=yes + ;; +@@ -8610,10 +8680,10 @@ + case $cc_basename in + xlc*) + output_verbose_link_cmd='echo' +- archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' ++ archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring' + module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' + # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds +- archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' ++ archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + ;; + *) +@@ -8653,7 +8723,7 @@ + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes +@@ -8755,7 +8825,7 @@ + link_all_deplibs=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -8775,24 +8845,28 @@ + ;; + + openbsd*) +- hardcode_direct=yes +- hardcode_shlibpath_var=no +- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then +- archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' +- hardcode_libdir_flag_spec='${wl}-rpath,$libdir' +- export_dynamic_flag_spec='${wl}-E' ++ if test -f /usr/libexec/ld.so; then ++ hardcode_direct=yes ++ hardcode_shlibpath_var=no ++ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then ++ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' ++ hardcode_libdir_flag_spec='${wl}-rpath,$libdir' ++ export_dynamic_flag_spec='${wl}-E' ++ else ++ case $host_os in ++ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) ++ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' ++ hardcode_libdir_flag_spec='-R$libdir' ++ ;; ++ *) ++ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ hardcode_libdir_flag_spec='${wl}-rpath,$libdir' ++ ;; ++ esac ++ fi + else +- case $host_os in +- openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) +- archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec='-R$libdir' +- ;; +- *) +- archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='${wl}-rpath,$libdir' +- ;; +- esac ++ ld_shlibs=no + fi + ;; + +@@ -8851,17 +8925,16 @@ + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; + *) +- # The compiler driver will combine linker options so we +- # cannot just pass the convience library names through +- # without $wl, iff we do not link with $LD. +- # Luckily, gcc supports the same syntax we need for Sun Studio. ++ # The compiler driver will combine and reorder linker options, ++ # but understands `-z linker_flag'. GCC discards it without `$wl', ++ # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) +- case $wlarc in +- '') +- whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;; +- *) +- whole_archive_flag_spec='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; +- esac ;; ++ if test "$GCC" = yes; then ++ whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ++ else ++ whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ++ fi ++ ;; + esac + link_all_deplibs=yes + ;; +@@ -8918,7 +8991,7 @@ + fi + ;; + +- sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) ++ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + no_undefined_flag='${wl}-z,text' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no +@@ -8995,7 +9068,7 @@ + { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 + echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; } + $rm conftest* +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 +@@ -9053,17 +9126,55 @@ + version_type=none + dynamic_linker="$host_os ld.so" + sys_lib_dlsearch_path_spec="/lib /usr/lib" ++ + if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` +- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then ++ case $host_os in ++ darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; ++ *) lt_awk_arg="/^libraries:/" ;; ++ esac ++ lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"` ++ if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then + # if the path contains ";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` ++ lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'` + else +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` ++ lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi ++ # Ok, now we have the path, separated by spaces, we can step through it ++ # and add multilib dir if necessary. ++ lt_tmp_lt_search_path_spec= ++ lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` ++ for lt_sys_path in $lt_search_path_spec; do ++ if test -d "$lt_sys_path/$lt_multi_os_dir"; then ++ lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" ++ else ++ test -d "$lt_sys_path" && \ ++ lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" ++ fi ++ done ++ lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk ' ++BEGIN {RS=" "; FS="/|\n";} { ++ lt_foo=""; ++ lt_count=0; ++ for (lt_i = NF; lt_i > 0; lt_i--) { ++ if ($lt_i != "" && $lt_i != ".") { ++ if ($lt_i == "..") { ++ lt_count++; ++ } else { ++ if (lt_count == 0) { ++ lt_foo="/" $lt_i lt_foo; ++ } else { ++ lt_count--; ++ } ++ } ++ } ++ } ++ if (lt_foo != "") { lt_freq[lt_foo]++; } ++ if (lt_freq[lt_foo] == 1) { print lt_foo; } ++}'` ++ sys_lib_search_path_spec=`echo $lt_search_path_spec` + else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" + fi +@@ -9223,12 +9334,8 @@ + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. +- if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` +- else +- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' +- fi ++ ++ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib" + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +@@ -9245,18 +9352,6 @@ + dynamic_linker=no + ;; + +-kfreebsd*-gnu) +- version_type=linux +- need_lib_prefix=no +- need_version=no +- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' +- soname_spec='${libname}${release}${shared_ext}$major' +- shlibpath_var=LD_LIBRARY_PATH +- shlibpath_overrides_runpath=no +- hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' +- ;; +- + freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. +@@ -9294,7 +9389,7 @@ + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; +- freebsd*) # from 4.6 on ++ *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; +@@ -9357,7 +9452,7 @@ + postinstall_cmds='chmod 555 $lib' + ;; + +-interix3*) ++interix[3-9]*) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -9412,7 +9507,7 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -9428,7 +9523,7 @@ + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` ++ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + fi + +@@ -9441,7 +9536,7 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + +-knetbsd*-gnu) ++netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -9450,7 +9545,7 @@ + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' ++ dynamic_linker='NetBSD ld.elf_so' + ;; + + netbsd*) +@@ -9534,6 +9629,10 @@ + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; + ++rdos*) ++ dynamic_linker=no ++ ;; ++ + solaris*) + version_type=linux + need_lib_prefix=no +@@ -9687,6 +9786,7 @@ + darwin*) + if test -n "$STRIP" ; then + striplib="$STRIP -x" ++ old_striplib="$STRIP -S" + { echo "$as_me:$LINENO: result: yes" >&5 + echo "${ECHO_T}yes" >&6; } + else +@@ -10273,7 +10373,7 @@ + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<EOF +-#line 10276 "configure" ++#line 10376 "configure" + #include "confdefs.h" + + #if HAVE_DLFCN_H +@@ -10373,7 +10473,7 @@ + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<EOF +-#line 10376 "configure" ++#line 10476 "configure" + #include "confdefs.h" + + #if HAVE_DLFCN_H +@@ -10571,6 +10671,7 @@ + module_cmds \ + module_expsym_cmds \ + lt_cv_prog_compiler_c_o \ ++ fix_srcfile_path \ + exclude_expsyms \ + include_expsyms; do + +@@ -10615,7 +10716,7 @@ + # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) + # NOTE: Changes made to this file will be lost: look at ltmain.sh. + # +-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 ++# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 + # Free Software Foundation, Inc. + # + # This file is part of GNU Libtool: +@@ -10939,7 +11040,7 @@ + sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + + # Fix the shell variable \$srcfile for the compiler. +-fix_srcfile_path="$fix_srcfile_path" ++fix_srcfile_path=$lt_fix_srcfile_path + + # Set to yes if exported symbols are required. + always_export_symbols=$always_export_symbols +@@ -11108,10 +11209,10 @@ + objext_CXX=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code="int some_variable = 0;\n" ++lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests +-lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n' ++lt_simple_link_test_code='int main(int, char *[]) { return(0); }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + +@@ -11127,13 +11228,13 @@ + + # save warnings/boilerplate of simple test code + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_compile_test_code" >conftest.$ac_ext ++echo "$lt_simple_compile_test_code" >conftest.$ac_ext + eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_compiler_boilerplate=`cat conftest.err` + $rm conftest* + + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_link_test_code" >conftest.$ac_ext ++echo "$lt_simple_link_test_code" >conftest.$ac_ext + eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_linker_boilerplate=`cat conftest.err` + $rm conftest* +@@ -11392,7 +11493,7 @@ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 +- hardcode_direct_CXX=yes ++ : + else + # We have old collect2 + hardcode_direct_CXX=unsupported +@@ -11466,11 +11567,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -11526,11 +11634,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -11649,10 +11764,10 @@ + case $cc_basename in + xlc*) + output_verbose_link_cmd='echo' +- archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' ++ archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring' + module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' + # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds +- archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' ++ archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + ;; + *) +@@ -11686,7 +11801,7 @@ + freebsd-elf*) + archive_cmds_need_lc_CXX=no + ;; +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF + # conventions + ld_shlibs_CXX=yes +@@ -11735,9 +11850,7 @@ + hardcode_libdir_separator_CXX=: + + case $host_cpu in +- hppa*64*|ia64*) +- hardcode_libdir_flag_spec_ld_CXX='+b $libdir' +- ;; ++ hppa*64*|ia64*) ;; + *) + export_dynamic_flag_spec_CXX='${wl}-E' + ;; +@@ -11805,7 +11918,7 @@ + ;; + esac + ;; +- interix3*) ++ interix[3-9]*) + hardcode_direct_CXX=no + hardcode_shlibpath_var_CXX=no + hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' +@@ -11845,7 +11958,7 @@ + hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir' + hardcode_libdir_separator_CXX=: + ;; +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler +@@ -11925,6 +12038,29 @@ + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list' + ;; ++ *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C++ 5.9 ++ no_undefined_flag_CXX=' -zdefs' ++ archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ++ archive_expsym_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols' ++ hardcode_libdir_flag_spec_CXX='-R$libdir' ++ whole_archive_flag_spec_CXX='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' ++ ++ # Not sure whether something based on ++ # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 ++ # would be better. ++ output_verbose_link_cmd='echo' ++ ++ # Archives containing C++ object files must be created using ++ # "CC -xar", where "CC" is the Sun C++ compiler. This is ++ # necessary to make sure instantiated templates are included ++ # in the archive. ++ old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs' ++ ;; ++ esac ++ ;; + esac + ;; + lynxos*) +@@ -11947,7 +12083,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_CXX='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= +@@ -11963,16 +12099,20 @@ + ld_shlibs_CXX=no + ;; + openbsd*) +- hardcode_direct_CXX=yes +- hardcode_shlibpath_var_CXX=no +- archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' +- hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' +- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then +- archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' +- export_dynamic_flag_spec_CXX='${wl}-E' +- whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' ++ if test -f /usr/libexec/ld.so; then ++ hardcode_direct_CXX=yes ++ hardcode_shlibpath_var_CXX=no ++ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' ++ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir' ++ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then ++ archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' ++ export_dynamic_flag_spec_CXX='${wl}-E' ++ whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' ++ fi ++ output_verbose_link_cmd='echo' ++ else ++ ld_shlibs_CXX=no + fi +- output_verbose_link_cmd='echo' + ;; + osf3*) + case $cc_basename in +@@ -12134,15 +12274,10 @@ + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; + *) +- # The C++ compiler is used as linker so we must use $wl +- # flag to pass the commands to the underlying system +- # linker. We must also pass each convience library through +- # to the system linker between allextract/defaultextract. +- # The C++ compiler will combine linker options so we +- # cannot just pass the convience library names through +- # without $wl. ++ # The compiler driver will combine and reorder linker options, ++ # but understands `-z linker_flag'. + # Supported since Solaris 2.6 (maybe 2.5.1?) +- whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ++ whole_archive_flag_spec_CXX='-z allextract$convenience -z defaultextract' + ;; + esac + link_all_deplibs_CXX=yes +@@ -12189,6 +12324,12 @@ + fi + + hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir' ++ case $host_os in ++ solaris2.[0-5] | solaris2.[0-5].*) ;; ++ *) ++ whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ++ ;; ++ esac + fi + ;; + esac +@@ -12380,7 +12521,7 @@ + + # PORTME: override above test on systems where it is broken + case $host_os in +-interix3*) ++interix[3-9]*) + # Interix 3.5 installs completely hosed .la files for C++, so rather than + # hack all around it, let's just trust "g++" to DTRT. + predep_objects_CXX= +@@ -12388,13 +12529,46 @@ + postdeps_CXX= + ;; + ++linux*) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C++ 5.9 ++ # ++ # The more standards-conforming stlport4 library is ++ # incompatible with the Cstd library. Avoid specifying ++ # it if it's in CXXFLAGS. Ignore libCrun as ++ # -library=stlport4 depends on it. ++ case " $CXX $CXXFLAGS " in ++ *" -library=stlport4 "*) ++ solaris_use_stlport4=yes ++ ;; ++ esac ++ if test "$solaris_use_stlport4" != yes; then ++ postdeps_CXX='-library=Cstd -library=Crun' ++ fi ++ ;; ++ esac ++ ;; ++ + solaris*) + case $cc_basename in + CC*) ++ # The more standards-conforming stlport4 library is ++ # incompatible with the Cstd library. Avoid specifying ++ # it if it's in CXXFLAGS. Ignore libCrun as ++ # -library=stlport4 depends on it. ++ case " $CXX $CXXFLAGS " in ++ *" -library=stlport4 "*) ++ solaris_use_stlport4=yes ++ ;; ++ esac ++ + # Adding this requires a known-good setup of shared libraries for + # Sun compiler versions before 5.6, else PIC objects from an old + # archive will be linked into the output, leading to subtle bugs. +- postdeps_CXX='-lCstd -lCrun' ++ if test "$solaris_use_stlport4" != yes; then ++ postdeps_CXX='-library=Cstd -library=Crun' ++ fi + ;; + esac + ;; +@@ -12431,12 +12605,14 @@ + # like `-m68040'. + lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4' + ;; +- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) ++ beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; +- mingw* | os2* | pw32*) ++ mingw* | cygwin* | os2* | pw32*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). ++ # Although the cygwin gcc ignores -fPIC, still need this for old-style ++ # (--disable-auto-import) libraries + lt_prog_compiler_pic_CXX='-DDLL_EXPORT' + ;; + darwin* | rhapsody*) +@@ -12448,7 +12624,7 @@ + # DJGPP does not support shared libraries at all + lt_prog_compiler_pic_CXX= + ;; +- interix3*) ++ interix[3-9]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; +@@ -12514,7 +12690,7 @@ + ;; + esac + ;; +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + # FreeBSD uses GNU C++ + ;; + hpux9* | hpux10* | hpux11*) +@@ -12557,7 +12733,7 @@ + ;; + esac + ;; +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + KCC*) + # KAI C++ Compiler +@@ -12584,6 +12760,14 @@ + lt_prog_compiler_static_CXX='-non_shared' + ;; + *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C++ 5.9 ++ lt_prog_compiler_pic_CXX='-KPIC' ++ lt_prog_compiler_static_CXX='-Bstatic' ++ lt_prog_compiler_wl_CXX='-Qoption ld ' ++ ;; ++ esac + ;; + esac + ;; +@@ -12600,7 +12784,7 @@ + ;; + esac + ;; +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + ;; + osf3* | osf4* | osf5*) + case $cc_basename in +@@ -12698,7 +12882,7 @@ + else + lt_prog_compiler_pic_works_CXX=no + ac_outfile=conftest.$ac_objext +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -12709,11 +12893,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:12712: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:12896: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:12716: \$? = $ac_status" >&5 ++ echo "$as_me:12900: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -12762,7 +12946,7 @@ + lt_prog_compiler_static_works_CXX=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $lt_tmp_static_flag" +- printf "$lt_simple_link_test_code" > conftest.$ac_ext ++ echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings +@@ -12802,7 +12986,7 @@ + mkdir conftest + cd conftest + mkdir out +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or +@@ -12813,11 +12997,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:12816: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:13000: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:12820: \$? = $ac_status" >&5 ++ echo "$as_me:13004: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -12883,7 +13067,10 @@ + export_symbols_cmds_CXX="$ltdll_cmds" + ;; + cygwin* | mingw*) +- export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([^ ]*\) [^ ]*/\1 DATA/;/^I /d;/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' ++ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;/^.*[ ]__nm__/s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' ++ ;; ++ linux* | k*bsd*-gnu) ++ link_all_deplibs_CXX=no + ;; + *) + export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' +@@ -12914,7 +13101,7 @@ + { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 + echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; } + $rm conftest* +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 +@@ -12972,20 +13159,7 @@ + version_type=none + dynamic_linker="$host_os ld.so" + sys_lib_dlsearch_path_spec="/lib /usr/lib" +-if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` +- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then +- # if the path contains ";" then we assume it to be the separator +- # otherwise default to the standard path separator (i.e. ":") - it is +- # assumed that no part of a normal pathname contains ";" but that should +- # okay in the real world where ";" in dirpaths is itself problematic. +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` +- else +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` +- fi +-else +- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +-fi ++ + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -13142,12 +13316,7 @@ + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. +- if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` +- else +- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' +- fi ++ + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +@@ -13164,18 +13333,6 @@ + dynamic_linker=no + ;; + +-kfreebsd*-gnu) +- version_type=linux +- need_lib_prefix=no +- need_version=no +- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' +- soname_spec='${libname}${release}${shared_ext}$major' +- shlibpath_var=LD_LIBRARY_PATH +- shlibpath_overrides_runpath=no +- hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' +- ;; +- + freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. +@@ -13213,7 +13370,7 @@ + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; +- freebsd*) # from 4.6 on ++ *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; +@@ -13276,7 +13433,7 @@ + postinstall_cmds='chmod 555 $lib' + ;; + +-interix3*) ++interix[3-9]*) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -13331,7 +13488,7 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -13347,7 +13504,7 @@ + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` ++ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + fi + +@@ -13360,7 +13517,7 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + +-knetbsd*-gnu) ++netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -13369,7 +13526,7 @@ + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' ++ dynamic_linker='NetBSD ld.elf_so' + ;; + + netbsd*) +@@ -13453,6 +13610,10 @@ + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; + ++rdos*) ++ dynamic_linker=no ++ ;; ++ + solaris*) + version_type=linux + need_lib_prefix=no +@@ -13647,6 +13808,7 @@ + module_cmds_CXX \ + module_expsym_cmds_CXX \ + lt_cv_prog_compiler_c_o_CXX \ ++ fix_srcfile_path_CXX \ + exclude_expsyms_CXX \ + include_expsyms_CXX; do + +@@ -13967,7 +14129,7 @@ + sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + + # Fix the shell variable \$srcfile for the compiler. +-fix_srcfile_path="$fix_srcfile_path_CXX" ++fix_srcfile_path=$lt_fix_srcfile_path + + # Set to yes if exported symbols are required. + always_export_symbols=$always_export_symbols_CXX +@@ -14058,10 +14220,17 @@ + objext_F77=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code=" subroutine t\n return\n end\n" ++lt_simple_compile_test_code="\ ++ subroutine t ++ return ++ end ++" + + # Code to be used in simple link tests +-lt_simple_link_test_code=" program t\n end\n" ++lt_simple_link_test_code="\ ++ program t ++ end ++" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + +@@ -14077,13 +14246,13 @@ + + # save warnings/boilerplate of simple test code + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_compile_test_code" >conftest.$ac_ext ++echo "$lt_simple_compile_test_code" >conftest.$ac_ext + eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_compiler_boilerplate=`cat conftest.err` + $rm conftest* + + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_link_test_code" >conftest.$ac_ext ++echo "$lt_simple_link_test_code" >conftest.$ac_ext + eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_linker_boilerplate=`cat conftest.err` + $rm conftest* +@@ -14170,13 +14339,15 @@ + lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4' + ;; + +- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) ++ beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). ++ # Although the cygwin gcc ignores -fPIC, still need this for old-style ++ # (--disable-auto-import) libraries + lt_prog_compiler_pic_F77='-DDLL_EXPORT' + ;; + +@@ -14186,7 +14357,7 @@ + lt_prog_compiler_pic_F77='-fno-common' + ;; + +- interix3*) ++ interix[3-9]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; +@@ -14244,7 +14415,7 @@ + esac + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + lt_prog_compiler_pic_F77='-DDLL_EXPORT' +@@ -14277,7 +14448,7 @@ + lt_prog_compiler_static_F77='-Bstatic' + ;; + +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + icc* | ecc*) + lt_prog_compiler_wl_F77='-Wl,' +@@ -14296,6 +14467,22 @@ + # All Alpha code is PIC. + lt_prog_compiler_static_F77='-non_shared' + ;; ++ *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C 5.9 ++ lt_prog_compiler_pic_F77='-KPIC' ++ lt_prog_compiler_static_F77='-Bstatic' ++ lt_prog_compiler_wl_F77='-Wl,' ++ ;; ++ *Sun\ F*) ++ # Sun Fortran 8.3 passes all unrecognized flags to the linker ++ lt_prog_compiler_pic_F77='-KPIC' ++ lt_prog_compiler_static_F77='-Bstatic' ++ lt_prog_compiler_wl_F77='' ++ ;; ++ esac ++ ;; + esac + ;; + +@@ -14305,6 +14492,10 @@ + lt_prog_compiler_static_F77='-non_shared' + ;; + ++ rdos*) ++ lt_prog_compiler_static_F77='-non_shared' ++ ;; ++ + solaris*) + lt_prog_compiler_pic_F77='-KPIC' + lt_prog_compiler_static_F77='-Bstatic' +@@ -14372,7 +14563,7 @@ + else + lt_prog_compiler_pic_works_F77=no + ac_outfile=conftest.$ac_objext +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$lt_prog_compiler_pic_F77" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -14383,11 +14574,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:14386: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:14577: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:14390: \$? = $ac_status" >&5 ++ echo "$as_me:14581: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -14436,7 +14627,7 @@ + lt_prog_compiler_static_works_F77=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $lt_tmp_static_flag" +- printf "$lt_simple_link_test_code" > conftest.$ac_ext ++ echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings +@@ -14476,7 +14667,7 @@ + mkdir conftest + cd conftest + mkdir out +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or +@@ -14487,11 +14678,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:14490: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:14681: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:14494: \$? = $ac_status" >&5 ++ echo "$as_me:14685: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -14683,7 +14874,7 @@ + allow_undefined_flag_F77=unsupported + always_export_symbols_F77=no + enable_shared_with_static_runtimes_F77=yes +- export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' ++ export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + + if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then + archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' +@@ -14701,7 +14892,7 @@ + fi + ;; + +- interix3*) ++ interix[3-9]*) + hardcode_direct_F77=no + hardcode_shlibpath_var_F77=no + hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' +@@ -14716,7 +14907,7 @@ + archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + +- linux*) ++ gnu* | linux* | k*bsd*-gnu) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + tmp_addflag= + case $cc_basename,$host_cpu in +@@ -14734,20 +14925,30 @@ + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + esac +- archive_cmds_F77='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) # Sun C 5.9 ++ whole_archive_flag_spec_F77='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' ++ tmp_sharedflag='-G' ;; ++ *Sun\ F*) # Sun Fortran 8.3 ++ tmp_sharedflag='-G' ;; ++ *) ++ tmp_sharedflag='-shared' ;; ++ esac ++ archive_cmds_F77='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + + if test $supports_anon_versioning = yes; then + archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + $echo "local: *; };" >> $output_objdir/$libname.ver~ +- $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' ++ $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ link_all_deplibs_F77=no + else + ld_shlibs_F77=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -14899,7 +15100,7 @@ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 +- hardcode_direct_F77=yes ++ : + else + # We have old collect2 + hardcode_direct_F77=unsupported +@@ -14963,11 +15164,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -15012,11 +15220,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -15070,7 +15285,7 @@ + # The linker will automatically build a .lib file if we build a DLL. + old_archive_From_new_cmds_F77='true' + # FIXME: Should let the user specify the lib program. +- old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs' ++ old_archive_cmds_F77='lib -OUT:$oldlib$oldobjs$old_deplibs' + fix_srcfile_path_F77='`cygpath -w "$srcfile"`' + enable_shared_with_static_runtimes_F77=yes + ;; +@@ -15112,10 +15327,10 @@ + case $cc_basename in + xlc*) + output_verbose_link_cmd='echo' +- archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' ++ archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring' + module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' + # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds +- archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' ++ archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + ;; + *) +@@ -15155,7 +15370,7 @@ + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec_F77='-R$libdir' + hardcode_direct_F77=yes +@@ -15257,7 +15472,7 @@ + link_all_deplibs_F77=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -15277,24 +15492,28 @@ + ;; + + openbsd*) +- hardcode_direct_F77=yes +- hardcode_shlibpath_var_F77=no +- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then +- archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' +- hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' +- export_dynamic_flag_spec_F77='${wl}-E' ++ if test -f /usr/libexec/ld.so; then ++ hardcode_direct_F77=yes ++ hardcode_shlibpath_var_F77=no ++ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then ++ archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' ++ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' ++ export_dynamic_flag_spec_F77='${wl}-E' ++ else ++ case $host_os in ++ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) ++ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' ++ hardcode_libdir_flag_spec_F77='-R$libdir' ++ ;; ++ *) ++ archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' ++ ;; ++ esac ++ fi + else +- case $host_os in +- openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) +- archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec_F77='-R$libdir' +- ;; +- *) +- archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir' +- ;; +- esac ++ ld_shlibs_F77=no + fi + ;; + +@@ -15353,17 +15572,16 @@ + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; + *) +- # The compiler driver will combine linker options so we +- # cannot just pass the convience library names through +- # without $wl, iff we do not link with $LD. +- # Luckily, gcc supports the same syntax we need for Sun Studio. ++ # The compiler driver will combine and reorder linker options, ++ # but understands `-z linker_flag'. GCC discards it without `$wl', ++ # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) +- case $wlarc in +- '') +- whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;; +- *) +- whole_archive_flag_spec_F77='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; +- esac ;; ++ if test "$GCC" = yes; then ++ whole_archive_flag_spec_F77='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ++ else ++ whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ++ fi ++ ;; + esac + link_all_deplibs_F77=yes + ;; +@@ -15420,7 +15638,7 @@ + fi + ;; + +- sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) ++ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + no_undefined_flag_F77='${wl}-z,text' + archive_cmds_need_lc_F77=no + hardcode_shlibpath_var_F77=no +@@ -15497,7 +15715,7 @@ + { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 + echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; } + $rm conftest* +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 +@@ -15555,20 +15773,7 @@ + version_type=none + dynamic_linker="$host_os ld.so" + sys_lib_dlsearch_path_spec="/lib /usr/lib" +-if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` +- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then +- # if the path contains ";" then we assume it to be the separator +- # otherwise default to the standard path separator (i.e. ":") - it is +- # assumed that no part of a normal pathname contains ";" but that should +- # okay in the real world where ";" in dirpaths is itself problematic. +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` +- else +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` +- fi +-else +- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +-fi ++ + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -15725,12 +15930,7 @@ + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. +- if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` +- else +- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' +- fi ++ + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +@@ -15747,18 +15947,6 @@ + dynamic_linker=no + ;; + +-kfreebsd*-gnu) +- version_type=linux +- need_lib_prefix=no +- need_version=no +- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' +- soname_spec='${libname}${release}${shared_ext}$major' +- shlibpath_var=LD_LIBRARY_PATH +- shlibpath_overrides_runpath=no +- hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' +- ;; +- + freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. +@@ -15796,7 +15984,7 @@ + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; +- freebsd*) # from 4.6 on ++ *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; +@@ -15859,7 +16047,7 @@ + postinstall_cmds='chmod 555 $lib' + ;; + +-interix3*) ++interix[3-9]*) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -15914,7 +16102,7 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -15930,7 +16118,7 @@ + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` ++ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + fi + +@@ -15943,7 +16131,7 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + +-knetbsd*-gnu) ++netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -15952,7 +16140,7 @@ + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' ++ dynamic_linker='NetBSD ld.elf_so' + ;; + + netbsd*) +@@ -16036,6 +16224,10 @@ + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; + ++rdos*) ++ dynamic_linker=no ++ ;; ++ + solaris*) + version_type=linux + need_lib_prefix=no +@@ -16230,6 +16422,7 @@ + module_cmds_F77 \ + module_expsym_cmds_F77 \ + lt_cv_prog_compiler_c_o_F77 \ ++ fix_srcfile_path_F77 \ + exclude_expsyms_F77 \ + include_expsyms_F77; do + +@@ -16550,7 +16743,7 @@ + sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + + # Fix the shell variable \$srcfile for the compiler. +-fix_srcfile_path="$fix_srcfile_path_F77" ++fix_srcfile_path=$lt_fix_srcfile_path + + # Set to yes if exported symbols are required. + always_export_symbols=$always_export_symbols_F77 +@@ -16608,10 +16801,10 @@ + objext_GCJ=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code="class foo {}\n" ++lt_simple_compile_test_code="class foo {}" + + # Code to be used in simple link tests +-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n' ++lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + +@@ -16627,13 +16820,13 @@ + + # save warnings/boilerplate of simple test code + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_compile_test_code" >conftest.$ac_ext ++echo "$lt_simple_compile_test_code" >conftest.$ac_ext + eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_compiler_boilerplate=`cat conftest.err` + $rm conftest* + + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_link_test_code" >conftest.$ac_ext ++echo "$lt_simple_link_test_code" >conftest.$ac_ext + eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_linker_boilerplate=`cat conftest.err` + $rm conftest* +@@ -16674,7 +16867,7 @@ + else + lt_cv_prog_compiler_rtti_exceptions=no + ac_outfile=conftest.$ac_objext +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="-fno-rtti -fno-exceptions" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -16685,11 +16878,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:16688: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:16881: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:16692: \$? = $ac_status" >&5 ++ echo "$as_me:16885: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -16740,13 +16933,15 @@ + lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4' + ;; + +- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) ++ beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). ++ # Although the cygwin gcc ignores -fPIC, still need this for old-style ++ # (--disable-auto-import) libraries + lt_prog_compiler_pic_GCJ='-DDLL_EXPORT' + ;; + +@@ -16756,7 +16951,7 @@ + lt_prog_compiler_pic_GCJ='-fno-common' + ;; + +- interix3*) ++ interix[3-9]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; +@@ -16814,7 +17009,7 @@ + esac + ;; + +- mingw* | pw32* | os2*) ++ mingw* | cygwin* | pw32* | os2*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + lt_prog_compiler_pic_GCJ='-DDLL_EXPORT' +@@ -16847,7 +17042,7 @@ + lt_prog_compiler_static_GCJ='-Bstatic' + ;; + +- linux*) ++ linux* | k*bsd*-gnu) + case $cc_basename in + icc* | ecc*) + lt_prog_compiler_wl_GCJ='-Wl,' +@@ -16866,6 +17061,22 @@ + # All Alpha code is PIC. + lt_prog_compiler_static_GCJ='-non_shared' + ;; ++ *) ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) ++ # Sun C 5.9 ++ lt_prog_compiler_pic_GCJ='-KPIC' ++ lt_prog_compiler_static_GCJ='-Bstatic' ++ lt_prog_compiler_wl_GCJ='-Wl,' ++ ;; ++ *Sun\ F*) ++ # Sun Fortran 8.3 passes all unrecognized flags to the linker ++ lt_prog_compiler_pic_GCJ='-KPIC' ++ lt_prog_compiler_static_GCJ='-Bstatic' ++ lt_prog_compiler_wl_GCJ='' ++ ;; ++ esac ++ ;; + esac + ;; + +@@ -16875,6 +17086,10 @@ + lt_prog_compiler_static_GCJ='-non_shared' + ;; + ++ rdos*) ++ lt_prog_compiler_static_GCJ='-non_shared' ++ ;; ++ + solaris*) + lt_prog_compiler_pic_GCJ='-KPIC' + lt_prog_compiler_static_GCJ='-Bstatic' +@@ -16942,7 +17157,7 @@ + else + lt_prog_compiler_pic_works_GCJ=no + ac_outfile=conftest.$ac_objext +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$lt_prog_compiler_pic_GCJ" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. +@@ -16953,11 +17168,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:16956: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17171: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 +- echo "$as_me:16960: \$? = $ac_status" >&5 ++ echo "$as_me:17175: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. +@@ -17006,7 +17221,7 @@ + lt_prog_compiler_static_works_GCJ=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $lt_tmp_static_flag" +- printf "$lt_simple_link_test_code" > conftest.$ac_ext ++ echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings +@@ -17046,7 +17261,7 @@ + mkdir conftest + cd conftest + mkdir out +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or +@@ -17057,11 +17272,11 @@ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` +- (eval echo "\"\$as_me:17060: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17275: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 +- echo "$as_me:17064: \$? = $ac_status" >&5 ++ echo "$as_me:17279: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized +@@ -17253,7 +17468,7 @@ + allow_undefined_flag_GCJ=unsupported + always_export_symbols_GCJ=no + enable_shared_with_static_runtimes_GCJ=yes +- export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols' ++ export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + + if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then + archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' +@@ -17271,7 +17486,7 @@ + fi + ;; + +- interix3*) ++ interix[3-9]*) + hardcode_direct_GCJ=no + hardcode_shlibpath_var_GCJ=no + hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' +@@ -17286,7 +17501,7 @@ + archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + +- linux*) ++ gnu* | linux* | k*bsd*-gnu) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + tmp_addflag= + case $cc_basename,$host_cpu in +@@ -17304,20 +17519,30 @@ + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + esac +- archive_cmds_GCJ='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' ++ case `$CC -V 2>&1 | sed 5q` in ++ *Sun\ C*) # Sun C 5.9 ++ whole_archive_flag_spec_GCJ='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive' ++ tmp_sharedflag='-G' ;; ++ *Sun\ F*) # Sun Fortran 8.3 ++ tmp_sharedflag='-G' ;; ++ *) ++ tmp_sharedflag='-shared' ;; ++ esac ++ archive_cmds_GCJ='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + + if test $supports_anon_versioning = yes; then + archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + $echo "local: *; };" >> $output_objdir/$libname.ver~ +- $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' ++ $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi ++ link_all_deplibs_GCJ=no + else + ld_shlibs_GCJ=no + fi + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= +@@ -17469,7 +17694,7 @@ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 +- hardcode_direct_GCJ=yes ++ : + else + # We have old collect2 + hardcode_direct_GCJ=unsupported +@@ -17543,11 +17768,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -17602,11 +17834,18 @@ + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + +-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'` ++lt_aix_libpath_sed=' ++ /Import File Strings/,/^$/ { ++ /^0/ { ++ s/^0 *\(.