summaryrefslogtreecommitdiff
path: root/extra/source/pam
diff options
context:
space:
mode:
Diffstat (limited to 'extra/source/pam')
-rwxr-xr-xextra/source/pam/make-pam-solibs-for-chrome.sh84
-rwxr-xr-xextra/source/pam/pam.SlackBuild173
-rw-r--r--extra/source/pam/patches/pam-1.0.90-redhat-modules.patch23
-rw-r--r--extra/source/pam/patches/pam-1.0.91-std-noclose.patch98
-rw-r--r--extra/source/pam/patches/pam-1.1.0-notally.patch12
-rw-r--r--extra/source/pam/patches/pam-1.1.1-faillock.patch1712
-rw-r--r--extra/source/pam/patches/pam-1.1.2-noflex.patch27
-rw-r--r--extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch167
-rw-r--r--extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch64
-rw-r--r--extra/source/pam/patches/pam-1.1.3-limits-range.patch351
-rw-r--r--extra/source/pam/patches/pam-1.1.3-nouserenv.patch27
-rw-r--r--extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch54
-rw-r--r--extra/source/pam/patches/pam-1.1.3-securetty-console.patch120
-rw-r--r--extra/source/pam/slack-desc19
14 files changed, 0 insertions, 2931 deletions
diff --git a/extra/source/pam/make-pam-solibs-for-chrome.sh b/extra/source/pam/make-pam-solibs-for-chrome.sh
deleted file mode 100755
index e7cd4c9e..00000000
--- a/extra/source/pam/make-pam-solibs-for-chrome.sh
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/bin/sh
-
-# Copyright 2011 Patrick J. Volkerding, Sebeka, Minnesota, USA
-# All rights reserved.
-#
-# Redistribution and use of this script, with or without modification, is
-# permitted provided that the following conditions are met:
-#
-# 1. Redistributions of this script must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
-# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# This expects to find a file pam-*.txz in the local directory that
-# will contain a usable PAM shared library to satify the requirement
-# for that library. To get whatever is actually using PAM working is
-# going to need more PAM structure installed, but luckily I've yet to
-# encounter what needs it and everything works fine with only the
-# libpam.so.0 installed.
-
-if ! ls pam-*-*-*.txz 1> /dev/null 2> /dev/null ; then
- echo "FAIL: no Slackware pam txz package found."
- exit 1
-fi
-
-PKGNAM=google-chrome-pam-solibs
-VERSION=${VERSION:-$(echo pam-*-*-*.txz | cut -f 2 -d -)}
-ARCH=${ARCH:-$(echo pam-*-*-*.txz | cut -f 3 -d -)}
-BUILD=${BUILD:-$(echo pam-*-*-*.txz | cut -f 4 -d - | cut -f 1 -d .)}
-
-CWD=$(pwd)
-TMP=${TMP:-/tmp}
-PKG=$TMP/package-$PKGNAM
-rm -rf $PKG
-mkdir -p $TMP $PKG
-
-cd $PKG
-mkdir tmp
-( cd tmp
- explodepkg $CWD/pam-$VERSION-$ARCH-$BUILD.txz
- sh install/doinst.sh
-)
-mkdir -p $PKG/opt/google/chrome
-if [ -d tmp/lib64 ]; then
- cp -a tmp/lib64/libpam.so.0* $PKG/opt/google/chrome
-else
- cp -a tmp/lib/libpam.so.0* $PKG/opt/google/chrome
-fi
-rm -rf $PKG/tmp
-
-mkdir -p $PKG/install
-cat << EOF > $PKG/install/slack-desc
-# HOW TO EDIT THIS FILE:
-# The "handy ruler" below makes it easier to edit a package description. Line
-# up the first '|' above the ':' following the base package name, and the '|'
-# on the right side marks the last column you can put a character in. You must
-# make exactly 11 lines for the formatting to be correct. It's also
-# customary to leave one space after the ':'.
- |-----handy-ruler------------------------------------------------------|
-google-chrome-pam-solibs: google-chrome-pam-solibs (libpam.so.0)
-google-chrome-pam-solibs:
-google-chrome-pam-solibs: This is a package that provides libpam.so.0 to satisfy the library
-google-chrome-pam-solibs: requirement for Google Chrome when that is installed in the
-google-chrome-pam-solibs: usual /opt/google/chrome directory. It does not provide any other
-google-chrome-pam-solibs: PAM features, and cannot be used to compile against or by other
-google-chrome-pam-solibs: programs. If you need real PAM for some reason (like to compile
-google-chrome-pam-solibs: Chromium), please see the pam.SlackBuild in the source directory.
-google-chrome-pam-solibs:
-google-chrome-pam-solibs:
-google-chrome-pam-solibs:
-EOF
-
-cd $PKG
-/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD$TAG.txz
-
diff --git a/extra/source/pam/pam.SlackBuild b/extra/source/pam/pam.SlackBuild
deleted file mode 100755
index bbea0617..00000000
--- a/extra/source/pam/pam.SlackBuild
+++ /dev/null
@@ -1,173 +0,0 @@
-#!/bin/sh
-
-# Copyright 2010 Vincent Batts, vbatts@hashbangbash.com
-# Copyright 2010, 2011 Patrick J. Volkerding, Sebeka, Minnesota, USA
-# All rights reserved.
-#
-# Redistribution and use of this script, with or without modification, is
-# permitted provided that the following conditions are met:
-#
-# 1. Redistributions of this script must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
-# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Call the church police! ;-)
-SRCNAM=Linux-PAM
-PKGNAM=pam
-PAMRHVER=${PAMRHVER:-$(echo pam-redhat-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1,2 -d - | rev)}
-VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
-
-# Automatically determine the architecture we're building on:
-if [ -z "$ARCH" ]; then
- case "$( uname -m )" in
- i?86) export ARCH=i486 ;;
- arm*) export ARCH=arm ;;
- # Unless $ARCH is already set, use uname -m for all other archs:
- *) export ARCH=$( uname -m ) ;;
- esac
-fi
-
-NUMJOBS=${NUMJOBS:--j7}
-
-if [ "$ARCH" = "i386" ]; then
- SLKCFLAGS="-O2 -march=i386 -mcpu=i686"
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "i486" ]; then
- SLKCFLAGS="-O2 -march=i486 -mtune=i686"
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "s390" ]; then
- SLKCFLAGS="-O2"
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "x86_64" ]; then
- SLKCFLAGS="-O2 -fPIC"
- LIBDIRSUFFIX="64"
-else
- SLKCFLAGS="-O2"
- LIBDIRSUFFIX=""
-fi
-
-CWD=$(pwd)
-TMP=${TMP:-/tmp}
-PKG=$TMP/package-$PKGNAM
-
-rm -rf $PKG
-mkdir -p $TMP $PKG
-
-cd $TMP
-rm -rf $SRCNAM-$VERSION
-tar xvf $CWD/$SRCNAM-$VERSION.tar.?z* || exit 1
-cd $SRCNAM-$VERSION || exit 1
-
-# Better take the Red Hat added modules and patches, because that's very
-# likely to be the most standard as far as PAM goes:
-tar xvf $CWD/pam-redhat-$PAMRHVER.tar.?z* || exit 1
-mv pam-redhat-$PAMRHVER/{CHANGELOG*,COPYING*,README*} .
-mv pam-redhat-$PAMRHVER/* modules
-zcat $CWD/patches/pam-1.0.90-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.0.91-std-noclose.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.0-notally.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.1-faillock.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.2-noflex.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.3-faillock-screensaver.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.3-limits-nosetreuid.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.3-limits-range.patch.gz | patch -p0 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.3-pwhistory-incomplete.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/patches/pam-1.1.3-securetty-console.patch.gz | patch -p0 --verbose || exit 1
-
-# Churn some patches from .am -> .in:
-autoreconf -f
-
-# Make these 2 man pages or the build falls over later on:
-( cd modules/pam_faillock
- xmlto man faillock.8.xml
- xmlto man pam_faillock.8.xml
-)
-
-chown -R root:root .
-find . \
- \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
- -exec chmod 755 {} \; -o \
- \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
- -exec chmod 644 {} \;
-
-CFLAGS="$SLKCFLAGS" \
-CXXFLAGS="$SLKCFLAGS" \
-./configure \
- --prefix=/ \
- --libdir=/lib${LIBDIRSUFFIX} \
- --sysconfdir=/etc \
- --includedir=/usr/include/security \
- --datarootdir=/usr/share \
- --localstatedir=/var \
- --mandir=/usr/man \
- --docdir=/usr/doc/$PKGNAM-$VERSION \
- --enable-read-both-confs \
- --disable-prelude \
- --disable-selinux \
- --build=$ARCH-slackware-linux || exit 1
-
-make $NUMJOBS || make || exit 1
-make install DESTDIR=$PKG || exit 1
-
-# this is a pam helper, that can only be called from pam
-chown root:shadow $PKG/sbin/unix_chkpwd
-chmod g+s $PKG/sbin/unix_chkpwd
-
-# Strip binaries:
-( cd $PKG
- find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
- find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
-)
-
-# Compress and if needed symlink the man pages:
-if [ -d $PKG/usr/man ]; then
- ( cd $PKG/usr/man
- for manpagedir in $(find . -type d -name "man*") ; do
- ( cd $manpagedir
- for eachpage in $( find . -type l -maxdepth 1) ; do
- ln -s $( readlink $eachpage ).gz $eachpage.gz
- rm $eachpage
- done
- gzip -9 *.?
- )
- done
- )
-fi
-
-mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
-cp -a \
- AUTHORS COPYING* Copyright NEWS README* \
- $PKG/usr/doc/$PKGNAM-$VERSION
-
-# If there's a ChangeLog, installing at least part of the recent history
-# is useful, but don't let it get totally out of control:
-if [ -r ChangeLog ]; then
- DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
- cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
- touch -r ChangeLog $DOCSDIR/ChangeLog
-fi
-if [ -r CHANGELOG ]; then
- DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
- cat CHANGELOG | head -n 1000 > $DOCSDIR/CHANGELOG
- touch -r CHANGELOG $DOCSDIR/CHANGELOG
-fi
-rm -f $PKG/usr/doc/$PKGNAM-$VERSION/index.html
-
-mkdir -p $PKG/install
-cat $CWD/slack-desc > $PKG/install/slack-desc
-
-cd $PKG
-/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD$TAG.txz
-
diff --git a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch b/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch
deleted file mode 100644
index 3ad41ccc..00000000
--- a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am
---- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100
-+++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100
-@@ -3,6 +3,7 @@
- #
-
- SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
-+ pam_chroot pam_console pam_postgresok \
- pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
- pam_listfile pam_localuser pam_loginuid pam_mail \
-diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in
---- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100
-+++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100
-@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
- libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
- po/Makefile.in \
- modules/Makefile \
-+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
-+ modules/pam_postgresok/Makefile \
- modules/pam_access/Makefile modules/pam_cracklib/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
diff --git a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch b/extra/source/pam/patches/pam-1.0.91-std-noclose.patch
deleted file mode 100644
index 73594849..00000000
--- a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c
---- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
-+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100
-@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int
- if (child == 0) {
- int i;
- struct rlimit rlim;
-+ int dummyfds[2];
- static char *envp[] = { NULL };
- char *args[] = { NULL, NULL, NULL, NULL, NULL };
-
-+ /* replace std file descriptors with a dummy pipe */
-+ if (pipe(dummyfds) == 0) {
-+ dup2(dummyfds[0], STDIN_FILENO);
-+ dup2(dummyfds[1], STDOUT_FILENO);
-+ dup2(dummyfds[1], STDERR_FILENO);
-+ }
-+
- if (getrlimit(RLIMIT_NOFILE, &rlim)==0) {
- if (rlim.rlim_max >= MAX_FD_NO)
- rlim.rlim_max = MAX_FD_NO;
-- for (i=0; i < (int)rlim.rlim_max; i++) {
-+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
- close(i);
- }
- }
-diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c
---- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
-+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100
-@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h
-
- /* reopen stdin as pipe */
- dup2(fds[0], STDIN_FILENO);
-+ /* and replace also the stdout/err as the helper will
-+ not write anything there */
-+ dup2(fds[1], STDOUT_FILENO);
-+ dup2(fds[1], STDERR_FILENO);
-
- if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- if (rlim.rlim_max >= MAX_FD_NO)
- rlim.rlim_max = MAX_FD_NO;
-- for (i=0; i < (int)rlim.rlim_max; i++) {
-- if (i != STDIN_FILENO)
-- close(i);
-+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
-+ close(i);
- }
- }
-
-diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c
---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
-+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100
-@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h
-
- /* reopen stdin as pipe */
- dup2(fds[0], STDIN_FILENO);
-+ /* and replace also the stdout/err as the helper will
-+ not write anything there */
-+ dup2(fds[1], STDOUT_FILENO);
-+ dup2(fds[1], STDERR_FILENO);
-
- if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- if (rlim.rlim_max >= MAX_FD_NO)
- rlim.rlim_max = MAX_FD_NO;
-- for (i=0; i < (int)rlim.rlim_max; i++) {
-- if (i != STDIN_FILENO)
-- close(i);
-+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
-+ close(i);
- }
- }
-
-diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c
---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
-+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100
-@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t
-
- /* reopen stdout as pipe */
- dup2(fds[1], STDOUT_FILENO);
-+ /* and replace also the stdin, stderr so we do not exec the helper with
-+ tty as stdin, it will not read anything from there anyway */
-+ dup2(fds[0], STDIN_FILENO);
-+ dup2(fds[1], STDERR_FILENO);
-
- /* XXX - should really tidy up PAM here too */
-
- if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- if (rlim.rlim_max >= MAX_FD_NO)
- rlim.rlim_max = MAX_FD_NO;
-- for (i=0; i < (int)rlim.rlim_max; i++) {
-- if (i != STDOUT_FILENO) {
-- close(i);
-- }
-+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
-+ close(i);
- }
- }
-
diff --git a/extra/source/pam/patches/pam-1.1.0-notally.patch b/extra/source/pam/patches/pam-1.1.0-notally.patch
deleted file mode 100644
index 9327eecb..00000000
--- a/extra/source/pam/patches/pam-1.1.0-notally.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
---- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200
-+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200
-@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
- pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
- pam_selinux pam_sepermit pam_shells pam_stress \
-- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
-+ pam_succeed_if pam_tally2 pam_time pam_timestamp \
- pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
-
diff --git a/extra/source/pam/patches/pam-1.1.1-faillock.patch b/extra/source/pam/patches/pam-1.1.1-faillock.patch
deleted file mode 100644
index 46f30374..00000000
--- a/extra/source/pam/patches/pam-1.1.1-faillock.patch
+++ /dev/null
@@ -1,1712 +0,0 @@
-diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
---- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200
-@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
- modules/pam_access/Makefile modules/pam_cracklib/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
-- modules/pam_faildelay/Makefile \
-+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
- modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
- modules/pam_ftp/Makefile modules/pam_group/Makefile \
- modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
-diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
---- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200
-+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200
-@@ -0,0 +1,38 @@
-+<?xml version='1.0' encoding='UTF-8'?>
-+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-+<section id='sag-pam_faillock'>
-+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
-+ <cmdsynopsis>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
-+ </cmdsynopsis>
-+ <cmdsynopsis>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
-+ </cmdsynopsis>
-+ <section id='sag-pam_faillock-description'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-options'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-types'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-return_values'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-examples'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
-+ </section>
-+ <section id='sag-pam_faillock-author'>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
-+ </section>
-+</section>
-diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
---- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200
-@@ -3,7 +3,7 @@
- #
-
- SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
-- pam_chroot pam_console pam_postgresok \
-+ pam_chroot pam_console pam_postgresok pam_faillock \
- pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
- pam_listfile pam_localuser pam_loginuid pam_mail \
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,147 @@
-+/*
-+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions. (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "config.h"
-+#include <string.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <errno.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/file.h>
-+#include <fcntl.h>
-+#include <security/pam_modutil.h>
-+
-+#include "faillock.h"
-+
-+int
-+open_tally (const char *dir, const char *user, int create)
-+{
-+ char *path;
-+ int flags = O_RDWR;
-+ int fd;
-+
-+ if (strstr(user, "../") != NULL)
-+ /* just a defensive programming as the user must be a
-+ * valid user on the system anyway
-+ */
-+ return -1;
-+ path = malloc(strlen(dir) + strlen(user) + 2);
-+ if (path == NULL)
-+ return -1;
-+
-+ strcpy(path, dir);
-+ if (*dir && dir[strlen(dir) - 1] != '/') {
-+ strcat(path, "/");
-+ }
-+ strcat(path, user);
-+
-+ if (create) {
-+ flags |= O_CREAT;
-+ }
-+
-+ fd = open(path, flags, 0600);
-+
-+ if (fd != -1)
-+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
-+
-+ return fd;
-+}
-+
-+#define CHUNK_SIZE (64 * sizeof(struct tally))
-+#define MAX_RECORDS 1024
-+
-+int
-+read_tally(int fd, struct tally_data *tallies)
-+{
-+ void *data = NULL, *newdata;
-+ unsigned int count = 0;
-+ ssize_t chunk = 0;
-+
-+ do {
-+ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE);
-+ if (newdata == NULL) {
-+ free(data);
-+ return -1;
-+ }
-+
-+ data = newdata;
-+
-+ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE);
-+ if (chunk < 0) {
-+ free(data);
-+ return -1;
-+ }
-+
-+ count += chunk/sizeof(struct tally);
-+
-+ if (count >= MAX_RECORDS)
-+ break;
-+ }
-+ while (chunk == CHUNK_SIZE);
-+
-+ tallies->records = data;
-+ tallies->count = count;
-+
-+ return 0;
-+}
-+
-+int
-+update_tally(int fd, struct tally_data *tallies)
-+{
-+ void *data = tallies->records;
-+ unsigned int count = tallies->count;
-+ ssize_t chunk;
-+
-+ if (tallies->count > MAX_RECORDS) {
-+ data = tallies->records + (count - MAX_RECORDS);
-+ count = MAX_RECORDS;
-+ }
-+
-+ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
-+ return -1;
-+ }
-+
-+ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally));
-+
-+ if (chunk != (ssize_t)(count * sizeof(struct tally))) {
-+ return -1;
-+ }
-+
-+ if (ftruncate(fd, count * sizeof(struct tally)) == -1)
-+ return -1;
-+
-+ return 0;
-+}
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,72 @@
-+/*
-+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions. (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/*
-+ * faillock.h - authentication failure data file record structure
-+ *
-+ * Each record in the file represents an instance of login failure of
-+ * the user at the recorded time
-+ */
-+
-+
-+#ifndef _FAILLOCK_H
-+#define _FAILLOCK_H
-+
-+#include <stdint.h>
-+
-+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
-+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
-+#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */
-+
-+struct tally {
-+ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */
-+ uint16_t reserved; /* reserved for future use */
-+ uint16_t status; /* record status */
-+ uint64_t time; /* time of the login failure */
-+};
-+/* 64 bytes per entry */
-+
-+struct tally_data {
-+ struct tally *records; /* array of tallies */
-+ unsigned int count; /* number of records */
-+};
-+
-+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
-+
-+int open_tally(const char *dir, const char *user, int create);
-+int read_tally(int fd, struct tally_data *tallies);
-+int update_tally(int fd, struct tally_data *tallies);
-+#endif
-+
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,123 @@
-+<?xml version="1.0" encoding='UTF-8'?>
-+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-+
-+<refentry id="faillock">
-+
-+ <refmeta>
-+ <refentrytitle>faillock</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
-+ </refmeta>
-+
-+ <refnamediv id="pam_faillock-name">
-+ <refname>faillock</refname>
-+ <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>
-+ </refnamediv>
-+
-+ <refsynopsisdiv>
-+ <cmdsynopsis id="faillock-cmdsynopsis">
-+ <command>faillock</command>
-+ <arg choice="opt">
-+ --dir <replaceable>/path/to/tally-directory</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ --user <replaceable>username</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ --reset
-+ </arg>
-+ </cmdsynopsis>
-+ </refsynopsisdiv>
-+
-+ <refsect1 id="faillock-description">
-+
-+ <title>DESCRIPTION</title>
-+
-+ <para>
-+ The <emphasis>pam_faillock.so</emphasis> module maintains a list of
-+ failed authentication attempts per user during a specified interval
-+ and locks the account in case there were more than
-+ <replaceable>deny</replaceable> consecutive failed authentications.