*\)$/\1/ ++ p ++ } ++ }' ++aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. +-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +-}'`; fi ++if test -z "$aix_libpath"; then ++ aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` ++fi + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 +@@ -17660,7 +17899,7 @@ + # The linker will automatically build a .lib file if we build a DLL. + old_archive_From_new_cmds_GCJ='true' + # FIXME: Should let the user specify the lib program. +- old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs' ++ old_archive_cmds_GCJ='lib -OUT:$oldlib$oldobjs$old_deplibs' + fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`' + enable_shared_with_static_runtimes_GCJ=yes + ;; +@@ -17702,10 +17941,10 @@ + case $cc_basename in + xlc*) + output_verbose_link_cmd='echo' +- archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring' ++ archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring' + module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' + # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds +- archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' ++ archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + ;; + *) +@@ -17745,7 +17984,7 @@ + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. +- freebsd* | kfreebsd*-gnu | dragonfly*) ++ freebsd* | dragonfly*) + archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec_GCJ='-R$libdir' + hardcode_direct_GCJ=yes +@@ -17847,7 +18086,7 @@ + link_all_deplibs_GCJ=yes + ;; + +- netbsd*) ++ netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then + archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else +@@ -17867,24 +18106,28 @@ + ;; + + openbsd*) +- hardcode_direct_GCJ=yes +- hardcode_shlibpath_var_GCJ=no +- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then +- archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' +- hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' +- export_dynamic_flag_spec_GCJ='${wl}-E' ++ if test -f /usr/libexec/ld.so; then ++ hardcode_direct_GCJ=yes ++ hardcode_shlibpath_var_GCJ=no ++ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then ++ archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' ++ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' ++ export_dynamic_flag_spec_GCJ='${wl}-E' ++ else ++ case $host_os in ++ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) ++ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' ++ hardcode_libdir_flag_spec_GCJ='-R$libdir' ++ ;; ++ *) ++ archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' ++ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' ++ ;; ++ esac ++ fi + else +- case $host_os in +- openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) +- archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec_GCJ='-R$libdir' +- ;; +- *) +- archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir' +- ;; +- esac ++ ld_shlibs_GCJ=no + fi + ;; + +@@ -17943,17 +18186,16 @@ + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; + *) +- # The compiler driver will combine linker options so we +- # cannot just pass the convience library names through +- # without $wl, iff we do not link with $LD. +- # Luckily, gcc supports the same syntax we need for Sun Studio. ++ # The compiler driver will combine and reorder linker options, ++ # but understands `-z linker_flag'. GCC discards it without `$wl', ++ # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) +- case $wlarc in +- '') +- whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;; +- *) +- whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;; +- esac ;; ++ if test "$GCC" = yes; then ++ whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ++ else ++ whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ++ fi ++ ;; + esac + link_all_deplibs_GCJ=yes + ;; +@@ -18010,7 +18252,7 @@ + fi + ;; + +- sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) ++ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + no_undefined_flag_GCJ='${wl}-z,text' + archive_cmds_need_lc_GCJ=no + hardcode_shlibpath_var_GCJ=no +@@ -18087,7 +18329,7 @@ + { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 + echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; } + $rm conftest* +- printf "$lt_simple_compile_test_code" > conftest.$ac_ext ++ echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 +@@ -18145,20 +18387,7 @@ + version_type=none + dynamic_linker="$host_os ld.so" + sys_lib_dlsearch_path_spec="/lib /usr/lib" +-if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` +- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then +- # if the path contains ";" then we assume it to be the separator +- # otherwise default to the standard path separator (i.e. ":") - it is +- # assumed that no part of a normal pathname contains ";" but that should +- # okay in the real world where ";" in dirpaths is itself problematic. +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` +- else +- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` +- fi +-else +- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +-fi ++ + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -18315,12 +18544,7 @@ + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same. +- if test "$GCC" = yes; then +- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"` +- else +- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib' +- fi ++ + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +@@ -18337,18 +18561,6 @@ + dynamic_linker=no + ;; + +-kfreebsd*-gnu) +- version_type=linux +- need_lib_prefix=no +- need_version=no +- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' +- soname_spec='${libname}${release}${shared_ext}$major' +- shlibpath_var=LD_LIBRARY_PATH +- shlibpath_overrides_runpath=no +- hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' +- ;; +- + freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. +@@ -18386,7 +18598,7 @@ + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; +- freebsd*) # from 4.6 on ++ *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; +@@ -18449,7 +18661,7 @@ + postinstall_cmds='chmod 555 $lib' + ;; + +-interix3*) ++interix[3-9]*) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -18504,7 +18716,7 @@ + ;; + + # This must be Linux ELF. +-linux*) ++linux* | k*bsd*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -18520,7 +18732,7 @@ + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` ++ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + fi + +@@ -18533,7 +18745,7 @@ + dynamic_linker='GNU/Linux ld.so' + ;; + +-knetbsd*-gnu) ++netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no +@@ -18542,7 +18754,7 @@ + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes +- dynamic_linker='GNU ld.so' ++ dynamic_linker='NetBSD ld.elf_so' + ;; + + netbsd*) +@@ -18626,6 +18838,10 @@ + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; + ++rdos*) ++ dynamic_linker=no ++ ;; ++ + solaris*) + version_type=linux + need_lib_prefix=no +@@ -18820,6 +19036,7 @@ + module_cmds_GCJ \ + module_expsym_cmds_GCJ \ + lt_cv_prog_compiler_c_o_GCJ \ ++ fix_srcfile_path_GCJ \ + exclude_expsyms_GCJ \ + include_expsyms_GCJ; do + +@@ -19140,7 +19357,7 @@ + sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + + # Fix the shell variable \$srcfile for the compiler. +-fix_srcfile_path="$fix_srcfile_path_GCJ" ++fix_srcfile_path=$lt_fix_srcfile_path + + # Set to yes if exported symbols are required. + always_export_symbols=$always_export_symbols_GCJ +@@ -19197,7 +19414,7 @@ + objext_RC=$objext + + # Code to be used in simple compile tests +-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n' ++lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' + + # Code to be used in simple link tests + lt_simple_link_test_code="$lt_simple_compile_test_code" +@@ -19216,13 +19433,13 @@ + + # save warnings/boilerplate of simple test code + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_compile_test_code" >conftest.$ac_ext ++echo "$lt_simple_compile_test_code" >conftest.$ac_ext + eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_compiler_boilerplate=`cat conftest.err` + $rm conftest* + + ac_outfile=conftest.$ac_objext +-printf "$lt_simple_link_test_code" >conftest.$ac_ext ++echo "$lt_simple_link_test_code" >conftest.$ac_ext + eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err + _lt_linker_boilerplate=`cat conftest.err` + $rm conftest* +@@ -19300,6 +19517,7 @@ + module_cmds_RC \ + module_expsym_cmds_RC \ + lt_cv_prog_compiler_c_o_RC \ ++ fix_srcfile_path_RC \ + exclude_expsyms_RC \ + include_expsyms_RC; do + +@@ -19620,7 +19838,7 @@ + sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec + + # Fix the shell variable \$srcfile for the compiler. +-fix_srcfile_path="$fix_srcfile_path_RC" ++fix_srcfile_path=$lt_fix_srcfile_path + + # Set to yes if exported symbols are required. + always_export_symbols=$always_export_symbols_RC +@@ -21235,18 +21453,23 @@ + fi + + if test x"$WITH_CRACKLIB" != xno ; then +- if test "${ac_cv_header_crack_h+set}" = set; then +- { echo "$as_me:$LINENO: checking for crack.h" >&5 +-echo $ECHO_N "checking for crack.h... $ECHO_C" >&6; } +-if test "${ac_cv_header_crack_h+set}" = set; then ++ ++for ac_header in crack.h ++do ++as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` ++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then ++ { echo "$as_me:$LINENO: checking for $ac_header" >&5 ++echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } ++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 + fi +-{ echo "$as_me:$LINENO: result: $ac_cv_header_crack_h" >&5 +-echo "${ECHO_T}$ac_cv_header_crack_h" >&6; } ++ac_res=`eval echo '${'$as_ac_Header'}'` ++ { echo "$as_me:$LINENO: result: $ac_res" >&5 ++echo "${ECHO_T}$ac_res" >&6; } + else + # Is the header compilable? +-{ echo "$as_me:$LINENO: checking crack.h usability" >&5 +-echo $ECHO_N "checking crack.h usability... $ECHO_C" >&6; } ++{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 ++echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } + cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ + _ACEOF +@@ -21254,7 +21477,7 @@ + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ + $ac_includes_default +-#include <crack.h> ++#include <$ac_header> + _ACEOF + rm -f conftest.$ac_objext + if { (ac_try="$ac_compile" +@@ -21286,15 +21509,15 @@ + echo "${ECHO_T}$ac_header_compiler" >&6; } + + # Is the header present? +-{ echo "$as_me:$LINENO: checking crack.h presence" >&5 +-echo $ECHO_N "checking crack.h presence... $ECHO_C" >&6; } ++{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 ++echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } + cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ + _ACEOF + cat confdefs.h >>conftest.$ac_ext + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ +-#include <crack.h> ++#include <$ac_header> + _ACEOF + if { (ac_try="$ac_cpp conftest.$ac_ext" + case "(($ac_try" in +@@ -21327,41 +21550,45 @@ + # So? What about this header? + case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) +- { echo "$as_me:$LINENO: WARNING: crack.h: accepted by the compiler, rejected by the preprocessor!" >&5 +-echo "$as_me: WARNING: crack.h: accepted by the compiler, rejected by the preprocessor!" >&2;} +- { echo "$as_me:$LINENO: WARNING: crack.h: proceeding with the compiler's result" >&5 +-echo "$as_me: WARNING: crack.h: proceeding with the compiler's result" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 ++echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 ++echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) +- { echo "$as_me:$LINENO: WARNING: crack.h: present but cannot be compiled" >&5 +-echo "$as_me: WARNING: crack.h: present but cannot be compiled" >&2;} +- { echo "$as_me:$LINENO: WARNING: crack.h: check for missing prerequisite headers?" >&5 +-echo "$as_me: WARNING: crack.h: check for missing prerequisite headers?" >&2;} +- { echo "$as_me:$LINENO: WARNING: crack.h: see the Autoconf documentation" >&5 +-echo "$as_me: WARNING: crack.h: see the Autoconf documentation" >&2;} +- { echo "$as_me:$LINENO: WARNING: crack.h: section \"Present But Cannot Be Compiled\"" >&5 +-echo "$as_me: WARNING: crack.h: section \"Present But Cannot Be Compiled\"" >&2;} +- { echo "$as_me:$LINENO: WARNING: crack.h: proceeding with the preprocessor's result" >&5 +-echo "$as_me: WARNING: crack.h: proceeding with the preprocessor's result" >&2;} +- { echo "$as_me:$LINENO: WARNING: crack.h: in the future, the compiler will take precedence" >&5 +-echo "$as_me: WARNING: crack.h: in the future, the compiler will take precedence" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 ++echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 ++echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 ++echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 ++echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 ++echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} ++ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 ++echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; + esac +-{ echo "$as_me:$LINENO: checking for crack.h" >&5 +-echo $ECHO_N "checking for crack.h... $ECHO_C" >&6; } +-if test "${ac_cv_header_crack_h+set}" = set; then ++{ echo "$as_me:$LINENO: checking for $ac_header" >&5 ++echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } ++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 + else +- ac_cv_header_crack_h=$ac_header_preproc ++ eval "$as_ac_Header=\$ac_header_preproc" + fi +-{ echo "$as_me:$LINENO: result: $ac_cv_header_crack_h" >&5 +-echo "${ECHO_T}$ac_cv_header_crack_h" >&6; } ++ac_res=`eval echo '${'$as_ac_Header'}'` ++ { echo "$as_me:$LINENO: result: $ac_res" >&5 ++echo "${ECHO_T}$ac_res" >&6; } + + fi +-if test $ac_cv_header_crack_h = yes; then +- { echo "$as_me:$LINENO: checking for FascistCheck in -lcrack" >&5 ++if test `eval echo '${'$as_ac_Header'}'` = yes; then ++ cat >>confdefs.h <<_ACEOF ++#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 ++_ACEOF ++ { echo "$as_me:$LINENO: checking for FascistCheck in -lcrack" >&5 + echo $ECHO_N "checking for FascistCheck in -lcrack... $ECHO_C" >&6; } + if test "${ac_cv_lib_crack_FascistCheck+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +@@ -21430,6 +21657,7 @@ + + fi + ++done + + else + LIBCRACK="" +@@ -23012,7 +23240,8 @@ + + + +-for ac_header in fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h termio.h unistd.h sys/fsuid.h inittypes.h ++ ++for ac_header in fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h + do + as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` + if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then +@@ -28407,12 +28636,12 @@ + LEX_OUTPUT_ROOT!$LEX_OUTPUT_ROOT$ac_delim + LEXLIB!$LEXLIB$ac_delim + LN_S!$LN_S$ac_delim ++SED!$SED$ac_delim + GREP!$GREP$ac_delim + EGREP!$EGREP$ac_delim + ECHO!$ECHO$ac_delim + AR!$AR$ac_delim + RANLIB!$RANLIB$ac_delim +-CPP!$CPP$ac_delim + _ACEOF + + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then +@@ -28454,6 +28683,7 @@ + ac_delim='%!_!# ' + for ac_last_try in false false false false false :; do + cat >conf$$subs.sed <<_ACEOF ++CPP!$CPP$ac_delim + CXX!$CXX$ac_delim + CXXFLAGS!$CXXFLAGS$ac_delim + ac_ct_CXX!$ac_ct_CXX$ac_delim +@@ -28531,7 +28761,7 @@ + LTLIBOBJS!$LTLIBOBJS$ac_delim + _ACEOF + +- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 75; then ++ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 76; then + break + elif $ac_last_try; then + { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +Index: pam/Linux-PAM/doc/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/doc/Makefile.in ++++ pam/Linux-PAM/doc/Makefile.in +@@ -165,6 +165,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/doc/adg/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/doc/adg/Makefile.in ++++ pam/Linux-PAM/doc/adg/Makefile.in +@@ -142,6 +142,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/doc/man/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/doc/man/Makefile.in ++++ pam/Linux-PAM/doc/man/Makefile.in +@@ -149,6 +149,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/doc/mwg/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/doc/mwg/Makefile.in ++++ pam/Linux-PAM/doc/mwg/Makefile.in +@@ -142,6 +142,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/doc/sag/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/doc/sag/Makefile.in ++++ pam/Linux-PAM/doc/sag/Makefile.in +@@ -142,6 +142,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/doc/specs/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/doc/specs/Makefile.in ++++ pam/Linux-PAM/doc/specs/Makefile.in +@@ -180,6 +180,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/examples/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/examples/Makefile.in ++++ pam/Linux-PAM/examples/Makefile.in +@@ -172,6 +172,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/libpam/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/libpam/Makefile.in ++++ pam/Linux-PAM/libpam/Makefile.in +@@ -190,6 +190,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/libpam_misc/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/libpam_misc/Makefile.in ++++ pam/Linux-PAM/libpam_misc/Makefile.in +@@ -177,6 +177,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/libpamc/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/libpamc/Makefile.in ++++ pam/Linux-PAM/libpamc/Makefile.in +@@ -187,6 +187,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/libpamc/test/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/libpamc/test/Makefile.in ++++ pam/Linux-PAM/libpamc/test/Makefile.in +@@ -142,6 +142,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/Makefile.in ++++ pam/Linux-PAM/modules/Makefile.in +@@ -154,6 +154,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_access/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_access/Makefile.in ++++ pam/Linux-PAM/modules/pam_access/Makefile.in +@@ -178,6 +178,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_cracklib/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_cracklib/Makefile.in ++++ pam/Linux-PAM/modules/pam_cracklib/Makefile.in +@@ -176,6 +176,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_debug/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_debug/Makefile.in ++++ pam/Linux-PAM/modules/pam_debug/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_deny/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_deny/Makefile.in ++++ pam/Linux-PAM/modules/pam_deny/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_echo/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_echo/Makefile.in ++++ pam/Linux-PAM/modules/pam_echo/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_env/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_env/Makefile.in ++++ pam/Linux-PAM/modules/pam_env/Makefile.in +@@ -180,6 +180,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_exec/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_exec/Makefile.in ++++ pam/Linux-PAM/modules/pam_exec/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_faildelay/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_faildelay/Makefile.in ++++ pam/Linux-PAM/modules/pam_faildelay/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_filter/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_filter/Makefile.in ++++ pam/Linux-PAM/modules/pam_filter/Makefile.in +@@ -190,6 +190,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.in ++++ pam/Linux-PAM/modules/pam_filter/upperLOWER/Makefile.in +@@ -164,6 +164,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_ftp/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_ftp/Makefile.in ++++ pam/Linux-PAM/modules/pam_ftp/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_group/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_group/Makefile.in ++++ pam/Linux-PAM/modules/pam_group/Makefile.in +@@ -178,6 +178,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_issue/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_issue/Makefile.in ++++ pam/Linux-PAM/modules/pam_issue/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_keyinit/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_keyinit/Makefile.in ++++ pam/Linux-PAM/modules/pam_keyinit/Makefile.in +@@ -177,6 +177,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_lastlog/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_lastlog/Makefile.in ++++ pam/Linux-PAM/modules/pam_lastlog/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_limits/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_limits/Makefile.in ++++ pam/Linux-PAM/modules/pam_limits/Makefile.in +@@ -178,6 +178,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_listfile/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_listfile/Makefile.in ++++ pam/Linux-PAM/modules/pam_listfile/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_localuser/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_localuser/Makefile.in ++++ pam/Linux-PAM/modules/pam_localuser/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_loginuid/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_loginuid/Makefile.in ++++ pam/Linux-PAM/modules/pam_loginuid/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_mail/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_mail/Makefile.in ++++ pam/Linux-PAM/modules/pam_mail/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_mkhomedir/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_mkhomedir/Makefile.in ++++ pam/Linux-PAM/modules/pam_mkhomedir/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_motd/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_motd/Makefile.in ++++ pam/Linux-PAM/modules/pam_motd/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_namespace/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_namespace/Makefile.in ++++ pam/Linux-PAM/modules/pam_namespace/Makefile.in +@@ -189,6 +189,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_nologin/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_nologin/Makefile.in ++++ pam/Linux-PAM/modules/pam_nologin/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_permit/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_permit/Makefile.in ++++ pam/Linux-PAM/modules/pam_permit/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_rhosts/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_rhosts/Makefile.in ++++ pam/Linux-PAM/modules/pam_rhosts/Makefile.in +@@ -178,6 +178,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_rootok/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_rootok/Makefile.in ++++ pam/Linux-PAM/modules/pam_rootok/Makefile.in +@@ -176,6 +176,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_securetty/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_securetty/Makefile.in ++++ pam/Linux-PAM/modules/pam_securetty/Makefile.in +@@ -65,8 +65,8 @@ + securelibLTLIBRARIES_INSTALL = $(INSTALL) + LTLIBRARIES = $(securelib_LTLIBRARIES) + pam_securetty_la_LIBADD = +-pam_securetty_la_SOURCES = pam_securetty.c +-pam_securetty_la_OBJECTS = pam_securetty.lo ++am_pam_securetty_la_OBJECTS = pam_securetty.lo tty_secure.lo ++pam_securetty_la_OBJECTS = $(am_pam_securetty_la_OBJECTS) + DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ + depcomp = $(SHELL) $(top_srcdir)/depcomp + am__depfiles_maybe = depfiles +@@ -79,8 +79,8 @@ + LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +-SOURCES = pam_securetty.c +-DIST_SOURCES = pam_securetty.c ++SOURCES = $(pam_securetty_la_SOURCES) ++DIST_SOURCES = $(pam_securetty_la_SOURCES) + man8dir = $(mandir)/man8 + NROFF = nroff + MANS = $(man_MANS) +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +@@ -255,6 +256,10 @@ + AM_LDFLAGS = -no-undefined -avoid-version -module \ + -L$(top_builddir)/libpam -lpam $(am__append_1) + securelib_LTLIBRARIES = pam_securetty.la ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + @ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README + all: all-am + +@@ -326,6 +331,7 @@ + -rm -f *.tab.c + + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_securetty.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tty_secure.Plo@am__quote@ + + .c.o: + @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +Index: pam/Linux-PAM/modules/pam_selinux/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_selinux/Makefile.in ++++ pam/Linux-PAM/modules/pam_selinux/Makefile.in +@@ -190,6 +190,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_shells/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_shells/Makefile.in ++++ pam/Linux-PAM/modules/pam_shells/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_stress/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_stress/Makefile.in ++++ pam/Linux-PAM/modules/pam_stress/Makefile.in +@@ -170,6 +170,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_succeed_if/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_succeed_if/Makefile.in ++++ pam/Linux-PAM/modules/pam_succeed_if/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_tally/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_tally/Makefile.in ++++ pam/Linux-PAM/modules/pam_tally/Makefile.in +@@ -192,6 +192,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_time/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_time/Makefile.in ++++ pam/Linux-PAM/modules/pam_time/Makefile.in +@@ -178,6 +178,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_umask/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_umask/Makefile.in ++++ pam/Linux-PAM/modules/pam_umask/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_unix/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_unix/Makefile.in ++++ pam/Linux-PAM/modules/pam_unix/Makefile.in +@@ -40,8 +40,7 @@ + build_triplet = @build@ + host_triplet = @host@ + @HAVE_LIBSELINUX_TRUE@am__append_1 = -D"WITH_SELINUX" +-@HAVE_LIBCRACK_TRUE@am__append_2 = -D"USE_CRACKLIB" +-@HAVE_VERSIONING_TRUE@am__append_3 = -Wl,--version-script=$(srcdir)/../modules.map ++@HAVE_VERSIONING_TRUE@am__append_2 = -Wl,--version-script=$(srcdir)/../modules.map + sbin_PROGRAMS = unix_chkpwd$(EXEEXT) + noinst_PROGRAMS = bigcrypt$(EXEEXT) + subdir = modules/pam_unix +@@ -72,10 +71,10 @@ + "$(DESTDIR)$(man8dir)" + securelibLTLIBRARIES_INSTALL = $(INSTALL) + LTLIBRARIES = $(securelib_LTLIBRARIES) +-pam_unix_la_LIBADD = ++pam_unix_la_DEPENDENCIES = ../pam_securetty/tty_secure.lo + am_pam_unix_la_OBJECTS = bigcrypt.lo pam_unix_acct.lo pam_unix_auth.lo \ + pam_unix_passwd.lo pam_unix_sess.lo support.lo yppasswd_xdr.lo \ +- md5_good.lo md5_broken.lo ++ md5_good.lo md5_broken.lo obscure.lo + pam_unix_la_OBJECTS = $(am_pam_unix_la_OBJECTS) + pam_unix_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ +@@ -209,6 +208,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +@@ -289,16 +289,18 @@ + secureconfdir = $(SCONFIGDIR) + AM_CFLAGS = -I$(top_srcdir)/libpam/include \ + -I$(top_srcdir)/libpamc/include \ +- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" $(am__append_1) \ ++ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" $(am__append_1) ++pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module @LIBNSL@ \ ++ -L$(top_builddir)/libpam -lpam @LIBCRYPT@ @LIBSELINUX@ \ + $(am__append_2) +-pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module @LIBCRACK@ \ +- @LIBNSL@ -L$(top_builddir)/libpam -lpam @LIBCRYPT@ \ +- @LIBSELINUX@ $(am__append_3) + securelib_LTLIBRARIES = pam_unix.la + noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- yppasswd_xdr.c md5_good.c md5_broken.c ++ yppasswd_xdr.c md5_good.c md5_broken.c obscure.c ++ ++pam_unix_la_LIBADD = \ ++ ../pam_securetty/tty_secure.lo + + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) +@@ -424,6 +426,7 @@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_broken.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_good.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/obscure.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_acct.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_auth.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_passwd.Plo@am__quote@ +Index: pam/Linux-PAM/modules/pam_userdb/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_userdb/Makefile.in ++++ pam/Linux-PAM/modules/pam_userdb/Makefile.in +@@ -179,6 +179,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_warn/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_warn/Makefile.in ++++ pam/Linux-PAM/modules/pam_warn/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_wheel/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_wheel/Makefile.in ++++ pam/Linux-PAM/modules/pam_wheel/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/modules/pam_xauth/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_xauth/Makefile.in ++++ pam/Linux-PAM/modules/pam_xauth/Makefile.in +@@ -175,6 +175,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/tests/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/tests/Makefile.in ++++ pam/Linux-PAM/tests/Makefile.in +@@ -224,6 +224,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ +Index: pam/Linux-PAM/xtests/Makefile.in +=================================================================== +--- pam.orig/Linux-PAM/xtests/Makefile.in ++++ pam/Linux-PAM/xtests/Makefile.in +@@ -179,6 +179,7 @@ + RANLIB = @RANLIB@ + SCONFIGDIR = @SCONFIGDIR@ + SECUREDIR = @SECUREDIR@ ++SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ + STRIP = @STRIP@ --- pam-0.99.7.1.orig/debian/patches-applied/040_pam_limits_log_failure +++ pam-0.99.7.1/debian/patches-applied/040_pam_limits_log_failure @@ -0,0 +1,33 @@ +Patch for Debian bug #180310 + +Generate some (low-severity) log information whenever setrlimit() fails, +for debugging purposes. + +Authors: Sam Hartman <hartmans@debian.org> + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM/modules/pam_limits/pam_limits.c.orig ++++ Linux-PAM/modules/pam_limits/pam_limits.c +@@ -622,6 +622,19 @@ + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; + retval = setrlimit(i, &pl->limits[i].limit); ++ if (retval != 0 && (i != RLIMIT_NOFILE ++ || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) ++ { ++ int save_errno = errno; ++ pam_syslog(pamh, LOG_DEBUG, ++ "setrlimit limit #%d to soft=%d, hard=%d failed:" ++ " %m; uid=%lu,euid=%lu", i, ++ pl->limits[i].limit.rlim_cur, ++ pl->limits[i].limit.rlim_max, ++ (unsigned long) getuid(), ++ (unsigned long) geteuid()); ++ errno = save_errno; ++ } + if (retval == -1 && errno==EPERM) + continue; + status |= retval; --- pam-0.99.7.1.orig/debian/patches-applied/limits_wrong_strncpy +++ pam-0.99.7.1/debian/patches-applied/limits_wrong_strncpy @@ -0,0 +1,92 @@ +Patch for Debian bug #331278 + +Remove a number of unnecessary string manipulations, including a +strncpy() that was acting on overlapping memory. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: committed to CVS + +Index: pam/Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_limits/pam_limits.c ++++ pam/Linux-PAM/modules/pam_limits/pam_limits.c +@@ -492,8 +492,6 @@ + } + #undef CONF_FILE + +- /* init things */ +- memset(buf, 0, sizeof(buf)); + /* start the show */ + while (fgets(buf, LINE_LENGTH, fil) != NULL) { + char domain[LINE_LENGTH]; +@@ -502,46 +500,40 @@ + char value[LINE_LENGTH]; + int i; + size_t j; +- char *tptr; ++ char *tptr,*line; + +- tptr = buf; ++ line = buf; + /* skip the leading white space */ +- while (*tptr && isspace(*tptr)) +- tptr++; +- strncpy(buf, tptr, sizeof(buf)-1); +- buf[sizeof(buf)-1] = '\0'; ++ while (*line && isspace(*line)) ++ line++; + + /* Rip off the comments */ +- tptr = strchr(buf,'#'); ++ tptr = strchr(line,'#'); + if (tptr) + *tptr = '\0'; + /* Rip off the newline char */ +- tptr = strchr(buf,'\n'); ++ tptr = strchr(line,'\n'); + if (tptr) + *tptr = '\0'; + /* Anything left ? */ +- if (!strlen(buf)) { +- memset(buf, 0, sizeof(buf)); ++ if (!strlen(line)) + continue; +- } + +- memset(domain, 0, sizeof(domain)); +- memset(ltype, 0, sizeof(ltype)); +- memset(item, 0, sizeof(item)); +- memset(value, 0, sizeof(value)); ++ domain[0] = ltype[0] = item[0] = value[0] = '\0'; + +- i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value); ++ i = sscanf(line,"%s%s%s%s", domain, ltype, item, value); + D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]", + i, domain, ltype, item, value)); + + for(j=0; j < strlen(ltype); j++) + ltype[j]=tolower(ltype[j]); +- for(j=0; j < strlen(item); j++) +- item[j]=tolower(item[j]); +- for(j=0; j < strlen(value); j++) +- value[j]=tolower(value[j]); + + if (i == 4) { /* a complete line */ ++ for(j=0; j < strlen(item); j++) ++ item[j]=tolower(item[j]); ++ for(j=0; j < strlen(value); j++) ++ value[j]=tolower(value[j]); ++ + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); + else if (domain[0]=='@' && !pl->root) { +@@ -587,7 +579,7 @@ + return PAM_IGNORE; + } + } else { +- pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", buf); ++ pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line); + } + } + fclose(fil); --- pam-0.99.7.1.orig/debian/patches-applied/065_pam_unix_cracklib_disable +++ pam-0.99.7.1/debian/patches-applied/065_pam_unix_cracklib_disable @@ -0,0 +1,18 @@ +Index: pam/Linux-PAM/modules/pam_unix/Makefile.am +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_unix/Makefile.am ++++ pam/Linux-PAM/modules/pam_unix/Makefile.am +@@ -21,12 +21,9 @@ + if HAVE_LIBSELINUX + AM_CFLAGS += -D"WITH_SELINUX" + endif +-if HAVE_LIBCRACK +- AM_CFLAGS += -D"USE_CRACKLIB" +-endif + + pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module \ +- @LIBCRACK@ @LIBNSL@ -L$(top_builddir)/libpam -lpam \ ++ @LIBNSL@ -L$(top_builddir)/libpam -lpam \ + @LIBCRYPT@ @LIBSELINUX@ + if HAVE_VERSIONING + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map --- pam-0.99.7.1.orig/debian/patches-applied/022_pam_unix_group_time_miscfixes +++ pam-0.99.7.1/debian/patches-applied/022_pam_unix_group_time_miscfixes @@ -0,0 +1,39 @@ + * Add support for credential reinitialization in pam_group, closes: #108697 + * By default do complete matches not substring matches for pam_time. + You can include explicit wildcard for substring, closes: #66152 + +Index: Linux-PAM/modules/pam_time/pam_time.c +=================================================================== +--- Linux-PAM/modules/pam_time/pam_time.c.orig ++++ Linux-PAM/modules/pam_time/pam_time.c +@@ -324,7 +324,11 @@ + return FALSE; + } + } +- return ( !len ); ++ /* By this point we know that we didn't treat a * in b as a wildcard. ++ the only way we got done with the loop is if we consumed every ++ character in b. Thus the strings are equal if their ++ lengths are the same otherwise not equal. */ ++ return (strlen (a) == strlen (b)); + } + + typedef struct { +Index: Linux-PAM/modules/pam_group/pam_group.c +=================================================================== +--- Linux-PAM/modules/pam_group/pam_group.c.orig ++++ Linux-PAM/modules/pam_group/pam_group.c +@@ -758,9 +758,12 @@ + unsigned setting; + + /* only interested in establishing credentials */ ++ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. ++ Some people just pass PAM_SILENT, so cope with it, too. */ + + setting = flags; +- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { ++ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) ++ && (setting != 0) && (setting != PAM_SILENT)) { + D(("ignoring call - not for establishing credentials")); + return PAM_SUCCESS; /* don't fail because of this */ + } --- pam-0.99.7.1.orig/debian/patches-applied/007_modules_pam_unix +++ pam-0.99.7.1/debian/patches-applied/007_modules_pam_unix @@ -0,0 +1,989 @@ +Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c +@@ -127,6 +127,9 @@ + #define OPW_TMPFILE "/etc/security/nopasswd" + #define OLD_PASSWORDS_FILE "/etc/security/opasswd" + ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); ++ + /* + * i64c - convert an integer to a radix 64 character + */ +@@ -957,7 +960,8 @@ + static int _pam_unix_approve_pass(pam_handle_t * pamh + ,unsigned int ctrl + ,const char *pass_old +- ,const char *pass_new) ++ ,const char *pass_new, ++ int pass_min_len) + { + const void *user; + const char *remark = NULL; +@@ -991,11 +995,10 @@ + #ifdef USE_CRACKLIB + remark = FascistCheck (pass_new, CRACKLIB_DICTS); + D(("called cracklib [%s]", remark)); +-#else +- if (strlen(pass_new) < 6) ++#endif ++ if (strlen(pass_new) < pass_min_len) + remark = _("You must choose a longer password"); + D(("length check [%s]", remark)); +-#endif + if (on(UNIX_REMEMBER_PASSWD, ctrl)) { + if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR) + remark = _("Password has been already used. Choose another."); +@@ -1005,6 +1008,11 @@ + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -1020,6 +1028,7 @@ + unsigned int ctrl, lctrl; + int retval, i; + int remember = -1; ++ int pass_min_len = 6; + + /* <DO NOT free() THESE> */ + const char *user; +@@ -1028,7 +1037,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, &remember, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, &remember, &pass_min_len, argc, argv); + + /* + * First get the name of a user +@@ -1235,7 +1244,8 @@ + if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */ + pass_new = NULL; + } +- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); ++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, ++ pass_new, pass_min_len); + } + + if (retval != PAM_SUCCESS) { +@@ -1281,7 +1291,8 @@ + return retval; + } + +- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); ++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new, ++ pass_min_len); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, + "new password not acceptable 2"); +Index: Linux-PAM/modules/pam_unix/pam_unix_acct.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_acct.