-+ It stores the failure records into per-user files in the tally
-+ directory.
-+ </para>
-+ <para>
-+ The <command>faillock</command> command is an application which
-+ can be used to examine and modify the contents of the
-+ the tally files. It can display the recent failed authentication
-+ attempts of the <replaceable>username</replaceable> or clear the tally
-+ files of all or individual <replaceable>usernames</replaceable>.
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id="faillock-options">
-+
-+ <title>OPTIONS</title>
-+ <variablelist>
-+ <varlistentry>
-+ <term>
-+ <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The directory where the user files with the failure records are kept. The
-+ default is <filename>/var/run/faillock</filename>.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>--user <replaceable>username</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The user whose failure records should be displayed or cleared.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>--reset</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Instead of displaying the user's failure records, clear them.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
-+ </refsect1>
-+
-+ <refsect1 id="faillock-files">
-+ <title>FILES</title>
-+ <variablelist>
-+ <varlistentry>
-+ <term><filename>/var/run/faillock/*</filename></term>
-+ <listitem>
-+ <para>the files logging the authentication failures for users</para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
-+ </refsect1>
-+
-+ <refsect1 id='faillock-see_also'>
-+ <title>SEE ALSO</title>
-+ <para>
-+ <citerefentry>
-+ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id='faillock-author'>
-+ <title>AUTHOR</title>
-+ <para>
-+ faillock was written by Tomas Mraz.
-+ </para>
-+ </refsect1>
-+
-+</refentry>
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
---- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,231 @@
-+/*
-+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions. (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "config.h"
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <dirent.h>
-+#include <errno.h>
-+#include <pwd.h>
-+#include <time.h>
-+#ifdef HAVE_LIBAUDIT
-+#include <libaudit.h>
-+#endif
-+
-+#include "faillock.h"
-+
-+struct options {
-+ unsigned int reset;
-+ const char *dir;
-+ const char *user;
-+ const char *progname;
-+};
-+
-+static int
-+args_parse(int argc, char **argv, struct options *opts)
-+{
-+ int i;
-+ memset(opts, 0, sizeof(*opts));
-+
-+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
-+ opts->progname = argv[0];
-+
-+ for (i = 1; i < argc; ++i) {
-+
-+ if (strcmp(argv[i], "--dir") == 0) {
-+ ++i;
-+ if (i >= argc || strlen(argv[i]) == 0) {
-+ fprintf(stderr, "%s: No directory supplied.\n", argv[0]);
-+ return -1;
-+ }
-+ opts->dir = argv[i];
-+ }
-+ else if (strcmp(argv[i], "--user") == 0) {
-+ ++i;
-+ if (i >= argc || strlen(argv[i]) == 0) {
-+ fprintf(stderr, "%s: No user name supplied.\n", argv[0]);
-+ return -1;
-+ }
-+ opts->user = argv[i];
-+ }
-+ else if (strcmp(argv[i], "--reset") == 0) {
-+ opts->reset = 1;
-+ }
-+ else {
-+ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]);
-+ return -1;
-+ }
-+ }
-+ return 0;
-+}
-+
-+static void
-+usage(const char *progname)
-+{
-+ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"),
-+ progname);
-+}
-+
-+static int
-+do_user(struct options *opts, const char *user)
-+{
-+ int fd;
-+ int rv;
-+ struct tally_data tallies;
-+
-+ fd = open_tally(opts->dir, user, 0);
-+
-+ if (fd == -1) {
-+ if (errno == ENOENT) {
-+ return 0;
-+ }
-+ else {
-+ fprintf(stderr, "%s: Error opening the tally file for %s:",
-+ opts->progname, user);
-+ perror(NULL);
-+ return 3;
-+ }
-+ }
-+ if (opts->reset) {
-+#ifdef HAVE_LIBAUDIT
-+ char buf[64];
-+ int audit_fd;
-+#endif
-+
-+ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR);
-+ if (rv == -1) {
-+ fprintf(stderr, "%s: Error clearing the tally file for %s:",
-+ opts->progname, user);
-+ perror(NULL);
-+#ifdef HAVE_LIBAUDIT
-+ }
-+ if ((audit_fd=audit_open()) >= 0) {
-+ struct passwd *pwd;
-+
-+ if ((pwd=getpwnam(user)) != NULL) {
-+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
-+ pwd->pw_uid);
-+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-+ buf, NULL, NULL, NULL, rv == 0);
-+ }
-+ close(audit_fd);
-+ }
-+ if (rv == -1) {
-+#endif
-+ close(fd);
-+ return 4;
-+ }
-+ }
-+ else {
-+ unsigned int i;
-+
-+ memset(&tallies, 0, sizeof(tallies));
-+ if ((rv=read_tally(fd, &tallies)) == -1) {
-+ fprintf(stderr, "%s: Error reading the tally file for %s:",
-+ opts->progname, user);
-+ perror(NULL);
-+ close(fd);
-+ return 5;
-+ }
-+
-+ printf("%s:\n", user);
-+ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid");
-+
-+ for (i = 0; i < tallies.count; i++) {
-+ struct tm *tm;
-+ char timebuf[80];
-+ uint16_t status = tallies.records[i].status;
-+ time_t when = tallies.records[i].time;
-+
-+ tm = localtime(&when);
-+ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm);
-+ printf("%-19s %-5s %-52.52s %s\n", timebuf,
-+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
-+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
-+ }
-+ free(tallies.records);
-+ }
-+ close(fd);
-+ return 0;
-+}
-+
-+static int
-+do_allusers(struct options *opts)
-+{
-+ struct dirent **userlist;
-+ int rv, i;
-+
-+ rv = scandir(opts->dir, &userlist, NULL, alphasort);
-+ if (rv < 0) {
-+ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);
-+ perror(NULL);
-+ return 2;
-+ }
-+
-+ for (i = 0; i < rv; i++) {
-+ if (userlist[i]->d_name[0] == '.') {
-+ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') ||
-+ userlist[i]->d_name[1] == '\0')
-+ continue;
-+ }
-+ do_user(opts, userlist[i]->d_name);
-+ free(userlist[i]);
-+ }
-+ free(userlist);
-+
-+ return 0;
-+}
-+
-+
-+/*-----------------------------------------------------------------------*/
-+int
-+main (int argc, char *argv[])
-+{
-+ struct options opts;
-+
-+ if (args_parse(argc, argv, &opts)) {
-+ usage(argv[0]);
-+ return 1;
-+ }
-+
-+ if (opts.user == NULL) {
-+ return do_allusers(&opts);
-+ }
-+
-+ return do_user(&opts, opts.user);
-+}
-+
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
---- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,43 @@
-+#
-+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
-+# Copyright (c) 2008 Red Hat, Inc.
-+# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+#
-+
-+CLEANFILES = *~
-+MAINTAINERCLEANFILES = $(MANS) README
-+
-+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock
-+
-+man_MANS = pam_faillock.8 faillock.8
-+XMLS = README.xml pam_faillock.8.xml faillock.8.xml
-+
-+TESTS = tst-pam_faillock
-+
-+securelibdir = $(SECUREDIR)
-+secureconfdir = $(SCONFIGDIR)
-+
-+noinst_HEADERS = faillock.h
-+
-+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-+
-+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
-+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
-+if HAVE_VERSIONING
-+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-+endif
-+
-+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
-+
-+securelib_LTLIBRARIES = pam_faillock.la
-+sbin_PROGRAMS = faillock
-+
-+pam_faillock_la_SOURCES = pam_faillock.c faillock.c
-+faillock_SOURCES = main.c faillock.c
-+
-+if ENABLE_REGENERATE_MAN
-+noinst_DATA = README
-+README: pam_faillock.8.xml
-+-include $(top_srcdir)/Make.xml.rules
-+endif
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,550 @@
-+/*
-+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions. (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "config.h"
-+#include <stdio.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <stdint.h>
-+#include <stdlib.h>
-+#include <errno.h>
-+#include <time.h>
-+#include <pwd.h>
-+#include <syslog.h>
-+
-+#ifdef HAVE_LIBAUDIT
-+#include <libaudit.h>
-+#endif
-+
-+#include <security/pam_modules.h>
-+#include <security/pam_modutil.h>
-+#include <security/pam_ext.h>
-+
-+#include "faillock.h"
-+
-+#define PAM_SM_AUTH
-+#define PAM_SM_ACCOUNT
-+
-+#define FAILLOCK_ACTION_PREAUTH 0
-+#define FAILLOCK_ACTION_AUTHSUCC 1
-+#define FAILLOCK_ACTION_AUTHFAIL 2
-+
-+#define FAILLOCK_FLAG_DENY_ROOT 0x1
-+#define FAILLOCK_FLAG_AUDIT 0x2
-+#define FAILLOCK_FLAG_SILENT 0x4
-+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8
-+#define FAILLOCK_FLAG_UNLOCKED 0x10
-+
-+#define MAX_TIME_INTERVAL 604800 /* 7 days */
-+
-+struct options {
-+ unsigned int action;
-+ unsigned int flags;
-+ unsigned short deny;
-+ unsigned int fail_interval;
-+ unsigned int unlock_time;
-+ unsigned int root_unlock_time;
-+ const char *dir;
-+ const char *user;
-+ int failures;
-+ uint64_t latest_time;
-+ uid_t uid;
-+ uint64_t now;
-+};
-+
-+static void
-+args_parse(pam_handle_t *pamh, int argc, const char **argv,
-+ int flags, struct options *opts)
-+{
-+ int i;
-+ memset(opts, 0, sizeof(*opts));
-+
-+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
-+ opts->deny = 3;
-+ opts->fail_interval = 900;
-+ opts->unlock_time = 600;
-+ opts->root_unlock_time = MAX_TIME_INTERVAL+1;
-+
-+ for (i = 0; i < argc; ++i) {
-+
-+ if (strncmp(argv[i], "dir=", 4) == 0) {
-+ if (argv[i][4] != '/') {
-+ pam_syslog(pamh, LOG_ERR,
-+ "Tally directory is not absolute path (%s); keeping default", argv[i]);
-+ } else {
-+ opts->dir = argv[i]+4;
-+ }
-+ }
-+ else if (strncmp(argv[i], "deny=", 5) == 0) {
-+ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) {
-+ pam_syslog(pamh, LOG_ERR,
-+ "Bad number supplied for deny argument");
-+ }
-+ }
-+ else if (strncmp(argv[i], "fail_interval=", 14) == 0) {
-+ unsigned int temp;
-+ if (sscanf(argv[i]+14, "%u", &temp) != 1 ||
-+ temp > MAX_TIME_INTERVAL) {
-+ pam_syslog(pamh, LOG_ERR,
-+ "Bad number supplied for fail_interval argument");
-+ } else {
-+ opts->fail_interval = temp;
-+ }
-+ }
-+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
-+ unsigned int temp;
-+ if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
-+ temp > MAX_TIME_INTERVAL) {
-+ pam_syslog(pamh, LOG_ERR,
-+ "Bad number supplied for unlock_time argument");
-+ } else {
-+ opts->unlock_time = temp;
-+ }
-+ }
-+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
-+ unsigned int temp;
-+ if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
-+ temp > MAX_TIME_INTERVAL) {
-+ pam_syslog(pamh, LOG_ERR,
-+ "Bad number supplied for root_unlock_time argument");
-+ } else {
-+ opts->root_unlock_time = temp;
-+ }
-+ }
-+ else if (strcmp(argv[i], "preauth") == 0) {
-+ opts->action = FAILLOCK_ACTION_PREAUTH;
-+ }
-+ else if (strcmp(argv[i], "authfail") == 0) {
-+ opts->action = FAILLOCK_ACTION_AUTHFAIL;
-+ }
-+ else if (strcmp(argv[i], "authsucc") == 0) {
-+ opts->action = FAILLOCK_ACTION_AUTHSUCC;
-+ }
-+ else if (strcmp(argv[i], "even_deny_root") == 0) {
-+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
-+ }
-+ else if (strcmp(argv[i], "audit") == 0) {
-+ opts->flags |= FAILLOCK_FLAG_AUDIT;
-+ }
-+ else if (strcmp(argv[i], "silent") == 0) {
-+ opts->flags |= FAILLOCK_FLAG_SILENT;
-+ }
-+ else if (strcmp(argv[i], "no_log_info") == 0) {
-+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
-+ }
-+ else {
-+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]);
-+ }
-+ }
-+
-+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
-+ opts->root_unlock_time = opts->unlock_time;
-+ if (flags & PAM_SILENT)
-+ opts->flags |= FAILLOCK_FLAG_SILENT;
-+}
-+
-+static int get_pam_user(pam_handle_t *pamh, struct options *opts)
-+{
-+ const char *user;
-+ int rv;
-+ struct passwd *pwd;
-+
-+ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
-+ return rv;
-+ }
-+
-+ if (*user == '\0') {
-+ return PAM_IGNORE;
-+ }
-+
-+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
-+ if (opts->flags & FAILLOCK_FLAG_AUDIT) {
-+ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user);
-+ }
-+ else {
-+ pam_syslog(pamh, LOG_ERR, "User unknown");
-+ }
-+ return PAM_IGNORE;
-+ }
-+ opts->user = user;
-+ opts->uid = pwd->pw_uid;
-+ return PAM_SUCCESS;
-+}
-+
-+static int
-+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
-+{
-+ int tfd;
-+ unsigned int i;
-+ uint64_t latest_time;
-+ int failures;
-+
-+ opts->now = time(NULL);
-+
-+ tfd = open_tally(opts->dir, opts->user, 0);
-+
-+ *fd = tfd;
-+
-+ if (tfd == -1) {
-+ if (errno == EACCES || errno == ENOENT) {
-+ return PAM_SUCCESS;
-+ }
-+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
-+ return PAM_SYSTEM_ERR;
-+ }
-+
-+ if (read_tally(tfd, tallies) != 0) {
-+ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user);
-+ return PAM_SYSTEM_ERR;
-+ }
-+
-+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+ return PAM_SUCCESS;
-+ }
-+
-+ latest_time = 0;
-+ for(i = 0; i < tallies->count; i++) {
-+ if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
-+ tallies->records[i].time > latest_time)
-+ latest_time = tallies->records[i].time;
-+ }
-+
-+ opts->latest_time = latest_time;
-+
-+ failures = 0;
-+ for(i = 0; i < tallies->count; i++) {
-+ if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
-+ latest_time - tallies->records[i].time < opts->fail_interval) {
-+ ++failures;
-+ }
-+ }
-+
-+ opts->failures = failures;
-+
-+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+ return PAM_SUCCESS;
-+ }
-+
-+ if (opts->deny && failures >= opts->deny) {
-+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
-+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
-+#ifdef HAVE_LIBAUDIT
-+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
-+ char buf[64];
-+ int audit_fd;
-+
-+ audit_fd = audit_open();
-+ /* If there is an error & audit support is in the kernel report error */
-+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT))
-+ return PAM_SYSTEM_ERR;
-+
-+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
-+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
-+ NULL, NULL, NULL, 1);
-+ }
-+#endif
-+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
-+ return PAM_SUCCESS;
-+ }
-+ return PAM_AUTH_ERR;
-+ }
-+ return PAM_SUCCESS;
-+}
-+
-+static void
-+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
-+{
-+ int rv;
-+
-+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
-+ if (rv == -1) {
-+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
-+ }
-+}
-+
-+static int
-+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
-+{
-+ struct tally *records;
-+ unsigned int i;
-+ int failures;
-+ unsigned int oldest;
-+ uint64_t oldtime;
-+ const void *source = NULL;
-+
-+ if (*fd == -1) {
-+ *fd = open_tally(opts->dir, opts->user, 1);
-+ }
-+ if (*fd == -1) {
-+ if (errno == EACCES) {
-+ return PAM_SUCCESS;
-+ }
-+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
-+ return PAM_SYSTEM_ERR;
-+ }
-+
-+ oldtime = 0;
-+ oldest = 0;
-+ failures = 0;
-+
-+ for (i = 0; i < tallies->count; ++i) {
-+ if (tallies->records[i].time < oldtime) {
-+ oldtime = tallies->records[i].time;
-+ oldest = i;
-+ }
-+ if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
-+ opts->now - tallies->records[i].time >= opts->fail_interval ) {
-+ tallies->records[i].status &= ~TALLY_STATUS_VALID;
-+ } else {
-+ ++failures;
-+ }
-+ }
-+
-+ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) {
-+ oldest = tallies->count;
-+
-+ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) {
-+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m");
-+ return PAM_BUF_ERR;
-+ }
-+
-+ ++tallies->count;
-+ tallies->records = records;
-+ }
-+
-+ memset(&tallies->records[oldest], 0, sizeof (*tallies->records));
-+
-+ tallies->records[oldest].status = TALLY_STATUS_VALID;
-+ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) {
-+ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) {
-+ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) {
-+ source = "";
-+ }
-+ }
-+ else {
-+ tallies->records[oldest].status |= TALLY_STATUS_TTY;
-+ }
-+ }
-+ else {
-+ tallies->records[oldest].status |= TALLY_STATUS_RHOST;
-+ }
-+
-+ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source));
-+ /* source does not have to be null terminated */
-+
-+ tallies->records[oldest].time = opts->now;
-+
-+ ++failures;
-+
-+ if (opts->deny && failures == opts->deny) {
-+#ifdef HAVE_LIBAUDIT
-+ char buf[64];
-+ int audit_fd;
-+
-+ audit_fd = audit_open();
-+ /* If there is an error & audit support is in the kernel report error */
-+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT))
-+ return PAM_SYSTEM_ERR;
-+
-+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
-+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
-+ NULL, NULL, NULL, 1);
-+
-+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
-+ NULL, NULL, NULL, 1);
-+ }
-+ close(audit_fd);
-+#endif
-+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
-+ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
-+ opts->user);
-+ }
-+ }
-+
-+ if (update_tally(*fd, tallies) == 0)
-+ return PAM_SUCCESS;
-+
-+ return PAM_SYSTEM_ERR;
-+}
-+
-+static void
-+faillock_message(pam_handle_t *pamh, struct options *opts)
-+{
-+ int64_t left;
-+
-+ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
-+ if (opts->uid) {
-+ left = opts->latest_time + opts->unlock_time - opts->now;
-+ }
-+ else {
-+ left = opts->latest_time + opts->root_unlock_time - opts->now;
-+ }
-+
-+ left /= 60; /* minutes */
-+
-+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
-+ opts->failures);
-+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
-+ }
-+}
-+
-+static void
-+tally_cleanup(struct tally_data *tallies, int fd)
-+{
-+ if (fd != -1) {
-+ close(fd);
-+ }
-+
-+ free(tallies->records);
-+}