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_acct.c +@@ -202,7 +202,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); + + retval = pam_get_item(pamh, PAM_USER, &void_uname); + uname = void_uname; +@@ -266,7 +266,9 @@ + + curdays = time(NULL) / (60 * 60 * 24); + D(("today is %d, last change %d", curdays, spent->sp_lstchg)); +- if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { ++ if ((curdays > spent->sp_expire) && (spent->sp_expire != -1) ++ && (spent->sp_expire != 0)) ++ { + pam_syslog(pamh, LOG_NOTICE, + "account %s has expired (account expired)", + uname); +@@ -293,7 +295,9 @@ + if ((curdays - spent->sp_lstchg > spent->sp_max) + && (curdays - spent->sp_lstchg > spent->sp_inact) + && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) +- && (spent->sp_max != -1) && (spent->sp_inact != -1)) { ++ && (spent->sp_max != -1) && (spent->sp_max != 0) ++ && (spent->sp_inact != -1) && (spent->sp_inact != 0)) ++ { + pam_syslog(pamh, LOG_NOTICE, + "account %s has expired (failed to change password)", + uname); +@@ -302,7 +306,9 @@ + D(("account expired 2")); + return PAM_ACCT_EXPIRED; + } +- if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { ++ if ((curdays - spent->sp_lstchg > spent->sp_max) ++ && (spent->sp_max != -1) && (spent->sp_max != 0)) ++ { + pam_syslog(pamh, LOG_DEBUG, + "expired password for user %s (password aged)", + uname); +@@ -312,7 +318,9 @@ + return PAM_NEW_AUTHTOK_REQD; + } + if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) +- && (spent->sp_max != -1) && (spent->sp_warn != -1)) { ++ && (spent->sp_max != -1) && (spent->sp_warn != -1) ++ && (spent->sp_max != 0) && (spent->sp_warn != 0)) ++ { + daysleft = (spent->sp_lstchg + spent->sp_max) - curdays; + pam_syslog(pamh, LOG_DEBUG, + "password for user %s will expire in %d days", +Index: Linux-PAM/modules/pam_unix/support.c +=================================================================== +--- Linux-PAM/modules/pam_unix/support.c.orig ++++ Linux-PAM/modules/pam_unix/support.c +@@ -53,8 +53,8 @@ + * set the control flags for the UNIX module. + */ + +-int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, +- const char **argv) ++int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *pass_min_len, ++ int argc, const char **argv) + { + unsigned int ctrl; + +@@ -80,6 +80,7 @@ + D(("SILENT")); + set(UNIX__QUIET, ctrl); + } ++ + /* now parse the arguments to this module */ + + while (argc-- > 0) { +@@ -89,7 +90,8 @@ + + for (j = 0; j < UNIX_CTRLS_; ++j) { + if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { ++ && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) ++ { + break; + } + } +@@ -101,20 +103,25 @@ + ctrl &= unix_args[j].mask; /* for turning things off */ + ctrl |= unix_args[j].flag; /* for turning things on */ + +- if (remember != NULL) { +- if (j == UNIX_REMEMBER_PASSWD) { +- *remember = strtol(*argv + 9, NULL, 10); +- if ((*remember == INT_MIN) || (*remember == INT_MAX)) +- *remember = -1; +- if (*remember > 400) +- *remember = 400; +- } ++ /* special cases */ ++ if (remember != NULL && j == UNIX_REMEMBER_PASSWD) { ++ *remember = strtol(*argv + 9, NULL, 10); ++ if ((*remember == INT_MIN) || (*remember == INT_MAX)) ++ *remember = -1; ++ if (*remember > 400) ++ *remember = 400; ++ } else if (pass_min_len && j == UNIX_MIN_PASS_LEN) { ++ *pass_min_len = atoi(*argv + 4); + } + } + + ++argv; /* step to next argument */ + } + ++ if (off(UNIX_BIGCRYPT,ctrl) && off(UNIX_MD5_PASS,ctrl) ++ && pass_min_len && *pass_min_len > 8) ++ *pass_min_len = 8; ++ + if (flags & PAM_DISALLOW_NULL_AUTHTOK) { + D(("DISALLOW_NULL_AUTHTOK")); + set(UNIX__NONULL, ctrl); +@@ -692,6 +699,8 @@ + } else if (!p || (*salt == '*')) { + retval = PAM_AUTH_ERR; + } else { ++ /* Hack off sysv pw aging foo */ ++ if (strrchr(salt, ',')) *(strrchr(salt, ',')) = '\0'; + if (!strncmp(salt, "$1$", 3)) { + pp = Goodcrypt_md5(p, salt); + if (strcmp(pp, salt) != 0) { +Index: Linux-PAM/modules/pam_unix/support.h +=================================================================== +--- Linux-PAM/modules/pam_unix/support.h.orig ++++ Linux-PAM/modules/pam_unix/support.h +@@ -84,8 +84,11 @@ + #define UNIX_NOREAP 21 /* don't reap child process */ + #define UNIX_BROKEN_SHADOW 22 /* ignore errors reading password aging + * information during acct management */ ++#define UNIX_MAX_PASS_LEN 23 /* internal, for compatibility only */ ++#define UNIX_MIN_PASS_LEN 24 /* Min length for password */ ++#define UNIX_OBSCURE_CHECKS 25 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 23 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */ + + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = +@@ -93,29 +96,32 @@ + /* symbol token name ctrl mask ctrl * + * ----------------------- ------------------- --------------------- -------- */ + +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02}, +-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040}, +-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0400000), 020000}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(020000), 0400000}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000}, ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30), 0x10}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30), 0x20}, ++/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x20000), 0x2000}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200), 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x2000), 0x20000}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000}, ++/* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0}, ++/* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x400000}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x800000}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -131,8 +137,8 @@ + + extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl + ,int type, const char *text); +-extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc, +- const char **argv); ++extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, ++ int *pass_min_len, int argc, const char **argv); + extern int _unix_getpwnam (pam_handle_t *pamh, + const char *name, int files, int nis, + struct passwd **ret); +Index: Linux-PAM/modules/pam_unix/unix_chkpwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/unix_chkpwd.c.orig ++++ Linux-PAM/modules/pam_unix/unix_chkpwd.c +@@ -192,6 +192,13 @@ + return PAM_AUTHTOK_ERR; + } + ++ /* Hack off SysVR4 password aging */ ++ { ++ char *tmp; ++ ++ if ((tmp = strrchr(salt, ',')) != NULL) *tmp = '\0'; ++ } ++ + /* the moment of truth -- do we agree with the password? */ + retval = PAM_AUTH_ERR; + if (!strncmp(salt, "$1$", 3)) { +Index: Linux-PAM/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix.8.xml.orig ++++ Linux-PAM/modules/pam_unix/pam_unix.8.xml +@@ -269,6 +269,90 @@ + </para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term> ++ <option>min=<replaceable>n</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ Set a minimum password length of <replaceable>n</replaceable> ++ characters. The default value is 1. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>obscure</option> ++ </term> ++ <listitem> ++ <para> ++ Enable some extra checks on password strength. These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ <variablelist> ++ <varlistentry> ++ <term> ++ <option>Palindrome</option> ++ </term> ++ <listitem> ++ <para> ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Case Change Only</option> ++ </term> ++ <listitem> ++ <para> ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Similar</option> ++ </term> ++ <listitem> ++ <para> ++ Verifies that the new password isn't too much like ++ the previous one. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Simple</option> ++ </term> ++ <listitem> ++ <para> ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>Rotated</option> ++ </term> ++ <listitem> ++ <para> ++ Is the new password a rotated version of the old ++ password? (E.g., "billy" and "illyb") ++ </para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </para> ++ </listitem> ++ </varlistentry> + </variablelist> + <para> + Invalid arguments are logged with <citerefentry> +Index: Linux-PAM/modules/pam_unix/obscure.c +=================================================================== +--- /dev/null ++++ Linux-PAM/modules/pam_unix/obscure.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright 1989 - 1994, Julianne Frances Haugh ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include <ctype.h> ++#include <stdio.h> ++#include <unistd.h> ++#include <string.h> ++#include <stdlib.h> ++#include <pwd.h> ++#include <security/pam_modules.h> ++#include <security/_pam_macros.h> ++ ++ ++#include "support.h" ++ ++/* can't be a palindrome - like `R A D A R' or `M A D A M' */ ++static int palindrome(const char *old, const char *new) { ++ int i, j; ++ ++ i = strlen (new); ++ ++ for (j = 0;j < i;j++) ++ if (new[i - j - 1] != new[j]) ++ return 0; ++ ++ return 1; ++} ++ ++/* more than half of the characters are different ones. */ ++static int similar(const char *old, const char *new) { ++ int i, j; ++ ++ /* ++ * XXX - sometimes this fails when changing from a simple password ++ * to a really long one (MD5). For now, I just return success if ++ * the new password is long enough. Please feel free to suggest ++ * something better... --marekm ++ */ ++ if (strlen(new) >= 8) ++ return 0; ++ ++ for (i = j = 0; new[i] && old[i]; i++) ++ if (strchr(new, old[i])) ++ j++; ++ ++ if (i >= j * 2) ++ return 0; ++ ++ return 1; ++} ++ ++/* a nice mix of characters. */ ++static int simple(const char *old, const char *new) { ++ int digits = 0; ++ int uppers = 0; ++ int lowers = 0; ++ int others = 0; ++ int size; ++ int i; ++ ++ for (i = 0;new[i];i++) { ++ if (isdigit (new[i])) ++ digits++; ++ else if (isupper (new[i])) ++ uppers++; ++ else if (islower (new[i])) ++ lowers++; ++ else ++ others++; ++ } ++ ++ /* ++ * The scam is this - a password of only one character type ++ * must be 8 letters long. Two types, 7, and so on. ++ */ ++ ++ size = 9; ++ if (digits) size--; ++ if (uppers) size--; ++ if (lowers) size--; ++ if (others) size--; ++ ++ if (size <= i) ++ return 0; ++ ++ return 1; ++} ++ ++static char *str_lower(char *string) { ++ char *cp; ++ ++ for (cp = string; *cp; cp++) ++ *cp = tolower(*cp); ++ return string; ++} ++ ++static const char * password_check(const char *old, const char *new, ++ const struct passwd *pwdp) { ++ const char *msg = NULL; ++ char *oldmono, *newmono, *wrapped; ++ ++ if (strcmp(new, old) == 0) ++ return _("Bad: new password must be different than the old one"); ++ ++ newmono = str_lower(strdup(new)); ++ oldmono = str_lower(strdup(old)); ++ wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); ++ strcpy (wrapped, oldmono); ++ strcat (wrapped, oldmono); ++ ++ if (palindrome(oldmono, newmono)) { ++ msg = _("Bad: new password cannot be a palindrome"); ++ } else if (strcmp(oldmono, newmono) == 0) { ++ msg = _("Bad: new and old password must differ by more than just case"); ++ } else if (similar(oldmono, newmono)) { ++ msg = _("Bad: new and old password are too similar"); ++ } else if (simple(old, new)) { ++ msg = _("Bad: new password is too simple"); ++ } else if (strstr(wrapped, newmono)) { ++ msg = _("Bad: new password is just a wrapped version of the old one"); ++ } ++ ++ _pam_delete(newmono); ++ _pam_delete(oldmono); ++ _pam_delete(wrapped); ++ ++ return msg; ++} ++ ++const char *obscure_msg(const char *old, const char *new, ++ const struct passwd *pwdp, unsigned int ctrl) { ++ int oldlen, newlen; ++ char *new1, *old1; ++ const char *msg; ++ ++ if (old == NULL) ++ return NULL; /* no check if old is NULL */ ++ ++ oldlen = strlen(old); ++ newlen = strlen(new); ++ ++ /* Remaining checks are optional. */ ++ if (off(UNIX_OBSCURE_CHECKS,ctrl)) ++ return NULL; ++ ++ if ((msg = password_check(old, new, pwdp)) != NULL) ++ return msg; ++ ++ /* The traditional crypt() truncates passwords to 8 chars. It is ++ possible to circumvent the above checks by choosing an easy ++ 8-char password and adding some random characters to it... ++ Example: "password$%^&*123". So check it again, this time ++ truncated to the maximum length. Idea from npasswd. --marekm */ ++ ++ if (on(UNIX_MD5_PASS,ctrl) || on(UNIX_BIGCRYPT,ctrl)) ++ return NULL; /* unlimited password length */ ++ ++ if (oldlen <= 8 && newlen <= 8) ++ return NULL; ++ ++ new1 = strndup(new,8); ++ old1 = strndup(old,8); ++ ++ msg = password_check(old1, new1, pwdp); ++ ++ _pam_delete(new1); ++ _pam_delete(old1); ++ ++ return msg; ++} +Index: Linux-PAM/modules/pam_unix/pam_unix.8 +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix.8.orig ++++ Linux-PAM/modules/pam_unix/pam_unix.8 +@@ -1,133 +1,201 @@ + .\" Title: pam_unix + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +-.\" Date: 09/20/2006 +-.\" Manual: Linux\-PAM Manual +-.\" Source: Linux\-PAM Manual ++.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/> ++.\" Date: 08/31/2007 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM Manual + .\" +-.TH "PAM_UNIX" "8" "09/20/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_UNIX" "8" "08/31/2007" "Linux-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) + .ad l + .SH "NAME" +-pam_unix \- Module for traditional password authentication ++pam_unix - Module for traditional password authentication + .SH "SYNOPSIS" + .HP 12 +-\fBpam_unix.so\fR [...] ++\fBpam_unix\.so\fR [\.\.\.] + .SH "DESCRIPTION" + .PP +-This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled. ++This is the standard Unix authentication module\. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\. + .PP +-The account component performs the task of establishing the status of the user's account and password based on the following ++The account component performs the task of establishing the status of the user\'s account and password based on the following + \fIshadow\fR +-elements: expire, last_change, max_change, min_change, warn_change. In the case of the latter, it may offer advice to the user on changing their password or, through the ++elements: expire, last_change, max_change, min_change, warn_change\. In the case of the latter, it may offer advice to the user on changing their password or, through the + \fBPAM_AUTHTOKEN_REQD\fR +-return, delay giving service to the user until they have established a new password. The entries listed above are documented in the ++return, delay giving service to the user until they have established a new password\. The entries listed above are documented in the + \fBshadow\fR(5) +-manual page. Should the user's record not contain one or more of these entries, the corresponding ++manual page\. Should the user\'s record not contain one or more of these entries, the corresponding + \fIshadow\fR +-check is not performed. ++check is not performed\. + .PP +-The authentication component performs the task of checking the users credentials (password). The default action of this module is to not permit the user access to a service if their official password is blank. ++The authentication component performs the task of checking the users credentials (password)\. The default action of this module is to not permit the user access to a service if their official password is blank\. + .PP + A helper binary, +-\fBunix_chkpwd\fR(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like ++\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\. This binary is very simple and will only check the password of the user invoking it\. It is called transparently on behalf of the user by the authenticating component of this module\. In this way it is possible for applications like + \fBxlock\fR(1) +-to work without being setuid\-root. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn't know was +-\fBfork()\fRd. The ++to work without being setuid\-root\. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was ++\fBfork()\fRd\. The + \fBnoreap\fR +-module argument can be used to suppress this temporary shielding and may be needed for use with certain applications. ++module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\. + .PP +-The password component of this module performs the task of updating the user's password. ++The password component of this module performs the task of updating the user\'s password\. + .PP +-The session component of this module logs when a user logins or leave the system. ++The session component of this module logs when a user logins or leave the system\. + .PP +-Remaining arguments, supported by others functions of this module, are silently ignored. Other arguments are logged as errors through +-\fBsyslog\fR(3). ++Remaining arguments, supported by others functions of this module, are silently ignored\. Other arguments are logged as errors through ++\fBsyslog\fR(3)\. + .SH "OPTIONS" +-.TP 3n ++.PP + \fBdebug\fR ++.RS 4 + Turns on debugging via +-\fBsyslog\fR(3). +-.TP 3n ++\fBsyslog\fR(3)\. ++.RE ++.PP + \fBaudit\fR +-A little more extreme than debug. +-.TP 3n ++.RS 4 ++A little more extreme than debug\. ++.RE ++.PP + \fBnullok\fR +-The default action of this module is to not permit the user access to a service if their official password is blank. The ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\. The + \fBnullok\fR +-argument overrides this default. +-.TP 3n ++argument overrides this default\. ++.RE ++.PP + \fBtry_first_pass\fR +-Before prompting the user for their password, the module first tries the previous stacked module's password in case that satisfies this module as well. +-.TP 3n ++.RS 4 ++Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\. ++.RE ++.PP + \fBuse_first_pass\fR ++.RS 4 + The argument + \fBuse_first_pass\fR +-forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access. +-.TP 3n ++forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\. ++.RE ++.PP + \fBnodelay\fR +-This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The default action is for the module to request a delay\-on\-failure of the order of two second. +-.TP 3n ++.RS 4 ++This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\. The default action is for the module to request a delay\-on\-failure of the order of two second\. ++.RE ++.PP + \fBuse_authtok\fR ++.RS 4 + When password changing enforce the module to set the new password to the one provided by a previously stacked + \fBpassword\fR + module (this is used in the example of the stacking of the + \fBpam_cracklib\fR +-module documented above). +-.TP 3n ++module documented above)\. ++.RE ++.PP + \fBnot_set_pass\fR +-This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules. +-.TP 3n ++.RS 4 ++This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\. ++.RE ++.PP + \fBnis\fR +-NIS RPC is used for setting new passwords. +-.TP 3n ++.RS 4 ++NIS RPC is used for setting new passwords\. ++.RE ++.PP + \fBremember=\fR\fB\fIn\fR\fR ++.RS 4 + The last + \fIn\fR + passwords for each user are saved in + \fI/etc/security/opasswd\fR +-in order to force password change history and keep the user from alternating between the same password too frequently. +-.TP 3n ++in order to force password change history and keep the user from alternating between the same password too frequently\. ++.RE ++.PP + \fBshadow\fR +-Try to maintain a shadow based system. +-.TP 3n ++.RS 4 ++Try to maintain a shadow based system\. ++.RE ++.PP + \fBmd5\fR +-When a user changes their password next, encrypt it with the MD5 algorithm. +-.TP 3n ++.RS 4 ++When a user changes their password next, encrypt it with the MD5 algorithm\. ++.RE ++.PP + \fBbigcrypt\fR +-When a user changes their password next, encrypt it with the DEC C2 algorithm. +-.TP 3n ++.RS 4 ++When a user changes their password next, encrypt it with the DEC C2 algorithm\. ++.RE ++.PP + \fBbroken_shadow\fR +-Ignore errors reading shadow inforation for users in the account management module. ++.RS 4 ++Ignore errors reading shadow inforation for users in the account management module\. ++.RE ++.PP ++\fBmin=\fR\fB\fIn\fR\fR ++.RS 4 ++Set a minimum password length of ++\fIn\fR ++characters\. The default value is 1\. ++.RE ++.PP ++\fBobscure\fR ++.RS 4 ++Enable some extra checks on password strength\. These checks are based on the "obscure" checks in the original shadow package\. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\. The following checks are implemented: ++.PP ++\fBPalindrome\fR ++.RS 4 ++Verifies that the new password is not a palindrome of (i\.e\., the reverse of) the previous one\. ++.RE ++.PP ++\fBCase Change Only\fR ++.RS 4 ++Verifies that the new password isn\'t the same as the old one with a change of case\. ++.RE ++.PP ++\fBSimilar\fR ++.RS 4 ++Verifies that the new password isn\'t too much like the previous one\. ++.RE ++.PP ++\fBSimple\fR ++.RS 4 ++Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\.) used\. ++.RE ++.PP ++\fBRotated\fR ++.RS 4 ++Is the new password a rotated version of the old password? (E\.g\., "billy" and "illyb") ++.RE ++.sp ++.RE + .PP + Invalid arguments are logged with +-\fBsyslog\fR(3). ++\fBsyslog\fR(3)\. + .SH "MODULE SERVICES PROVIDED" + .PP +-All service are supported. ++All service are supported\. + .SH "RETURN VALUES" +-.TP 3n ++.PP + PAM_IGNORE +-Ignore this module. ++.RS 4 ++Ignore this module\. ++.RE + .SH "EXAMPLES" + .PP + An example usage for +-\fI/etc/pam.d/login\fR ++\fI/etc/pam\.d/login\fR + would be: + .sp +-.RS 3n ++.RS 4 + .nf + # Authenticate the user +-auth required pam_unix.so ++auth required pam_unix\.so + # Ensure users account and password are still active +-account required pam_unix.so ++account required pam_unix\.so + # Change the users password, but at first check the strength + # with pam_cracklib(8) +-password required pam_cracklib.so retry=3 minlen=6 difok=3 +-password required pam_unix.so use_authtok nullok md5 +-session required pam_unix.so ++password required pam_cracklib\.so retry=3 minlen=6 difok=3 ++password required pam_unix\.so use_authtok nullok md5 ++session required pam_unix\.so + + .fi + .RE +@@ -140,4 +208,4 @@ + \fBpam\fR(8) + .SH "AUTHOR" + .PP +-pam_unix was written by various people. ++pam_unix was written by various people\. +Index: Linux-PAM/modules/pam_unix/Makefile.am +=================================================================== +--- Linux-PAM/modules/pam_unix/Makefile.am.orig ++++ Linux-PAM/modules/pam_unix/Makefile.am +@@ -42,7 +42,7 @@ + + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- yppasswd_xdr.c md5_good.c md5_broken.c ++ yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) +Index: Linux-PAM/modules/pam_unix/README +=================================================================== +--- Linux-PAM/modules/pam_unix/README.orig ++++ Linux-PAM/modules/pam_unix/README +@@ -119,6 +119,42 @@ + Ignore errors reading shadow inforation for users in the account management + module. + ++min=n ++ ++ Set a minimum password length of n characters. The default value is 6. ++ ++obscure ++ ++ Enable some extra checks on password strength. These checks are based on ++ the "obscure" checks in the original shadow package. The behavior is ++ similar to the pam_cracklib module, but for non-dictionary-based checks. ++ The following checks are implemented: ++ ++ Palindrome ++ ++ Verifies that the new password is not a palindrome of (i.e., the ++ reverse of) the previous one. ++ ++ Case Change Only ++ ++ Verifies that the new password isn't the same as the old one with a ++ change of case. ++ ++ Similar ++ ++ Verifies that the new password isn't too much like the previous one. ++ ++ Simple ++ ++ Is the new password too simple? This is based on the length of the ++ password and the number of different types of characters (alpha, ++ numeric, etc.) used. ++ ++ Rotated ++ ++ Is the new password a rotated version of the old password? (E.g., ++ "billy" and "illyb") ++ + Invalid arguments are logged with syslog(3). + + EXAMPLES +Index: Linux-PAM/modules/pam_unix/pam_unix_auth.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_auth.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_auth.c +@@ -111,7 +111,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); + + /* Get a few bytes so we can pass our return value to + pam_sm_setcred(). */ +Index: Linux-PAM/modules/pam_unix/pam_unix_sess.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_sess.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_sess.c +@@ -73,7 +73,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); + + retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); + if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { +@@ -107,7 +107,7 @@ + + D(("called.")); + +- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); + + retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); + if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { --- pam-0.99.7.1.orig/debian/patches-applied/PAM-manpage-section +++ pam-0.99.7.1/debian/patches-applied/PAM-manpage-section @@ -0,0 +1,48 @@ +Index: pam/Linux-PAM/doc/man/PAM.8 +=================================================================== +--- pam.orig/Linux-PAM/doc/man/PAM.8 ++++ pam/Linux-PAM/doc/man/PAM.8 +@@ -5,7 +5,7 @@ + .\" Manual: Linux\-PAM Manual + .\" Source: Linux\-PAM Manual + .\" +-.TH "PAM" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM" "7" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -100,4 +100,4 @@ + \fBpam_authenticate\fR(3), + \fBpam_sm_setcred\fR(3), + \fBpam_strerror\fR(3), +-\fBPAM\fR(8) ++\fBPAM\fR(7) +Index: pam/Linux-PAM/doc/man/pam.8 +=================================================================== +--- pam.orig/Linux-PAM/doc/man/pam.8 ++++ pam/Linux-PAM/doc/man/pam.8 +@@ -1 +1 @@ +-.so man8/PAM.8 ++.so man7/PAM.7 +Index: pam/Linux-PAM/doc/man/pam.8.xml +=================================================================== +--- pam.orig/Linux-PAM/doc/man/pam.8.xml ++++ pam/Linux-PAM/doc/man/pam.8.xml +@@ -6,7 +6,7 @@ + + <refmeta> + <refentrytitle>pam</refentrytitle> +- <manvolnum>8</manvolnum> ++ <manvolnum>7</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + +@@ -179,7 +179,7 @@ + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> +- <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> ++ <refentrytitle>PAM</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + </para> + </refsect1> --- pam-0.99.7.1.orig/debian/patches-applied/misc_conv_allow_sigint.patch +++ pam-0.99.7.1/debian/patches-applied/misc_conv_allow_sigint.patch @@ -0,0 +1,28 @@ +Patch for Debian bug #1708 + +Don't block SIGINT in misc_conv, it's perfectly valid to allow the user +to interrupt at a prompt if the application hasn't otherwise blocked the +signal. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: committed to CVS + +Index: pam/Linux-PAM/libpam_misc/misc_conv.c +=================================================================== +--- pam.orig/Linux-PAM/libpam_misc/misc_conv.c ++++ pam/Linux-PAM/libpam_misc/misc_conv.c +@@ -150,12 +150,11 @@ + have_term = 1; + + /* +- * We make a simple attempt to block TTY signals from terminating ++ * We make a simple attempt to block TTY signals from suspending + * the conversation without giving PAM a chance to clean up. + */ + + sigemptyset(&nset); +- sigaddset(&nset, SIGINT); + sigaddset(&nset, SIGTSTP); + (void) sigprocmask(SIG_BLOCK, &nset, &oset); + --- pam-0.99.7.1.orig/debian/patches-applied/019_pam_listfile_quiet +++ pam-0.99.7.1/debian/patches-applied/019_pam_listfile_quiet @@ -0,0 +1,235 @@ +Patch for Debian bug #84428 + +Support a 'quiet' option to pam_listfile, to reduce the logging output + +Authors: Ben Collins <bcollins@debian.org>, + Steve Langasek <vorlon@debian.org> + +Upstream status: committed to CVS + +Index: Linux-PAM/modules/pam_listfile/pam_listfile.c +=================================================================== +--- Linux-PAM/modules/pam_listfile/pam_listfile.c.orig ++++ Linux-PAM/modules/pam_listfile/pam_listfile.c +@@ -68,7 +68,7 @@ + pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) + { +- int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2; ++ int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2, quiet=0; + const void *void_citemp; + const char *citemp; + char *ifname=NULL; +@@ -155,6 +155,8 @@ + apply_type=APPLY_TYPE_USER; + strncpy(apply_val,myval,sizeof(apply_val)-1); + } ++ } else if (!strcmp(mybuf,"quiet")) { ++ quiet = 1; + } else { + free(ifname); + pam_syslog(pamh,LOG_ERR, "Unknown option: %s",mybuf); +@@ -399,8 +401,9 @@ + #endif + (void) pam_get_item(pamh, PAM_SERVICE, &service); + (void) pam_get_user(pamh, &user_name, NULL); +- pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s", +- user_name, (const char *)service); ++ if (!quiet) ++ pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s", ++ user_name, (const char *)service); + return PAM_AUTH_ERR; + } + } +Index: Linux-PAM/modules/pam_listfile/pam_listfile.8 +=================================================================== +--- Linux-PAM/modules/pam_listfile/pam_listfile.8.orig ++++ Linux-PAM/modules/pam_listfile/pam_listfile.8 +@@ -1,11 +1,11 @@ + .\" Title: pam_listfile + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +-.\" Date: 06/22/2006 +-.\" Manual: Linux\-PAM Manual +-.\" Source: Linux\-PAM Manual ++.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/> ++.\" Date: 08/25/2007 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM Manual + .\" +-.TH "PAM_LISTFILE" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_LISTFILE" "8" "08/25/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -14,7 +14,7 @@ + pam_listfile \- deny or allow services based on an arbitrary file + .SH "SYNOPSIS" + .HP 16 +-\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] ++\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] + .SH "DESCRIPTION" + .PP + pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file. +@@ -64,25 +64,40 @@ + No credentials are awarded by this module. + .SH "OPTIONS" + .PP +-.TP 3n ++.PP + \fBitem=[tty|user|rhost|ruser|group|shell]\fR ++.RS 4 + What is listed in the file and should be checked for. +-.TP 3n ++.RE ++.PP + \fBsense=[allow|deny]\fR ++.RS 4 + Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested. +-.TP 3n ++.RE ++.PP + \fBfile=\fR\fB\fI/path/filename\fR\fR ++.RS 4 + File containing one item per line. The file needs to be a plain file and not world writeable. +-.TP 3n ++.RE ++.PP + \fBonerr=[succeed|fail]\fR ++.RS 4 + What to do if something weird happens like being unable to open the file. +-.TP 3n ++.RE ++.PP + \fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR ++.RS 4 + Restrict the user class for which the restriction apply. Note that with + \fBitem=[user|ruser|group]\fR + this oes not make sense, but for + \fBitem=[tty|rhost|shell]\fR + it have a meaning. ++.RE ++.PP ++\fBquiet\fR ++.RS 4 ++Do not treat service refusals or missing list files as errors that need to be logged. ++.RE + .SH "MODULE SERVICES PROVIDED" + .PP + The services +@@ -94,34 +109,44 @@ + are supported. + .SH "RETURN VALUES" + .PP +-.TP 3n ++.PP + PAM_AUTH_ERR ++.RS 4 + Authentication failure. +-.TP 3n ++.RE ++.PP + PAM_BUF_ERR ++.RS 4 + Memory buffer error. +-.TP 3n ++.RE ++.PP + PAM_IGNORE ++.RS 4 + The rule does not apply to the + \fBapply\fR + option. +-.TP 3n ++.RE ++.PP + PAM_SERVICE_ERR ++.RS 4 + Error in service module. +-.TP 3n ++.RE ++.PP + PAM_SUCCESS ++.RS 4 + Success. ++.RE + .SH "EXAMPLES" + .PP + Classic 'ftpusers' authentication can be implemented with this entry in + \fI/etc/pam.d/ftpd\fR: + .sp +-.RS 3n ++.RS 4 + .nf + # + # deny ftp\-access to users listed in the /etc/ftpusers file + # +-auth required pam_listfile.so \\ ++auth required pam_listfile.so \e + onerr=succeed item=user sense=deny file=/etc/ftpusers + + .fi +@@ -137,12 +162,12 @@ + \fI/etc/pam.d/login\fR + entry like this: + .sp +-.RS 3n ++.RS 4 + .nf + # + # permit login to users listed in /etc/loginusers + # +-auth required pam_listfile.so \\ ++auth required pam_listfile.so \e + onerr=fail item=user sense=allow file=/etc/loginusers + + .fi +Index: Linux-PAM/modules/pam_listfile/pam_listfile.8.xml +=================================================================== +--- Linux-PAM/modules/pam_listfile/pam_listfile.8.xml.orig ++++ Linux-PAM/modules/pam_listfile/pam_listfile.8.xml +@@ -33,6 +33,9 @@ + <arg choice="opt"> + apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>] + </arg> ++ <arg choice="opt"> ++ quiet ++ </arg> + </cmdsynopsis> + </refsynopsisdiv> + +@@ -155,6 +158,18 @@ + </para> + </listitem> + </varlistentry> ++ ++ <varlistentry> ++ <term> ++ <option>quiet</option> ++ </term> ++ <listitem> ++ <para> ++ Do not treat service refusals or missing list files as ++ errors that need to be logged. ++ </para> ++ </listitem> ++ </varlistentry> + </variablelist> + + </para> +Index: Linux-PAM/modules/pam_listfile/README +=================================================================== +--- Linux-PAM/modules/pam_listfile/README.orig ++++ Linux-PAM/modules/pam_listfile/README +@@ -58,6 +58,11 @@ + item=[user|ruser|group] this oes not make sense, but for item=[tty|rhost| + shell] it have a meaning. + ++quiet ++ ++ Do not treat service refusals or missing list files as errors that need to ++ be logged. ++ + EXAMPLES + + Classic 'ftpusers' authentication can be implemented with this entry in /etc/ --- pam-0.99.7.1.orig/debian/patches-applied/021_nis_cleanup +++ pam-0.99.7.1/debian/patches-applied/021_nis_cleanup @@ -0,0 +1,44 @@ +Patch from Philippe Troin <phil@fifi.org> + +Originally this included a bunch of changes to locking, but the more +recent code pulled from Linux_pam CVS seems to fix that issue. + +Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c +@@ -1107,7 +1107,7 @@ + + if (_unix_blankpasswd(pamh, ctrl, user)) { + return PAM_SUCCESS; +- } else if (off(UNIX__IAMROOT, ctrl)) { ++ } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) { + /* instruct user what is happening */ + if (asprintf(&Announce, _("Changing password for %s."), + user) < 0) { +@@ -1120,7 +1120,9 @@ + set(UNIX__OLD_PASSWD, lctrl); + retval = _unix_read_password(pamh, lctrl + ,Announce +- ,_("(current) UNIX password: ") ++ ,(on(UNIX__IAMROOT, ctrl) ++ ? _("NIS server root password: ") ++ : _("(current) UNIX password: ")) + ,NULL + ,_UNIX_OLD_AUTHTOK + ,&pass_old); +@@ -1131,9 +1133,12 @@ + "password - (old) token not obtained"); + return retval; + } +- /* verify that this is the password for this user */ ++ /* verify that this is the password for this user ++ * if we're not using NIS */ + +- retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ if (off(UNIX_NIS, ctrl)) { ++ retval = _unix_verify_password(pamh, user, pass_old, ctrl); ++ } + } else { + D(("process run by root so do nothing this time around")); + pass_old = NULL; --- pam-0.99.7.1.orig/debian/patches-applied/046_pam_group_example +++ pam-0.99.7.1/debian/patches-applied/046_pam_group_example @@ -0,0 +1,27 @@ +Patch for Debian bug #197080 + +Don't use the 'games' group as an example in group.conf, this is a +potential security hole. + +Authors: Peter Cordes <peter@llama.nslug.ns.ca> + +Upstream status: committed to CVS + +Index: Linux-PAM/modules/pam_group/group.conf +=================================================================== +--- Linux-PAM/modules/pam_group/group.conf.orig ++++ Linux-PAM/modules/pam_group/group.conf +@@ -88,10 +88,11 @@ + # + # another example: running 'xsh' on tty* (any ttyXXX device), + # the user 'sword' is given access to games (through membership of +-# the floppy group) after work hours ++# the sound and play group) after work hours. (The games group owns ++# high-score files and so on, so don't ever give users access to it.) + # + +-#xsh; tty* ;sword;!Wk0900-1800;games, sound ++#xsh; tty* ;sword;!Wk0900-1800;sound, play + #xsh; tty* ;*;Al0900-1800;floppy + + # --- pam-0.99.7.1.orig/debian/patches-applied/ubuntu-fix_standard_types +++ pam-0.99.7.1/debian/patches-applied/ubuntu-fix_standard_types @@ -0,0 +1,13 @@ +Index: pam-0.99.7.1/Linux-PAM/libpamc/test/regress/test.libpamc.c +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/libpamc/test/regress/test.libpamc.c 2007-09-05 15:34:52.000000000 -0700 ++++ pam-0.99.7.1/Linux-PAM/libpamc/test/regress/test.libpamc.c 2007-09-05 15:35:12.000000000 -0700 +@@ -157,7 +157,7 @@ + return temp_packet.buffer; + } + +-void packet_to_prompt(pamc_bp_t *prompt_p, __u8 control, ++void packet_to_prompt(pamc_bp_t *prompt_p, u_int8_t control, + struct internal_packet *packet) + { + PAM_BP_RENEW(prompt_p, control, packet->at); --- pam-0.99.7.1.orig/debian/patches-applied/055_pam_unix_nullok_secure +++ pam-0.99.7.1/debian/patches-applied/055_pam_unix_nullok_secure @@ -0,0 +1,196 @@ +Debian patch to add a new 'nullok_secure' option to pam_unix, which +accepts users with null passwords only when the applicant is connected +from a tty listed in /etc/securetty. + +Authors: Sam Hartman <hartmans@debian.org>, + Steve Langasek <vorlon@debian.org> + +Upstream status: not yet submitted + +Index: Linux-PAM/modules/pam_unix/support.c +=================================================================== +--- Linux-PAM/modules/pam_unix/support.c.orig ++++ Linux-PAM/modules/pam_unix/support.c +@@ -87,15 +87,22 @@ + /* now parse the arguments to this module */ + + while (argc-- > 0) { +- int j; ++ int j, sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) +- { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -472,6 +479,17 @@ + if (salt) + _pam_delete(salt); + ++ if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) { ++ int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + return retval; + } + +@@ -692,7 +710,7 @@ + int salt_len = strlen(salt); + if (!salt_len) { + /* the stored password is NULL */ +- if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ ++ if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */ + D(("user has empty password - access granted")); + retval = PAM_SUCCESS; + } else { +Index: Linux-PAM/modules/pam_unix/support.h +=================================================================== +--- Linux-PAM/modules/pam_unix/support.h.orig ++++ Linux-PAM/modules/pam_unix/support.h +@@ -87,8 +87,9 @@ + #define UNIX_MAX_PASS_LEN 23 /* internal, for compatibility only */ + #define UNIX_MIN_PASS_LEN 24 /* Min length for password */ + #define UNIX_OBSCURE_CHECKS 25 /* enable obscure checks on passwords */ ++#define UNIX_NULLOK_SECURE 26 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */ + + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = +@@ -105,7 +106,7 @@ + /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x1000000), 0x200}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000}, +@@ -122,6 +123,7 @@ + /* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0}, + /* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x400000}, + /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x800000}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x1000000}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -157,6 +159,9 @@ + ,const void **pass); + extern int _unix_shadowed(const struct passwd *pwd); + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user); + + extern unsigned int pass_min_len; +Index: Linux-PAM/modules/pam_unix/Makefile.am +=================================================================== +--- Linux-PAM/modules/pam_unix/Makefile.am.orig ++++ Linux-PAM/modules/pam_unix/Makefile.am +@@ -44,6 +44,9 @@ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ + yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + ++pam_unix_la_LIBADD = \ ++ ../pam_securetty/tty_secure.lo ++ + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) + bigcrypt_LDFLAGS = @LIBCRYPT@ +Index: Linux-PAM/modules/pam_unix/README +=================================================================== +--- Linux-PAM/modules/pam_unix/README.orig ++++ Linux-PAM/modules/pam_unix/README +@@ -57,7 +57,16 @@ + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides +- this default. ++ this default and allows any user with a blank password to access the ++ service. ++ ++nullok_secure ++ ++ The default action of this module is to not permit the user access to a ++ service if their official password is blank. The nullok_secure argument ++ overrides this default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of the values ++ found in /etc/securetty. + + try_first_pass + +Index: Linux-PAM/modules/pam_unix/pam_unix.8 +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix.8.orig ++++ Linux-PAM/modules/pam_unix/pam_unix.8 +@@ -62,7 +62,14 @@ + .RS 4 + The default action of this module is to not permit the user access to a service if their official password is blank\. The + \fBnullok\fR +-argument overrides this default\. ++argument overrides this default and allows any user with a blank password to access the service\. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\. + .RE + .PP + \fBtry_first_pass\fR +Index: Linux-PAM/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix.8.xml.orig ++++ Linux-PAM/modules/pam_unix/pam_unix.8.xml +@@ -135,7 +135,24 @@ + <para> + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The <option>nullok</option> argument overrides this default. ++ The <option>nullok</option> argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>nullok_secure</option> ++ </term> ++ <listitem> ++ <para> ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The <option>nullok_secure</option> argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + </para> + </listitem> + </varlistentry> --- pam-0.99.7.1.orig/debian/patches-applied/pam_env_ignore_garbage.patch +++ pam-0.99.7.1/debian/patches-applied/pam_env_ignore_garbage.patch @@ -0,0 +1,46 @@ +Patch for Debian bug #439984 + +pam_env was not correctly skipping over non-alphanumeric variable names, +and was not handling the PAM_BAD_ITEM error return from pam_putenv() +when clearing an unset variable. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: submitted in <20070830222058.GA9984@dario.dodds.net> + +Index: pam/Linux-PAM/modules/pam_env/pam_env.c +=================================================================== +--- pam.orig/Linux-PAM/modules/pam_env/pam_env.c ++++ pam/Linux-PAM/modules/pam_env/pam_env.c +@@ -232,9 +232,14 @@ + + for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ ) + if (!isalnum(key[i]) && key[i] != '_') { +- D(("key is not alpha numeric - '%s', ignoring", key)); +- continue; ++ pam_syslog(pamh, LOG_ERR, ++ "non-alphanumeric key '%s' in %s', ignoring", ++ key, file); ++ break; + } ++ /* non-alphanumeric key, ignore this line */ ++ if (key[i] != '=' && key[i] != '\0') ++ continue; + + /* now we try to be smart about quotes around the value, + but not too smart, we can't get all fancy with escaped +@@ -248,6 +253,14 @@ + key[i] = '\0'; + } + ++ /* if this is a request to delete a variable, check that it's ++ actually set first, so we don't get a vague error back from ++ pam_putenv() */ ++ for (i = 0; key[i] != '=' && key[i] != '\0'; i++); ++ ++ if (key[i] == '\0' && !pam_getenv(pamh,key)) ++ continue; ++ + /* set the env var, if it fails, we break out of the loop */ + retval = pam_putenv(pamh, key); + if (retval != PAM_SUCCESS) { --- pam-0.99.7.1.orig/debian/patches-applied/series +++ pam-0.99.7.1/debian/patches-applied/series @@ -0,0 +1,35 @@ +006_docs_cleanup -p0 +007_modules_pam_unix -p0 +008_modules_pam_limits_chroot -p0 +015_hurd_portability -p0 +019_pam_listfile_quiet -p0 +021_nis_cleanup -p0 +022_pam_unix_group_time_miscfixes -p0 +024_debian_cracklib_dict_path -p0 +026_pam_unix_passwd_unknown_user -p0 +027_pam_limits_better_init_allow_explicit_root -p0 +031_pam_include +032_pam_limits_EPERM_NOT_FATAL -p0 +036_pam_wheel_getlogin_considered_harmful -p0 +038_support_hurd -p0 +hurd_no_setfsuid -p0 +040_pam_limits_log_failure -p0 +043_pam_unix_unknown_user_not_alert -p0 +045_pam_dispatch_jump_is_ignore -p0 +046_pam_group_example -p0 +049_pam_unix_sane_locking -p0 +054_pam_security_abstract_securetty_handling -p0 +055_pam_unix_nullok_secure -p0 +057_pam_unix_passwd_OOM_check -p0 +065_pam_unix_cracklib_disable +PAM-manpage-section +no_pthread_mutexes +limits_wrong_strncpy +misc_conv_allow_sigint.patch +pam_env_ignore_garbage.patch +autoconf.patch +ubuntu-fix_standard_types +ubuntu-rlimit_nice_correction +ubuntu-user_defined_environment +ubuntu-regression_fix_securetty +ubuntu-pam_selinux_seusers --- pam-0.99.7.1.orig/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL +++ pam-0.99.7.1/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL @@ -0,0 +1,33 @@ +setrlimit will sometimes return EPERM for example if youp try to +increase the number of open files too much. This is not something we +want to consider fatal. This also happens if you use non-root and +try to decrease a limit. Running PAM as non-root is not so great. + +Authors: ? + +Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> + +Index: Linux-PAM/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM/modules/pam_limits/pam_limits.c.orig ++++ Linux-PAM/modules/pam_limits/pam_limits.c +@@ -609,6 +609,7 @@ + } + + for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) { ++ int retval; + if (!pl->limits[i].supported) { + /* skip it if its not known to the system */ + continue; +@@ -620,7 +621,10 @@ + } + if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) + pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; +- status |= setrlimit(i, &pl->limits[i].limit); ++ retval = setrlimit(i, &pl->limits[i].limit); ++ if (retval == -1 && errno==EPERM) ++ continue; ++ status |= retval; + } + + if (status) { --- pam-0.99.7.1.orig/debian/patches-applied/hurd_no_setfsuid +++ pam-0.99.7.1/debian/patches-applied/hurd_no_setfsuid @@ -0,0 +1,110 @@ +On systems without setfsuid(), use setreuid() instead. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: superseded by pam_modutil_set_euid proposal + +Index: Linux-PAM/modules/pam_xauth/pam_xauth.c +=================================================================== +--- Linux-PAM/modules/pam_xauth/pam_xauth.c.orig ++++ Linux-PAM/modules/pam_xauth/pam_xauth.c +@@ -35,7 +35,9 @@ + + #include "config.h" + #include <sys/types.h> ++#ifdef HAVE_SYS_FSUID_H + #include <sys/fsuid.h> ++#endif /* HAVE_SYS_FSUID_H */ + #include <sys/wait.h> + #include <errno.h> + #include <fnmatch.h> +@@ -210,6 +212,9 @@ + FILE *fp; + int i; + uid_t euid; ++#ifndef HAVE_SYS_FSUID_H ++ uid_t uid; ++#endif + /* Check this user's <sense> file. */ + pwd = pam_modutil_getpwnam(pamh, this_user); + if (pwd == NULL) { +@@ -226,9 +231,34 @@ + return PAM_SESSION_ERR; + } + euid = geteuid(); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(pwd->pw_uid); ++#else ++ uid = getuid(); ++ if (uid == pwd->pw_uid) ++ setreuid(euid, uid); ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid) == -1) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, pwd->pw_uid)) ++ return PAM_CRED_INSUFFICIENT; ++ } ++ } ++#endif + fp = fopen(path, "r"); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(euid); ++#else ++ if (uid == pwd->pw_uid) ++ setreuid(uid, euid); ++ else { ++ if (setreuid(-1, 0) == -1) ++ setreuid(uid, -1); ++ setreuid(-1, euid); ++ } ++#endif + if (fp != NULL) { + char buf[LINE_MAX], *tmp; + /* Scan the file for a list of specs of users to "trust". */ +@@ -297,6 +327,9 @@ + int fd, i, debug = 0; + int retval = PAM_SUCCESS; + uid_t systemuser = 499, targetuser = 0, euid; ++#ifndef HAVE_SYS_FSUID_H ++ uid_t uid; ++#endif + + /* Parse arguments. We don't understand many, so no sense in breaking + * this into a separate function. */ +@@ -541,9 +574,34 @@ + + /* Generate a new file to hold the data. */ + euid = geteuid(); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(tpwd->pw_uid); ++#else ++ uid = getuid(); ++ if (uid == tpwd->pw_uid) ++ setreuid(euid, uid); ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid) == -1) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, tpwd->pw_uid)) ++ return PAM_CRED_INSUFFICIENT; ++ } ++ } ++#endif + fd = mkstemp(xauthority + strlen(XAUTHENV) + 1); ++#ifdef HAVE_SYS_FSUID_H + setfsuid(euid); ++#else ++ if (uid == tpwd->pw_uid) ++ setreuid(uid, euid); ++ else { ++ if (setreuid(-1, 0) == -1) ++ setreuid(uid, -1); ++ setreuid(-1, euid); ++ } ++#endif + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, + "error creating temporary file `%s': %m", --- pam-0.99.7.1.orig/debian/patches-applied/ubuntu-user_defined_environment +++ pam-0.99.7.1/debian/patches-applied/ubuntu-user_defined_environment @@ -0,0 +1,220 @@ +Index: pam-0.99.7.1/Linux-PAM/modules/pam_env/pam_env.c +=================================================================== +--- pam-0.99.7.1.orig/Linux-PAM/modules/pam_env/pam_env.c 2007-09-05 16:19:34.000000000 -0700 ++++ pam-0.99.7.1/Linux-PAM/modules/pam_env/pam_env.c 2007-09-05 16:21:28.000000000 -0700 +@@ -11,6 +11,9 @@ + #define DEFAULT_ETC_ENVFILE "/etc/environment" + #define DEFAULT_READ_ENVFILE 1 + ++#define DEFAULT_USER_ENVFILE ".pam_environment" ++#define DEFAULT_USER_READ_ENVFILE 1 ++ + #include "config.h" + + #include <ctype.h> +@@ -75,16 +78,20 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x01 +-#define PAM_NEW_CONF_FILE 0x02 +-#define PAM_ENV_SILENT 0x04 +-#define PAM_NEW_ENV_FILE 0x10 + + static int + _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, +- const char **conffile, const char **envfile, int *readenv) ++ char **conffile, char **envfile, int *readenv, ++ int *user_read_env, char **user_env_file) + { + int ctrl=0; + ++ /* handle out of memory ; fixme */ ++ *user_env_file = strdup(DEFAULT_USER_ENVFILE); ++ *envfile = strdup(DEFAULT_ETC_ENVFILE); ++ *readenv = DEFAULT_READ_ENVFILE; ++ *user_read_env = DEFAULT_USER_READ_ENVFILE; ++ *conffile = strdup(DEFAULT_CONF_FILE); + + /* step through arguments */ + for (; argc-- > 0; ++argv) { +@@ -94,25 +101,36 @@ + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; + else if (!strncmp(*argv,"conffile=",9)) { +- *conffile = 9 + *argv; +- if (**conffile != '\0') { +- D(("new Configuration File: %s", *conffile)); +- ctrl |= PAM_NEW_CONF_FILE; +- } else { ++ if (*argv+9 == '\0') { + pam_syslog(pamh, LOG_ERR, + "conffile= specification missing argument - ignored"); ++ } else { ++ free(*conffile); ++ *conffile = x_strdup(9+*argv); ++ D(("new Configuration File: %s", *conffile)); + } + } else if (!strncmp(*argv,"envfile=",8)) { +- *envfile = 8 + *argv; +- if (**envfile != '\0') { +- D(("new Env File: %s", *envfile)); +- ctrl |= PAM_NEW_ENV_FILE; +- } else { ++ if (*argv+8 == '\0') { + pam_syslog (pamh, LOG_ERR, + "envfile= specification missing argument - ignored"); ++ } else { ++ free(*envfile); ++ *envfile = x_strdup(8+*argv); ++ D(("new Env File: %s", *envfile)); ++ } ++ } else if (!strncmp(*argv,"user_env_file=",13)) { ++ if (*argv+13 == '\0') { ++ pam_syslog (pamh, LOG_ERR, ++ "user_env_file= specification missing argument - ignored"); ++ } else { ++ free(*user_env_file); ++ *user_env_file = x_strdup(13+*argv); ++ D(("new User Env File: %s", *user_env_file)); + } + } else if (!strncmp(*argv,"readenv=",8)) + *readenv = atoi(8+*argv); ++ else if (!strncmp(*argv,"user_readenv=",13)) ++ *user_read_env = atoi(13+*argv); + else + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } +@@ -121,10 +139,9 @@ + } + + static int +-_parse_config_file(pam_handle_t *pamh, int ctrl, const char *conffile) ++_parse_config_file(pam_handle_t *pamh, const char *file) + { + int retval; +- const char *file; + char buffer[BUF_SIZE]; + FILE *conf; + VAR Var, *var=&Var; +@@ -132,12 +149,6 @@ + var->name=NULL; var->defval=NULL; var->override=NULL; + D(("Called.")); + +- if (ctrl & PAM_NEW_CONF_FILE) { +- file = conffile; +- } else { +- file = DEFAULT_CONF_FILE; +- } +- + D(("Config file name is: %s", file)); + + /* +@@ -184,18 +195,12 @@ + } + + static int +-_parse_env_file(pam_handle_t *pamh, int ctrl, const char *env_file) ++_parse_env_file(pam_handle_t *pamh, const char *file) + { + int retval=PAM_SUCCESS, i, t; +- const char *file; + char buffer[BUF_SIZE], *key, *mark; + FILE *conf; + +- if (ctrl & PAM_NEW_ENV_FILE) +- file = env_file; +- else +- file = DEFAULT_ETC_ENVFILE; +- + D(("Env file name is: %s", file)); + + if ((conf = fopen(file,"r")) == NULL) { +@@ -751,23 +756,52 @@ + int argc, const char **argv) + { + int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; +- const char *conf_file = NULL, *env_file = NULL; ++ int read_user_env = DEFAULT_USER_READ_ENVFILE; ++ char *conf_file = NULL, *env_file = NULL, *user_env_file = NULL; + + /* + * this module sets environment variables read in from a file + */ + + D(("Called.")); +- ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); ++ ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv, ++ &read_user_env, &user_env_file); + +- retval = _parse_config_file(pamh, ctrl, conf_file); ++ retval = _parse_config_file(pamh, conf_file); + + if(readenv && retval == PAM_SUCCESS) { +- retval = _parse_env_file(pamh, ctrl, env_file); ++ retval = _parse_env_file(pamh, env_file); + if (retval == PAM_IGNORE) + retval = PAM_SUCCESS; + } + ++ if(read_user_env && retval == PAM_SUCCESS) { ++ char *envpath = NULL; ++ struct passwd *user_entry; ++ const char *username; ++ struct stat statbuf; ++ ++ username = _pam_get_item_byname(pamh, "PAM_USER"); ++ ++ user_entry = getpwnam(username); ++ if (!user_entry) { ++ pam_syslog(pamh, LOG_ERR, "No such user!?"); ++ } ++ else { ++ if (!(envpath = malloc(strlen(user_entry->pw_dir) + 1 + strlen(user_env_file) + 1))) { ++ pam_syslog(pamh, LOG_ERR, "Malloc failed"); ++ return PAM_BUF_ERR; ++ } ++ sprintf(envpath, "%s/%s", user_entry->pw_dir, user_env_file); ++ if (stat(envpath, &statbuf) == 0) { ++ retval = _parse_config_file(pamh, envpath); ++ if (retval == PAM_IGNORE) ++ retval = PAM_SUCCESS; ++ } ++ free(envpath); ++ } ++ } ++ + /* indicate success or failure */ + + D(("Exit.")); +@@ -786,28 +820,9 @@ + pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) + { +- int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; +- const char *conf_file = NULL, *env_file = NULL; +- +- /* +- * this module sets environment variables read in from a file +- */ +- +- D(("Called.")); +- ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); +- +- retval = _parse_config_file(pamh, ctrl, conf_file); +- +- if(readenv && retval == PAM_SUCCESS) { +- retval = _parse_env_file(pamh, ctrl, env_file); +- if (retval == PAM_IGNORE) +- retval = PAM_SUCCESS; +- } +- +- /* indicate success or failure */ +- +- D(("Exit.")); +- return retval; ++ /* Function was identical to pam_sm_setcred, so call it instead */ ++ D(("Called -- calling pam_sm_setcred instead...")); ++ return pam_sm_setcred(pamh, flags, argc, argv); + } + + PAM_EXTERN int --- pam-0.99.7.1.orig/debian/patches-applied/031_pam_include +++ pam-0.99.7.1/debian/patches-applied/031_pam_include @@ -0,0 +1,58 @@ +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> + +Upstream status: not yet submitted + +Index: pam/Linux-PAM/libpam/pam_handlers.c +=================================================================== +--- pam.orig/Linux-PAM/libpam/pam_handlers.c ++++ pam/Linux-PAM/libpam/pam_handlers.c +@@ -114,6 +114,10 @@ + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; ++ } else if (!strcasecmp("@include", tok)) { ++ pam_include = 1; ++ module_type = requested_module_type; ++ goto parsing_done; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); +@@ -178,14 +182,33 @@ + _pam_set_default_control(actions, _PAM_ACTION_BAD); + } + ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { +- if (_pam_load_conf_file(pamh, tok, this_service, module_type ++ struct stat include_dir; ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, module_type + #ifdef PAM_READ_BOTH_CONFS +- , !other ++ , !other + #endif /* PAM_READ_BOTH_CONFS */ + ) == PAM_SUCCESS) +- continue; ++ continue; ++ } else if (!stat(PAM_CONFIG_D, &include_dir) && S_ISDIR(include_dir.st_mode)) { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, module_type ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = NULL; + must_fail = 1; --- pam-0.99.7.1.orig/debian/patches-applied/no_pthread_mutexes +++ pam-0.99.7.1/debian/patches-applied/no_pthread_mutexes @@ -0,0 +1,205 @@ +Don't use pthread mutexes in libpam unnecessarily; this avoids linking +problems on non-Linux platforms. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: committed to CVS + +Index: pam/Linux-PAM/libpam/pam_modutil_getgrgid.c +=================================================================== +--- pam.orig/Linux-PAM/libpam/pam_modutil_getgrgid.c ++++ pam/Linux-PAM/libpam/pam_modutil_getgrgid.c +@@ -12,20 +12,9 @@ + #include <errno.h> + #include <limits.h> + #include <grp.h> +-#include <pthread.h> + #include <stdio.h> + #include <stdlib.h> + +-static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +-static void _pammodutil_lock(void) +-{ +- pthread_mutex_lock(&_pammodutil_mutex); +-} +-static void _pammodutil_unlock(void) +-{ +- pthread_mutex_unlock(&_pammodutil_mutex); +-} +- + static int intlen(int number) + { + int len = 2; +@@ -95,13 +84,11 @@ + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getgrgid_%ld_%d", + (long) gid, i); +- _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } +- _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } +Index: pam/Linux-PAM/libpam/pam_modutil_getgrnam.c +=================================================================== +--- pam.orig/Linux-PAM/libpam/pam_modutil_getgrnam.c ++++ pam/Linux-PAM/libpam/pam_modutil_getgrnam.c +@@ -12,20 +12,9 @@ + #include <errno.h> + #include <limits.h> + #include <grp.h> +-#include <pthread.h> + #include <stdio.h> + #include <stdlib.h> + +-static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +-static void _pammodutil_lock(void) +-{ +- pthread_mutex_lock(&_pammodutil_mutex); +-} +-static void _pammodutil_unlock(void) +-{ +- pthread_mutex_unlock(&_pammodutil_mutex); +-} +- + static int intlen(int number) + { + int len = 2; +@@ -84,13 +73,11 @@ + if (pamh != NULL) { + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getgrnam_%s_%d", group, i); +- _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } +- _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } +Index: pam/Linux-PAM/libpam/pam_modutil_getpwnam.c +=================================================================== +--- pam.orig/Linux-PAM/libpam/pam_modutil_getpwnam.c ++++ pam/Linux-PAM/libpam/pam_modutil_getpwnam.c +@@ -11,21 +11,10 @@ + + #include <errno.h> + #include <limits.h> +-#include <pthread.h> + #include <pwd.h> + #include <stdio.h> + #include <stdlib.h> + +-static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +-static void _pammodutil_lock(void) +-{ +- pthread_mutex_lock(&_pammodutil_mutex); +-} +-static void _pammodutil_unlock(void) +-{ +- pthread_mutex_unlock(&_pammodutil_mutex); +-} +- + static int intlen(int number) + { + int len = 2; +@@ -84,13 +73,11 @@ + if (pamh != NULL) { + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getpwnam_%s_%d", user, i); +- _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } +- _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } +Index: pam/Linux-PAM/libpam/pam_modutil_getpwuid.c +=================================================================== +--- pam.orig/Linux-PAM/libpam/pam_modutil_getpwuid.c ++++ pam/Linux-PAM/libpam/pam_modutil_getpwuid.c +@@ -11,21 +11,10 @@ + + #include <errno.h> + #include <limits.h> +-#include <pthread.h> + #include <pwd.h> + #include <stdio.h> + #include <stdlib.h> + +-static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +-static void _pammodutil_lock(void) +-{ +- pthread_mutex_lock(&_pammodutil_mutex); +-} +-static void _pammodutil_unlock(void) +-{ +- pthread_mutex_unlock(&_pammodutil_mutex); +-} +- + static int intlen(int number) + { + int len = 2; +@@ -95,13 +84,11 @@ + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getpwuid_%ld_%d", + (long) uid, i); +- _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } +- _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } +Index: pam/Linux-PAM/libpam/pam_modutil_getspnam.c +=================================================================== +--- pam.orig/Linux-PAM/libpam/pam_modutil_getspnam.c ++++ pam/Linux-PAM/libpam/pam_modutil_getspnam.c +@@ -11,21 +11,10 @@ + + #include <errno.h> + #include <limits.h> +-#include <pthread.h> + #include <shadow.h> + #include <stdio.h> + #include <stdlib.h> + +-static pthread_mutex_t _pammodutil_mutex = PTHREAD_MUTEX_INITIALIZER; +-static void _pammodutil_lock(void) +-{ +- pthread_mutex_lock(&_pammodutil_mutex); +-} +-static void _pammodutil_unlock(void) +-{ +- pthread_mutex_unlock(&_pammodutil_mutex); +-} +- + static int intlen(int number) + { + int len = 2; +@@ -84,13 +73,11 @@ + if (pamh != NULL) { + for (i = 0; i < INT_MAX; i++) { + sprintf(data_name, "_pammodutil_getspnam_%s_%d", user, i); +- _pammodutil_lock(); + status = PAM_NO_MODULE_DATA; + if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) { + status = pam_set_data(pamh, data_name, + result, pam_modutil_cleanup); + } +- _pammodutil_unlock(); + if (status == PAM_SUCCESS) { + break; + } --- pam-0.99.7.1.orig/debian/patches-applied/049_pam_unix_sane_locking +++ pam-0.99.7.1/debian/patches-applied/049_pam_unix_sane_locking @@ -0,0 +1,150 @@ +Delta from 1.12 to 1.13 from Linux-PAM pam_unix_passwd.c +made to work with our changes. Not sure this is actually relevant, as +other changes seem to have been made upstream. This patch was +specifically reverted in upstream CVS revision 1.18 as introducing a +"race". + +Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c +@@ -749,8 +749,7 @@ + char *towhat, unsigned int ctrl, int remember) + { + struct passwd *pwd = NULL; +- int retval = 0; +- int unlocked = 0; ++ int retval = 0, i = 0; + char *master = NULL; + + D(("called")); +@@ -770,12 +769,6 @@ + int status; + enum clnt_stat err; + +- /* Unlock passwd file to avoid deadlock */ +-#ifdef USE_LCKPWDF +- ulckpwdf(); +-#endif +- unlocked = 1; +- + /* Initialize password information */ + yppwd.newpw.pw_passwd = pwd->pw_passwd; + yppwd.newpw.pw_name = pwd->pw_name; +@@ -833,29 +826,28 @@ + } + + if (_unix_comesfromsource(pamh, forwho, 1, 0)) { +-#ifdef USE_LCKPWDF +- if(unlocked) { +- int i = 0; +- /* These values for the number of attempts and the sleep time +- are, of course, completely arbitrary. +- My reading of the PAM docs is that, once pam_chauthtok() has been +- called with PAM_UPDATE_AUTHTOK, we are obliged to take any +- reasonable steps to make sure the token is updated; so retrying +- for 1/10 sec. isn't overdoing it. */ +- while((retval = lckpwdf()) != 0 && i < 100) { +- usleep(1000); +- i++; +- } +- if(retval != 0) { +- return PAM_AUTHTOK_LOCK_BUSY; +- } +- } +-#endif + /* first, save old password */ + if (save_old_password(pamh, forwho, fromwhat, remember)) { + retval = PAM_AUTHTOK_ERR; + goto done; + } ++ ++#ifdef USE_LCKPWDF ++ /* These values for the number of attempts and the sleep time ++ are, of course, completely arbitrary. ++ My reading of the PAM docs is that, once pam_chauthtok() has been ++ called with PAM_UPDATE_AUTHTOK, we are obliged to take any ++ reasonable steps to make sure the token is updated; so retrying ++ for 1/10 sec. isn't overdoing it. */ ++ while((retval = lckpwdf()) != 0 && i < 100) { ++ usleep(1000); ++ i++; ++ } ++ if(retval != 0) { ++ retval = PAM_AUTHTOK_LOCK_BUSY; ++ goto done; ++ } ++#endif + if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) { + retval = _update_shadow(pamh, forwho, towhat); + #ifdef WITH_SELINUX +@@ -1024,7 +1016,7 @@ + int argc, const char **argv) + { + unsigned int ctrl, lctrl; +- int retval, i; ++ int retval; + int remember = -1; + + /* <DO NOT free() THESE> */ +@@ -1255,30 +1247,11 @@ + pass_new = pass_old = NULL; /* tidy up */ + return retval; + } +-#ifdef USE_LCKPWDF +- /* These values for the number of attempts and the sleep time +- are, of course, completely arbitrary. +- My reading of the PAM docs is that, once pam_chauthtok() has been +- called with PAM_UPDATE_AUTHTOK, we are obliged to take any +- reasonable steps to make sure the token is updated; so retrying +- for 1/10 sec. isn't overdoing it. */ +- i=0; +- while((retval = lckpwdf()) != 0 && i < 100) { +- usleep(1000); +- i++; +- } +- if(retval != 0) { +- return PAM_AUTHTOK_LOCK_BUSY; +- } +-#endif + + if (pass_old) { + retval = _unix_verify_password(pamh, user, pass_old, ctrl); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "user password changed by another process"); +-#ifdef USE_LCKPWDF +- ulckpwdf(); +-#endif + return retval; + } + } +@@ -1286,9 +1259,6 @@ + retval = _unix_verify_shadow(pamh, user, ctrl); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2"); +-#ifdef USE_LCKPWDF +- ulckpwdf(); +-#endif + return retval; + } + +@@ -1297,9 +1267,6 @@ + pam_syslog(pamh, LOG_NOTICE, + "new password not acceptable 2"); + pass_new = pass_old = NULL; /* tidy up */ +-#ifdef USE_LCKPWDF +- ulckpwdf(); +-#endif + return retval; + } + +@@ -1341,9 +1308,6 @@ + pam_syslog(pamh, LOG_CRIT, + "out of memory for password"); + pass_new = pass_old = NULL; /* tidy up */ +-#ifdef USE_LCKPWDF +- ulckpwdf(); +-#endif + return PAM_BUF_ERR; + } + /* copy first 8 bytes of password */ --- pam-0.99.7.1.orig/debian/patches-applied/057_pam_unix_passwd_OOM_check +++ pam-0.99.7.1/debian/patches-applied/057_pam_unix_passwd_OOM_check @@ -0,0 +1,21 @@ +Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig ++++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c +@@ -1323,6 +1323,16 @@ + } + } + ++ /* A null pointer here indicates a memory failure ++ somewhere along the way; don't set the password to ++ NULL! */ ++ if (tpass == NULL) { ++ pam_syslog(pamh, LOG_CRIT, ++ "out of memory for password"); ++ pass_new = pass_old = NULL; /* tidy up */ ++ return PAM_BUF_ERR; ++ } ++ + D(("password processed")); + + /* update the password database(s) -- race conditions..? */ --- pam-0.99.7.1.orig/debian/patches-applied/054_pam_security_abstract_securetty_handling +++ pam-0.99.7.1/debian/patches-applied/054_pam_security_abstract_securetty_handling @@ -0,0 +1,215 @@ +Index: Linux-PAM/modules/pam_securetty/pam_securetty.c +=================================================================== +--- Linux-PAM/modules/pam_securetty/pam_securetty.c.orig ++++ Linux-PAM/modules/pam_securetty/pam_securetty.c +@@ -1,8 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" +- + /* + * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. + * July 25, 1996. +@@ -37,6 +34,9 @@ + #include <security/pam_modutil.h> + #include <security/pam_ext.h> + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + + static int +@@ -67,11 +67,7 @@ + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -101,63 +97,10 @@ + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { +- uttyname += sizeof(TTY_PREFIX)-1; +- } +- +- if (stat(SECURETTY_FILE, &ttyfileinfo)) { +- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +- return PAM_SUCCESS; /* for compatibility with old securetty handling, +- this needs to succeed. But we still log the +- error. */ +- } +- +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { +- /* If the file is world writable or is not a +- normal file, return error */ +- pam_syslog(pamh, LOG_ERR, +- "%s is either world writable or not a normal file", +- SECURETTY_FILE); +- return PAM_AUTH_ERR; +- } +- +- ttyfile = fopen(SECURETTY_FILE,"r"); +- if (ttyfile == NULL) { /* Check that we opened it successfully */ +- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); +- return PAM_SERVICE_ERR; +- } +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') +- ttyfileline[strlen(ttyfileline) - 1] = '\0'; +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); +- } +- fclose(ttyfile); +- +- if (retval) { +- pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", +- uttyname); +- +- retval = PAM_AUTH_ERR; +- } else { +- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { +- pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", +- username, uttyname); +- } +- retval = PAM_SUCCESS; +- ++ retval = _pammodutil_tty_secure(pamh, uttyname); ++ if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { ++ pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'", ++ username, uttyname); + } + + return retval; +Index: Linux-PAM/modules/pam_securetty/tty_secure.c +=================================================================== +--- /dev/null ++++ Linux-PAM/modules/pam_securetty/tty_secure.c +@@ -0,0 +1,92 @@ ++/* ++ * A function to determine if a particular line is in /etc/securetty ++ */ ++ ++ ++#define SECURETTY_FILE "/etc/securetty" ++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_securetty by Sam Hartman ++ * <hartmans@debian.org>*/ ++/* ++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 1996/12/3 ++ */ ++ ++#include <unistd.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <security/pam_modules.h> ++#include <stdarg.h> ++#include <syslog.h> ++#include <sys/syslog.h> ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <ctype.h> ++#include <security/pam_modutil.h> ++#include <security/pam_ext.h> ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", ++ SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. */ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ pam_syslog(pamh, LOG_ERR, ++ "%s is either world writable or not a normal file", ++ SECURETTY_FILE); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ } ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", ++ uttyname); ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} +Index: Linux-PAM/modules/pam_securetty/Makefile.am +=================================================================== +--- Linux-PAM/modules/pam_securetty/Makefile.am.orig ++++ Linux-PAM/modules/pam_securetty/Makefile.am +@@ -23,6 +23,10 @@ + + securelib_LTLIBRARIES = pam_securetty.la + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml --- pam-0.99.7.1.orig/debian/libpam-doc.doc-base.applications-guide +++ pam-0.99.7.1/debian/libpam-doc.doc-base.applications-guide @@ -0,0 +1,17 @@ +Document: pam-applications-guide +Title: The Linux-PAM Application Developers' Guide +Author: Andrew G. Morgan <morgan@linux.kernel.org> +Abstract: This manual documents what an application developer needs to know + about the Linux-PAM library. It describes how an application might use + the Linux-PAM library to authenticate users. In addition it contains a + description of the funtions to be found in libpam_misc library, that can + be used in general applications. Finally, it contains some comments on PAM + related security issues for the application developer. +Section: Apps/Programming + +Format: HTML +Index: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html +Files: /usr/share/doc/libpam-doc/html/Linux-PAM_ADG.html /usr/share/doc/libpam-doc/html/adg*.html + +Format: text +Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_ADG.txt.gz --- pam-0.99.7.1.orig/debian/libpam-runtime.postinst +++ pam-0.99.7.1/debian/libpam-runtime.postinst @@ -0,0 +1,21 @@ +#!/bin/sh -e + +# If the user has removed the config file, respect this sign of dementia +# -- only create on package install. + +if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.76-17 +then + for configfile in common-auth common-account common-session \ + common-password + do + if [ ! -f /etc/pam.d/$configfile ] || \ + fgrep -q `md5sum /etc/pam.d/$configfile` \ + /usr/share/pam/$configfile.md5sums 2>/dev/null + then + cp /usr/share/pam/$configfile /etc/pam.d/ + fi + done + rm -f /etc/pam.d/other.pre-upgrade 2>/dev/null || true +fi + +#DEBHELPER# --- pam-0.99.7.1.orig/debian/libpam-cracklib.files +++ pam-0.99.7.1/debian/libpam-cracklib.files @@ -0,0 +1 @@ +lib/security/pam_cracklib.so --- pam-0.99.7.1.orig/debian/libpam0g-dev.manpages +++ pam-0.99.7.1/debian/libpam0g-dev.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man3/* --- pam-0.99.7.1.orig/debian/libpam0g.lintian +++ pam-0.99.7.1/debian/libpam0g.lintian @@ -0,0 +1,8 @@ +# obvious multilib package false-positive; also the package name hasn't +# changed since the glibc transition, go us! +libpam0g: package-name-doesnt-match-sonames libpam0 libpam-misc0 libpamc0 +# yes, these are deliberately asked in the postinst because the checking +# for daemons to be restarted needs to be done in the postinst and not +# before +libpam0g: no-debconf-config +libpam0g: postinst-uses-db-input --- pam-0.99.7.1.orig/debian/libpam-modules.conffiles.hurd-i386 +++ pam-0.99.7.1/debian/libpam-modules.conffiles.hurd-i386 @@ -0,0 +1,4 @@ +/etc/security/access.conf +/etc/security/group.conf +/etc/security/pam_env.conf +/etc/security/time.conf --- pam-0.99.7.1.orig/debian/libpam-runtime.manpages +++ pam-0.99.7.1/debian/libpam-runtime.manpages @@ -0,0 +1,4 @@ +debian/tmp/usr/share/man/man5/pam.conf.5 +debian/tmp/usr/share/man/man5/pam.d.5 +debian/tmp/usr/share/man/man8/PAM.8 +debian/local/pam_getenv.8 --- pam-0.99.7.1.orig/debian/changelog.old +++ pam-0.99.7.1/debian/changelog.old @@ -0,0 +1,13 @@ +pam (0.50-1) unstable; urgency=low + + * added Debian GNU/Linux package maintenance system files. + * changes to the installation procedure to fit the Debian packaging + system ($PREFIX handling, unconditionally install configuration files, + don't run ldconfig after installing the shared libraries). + * added documentation in the extradoc directory + * commented out all unused entries in etc/pam.conf, etc/secure/group.conf + and etc/secure/time.conf + + -- Patrick Weemeeuw <patrick.weemeeuw@kulnet.kuleuven.ac.be> + + --- pam-0.99.7.1.orig/debian/rules +++ pam-0.99.7.1/debian/rules @@ -0,0 +1,153 @@ +#!/usr/bin/make -f +# Made with the aid of dh_make, by Craig Small +# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess. +# This version is for a hypothetical package that builds an +# architecture-dependant package, as well as an architecture-independant +# package. + +CFLAGS := -g -D_GNU_SOURCE -D_REENTRANT -fPIC -DCRACKLIB_DICTS=CRACKLIB_DICTPATH + +ifeq (,$(findstring noopt, ${DEB_BUILD_OPTIONS})) +CFLAGS += -O2 +endif + +DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + +ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) + conf_args = --build $(DEB_BUILD_GNU_TYPE) +else + conf_args = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +LC_COLLATE=C +export LC_COLLATE + +QUILT_PATCH_DIR = debian/patches-applied +include /usr/share/quilt/quilt.make + +BUILD_TREE=Linux-PAM + +d = $(CURDIR)/debian +dl = $(d)/local +i = install -p -m 0644 +ie = install -p -m 0755 + +build: configure build-stamp +build-stamp: + dh_testdir + + # Compile everything else + $(MAKE) -C $(BUILD_TREE) CFLAGS="$(CFLAGS)" + + pod2man --section 8 --release="Debian GNU/Linux" $(dl)/pam_getenv >$(dl)/pam_getenv.8 + + touch build-stamp + +configure: patch configure-stamp +configure-stamp: + cd $(BUILD_TREE) && \ + ./configure $(conf_args) \ + --sysconfdir=/etc --prefix=/usr --enable-static --enable-shared \ + --mandir=/usr/share/man --infodir=/usr/share/info --libdir=/lib \ + --sbindir=/sbin --enable-docdir=/usr/share/doc/libpam-doc \ + --with-mailspool=/var/mail + touch configure-stamp + + +clean: clean-patched unpatch + +clean-patched: + dh_testdir + dh_testroot + [ ! -f $(BUILD_TREE)/Makefile ] || $(MAKE) -C $(BUILD_TREE) distclean + rm -f $(dl)/pam_getenv.8 + rm -f build-stamp configure-stamp + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + $(MAKE) -C $(BUILD_TREE) DESTDIR=$(CURDIR)/debian/tmp install + + # Provided in libpam-cracklib + rm -f $(CURDIR)/debian/libpam-modules/lib/security/pam_cracklib.so + # .la files are teh devil + rm -f $(CURDIR)/debian/tmp/lib/*.la + # for modules, we only want the .so + rm -f $(CURDIR)/debian/tmp/lib/security/*.la \ + $(CURDIR)/debian/tmp/lib/security/*.a + +# Build architecture-independent files here. +binary-indep: install + dh_testdir -i + dh_testroot -i + + mkdir -p debian/tmp/etc/pam.d + mkdir -p debian/tmp/usr/share/pam + $(i) $(dl)/pam.conf $(d)/tmp/etc + -mkdir -p $(d)/tmp/usr/sbin $(d)/tmp/usr/share/man/man8 + $(ie) $(dl)/pam_getenv $(d)/tmp/usr/sbin + $(i) $(dl)/other $(d)/tmp/etc/pam.d + $(i) $(dl)/common-* $(d)/tmp/usr/share/pam/ + + dh_install -i + + dh_installman -i + dh_installdocs -i + dh_installchangelogs -i $(BUILD_TREE)/ChangeLog + dh_compress -i -X.html + dh_link -i + dh_fixperms -i + dh_installdeb -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +binary-arch: install + dh_testdir -a + dh_testroot -a + + mkdir -p debian/tmp/usr/lib + mv debian/tmp/lib/*.a debian/tmp/usr/lib + dh_movefiles -plibpam0g-dev -plibpam-cracklib -plibpam0g + dh_movefiles -plibpam-modules `cd $(d)/tmp && ls lib/security/*.so` + dh_link -a + dh_installman -a + rm -rf $(d)/libpam-modules/usr/share/man/man7 + rm -f $(d)/libpam-modules/usr/share/man/man8/pam.8 + rm -f $(d)/libpam-modules/usr/share/man/man5/pam.conf.5 + rm -f $(d)/libpam-modules/usr/share/man/man5/pam.d.5 + + dh_installdebconf -a + dh_installdocs -a $(BUILD_TREE)/README + dh_installexamples -a + find $(d)/libpam0g-dev/usr/share/doc/libpam0g-dev/examples -type f -name 'Makefile*' -print0 | xargs -0 rm -f + + dh_installcron -a + + dh_installchangelogs -a $(BUILD_TREE)/ChangeLog + for pkg in libpam0g libpam-modules; do \ + install -m 0644 -D $(d)/$$pkg.lintian $(d)/$$pkg/usr/share/lintian/overrides/$$pkg || exit; \ + done + + dh_strip -a + dh_compress -a + dh_fixperms -a + # by default, unix_chkpwd is installed 4755, but 2755 is + # enough (unless used with nis, which dpkg-statoverrides it + # again) + chown root:shadow $(d)/libpam-modules/sbin/unix_chkpwd + chmod 02755 $(d)/libpam-modules/sbin/unix_chkpwd + dh_makeshlibs -plibpam0g -V "libpam0g (>= 0.99.7.1)" + dh_installdeb -a + dh_shlibdeps -a -L libpam0g -l$(CURDIR)/debian/libpam0g/lib + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary patch unpatch install configure --- pam-0.99.7.1.orig/debian/control +++ pam-0.99.7.1/debian/control @@ -0,0 +1,88 @@ +Source: pam +Section: libs +Priority: optional +Uploaders: Karl Ramm <kcr@debian.org>, Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org> +Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org> +Standards-Version: 3.7.2 +Build-Depends: cracklib2-dev (>= 2.7-9), bzip2, debhelper, quilt, flex, libdb-dev, libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64 !netbsd-i386], po-debconf +Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m +Build-Conflicts-Indep: fop +XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-pam/trunk/pam/ +XS-Vcs-Browser: http://svn.debian.org/wsvn/pkg-pam/trunk/pam/ + +Package: libpam0g +Priority: required +Architecture: any +Conflicts: libpam0 (<= 0.56-2), libpam +Replaces: libpam0g-util +Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime +Suggests: libpam-doc +Description: Pluggable Authentication Modules library + Contains the C shared library for Linux-PAM, a suite of shared + libraries that enable the local system administrator to choose how + applications authenticate users. In other words, without rewriting + or recompiling a PAM-aware application, it is possible to switch + between the authentication mechanism(s) it uses. One may entirely + upgrade the local authentication system without touching the + applications themselves. + +Package: libpam-modules +Priority: required +Architecture: any +Depends: ${shlibs:Depends} +Conflicts: libpam0g-modules (= 0.66-1), libpam-motd, libpam-mkhomedir, libpam-umask, suidmanager (<< 0.50) +Replaces: libpam0g-util, libpam-umask +Provides: libpam-motd, libpam-mkhomedir, libpam-umask +Description: Pluggable Authentication Modules for PAM + This package completes the set of modules for PAM. It includes the + pam_unix_*.so module as well as some specialty modules. + +Package: libpam-runtime +Section: admin +Priority: required +Architecture: all +Replaces: libpam0g-util, libpam0g-dev +Conflicts: libpam0g-util, libpam0g (<< 0.66-0) +Description: Runtime support for the PAM library + Contains configuration files and directories required for + authentication to work on Debian systems. This package is required + on almost all installations. + +Package: libpam0g-dev +Section: libdevel +Priority: optional +Architecture: any +Depends: libpam0g (= ${binary:Version}), libc6-dev|libc-dev +Conflicts: libpam-dev, libpam-dbg +Replaces: libpam0g (<= 0.65) +Provides: libpam-dev +Description: Development files for PAM + Contains C header files and development shared libraries libraries for + libpam, the pluggable authentication modules, a suite of shared libraries + that enable the local system administrator to choose how applications + authenticate users. + . + PAM decouples applications from the authentication mechanism, making it + possible to upgrade the authentication system without recompiling or + rewriting the applications. + +Package: libpam-cracklib +Priority: optional +Architecture: any +Replaces: libpam0g-cracklib +Depends: ${shlibs:Depends}, cracklib-runtime, wamerican | wordlist +Description: PAM module to enable cracklib support + This package includes libpam_cracklib, a PAM module that tests + passwords to make sure they are not too weak during password change. + +Package: libpam-doc +Provides: pam-doc +Section: doc +Priority: optional +Architecture: all +Description: Documentation of PAM + Contains documentation (in HTML, ASCII, and PostScript format) for + libpam, the Pluggable Authentication Modules library, a suite of shared + libraries that enable the local system administrator to choose how + applications authenticate users. --- pam-0.99.7.1.orig/debian/libpam0g.templates +++ pam-0.99.7.1/debian/libpam0g.templates @@ -0,0 +1,30 @@ +Template: libpam0g/restart-services +Type: string +_Description: Services to restart for PAM library upgrade: + Most services that use PAM need to be restarted to use modules built for + this new version of libpam. Please review the following space-separated + list of init.d scripts for services to be restarted now, and correct it + if needed. + . + Some other services such as xscreensaver, gnome-screensaver, and xlockmore + cannot be restarted for you. You will not be able to authenticate to these + services until you restart them manually. + +Template: libpam0g/xdm-needs-restart +Type: error +_Description: Display manager must be restarted manually + The kdm, wdm, and xdm display managers require a restart for the new + version of libpam, but there are X login sessions active on your system that + would be terminated by this restart. You will therefore need to restart + these services by hand before further X logins will be possible. + +Template: libpam0g/restart-failed +Type: error +#flag:translate!:3 +_Description: Failure restarting some services for PAM upgrade + The following services could not be restarted for the PAM library upgrade: + . + ${services} + . + You will need to start these manually by running + '/etc/init.d/<service> start'. --- pam-0.99.7.1.orig/debian/README.debian +++ pam-0.99.7.1/debian/README.debian @@ -0,0 +1,36 @@ +PAM for DEBIAN +-------------- + +PAM (Pluggable Authentication Modules) provides system administrators with a +powerful method of controlling system access and methods of authentication. + +The documentation for PAM is packaged in the "libpam-doc" package. The +"Linux-PAM System Administrator's Guide" covers configuring PAM, what +modules are available etc. The documentation also includes "The Linux-PAM +Application Developers' Guide" and "The Linux-PAM Module Writers' Guide". + +The Debian default configuration is to emulate the old UNIX authentication. + +The Debian PAM packages live at svn://svn.debian.org/pkg-pam/. The +current version is in the trunk directory; previous versions live in +the tags directory. + +Changes Since Debian 3.0 +------------------------ + +The pam_securetty module used to prompt for a password when it was +going to fail access. This Debian-specific patch defeats one of the +key uses of this module: to deny access to privileged accounts soon +enough in the PAM stack that the password is never requested and is +not compromised over insecure network links. If you want to ask for +the password use required not requisite in your PAM config. + +Previously, pam_rhosts allowed the .rhosts file to be a symlink. This +was a debian specific change that has been dropped because it is not +the upstream behavior nor is it the documented behavior of ruserok(3). + +Similarly, pam_listfile used to allow the user file to be a symlink. +This is no longer allowed because upstream seems to be against the +change. Please see discussion started by Sam Hartman on +pam-list@redhat.com during the May 2002 time frame. + --- pam-0.99.7.1.orig/debian/po/pt_BR.po +++ pam-0.99.7.1/debian/po/pt_BR.po @@ -0,0 +1,95 @@ +# pam Brazilian Portuguese translation +# Copyright (c) 2007 Steve Langasek <vorlon@debian.org> +# This file is distributed under the same license as the pam package. +# Eder L. Marques <frolic@debian-ce.org>, 2007. +# +msgid "" +msgstr "" +"Project-Id-Version: pam_0.99.7.1-5\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-26 15:53-0300\n" +"Last-Translator: Eder L. Marques <frolic@debian-ce.org>\n" +"Language-Team: l10n Portuguese <debian-l10n-portuguese@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Serviços a serem reiniciados para a atualização de bibliotecas PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"A maioria dos serviços que utilizam PAM precisam ser reiniciados para usar " +"os módulos construÃdos para esta nova versão da libpam. Por favor, revise a " +"seguinte lista separada por espaços de seus scripts init.d para os serviços " +"a serem reiniciados agora, e a corrija se necessário." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"Alguns dos outros serviços como xscreensaver, gnome-screensaver e xlockmore " +"não podem ser reiniciados para você. Você não será capaz de autenticar " +"nestes serviços até que os tenha reiniciado manualmente." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Gerenciadores de display devem ser reiniciados manualmente" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Os gerenciadores de display kdm, wdm e xdm precisam ser reiniciados para a " +"nova versão da libpam, mas existem sessões de login X ativas em seu sistema " +"que podem ser terminadas por este reinicio. Você consequentemente " +"necessitará reiniciar estes serviços manualmente antes que logins X " +"adicionais sejam possÃveis." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Falha ao reiniciar alguns serviços para a atualização da PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Os seguintes serviços não puderam ser reiniciados para a atualização da " +"biblioteca PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Você deverá iniciá-los manualmente executando '/etc/init.d/<serviço> start'." --- pam-0.99.7.1.orig/debian/po/bg.po +++ pam-0.99.7.1/debian/po/bg.po @@ -0,0 +1,89 @@ +# translation of bg.po to Bulgarian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Damyan Ivanov <dam@modsoftsys.com>, 2007. +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-25 14:24+0300\n" +"Last-Translator: Damyan Ivanov <dam@modsoftsys.com>\n" +"Language-Team: Bulgarian <dict@fsa-bg.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "РеÑтартиране на уÑлуги при обновÑване на PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Повечето уÑлуги, които използват PAM Ñ‚Ñ€Ñбва да бъдат реÑтартирани за да " +"могат да използват модулите за новата верÑÐ¸Ñ Ð½Ð° libpam. Прегледайте ÑпиÑъка " +"от init.d Ñкриптове по-долу и го коригирайте ако е необходимо. Имената на " +"отделните Ñкриптове Ñ‚Ñ€Ñбва да Ñа отделени Ñ Ð¸Ð½Ñ‚ÐµÑ€Ð²Ð°Ð»." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"ÐÑкои друго уÑлуги като xscreensaver, gnome-screensaver и xlockmore не могат " +"да бъдат реÑтартирани автоматично. ÐÑма да можете да Ñе идентифицирате пред " +"тези уÑлуги докато не ги реÑтартирате." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Мениджъра на диÑплеи трÑбва да бъде реÑтартиран ръчно" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Мениджърите на диÑплеи kdm, wdm и xdm трÑбва да бъдат реÑтартирани, но това би прекъÑнало активните влизаниÑ и затова тази операциÑ нÑма да бъде извършена автоматично. Преди " +"да може отново да Ñе влезе в ÑиÑтемата " +"чрез тези уÑлуги, те трÑбва да бъдат реÑтартирани ръчно." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Грешка при реÑтартиране на нÑкои уÑлуги за обновÑване на PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "Следните уÑлуги не бÑха реÑтартирани за обновÑването на PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "Ще Ñ‚Ñ€Ñбва Ñами да ги Ñтартирате чрез „/etc/init.d/<уÑлуга> start“." --- pam-0.99.7.1.orig/debian/po/templates.pot +++ pam-0.99.7.1/debian/po/templates.pot @@ -0,0 +1,79 @@ +# Debconf questions for the Linux-PAM package. +# Copyright (C) 2007 Steve Langasek <vorlon@debian.org> +# This file is distributed under the same license as the pam package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" --- pam-0.99.7.1.orig/debian/po/zh_CN.po +++ pam-0.99.7.1/debian/po/zh_CN.po @@ -0,0 +1,91 @@ +# Simplified Chinese translation for debconf templates of the pam package +# +# The original English strings (msgid) are: +# Copyright (C) 2007 Steve Langasek <vorlon@debian.org> +# The translations (msgstr) are: +# Copyright (C) 2007 Ming Hua <minghua-guest@users.alioth.debian.org> +# +# This file is distributed under the same license as the pam package. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-25 23:06-0500\n" +"Last-Translator: Ming Hua <minghua-guest@users.alioth.debian.org>\n" +"Language-Team: Debian Chinese [GB] <debian-chinese-gb@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "å› PAM 库å‡çº§è€Œéœ€è¦é‡æ–°å¯åŠ¨çš„æœåŠ¡ï¼š" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"为了使用基于这个新版本 libpam 编译的模å—,ç»å¤§éƒ¨åˆ†ä½¿ç”¨ PAM çš„æœåŠ¡éƒ½éœ€è¦è¢«é‡æ–°" +"å¯åŠ¨ã€‚请å¤æŸ¥ä¸‹é¢è¿™ä¸ªéœ€è¦é‡æ–°å¯åŠ¨çš„æœåŠ¡æ‰€å¯¹åº”çš„ init.d script 列表,script å" +"称之间以åŠè§’ç©ºæ ¼åˆ†éš”ã€‚å¦‚åˆ—è¡¨æœ‰è¯¯ï¼Œè¯·ç›´æŽ¥æ›´æ£ã€‚" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"æ— æ³•ä¸ºæ‚¨é‡æ–°å¯åŠ¨å¦‚ xscreensaverã€gnome-screensaver å’Œ xclockmore 一类的æœåŠ¡ã€‚" +"在您手动é‡æ–°å¯åŠ¨å®ƒä»¬ä¹‹å‰ï¼Œå°†æ— 法在这些æœåŠ¡ä¸éªŒè¯èº«ä»½ã€‚" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "必须手动é‡æ–°å¯åŠ¨æ˜¾ç¤ºç®¡ç†å™¨" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"由于 lipam 更新到新版本,显示管ç†å™¨ kdmã€wdm å’Œ xdm 需è¦è¢«é‡æ–°å¯åŠ¨ã€‚但是您的" +"系统上有æ£åœ¨è¿è¡Œçš„ X 登录会è¯ï¼Œè€Œå¦‚æžœé‡æ–°å¯åŠ¨æ˜¾ç¤ºç®¡ç†å™¨æœåŠ¡ï¼Œè¿™äº› X 会è¯å°±ä¼š" +"被强行结æŸã€‚å› æ¤ï¼Œæ‚¨éœ€è¦æ‰‹åŠ¨é‡æ–°å¯åŠ¨è¿™äº›æœåŠ¡ï¼Œå¦åˆ™æ‚¨å°†æ— 法å†ç™»å½•è¿› X 窗å£ç³»" +"统。" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "为 PAM å‡çº§é‡æ–°å¯åŠ¨æŸäº›æœåŠ¡å¤±è´¥" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "å‡çº§ PAM 库时,下列æœåŠ¡æ— 法被é‡æ–°å¯åŠ¨ï¼š" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "您需è¦è¿è¡Œâ€œ/etc/init.d/<æœåŠ¡> startâ€æ¥æ‰‹åŠ¨å¯åŠ¨è¿™äº›æœåŠ¡ã€‚" --- pam-0.99.7.1.orig/debian/po/ru.po +++ pam-0.99.7.1/debian/po/ru.po @@ -0,0 +1,94 @@ +# translation of ru.po to Russian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Yuri Kozlov <kozlov.y@gmail.com>, 2007. +msgid "" +msgstr "" +"Project-Id-Version: 0.99.7.1-4\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-25 20:51+0400\n" +"Last-Translator: Yuri Kozlov <kozlov.y@gmail.com>\n" +"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" +"10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "СервиÑÑ‹, которые будут перезапущены поÑле Ð¾Ð±Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ñ Ð±Ð¸Ð±Ð»Ð¸Ð¾Ñ‚ÐµÐºÐ¸ PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Чтобы задейÑтвовать новые верÑии модулей из libpam нужно перезапуÑтить " +"большинÑтво ÑервиÑов, иÑпользующих PAM. Внимательно проÑмотрите и " +"отредактируйте (еÑли необходимо) ÑпиÑок (Ñлементы разделÑÑŽÑ‚ÑÑ Ð¿Ñ€Ð¾Ð±ÐµÐ»Ð¾Ð¼) " +"Ñценариев ÑервиÑов из init.d, которые будут перезапущены." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"ЕÑÑ‚ÑŒ неÑколько ÑервиÑов, которые Ð½ÐµÐ»ÑŒÐ·Ñ Ð¿ÐµÑ€ÐµÐ·Ð°Ð¿ÑƒÑтить автоматичеÑки: " +"xscreensaver, gnome-screensaver и xlockmore. Ð’Ñ‹ не Ñможете ввеÑти правильный " +"пароль в Ñтих ÑервиÑах, пока не перезапуÑтите их вручную." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Программу входа в ÑиÑтему нужно перезапуÑтить вручную" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Ð”Ð»Ñ Ñ€Ð°Ð±Ð¾Ñ‚Ñ‹ Ñ Ð½Ð¾Ð²Ð¾Ð¹ верÑией libpam программам Ð´Ð»Ñ Ð²Ñ…Ð¾Ð´Ð° в ÑиÑтему kdm, wdm и " +"xdm требуетÑÑ Ð¿ÐµÑ€ÐµÐ·Ð°Ð¿ÑƒÑк, но Ñто прервёт вÑе запущенные X-ÑеÑÑии. ПоÑтому " +"вам нужно перезапуÑтить Ñти ÑервиÑÑ‹ вручную Ð´Ð»Ñ Ñ‚Ð¾Ð³Ð¾, чтобы можно было Ñнова " +"входить в ÑиÑтему через X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "При обновлении PAM перезапуÑк некоторых ÑервиÑов завершилÑÑ Ð½ÐµÑƒÐ´Ð°Ñ‡Ð½Ð¾" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"При обновлении библиотеки PAM не удалоÑÑŒ перезапуÑтить Ñледующие ÑервиÑÑ‹:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Вам нужно перезапуÑтить их вручную, выполнив '/etc/init.d/<ÑервиÑ> start'." --- pam-0.99.7.1.orig/debian/po/POTFILES.in +++ pam-0.99.7.1/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] libpam0g.templates --- pam-0.99.7.1.orig/debian/po/pt.po +++ pam-0.99.7.1/debian/po/pt.po @@ -0,0 +1,94 @@ +# translation of pam debconf to Portuguese +# Copyright (C) 2007 Américo Monteiro +# This file is distributed under the same license as the pam package. +# +# Américo Monteiro <a_monteiro@netcabo.pt>, 2007. +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-25 19:04+0100\n" +"Last-Translator: Américo Monteiro <a_monteiro@netcabo.pt>\n" +"Language-Team: Portuguese <traduz@debianpt.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Serviços a reiniciar para a actualização da biblioteca PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"A maioria dos serviços que usam PAM precisam ser reiniciados para usarem os " +"módulos construidos para esta nova versão do libpam. Por favor, reveja a " +"seguinte lista de scripts init.d de serviços para serem reiniciados agora " +"(separados por espaços), e corrija-a se for necessário." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"Outros serviços como o xscreensaver, gnome-screensaver, e xlockmore não " +"podem ser reiniciados para si. Você não vai poder autenticar-se nestes " +"serviços até que você os reinicie manualmente." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "O gestor de display tem que ser reiniciado manualmente" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Os gestores de display kdm, wdm, e xdm necessitam de reiniciar para a nova " +"versão de libpam, mas existem sessões de login X activas no seu sistema que " +"seriam terminadas por esta reiniciação. Então, você irá necessitar de " +"reiniciar estes serviços manualmente antes que sejam possÃveis mais logins X." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Falha ao reiniciar alguns serviços para a actualização PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Os seguintes serviços não puderam ser reiniciados para a actualização da " +"biblioteca PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Você precisa de iniciar manualmente estes serviços fazendo '/etc/init.d/" +"<service> start'." --- pam-0.99.7.1.orig/debian/po/cs.po +++ pam-0.99.7.1/debian/po/cs.po @@ -0,0 +1,106 @@ +# Czech translation of pam debconf mesages. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the pam package. +# Miroslav Kure <kurem@debian.cz>, 2007. +# +msgid "" +msgstr "" +"Project-Id-Version: pam\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-08 18:26+0200\n" +"Last-Translator: Miroslav Kure <kurem@debian.cz>\n" +"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Služby, které se majà restartovat po aktualizaci knihovny PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Aby se zaÄaly použÃvat moduly z nové verze knihovny libpam, musà se vÄ›tÅ¡ina " +"služeb použÃvajÃcÃch PAM restartovat. Zkontrolujte prosÃm následujÃcà seznam " +"služeb (init.d skriptů), které se majà nynà restartovat a v pÅ™ÃpadÄ› potÅ™eby " +"seznam opravte." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"NÄ›které služby (napÅ™. xscreensaver, gnome-screensaver a xlockmore) nemohou " +"být restartovány automaticky. Dokud je nerestartujete ruÄnÄ›, nebudete se " +"moci vůÄi nim autentizovat." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Správce displeje se musà restartovat ruÄnÄ›" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Správcové displejů kdm, wdm a xdm musà být s novou verzà libpam " +"restartováni. Restart tÄ›chto služeb by vÅ¡ak ukonÄil vÅ¡echna stávajÃcà X " +"sezenà obsluhovaná zmÃnÄ›nými správci. Protože je ve vaÅ¡em prostÅ™edà " +"nastavena promÄ›nná $DISPLAY, nebudou tyto služby nynà restartovány a budete " +"je muset restartovat ruÄnÄ›, protože do té doby nebudou použitelné." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Restartovánà nÄ›kterých služeb pÅ™i aktualizaci PAMu selhalo" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"NásledujÃcà služby nemohly být pÅ™i aktualizaci knihovny PAM restartovány:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Tyto služby budete muset spustit ruÄnÄ› pÅ™Ãkazem '/etc/init.d/<služba> start'." + +#~ msgid "" +#~ "Among the services that require restarting are the display managers kdm, " +#~ "wdm, and xdm. If you are upgrading from within an X session started with " +#~ "one of these display managers, restarting that service will terminate " +#~ "your X session. It is recommended that you remove that service from the " +#~ "list here and restart it later at your convenience." +#~ msgstr "" +#~ "Mezi službami vyžadujÃcÃmi restart jsou i správci displejů kdm, wdm a " +#~ "xdm. Aktualizujete-li z X sezenà spuÅ¡tÄ›ného nÄ›kterým ze zmÃnÄ›ných " +#~ "programů, znamená to, že restart pÅ™ÃsluÅ¡né služby ukonÄà stávajÃcà X " +#~ "sezenÃ. V takovém pÅ™ÃpadÄ› doporuÄujeme službu ze seznamu odstranit a " +#~ "restartovat pozdÄ›ji, až pro to nastane vhodnÄ›jÅ¡Ã pÅ™Ãležitost." --- pam-0.99.7.1.orig/debian/po/de.po +++ pam-0.99.7.1/debian/po/de.po @@ -0,0 +1,97 @@ +# German translation of pam debconf templates +# Copyright (C) 2007 Steve Langasek <vorlon@debian.org> +# This file is distributed under the same license as the pam package. +# Sven Joachim <svenjoac@gmx.de>, 2007. +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-04 17:08+0200\n" +"Last-Translator: Sven Joachim <svenjoac@gmx.de>\n" +"Language-Team: German <debian-l10n-german@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Neu zu startende Dienste für das Upgrade der PAM-Bibliothek:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Die meisten Dienste, die PAM verwenden, müssen neu gestartet werden, um " +"Module dieser neuen Version von libpam verwenden zu können. Bitte überprüfen " +"Sie die folgende, Leerzeichen-getrennte Liste von init.d-Skripten für " +"Dienste, die jetzt neu zu starten sind, und korrigieren Sie diese Liste " +"nötigenfalls." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"Einige andere Dienste wie xscreensaver, gnome-screensaver und xlockmore " +"können nicht automatisch neu gestartet werden. Sie werden sich gegenüber " +"diesen Diensten nicht authentifizieren können, bis Sie sie manuell neu " +"gestartet haben." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Display-Manager müssen manuell neu gestartet werden" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Die Display-Manager kdm, wdm und xdm erfordern einen Neustart für die neue " +"Version von libpam, aber diese Dienste neu zu starten würde jede unter ihnen " +"laufende X-Sitzung beenden. Weil die Variable $DISPLAY in Ihrer Umgebung " +"gesetzt ist, sind diese Dienste nicht für Sie neu gestartet worden. Sie " +"müssen sie daher von Hand neu starten, bevor Sie sie wieder nutzen können." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fehler beim Neustart einiger Dienste für das PAM-Upgrade" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Die folgenden Dienste konnten für das Upgrade der PAM-Bibliothek nicht neu " +"gestartet werden:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Sie müssen diese manuell neu starten, indem Sie »/etc/init.d/<Dienst> start« " +"ausführen." --- pam-0.99.7.1.orig/debian/po/vi.po +++ pam-0.99.7.1/debian/po/vi.po @@ -0,0 +1,106 @@ +# Vietnamese translation for PAM. +# Copyright © 2007 Free Software Foundation, Inc. +# Clytie Siddall <clytie@riverland.net.au>, 2007 +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-5\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-28 23:58+0930\n" +"Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n" +"Language-Team: Vietnamese <vi-VN@googlegroups.com>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: LocFactoryEditor 1.7b1\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Dịch vụ cần khởi chạy lại khi nâng cấp thÆ° viện PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Phần lá»›n dịch vụ sá» dụng PAM cÅ©ng cần phải được khởi chạy lại để sá» dụng các " +"mô-Ä‘un được xây dá»±ng cho phân vùng libpam má»›i nà y. Hãy xem lại danh sách " +"định giá»›i bằng dấu cách theo đây hiển thị các dịch vụ cần khởi chạy lại ngay " +"bây giá», và sá»a chữa nếu cần thiết." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"Má»™t số dịch vụ khác nhÆ° xscreensaver, gnome-screensaver, và xlockmore không " +"thể được khởi chạy lại cho bạn.Bạn sẽ không thể xác thá»±c được tá»›i dịch vụ " +"nhÆ° váºy nếu bạn chÆ°a tá»± khởi chạy lại nó." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Trình quản lý trình bà y phải được khởi chạy bằng tay" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Trình quản lý trình bà y kdm, wdm, hay xdm cần thiết được khởi chạy lại để sá» " +"dụng phiên bản má»›i của thÆ° viện libpam, nhÆ°ng việc khởi chạy lại dịch vụ nà y " +"sẽ cÅ©ng chấm dứt phiên chạy X Ä‘ang hoạt Ä‘á»™ng. Vì váºy bạn cần phải tá»± khởi " +"chạy trình quản lý trình bà y để có khả năng sá» dụng nó lại." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Lá»—i khởi chạy lại má»™t số dịch vụ để nâng cấp PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Những dịch vụ theo đây không thể được khởi chạy lại để nâng cấp thÆ° viện PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Bạn cần phải tá»± khởi chạy lại chúng bằng cách chạy lệnh « /etc/init.d/" +"<tên_dịch_vụ> start »." + +#~ msgid "" +#~ "Among the services that require restarting are the display managers kdm, " +#~ "wdm, and xdm. If you are upgrading from within an X session started with " +#~ "one of these display managers, restarting that service will terminate " +#~ "your X session. It is recommended that you remove that service from the " +#~ "list here and restart it later at your convenience." +#~ msgstr "" +#~ "Các dịch vụ cần khởi chạy lại bao gồm trình quản lý trình bà y kÄ‘m, wdm và " +#~ "xdm. Nếu bạn Ä‘ang nâng cấp từ bên trong phiên chạy X được bắt đầu bằng " +#~ "má»™t của những trình quản lý trình bà y nà y, việc khởi chạy lại dịch vụ đó " +#~ "sẽ cÅ©ng chấm dứt phiên chạy X của bạn. Khuyên bạn gỡ bá» dịch vụ đó khá»i " +#~ "danh sách ở đây, rồi khởi chạy lại nó vá» sau." --- pam-0.99.7.1.orig/debian/po/fi.po +++ pam-0.99.7.1/debian/po/fi.po @@ -0,0 +1,101 @@ +msgid "" +msgstr "" +"Project-Id-Version: pam 0.99.7.1-4\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-23 13:14+0200\n" +"Last-Translator: Esko Arajärvi <edu@iki.fi>\n" +"Language-Team: Finnish <debian-l10n-finnish@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Finnish\n" +"X-Poedit-Country: FINLAND\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Palvelut, jotka käynnistetään uudelleen PAM-kirjastoa päivitettäessä:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Useimmat PAM:ia käyttävät palvelut pitää käynnistää uudelleen libpamin uuden " +"version käyttöönottamiseksi. Tarkista seuraava välilyönnein eroteltu lista " +"niiden palveluiden init.d-komentotiedostoista, jotka käynnistetään " +"uudelleen, ja muokkaa listaa tarvittaessa." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"Joitain muita palveluita, kuten xscreensaver, gnome-screensaver ja xlockmore " +"ei voida käynnistää automaattisesti. Et voi kirjautua näihin palveluihin " +"ennen kuin olet manuaalisesti käynnistänyt ne uudelleen." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "" +"Virhe PAM:in päivityksen yhteydessä käynnistettäessä uudelleen joitain " +"palveluita" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"Seuraavia palveluita ei voitu käynnistää uudelleen PAM-kirjastoa " +"päivitettäessä:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Nämä palvelut tulee käynnistää uudelleen ajamalla '/etc/init.d/<palvelu> " +"start'." + +#~ msgid "" +#~ "Among the services that require restarting are the display managers kdm, " +#~ "wdm, and xdm. If you are upgrading from within an X session started with " +#~ "one of these display managers, restarting that service will terminate " +#~ "your X session. It is recommended that you remove that service from the " +#~ "list here and restart it later at your convenience." +#~ msgstr "" +#~ "Näytönhallintaohjelmat kdm, wdm ja xdm ovat niiden palveluiden joukossa, " +#~ "jotka tulee käynnistää uudelleen. Jos ajat päivitystä X-istunnosta, joka " +#~ "on käynnistetty jollain näistä ohjelmista, kyseisen palvelun " +#~ "käynnistäminen uudelleen lopettaa X-istuntosi. On suositeltavaa poistaa " +#~ "kyseinen palvelu listasta ja käynnistää se uudelleen myöhemmin." --- pam-0.99.7.1.orig/debian/po/es.po +++ pam-0.99.7.1/debian/po/es.po @@ -0,0 +1,136 @@ +# pam po-debconf translation to Spanish +# Copyright (C) 2007 Software in the Public Interest, SPI Inc. +# This file is distributed under the same license as the pam package. +# +# Changes: +# - Initial translation +# Javier Fernández-Sanguino <jfs@debian.org>, 2007 +# +# +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traducción al español, por favor lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish/ +# especialmente las notas y normas de traducción en +# http://www.debian.org/intl/spanish/notas +# +# - La guÃa de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Si tiene dudas o consultas sobre esta traducción consulte con el último +# traductor (campo Last-Translator) y ponga en copia a la lista de +# traducción de Debian al español (<debian-l10n-spanish@lists.debian.org>) +# +msgid "" +msgstr "" +"Project-Id-Version: pam 0.79-4\n" +"Report-Msgid-Bugs-To: vorlon@debian.org\n" +"POT-Creation-Date: 2007-09-24 17:06-0700\n" +"PO-Revision-Date: 2007-09-04 23:48+0200\n" +"Last-Translator: Steve Langasek <vorlon@debian.org>\n" +"Language-Team: Debian Spanish <debian-l10n-spanish@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-POFile-SpellExtra: kdm gnome xscreensaver xdm xlockmore wdm start init\n" +"X-POFile-SpellExtra: screensaver PAM libpam\n" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "Services to restart for PAM library upgrade:" +msgstr "Servicios a reiniciar para la actualización de la biblioteca de PAM:" + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Most services that use PAM need to be restarted to use modules built for " +"this new version of libpam. Please review the following space-separated " +"list of init.d scripts for services to be restarted now, and correct it if " +"needed." +msgstr "" +"Es necesario reiniciar la mayorÃa de los servicios que utilizan PAM para que " +"usen los módulos de esta versión de libpam. Por favor, revise la lista " +"separada por espacios mostrada a continuación que indica los servicios a " +"reiniciar ahora y corrÃjala si es necesario." + +#. Type: string +#. Description +#: ../libpam0g.templates:1001 +msgid "" +"Some other services such as xscreensaver, gnome-screensaver, and xlockmore " +"cannot be restarted for you. You will not be able to authenticate to these " +"services until you restart them manually." +msgstr "" +"Algunos servicios, como «xscreensaver», «gnome-screensaver» y «xlockmore», " +"no podrán reiniciarse. La autenticación no funcionará en estos servicios " +"hasta que los reinicie manualmente." + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +msgid "Display manager must be restarted manually" +msgstr "Debe reiniciar manualmente los gestores de pantalla" + +#. Type: error +#. Description +#: ../libpam0g.templates:2001 +#, fuzzy +msgid "" +"The kdm, wdm, and xdm display managers require a restart for the new version " +"of libpam, but there are X login sessions active on your system that would " +"be terminated by this restart. You will therefore need to restart these " +"services by hand before further X logins will be possible." +msgstr "" +"Entre los servicios que deben reiniciarse debido a la nueva versión de " +"libpam están los gestores de pantalla kdm, wdm y xdm. El reinicio de estos " +"servicios terminarÃa las sesiones de X actualmente en ejecución en su " +"sistema, asà que debe reiniciar estos servicios manualmente antes de que sea " +"posible abrir otra sesión." + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "Failure restarting some services for PAM upgrade" +msgstr "Fallo al reiniciar alguno de los servicios en la actualización de PAM" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"The following services could not be restarted for the PAM library upgrade:" +msgstr "" +"No fue posible reiniciar los servicios indicados a continuación dentro la " +"actualización de la biblioteca de PAM:" + +#. Type: error +#. Description +#: ../libpam0g.templates:3001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +"Deberá arrancar manualmente estos servicios ejecutando «/etc/init.d/" +"<servicio> start»." + +#~ msgid "" +#~ "Among the services that require restarting are the display managers kdm, " +#~ "wdm, and xdm. If you are upgrading from within an X session started with " +#~ "one of these display managers, restarting that service will terminate " +#~ "your X session. It is recommended that you remove that service from the " +#~ "list here and restart it later at your convenience." +#~ msgstr "" +#~ "Entre los servicios que deben reiniciarse están los gestores de pantalla " +#~ "kdm, wdm y xdm. El reinicio del servicio terminará su sesión de X si está " +#~ "actualizando desde una sesión de X arrancada desde alguno de estos " +#~ "gestores. Se le recomienda eliminar el servicio de la lista y reiniciarlo " +#~ "más adelante cuando lo considere oportuno." --- pam-0.99.7.1.orig/debian/changelog +++ pam-0.99.7.1/debian/changelog @@ -0,0 +1,1931 @@ +pam (0.99.7.1-5ubuntu4) hardy; urgency=low + + * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support + seusers (backported from changes in PAM 0.99.8). Without this patch + login will not get correct security context when using libselinux + >= 1.27.2 (LP: #187822). + + -- Caleb Case <ccase@tresys.com> Wed, 30 Jan 2008 06:39:48 -0500 + +pam (0.99.7.1-5ubuntu3) hardy; urgency=low + + * Temporarily reenable libpam-foreground in common-session again, until + dbus' at_console policy works with ConsoleKit. + + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 29 Nov 2007 15:17:54 +0100 + +pam (0.99.7.1-5ubuntu2) hardy; urgency=low + + * debian/local/common-session{,.md5sums}, debian/control: Drop + libpam-foreground, superseded by ConsoleKit integration into hal. + * debian/control: Build against libdb4.6 again. This drops this Debian delta + and 4.6 is our target version in Hardy. + + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 22 Nov 2007 18:56:47 +0100 + +pam (0.99.7.1-5ubuntu1) gutsy; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/control, debian/local/common-session{,md5sums}: use + libpam-foreground for session management. + - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. + The nis package handles overriding this as necessary. + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. Bound + RLIMIT_NICE from below as well as from above. Fix off-by-one error when + converting RLIMIT_NICE to the range of values used by the kernel. + (Originally patch 101; converted to quilt.) + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's + earlier behavior would correctly prompt for password on bad usernames + (LP: #139075). + - Build using db4.5 instead of db4.6. + - debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running (LP: #141309). + * debian/libpam0g.postinst: don't display a debconf warning about display + managers that need restarting when update-manager is running, instead + signal to update-notifier if a reboot is required. + + -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 23:45:24 -0700 + +pam (0.99.7.1-5) unstable; urgency=low + + * More lintian overrides, related to debconf prompting in the postinst + * Debconf translations: + - Brazilian Portuguese, thanks to Eder L. Marques <frolic@debian-ce.org> + (closes: #440385) + - Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com> + (closes: #440390, #440953, #444039) + - Bulgarian, thanks to Damyan Ivanov <dam@modsoftsys.com> + (closes: #441863) + - Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #443720) + - Simplified Chinese, thanks to Ming Hua + <minghua-guest@users.alioth.debian.org> (closes: #443924) + - Updated Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt> + - Updated Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au> + (closes: #440800) + - Updated German, thanks to Sven Joachim <svenjoac@gmx.de> + - Updated Spanish, thanks to Javier Fernández-Sanguino Peña + <jfs@debian.org> + - Updated Czech, thanks to Miroslav Kure <kurem@debian.cz> + (closes: #441325) + * Further cleanups of 007_modules_pam_unix -- don't use a global variable + for pass_min_len, don't gratuitously move the length checking into the + "obscure" checks, and internationalize the error strings. + * Stop overriding the built-in default minimum password length in + /etc/pam.d/common-password, and also drop the "max" option which has now + been obsoleted. + * Fix up the comments in /etc/pam.d/common-password to make it clear that + the options are specific to pam_unix. Closes: #414559. + * Patch 038: fix another thinko in the getline handling. Closes: #442276. + * If there are active X logins, don't restart kdm, wdm, and xdm by default; + instead, display a debconf error if they haven't been restarted. + Closes: #441843. + * Drop the local patch for Linux capabilities in pam_limits; Linux + capabilities are not generally useful in a PAM context, and the PAM + capabilities patch has been broken through much of its life. + Closes: #440130. + * -Wl,-z,defs was never enabled correctly, drop it since upstream is + already using -no-undefined + * Pass --build and --host args to ./configure as necessary, for + cross-building support. + + -- Steve Langasek <vorlon@debian.org> Fri, 28 Sep 2007 00:17:00 -0700 + +pam (0.99.7.1-4ubuntu4) gutsy; urgency=low + + * debian/libpam0g.postinst: call "reload" for all display managers + (LP: #139065). + * debian/libpam0g.postinst: only ask questions during update-manager when + there are non-default services running (LP: #141309). + + -- Kees Cook <kees@ubuntu.com> Mon, 24 Sep 2007 15:01:29 -0700 + +pam (0.99.7.1-4ubuntu3) gutsy; urgency=low + + * ubuntu-regression_fix_securetty: securetty's earlier behavior would + correctly prompt for password on bad usernames (LP: #139075). + + -- Kees Cook <kees@ubuntu.com> Wed, 12 Sep 2007 15:20:09 -0700 + +pam (0.99.7.1-4ubuntu2) gutsy; urgency=low + + * Build using db4.5 (instead of db4.6). One db4.x version less on the CD. + + -- Matthias Klose <doko@ubuntu.com> Wed, 12 Sep 2007 17:44:25 +0200 + +pam (0.99.7.1-4ubuntu1) gutsy; urgency=low + + * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes: + - debian/control, debian/local/common-session{,md5sums}: use + libpam-foreground for session management. + - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. + The nis package handles overriding this as necessary. + - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not + present there or in /etc/security/pam_env.conf. + - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t + type rather than __u8. + - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly + initialise RLIMIT_NICE rather than relying on the kernel limits. Bound + RLIMIT_NICE from below as well as from above. Fix off-by-one error when + converting RLIMIT_NICE to the range of values used by the kernel. + (Originally patch 101; converted to quilt.) + - debian/patches-applied/ubuntu-user_defined_environment: Look at + ~/.pam_environment too, with the same format as + /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) + * Dropped: + - debian/rules: bashism fixes (merged upstream). + - debian/control: Conflict on ancient nis (expired with Breezy). + - debian/libpam-runtime.postinst: check for ancient pam (expired with + Breezy). + + -- Kees Cook <kees@ubuntu.com> Wed, 05 Sep 2007 15:18:36 -0700 + +pam (0.99.7.1-4) unstable; urgency=low + + * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted + to fix the library skew, only reloaded; special-case this daemon in the + postinst and remove the mention of it from the debconf template, also + tightening the language of the debconf template in the process. + Closes: #440074. + * Add courier-authdaemon to the list of services that need to be + restarted; thanks to Micah Anderson for reporting. + * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over + garbage lines in /etc/environment and log an error, instead of failing + with an obscure error; and ignore any PAM_BAD_ITEM values returned + by pam_putenv(), since this is the expected error return when trying + to delete a non-existent var. Closes: #439984. + * Yet another thinko in hurd_no_setfsuid and in + 029_pam_limits_capabilities; this code should really be Hurd-safe at + last... + * getline() returns -1 on EOF, not 0; check this appropriately, to fix + an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl + <springl-rhosts@bfw-online.de> for the fix. Closes: #440019. + * Use ${misc:Depends} for libpam0g, so we get a proper dependency on + debconf. + * 019_pam_listfile_quiet: per discussion with upstream, don't suppress + errors about missing files or files with wrong permissions; these are + real errors that should not be buried. + * Drop the remainder of 061_pam_issue_double_free, not required for the + original bugfix. + * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that + we define CRACKLIB_DICTS in debian/rules. + * Drop patch 063_paswd_segv, superseded by a different upstream fix + * Split 047_pam_limits_chroot_string_value up between + 008_modules_pam_limits_chroot and 029_pam_limits_capabilites + * Updates to patch 007_modules_pam_unix: restore the same built-in min + password len of 6 that upstream uses; fix a typo panlindrome -> + palindrome. + * The 'max=' option was never intended to be used to limit maximum password + length for users, only to declare what the number of significant + characters /is/ for a password. But we don't need a config option to + tell us that, we know the answer based on which crypt type we're using, + so drop this as a config file option. Closes: #389197. + * Debconf translations: + - Spanish, thanks to Javier Fernández-Sanguino Peña <jfs@debian.org> + - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au> + - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #440355) + - Czech, thanks to Miroslav Kure <kurem@upcase.inf.upol.cz> + (closes: #440362) + - Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt> + (closes: #440368) + + -- Steve Langasek <vorlon@debian.org> Fri, 31 Aug 2007 17:11:05 -0700 + +pam (0.99.7.1-3) unstable; urgency=low + + * New patch limits_wrong_strncpy: fix unnecessary manipulations of string + buffers, including an illegal use of strncpy(). Thanks to Paul Hampson + for reporting. Closes: #331278. + * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the + application, instead of blocking it when misc_conv is in use and + preventing users from being able to ^C at any PAM prompt. Closes: #1708. + * 024_debian_cracklib_dict_path: default to NULL instead of a specific + dictionary path when none is defined for consistency with the new upstream + version of cracklib, and define our path in debian/rules. + * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option, + a prereq for forwarding this patch upstream. Closes: #325974. + * Create /etc/security/opasswd on new installs or on upgrades from + 0.99.7.1-2 or below, so that users that enable the remember=<n> option to + pam_unix aren't left unable to change passwords. Closes: #95324. + * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code + from compiling on the Hurd still. Thanks to Michael Banck for the catch. + * Fix a memory leak in the pam_limits capabilities patch: always + cap_free() the cap_t before returning from pam_sm_open_session(). + Closes: #153157. + * libpam0g.postinst, libpam0g.templates: on upgrades from versions + prior to 0.99.7.1-3, restart known PAM-using services so that they + get the new libpam symbols, since otherwise the newer PAM modules + will fail to load. Postinst taken from libssl0.9.8; thanks to + Christoph Martin for the fine example! Closes: #439835. + * Build-depend on po-debconf to support l10n of the debconf questions + from the above. + + -- Steve Langasek <vorlon@debian.org> Tue, 28 Aug 2007 06:33:33 -0700 + +pam (0.99.7.1-2) unstable; urgency=low + + * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz + for their extensive work in helping to prepare for this update in Debian. + Closes: #360460. + - now uses autoconf for library detection, so SELinux should not be + unconditionally enabled on non-Linux archs. Closes: #333141. + - pam_mail notice handling has been completely reworked, so there should + no longer be missing spaces in the messages. Closes: #119689. + - with libtool and autoconf, now behaves "sensibly" on unknown + platforms. Closes: #165067. + - the source now builds without warnings. Closes: #212165. + - uses automake instead of hand-rolled makefiles with indentation + bugs. Closes: #241661, #328084. + - pam_mkhomedir now creates directories recursively as needed. + Closes: #178225. + - pam_listfile now supports being used as a session module too. + Closes: #416665. + - misspelled pam_userdb log message has been corrected. Closes: #305058. + - the current pam_strerror manpage no longer mentions "Unknown + Linux-PAM error". Closes: #220157. + - the text documentation no longer uses ANSI bold sequences. + Closes: #181451. + - pam_localuser now supports being used as a session module. + Closes: #412484. + - package no longer fails to build with dash as /bin/sh. + Closes: #331208. + - All modules should now be documented in the system administrator + guide. Closes: #350620. + - pam_userdb now logs an error instead of segfaulting when no db= + option is provided. Closes: #436005. + - pam_time now warns on a missing tty instead of erroring out, + making it possible to use the module with non-console services. + Closes: #127931. + - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install + accordingly + - bump the shlibs + - the 'test.c' example no longer exists + - add /usr/share/locale to libpam-runtime. + - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an + arbitrary username, and then only when SELinux is active. + Closes: #336344. + * Mark myself as primary maintainer as previously discussed with Sam, and + add Roger as an uploader. + * Refactor to use quilt. + * Update to Standards-Version 3.7.2. + * Drop unnecessary build-dependency on patch, which is + build-essential (and no longer invoked directly). + * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus, + 018_man_fixes, 030_makefile_link_against_libpam, + 037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd, + 050_configure_in_gnu and 052_pam_unix_no_openlog, which have been + superseded upstream. + * Drop patches 005_pam_limits_099_6, + 012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes, + 048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv, + 060_pam_tally_segv and 062_c++_safe_headers, which have been integrated + upstream. + * Patch 057: SELinux support is merged upstream, leaving only an + unrelated OOM check for pam_unix_passwd. Rename as + 057_pam_unix_passwd_OOM_check. + * Patches 006, 008, 036: update for the switch from SGML to XML. + * Patch 007: update for the switch from SGML to XML; drop some log + messages that were already added upstream; update for the pam_modutil + changes; tighten the flag handling of the 'obscure' option; drop bogus + check in unix_chkpwd for null passwords. Also fix a grammar error + along the way. Closes: #362855. + * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch + pam_cracklib.c instead to use the default dictpath already available + from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead + of AC_CHECK_HEADER, so crack.h is actually included. Also remove + unnecessary string copies, which break on the Hurd due to PATH_MAX. + * Patch 038: partially merged/superseded upstream; also add new Hurd + fix for pam_xauth. + * Patch 061: partially merged upstream + * Use ${binary:Version} instead of ${Source-Version} in + debian/control. + * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm}, + debian/libpam0g.