-+
-+/*---------------------------------------------------------------------*/
-+
-+PAM_EXTERN int
-+pam_sm_authenticate(pam_handle_t *pamh, int flags,
-+ int argc, const char **argv)
-+{
-+ struct options opts;
-+ int rv, fd = -1;
-+ struct tally_data tallies;
-+
-+ memset(&tallies, 0, sizeof(tallies));
-+
-+ args_parse(pamh, argc, argv, flags, &opts);
-+
-+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
-+
-+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
-+ return rv;
-+ }
-+
-+ switch (opts.action) {
-+ case FAILLOCK_ACTION_PREAUTH:
-+ rv = check_tally(pamh, &opts, &tallies, &fd);
-+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
-+ faillock_message(pamh, &opts);
-+ }
-+ break;
-+
-+ case FAILLOCK_ACTION_AUTHSUCC:
-+ rv = check_tally(pamh, &opts, &tallies, &fd);
-+ if (rv == PAM_SUCCESS && fd != -1) {
-+ reset_tally(pamh, &opts, &fd);
-+ }
-+ break;
-+
-+ case FAILLOCK_ACTION_AUTHFAIL:
-+ rv = check_tally(pamh, &opts, &tallies, &fd);
-+ if (rv == PAM_SUCCESS) {
-+ rv = PAM_IGNORE; /* this return value should be ignored */
-+ write_tally(pamh, &opts, &tallies, &fd);
-+ }
-+ break;
-+ }
-+
-+ tally_cleanup(&tallies, fd);
-+
-+ return rv;
-+}
-+
-+/*---------------------------------------------------------------------*/
-+
-+PAM_EXTERN int
-+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
-+ int argc UNUSED, const char **argv UNUSED)
-+{
-+ return PAM_SUCCESS;
-+}
-+
-+/*---------------------------------------------------------------------*/
-+
-+PAM_EXTERN int
-+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
-+ int argc, const char **argv)
-+{
-+ struct options opts;
-+ int rv, fd = -1;
-+ struct tally_data tallies;
-+
-+ memset(&tallies, 0, sizeof(tallies));
-+
-+ args_parse(pamh, argc, argv, flags, &opts);
-+
-+ opts.action = FAILLOCK_ACTION_AUTHSUCC;
-+
-+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
-+ return rv;
-+ }
-+
-+ check_tally(pamh, &opts, &tallies, &fd);
-+ if (fd != -1) {
-+ reset_tally(pamh, &opts, &fd);
-+ }
-+
-+ tally_cleanup(&tallies, fd);
-+
-+ return PAM_SUCCESS;
-+}
-+
-+/*-----------------------------------------------------------------------*/
-+
-+#ifdef PAM_STATIC
-+
-+/* static module data */
-+
-+struct pam_module _pam_faillock_modstruct = {
-+ MODULE_NAME,
-+#ifdef PAM_SM_AUTH
-+ pam_sm_authenticate,
-+ pam_sm_setcred,
-+#else
-+ NULL,
-+ NULL,
-+#endif
-+#ifdef PAM_SM_ACCOUNT
-+ pam_sm_acct_mgmt,
-+#else
-+ NULL,
-+#endif
-+ NULL,
-+ NULL,
-+ NULL,
-+};
-+
-+#endif /* #ifdef PAM_STATIC */
-+
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,396 @@
-+<?xml version="1.0" encoding='UTF-8'?>
-+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-+
-+<refentry id="pam_faillock">
-+
-+ <refmeta>
-+ <refentrytitle>pam_faillock</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
-+ </refmeta>
-+
-+ <refnamediv id="pam_faillock-name">
-+ <refname>pam_faillock</refname>
-+ <refpurpose>Module counting authentication failures during a specified interval</refpurpose>
-+ </refnamediv>
-+
-+ <refsynopsisdiv>
-+ <cmdsynopsis id="pam_faillock-cmdsynopsisauth">
-+ <command>auth ... pam_faillock.so</command>
-+ <arg choice="req">
-+ preauth|authfail|authsucc
-+ </arg>
-+ <arg choice="opt">
-+ dir=<replaceable>/path/to/tally-directory</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ even_deny_root
-+ </arg>
-+ <arg choice="opt">
-+ deny=<replaceable>n</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ fail_interval=<replaceable>n</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ unlock_time=<replaceable>n</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ root_unlock_time=<replaceable>n</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ audit
-+ </arg>
-+ <arg choice="opt">
-+ silent
-+ </arg>
-+ <arg choice="opt">
-+ no_log_info
-+ </arg>
-+ </cmdsynopsis>
-+ <cmdsynopsis id="pam_faillock-cmdsynopsisacct">
-+ <command>account ... pam_faillock.so</command>
-+ <arg choice="opt">
-+ dir=<replaceable>/path/to/tally-directory</replaceable>
-+ </arg>
-+ <arg choice="opt">
-+ no_log_info
-+ </arg>
-+ </cmdsynopsis>
-+ </refsynopsisdiv>
-+
-+ <refsect1 id="pam_faillock-description">
-+
-+ <title>DESCRIPTION</title>
-+
-+ <para>
-+ This module maintains a list of failed authentication attempts per
-+ user during a specified interval and locks the account in case
-+ there were more than <replaceable>deny</replaceable> consecutive
-+ failed authentications.
-+ </para>
-+ <para>
-+ Normally, failed attempts to authenticate <emphasis>root</emphasis> will
-+ <emphasis remap='B'>not</emphasis> cause the root account to become
-+ blocked, to prevent denial-of-service: if your users aren't given
-+ shell accounts and root may only login via <command>su</command> or
-+ at the machine console (not telnet/rsh, etc), this is safe.
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id="pam_faillock-options">
-+
-+ <title>OPTIONS</title>
-+ <variablelist>
-+ <varlistentry>
-+ <term>
-+ <option>{preauth|authfail|authsucc}</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ This argument must be set accordingly to the position of this module
-+ instance in the PAM stack.
-+ </para>
-+ <para>
-+ The <emphasis>preauth</emphasis> argument must be used when the module
-+ is called before the modules which ask for the user credentials such
-+ as the password. The module just examines whether the user should
-+ be blocked from accessing the service in case there were anomalous
-+ number of failed consecutive authentication attempts recently. This
-+ call is optional if <emphasis>authsucc</emphasis> is used.
-+ </para>
-+ <para>
-+ The <emphasis>authfail</emphasis> argument must be used when the module
-+ is called after the modules which determine the authentication outcome,
-+ failed. Unless the user is already blocked due to previous authentication
-+ failures, the module will record the failure into the appropriate user
-+ tally file.
-+ </para>
-+ <para>
-+ The <emphasis>authsucc</emphasis> argument must be used when the module
-+ is called after the modules which determine the authentication outcome,
-+ succeded. Unless the user is already blocked due to previous authentication
-+ failures, the module will then clear the record of the failures in the
-+ respective user tally file. Otherwise it will return authentication error.
-+ If this call is not done, the pam_faillock will not distinguish between
-+ consecutive and non-consecutive failed authentication attempts. The
-+ <emphasis>preauth</emphasis> call must be used in such case. Due to
-+ complications in the way the PAM stack can be configured it is also
-+ possible to call <emphasis>pam_faillock</emphasis> as an account module.
-+ In such configuration the module must be also called in the
-+ <emphasis>preauth</emphasis> stage.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The directory where the user files with the failure records are kept. The
-+ default is <filename>/var/run/faillock</filename>.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>audit</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Will log the user name into the system log if the user is not found.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>silent</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Don't print informative messages. This option is implicite
-+ in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>
-+ functions.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>no_log_info</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>deny=<replaceable>n</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Deny access if the number of consecutive authentication failures
-+ for this user during the recent interval exceeds
-+ <replaceable>n</replaceable>. The default is 3.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>fail_interval=<replaceable>n</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The length of the interval during which the consecutive
-+ authentication failures must happen for the user account
-+ lock out is <replaceable>n</replaceable> seconds.
-+ The default is 900 (15 minutes).
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>unlock_time=<replaceable>n</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The access will be reenabled after
-+ <replaceable>n</replaceable> seconds after the lock out.
-+ The default is 600 (10 minutes).
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>even_deny_root</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Root account can become locked as well as regular accounts.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>root_unlock_time=<replaceable>n</replaceable></option>
-+ </term>
-+ <listitem>
-+ <para>
-+ This option implies <option>even_deny_root</option> option.
-+ Allow access after <replaceable>n</replaceable> seconds
-+ to root account after the account is locked. In case the
-+ option is not specified the value is the same as of the
-+ <option>unlock_time</option> option.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
-+ </refsect1>
-+
-+ <refsect1 id="pam_faillock-types">
-+ <title>MODULE TYPES PROVIDED</title>
-+ <para>
-+ The <option>auth</option> and <option>account</option> module types are
-+ provided.
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id='pam_faillock-return_values'>
-+ <title>RETURN VALUES</title>
-+ <variablelist>
-+ <varlistentry>
-+ <term>PAM_AUTH_ERR</term>
-+ <listitem>
-+ <para>
-+ A invalid option was given, the module was not able
-+ to retrieve the user name, no valid counter file
-+ was found, or too many failed logins.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>PAM_SUCCESS</term>
-+ <listitem>
-+ <para>
-+ Everything was successful.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>PAM_IGNORE</term>
-+ <listitem>
-+ <para>
-+ User not present in passwd database.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
-+ </refsect1>
-+
-+ <refsect1 id='pam_faillock-notes'>
-+ <title>NOTES</title>
-+ <para>
-+ <emphasis>pam_faillock</emphasis> setup in the PAM stack is different
-+ from the <emphasis>pam_tally2</emphasis> module setup.
-+ </para>
-+ <para>
-+ There is no setuid wrapper for access to the data file such as when the
-+ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
-+ a screensaver. As this would make it impossible to share PAM configuration
-+ with such services the following workaround is used: If the data file
-+ cannot be opened because of insufficient permissions
-+ (<errorcode>EACCES</errorcode>) the module returns
-+ <errorcode>PAM_SUCCESS</errorcode>.
-+ </para>
-+ <para>
-+ Note that using the module in <option>preauth</option> without the
-+ <option>silent</option> option or with <emphasis>requisite</emphasis>
-+ control field leaks an information about existence or
-+ non-existence of an user account in the system because
-+ the failures are not recorded for the unknown users. The message
-+ about the user account being locked is never displayed for nonexisting
-+ user accounts allowing the adversary to infer that a particular account
-+ is not existing on a system.