{postinst,prerm}, and + debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these + just fine without our help. + * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl + and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra, + groff, and opensp. + * Also build-depend on flex for libfl.a. + * Updates for documentation handling: + - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide, + and invoke dh_installdocs instead of installing these by hand. + - drop libpam-doc.{postinst,prerm}, which are no longer needed. + - add an install target to debian/rules, and have binary-indep depend on + it instead of trying to install doc files individually from the source + tree + - consequently, drop libpam-doc.dirs as well which is no longer needed + and no longer accurate + - add debian/libpam-doc.install for moving the docs to the right place, + and also replace libpam-runtime.files with libpam-runtime.install; + for the moment this means we're using both dh_movefiles and + dh_install... + - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further + cleaning up debian/rules + * Drop debian/libpam0g.links, no longer needed because upstream now has a + working install target which creates the library symlinks + * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so + symlinks by hand, no longer provided upstream. + * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage + belongs in section 7, not in section 8. + * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime. + * debian/patches-applied/autoconf.patch: move all changes to autotools + generated files into a single patch at the end of the stack. + - don't touch configure in debian/rules, the quilt patch takes care + of this for us. + * New patch 064_pam_unix_cracklib_dictpath: correctly define + CRACKLIB_DICTS, since this is not defined by configure. Thanks to Jan + Christoph Nordholz. + * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable + cracklib support in pam_unix. Thanks to Christoph Nordholz. + * debian/rules: + - Rename OS_CFLAGS to CFLAGS. + - kill off references to unused variables + - make binary-arch also depend on the install target, and streamline the + rules + - fix up the clean target to not ignore errors; thanks to Roger Leigh + - drop the local module_check target in favor of using -Wl,-z,defs + in LDFLAGS to enforce correct linkage of all objects at build time + * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage. + * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally + for consistency. + * Update to debhelper V5. + * Don't ship Makefiles as part of the libpam0g-dev examples. + * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages: + put all the manpages in the correct packages. Closes: #411812, + #62193, #313486, #300773, #330545, #184270. + * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything + because we aren't trying to ship empty directories in the packages + * Build-Conflict with fop, to avoid unreproducible builds of pdf + documentation from a tool in contrib. + * libpam-cracklib should depend on a real wordlist package, per policy; + use wamerican as the default. + * Drop local/pam-undocumented.7 from the package, since we no longer have + a reason to ship it + * Add lintian overrides for known false-positives + * Conflicts/Replaces/Provides libpam-umask, now included upstream. + Closes: #436222. + * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms + by hand in debian/rules. In the process, unix_chkpwd is now writable + by the owner, as expected by policy. Closes: #368100. + * Migrate from db4.3 to db4.6; once again, no administrator action should + be needed for upgrading on-disk database formats. Closes: #354309. + * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to + Laurent Bigonville for the hint. Closes: #439038. + * Add a watch file for use with uscan; thanks to Laurent Bigonville for + this patch as well. Closes: #439040. + * Rewrite of 031_pam_include, fixing a memory leak and letting us drop + patch 056_no_label_at_end; thanks to Jan Christoph Nordholz + <hesso@pool.math.tu-berlin.de> for this much-improved version! + * New patch no_pthread_mutexes: don't use pthread mutexes in + pam_modutil functions, they're not needed because pam handles + themselves should not be used concurrently by multiple threads and + using pthreads causes problems for portable linking. + * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around + using setreuid instead. + + -- Steve Langasek <vorlon@debian.org> Sun, 26 Aug 2007 19:15:09 -0700 + +pam (0.79-4ubuntu2) feisty; urgency=low + + * Remove /usr/bin/X11 from default PATH (new installs only). + + -- Colin Watson <cjwatson@ubuntu.com> Wed, 20 Dec 2006 16:14:37 +0000 + +pam (0.79-4ubuntu1) feisty; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Patch 100 (renumbered from 060): Look at ~/.pam_environment too, with + the same format as /etc/security/pam_env.conf. + - Patch 101 (renumbered from 061): Explicitly initialise RLIMIT_NICE + rather than relying on the kernel limits. Bound RLIMIT_NICE from below + as well as from above. Fix off-by-one error when converting + RLIMIT_NICE to the range of values used by the kernel. + - Add PATH to /etc/environment if it's not present there or in + /etc/security/pam_env.conf. + - debian/rules: Fix a bashism. + - Install unix_chkpwd setgid shadow instead of setuid root. The nis + package handles overriding this as necessary. + - Use pam_foreground in the default session. + - Linux-PAM/libpamc/test/regress/test.libpamc.c: Use standard u_int8_t + type rather than __u8. + + -- Colin Watson <cjwatson@ubuntu.com> Tue, 19 Dec 2006 10:32:47 +0000 + +pam (0.79-4) unstable; urgency=medium + + * Medium-urgency upload; at least one RC bugfix, but also a + significant number of changes, hence not urgency=high. + * Move libpam-modules and libpam0g to Section: libs and libpam-runtime + to section: admin, to match the overrides in the archive. + * Move old changelog entries (well, entry) that don't follow the current + format to debian/changelog.old, since there's no way to figure out a + timestamp for an 8-year-old upload, and this is the most effective + way to clear a glut of lintian warnings. + * Fix the formatting of the libpam-cracklib package description. + * Patch 010: remove parts of the patch that aren't necessary for C++ + compatibility. + * Patch 060: fix a segfault in pam_tally caused by misuse of + pam_get_data(); already fixed upstream. Closes: #335273. + * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse) + of strdup (similar to patch 059). Already fixed upstream. + Closes: #327272. + * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs. + Closes: #352329. + * Patch 005: sync pam_limits with upstream: + - support "-" (unlimited) for all limit types except process priority. + - support the additional aliases "-1", "unlimited", and "infinity" for + clearing the limits; closes: #122400, #149027. + - restrict the range of process priority, login count, and system login + count settings to (INT_MIN,INT_MAX) (heh). + - special-case RLIM_INFINITY when applying multipliers to values from + the config. + - document maxsyslogins in the default limits.conf; closes: #149883. + - use the current process priority as a default instead of resetting to + 0; closes: #241663. + - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO + settings in Linux 2.6.12 and above; closes: #313542, #313588. + - allow imposing limits on uid=0. + * Patch 027: only set RLIM_INFINITY as the default for the limits where + we know this is sensible, so that recompiling in an environment with new + limits doesn't create a security hole -- as happened with RLIMIT_NICE and + RLIMIT_RTPRIO! Thanks to Ville Hallik for the initial patch. + Closes: #388431. + * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it + actually works -- which may well be a first... Closes: #318452. + + -- Steve Langasek <vorlon@debian.org> Mon, 23 Oct 2006 05:36:08 -0700 + +pam (0.79-3.2) unstable; urgency=low + + * Non-maintainer upload to fix important bug, that makes passwd segfault + when CTRL-D is pressed at the password prompt. Applied the patch + provided by Dann Frazier. (Closes: #360657) + + -- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -0300 + +pam (0.79-3.1ubuntu1) edgy; urgency=low + + * Resynchronise with Debian. + + -- Colin Watson <cjwatson@ubuntu.com> Thu, 29 Jun 2006 17:27:34 +0100 + +pam (0.79-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Linux-PAM/libpamc/include/security/pam_client.h, + Linux-PAM/libpamc/pamc_converse.c: Apply patch from + latest upstream version to remove redefinition of internal + glibc/libstdc++ types. Closes: #344447. + + -- Roger Leigh <rleigh@debian.org> Sun, 5 Feb 2006 21:46:59 +0000 + +pam (0.79-3ubuntu14) dapper; urgency=low + + * debian/patches-applied/061_pam_rlimits_nice_rtprio: Protect use of + RLIMIT_NICE in init_limits() with an #ifdef. + + -- Colin Watson <cjwatson@ubuntu.com> Fri, 12 May 2006 17:42:40 +0100 + +pam (0.79-3ubuntu13) dapper; urgency=low + + * debian/patches-applied/061_pam_rlimits_nice_rtprio: Set soft and hard + nice limits to 20 (= userland nice value 0) rather than unlimited by + default. Correct off-by-one error (the same error as in Linux 2.6.12, + but fixed in 2.6.13) in user<->kernel translation of nice limit. + + -- Colin Watson <cjwatson@ubuntu.com> Thu, 11 May 2006 11:29:58 +0100 + +pam (0.79-3ubuntu12) dapper; urgency=low + + * debian/control: Add libpam-foreground dependency to libpam-runtime, since + the default /etc/pam.d/common-session refers to it. Closes: LP#35142 + + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 10 Apr 2006 14:42:40 +0200 + +pam (0.79-3ubuntu11) dapper; urgency=low + + [ Dana Olson ] + * debian/patches-applied/061_pam_rlimits_nice_rtprio: removed glibc + workaround now that glibc is aware of rlimits. + + [ Martin Pitt ] + * debian/rules: Fix bashisms. + + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 6 Apr 2006 15:03:37 +0200 + +pam (0.79-3ubuntu10) dapper; urgency=low + + * debian/patches-applied/061_pam_rlimits_nice_rtprio: Support "nice" and + "rtprio" rlimits, new in Linux 2.6.12. Backported from upstream thanks + to Dana Olson and others (closes: Malone #17348). + + -- Colin Watson <cjwatson@ubuntu.com> Thu, 23 Feb 2006 16:22:12 +0000 + +pam (0.79-3ubuntu9) dapper; urgency=low + + * Fix operator precedence in libpam-modules.postinst. + + -- Colin Watson <cjwatson@ubuntu.com> Thu, 16 Feb 2006 15:23:04 +0000 + +pam (0.79-3ubuntu8) dapper; urgency=low + + * Make pam_env be quiet if it can't find the user's configuration file, + since it's optional. + + -- Tollef Fog Heen <tfheen@ubuntu.com> Sat, 4 Feb 2006 16:44:12 +0100 + +pam (0.79-3ubuntu7) dapper; urgency=low + + * Add the PATH on initial install for real this time. + + -- Tollef Fog Heen <tfheen@ubuntu.com> Thu, 2 Feb 2006 20:33:42 +0100 + +pam (0.79-3ubuntu6) dapper; urgency=low + + * Changes from Roger Leigh: + + * Linux-PAM/libpamc/include/security/pam_client.h, + Linux-PAM/libpamc/pamc_converse.c: Apply patch from + latest upstream version to remove redefinition of internal + glibc/libstdc++ types. Closes: #344447. + * Linux-PAM/libpamc/test/regress/test.libpamc.c: Also switch to standard + types; not taken from upstream. + + -- Reinhard Tartler <siretart@ubuntu.com> Wed, 1 Feb 2006 13:14:24 +0000 + +pam (0.79-3ubuntu5) dapper; urgency=low + + * Add pam_foreground to /etc/pam.d/common-session + + -- Matthew Garrett <mjg59@srcf.ucam.org> Tue, 24 Jan 2006 02:26:19 +0000 + +pam (0.79-3ubuntu4) dapper; urgency=low + + * Add PATH on initial install, too. + + -- Tollef Fog Heen <tfheen@ubuntu.com> Mon, 23 Jan 2006 15:55:40 +0100 + +pam (0.79-3ubuntu3) dapper; urgency=low + + * Add PATH to /etc/environment if it's not present there or in + /etc/security/pam_env.conf and we are upgrading from a version which + didn't add it. + + -- Tollef Fog Heen <tfheen@ubuntu.com> Tue, 17 Jan 2006 15:54:01 +0100 + +pam (0.79-3ubuntu2) dapper; urgency=low + + * Look at ~/.pam_environment too. Same format as + /etc/security/pam_env.conf. The patch is recorded as + patches-applied/060_pam_env_per_user + + -- Tollef Fog Heen <tfheen@ubuntu.com> Tue, 17 Jan 2006 15:32:55 +0100 + +pam (0.79-3ubuntu1) dapper; urgency=low + + * Resynchronise with Debian. + + -- Colin Watson <cjwatson@ubuntu.com> Mon, 21 Nov 2005 12:15:44 +0000 + +pam (0.79-3) unstable; urgency=low + + * Patch 059 + - Fix a segfault in pam_userdb when the new "crypt=" option + is unset, as will be the case for all existing users; already fixed + upstream. Closes: #330829. + - Fix a memory leak in the same code due to gratuitous strdup()s. + * Further regression in pam_env: don't treat a missing /etc/environment + as a fatal error, either. Amend patch 058 accordingly. Closes: #330852. + + -- Steve Langasek <vorlon@debian.org> Fri, 30 Sep 2005 01:17:53 -0700 + +pam (0.79-2) unstable; urgency=low + + The ".c.o: rm -rf $@" release + * Fix debian/rules so that make clean doesn't remove ./configure when the + timestamp on configure.in is newer (!). + * Switch pam_userdb from db3 to db4.3, which according to the libdb + maintainers should require no manual intervention for upgrading on-disk + database formats. Closes: #165068. + * Patch 058: yes, of course we want to read /etc/environment by + default. Grr! Revert upstream change which disables this for no + apparent reason (closes: #330458). + * Tweak selinux rootok code to use the version of the function call that + doesn't pollute namespace + + -- Steve Langasek <vorlon@debian.org> Tue, 27 Sep 2005 02:44:36 -0700 + +pam (0.79-1) unstable; urgency=low + + * New upstream version (closes: #284954, #300775). + - includes some fixes for typos (closes: #319026). + - pam_unix should now be LSB 3.0-compliant (closes: #323982). + - fixes segfaults in libpam on config file syntax errors + (closes: #330097). + * Drop patches 000_bootstrap, 004_libpam_makefile_static_works, + 011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes, + 025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set, + 033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE, + 035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required, + 041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors, + 051_32_bit_pam_lastlog_ll_time, and + 053_pam_unix_user_known_returns_user_unknown which have been + integrated upstream. + * Merge one last bit of patch 053 into patch 043, where it should have + been in the first place + * Patch 057: SELinux support: + - add support to pam_unix for copying SELinux security contexts when + writing out new passwd/shadow files and creating lockfiles + - support calling unix_chkpwd if opening /etc/shadow fails due to + SELinux permissions + - allow unix_chkpwd to authenticate for any user when in an SELinux + context (hurray!); we depend on SELinux policies to prevent the + helper's use as a brute force tool + - also support querying user expiration info via unix_chkpwd + - misc cleanup: clean up file descriptors when invoking unix_chkpwd + (closes: #248310) + - make pam_rootok check the SELinux passwd class permissions, not just + the uid + - add new pam_selinux module (closes: #249499) + * Build-depend on libselinux1-dev. + * Fix pam_getenv, so that it can read the actual format of /etc/environment + instead of trying to read it using the syntax of + /etc/security/pam_env.conf; thanks to Colin Watson for the patch. + Closes: #327876. + * Set LC_COLLATE=C when using alphabetic range expressions in + debian/rules; bah, so *that's* what kept happening to my README file + when trying to build out of svn! Closes: #295296. + * Add a reference to the text of the GPL to debian/copyright. + + -- Steve Langasek <vorlon@debian.org> Sun, 25 Sep 2005 22:08:20 -0700 + +pam (0.76-23) unstable; urgency=low + + * Fix Gcc 3.4 compilation, Closes: #259634 + * Note that pam.conf is not read if /etc/pam.d exists, Closes: #248928 + * Fix typo in pam_env.conf, Closes: #277633 + + -- Sam Hartman <hartmans@debian.org> Sun, 10 Jul 2005 16:42:25 -0400 + +pam (0.76-22ubuntu3) breezy; urgency=low + + * Fix pam_getenv, which never worked: + - Parse /etc/security/pam_env.conf using its own syntax, and then + /etc/environment using its own syntax rather than the syntax of + /etc/security/pam_env.conf. + - 'my $val' was used in an incorrect scope; fixed. + - Exit non-zero if the requested environment variable is not found. + + -- Colin Watson <cjwatson@ubuntu.com> Mon, 12 Sep 2005 18:32:54 +0100 + +pam (0.76-22ubuntu2) breezy; urgency=low + + * debian/rules: Install unix_chkpwd setgid shadow instead of setuid root. + This only breaks when using NIS lookups, therefore the new nis package + dpkg-statoverrides it back to setuid root while being installed. + (Debian #155583, http://udu.wiki.ubuntu.com/ProactiveSecurityRoadmap) + * debian/control: Added conflict to nis (<< 3.13-3ubuntu1): This is the + version that corrects the permissions for usage with NIS. + + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 17 Jun 2005 12:34:23 +0200 + +pam (0.76-22ubuntu1) breezy; urgency=low + + * Fix FTBFS with gcc-3.4 (closes: #259634). Ubuntu 9037. + + -- Matthias Klose <doko@ubuntu.com> Wed, 4 May 2005 18:14:51 +0200 + +pam (0.76-22) unstable; urgency=medium + + * Add uploaders + * Document location of repository + * Fix options containing arguments in pam_unix, Closes: #254904 + + -- Sam Hartman <hartmans@debian.org> Mon, 28 Jun 2004 14:28:08 -0400 + +pam (0.76-21) unstable; urgency=medium + + * Fix patch 055 again because -20 was broken and didn't actually fix the + problem. + + -- Sam Hartman <hartmans@debian.org> Tue, 4 May 2004 21:37:38 -0400 + +pam (0.76-20) unstable; urgency=medium + + * Update to patch 55 to only check securetty when we are sure the + password is null, Closes: #243698 + * Medium urgency because the version now in testing has confusing and + verbose log messages. + * Include pam_getenv script which hopefully will be used by some people + somewhere for some purpose + + -- Sam Hartman <hartmans@debian.org> Wed, 28 Apr 2004 22:51:18 -0400 + +pam (0.76-19) unstable; urgency=low + + * Oops, too busy testing the upgrade from woody to make sure the upgrade + from -16 to -18 worked. Thanks to all those who reported, + Closes: #243413 + + -- Sam Hartman <hartmans@debian.org> Tue, 13 Apr 2004 16:08:54 -0400 + +pam (0.76-18) unstable; urgency=low + + * Manipulate conffiles to avoid unnecessary prompt in woody to sarge + upgrade, Closes: #218318 + + -- Sam Hartman <hartmans@debian.org> Sat, 10 Apr 2004 18:10:35 -0400 + +pam (0.76-17) unstable; urgency=low + + * common-password now includes length restrictions and cracklib + examples, Closes: #227681, #237537 + * Patch 054: abstract out the logic from pam_securetty to determine if a + tty is in /etc/securetty into a library function + * Patch 55: Add nullok_secure option to pam_unix. If set, then null + passwords are accepted from terminals in /etc/securetty. + * common-auth now includes nullok_secure, Closes: #228114 + + + -- Sam Hartman <hartmans@debian.org> Sun, 4 Apr 2004 23:10:11 -0400 + +pam (0.76-16) unstable; urgency=low + + * Patch 51 from the x86-64 folks to support 32-bit ll_time in + pam_lastlog even if time_t is 64-bits + * Don't call openlog in pam_unix (patch 52), Closes: #213566 + * Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506 + + -- Sam Hartman <hartmans@debian.org> Tue, 23 Mar 2004 22:26:04 -0500 + +pam (0.76-15) unstable; urgency=low + + * Fix description of libpam-runtime, Closes: #209755 + * Fix description of libpam-cracklib, Closes: #210014 + * Depend on libc6-dev|libc-dev not libc6-dev, Closes: #212354 + * Clean up binaries, Thanks Russell, Closes: #212158 + * Depend on sufficiently new cracklib2-dev, Closes: #214092 + * Treate GNU/* as GNU for OS variable to make pam_limits compile, + (patch 050) Closes: #220980 + * No longer build-depend on latex2html, Closes: #221318 + * Allow : in tty specification for pam_group, (patch 048) Closes: #220439 + * Pull in locking patch from Linux-PAM CVS; this ended up causing + 021_pam_nis_locking to be reworked and that patch now no longer + contains locking fixes, but just NIS cleanup in general. See + 049_pam_unix_sane_locking for the locking changes, Closes: #220158 + + -- Sam Hartman <hartmans@debian.org> Mon, 12 Jan 2004 02:23:59 -0500 + +pam (0.76-14) unstable; urgency=low + + * Pull in NMU diff from 13.1, Closes: #186011 + * Split out common-password into its own file, Closes: #207497 + * Make other a conffile again and update to @include stuff + * Add missing symlink, Closes: #196605 + * Remove undocumented manpages + * Update PAM mini-policy + + -- Sam Hartman <hartmans@debian.org> Mon, 1 Sep 2003 18:08:54 -0400 + +pam (0.76-13.1) unstable; urgency=low + + * NMU with maintainer's permission. + * Add three new config files (/etc/pam.d/common-{auth,account,session}) + to libpam-runtime. Other packages which depend on libpam-runtime + can now @include these files from their own PAM configs. + * Convert /etc/pam.d/other from a conffile to a non-conffile config + file. Closes: #186011. + * Remove empty libpam-runtime.prerm script (debhelper will autocreate if needed) + + -- Steve Langasek <vorlon@debian.org> Tue, 19 Aug 2003 19:41:03 -0500 + +pam (0.76-13) unstable; urgency=low + + * Nope, that dependency didn't work, so let's remove it. If we run into other module versioning issues, I now have an arm build environment to debug with. Closes: #198618 + + -- Sam Hartman <hartmans@debian.org> Mon, 7 Jul 2003 00:22:34 -0400 + +pam (0.76-12) unstable; urgency=low + + * Fix group.conf example, (patch 046) Closes: #197080 + * Ignore module return value in jumps, (patch 045) Closes: #176693 + * Accept string value for chroot limit, thanks Andrei Pelinescu-Onciul, + Patch (047), Closes: #196903 + * Depend on libpam-modules instead of conflicting with older versions. + This creates a circular dependency between libpam0g and + libpam-modules. James says this works fine; we hope he's right. + Closes: #196949 + -- Sam Hartman <hartmans@debian.org> Sat, 21 Jun 2003 17:19:29 -0400 + +pam (0.76-11) unstable; urgency=low + + * Don't allow db4 to satisfy build-depends because it doesn't actually + work, and sometimes building with it would be wrong. + * Don't depend on libpcap-dev on Debian BSD + * Conflict with old libpam-modules, Closes: #191906 + * Incorrect username should not be logged at alert (patch 43), + Closes: #175900 + * Patch to support FreeBSD (patch 44, thanks Robert), Closes: #191906 + + -- Sam Hartman <hartmans@debian.org> Sat, 31 May 2003 19:55:26 -0400 + +pam (0.76-10) unstable; urgency=low + + * Don't double list conffiles, Closes: #190954 + * Only install example sources not executables, Closes: #185286 + * Display correct directory in error message for pam_mkhomedir, patch + 042 thanks to Akira TAGOH, Closes: #165240 + * Don't log EPERM when setting NOFILE limit as Linux doesn't let you + set that to -1, Closes: #180310 + * Add newline to end of distributed time.conf, Closes: #172229 + * Up our standards version and support noopt in DEB_BUILD_OPTIONS + + -- Sam Hartman <hartmans@debian.org> Sat, 3 May 2003 22:28:37 -0400 + +pam (0.76-9) unstable; urgency=low + + * Fix pam_rhosts hurd patch so it actually works, Closes: #172914 + * Fix patch 040 not to clobber errno when logging the error fails, + Closes: #172186 + * Fix dependency for linuxdoc-tools, Closes: #173097 + + -- Sam Hartman <hartmans@debian.org> Sun, 15 Dec 2002 17:10:58 -0500 + +pam (0.76-8) unstable; urgency=low + + * Have makefile appropriately depend on bootstrap-libpam + * Install pam minipolicy, Closes: #167798 + * Don't segfault if ttyname is null; this avoids the segfault but does + not actually make pam_issue useful for ssh. I believe the way + pam_issue works is fundamentally incompatible with what sshd expects + from PAM (patch 037), Closes: #153152 + * We actually fixed passwords containing , in 0.76-6, but failed to + document it. They do work, Closes: #164713 + * Note that /etc/pam.d/other is a fall back for each service + * Patches from Michal 'hramrach' Suchanek" <hramrach_l@centrum.cz> to + make HURD work, Closes: #165066 (patch 038 and 039) + * Don't depend on gs and other doc prep tools for build-depends, just + build-depends-indep, Closes: #165065 + * Patch from Eric Anderson <anderse@hpl.hp.com> to log failures of + setrlimit (patch 040), Closes: #169836 + * Build pam_limits on hurd, Closes: #165190 + + -- Sam Hartman <hartmans@debian.org> Sun, 24 Nov 2002 22:04:28 -0500 + +pam (0.76-7) unstable; urgency=low + + * Fix handling of pam_ignore in case where we're skipping modules; + update to patch 034 + + -- Sam Hartman <hartmans@debian.org> Sun, 20 Oct 2002 21:49:22 -0400 + +pam (0.76-6) unstable; urgency=low + + * The "No, I don't think I actually want any of what upstream is + smoking" release + * If this were already in testing, this would be an severity emergency + upload + * pam_unix currently treats * in shadow file as no password not + disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659 + * OK, I think this actually fixes the rest of the manpage symlinks, + Closes: #163839, #164298 + * You don't want to use getlogin for pam_wheel because utmp may be wrong or for xterm have no entry, pull forward patch from the 0.72 packages (patch 036), Closes: #163787 + + -- Sam Hartman <hartmans@debian.org> Tue, 15 Oct 2002 10:44:56 -0400 + +pam (0.76-5) unstable; urgency=low + + * Fix library links from 0.75 to 0.76 + * Ignore PAM_IGNORE in _pam_dispatch_aux (patch 34), Closes: #163841 + * Fix man page symlinks, Closes: #163839 + + -- Sam Hartman <hartmans@debian.org> Fri, 11 Oct 2002 01:08:06 -0400 + +pam (0.76-4) unstable; urgency=low + + * Upstream correctly states that one should use gcc not ld when + linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711 + + * Remove experimental warning from readme, Closes: 163742 + + -- Sam Hartman <hartmans@debian.org> Mon, 7 Oct 2002 23:45:53 -0400 + +pam (0.76-3) unstable; urgency=low + + * Oops, let's try building -fpic. This currently builds everything + -fpic which is somewhat wrong, but doing more than that requires + significant build system hacking (touch every makefile for dynamic + objects), so it will wait, Closes: #163600 + + -- Sam Hartman <hartmans@debian.org> Sun, 6 Oct 2002 23:33:12 -0400 + +pam (0.76-2) unstable; urgency=low + + * Link against appropriate libraries so we find the symbols we need, + Closes: #162175 + * The if everyone's going to complain when I upload broken software to + experimental release, I might as well upload to unstable and give them + something worth actually complaining about release. + * Also the remove the scourge of dbs release + * Include patch 034 from the 0.72 packages, meaning that we've included + all the patches we need before release + * Reject the patch to pam_wheel as I cannot find out what reasonable + thing it was trying to do and it seemed broken + * libpam-cracklib should depend on wordlist so it actually works; + thanks Olaf Meeuwissen, + Closes: #112965 + * Merge build-depends and build-depends-indep because I'm a bad person + and was too lazy to make docs build in a separate pass. I'll deal in + a few versions. + + -- Sam Hartman <hartmans@debian.org> Sun, 6 Oct 2002 18:52:13 -0400 + +pam (0.76-1) experimental; urgency=low + + * New upstream version + * Upstream includes fix to not break cron, Closes: 160566 + * New Upstream correctly handles priority < 0 for pam_limits, Closes: #126251 + * .cvsignores removed, Closes: #159961 + + -- Sam Hartman <hartmans@debian.org> Sun, 22 Sep 2002 16:11:35 -0400 + +pam (0.75-3) experimental; urgency=low + + * Apply patch 027 pam_limits so that we initialize to wide open not + current limits. + * In pam_mail, don't complain about deleting environment variable if + we never set it, Closes: #58429 + * Don't set default max procs limit in pam_limits, Closes: #116874 + * libpam-runtime now arch all since it has no arch-specific files, + Closes: #132545 + * Update mini policy to reflect confusion on debian-devel + + -- Sam Hartman <hartmans@debian.org> Tue, 16 Jul 2002 09:30:50 -0400 + +pam (0.75-2) experimental; urgency=low + + * Fix pam_userdb to build and to build against db3, fixes patch 020 + * Fix upstream makefile so pam_group has valid configuration, closes: #148657 + * time.conf reference to logoutd removed, closes: #143801 + * The static library contains all the appropriate symbols in this + version. You may find the complete lack of PAM modules somewhat + frustrating; currently the static pam library is only useful if you + register your own modules. Fixing this would require annoying hacking + on the upstream build system, closes: #103495 + * unix_chkpwd.8 typo fixes thanks to dancer@anthill.echidna.id.au, + Closes: #139949 + * Since we're working on the new upstream version, we also have the new docs, closes: #147763 + * Patch from Martin Schwenke <martin@meltin.net> to only change + passwords in pam_unix when they exist in the password file; hopefully + does not break NIS, closes: #135990 + * Another patch from Martin to return PAM_USER_UNKNOWN if we ever + actually do get into the password changing routine only to find that + we have no password to change, closes: #135604 + * .cvsignore no longer installed, closes: #120795 + * We're using debhelper 3, just in time to be obselete, Closes: #93414 + + -- Sam Hartman <hartmans@debian.org> Sat, 8 Jun 2002 18:04:40 -0400 + +pam (0.75-1) experimental; urgency=low + + * Preliminary test packages + * New upstream version + * Hopefully works mostly the same as 0.72 except for upstream bug + fixes and for the fact that pam_limits is fairly broken right now. + * If it breaks you are lucky if you get to keep both pieces release. + + -- Sam Hartman <hartmans@debian.org> Sat, 25 May 2002 22:57:57 -0400 + +pam (0.72-35) unstable; urgency=medium + + * Fix like_auth to make libpam-krb5 and libpam-heimdal actually useful, + patch from RISKO Gergely , closes: #126251 + + -- Sam Hartman <hartmans@debian.org> Mon, 21 Jan 2002 15:20:22 -0500 + +pam (0.72-34) unstable; urgency=medium + + * Note that HOME may not be useful in pam_environment, closes: #109281 + * Don't smash case domains (groups/users) in pam_limits, closes: #119893 + * Remove double the from description, closes: #107705 + * Fix typo on mail message, closes: #119689 + * Medium since these are small fixes that should go into woody + + -- Sam Hartman <hartmans@debian.org> Fri, 23 Nov 2001 21:24:20 -0500 + +pam (0.72-33) unstable; urgency=low + + * Fix pam_mail to look in /var/mail not /var/spool/mail, thanks mjb. + + -- Sam Hartman <hartmans@debian.org> Thu, 11 Oct 2001 15:44:32 -0400 + +pam (0.72-32) unstable; urgency=medium + + * This should probably get into testing before freeze; medium. + * Patch from Volker Stolz to fix bug in previous pam_group patch, + closes: #111854 + + -- Sam Hartman <hartmans@debian.org> Sat, 22 Sep 2001 06:32:29 -0400 + +pam (0.72-31) unstable; urgency=low + + * Add support for credential reinitialization in pam_group, closes: #108697 + + -- Sam Hartman <hartmans@debian.org> Fri, 31 Aug 2001 13:16:39 -0400 + +pam (0.72-30) unstable; urgency=low + + * Include patch from robbe@orcus.priv.at to build pam_limits on hurd, + closes: #103556 + * Start installing limits.conf for hurd (may not work quite right) + + -- Sam Hartman <hartmans@debian.org> Mon, 16 Jul 2001 09:35:51 -0400 + +pam (0.72-29) unstable; urgency=low + + * Correctly declare uint32 type for ia64, closes: #104584 + + -- Sam Hartman <hartmans@debian.org> Sat, 14 Jul 2001 01:30:39 -0400 + +pam (0.72-28) unstable; urgency=low + + * Fix scanf string so pam_limits chroot works, closes: #100812 + * Only log unknown user at warning, not alert, closes: #95220 + * By default do complete matches not substring matches for pam_time. + You can include explicit wildcard for substring, closes: #66152 + + -- Sam Hartman <hartmans@debian.org> Tue, 3 Jul 2001 17:31:45 -0400 + +pam (0.72-27) unstable; urgency=low + + * Fix typo in last patch + + -- Sam Hartman <hartmans@debian.org> Mon, 25 Jun 2001 18:27:42 -0400 + +pam (0.72-26) unstable; urgency=low + + * Block SIGCHLD when calling unix password verification program, patch from mdz@debian.org, fixes pam part of #97977 + + -- Sam Hartman <hartmans@debian.org> Mon, 25 Jun 2001 08:47:12 -0400 + +pam (0.72-25) unstable; urgency=medium + + * Depend on opensp, working around #89063, closes: #100125 + * This is urgency medium to get docs back into testing. + + -- Sam Hartman <hartmans@debian.org> Fri, 8 Jun 2001 11:44:12 -0400 + +pam (0.72-24) unstable; urgency=low + + * New NIS double locking and root password patch from Philippe Troin + <phil@fifi.org>, fixes bug in unreleased patch submitted for + 0.72-23. Also improves changing root password so it does something; + ongoing discussion on whether this is right. + + -- Sam Hartman <hartmans@debian.org> Mon, 21 May 2001 08:06:05 -0400 + +pam (0.72-23) unstable; urgency=low + + * Patch from Benoit Gaussen <ben@trez42.net> , Don't trim from , to end + of string in user input, only trim from salt + grabbed from passwd file, closes: #96779 + * Fix NIS double locking, closes: #96736 + + -- Sam Hartman <hartmans@debian.org> Wed, 16 May 2001 15:46:34 -0400 + +pam (0.72-22) unstable; urgency=low + + * Fix pam.8 to be pam.7, closes: #92874 + + -- Sam Hartman <hartmans@debian.org> Tue, 17 Apr 2001 23:04:04 -0400 + +pam (0.72-21) unstable; urgency=low + + * Don't depend on libcap for hurd, closes: #91998 + * Don't list scurity/limits.conf as a conffile for hurd + + -- Sam Hartman <hartmans@debian.org> Mon, 9 Apr 2001 12:30:18 -0400 + +pam (0.72-20) unstable; urgency=low + + * Install pam-undocumented in -runtime not -dev, closes: #93063 + * Mark pam-runtime as replacing files from -dev in case you installed + -19 and have pam-undocumented in the wrong place + + -- Sam Hartman <hartmans@debian.org> Fri, 6 Apr 2001 06:38:15 -0400 + + + +pam (0.72-19) unstable; urgency=low + + * New maintainer, closes: #92353 + * Install pam-undocumented; somehow it was not installed in -18 + + -- Sam Hartman <hartmans@debian.org> Wed, 4 Apr 2001 21:32:17 -0400 + +pam (0.72-18) unstable; urgency=low + + * pam_securetty: log failed tty checks. Normally this was only done if + the "debug" option was on...do it regardless now, closes: #89390 + * Get rid of log message for when "root" is not applied to group checks. + closes: #88825 + * Add quiet option to pam_listfile, closes: #84428 + * pam(8) should be pam(7), pam.conf(8) should be pam.conf(5), closes: + #89322 + * Added groff to Build-Depends-Indep, closes: #88794 + + -- Ben Collins <bcollins@debian.org> Sun, 25 Mar 2001 21:40:32 -0500 + +pam (0.72-17) unstable; urgency=low + + * Fixed login in pam_limits where the max logins could be ignored. + + -- Ben Collins <bcollins@debian.org> Fri, 9 Mar 2001 09:14:48 -0500 + +pam (0.72-16) unstable; urgency=low + + * New pam limits cap patch from Topi Miettinen + <Topi.Miettinen@koti.tpo.fi>, closes: #88401, #88406, #88525, #88399, + #86197 + * pwdb no longer used, closes: #59917 + * fix patch 023 for gethostbyname build failure, closes: #86156 + * Make sure unix_chkpwd gets installed as suid root, closes: #88519 + * Fix whatis parse of manpages, closes: #86203 + * pam_listfile, fix arg parsing when arg does not contain '=', closes: + #86070 + + -- Ben Collins <bcollins@debian.org> Sun, 4 Mar 2001 22:45:58 -0500 + +pam (0.72-15) unstable; urgency=low + + * Doh, added build-depends for libcap, closes: #85352 + * Change section of libpam-cracklib from admin to libs to match + overrides. + + -- Ben Collins <bcollins@debian.org> Fri, 9 Feb 2001 09:06:40 -0500 + +pam (0.72-14) unstable; urgency=low + + * Added fix to pam_access for gethostname decleration. closes: #82100 + * Just name the lib/security directory instead of all the modules + seperately for dh_movefiles. closes: #76119 + * Fix pam_env corruption, closes: #66849, #77229 + * Add patch to allow recursive /etc/skel copy in pam_mkhomedir, closes: + #67211 + * remove dh_suidregister call, added conflict for old suidregister + package + * Applied patch for Linux capabilities in pam_limits, closes: #74176 + * pam_issue.so works for me, without segv, and even with escapes. This + is with login. Note, things like pam_issue do not work with ssh simply + because ssh is not able to work in that way (does not support + arbiitrary conversations). So if you want it to work there, file a bug + on ssh, not on libpam-modules. closes: #77228 + * unix_chkpwd: check for NULL password, closes: #69960 + + -- Ben Collins <bcollins@debian.org> Thu, 8 Feb 2001 11:06:03 -0500 + +pam (0.72-13) unstable; urgency=low + + * Fix grammar in pam_source.sgml, closes: #78959 + * pam_undocumented.7: Fix escaped 's, closes: #75987 + * Fix build ordering, closes: #71442, #80397, #77017 + * Applied Hurd patch, closes: #76119 + * Use gcc for linking, not ld. closes: #71941 + * Pretty sure this was fixed, closes: #67172 + * Applied spealang fixes to Debian-mini-policy. closes: #80249 + * Applied patch to allow devfs style terminal devices with pam_group, + closes: #77661 + * Could not reproduce, even using md5 passwords. User, if you still have + * this problem, you need to tell me with what service (login, which I + tested, sshd, telnet, etc...) and also send me the entire pam.d file + for that service. closes: #76087 + * Fixed awhile back, closes: #72858 + * Closing this since I am not going to include any modules in this + package that aren't in upstream. If someone else wants to package + these modules seperately, they can do so. closes: #69550 + * For correct usage, pam_wheel.so should be used with "sufficient" and + not "required". This is documented. If you use "required", then you + must also use the "trust" option, but that doesn't give you the + results you want. closes: #76236 + + -- Ben Collins <bcollins@debian.org> Sun, 31 Dec 2000 05:38:23 -0500 + +pam (0.72-12) frozen unstable; urgency=low + + * Recompile against db2 for glibc change + * Add db2 to build-deps + + -- Ben Collins <bcollins@debian.org> Wed, 27 Sep 2000 12:08:11 -0400 + +pam (0.72-11) frozen unstable; urgency=low + + * Removed all traces of pwdb in packages. libpwdb has been removed from + the archive. This means that the pam_pwdb and pam_radius modules are + no longer available (from the libpam-pwdb package). + * doc/modules/pam_wheel.sgml: Really spell out that being a member of a + group meands the user is listed in /etc/group, closes: #69242 + * doc/*: s/PAM_AUTHOK_RECOVERY_ERR/PAM_AUTHOK_RECOVER_ERR/g, + closes: #64473 + * pam_wheel: PAM does not distinguish it, the libc calls make the + distinction. The users gid is returned in their passwd info, while + getgrent() returns only the members of the group listed in /etc/group. + This is ok, because if it's really that important, you can actually + have it in both places. The fact that it's documented should suffice + in making this clear, closes: #69236 + * Sorry, but seperate modules generally need to be packaged seperately. + I don't want to overload this package with everyone's pet module, so I + have to put my foot down, closes: #61759 + * Actually, I'm going to move in Woody to make packages depend more on + the defaults in /etc/pam.d/other, so that admins have less to + maintain. For one, all packages should not have a password service + listed, closes: #70000 (YAY! I got the 70k rollover bug number!) + * Sorry, I can't include this. "," is a legitimate char in a password + salt/hash. If you can code up something that is super intelligent + about lenghts of the field, I can go for it, maybe, closes: #59459 + * modules/pam_limits: Added chroot feature patch, closes: #61090 + * modules/pam_access: Allow last field to contain ':', closes: #67291 + * modules/pam_limits: Allow explicit limits for root, closes: #62448 + * modules/pam_unix: Do not zero old/new password fields, libpam does + this itself, and doing so in the module breaks stacking, + closes: #66270 + * modules/pam_group: Allow alpha *and* numeric in tty field (duh), + closes: #63752 + * modules/pam_access: Enable NIS, closes: #64854 + * libpam0g-dbg: removed, useless anyway + + -- Ben Collins <bcollins@debian.org> Wed, 30 Aug 2000 18:39:32 -0400 + +pam (0.72-10) frozen unstable; urgency=low + + * Update build depends + * Fixed logic for showing non-existent user names when auth failed in + pam_unix.so, closes: #67786 (thanks to Jim Breton for being patient in + helping track this down). It would sometimes show them, even if we + didn't want to. + + -- Ben Collins <bcollins@debian.org> Thu, 27 Jul 2000 09:17:08 -0400 + +pam (0.72-9) frozen unstable; urgency=low + + * pam_unix: do not call obscure_msg() of pass_old is NULL, + closes: #65321 + * pam_access: check for from[0] == '\0' so that tty logic is actually + used, closes: #65401 + + -- Ben Collins <bcollins@debian.org> Wed, 14 Jun 2000 11:38:35 -0400 + +pam (0.72-8) frozen unstable; urgency=low + + * Build depends added in previous version, closes: #60817, #61439 + * Allow use of ":0" in group.conf, closes: #61966 + * Added syslog entry to notify that a user succesfully changed their + password, closes: #61724 + * Make pam_unix compatible with HP-UX style NIS+ password information, + patch from ldaffner@rsn.hp.com, closes: #61942 + * If "audit" is not enabled, don't let pam_unix print the names of + unknown users for auth attempts, closes: #61942 + * Fixed ttyname() parsing in pam_access to match that of the old shadow + access.conf s,/dev/,, closes: #61644 + * Set some sane defaults for pam_limits.so instead of carrying over + potentially bad defaults, patch from Peter Paluch + <peterp@frcatel.fri.utc.sk> closes: #63230 + * Allow explicit (e.g. specified specifically for) limits for root, + patch from Topi Miettinen <Topi.Miettinen@nic.fi>, closes: #62448 + * Added information to time.conf about logoutd, which is now enabled via + this file. + * cracklib maintainer claims this isn't a bug, closes: #54180 + * fixed control syntax handling which was causing segfaults, closes: #62237 + + -- Ben Collins <bcollins@debian.org> Sat, 29 Apr 2000 11:39:59 -0400 + +pam (0.72-7) frozen unstable; urgency=low + + * pam_limits: fix parsing of users which explicitly removes limits, + closes: #59911, #60287 + * Added build-depends + + -- Ben Collins <bcollins@debian.org> Mon, 20 Mar 2000 16:06:28 -0500 + +pam (0.72-6) frozen unstable; urgency=low + + * Remove conflict for libpam0g-util from libpam0g and put it in + libpam-runtime. This should fix a problem with upgrades that apt + experiences, closes: #58677 + + -- Ben Collins <bcollins@debian.org> Mon, 28 Feb 2000 14:05:28 -0500 + +pam (0.72-5) frozen unstable; urgency=low + + * Added obscure password checks to pam_unix. Required for shadow to be + able to emulate the pre-PAM setup (referenced in a bug on passwd). + * Applied patch from #57800 to fix NIS/NIS+ shadow accounting checks, + closes: #57800, #58164 + * Fixed two typos in the PAM System Administrators Guide, + closes: #56578, #56587 + + -- Ben Collins <bcollins@debian.org> Mon, 28 Feb 2000 10:58:09 -0500 + +pam (0.72-4) frozen unstable; urgency=low + + * unix_chkpwd: check for NULL on stdin aswell as 0 reads, closes: #56375 + * pam_unix/Makefile: removed bashism, closes: #56370 + * fixed in shadow upload, closes: #49832 + + -- Ben Collins <bcollins@debian.org> Sat, 29 Jan 2000 00:27:28 -0500 + +pam (0.72-3) unstable; urgency=low + + * Added cpluplus wraps in all the headers, closes: #53653 + + -- Ben Collins <bcollins@debian.org> Sun, 2 Jan 2000 15:15:40 -0500 + +pam (0.72-2) unstable; urgency=low + + * Well, this is an odd one. A recompile fixes it. So it must have been a + problem from linking with 0.71 when this is version 0.72. All of this + build daemons seem to have compiled the latest 0.72, so this should be + resolved after this gets recompiled on all of them, closes: #51619, #49584 + * This is from a very old version (0.56) of libpam0. It is not relevant + to the latest version, closes: #47162 + + -- Ben Collins <bcollins@debian.org> Sun, 26 Dec 1999 09:10:13 -0500 + +pam (0.72-1) unstable; urgency=low + + * New upstream source release, lots of patches merged upstream (thanks + Andrew). + * libpam-doc: now provides pam-doc, closes: #45631 + * cleanups to the build system + * shlibs.local: bumped shlib deps + + -- Ben Collins <bcollins@debian.org> Tue, 14 Dec 1999 11:17:36 -0500 + +pam (0.71-3) unstable; urgency=low + + * Debian-PAM-MiniPolicy: new document describing how PAM is implemented + in Debian + + -- Ben Collins <bcollins@debian.org> Fri, 26 Nov 1999 17:26:40 -0500 + +pam (0.71-2) unstable; urgency=low + + * pam_listfile: lstat -> stat, closes: #49833 + * pam_tally: install the pam_tally program, closes: #50314 + * debian/control: libpam-modules, replaces libpam0g-util, closes: #50716 + + -- Ben Collins <bcollins@debian.org> Thu, 25 Nov 1999 21:02:23 -0500 + +pam (0.71-1) unstable; urgency=low + + * New upstream release, merges lots of patches from the Debian source, + also merges the pam_{motd,mkhomedir,issue} modules into the main + source. Lots of minor bugs fixed, and compiler warnings + * pam_mail: Reimplemented the authentication handlers, so now this works + as both (changes nothing in Debian, but was required to get the patch + accepted upstream) + * general: Lots of small edits to fix compiler warnings + * pam_userdb: fixed potential usage of an unitialized value as + PAM_AUTHTOK, doesn't look particularly exploitable, but better safe + than sorry + + -- Ben Collins <bcollins@debian.org> Mon, 8 Nov 1999 19:21:52 -0500 + +pam (0.70-4) unstable; urgency=low + + * pam_wheel/pam_wheel.c: change to use getpwuid(getuid()) by default, so + avoid the problems associated with getlogin() + + -- Ben Collins <bcollins@debian.org> Mon, 1 Nov 1999 13:33:10 -0500 + +pam (0.70-3) unstable; urgency=low + + * Applied patch from Herbert Xu to enable PAM_CONV_AGAIN support in + pam_ftp, closes: #47288 + + -- Ben Collins <bcollins@debian.org> Wed, 13 Oct 1999 13:25:21 -0400 + +pam (0.70-2) unstable; urgency=low + + * 100_pam_pwdb_security_fix: new patch fixes security problem with + regard to NIS accounts + + -- Ben Collins <bcollins@debian.org> Wed, 13 Oct 1999 11:42:41 -0400 + +pam (0.70-1) unstable; urgency=low + + * New upstream release + * Seems there were a lot of fixes merged/matches upstream, looks good, + (maybe it's time I start sending my patches in, since the maintainer + is active again). + * libpamc: new library (libpam client library), this actually used to be + in the Debian packages for a few versions, but it was removed upstream. + Guess what, it's back :) + + -- Ben Collins <bcollins@debian.org> Sun, 10 Oct 1999 01:07:43 -0400 + +pam (0.69-11) unstable; urgency=low + + * {pwdb,unix}_chkpwd.8: fixed format to get rid of "no whatis" warnings + from mandb, closes: #47004 + * pam_unix.sgml: new file, documents the pam_unix.so module, + closes: #46511 + + -- Ben Collins <bcollins@debian.org> Sat, 9 Oct 1999 12:41:58 -0400 + +pam (0.69-10) unstable; urgency=low + + * libpam/pam_item.c: fixed debug message being in wrong place + * 013_pam_issue: new patch, provides issue file parsing for PAM + applications (helps to replace lost functionality in login). + + -- Ben Collins <bcollins@debian.org> Wed, 6 Oct 1999 20:30:17 -0400 + +pam (0.69-9) unstable; urgency=low + + * Fix typo in pam_mail.so module's "no" return + + -- Ben Collins <bcollins@debian.org> Sun, 3 Oct 1999 15:08:56 -0400 + +pam (0.69-8) unstable; urgency=low + + * docs/modules/pam_mkhomedir.sgml: Fixed module name + * changed build system structure + * libpam/Makefile: add -lcrypt to the linked libs, closes: #46104 + * increase shlib deps to 0.69-7, closes: #45801 + * pam_motd.c: close motd file after reading, closes: #46122 + * pam_motd.c: fix setting \0 in the wrong place when motd file is + zero length, closes: #45686, #45632 + * pam_unix_acct.c: allow '0' to denote disabled for some expiry fields + since chage(1) documents it this way, closes: #45446 + * pam_mail.c|modules/pam_mail.sgml: added 2 options, one "standard" to + give the old style "You have ..." response and "quiet" which only + reports new mail for both formats, documented both options, + closes: #45670 + * with the new pam_unix module, this bug is fixed, closes: #42230 + * pam_limits.c: make sure that we not only ignore limits on root, we + also remove them just in case we are su'ing from a limited user to + the root account (since as root they can remove the limits anyway), + closes: #35302 + + -- Ben Collins <bcollins@debian.org> Sun, 3 Oct 1999 12:07:28 -0400 + +pam (0.69-7) unstable; urgency=low + + * debian/rules: fixed module_check + * pam_env/pam_env.c: fixed env parsing to include values wrapped in '' + and also allow continued lines with a trailing '\'. + * pam_motd,pam_mail: converted to session modules, so that they could + be ordered with the lastlog module + * updated default pam.d/login to reflect above change (now login looks + the same as the non-PAM version, lastlog, then motd, and then mail + check) + * pam_motd: removed extraneous \n from output + * modules/pam_limits/pam_limits.c: Fixed parsing of lines with only + "domain -", which was documented as being able to get rid of limits + for that user or group. + * debian/control: (libpam-cracklib) Added depends for cracklib-runtime, + closes: #45488 + * modules/pam_env.c: Fixed /etc/environment parsing causing segfaults on + long lines, closes: #45408 + + -- Ben Collins <bcollins@debian.org> Sun, 19 Sep 1999 13:50:40 -0400 + +pam (0.69-6) unstable; urgency=low + + * Install unix_chkpwd suid root, it's needed for NIS to work without + modification to the binary. + * modules/pam_limits/pam_limits.c: hmm, some how I got a strange broken + patch left over from the source upgrade...removed all but the pwdb + purging, closes: #45088 + * modules/pam_env/pam_env.c: Changed to a debug message, instead of a + syslog message when /etc/environment does not exist. + + -- Ben Collins <bcollins@debian.org> Wed, 15 Sep 1999 04:25:21 -0400 + +pam (0.69-5) unstable; urgency=low + + * Removed libpam0g's preinst check for full paths in the pam.d files, + this should really be a lintian check at build (i think the old libpam + could not work like this, but hey...things change for the better some + times. This PAM works fine like that). closes: #45001 + +NOTE: Debian packages should not reference modules by the full path + so they don't break if I ever decide to move the modules to a different + default directory. Only the admin should reference full paths and only + for locally installed modules. I have submitted a request to check for + this in lintian along with a few other devious things. + * debian/patches/008_pam_mkhomedir: Fix title of sgml doc + * modules/pam_userdb/Makefile: added patch for building against glibc 2.0 + (request from Roman Hodek), closes: #45064 + + -- Ben Collins <bcollins@debian.org> Tue, 14 Sep 1999 06:12:34 -0400 + +pam (0.69-4) unstable; urgency=low + + * Link all dynamic modules with libpam. For some reason, alpha doesn't + like it when we don't + + -- Ben Collins <bcollins@debian.org> Mon, 13 Sep 1999 06:01:40 -0400 + +pam (0.69-3) unstable; urgency=low + + * doc/modules/pam_cracklib.sgml: changed to correct path for + cracklib_dict reference. + * modules/pam_env/pam_env.c: now groks bash style env's from + /etc/environment to be compatible with other programs that use it. + * modules/pam_securetty/pam_securetty.c: don't just plain fail when + root isn't allowed to login, fake a password request just like any + good auth module would. Keeps us from letting them know that they + are doing something bad :) + * modules/pam_{motd,mkhomedir}: merged these two modules into this + source, also wrote corresponding sgml files for libpam-doc, + closes: #40754 + * debian/control: Moved libpam0g, libpam-modules and libpam-runtime + to base with required priority since login depends on them and + policy will require this + + -- Ben Collins <bcollins@debian.org> Sat, 11 Sep 1999 08:06:02 -0400 + +pam (0.69-2) unstable; urgency=low + + * Modified build so that it uses libs and headers in the build tree + rather than on the local system. This involved changint the build + order slightly and should make it easier to compile on new archs. + * Modified pam_limits so that it was invoked during pam_sm_setcred() + instead of during pam_sm_session_open() so that it will work with + shadow's su. + * Fixed missing symbols in libpam.so, they were caused by it thinking + it was supposed to have static modules built in. + * Fixed problem where libpam was getting built with -DDEBUG + * pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640 + instead of 0.0 and 0600 + * unix_chkpwd: fix it not being sgid shadow + + -- Ben Collins <bcollins@debian.org> Thu, 9 Sep 1999 13:52:01 -0400 + +pam (0.69-1) unstable; urgency=low + + * New upstream source + - Now with a new and improved pam_unix module, closes: #38631 + - Lot's of documentation cleanups + * Converted build system to dbs (doogie's build system, aka Adam Heath) + * Fixed libpam.so compilation so that it did not link with any of the + modules (this was causing lot's of problems, closes; #43913, #40739 + * modules/pam_ftp/pam_ftp.c: Fixed sizeof, to use strlen, + closes: #44054, #41845, #44142, #39129, #39871, #44412 + * Postscript pages are now generated correctly, closes: #41608 + * Moved to FHS compliance (including use of debhelper 2.0.40), + this also raises the policy version to 3.0.1.1 + * Don't check the paths in /etc/pam.d files anymore. This is old + and causes nothing but complaints, closes: #39747 + * Build libpam0g-dbg with debuggable static and shared libraries, also + enabled the internal DEBUG_REL compile flag for these so that the + debugging messages will also be output + + -- Ben Collins <bcollins@debian.org> Tue, 7 Sep 1999 17:45:20 -0400 + +pam (0.66-10) unstable; urgency=low + + * Added ability for pam_env to parse /etc/environment and updated + docs to reflect it + * Applied patch for pwdb_chkpwd man page, closes: #38976 + * Merged pam_unix_*.so modules into one pam_unix.so with symlinks + for backward compatibility. This helps centralize this module the + same way the pam_pwdb.so is and the way pam_unix.so is on other + operating systems (commercial ones specifically). + * Closed by pam-apps upload, closes: #38632 + * Fixed `sgml2latex' syntax, closes: #39119 + * Added doc-base support, closes: #37627 + + -- Ben Collins <bcollins@debian.org> Wed, 16 Jun 1999 01:20:23 -0400 + +pam (0.66-9.1) unstable; urgency=low + + * SPARC NMU to fix chown symbols when compiling with glibc 2.1.1 + + -- Ben Collins <bcollins@debian.org> Tue, 11 May 1999 13:33:33 +0000 + +pam (0.66-9) unstable; urgency=low + + * Changed the debian/rules to not mess with the library symlinks (ie + running ldconfig in the lib dir) and all is well, closes: #36169 + + -- Ben Collins <bcollins@debian.org> Sun, 18 Apr 1999 09:09:51 -0400 + +pam (0.66-8) unstable; urgency=low + + * Compiled with libpam_client.so now (seperate lib in libpam0g) + * Made regex for libpam0g postinst a little more specific so it + didn't flag false problems. closes: #34626 + * Applied patch to fix pam_ftp, closes: #35388 + * Modified pam_mail and pam_lastlog to honor PAM_SILENT in order to + enable apps to use hushlogin/PAM_SILENT + * Fixed problem with libpam_client.so being static + + -- Ben Collins <bcollins@debian.org> Mon, 15 Mar 1999 20:54:23 -0500 + +pam (0.66-7) unstable; urgency=low + + * Fixed XCASE in pam_filter.c (not really in glibc 2.1 by default) + + -- Ben Collins <bcollins@debian.org> Sat, 6 Mar 1999 18:46:56 -0500 + +pam (0.66-6) unstable; urgency=low + + * Removed empty /lib/security/ from libpam0g (is created in + libpam-runtime) + * Added a depends for libpam-runtime to libpam0g (was supposed to be + there, must have deleted it) + * Removed empty /usr/bin from libpam-runtime (old directory where + upperLOWER was) + + -- Ben Collins <bcollins@debian.org> Wed, 24 Feb 1999 13:14:25 -0500 + +pam (0.66-5) unstable; urgency=low + + * Removed harcoded libc6 dependency from libpam0g-dev and changed it to + libc6-dev. closes: #33615 + * Added md5 flag for pam_unix_passwd.so + * Removed upperLOWER program since it is just an example. Moved it's + source to the examples directory in libpam-modules + * Fixed documentation of pam_strerror() and examples. closes #31142 + * Made pam_unix_passwd.so leave /etc/shadow mode 640 and root.shadow + after changes + * Fixed problem in pam_unix_auth that didn't let you su from a normal + user to another normal user (ie. neither one was root) + * Closing misc fixed bugs. closes #32809, #32274 (have been fixed, + just need closing) + * Tested lockvc with pam support, works for normal users (pam_pwdb) + closes: #31150 + * Changed /var/log/wtmp in pam_lastlog docs to reflect correct + /var/log/lastlog file. closes: #26544 + * Added -ldl to libpam.so, so apps don't have to + + -- Ben Collins <bcollins@debian.org> Fri, 19 Feb 1999 18:47:30 -0500 + +pam (0.66-4) unstable; urgency=low + + * Changed pwdb_chkpwd to sgid shadow instead of suid root since it only + needs read permissions to /etc/shadow and not write. + * Moved a lot of files arouns to get rid of libpam-runtime dependencies + * Put libpam-pwdb into it's own package + * Removed -lpwdb links for modules since libpwdb is somewhat buggy (or + alteast it's interaction with libpam is) + * Fixed bug in pam_unix_passwd.so that caused it to never authenticate + the correct passwd, making it so you couldn't change the passwd + + -- Ben Collins <bcollins@debian.org> Tue, 16 Feb 1999 15:50:28 -0500 + +pam (0.66-3) unstable; urgency=low + + * Fixed defaults in /etc/pam.d/other to be pam_unix_*.so modules instead + of the accidental pam_pwdb.so module + * Fixed suid of pwdb_chkpwd (had to move dh_fixperms after + dh_suidregister) + * Added Replaces: libpam0g-util in order to help dpkg upgrade from + older packages + * Applied glibc 2.1 patch from Christian Meder. closes: #32809 + * Moved libpam-doc to Section doc. closes: #32274 + + -- Ben Collins <bcollins@debian.org> Fri, 12 Feb 1999 02:01:43 -0500 + +pam (0.66-2) unstable; urgency=low + + * Removed all of the versioned module stuff. Modules are now in + /lib/security and stay there. Seems after discussion, that modules may + not change as often as thought + * Fixed suidregister for pwdb_chkpwd + * Fixed incomplete descriptions in control file + * This is a kludge to close some bugs since the last upload was yanked + before being installed in the archive, closes: #16882, #30862, #7725, + #10234, #10406, #12210, #14291, #15528, #15529, #20660, #25330, + #29868, #31088, #31128, #9131, #9919, #19383, #5132, #14533, #25915, + #28075, #31548, #31191 + + -- Ben Collins <bcollins@debian.org> Tue, 2 Feb 1999 12:47:25 -0500 + +pam (0.66-1) unstable; urgency=low + + * New maintainer + * New upstream release. closes: #16882, #30862, #7725 + * Created a better split of the main lib and the runtime to kill the + circular dependencies and make it possible to have two .so version of + the library installed for upgrades. closes: #10234, #10406, #12210, + bug #14291, #15528, #15529, #20660, #25330, #29868, #31088, #31128, + bug #9131, #9919. + * Harcoded modules directory prefixed with the .so version, and + used alternatives to create the symlink to the 'default' modules + directory. libpam will use the full path when specified, but use the + versioned modules directory for relative names. + * Put libpam0g-cracklib modules back in (own package). This means that + cracklib support is _not_ in the static libpam.a, also cracklib + support is _not_ in pam_unix_passwd.o, but only in pam_cracklib.so + by itself. + * Fixed a few typos in the source causing compile errors + * Fixed source #include's so that pam _didn't_ have to be installed + in order to compile the source ( changed from <> to "" ) + * Removed empty directories from built packages + * Opted not to build examples, only going to put *.c files in examples + directory for libpam0g-dev + * Moved *.sgml files for modules into their own directory (looks like + that is what the original maintainer wanted to do, but it didn't go) + * Moved doc build to arch-indep build in rules so that it doesn't get + built when specifying -B with debuild/dpkg-buildpackage. + * Moved `touch .quiet...' to build-stamp in order to have -B builds not + ask about pam.conf + * Split out non-standard modules to their own package, so as to make the + base install smaller (planning for base inclusion here) + * Created small manpage for pwdb_chkpwd. closes: #10941 + * The Copright file in /usr/doc/*/ was already named copright and not + compressed. closes: #14533 + * Package is now lintian clean. closes #19383, #5132 + * There is a maintainer now and the patch for #25915 is still included + so.... closes: #25915 + * Added check for editor backup files in /etc/pam.d (*~). closes: #28075 + * Applied patch for md5.h in pam_pwdb module. closes: #31548 + * Added support for dhelp in libpam-doc. closes: #31191 + + -- Ben Collins <bcollins@debian.org> Wed, 20 Jan 1999 07:09:15 -0500 + +pam (0.65-0.8) frozen unstable; urgency=high + + * Marked PAM as orphaned, given that there has been no maintainer upload + in almost two years. + * [defs/debian.defs] Removed superflous cracklib2 dependency. + (Urgent as cracklib still has release-critical bugs). + (Fixes #30862). + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Wed, 20 Jan 1999 09:34:35 +0100 + +pam (0.65-0.7) frozen unstable; urgency=high + + * Fixed security vulnerability in the pam_unix and pam_tally modules + (reported by Michal Zalewski on bugtraq; patch + A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin). + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Tue, 29 Dec 1998 16:20:18 +0100 + +pam (0.65-0.6) unstable; urgency=high + + * Fixed distribution of files over the various packages, which was + severely messed up. + * Added appropriate Replaces: to ensure upgrading from both the hamm + version and previous slink versions. + * Fixed debug libraries, PAM module loading. + * Added examples. + * Added a "pam-undocumented" manpage pointing to libpam-doc, and + made links for functions without a manpage to that. + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Sun, 11 Oct 1998 19:29:40 +0200 + +pam (0.65-0.5) unstable; urgency=low + + * Rewritten the preinst warning text (it still mentioned the search path). + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Fri, 9 Oct 1998 14:23:18 +0200 + +pam (0.65-0.4) unstable; urgency=high + + * It looks like I misunderstood DEFAULT_MODULE_PATH: Linux-PAM does not + currently seem to be easily configured to look for modules in more than + one directory. With this version, it's configured to look only in + /lib/security . + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Fri, 9 Oct 1998 11:43:34 +0200 + +pam (0.65-0.3) unstable; urgency=medium + + * Moving the PAM modules to /lib/security broke netatalk. + Added a preinst script to detect /etc/pam.d files with explicit paths to + PAM modules, give a warning about them, and offer to abort the install + (Fixes #27514). + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Tue, 6 Oct 1998 20:10:43 +0200 + +pam (0.65-0.2) unstable; urgency=low + + * Argh. The tools didn't recognise -0.1 as a new upstream release, so + my previous upload was rejected due to a missing .orig.tar.gz . + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Sun, 4 Oct 1998 17:15:09 +0200 + +pam (0.65-0.1) experimental; urgency=low + + * New upstream version. + * Non-maintainer upload. + * Major package overhaul; now uses debhelper. + * In experimental for now. *Please* provide feedback; if the feedback is + positive, we can put this in slink. + * Dropped libc5 support. + * [libpam/pam_static.c] Fixed compilation: "pamh" was undefined; use "NULL". + is this the correct fix? + * [defs/debian.defs] New. + * [Makefile] + * Exit when a make in a subdirectory fails. + * Compile statically too. + * New variables: LC, LP, LPLIBS, DEFAULT_MODULE_PATH . + * [libpam/Makefile] + * Use DEFAULT_MODULE_PATH if nonempty. + * Link libpam against LPLIBS. + * [modules/*/Makefile] + * Link the dynamic security objects against libpam and libc + (LP and LC). + * [modules/pam_pwdb/Makefile] + * Link dynamic security objects against libcrypt and libnsl. + * [conf/install_conf] Allow for non-interactive install (as the other + install_conf scripts already did). + * Automatically determine the list of /etc/security/* conffiles. + * Moved libpam to /lib, and PAM modules to /lib/security as they will + become part of the base system in the future. + * Built without cracklib support, to keep the base system smaller. + * /sbin/pwdb_chkpwd is undocumented, as is upperLOWER. + + -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Fri, 2 Oct 1998 20:23:27 +0200 + +pam (0.57b-0.4) unstable; urgency=high + + * Non maintainer upload + My previous upload had removed the libc5 stuff from the controlfile + messing up things. Change 'Architecture: any' to 'i386 m68k' for those + .deb's instead. + + -- Turbo Fredriksson <turbo@debian.org> Thu, 20 Aug 1998 20:06:50 -0400 + +pam (0.57b-0.3) unstable; urgency=high + + * Non maintainer upload + On a glibc2.1 system, XCASE is only defined in the <bits/termios.h> + _IF_ '__USE_MISC' or '__USE_UNIX98' is defined. + + -- Turbo Fredriksson <turbo@debian.org> Sun, 16 Aug 1998 22:13:45 -0400 + +pam (0.57b-0.2) unstable; urgency=high + + * Yet another non-maintainer release. + * Zero changes; simply a re-upload due to a rm-trigger happy release + ``manager''. + + -- James Troup <jjtroup@comp.brad.ac.uk> Tue, 17 Mar 1998 19:55:16 +0100 + +pam (0.57b-0.1) unstable; urgency=medium + + * Non-maintainer release. + * debian/control (Standards-Version): Updated to 2.4.0.0. + * debian/control (libpam0g-dev): Also conflict with libpam-dbg. + * debian/postinst: use case statement instead of if. + * debian/rules (COMPAT_ARCHES): removed sparc. + * debian/rules (binary-libc6-dev, binary-libc5-altdev): strip static libraries with + --strip-debug, not --strip-unneeded. + * debian/rules: each package now has it's own doc directory under + /usr/doc/, containing at least the copyright file (Policy 5.6). + * debian/rules: install files with `install -m 644' not `cp -p' to avoid + read-only files. + * debian/rules (binary-libc6-util): strip /usr/lib/*/security/*.so with + --strip-unneeded. + * debian/rules (binary-libc5-util): ditto. + * debian/rules (binary-libc5): don't depend on binary-libc5. + + -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 7 Mar 1998 18:04:19 +0100 + +pam (0.57b-0) unstable; urgency=medium + + * Non-maintainer release. + * New upstream version. + * Doesn't use pristine upstream source as the upstream tar ball is broken. + * Added libc6 libraries libpam0g, libpam0g-dev, libpam0g-dbg and + libpam0g-util. [#11697] + * libpam-dev becomes libpam0-altdev, libpam-util -> libpam0-altutil and + libpam-dbg is removed. + * libpam0 depends on libpam0g because libpam0g contains the pam conffile. + * libpam0-util depends on libpam0g-util because libpam0g contains the binary. + * Compiled with -D_REENTRANT and link with -lc. + * Fixed permissions on shared libraries. + * Corrected syntax of /etc/pam.d/other. [#10497, #10758, #12030] + * Fixed typos in postinst. [#10474, #11365] + * Made /etc/pam.conf a conffile. + * Updated URL in copyright file. + * Removed over-zelaously installed README* files from libpam-doc. + + -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 22 Nov 1997 17:54:30 +0100 + +pam (0.56-2) unstable; urgency=low + + * Added /etc/pam.d/other with policy 'deny'. + * Add manual pages for PAM security modules. + + -- Klee Dienes <klee@debian.org> Sat, 15 Mar 1997 22:33:22 -0500 + +pam (0.56-1) unstable; urgency=low + + * New upstream release. + * Converted to new packaging format. + * Reorganization of package structure (-dev, -dbg, etc). + + -- Klee Dienes <klee@debian.org> Sat, 8 Mar 1997 01:21:17 -0500 --- pam-0.99.7.1.orig/debian/libpam0g.docs +++ pam-0.99.7.1/debian/libpam0g.docs @@ -0,0 +1 @@ +debian/local/Debian-PAM-MiniPolicy --- pam-0.99.7.1.orig/debian/libpam0g-dev.files +++ pam-0.99.7.1/debian/libpam0g-dev.files @@ -0,0 +1,4 @@ +usr/include/security/* +usr/lib/libpam.a +usr/lib/libpamc.a +usr/lib/libpam_misc.a --- pam-0.99.7.1.orig/debian/copyright +++ pam-0.99.7.1/debian/copyright @@ -0,0 +1,50 @@ +This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on +Wed, 23 Sep 1998 20:29:32 +0200. + +It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/ + +Copyright: + +Unless otherwise *explicitly* stated the following text describes the +licensed conditions under which the contents of this Linux-PAM release +may be distributed: + +------------------------------------------------------------------------- +Redistribution and use in source and binary forms of Linux-PAM, with +or without modification, are permitted provided that the following +conditions are met: + +1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + +3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License, in which case the provisions of the GNU +GPL are required INSTEAD OF the above restrictions. (This clause is +necessary due to a potential conflict between the GNU GPL and the +restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. +------------------------------------------------------------------------- + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. --- pam-0.99.7.1.orig/debian/libpam0g.postinst +++ pam-0.99.7.1/debian/libpam0g.postinst @@ -0,0 +1,230 @@ +#!/bin/bash + +# postinst based heavily on the postinst of libssl0.9.8, courtesy of +# Christoph Martin. + +. /usr/share/debconf/confmodule + +set -e + +# element() is a helper function for file-rc: +element() { + local element list IFS + + element="$1" + + [ "$2" = "in" ] && shift + list="$2" + [ "$list" = "-" ] && return 1 + [ "$list" = "*" ] && return 0 + + IFS="," + set -- $list + case $element in + "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9") + return 0 + esac + return 1 +} + +# filerc (runlevel, service) returns /etc/init.d/service, if service is +# running in $runlevel: +filerc() { + local runlevel basename + runlevel=$1 + basename=$2 + while read LINE + do + case $LINE in + \#*|"") continue + esac + + set -- $LINE + SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4" + [ "$CMD" = "/etc/init.d/$basename" ] || continue + + if element "$runlevel" in "$START" || element "S" in "$START" + then + echo "/etc/init.d/$basename" + return 0 + fi + done < /etc/runlevel.conf + echo "" +} + +installed_services() { + check="$@" + + # Only get the ones that are installed, and configured + check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}') + + # some init scripts don't match the package names + check=$(echo $check | \ + sed -e's/\bapache2-common\b/apache2/g' \ + -e's/\bat\b/atd/g' \ + -e's/\bdovecot-common\b/dovecot/g' \ + -e's/\bdante-server\b/danted/g' \ + -e's/\bexim4-base\b/exim4/g' \ + -e's/\bheartbeat-2\b/heartbeat/g' \ + -e's/\bhylafax-server\b/hylafax/g' \ + -e's/\bpartimage-server\b/partimaged/g' \ + -e's/\bsasl2-bin\b/saslauthd/g' \ + ) + + for service in $check; do + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + idl=$(ls /etc/init.d/${service} 2> /dev/null | head -n 1) + if [ -n "$idl" ] && [ -x $idl ]; then + services="$service $services" + else + echo "WARNING: init script for $service not found." >&2 + fi + else + if [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then + idl=$(filerc $rl $service) + else + idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1) + fi + if [ -n "$idl" ] && [ -x $idl ]; then + services="$service $services" + fi + fi + done + echo "$services" +} + +if [ "$1" = "configure" ] +then + if [ ! -z "$2" ]; then + if dpkg --compare-versions "$2" lt 0.99.7.1-3; then + db_version 2.0 + + echo -n "Checking for services that may need to be restarted..." + + check="apache2-common at bayonne cherokee courier-authdaemon" + check="$check cron cupsys" + check="$check dante-server diald dovecot-common exim exim4-base" + check="$check fcron fireflier-server freeradius gdm heartbeat" + check="$check heartbeat-2 hylafax-server iiimf-server inn2" + check="$check kannel linesrv linesrv-mysql lsh-server" + check="$check muddleftpd netatalk nuauth partimage-server" + check="$check perdition pgpool popa3d postgresql-7.4" + check="$check postgresql-8.1 postgresql-8.2 proftpd pure-ftpd" + check="$check pure-ftpd-ldap pure-ftpd-mysql" + check="$check pure-ftpd-postgresql racoon samba sasl2-bin" + check="$check sfs-server solid-pop3d squid squid3 tac-plus" + check="$check vsftpd wu-ftpd wzdftpd xrdp yardradius yaws" + + if ! who | awk '{print $2}'|grep -q ':[0-9]'; then + check="$check kdm wdm xdm" + fi + + echo "Checking init scripts..." + services=$(installed_services "$check") + if [ -n "$services" ]; then + db_reset libpam0g/restart-services + db_set libpam0g/restart-services "$services" + question_priority="critical" + # Do not prompt when we're running in the upgrade-manager + # and only default services need restarting. + nondefault_services=$(echo "$services" | sed \ + -e's/\batd\b//g' \ + -e's/\bcron\b//g' \ + -e's/\bcupsys\b//g' \ + -e's/\bgdm\b//g' \ + -e's/\bkdm\b//g' \ + -e's/^ *//g') + if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] && [ -z "$nondefault_services" ]; then + question_priority="medium" + fi + db_input "$question_priority" libpam0g/restart-services || true + db_go || true + db_get libpam0g/restart-services + + if [ "x$RET" != "x" ] + then + services=$RET + else + services="" + fi + echo + if [ "$services" != "" ]; then + echo "Restarting services possibly affected by the upgrade:" + failed="" + rl=$(runlevel | sed 's/.*\ //') + for service in $services; do + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + idl="invoke-rc.d ${service}" + elif [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then + idl=$(filerc $rl $service) + else + idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1) + fi + + case "$service" in + gdm) + echo -n " $service: reloading..." + if $idl reload > /dev/null 2>&1; then + echo "done." + else + echo "FAILED! ($?)" + failed="$service $failed" + fi + continue + ;; + esac + echo -n " $service: stopping..." + $idl stop > /dev/null 2>&1 || true + sleep 1 + echo -n "starting..." + if $idl start > /dev/null 2>&1; then + echo "done." + else + echo "FAILED! ($?)" + failed="$service $failed" + fi + done + echo + if [ -n "$failed" ]; then + db_subst libpam0g/restart-failed services "$failed" + db_input critical libpam0g/restart-failed || true + db_go || true + else + echo "Services restarted successfully." + fi + echo + fi + else + echo "Nothing to restart." + fi + + if who | awk '{print $2}' | grep -q ':[0-9]'; then + dms="" + for service in kdm wdm xdm; do + case "$services" in + *$service*) ;; + *) dms="$dms $service" + esac + done + services=$(installed_services "$dms") + if [ -n "$services" ]; then + if [ -n "$RELEASE_UPGRADE_IN_PROGRESS" ] \ + && [ -x /usr/share/update-notifier/notify-reboot-required ] + then + /usr/share/update-notifier/notify-reboot-required + else + db_input critical libpam0g/xdm-needs-restart || true + db_go || true + fi + fi + fi + + # Shut down the frontend, to make sure none of the + # restarted services keep a connection open to it + db_stop + fi # end upgrading and $2 lt 0.99.7.1-3 + fi # Upgrading +fi + +#DEBHELPER# + --- pam-0.99.7.1.orig/debian/NEWS +++ pam-0.99.7.1/debian/NEWS @@ -0,0 +1,23 @@ +pam (0.99.7.1-5) unstable; urgency=low + + * Default Unix minimum password length has changed + + Previous versions of pam_unix on Debian had a built-in minimum password + length of 1 character, and a minimum password length configured in + /etc/pam.d/common-password of 4 characters. This differed from the + upstream default of 6 characters. This has been changed, so the + default /etc/pam.d/common-password no longer overrides the compile-time + default and the compile-time default has been raised to 6 characters. + If you are using pam_unix but are not using the default + /etc/pam.d/common-password file, it is recommended that you drop any + min= options to pam_unix from your config unless you have stronger + local password requirements that the upstream default. + + The password length 'max' option has also been deprecated in this + version because it was never written to work as suggested in the + documentation. If you are using pam_unix but are not using the default + /etc/pam.d/common-password file, you should remove any old max= options + to pam_unix from your config as this option will be considered an error + in future versions of pam. + + -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 21:27:11 -0700 --- pam-0.99.7.1.orig/debian/libpam-doc.doc-base.admin-guide +++ pam-0.99.7.1/debian/libpam-doc.doc-base.admin-guide @@ -0,0 +1,14 @@ +Document: pam-admin-guide +Title: The Linux-PAM System Administrators' Guide +Author: Andrew G. Morgan <morgan@linux.kernel.org> +Abstract: This manual documents what a system administrator needs to know + about the Linux-PAM library. It covers the correct syntax of the PAM + configuration file and discusses strategies for maintaining a secure system. +Section: Apps/System + +Format: HTML +Index: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html +Files: /usr/share/doc/libpam-doc/html/Linux-PAM_SAG.html /usr/share/doc/libpam-doc/html/sag-*.html + +Format: text +Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz --- pam-0.99.7.1.orig/debian/libpam-doc.install +++ pam-0.99.7.1/debian/libpam-doc.install @@ -0,0 +1,3 @@ +debian/tmp/usr/share/doc/Linux-PAM/*.html usr/share/doc/libpam-doc/html +debian/tmp/usr/share/doc/Linux-PAM/*.txt usr/share/doc/libpam-doc/txt + --- pam-0.99.7.1.orig/debian/TODO +++ pam-0.99.7.1/debian/TODO @@ -0,0 +1,10 @@ +- make pam_unix.so modules have some means of allowing other than root + to auth users via unix_chkpwd (maybe unix_chkpwd needs a secure conf + file?) +- Put in some of the Hurd related fixes +- Build-Depend-Indep on fop and install PDF docs, and add them to + doc-base. This depends on fop being patched to build using Java in + main so it can move out of contrib. +- drop the pam_limits capabilities patch and the dependency on libcap, + because this stuff is long broken on Linux with no hope of + resurrection. --- pam-0.99.7.1.orig/debian/libpam-modules.files +++ pam-0.99.7.1/debian/libpam-modules.files @@ -0,0 +1,3 @@ +etc/security/ +sbin/unix_chkpwd +sbin/pam_tally --- pam-0.99.7.1.orig/debian/libpam0g.files +++ pam-0.99.7.1/debian/libpam0g.files @@ -0,0 +1 @@ +lib/lib*.so.