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id='pam_faillock-examples'>
-+ <title>EXAMPLES</title>
-+ <para>
-+ Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>.
-+ They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive
-+ failed logins during the default interval of 15 minutes. Root account will be locked
-+ as well. The accounts will be automatically unlocked after 20 minutes.
-+ </para>
-+ <para>
-+ In the first example the module is called only in the <emphasis>auth</emphasis>
-+ phase and the module does not print any information about the account blocking
-+ by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can
-+ be added to tell the user that his login is blocked by the module and also to abort
-+ the authentication without even asking for password in such case.
-+ </para>
-+ <programlisting>
-+auth required pam_securetty.so
-+auth required pam_env.so
-+auth required pam_nologin.so
-+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
-+# to display the message about account being locked
-+auth [success=1 default=bad] pam_unix.so
-+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
-+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
-+auth required pam_deny.so
-+account required pam_unix.so
-+password required pam_unix.so shadow
-+session required pam_selinux.so close
-+session required pam_loginuid.so
-+session required pam_unix.so
-+session required pam_selinux.so open
-+ </programlisting>
-+ <para>
-+ In the second example the module is called both in the <emphasis>auth</emphasis>
-+ and <emphasis>account</emphasis> phases and the module gives the authenticating
-+ user message when the account is locked
-+ </para>
-+ <programlisting>
-+auth required pam_securetty.so
-+auth required pam_env.so
-+auth required pam_nologin.so
-+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200
-+# optionally use requisite above if you do not want to prompt for the password
-+# on locked accounts, possibly with removing the silent option as well
-+auth sufficient pam_unix.so
-+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
-+auth required pam_deny.so
-+account required pam_faillock.so
-+# if you drop the above call to pam_faillock.so the lock will be done also
-+# on non-consecutive authentication failures
-+account required pam_unix.so
-+password required pam_unix.so shadow
-+session required pam_selinux.so close
-+session required pam_loginuid.so
-+session required pam_unix.so
-+session required pam_selinux.so open
-+ </programlisting>
-+ </refsect1>
-+
-+ <refsect1 id="pam_faillock-files">
-+ <title>FILES</title>
-+ <variablelist>
-+ <varlistentry>
-+ <term><filename>/var/run/faillock/*</filename></term>
-+ <listitem>
-+ <para>the files logging the authentication failures for users</para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
-+ </refsect1>
-+
-+ <refsect1 id='pam_faillock-see_also'>
-+ <title>SEE ALSO</title>
-+ <para>
-+ <citerefentry>
-+ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>
-+ </para>
-+ </refsect1>
-+
-+ <refsect1 id='pam_faillock-author'>
-+ <title>AUTHOR</title>
-+ <para>
-+ pam_faillock was written by Tomas Mraz.
-+ </para>
-+ </refsect1>
-+
-+</refentry>
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
---- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,46 @@
-+<?xml version="1.0" encoding='UTF-8'?>
-+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-+"http://www.docbook.org/xml/4.3/docbookx.dtd"
-+[
-+<!--
-+<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml">
-+-->
-+]>
-+
-+<article>
-+
-+ <articleinfo>
-+
-+ <title>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/>
-+ </title>
-+
-+ </articleinfo>
-+
-+ <section>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
-+ </section>
-+
-+ <section>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
-+ </section>
-+
-+ <section>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/>
-+ </section>
-+
-+ <section>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
-+ </section>
-+
-+ <section>
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
-+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
-+ </section>
-+
-+</article>
-diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
---- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200
-+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+../../tests/tst-dlopen .libs/pam_faillock.so
diff --git a/extra/source/pam/patches/pam-1.1.2-noflex.patch b/extra/source/pam/patches/pam-1.1.2-noflex.patch
deleted file mode 100644
index fc965559..00000000
--- a/extra/source/pam/patches/pam-1.1.2-noflex.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am
---- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100
-+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200
-@@ -2,7 +2,7 @@
- # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
- #
-
--SUBDIRS = man specs sag adg mwg
-+SUBDIRS = man sag adg mwg
-
- CLEANFILES = *~
-
-diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am
---- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200
-+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200
-@@ -5,9 +5,9 @@
- AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-
- if STATIC_MODULES
--SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
-+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests
- else
--SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
-+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
- endif
-
- CLEANFILES = *~
diff --git a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch b/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch
deleted file mode 100644
index 249d2850..00000000
--- a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c
---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100
-@@ -41,13 +41,14 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/file.h>
-+#include <sys/stat.h>
- #include <fcntl.h>
- #include <security/pam_modutil.h>
-
- #include "faillock.h"
-
- int
--open_tally (const char *dir, const char *user, int create)
-+open_tally (const char *dir, const char *user, uid_t uid, int create)
- {
- char *path;
- int flags = O_RDWR;
-@@ -69,8 +70,18 @@ open_tally (const char *dir, const char
-
- fd = open(path, flags, 0600);
-
-- if (fd != -1)
-+ free(path);
-+
-+ if (fd != -1) {
-+ struct stat st;
-+
- while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
-+ if (fstat(fd, &st) == 0) {
-+ if (st.st_uid != uid) {
-+ fchown(fd, uid, -1);
-+ }
-+ }
-+ }
-
- return fd;
- }
-diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h
---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100
-@@ -45,6 +45,7 @@
- #define _FAILLOCK_H
-
- #include <stdint.h>
-+#include <sys/types.h>
-
- #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
- #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
-@@ -65,7 +66,7 @@ struct tally_data {
-
- #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
-
--int open_tally(const char *dir, const char *user, int create);
-+int open_tally(const char *dir, const char *user, uid_t uid, int create);
- int read_tally(int fd, struct tally_data *tallies);
- int update_tally(int fd, struct tally_data *tallies);
- #endif
-diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c
---- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100
-@@ -106,8 +106,11 @@ do_user(struct options *opts, const char
- int fd;
- int rv;
- struct tally_data tallies;
-+ struct passwd *pwd;
-
-- fd = open_tally(opts->dir, user, 0);
-+ pwd = getpwnam(user);
-+
-+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
-
- if (fd == -1) {
- if (errno == ENOENT) {
-@@ -134,9 +137,8 @@ do_user(struct options *opts, const char
- #ifdef HAVE_LIBAUDIT
- }
- if ((audit_fd=audit_open()) >= 0) {
-- struct passwd *pwd;
-
-- if ((pwd=getpwnam(user)) != NULL) {
-+ if (pwd != NULL) {
- snprintf(buf, sizeof(buf), "faillock reset uid=%u",
- pwd->pw_uid);
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c
---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100
-@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
-
- opts->now = time(NULL);
-
-- tfd = open_tally(opts->dir, opts->user, 0);
-+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
-
- *fd = tfd;
-
-@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o
- {
- int rv;
-
-- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
-- if (rv == -1) {
-- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
-+ if (*fd == -1) {
-+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
-+ }
-+ else {
-+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
-+ if (rv == -1) {
-+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
-+ }
- }
- }
-
-@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o
- const void *source = NULL;
-
- if (*fd == -1) {
-- *fd = open_tally(opts->dir, opts->user, 1);
-+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
- }
- if (*fd == -1) {
- if (errno == EACCES) {
-@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
-
- case FAILLOCK_ACTION_AUTHSUCC:
- rv = check_tally(pamh, &opts, &tallies, &fd);
-- if (rv == PAM_SUCCESS && fd != -1) {
-+ if (rv == PAM_SUCCESS) {
- reset_tally(pamh, &opts, &fd);
- }
- break;
-@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
- return rv;
- }
-
-- check_tally(pamh, &opts, &tallies, &fd);
-- if (fd != -1) {
-- reset_tally(pamh, &opts, &fd);
-- }
-+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */
-+ reset_tally(pamh, &opts, &fd);
-
- tally_cleanup(&tallies, fd);
-
-diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml
---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100
-@@ -277,13 +277,9 @@
- from the <emphasis>pam_tally2</emphasis> module setup.
- </para>
- <para>
-- There is no setuid wrapper for access to the data file such as when the
-- <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
-- a screensaver. As this would make it impossible to share PAM configuration
-- with such services the following workaround is used: If the data file
-- cannot be opened because of insufficient permissions
-- (<errorcode>EACCES</errorcode>) the module returns
-- <errorcode>PAM_SUCCESS</errorcode>.
-+ The individual files with the failure records are created as owned by
-+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
-+ to work correctly when it is called from a screensaver.
- </para>
- <para>
- Note that using the module in <option>preauth</option> without the
diff --git a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch b/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch
deleted file mode 100644
index 885690d0..00000000
--- a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c
---- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid 2009-02-20 14:27:14.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c 2010-11-11 12:31:04.000000000 +0100
-@@ -103,7 +103,6 @@ struct pam_limit_s {
- /* argument parsing */
-
- #define PAM_DEBUG_ARG 0x0001
--#define PAM_DO_SETREUID 0x0002
- #define PAM_UTMP_EARLY 0x0004
- #define PAM_NO_AUDIT 0x0008
-
-@@ -127,8 +126,6 @@ _pam_parse (const pam_handle_t *pamh, in
- ctrl |= PAM_DEBUG_ARG;
- } else if (!strncmp(*argv,"conf=",5)) {
- pl->conf_file = *argv+5;
-- } else if (!strncmp(*argv,"change_uid",10)) {
-- ctrl |= PAM_DO_SETREUID;
- } else if (!strcmp(*argv,"utmp_early")) {
- ctrl |= PAM_UTMP_EARLY;
- } else if (!strcmp(*argv,"noaudit")) {
-@@ -777,10 +774,6 @@ out:
- return retval;
- }
-
-- if (ctrl & PAM_DO_SETREUID) {
-- setreuid(pwd->pw_uid, -1);
-- }
--
- retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl);
- if (retval & LOGIN_ERR)
- pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name);
-diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml
---- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid 2009-06-01 09:03:20.000000000 +0200
-+++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml 2010-11-11 12:32:35.000000000 +0100
-@@ -23,9 +23,6 @@
- <cmdsynopsis id="pam_limits-cmdsynopsis">
- <command>pam_limits.so</command>
- <arg choice="opt">
-- change_uid
-- </arg>
-- <arg choice="opt">
- conf=<replaceable>/path/to/limits.conf</replaceable>
- </arg>
- <arg choice="opt">
-@@ -72,19 +69,6 @@
- <variablelist>
- <varlistentry>
- <term>
-- <option>change_uid</option>
-- </term>
-- <listitem>
-- <para>
-- Change real uid to the user for who the limits are set up. Use this
-- option if you have problems like login not forking a shell for user
-- who has no processes. Be warned that something else may break when
-- you do this.
-- </para>
-- </listitem>
-- </varlistentry>
-- <varlistentry>
-- <term>
- <option>conf=<replaceable>/path/to/limits.conf</replaceable></option>
- </term>
- <listitem>
diff --git a/extra/source/pam/patches/pam-1.1.3-limits-range.patch b/extra/source/pam/patches/pam-1.1.3-limits-range.patch
deleted file mode 100644
index c357eb28..00000000
--- a/extra/source/pam/patches/pam-1.1.3-limits-range.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-Index: modules/pam_limits/limits.conf.5.xml
-===================================================================
-RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/limits.conf.5.xml,v
-retrieving revision 1.9
-retrieving revision 1.11
-diff -u -p -r1.9 -r1.11
---- modules/pam_limits/limits.conf.5.xml 20 Feb 2009 13:27:14 -0000 1.9
-+++ modules/pam_limits/limits.conf.5.xml 14 Dec 2010 08:40:40 -0000 1.11
-@@ -53,7 +53,38 @@
- <listitem>
- <para>
- the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only,
-- can also be used with <emphasis remap='b'>%group</emphasis> syntax.
-+ can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the
-+ <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical
-+ to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With
-+ a group specified after <emphasis remap='B'>%</emphasis> it limits the total
-+ number of logins of all users that are member of the group.
-+ </para>
-+ </listitem>
-+ <listitem>
-+ <para>
-+ an uid range specified as <replaceable>&lt;min_uid&gt;</replaceable><emphasis
-+ remap='B'>:</emphasis><replaceable>&lt;max_uid&gt;</replaceable>. If min_uid
-+ is omitted, the match is exact for the max_uid. If max_uid is omitted, all
-+ uids greater than or equal min_uid match.
-+ </para>
-+ </listitem>
-+ <listitem>
-+ <para>
-+ a gid range specified as <emphasis
-+ remap='B'>@</emphasis><replaceable>&lt;min_gid&gt;</replaceable><emphasis
-+ remap='B'>:</emphasis><replaceable>&lt;max_gid&gt;</replaceable>. If min_gid
-+ is omitted, the match is exact for the max_gid. If max_gid is omitted, all
-+ gids greater than or equal min_gid match. For the exact match all groups including
-+ the user's supplementary groups are examined. For the range matches only
-+ the user's primary group is examined.
-+ </para>
-+ </listitem>
-+ <listitem>
-+ <para>
-+ a gid specified as <emphasis
-+ remap='B'>%:</emphasis><replaceable>&lt;gid&gt;</replaceable> applicable
-+ to maxlogins limit only. It limits the total number of logins of all users
-+ that are member of the group with the specified gid.
- </para>
- </listitem>
- </itemizedlist>
-@@ -182,7 +213,7 @@
- <varlistentry>
- <term><option>maxsyslogins</option></term>
- <listitem>
-- <para>maximum number of logins on system</para>
-+ <para>maximum number of all logins on system</para>
- </listitem>
- </varlistentry>
- <varlistentry>
-@@ -272,12 +303,15 @@
- </para>
- <programlisting>
- * soft core 0
--* hard rss 10000
-+* hard nofile 512
- @student hard nproc 20
- @faculty soft nproc 20
- @faculty hard nproc 50
- ftp hard nproc 0
- @student - maxlogins 4
-+:123 hard cpu 5000
-+@500: soft cpu 10000
-+600:700 hard locks 10
- </programlisting>
- </refsect1>
-
-Index: modules/pam_limits/pam_limits.c
-===================================================================
-RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/pam_limits.c,v
-retrieving revision 1.48
-retrieving revision 1.49
-diff -u -p -r1.48 -r1.49
---- modules/pam_limits/pam_limits.c 18 Nov 2010 09:37:32 -0000 1.48
-+++ modules/pam_limits/pam_limits.c 14 Dec 2010 08:40:40 -0000 1.49
-@@ -55,6 +55,12 @@
- #define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */
- #define LIMITS_DEF_NONE 5 /* this limit was not set yet */
-
-+#define LIMIT_RANGE_ERR -1 /* error in specified uid/gid range */
-+#define LIMIT_RANGE_NONE 0 /* no range specified */
-+#define LIMIT_RANGE_ONE 1 /* exact uid/gid specified (:max_uid)*/
-+#define LIMIT_RANGE_MIN 2 /* only minimum uid/gid specified (min_uid:) */
-+#define LIMIT_RANGE_MM 3 /* both min and max uid/gid specified (min_uid:max_uid) */
-+
- static const char *limits_def_names[] = {
- "USER",
- "GROUP",
-@@ -520,8 +526,57 @@ process_limit (const pam_handle_t *pamh,
- return;
- }
-
--static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl,
-- struct pam_limit_s *pl)
-+static int
-+parse_uid_range(pam_handle_t *pamh, const char *domain,
-+ uid_t *min_uid, uid_t *max_uid)
-+{
-+ const char *range = domain;
-+ char *pmax;
-+ char *endptr;
-+ int rv = LIMIT_RANGE_MM;
-+
-+ if ((pmax=strchr(range, ':')) == NULL)
-+ return LIMIT_RANGE_NONE;
-+ ++pmax;
-+
-+ if (range[0] == '@' || range[0] == '%')
-+ ++range;
-+
-+ if (range[0] == ':')
-+ rv = LIMIT_RANGE_ONE;
-+ else {
-+ errno = 0;
-+ *min_uid = strtoul (range, &endptr, 10);
-+ if (errno != 0 || (range == endptr) || *endptr != ':') {
-+ pam_syslog(pamh, LOG_DEBUG,
-+ "wrong min_uid/gid value in '%s'", domain);
-+ return LIMIT_RANGE_ERR;
-+ }
-+ }
-+
-+ if (*pmax == '\0') {
-+ if (rv == LIMIT_RANGE_ONE)
-+ return LIMIT_RANGE_ERR;
-+ else
-+ return LIMIT_RANGE_MIN;
-+ }
-+
-+ errno = 0;
-+ *max_uid = strtoul (pmax, &endptr, 10);
-+ if (errno != 0 || (pmax == endptr) || *endptr != '\0') {
-+ pam_syslog(pamh, LOG_DEBUG,
-+ "wrong max_uid/gid value in '%s'", domain);
-+ return LIMIT_RANGE_ERR;
-+ }
-+
-+ if (rv == LIMIT_RANGE_ONE)
-+ *min_uid = *max_uid;
-+ return rv;
-+}
-+
-+static int
-+parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
-+ int ctrl, struct pam_limit_s *pl)
- {
- FILE *fil;
- char buf[LINE_LENGTH];
-@@ -543,8 +598,10 @@ static int parse_config_file(pam_handle_
- char item[LINE_LENGTH];
- char value[LINE_LENGTH];
- int i;
-+ int rngtype;
- size_t j;
- char *tptr,*line;
-+ uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1;
-
- line = buf;
- /* skip the leading white space */
-@@ -572,6 +629,11 @@ static int parse_config_file(pam_handle_
- for(j=0; j < strlen(ltype); j++)
- ltype[j]=tolower(ltype[j]);
-
-+ if ((rngtype=parse_uid_range(pamh, domain, &min_uid, &max_uid)) < 0) {
-+ pam_syslog(pamh, LOG_WARNING, "invalid uid range '%s' - skipped", domain);
-+ continue;
-+ }
-+
- if (i == 4) { /* a complete line */
- for(j=0; j < strlen(item); j++)
- item[j]=tolower(item[j]);
-@@ -581,47 +643,133 @@ static int parse_config_file(pam_handle_
- if (strcmp(uname, domain) == 0) /* this user have a limit */
- process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
- else if (domain[0]=='@') {
-- if (ctrl & PAM_DEBUG_ARG) {
-+ if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "checking if %s is in group %s",
- uname, domain + 1);
-- }
-- if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
-- process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
-+ }
-+ switch(rngtype) {
-+ case LIMIT_RANGE_NONE:
-+ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
-+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
-+ pl);
-+ break;
-+ case LIMIT_RANGE_ONE:
-+ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid))
-+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
- pl);
-+ break;
-+ case LIMIT_RANGE_MM:
-+ if (gid > (gid_t)max_uid)
-+ break;
-+ /* fallthrough */
-+ case LIMIT_RANGE_MIN:
-+ if (gid >= (gid_t)min_uid)
-+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
-+ pl);
-+ }
- } else if (domain[0]=='%') {
-- if (ctrl & PAM_DEBUG_ARG) {
-+ if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "checking if %s is in group %s",
- uname, domain + 1);
-- }
-- if (strcmp(domain,"%") == 0)
-- process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl,
-- pl);
-- else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
-- strcpy(pl->login_group, domain+1);
-- process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
-- pl);
- }
-- } else if (strcmp(domain, "*") == 0)
-- process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
-- pl);
-+ switch(rngtype) {
-+ case LIMIT_RANGE_NONE:
-+ if (strcmp(domain,"%") == 0)
-+ process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl,
-+ pl);
-+ else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
-+ strcpy(pl->login_group, domain+1);
-+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
-+ pl);
-+ }
-+ break;
-+ case LIMIT_RANGE_ONE:
-+ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) {
-+ struct group *grp;
-+ grp = pam_modutil_getgrgid(pamh, (gid_t)max_uid);
-+ strncpy(pl->login_group, grp->gr_name, sizeof(pl->login_group));
-+ pl->login_group[sizeof(pl->login_group)-1] = '\0';
-+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
-+ pl);
-+ }
-+ break;
-+ case LIMIT_RANGE_MIN:
-+ case LIMIT_RANGE_MM:
-+ pam_syslog(pamh, LOG_WARNING, "range unsupported for %%group matching - ignored");
-+ }
-+ } else {
-+ switch(rngtype) {
-+ case LIMIT_RANGE_NONE:
-+ if (strcmp(domain, "*") == 0)
-+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
-+ pl);
-+ break;
-+ case LIMIT_RANGE_ONE:
-+ if (uid != max_uid)
-+ break;
-+ /* fallthrough */
-+ case LIMIT_RANGE_MM:
-+ if (uid > max_uid)
-+ break;
-+ /* fallthrough */
-+ case LIMIT_RANGE_MIN:
-+ if (uid >= min_uid)
-+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
-+ }
-+ }
- } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
- if (strcmp(uname, domain) == 0) {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname);
- }
-- fclose(fil);
-- return PAM_IGNORE;
-- } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
-+ } else if (domain[0] == '@') {
-+ switch(rngtype) {
-+ case LIMIT_RANGE_NONE:
-+ if (!pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