* --- pam-0.99.7.1.orig/debian/libpam-runtime.postrm +++ pam-0.99.7.1/debian/libpam-runtime.postrm @@ -0,0 +1,16 @@ +#!/bin/sh -e + +if [ "$1" = "purge" ]; then + rm -f /etc/pam.d/common-auth /etc/pam.d/common-account \ + /etc/pam.d/common-session /etc/pam.d/common-password +fi + +case $1 in + abort-upgrade|abort-install) + mv /etc/pam.d/other.pre-upgrade /etc/pam.d/other 2>/dev/null ||true + ;; + esac + + + +#DEBHELPER# --- pam-0.99.7.1.orig/debian/libpam-modules.examples +++ pam-0.99.7.1/debian/libpam-modules.examples @@ -0,0 +1,2 @@ +Linux-PAM/modules/pam_filter/upperLOWER/*.c + --- pam-0.99.7.1.orig/debian/libpam0g-dev.examples +++ pam-0.99.7.1/debian/libpam0g-dev.examples @@ -0,0 +1,6 @@ +Linux-PAM/examples/Makefile +Linux-PAM/examples/blank.c +Linux-PAM/examples/check_user.c +Linux-PAM/examples/vpass.c +Linux-PAM/examples/xsh.c +Linux-PAM/libpamc/test --- pam-0.99.7.1.orig/debian/libpam-doc.doc-base.modules-guide +++ pam-0.99.7.1/debian/libpam-doc.doc-base.modules-guide @@ -0,0 +1,14 @@ +Document: pam-modules-guide +Title: The Linux-PAM Module Writers' Guide +Author: ndrew G. Morgan <morgan@linux.kernel.org> +Abstract: This manual documents what a programmer needs to know in order to + write a module that conforms to the Linux-PAM standard. It also discusses + some security issues from the point of view of the module programmer. +Section: Apps/Programming + +Format: HTML +Index: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html +Files: /usr/share/doc/libpam-doc/html/Linux-PAM_MWG.html /usr/share/doc/libpam-doc/html/mwg*.html + +Format: text +Files: /usr/share/doc/libpam-doc/txt/Linux-PAM_MWG.txt.gz --- pam-0.99.7.1.orig/debian/libpam-modules.manpages +++ pam-0.99.7.1/debian/libpam-modules.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man8/*.8 +debian/tmp/usr/share/man/man5/*.5 --- pam-0.99.7.1.orig/debian/local/common-auth +++ pam-0.99.7.1/debian/local/common-auth @@ -0,0 +1,10 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +auth required pam_unix.so nullok_secure --- pam-0.99.7.1.orig/debian/local/common-auth.md5sums +++ pam-0.99.7.1/debian/local/common-auth.md5sums @@ -0,0 +1 @@ +933d757dcd5974b00619f68955743be7 /etc/pam.d/common-auth --- pam-0.99.7.1.orig/debian/local/common-session.md5sums +++ pam-0.99.7.1/debian/local/common-session.md5sums @@ -0,0 +1 @@ +f7579c375b4f4d51ce36aa74718194f3 /etc/pam.d/common-session --- pam-0.99.7.1.orig/debian/local/common-password +++ pam-0.99.7.1/debian/local/common-password @@ -0,0 +1,34 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "nullok" option allows users to change an empty password, else +# empty passwords are treated as locked accounts. +# +# The "md5" option enables MD5 passwords. Without this option, the +# default is Unix crypt. +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# You can also use the "min" option to enforce the length of the new +# password. +# +# See the pam_unix manpage for other options. + +password required pam_unix.so nullok obscure md5 + +# Alternate strength checking for password. Note that this +# requires the libpam-cracklib package to be installed. +# You will need to comment out the password line above and +# uncomment the next two in order to use this. +# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH') +# +# password required pam_cracklib.so retry=3 minlen=6 difok=3 +# password required pam_unix.so use_authtok nullok md5 + --- pam-0.99.7.1.orig/debian/local/common-password.md5sums +++ pam-0.99.7.1/debian/local/common-password.md5sums @@ -0,0 +1,2 @@ +601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password +e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password --- pam-0.99.7.1.orig/debian/local/common-session +++ pam-0.99.7.1/debian/local/common-session @@ -0,0 +1,10 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). The default is pam_unix. +# +session required pam_unix.so +session optional pam_foreground.so --- pam-0.99.7.1.orig/debian/local/pam_getenv +++ pam-0.99.7.1/debian/local/pam_getenv @@ -0,0 +1,123 @@ +#!/usr/bin/perl -w + +=head1 NAME + +pam_getenv - get environment variables from /etc/environment + +=head1 SYNOPSIS + +pam_getenv B<[-l] [-s]> I<env_var> + +=head1 DESCRIPTION + +This tool will print out the value of I<env_var> from F</etc/environment>. It will attempt to expand environment variable references in the definition of I<env_var> but will fail if PAM items are expanded. + +The B<-l> option indicates the script should return an environment variable related to default locale information. + +The B<-s> option indicates that the script should return an +system default environment variable. + +Currently neither the B<-l> or B<-s> options do anything. They are +included because future versions of Debian may have a separate +repository for the initial environment used by init scripts and for +system locale information. These options will allow this script to be +a stable interface even in that environment. + +=cut + +# Copyright 2004 by Sam Hartman +# This script may be copied under the terms of the GNU GPL +# version 2, or at your option any later version. + +use strict; +use vars qw(*CONFIGFILE *ENVFILE); + +sub read_line($) { + my $fh = shift; + my $line; + local $_; + line: while (<$fh>) { + chomp; + s/^\s+//; +s/\#.*$//; + next if $_ eq ""; + if (s/\\\s*$//) { + $line .= $_; + next line; + } + + $line .= $_; + last; + } + $line; + +} + + +sub parse_line($) { + my $var; + my (%x, @x); + local $_ = shift; + return undef unless defined $_ and s/(\S+)\s//; + $var->{Name} = $1; + s/^\s*//; + @x = split(/=([^"\s]\S*|"[^"]*")\s*/, $_); + unless (scalar(@x)%2 == 0) { + push @x, undef; + } + %x = @x; + @{$var}{"Default", "Override"} = + @x{"DEFAULT", "OVERRIDE"}; + $var; +} + +sub expand_val($) { + my ($val) = @_; +return undef unless $val; + die "Cannot handle PAM items\n" if /(?<!\\)\@/; + $val =~ s/(?<!\\)\${([^}]+)}/$ENV{$1}||""/eg; + return $val; +} + +my $lookup; + +while ($_ = shift) { + next if $_ eq "-s"; + next if $_ eq "-l"; + $lookup = $_; + last; +} +unless (defined $lookup) { + die "Usage: pam_getenv [-l] [-s] env_var\n"; +} + +my %allvars; + +open (CONFIGFILE, "/etc/security/pam_env.conf") + or die "Cannot open environment file: $!\n"; + +while (my $var = parse_line(read_line(\*CONFIGFILE))) { + my $val; + unless ($val = expand_val($var->{Override})) { + $val = expand_val($var->{Default}); + } + $allvars{$var->{Name}} = $val; +} + +if (open (ENVFILE, "/etc/environment")) { + while (my $line = read_line(\*ENVFILE)) { + $line =~ s/^export //; + $line =~ /(.*?)=(.+)/ or next; + my ($var, $val) = ($1, $2); + # This is bizarre logic (" and ' match each other, quotes are only + # significant at the start and end of the string, and the trailing quote + # may be omitted), but it's what pam_env does. + $val =~ s/^["'](.*?)["']?$/$1/; + $allvars{$var} = $val; + } +} + +if (exists $allvars{$lookup}) { + print $allvars{$lookup}, "\n"; + exit(0); +} --- pam-0.99.7.1.orig/debian/local/Debian-PAM-MiniPolicy +++ pam-0.99.7.1/debian/local/Debian-PAM-MiniPolicy @@ -0,0 +1,161 @@ +Author: Ben Collins <bcollins@debian.org> +Modified by: Sam Hartman <hartmans@debian.org> + +Objective: To document a base set of policies regarding PAM (Pluggable +Authentication Modules) usage in Debian packages. + +=========================================================================== + +In order to have a consistent and stable implementation across packages +that use PAM, these guidelines will help to avoid some common mistakes and +be usable as a cross reference for FAQ's. + +This document will not go into the details of how to add PAM usage to +existing code, please read the documentation in the libpam-doc package for +info on this, however it does specify behavior needed to make sure PAM +modules in Debian will work with your application. + +================== + PAM Applications +================== + +Each application that uses PAM also must contain a file in +/etc/pam.d/. This file specifies which PAM modules will be used for +the common PAM functions in that application. There are several notes +concerning what modules to use in this file. Most commonly, this file +should use the @include directive to include common-auth, +common-session, common-account and common-password. Under some +circumstances (such as ftp auth, or auth based on tty) other modules +will be required. + +Here is an example of a PAM configuration file that just includes the common module fragments: + # + # /etc/pam.d/other - specify the PAM fallback behaviour + # + # Note that this file is used for any unspecified service; for example + #if /etc/pam.d/cron specifies no session modules but cron calls + #pam_open_session, the session module out of /etc/pam.d/other is + #used. If you really want nothing to happen then use pam_permit.so or + #pam_deny.so as appropriate. + + # We fall back to the system default in /etc/pam.d/common-* + # + + @include common-auth + @include common-account + @include common-password + @include common-session + + +The name of this file is determined by the call to pam_start() in the +application source code. The first parameter will be a string containing +the "service" name (eg. "login", "httpd", etc..). Please make sure that +the filename coincides with this parameter. + +The file should _not_ reference the full path of the modules. It only needs +to reference the basename (eg. "pam_unix.so"). This will ensure that the +program continues to work even if the module location changes, since +libpam itself will resolve the location. + +Under no circumstances should any program in Debian use the pam_pwdb.so +module by default. Instead the pam_unix.so module should be used. Most +programs with RedHat support/default files will reference pam_pwdb.so in +their example files. Do not use this. There are several problems with +regard to pam_pwdb.so: + + 1) It attempts to reimplement glibc's NSS code. For example, if your + program uses pam_pwdb.so, and the user changes /etc/nsswitch.conf to use + NIS, NIS+, or LDAP, then your program will fail to work unless the user + also knows to edit /etc/pwdb.conf (which is not necessary for + pam_unix.so). In the case of LDAP, the program would become absolutely + useless until the user modifies the pam.d file themselves to use + pam_unix.so. + + 2) It adds to the layer of glibc function calls making it harder to + debug problems. Because libpwdb masks glibc native calls, it requires + being able to debug libpwdb, libpam, libc and the offending program. + +Note that pam_unix.so takes the same module arguments as pam_pwdb.so, so +you can just replace the references. If you are not sure if the pam.d +files is correctly setup, please feel free to email it to me, and I will +glance it over. + +UPDATE: libpwdb and this libpam-pwdb have been removed from Debian as of +Woody. So even if you decided to use pam_pwdb, it will be broken, so HAHA +:) + +You should also not use the pam_stack module in the pam config file. +It's not currently in Debian so it won't work. While I cannot stop +someone from packaging pam_stack for Debian, I will try to convince +them that it is not the direction we want. Pam_stack (among other +faults) uses different pam handles for each step in the process--the +handle used for session management is not the same as the handle used +for authentication. This breaks several modules. We will have an +alternate solution for shared PAM configuration across modules. + + +Currently libpam-modules is in the base setup, so it's dependency is not +needed (since the library depends on the correct version). However, if any +modules other than the base set in libpam-modules are used, that package +must be depended on. + +Applications need to depend on libpam-runtime (>= 0.76-14) to +guarantee that /etc/pam.d/common-* exist. + + +The pam_unix.so module allows programs to verify the authentication of the +uid of the calling process without any set bits (uid or gid). NOTE: this +means the user executing the program, you cannot authenticate against other +users without suid root (root makes sure the NIS and NIS+ works too) or +at least sgid shadow (wont work in the above cases). Most notably this +affects programs like apache from being able to use PAM with much success +since it runs as www-data which has no priviledges and cannot use pam_unix.so +to auth against other users. On the other hand is does allow program like +vlock to auth (but not auth the root password). + +The application needs to follow the following rules to make sure PAM +modules work: + +1) Use the same PAM handle for all operations. This means it is not OK +to call pam_start once for authentication and then later for session +management. Modules need to be able to store pam_data between entry +points. + +2) The pam_open_session and pam_setcred calls must be made in a parent +process of the eventual session. They need to be able to enfluence +the environment of the session. + +3) If you are started as root or have root privs for some other +reason, pam_open_session and pam_setcred should be called while still +root. + +4) Implied by 1, make sure that pam_close_session and pam_end are +called in the same process or a process decended from the execution +context as pam_open_session and pam_setcred. The pam_close_session +call may need state stored in the handle by the open session entry +point to clean up properly. The pam_finish call may need to free data +(thus influencing system state in some cases) allocated in the earlier +calls. + + + +============= + PAM Modules +============= + +Separately packaged pam modules should adhere to a few basic setup rules: + + 1) Packages should use the naming scheme of `libpam-<name>' (eg. + libpam-ldap). + + 2) The modules should be located in the directory of the most recent + libpam-modules (currently /lib/security). + + 3) The module should be named as pam_<name>.so. The module should not + contain a version suffix. + + 4) The module should be linked to libpam (-lpam) when compiled so that + proper version dependencies will work. + + 5) Any config files should be located in /etc/security. The filename + will be in the form of <name>.conf. --- pam-0.99.7.1.orig/debian/local/pam.conf +++ pam-0.99.7.1/debian/local/pam.conf @@ -0,0 +1,15 @@ +# ---------------------------------------------------------------------------# +# /etc/pam.conf # +# ---------------------------------------------------------------------------# +# +# NOTE +# ---- +# +# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their +# PAM service modules. This file is used only if that directory does not exist. +# ---------------------------------------------------------------------------# + +# Format: +# serv. module ctrl module [path] ...[args..] # +# name type flag # + --- pam-0.99.7.1.orig/debian/local/other +++ pam-0.99.7.1/debian/local/other @@ -0,0 +1,16 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session --- pam-0.99.7.1.orig/debian/local/common-account +++ pam-0.99.7.1/debian/local/common-account @@ -0,0 +1,9 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +account required pam_unix.so --- pam-0.99.7.1.orig/debian/compat +++ pam-0.99.7.1/debian/compat @@ -0,0 +1 @@ +5 --- pam-0.99.7.1.orig/debian/libpam-modules.links +++ pam-0.99.7.1/debian/libpam-modules.links @@ -0,0 +1,4 @@ +/lib/security/pam_unix.so /lib/security/pam_unix_acct.so +/lib/security/pam_unix.so /lib/security/pam_unix_auth.so +/lib/security/pam_unix.so /lib/security/pam_unix_passwd.so +/lib/security/pam_unix.so /lib/security/pam_unix_session.so --- pam-0.99.7.1.orig/debian/watch +++ pam-0.99.7.1/debian/watch @@ -0,0 +1,3 @@ +version=3 +opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-(.*).tar.gz + --- pam-0.99.7.1.orig/debian/to-be-evaluated/006_compile_warnings +++ pam-0.99.7.1/debian/to-be-evaluated/006_compile_warnings @@ -0,0 +1,12 @@ +--- Linux-PAM-0.72/modules/pam_tally/pam_tally.c~ Tue Dec 14 12:52:35 1999 ++++ Linux-PAM-0.72/modules/pam_tally/pam_tally.c Tue Dec 14 12:52:29 1999 +@@ -70,7 +70,9 @@ + #endif + + static struct faillog faillog; ++#ifndef MAIN + static time_t fail_time; ++#endif + + /*---------------------------------------------------------------------*/ + --- pam-0.99.7.1.orig/debian/to-be-evaluated/040_hurd_limits +++ pam-0.99.7.1/debian/to-be-evaluated/040_hurd_limits @@ -0,0 +1,97 @@ + +diff -urN Linux-PAM-0.72/modules/pam_limits/Makefile Linux-PAM-0.72.new/modules/pam_limits/Makefile +--- Linux-PAM-0.72/modules/pam_limits/Makefile Wed Jul 4 20:58:43 2001 ++++ Linux-PAM-0.72.new/modules/pam_limits/Makefile Wed Jul 4 19:31:37 2001 +@@ -6,7 +6,7 @@ + # Created by Cristian Gafton <gafton@redhat.com> 1996/09/10 + # + +-ifeq ($(OS),linux) ++ifneq (,$(findstring $(OS),gnu linux)) + TITLE=pam_limits + CONFD=$(CONFIGED)/security + export CONFD +@@ -22,7 +22,10 @@ + LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) + LIBOBJS = $(addprefix static/,$(LIBOBJ)) + ++ifeq (linux,$(OS)) + LINKLIBS+=-lcap ++CFLAGS+=-DUSE_CAPABILITIES ++endif + + dynamic/%.o : %.c + $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ +diff -urN Linux-PAM-0.72/modules/pam_limits/pam_limits.c Linux-PAM-0.72.new/modules/pam_limits/pam_limits.c +--- Linux-PAM-0.72/modules/pam_limits/pam_limits.c Wed Jul 4 20:58:48 2001 ++++ Linux-PAM-0.72.new/modules/pam_limits/pam_limits.c Wed Jul 4 19:31:31 2001 +@@ -13,12 +13,10 @@ + * See end for Copyright information + */ + +-#if !(defined(linux)) +-#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! +-#endif +- ++#ifdef USE_CAPABILITIES + #include <sys/capability.h> + #include <sys/prctl.h> ++#endif + + #include <stdio.h> + #include <unistd.h> +@@ -62,9 +60,11 @@ + specific user or to count all logins */ + static int priority; /* the priority to run user process with */ + static char chroot_dir[8092] = ""; /* directory to chroot into */ ++#ifdef USE_CAPABILITIES + static cap_t capabilities; /* capability handle */ + static int caps_set = 0; /* capabilities set */ + static int caps_allocated = 0; /* capabilities allocated */ ++#endif + + #define LIMIT_LOGIN RLIM_NLIMITS+1 + #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 +@@ -261,11 +261,13 @@ + priority = 0; + login_limit = -2; + login_limit_def = LIMITS_DEF_NONE; ++#ifdef USE_CAPABILITIES + if (caps_allocated) + cap_free(capabilities); + capabilities = cap_init(); + caps_allocated = 1; + caps_set = 0; ++#endif + return retval; + } + +@@ -401,9 +403,13 @@ + } else if (limit_item == LIMIT_CHROOT) { + strncpy(chroot_dir, value_orig, sizeof(chroot_dir)); + } else if (limit_item == LIMIT_CAPS) { ++#ifdef USE_CAPABILITIES + capabilities = cap_from_text(value_orig); + prctl(PR_SET_KEEPCAPS, 1); + caps_set = 1; ++#else ++ _pam_log(LOG_WARNING, "capabilities not supported on this system, ignoring them"); ++#endif + } + return; + } +@@ -533,12 +539,14 @@ + if (i != 0) + retval = LIMIT_ERR; + } ++#ifdef USE_CAPABILITIES + if (!retval && caps_set) { + retval = cap_set_proc(capabilities) ? LIMIT_ERR : 0; + cap_free(capabilities); + caps_set = 0; + caps_allocated = 0; + } ++#endif + return retval; + } + \ No newline at end of file --- pam-0.99.7.1.orig/debian/libpam-runtime.preinst +++ pam-0.99.7.1/debian/libpam-runtime.preinst @@ -0,0 +1,50 @@ +#! /bin/sh +# see: dh_installdeb(1) + +set -e + +remove_md5() { + if md5sum $1 2>/dev/null |grep -q $2; then + cp $1 $1.pre-upgrade + sed -e '/password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \ + && mv $1.post-upgrade $1 + fi + } + + + +# summary of how this script can be called: +# * <new-preinst> `install' +# * <new-preinst> `install' <old-version> +# * <new-preinst> `upgrade' <old-version> +# * <old-preinst> `abort-upgrade' <new-version> +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + install|upgrade) + if [ "x$2" != "x" ] ; then + if dpkg --compare-versions $2 lt 0.76 ; then + remove_md5 /etc/pam.d/other a9a9d551b75001ccb5b553927e46e601 + fi + fi + + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- pam-0.99.7.1.orig/debian/libpam-modules.lintian +++ pam-0.99.7.1/debian/libpam-modules.lintian @@ -0,0 +1,2 @@ +# yes, we know it's suid, that's the whole point... +libpam-modules: setuid-binary sbin/unix_chkpwd 4755 root/root --- pam-0.99.7.1.orig/debian/scripts/file2cat +++ pam-0.99.7.1/debian/scripts/file2cat @@ -0,0 +1,13 @@ +#!/bin/sh + +if [ "$1" = "" ]; then + echo "Usage: file2cat <file>" + exit 1 +fi + +case "$1" in + *.gz|*.Z|*.tgz) cmd=zcat;; + *.bz|*.bz2) cmd=bzcat;; + *) cmd=cat;; +esac +$cmd $1 --- pam-0.99.7.1.orig/debian/scripts/dbs-build.mk +++ pam-0.99.7.1/debian/scripts/dbs-build.mk @@ -0,0 +1,92 @@ +#!/usr/bin/make -f +# Separate tarball/patch build system by Adam Heath <doogie@debian.org> +# Modified by Ben Collins <bcollins@debian.org> + +SHELL := /bin/bash -e +SOURCE_DIR := build-tree +STAMP_DIR := stampdir +PATCH_DIR := debian/patches + +patched := $(STAMP_DIR)/patch +unpacked := $(STAMP_DIR)/unpack + +ifdef TAR_DIR + BUILD_TREE := $(SOURCE_DIR)/$(TAR_DIR) +else + BUILD_TREE := $(SOURCE_DIR) +endif + +dh_mak_deps := $(shell DH_COMPAT=$(DH_COMPAT) perl debian/scripts/dh_split makedeps) +dh_gen_deps := $(shell DH_COMPAT=$(DH_COMPAT) perl debian/scripts/dh_split gendeps) + +$(dh_mak_deps): $(dh_gen_deps) + perl debian/scripts/dh_split + +setup: $(dh_mak_deps) + dh_testdir + @-up-scripts + $(MAKE) -f debian/rules $(unpacked) $(patched) + +$(patched)/: $(STAMP_DIR)/created $(unpacked) + test -d $(STAMP_DIR)/patches || mkdir -p $(STAMP_DIR)/patches + @if [ -d "$(PATCH_DIR)" ]; then \ + mkdir -p $(STAMP_DIR)/log/patches; \ + for f in `(cd $(PATCH_DIR); find -type f ! -name 'chk-*') | sort | \ + sed s,'./',,g`; do \ + stampfile=$(STAMP_DIR)/patches/$$f; \ + log=$(STAMP_DIR)/log/patches/$$f; \ + if [ ! -e $$stampfile ]; then \ + echo -n "Applying patch $(PATCH_DIR)/$$f ... "; \ + if $(SHELL) debian/scripts/file2cat $(PATCH_DIR)/$$f | \ + (cd $(BUILD_TREE);patch -p1 --no-backup-if-mismatch) > $$log 2>&1; then \ + echo successful.; \ + touch $$stampfile; \ + else \ + echo "failed! (check $$log for reason)"; \ + exit 1; \ + fi; \ + else \ + echo Already applied $(PATCH_DIR)/$$f.; \ + fi; \ + done; \ + fi + touch $@ + +$(unpacked): $(STAMP_DIR)/created + mkdir -p $(STAMP_DIR)/sources $(SOURCE_DIR) $(STAMP_DIR)/log/sources + @for f in `find . -type f -maxdepth 1 -name \*.tgz -o -name \*.tar.gz -o \ + -name \*.tar.bz -o -name \*.tar.bz2 | sort | sed s,'./',,g`; do \ + stampfile=$(STAMP_DIR)/sources/`basename $$f`; \ + log=$(STAMP_DIR)/log/sources/`basename $$f`; \ + if [ ! -e $$stampfile ]; then \ + echo -n "Extracting source $$f ... "; \ + if $(SHELL) debian/scripts/file2cat $$f | \ + (cd $(SOURCE_DIR); tar xv) > $$log 2>&1; then \ + echo successful.; \ + touch $$stampfile; \ + else \ + echo failed!; \ + exit 1; \ + fi; \ + else \ + echo Already unpacked $$f.; \ + fi; \ + done + touch $@ + +make_patch: + mv $(BUILD_TREE) $(BUILD_TREE).new + rm -rf $(STAMP_DIR) + $(MAKE) -f debian/rules $(unpacked) $(patched) +ifndef TAR_DIR + diff -urN $(BUILD_TREE) $(BUILD_TREE).new > new.diff +else + (cd $(SOURCE_DIR) && diff -urN $(TAR_DIR) $(TAR_DIR).new || true) > new.diff +endif + rm -rf $(BUILD_TREE) + mv $(BUILD_TREE).new $(BUILD_TREE) + @echo; ls -l new.diff + +$(STAMP_DIR)/created: + test -d $(STAMP_DIR) || mkdir $(STAMP_DIR) + touch $(STAMP_DIR)/created --- pam-0.99.7.1.orig/debian/libpam0g-dev.links +++ pam-0.99.7.1/debian/libpam0g-dev.links @@ -0,0 +1,3 @@ +/lib/libpam.so.0 usr/lib/libpam.so +/lib/libpamc.so.0 usr/lib/libpamc.so +/lib/libpam_misc.so.0 usr/lib/libpam_misc.so --- pam-0.99.7.1.orig/debian/libpam-modules.postinst +++ pam-0.99.7.1/debian/libpam-modules.postinst @@ -0,0 +1,25 @@ +#!/bin/sh -e + +# If the user has removed the config file, respect this sign of dementia +# -- only create on package install. + +if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.99.7.1-3 +then + if ! [ -f /etc/security/opasswd ]; then + umask 066 + touch /etc/security/opasswd + umask 022 + fi +fi + +# Add PATH to /etc/environment if it's not present there or in +# /etc/security/pam_env.conf +if [ "$1" = "configure" ] && (dpkg --compare-versions 0.79-3ubuntu6 ge "$2" || [ "$2" = "" ]); then + if ! grep -qs ^PATH /etc/security/pam_env.conf; then + if ! grep -qs ^PATH /etc/environment; then + echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"' >> /etc/environment + fi + fi +fi + +#DEBHELPER# --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_unix/CHANGELOG +++ pam-0.99.7.1/Linux-PAM/modules/pam_unix/CHANGELOG @@ -1,4 +1,4 @@ -$Id: CHANGELOG,v 1.1.1.1 2000/06/20 22:12:01 agmorgan Exp $ +$Id: CHANGELOG 274 2005-07-13 09:52:25Z vorlon $ * Mon Aug 16 1999 Jan Rêkorajski <baggins@pld.org.pl> - fixed reentrancy problems --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_unix/pam_unix_sess.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_unix/pam_unix_sess.c @@ -1,5 +1,5 @@ /* - * $Id: pam_unix_sess.c,v 1.9 2006/06/17 16:44:58 kukuk Exp $ + * $Id: pam_unix_sess.c 405 2007-08-19 01:43:47Z vorlon $ * * Copyright Alexander O. Yuriev, 1996. All rights reserved. * Copyright Jan Rêkorajski, 1999. All rights reserved. --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_unix/md5_crypt.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_unix/md5_crypt.c @@ -1,5 +1,5 @@ /* - * $Id: md5_crypt.c,v 1.2 2001/07/10 20:24:16 vorlon Exp $ + * $Id: md5_crypt.c 274 2005-07-13 09:52:25Z vorlon $ * * ---------------------------------------------------------------------------- * "THE BEER-WARE LICENSE" (Revision 42): --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_unix/md5.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_unix/md5.c @@ -1,5 +1,5 @@ /* - * $Id: md5.c,v 1.1.1.1 2000/06/20 22:12:03 agmorgan Exp $ + * $Id: md5.c 274 2005-07-13 09:52:25Z vorlon $ * * This code implements the MD5 message-digest algorithm. * The algorithm is due to Ron Rivest. This code was --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_unix/support.h +++ pam-0.99.7.1/Linux-PAM/modules/pam_unix/support.h @@ -1,5 +1,5 @@ /* - * $Id: support.h,v 1.12 2005/09/26 14:27:09 t8m Exp $ + * $Id: support.h 405 2007-08-19 01:43:47Z vorlon $ */ #ifndef _PAM_UNIX_SUPPORT_H --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_filter/pam_filter.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_filter/pam_filter.c @@ -1,5 +1,5 @@ /* - * $Id: pam_filter.c,v 1.12 2005/12/12 14:45:00 ldv Exp $ + * $Id: pam_filter.c 405 2007-08-19 01:43:47Z vorlon $ * * written by Andrew Morgan <morgan@transmeta.com> with much help from * Richard Stevens' UNIX Network Programming book. --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_nologin/pam_nologin.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_nologin/pam_nologin.c @@ -1,7 +1,7 @@ /* pam_nologin module */ /* - * $Id: pam_nologin.c,v 1.11 2005/09/22 22:16:02 ldv Exp $ + * $Id: pam_nologin.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 * --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_permit/pam_permit.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_permit/pam_permit.c @@ -1,7 +1,7 @@ /* pam_permit module */ /* - * $Id: pam_permit.c,v 1.4 2005/09/17 08:50:29 t8m Exp $ + * $Id: pam_permit.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 * --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_tally/faillog.h +++ pam-0.99.7.1/Linux-PAM/modules/pam_tally/faillog.h @@ -30,7 +30,7 @@ /* * faillog.h - login failure logging file format * - * $Id: faillog.h,v 1.1.1.1 2000/06/20 22:11:59 agmorgan Exp $ + * $Id: faillog.h 274 2005-07-13 09:52:25Z vorlon $ * * The login failure file is maintained by login(1) and faillog(8) * Each record in the file represents a separate UID and the file --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_deny/pam_deny.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_deny/pam_deny.c @@ -1,7 +1,7 @@ /* pam_deny module */ /* - * $Id: pam_deny.c,v 1.4 2005/12/14 09:58:32 kukuk Exp $ + * $Id: pam_deny.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 * --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_ftp/pam_ftp.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_ftp/pam_ftp.c @@ -1,7 +1,7 @@ /* pam_ftp module */ /* - * $Id: pam_ftp.c,v 1.10 2005/10/04 11:35:18 ldv Exp $ + * $Id: pam_ftp.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 * --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_stress/README +++ pam-0.99.7.1/Linux-PAM/modules/pam_stress/README @@ -1,5 +1,5 @@ # -# $Id: README,v 1.1.1.1 2000/06/20 22:11:57 agmorgan Exp $ +# $Id: README 274 2005-07-13 09:52:25Z vorlon $ # # This describes the behavior of this module with respect to the # /etc/pam.conf file. --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_rootok/pam_rootok.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_rootok/pam_rootok.c @@ -1,7 +1,7 @@ /* pam_rootok module */ /* - * $Id: pam_rootok.c,v 1.7 2005/12/12 14:45:02 ldv Exp $ + * $Id: pam_rootok.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 */ --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_env/pam_env.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_env/pam_env.c @@ -1,7 +1,7 @@ /* pam_env module */ /* - * $Id: pam_env.c,v 1.13 2005/12/12 14:45:00 ldv Exp $ + * $Id: pam_env.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31 * Inspired by Andrew Morgan <morgan@kernel.org>, who also supplied the --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_warn/pam_warn.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_warn/pam_warn.c @@ -1,7 +1,7 @@ /* pam_warn module */ /* - * $Id: pam_warn.c,v 1.6 2005/09/17 08:59:04 t8m Exp $ + * $Id: pam_warn.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 */ --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_userdb/create.pl +++ pam-0.99.7.1/Linux-PAM/modules/pam_userdb/create.pl @@ -2,7 +2,7 @@ # this program creates a database in ARGV[1] from pairs given on # stdandard input # -# $Id: create.pl,v 1.2 2004/09/28 13:48:47 kukuk Exp $ +# $Id: create.pl 274 2005-07-13 09:52:25Z vorlon $ use DB_File; --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_userdb/pam_userdb.h +++ pam-0.99.7.1/Linux-PAM/modules/pam_userdb/pam_userdb.h @@ -1,7 +1,7 @@ #ifndef _PAM_USERSDB_H #define _PAM_USERSDB_H -/* $Id: pam_userdb.h,v 1.4 2005/09/18 13:04:57 kukuk Exp $ */ +/* $Id: pam_userdb.h 405 2007-08-19 01:43:47Z vorlon $ */ /* Header files */ #include <security/pam_appl.h> --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_motd/pam_motd.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_motd/pam_motd.c @@ -4,7 +4,7 @@ * Modified for pam_motd by Ben Collins <bcollins@debian.org> * * Based off of: - * $Id: pam_motd.c,v 1.12 2005/10/04 11:35:18 ldv Exp $ + * $Id: pam_motd.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 * --- pam-0.99.7.1.orig/Linux-PAM/modules/pam_debug/pam_debug.c +++ pam-0.99.7.1/Linux-PAM/modules/pam_debug/pam_debug.c @@ -1,7 +1,7 @@ /* pam_permit module */ /* - * $Id: pam_debug.c,v 1.5 2006/01/24 09:42:46 kukuk Exp $ + * $Id: pam_debug.c 405 2007-08-19 01:43:47Z vorlon $ * * Written by Andrew Morgan <morgan@kernel.org> 2001/02/04 * --- pam-0.99.7.1.orig/Linux-PAM/libpamc/test/modules/pam_secret.c +++ pam-0.99.7.1/Linux-PAM/libpamc/test/modules/pam_secret.c @@ -1,5 +1,5 @@ /* - * $Id: pam_secret.c,v 1.3 2004/09/14 14:22:39 kukuk Exp $ + * $Id: pam_secret.c 274 2005-07-13 09:52:25Z vorlon $ * * Copyright (c) 1999 Andrew G. Morgan <morgan@linux.kernel.org> */ --- pam-0.99.7.1.orig/Linux-PAM/libpamc/pamc_client.c +++ pam-0.99.7.1/Linux-PAM/libpamc/pamc_client.c @@ -1,5 +1,5 @@ /* - * $Id: pamc_client.c,v 1.1.1.1 2000/06/20 22:11:25 agmorgan Exp $ + * $Id: pamc_client.c 274 2005-07-13 09:52:25Z vorlon $ * * Copyright (c) Andrew G. Morgan <morgan@ftp.kernel.org> * --- pam-0.99.7.1.orig/Linux-PAM/libpamc/pamc_converse.c +++ pam-0.99.7.1/Linux-PAM/libpamc/pamc_converse.c @@ -1,5 +1,5 @@ /* - * $Id: pamc_converse.c,v 1.5 2005/11/24 17:15:31 ldv Exp $ + * $Id: pamc_converse.c 405 2007-08-19 01:43:47Z vorlon $ * * Copyright (c) Andrew G. Morgan <morgan@ftp.kernel.org> * --- pam-0.99.7.1.orig/Linux-PAM/libpamc/libpamc.h +++ pam-0.99.7.1/Linux-PAM/libpamc/libpamc.h @@ -1,5 +1,5 @@ /* - * $Id: libpamc.h,v 1.2 2000/11/19 23:54:03 agmorgan Exp $ + * $Id: libpamc.h 274 2005-07-13 09:52:25Z vorlon $ * * Copyright (c) Andrew G. Morgan <morgan@ftp.kernel.org> * --- pam-0.99.7.1.orig/Linux-PAM/libpamc/pamc_load.c +++ pam-0.99.7.1/Linux-PAM/libpamc/pamc_load.c @@ -1,5 +1,5 @@ /* - * $Id: pamc_load.c,v 1.1.1.1 2000/06/20 22:11:26 agmorgan Exp $ + * $Id: pamc_load.c 274 2005-07-13 09:52:25Z vorlon $ * * Copyright (c) 1999 Andrew G. Morgan <morgan@ftp.kernel.org> * --- pam-0.99.7.1.orig/Linux-PAM/libpamc/include/security/pam_client.h +++ pam-0.99.7.1/Linux-PAM/libpamc/include/security/pam_client.h @@ -1,5 +1,5 @@ /* - * $Id: pam_client.h,v 1.7 2005/05/20 14:58:58 kukuk Exp $ + * $Id: pam_client.h 405 2007-08-19 01:43:47Z vorlon $ * * Copyright (c) 1999 Andrew G. Morgan <morgan@linux.kernel.org> * --- pam-0.99.7.1.orig/Linux-PAM/conf/md5itall +++ pam-0.99.7.1/Linux-PAM/conf/md5itall @@ -1,6 +1,6 @@ #!/bin/bash # -# $Id: md5itall,v 1.2 2000/12/04 19:02:33 baggins Exp $ +# $Id: md5itall 274 2005-07-13 09:52:25Z vorlon $ # # Created by Andrew G. Morgan (morgan@parc.power.net) # --- pam-0.99.7.1.orig/Linux-PAM/conf/pam.conf +++ pam-0.99.7.1/Linux-PAM/conf/pam.conf @@ -3,7 +3,7 @@ # # # Last modified by Andrew G. Morgan <morgan@kernel.org> # # ---------------------------------------------------------------------------# -# $Id: pam.conf,v 1.2 2001/04/08 06:02:33 agmorgan Exp $ +# $Id: pam.conf 274 2005-07-13 09:52:25Z vorlon $ # ---------------------------------------------------------------------------# # serv. module ctrl module [path] ...[args..] # # name type flag # --- pam-0.99.7.1.orig/Linux-PAM/doc/specs/std-agent-id.raw +++ pam-0.99.7.1/Linux-PAM/doc/specs/std-agent-id.raw @@ -1,6 +1,6 @@ PAM working group ## A.G. Morgan -## $Id: std-agent-id.raw,v 1.1 2001/12/08 18:56:47 agmorgan Exp $ ## +## $Id: std-agent-id.raw 274 2005-07-13 09:52:25Z vorlon $ ## ## Pluggable Authentication Modules ## --- pam-0.99.7.1.orig/Linux-PAM/doc/specs/draft-morgan-pam.raw +++ pam-0.99.7.1/Linux-PAM/doc/specs/draft-morgan-pam.raw @@ -761,4 +761,4 @@ Andrew G. Morgan Email: morgan@kernel.org -## $Id: draft-morgan-pam.raw,v 1.2 2001/12/08 18:56:47 agmorgan Exp $ ## +## $Id: draft-morgan-pam.raw 274 2005-07-13 09:52:25Z vorlon $ ## --- pam-0.99.7.1.orig/Linux-PAM/examples/check_user.c +++ pam-0.99.7.1/Linux-PAM/examples/check_user.c @@ -1,5 +1,5 @@ /* - $Id: check_user.c,v 1.2 2000/12/04 19:02:33 baggins Exp $ + $Id: check_user.c 274 2005-07-13 09:52:25Z vorlon $ This program was contributed by Shane Watts <shane@icarus.bofh.asn.au> slight modifications by AGM. --- pam-0.99.7.1.orig/Linux-PAM/examples/blank.c +++ pam-0.99.7.1/Linux-PAM/examples/blank.c @@ -1,5 +1,5 @@ /* - * $Id: blank.c,v 1.2 2000/12/04 19:02:33 baggins Exp $ + * $Id: blank.c 274 2005-07-13 09:52:25Z vorlon $ */ /* Andrew Morgan (morgan@parc.power.net) -- a self contained `blank' --- pam-0.99.7.1.orig/Linux-PAM/libpam_misc/help_env.c +++ pam-0.99.7.1/Linux-PAM/libpam_misc/help_env.c @@ -1,5 +1,5 @@ /* - * $Id: help_env.c,v 1.4 2005/09/20 08:31:27 kukuk Exp $ + * $Id: help_env.c 405 2007-08-19 01:43:47Z vorlon $ * * This file was written by Andrew G. Morgan <morgan@parc.power.net> * --- pam-0.99.7.1.orig/Linux-PAM/libpam_misc/include/security/pam_misc.h +++ pam-0.99.7.1/Linux-PAM/libpam_misc/include/security/pam_misc.h @@ -1,4 +1,4 @@ -/* $Id: pam_misc.h,v 1.5 2005/08/16 12:27:40 kukuk Exp $ */ +/* $Id: pam_misc.h 405 2007-08-19 01:43:47Z vorlon $ */ #ifndef __PAMMISC_H #define __PAMMISC_H --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_session.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_session.c @@ -1,7 +1,7 @@ /* pam_session.c - PAM Session Management */ /* - * $Id: pam_session.c,v 1.6 2006/07/24 15:47:40 kukuk Exp $ + * $Id: pam_session.c 405 2007-08-19 01:43:47Z vorlon $ */ #include "pam_private.h" --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_end.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_end.c @@ -1,7 +1,7 @@ /* pam_end.c */ /* - * $Id: pam_end.c,v 1.4 2006/01/12 10:06:49 t8m Exp $ + * $Id: pam_end.c 405 2007-08-19 01:43:47Z vorlon $ */ #include "pam_private.h" --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_env.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_env.c @@ -7,7 +7,7 @@ * This file was written from a "hint" provided by the people at SUN. * and the X/Open XSSO draft of March 1997. * - * $Id: pam_env.c,v 1.6 2005/09/04 20:32:25 kukuk Exp $ + * $Id: pam_env.c 405 2007-08-19 01:43:47Z vorlon $ */ #include "pam_private.h" --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_item.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_item.c @@ -1,7 +1,7 @@ /* pam_item.c */ /* - * $Id: pam_item.c,v 1.13 2006/03/12 10:26:30 kukuk Exp $ + * $Id: pam_item.c 405 2007-08-19 01:43:47Z vorlon $ */ #include "pam_private.h" --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_start.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_start.c @@ -3,7 +3,7 @@ /* Creator Marc Ewing * Maintained by AGM * - * $Id: pam_start.c,v 1.9 2006/07/24 15:47:40 kukuk Exp $ + * $Id: pam_start.c 405 2007-08-19 01:43:47Z vorlon $ * */ --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_password.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_password.c @@ -1,7 +1,7 @@ /* pam_password.c - PAM Password Management */ /* - * $Id: pam_password.c,v 1.5 2006/07/24 15:47:40 kukuk Exp $ + * $Id: pam_password.c 405 2007-08-19 01:43:47Z vorlon $ */ /* #define DEBUG */ --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_tokens.h +++ pam-0.99.7.1/Linux-PAM/libpam/pam_tokens.h @@ -1,7 +1,7 @@ /* * pam_tokens.h * - * $Id: pam_tokens.h,v 1.4 2006/01/24 23:28:32 kukuk Exp $ + * $Id: pam_tokens.h 405 2007-08-19 01:43:47Z vorlon $ * * This is a Linux-PAM Library Private Header file. It contains tokens * that are used when we parse the configuration file(s). --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_auth.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_auth.c @@ -1,7 +1,7 @@ /* * pam_auth.c -- PAM authentication * - * $Id: pam_auth.c,v 1.7 2006/07/24 15:47:40 kukuk Exp $ + * $Id: pam_auth.c 405 2007-08-19 01:43:47Z vorlon $ * */ --- pam-0.99.7.1.orig/Linux-PAM/libpam/pam_delay.c +++ pam-0.99.7.1/Linux-PAM/libpam/pam_delay.c @@ -4,7 +4,7 @@ * Copyright (c) Andrew G. Morgan <morgan@kernel.org> 1996-9 * All rights reserved. * - * $Id: pam_delay.c,v 1.6 2003/07/13 20:01:44 vorlon Exp $ + * $Id: pam_delay.c 274 2005-07-13 09:52:25Z vorlon $ * */