-+ continue; /* next line */
-+ break;
-+ case LIMIT_RANGE_ONE:
-+ if (!pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid))
-+ continue; /* next line */
-+ break;
-+ case LIMIT_RANGE_MM:
-+ if (gid > (gid_t)max_uid)
-+ continue; /* next line */
-+ /* fallthrough */
-+ case LIMIT_RANGE_MIN:
-+ if (gid < (gid_t)min_uid)
-+ continue; /* next line */
-+ }
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "no limits for '%s' in group '%s'",
- uname, domain+1);
- }
-- fclose(fil);
-- return PAM_IGNORE;
-+ } else {
-+ switch(rngtype) {
-+ case LIMIT_RANGE_NONE:
-+ continue; /* next line */
-+ case LIMIT_RANGE_ONE:
-+ if (uid != max_uid)
-+ continue; /* next line */
-+ break;
-+ case LIMIT_RANGE_MM:
-+ if (uid > max_uid)
-+ continue; /* next line */
-+ /* fallthrough */
-+ case LIMIT_RANGE_MIN:
-+ if (uid >= min_uid)
-+ break;
-+ continue; /* next line */
-+ }
-+ if (ctrl & PAM_DEBUG_ARG) {
-+ pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname);
-+ }
- }
-+ fclose(fil);
-+ return PAM_IGNORE;
- } else {
- pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
- }
-@@ -731,7 +879,7 @@ pam_sm_open_session (pam_handle_t *pamh,
- return PAM_ABORT;
- }
-
-- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
-+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
- if (retval == PAM_IGNORE) {
- D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
- return PAM_SUCCESS;
-@@ -755,7 +903,7 @@ pam_sm_open_session (pam_handle_t *pamh,
- /* Parse the *.conf files. */
- for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
- pl->conf_file = globbuf.gl_pathv[i];
-- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
-+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
- if (retval == PAM_IGNORE) {
- D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file));
- globfree(&globbuf);
diff --git a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch b/extra/source/pam/patches/pam-1.1.3-nouserenv.patch
deleted file mode 100644
index f3a742c8..00000000
--- a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
---- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200
-+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100
-@@ -10,7 +10,7 @@
- #define DEFAULT_READ_ENVFILE 1
-
- #define DEFAULT_USER_ENVFILE ".pam_environment"
--#define DEFAULT_USER_READ_ENVFILE 1
-+#define DEFAULT_USER_READ_ENVFILE 0
-
- #include "config.h"
-
-diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
---- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200
-+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100
-@@ -147,7 +147,10 @@
- <listitem>
- <para>
- Turns on or off the reading of the user specific environment
-- file. 0 is off, 1 is on. By default this option is on.
-+ file. 0 is off, 1 is on. By default this option is off as user
-+ supplied environment variables in the PAM environment could affect
-+ behavior of subsequent modules in the stack without the consent
-+ of the system administrator.
- </para>
- </listitem>
- </varlistentry>
diff --git a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch b/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch
deleted file mode 100644
index 6117b26e..00000000
--- a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -up Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c
---- Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete 2008-12-18 14:09:36.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c 2010-11-11 14:45:02.000000000 +0100
-@@ -187,12 +187,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
- {
- retval = pam_get_authtok (pamh, PAM_AUTHTOK, &newpass, NULL);
- if (retval != PAM_SUCCESS && retval != PAM_TRY_AGAIN)
-- return retval;
-+ {
-+ if (retval == PAM_CONV_AGAIN)
-+ retval = PAM_INCOMPLETE;
-+ return retval;
-+ }
- tries++;
-
-- if (newpass == NULL || retval == PAM_TRY_AGAIN)
-- continue;
--
- if (options.debug)
- {
- if (newpass)
-@@ -201,12 +202,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
- pam_syslog (pamh, LOG_DEBUG, "got no auth token");
- }
-
-- if (retval != PAM_SUCCESS || newpass == NULL)
-- {
-- if (retval == PAM_CONV_AGAIN)
-- retval = PAM_INCOMPLETE;
-- return retval;
-- }
-+ if (newpass == NULL || retval == PAM_TRY_AGAIN)
-+ continue;
-
- if (options.debug)
- pam_syslog (pamh, LOG_DEBUG, "check against old password file");
-@@ -219,7 +216,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
- newpass = NULL;
- /* Remove password item, else following module will use it */
- pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL);
-- continue;
- }
- }
-
-@@ -230,8 +226,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
- return PAM_MAXTRIES;
- }
-
-- /* Remember new password */
-- return pam_set_item (pamh, PAM_AUTHTOK, newpass);
-+ return PAM_SUCCESS;
- }
-
-
diff --git a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch
deleted file mode 100644
index 94fa6ecf..00000000
--- a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-Index: modules/pam_securetty/pam_securetty.8.xml
-===================================================================
-RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v
-retrieving revision 1.4
-retrieving revision 1.6
-diff -u -p -r1.4 -r1.6
---- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4
-+++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6
-@@ -33,7 +33,9 @@
- user is logging in on a "secure" tty, as defined by the listing
- in <filename>/etc/securetty</filename>. pam_securetty also checks
- to make sure that <filename>/etc/securetty</filename> is a plain
-- file and not world writable.
-+ file and not world writable. It will also allow root logins on
-+ the tty specified with <option>console=</option> switch on the
-+ kernel command line.
- </para>
- <para>
- This module has no effect on non-root users and requires that the
-@@ -61,6 +63,18 @@
- </para>
- </listitem>
- </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>noconsole</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Do not automatically allow root logins on the kernel console
-+ device, as specified on the kernel command line, if it is
-+ not also specified in the <filename>/etc/securetty</filename> file.
-+ </para>
-+ </listitem>
-+ </varlistentry>
- </variablelist>
- </refsect1>
-
-Index: modules/pam_securetty/pam_securetty.c
-===================================================================
-RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v
-retrieving revision 1.14
-retrieving revision 1.15
-diff -u -p -r1.14 -r1.15
---- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14
-+++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15
-@@ -2,6 +2,7 @@
-
- #define SECURETTY_FILE "/etc/securetty"
- #define TTY_PREFIX "/dev/"
-+#define CMDLINE_FILE "/proc/cmdline"
-
- /*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
-@@ -22,6 +23,7 @@
- #include <pwd.h>
- #include <string.h>
- #include <ctype.h>
-+#include <limits.h>
-
- /*
- * here, we make a definition for the externally accessible function
-@@ -38,6 +40,7 @@
- #include <security/pam_ext.h>
-
- #define PAM_DEBUG_ARG 0x0001
-+#define PAM_NOCONSOLE_ARG 0x0002
-
- static int
- _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
-@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
-+ else if (!strcmp(*argv, "noconsole"))
-+ ctrl |= PAM_NOCONSOLE_ARG;
- else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
-@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p
- }
- fclose(ttyfile);
-
-+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
-+ FILE *cmdlinefile;
-+
-+ /* Allow access from the kernel console, if enabled */
-+ cmdlinefile = fopen(CMDLINE_FILE, "r");
-+
-+ if (cmdlinefile != NULL) {
-+ char line[LINE_MAX], *p;
-+
-+ line[0] = 0;
-+ fgets(line, sizeof(line), cmdlinefile);
-+ fclose(cmdlinefile);
-+
-+ for (p = line; p; p = strstr(p+1, "console=")) {
-+ char *e;
-+
-+ /* Test whether this is a beginning of a word? */
-+ if (p > line && p[-1] != ' ')
-+ continue;
-+
-+ /* Ist this our console? */
-+ if (strncmp(p + 8, uttyname, strlen(uttyname)))
-+ continue;
-+
-+ /* Is there any garbage after the TTY name? */
-+ e = p + 8 + strlen(uttyname);
-+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
-+ retval = 0;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
- if (retval) {
- pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
- uttyname);
diff --git a/extra/source/pam/slack-desc b/extra/source/pam/slack-desc
deleted file mode 100644
index 8b57bc0d..00000000
--- a/extra/source/pam/slack-desc
+++ /dev/null
@@ -1,19 +0,0 @@
-# HOW TO EDIT THIS FILE:
-# The "handy ruler" below makes it easier to edit a package description. Line
-# up the first '|' above the ':' following the base package name, and the '|'
-# on the right side marks the last column you can put a character in. You must
-# make exactly 11 lines for the formatting to be correct. It's also
-# customary to leave one space after the ':'.
-
- |-----handy-ruler------------------------------------------------------|
-pam: pam (Pluggable Authentication Modules)
-pam:
-pam: PAM = Pluggable Authentication Modules. Basically, it is a flexible
-pam: mechanism for authenticating users. PAM provides a way to develop
-pam: programs that are independent of authentication scheme. However,
-pam: these programs will need "authentication modules" (and libpam) at
-pam: run-time in order to work.
-pam:
-pam:
-pam: Homepage: http://www.kernel.org/pub/linux/libs/pam/
-pam: