Package: libpam-runtime
Version: 0.76-22
Priority: wishlist
Tags: patch

Checking the documentation in the pam binary RPMs of SuSE I've found that 
they have some manpages that are neither included upstream nor available in 
the Debian packages.  Some of the documentation applies to PAM modules that 
are not (yet) available in Debian, but some of it applies to modules in 
Debian (pam_securetty and pam_nologin) as well. Also, one of the manpages 
(unix_chkpwd.8) is slightly better than the Debian-provided manpage.

Attached is a patch adding (and installing) these manpages to the Debian
package, although the manpages for modules not available (pam_localuser,
pam_succeed_if and pam_xauth) are not installed. I'm going to ask for these 
modules in a separate bug, however.

Regards

Javier 
diff -Nru pam-0.76.old/debian/local/pam_localuser.8.unavailable 
pam-0.76/debian/local/pam_localuser.8.unavailable
--- pam-0.76.old/debian/local/pam_localuser.8.unavailable       1970-01-01 
01:00:00.000000000 +0100
+++ pam-0.76/debian/local/pam_localuser.8.unavailable   2005-03-21 
16:16:27.000000000 +0100
@@ -0,0 +1,36 @@
+.\" Copyright 2000 Red Hat, Inc.
+.TH pam_localuser 8 2000/7/21 "Red Hat" "System Administrator's Manual"
+
+.SH NAME
+pam_localuser \- require users to be listed in /etc/passwd
+
+.SH SYNOPSIS
+.B account sufficient /lib/security/pam_localuser.so \fIargs\fP
+.br
+.B account required /lib/security/pam_wheel.so group=devel
+
+.SH DESCRIPTION
+pam_localuser.so exists to help implement site-wide login policies, where
+they typically include a subset of the network's users and a few accounts
+that are local to a particular workstation.  Using pam_localuser.so and
+pam_wheel.so or pam_listfile.so is an effective way to restrict access to
+either local users and/or a subset of the network's users.
+
+This could also be implemented using pam_listfile.so and a very short awk
+script invoked by cron, but it's common enough to have been separated out.
+
+.SH ARGUMENTS
+.IP debug
+turns on debugging
+.IP file=\fBFILE\fP
+uses a file other than \fB/etc/passwd\fP.
+
+.SH FILES
+/etc/passwd
+
+.SH BUGS
+Let's hope not, but if you find any, please report them via the "Bug Track"
+link at http://bugzilla.redhat.com/bugzilla/
+
+.SH AUTHOR
+Nalin Dahyabhai <[EMAIL PROTECTED]>
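Review bot: the BUGS section (`Let's hope not, but if you find any, please report them via the "Bug Track"` / `link at http://bugzilla.redhat.com/bugzilla/`) sends readers of a page shipped from debian/local to Red Hat's bug tracker; once the page is installed by the Debian package it should point at the Debian BTS (reportbug) or be dropped, and the same applies to the pam_succeed_if and pam_xauth pages below. The AUTHOR line reads `<[EMAIL PROTECTED]>` in the posted copy, which looks like mail-archive address masking rather than the real address; check that the committed file carries the original contact. Since the file is kept under the `.unavailable` suffix and deliberately not installed, a one-line comment in the page header or in debian/rules saying why would stop a later maintainer from installing a page for a module the package does not ship.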
diff -Nru pam-0.76.old/debian/local/pam_nologin.8 
pam-0.76/debian/local/pam_nologin.8
--- pam-0.76.old/debian/local/pam_nologin.8     1970-01-01 01:00:00.000000000 
+0100
+++ pam-0.76/debian/local/pam_nologin.8 2005-03-21 16:16:27.000000000 +0100
@@ -0,0 +1,86 @@
+.\" Copyright (C) 2003 International Business Machines Corp.
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\" 
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "PAM_NOLOGIN" 8 "2003-03-21" "Linux 2.4" "System Administrator's Manual"
+.SH NAME
+pam_nologin \- Disables login for all except root when 
+\fI/etc/nologin\fR exists
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/lib/security/pam_nologin
+.sp
+.ad
+.hy
+
+.SH "DESCRIPTION"
+
+.PP
+\fBpam_nologin\fR is a PAM module that prevents users from logging 
+into the system when \fI/etc/nologin\fR exists. 
+The contents of the \fI/etc/nologin\fR file are displayed to the user. 
+The \fBpam_nologin\fR module has no effect on the root user's ability to log 
in.
+
+.SH "OPTIONS"
+
+.PP
+\fBpam_login\fR has no options.
+
+.SH "MODULE SERVICES PROVIDED"
+
+.TP
+auth
+_authentication and _setcred (blank)
+
+.SH "RETURN CODES"
+.PP
+\fBpam_nologin\fR has the following return codes:
+.TP
+PAM_SUCCESS
+Success: either the user is root or the \fI/etc/nologin\fR file does not exist.
+
+.TP
+PAM_SERVICE_ERR
+The module was unable to get the user name.
+
+.TP
+PAM_USER_UNKNOWN
+The module cannot get the UID associated with this user.
+
+.TP
+PAM_AUTH_ERR
+The user is not root and \fI/etc/nologin\fR exists, so the user is 
+not permitted to log in.
+
+.SH "HISTORY"
+
+.PP
+\fBpam_nologin\fR was written by Michael K. Johnson.
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam.conf\fR(8), \fBpam.d\fR(8), \fBpam\fR(8), \fBnologin\fR(8).
+
+.SH AUTHOR
+Emily Ratliff.
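Review bot: the OPTIONS section says `\fBpam_login\fR has no options.`; the module is pam_nologin, so the name is wrong and will confuse `man -k` style lookups. Also, the SEE ALSO line references `\fBpam.conf\fR(8), \fBpam.d\fR(8), \fBpam\fR(8)`, while the debian/rules hunk at the end of this patch removes pam.8, pam.d.8 and pam.conf.8 from libpam-runtime's man8; please confirm those pages are provided by another package in this source so the cross-references resolve on an installed system.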
diff -Nru pam-0.76.old/debian/local/pam_securetty.8 
pam-0.76/debian/local/pam_securetty.8
--- pam-0.76.old/debian/local/pam_securetty.8   1970-01-01 01:00:00.000000000 
+0100
+++ pam-0.76/debian/local/pam_securetty.8       2005-03-21 16:16:27.000000000 
+0100
@@ -0,0 +1,98 @@
+.\" Copyright (C) 2003 International Business Machines Corp.
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\"
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "PAM_SECURETTY" 8 "2003-02-21" "Linux 2.4" "System Administrator's Manual"
+.SH NAME
+pam_securetty \- Limits root to logging in on devices listed in /etc/securetty
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/usr/security/pam_securetty
+.sp
+.ad
+.hy
+
+.SH "DESCRIPTION"
+
+.PP
+\fBpam_securetty\fR is a PAM module that allows root logins only if the 
+user is logging in on a "secure" tty, as defined by the listing in 
+\fI/etc/securetty\fR. 
+\fBpam_securetty\fR also checks to make sure that \fI/etc/securetty\fR 
+is a plain file and not world writable.
+
+.PP
+This module has no effect on non-root users.
+
+.SH "OPTIONS"
+.PP
+\fBpam_securetty\fR has no options.
+
+.SH "RETURN CODES"
+.PP
+\fBpam_securetty\fR has the following return codes:
+.TP
+PAM_SUCCESS
+The user is allowed to continue authentication. 
+Either the user is not root, or the root user is trying to log in on 
+an acceptable device.
+
+.TP
+PAM_AUTH_ERR
+Authentication is rejected. 
+Either root is attempting to log in via an unacceptable device, 
+or the \fI/etc/securetty\fR file is world writable or not a normal file.
+
+.TP
+PAM_INCOMPLETE
+An application error occurred. \fBpam_securetty\fR was not able to get 
+information it required from the application that called it.
+
+.TP
+PAM_SERVICE_ERR
+An error occurred while the module was determining the user's name or tty, 
+or the module could not open \fI/etc/securetty\fR.
+
+.TP
+PAM_IGNORE
+The module could not find the user name in the 
+\fI/etc/passwd\fR file to verify whether the user had a UID of 0. 
+Therefore, the results of running this module are ignored.
+
+.SH "HISTORY"
+
+.PP
+\fBpam_securetty\fR was written by Elliot Lee.
+
+.SH "FILES"
+
+.PP
+ \fI/etc/securetty\fR 
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam.conf\fR(8), \fBpam.d\fR(8), \fBpam\fR(8), \fBsecuretty\fR(8).
+
+.SH AUTHOR
+Emily Ratliff.
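Review bot: the SYNOPSIS gives `/usr/security/pam_securetty`, which is not where this package installs modules; the other pages in this patch use `/lib/security/`, so the path should be corrected to match. More importantly, the RETURN CODES section documents a world-writable or non-regular `/etc/securetty` (PAM_AUTH_ERR) and a failure to open it (PAM_SERVICE_ERR) but says nothing about the file being absent, and the DESCRIPTION ("allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty") leads an administrator to assume root is then rejected everywhere. Please check what pam_securetty.c in 0.76 actually returns when stat() of /etc/securetty fails and document it explicitly; this is the case an admin relies on when locking down root logins.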
diff -Nru pam-0.76.old/debian/local/pam_succeed_if.8.unavailable 
pam-0.76/debian/local/pam_succeed_if.8.unavailable
--- pam-0.76.old/debian/local/pam_succeed_if.8.unavailable      1970-01-01 
01:00:00.000000000 +0100
+++ pam-0.76/debian/local/pam_succeed_if.8.unavailable  2005-03-21 
16:16:27.000000000 +0100
@@ -0,0 +1,30 @@
+.\" Copyright 2003 Red Hat, Inc.
+.\" Written by Nalin Dahyabhai <[EMAIL PROTECTED]>
+.TH pam_succeed_if 8 2003/6/30 "Red Hat Linux" "System Administrator's Manual"
+
+.SH NAME
+pam_succeed_if \- succeed or fail based on account characteristics
+
+.SH SYNOPSIS
+.B account sufficient pam_succeed_if.so uid < 500
+
+.SH DESCRIPTION
+pam_succeed_if.so is designed to succeed or fail authentication based on
+characteristics of the account belonging to the user being authenticated.
+
+The module can be given one or more conditions as module arguments, and
+authentication will succeed only if all of the conditions are met.
+
+.SH ARGUMENTS
+.IP debug
+Turns on debugging messages sent to syslog.
+.IP use_uid
+Evaluate conditions using the account of the user whose UID the application
+is running under instead of the user being authenticated.
+
+.SH BUGS
+Let's hope not, but if you find any, please report them via the "Bug Track"
+link at http://bugzilla.redhat.com/bugzilla/
+
+.SH AUTHOR
+Nalin Dahyabhai <[EMAIL PROTECTED]>
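Review bot: the page never documents the condition syntax it relies on. The SYNOPSIS shows `account sufficient pam_succeed_if.so uid < 500` and the DESCRIPTION says "one or more conditions as module arguments", but ARGUMENTS lists only `debug` and `use_uid`, so a reader cannot learn which account fields or comparison operators exist. Either add the condition grammar from the module's source or mark the page as incomplete. Note also that the SYNOPSIS example uses `sufficient`, which ends the account stack with success for any UID below 500; a sentence warning that the control flag decides whether a matching condition short-circuits later modules would help.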
diff -Nru pam-0.76.old/debian/local/pam_xauth.8.unavailable 
pam-0.76/debian/local/pam_xauth.8.unavailable
--- pam-0.76.old/debian/local/pam_xauth.8.unavailable   1970-01-01 
01:00:00.000000000 +0100
+++ pam-0.76/debian/local/pam_xauth.8.unavailable       2005-03-21 
16:16:27.000000000 +0100
@@ -0,0 +1,82 @@
+.\" Copyright 2001,2003 Red Hat, Inc.
+.\" Written by Nalin Dahyabhai <[EMAIL PROTECTED]>, based on the original
+.\" version by Michael K. Johnson
+.TH pam_xauth 8 2003/7/24 "Red Hat Linux" "System Administrator's Manual"
+.SH NAME
+pam_xauth \- forward xauth keys between users
+.SH SYNOPSIS
+.B session optional /lib/security/pam_xauth.so \fIarguments\fP
+.SH DESCRIPTION
+pam_xauth.so is designed to forward xauth keys (sometimes referred
+to as "cookies") between users.
+
+Without pam_xauth, when xauth is enabled and a user uses the \fBsu\fP command
+to assume another user's priviledges, that user is no longer able to access
+the original user's X display because the new user does not have the key
+needed to access the display.  pam_xauth solves the problem by forwarding the
+key from the user running su (the source user) to the user whose
+identity the source user is assuming (the target user) when the session
+is created, and destroying the key when the session is torn down.
+
+This means, for example, that when you run \fBsu\fP from an xterm sesssion,
+you will be able to run X programs without explicitly dealing with the
+xauth command or ~/.Xauthority files.
+
+pam_xauth will only forward keys if xauth can list a key connected
+to the $DISPLAY environment variable.
+
+Primitive access control is provided by \fB~/.xauth/export\fP in the invoking
+user's home directory and \fB~/.xauth/import\fP in the target user's home
+directory.
+
+If a user has a \fB~/.xauth/import\fP file, the user will only receive cookies
+from users listed in the file.  If there is no \fB~/.xauth/import\fP file,
+the user will accept cookies from any other user.
+
+If a user has a \fB.xauth/export\fP file, the user will only forward cookies
+to users listed in the file.  If there is no \fB~/.xauth/export\fP file, and
+the invoking user is not \fBroot\fP, the user will forward cookies to
+any other user.  If there is no \fB~/.xauth/export\fP file, and the invoking
+user is \fBroot\fP, the user will \fInot\fP forward cookies to other users.
+
+Both the import and export files support wildcards (such as \fI*\fP).  Both
+the import and export files can be empty, signifying that no users are allowed.
+
+.SH ARGUMENTS
+.IP debug
+Turns on debugging messages sent to syslog.
+.IP xauthpath=\fI/usr/X11R6/bin/xauth\fP
+Specify the path the xauth program (the default is /usr/X11R6/bin/xauth).
+.IP systemuser=\fInumber\fP
+Specify the highest UID which will be assumed to belong to a "system" user.
+pam_xauth will refuse to forward credentials to users with UID less than or
+equal to this number, except for root and the "targetuser", if specified.
+.IP targetuser=\fInumber\fP
+Specify a single target UID which is exempt from the systemuser check.
+.SH "IMPLEMENTATION DETAILS"
+pam_xauth will work \fIonly\fP if it is used from a setuid application
+in which the getuid() call returns the id of the user running the
+application, and for which PAM can supply the name of the account that
+the user is attempting to assume.  The typical application of this
+type is \fBsu\fP.  The application must call both pam_open_session() and
+pam_close_session() with the ruid set to the uid of the calling user
+and the euid set to root, and must have provided as the PAM_USER item
+the name of the target user.
+
+pam_xauth calls \fBxauth\fP as the source user to extract the key for
+$DISPLAY, then calls xauth as the target user to merge the key
+into the a temporary database and later remove the database.
+
+pam_xauth cannot be told not to remove the keys when the session
+is closed.
+.SH "SEE ALSO"
+\fI/usr/share/doc/pam*/html/index.html\fP
+.SH FILES
+\fI~/.xauth/import\fP
+\fI~/.xauth/export\fP
+.SH BUGS
+Let's hope not, but if you find any, please report them via the "Bug Track"
+link at http://bugzilla.redhat.com/bugzilla/
+.SH AUTHOR
+Nalin Dahyabhai <[EMAIL PROTECTED]>, based on original version by
+Michael K. Johnson <[EMAIL PROTECTED]>
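Review bot: a few typos in the DESCRIPTION and ARGUMENTS text should be fixed before shipping: `priviledges` (privileges), `xterm sesssion` (session), `into the a temporary database`, and `Specify the path the xauth program` (path to). The SEE ALSO entry `/usr/share/doc/pam*/html/index.html` is Red Hat's documentation location; check it against where this source's documentation package actually installs the HTML, or the reference will point nowhere on Debian.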
diff -Nru pam-0.76.old/debian/local/unix_chkpwd.8 
pam-0.76/debian/local/unix_chkpwd.8
--- pam-0.76.old/debian/local/unix_chkpwd.8     2005-03-21 16:23:30.000000000 
+0100
+++ pam-0.76/debian/local/unix_chkpwd.8 2005-03-21 16:18:34.000000000 +0100
@@ -1,17 +1,88 @@
-.TH UNIX_CHKPWD 8 "4 Jun 1999" "Linux-PAM 0.69" "Linux-PAM Manual"
+.\" Copyright (C) 2003 International Business Machines Corporation
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\"
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "UNIX_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
 .SH NAME
-\fBunix_chkpwd\fR \- check the password of the invoking user
-.SH SYNOPSIS
-<not invoked manually>
-.SH DESCRIPTION
-A helper binary for the pam_unix module, unix_chkpwd, is provided to check
-the user's password when it is stored in a read protected database, such as
-shadow'd passwords. This binary is very simple and will only check the password
+unix_chkpwd \- helper binary that verifies the password of the current user
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/sbin/unix_chkpwd [\fIusername\fR]
+.sp
+.ad
+.hy
+.SH "DESCRIPTION"
+.PP
+\fBunix_chkpwd\fR is a helper program for the pam_unix module that verifies 
+the password of the current user when it is stored in a read protected 
database,
+such as shadow'd passwords. It is not intended to be run directly from 
+the command line and logs a security violation if done so. 
+
+This binary is very simple and will only check the password
 of the user invoking it. It is called transparently on behalf of the user by
 the authenticating component of the pam_unix module. In this way it is possible
 for applications like
 .B xlock
-to work work without being setuid root. 
-.SH USAGE
-This program is not intended to be called directly by users and will log to 
syslog
-if it is called improperly (i.e., by someone trying to exploit it).
+to work work without being setuid root.
+
+It is typically installed setuid root or setgid shadow.
+
+.SH "OPTIONS"
+.PP
+unix_pwdchk optionally takes the following argument:
+.TP
+\fIusername\fR
+The username of the user whose password you want to check: this must match the 
current user id.        
+
+.SH "INPUTS"
+.PP
+unix_pwdchk expects the following inputs via stdin:
+.TP
+\fIoption\fR
+Either nullok or nonull, depending on whether the user can have an empty 
password.
+.TP
+\fIpassword\fR
+The password to verify.
+
+.SH "RETURN CODES"
+.PP
+\fBunix_chkpwd\fR has the following return codes:
+.TP
+1
+unix_chkpwd was inappropriately called from the command line or the password 
is incorrect.
+
+.TP
+0
+The password is correct.
+
+.SH "HISTORY"
+Written by Andrew Morgan
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam\fR(8)
+
+.SH AUTHOR
+Emily Ratliff.
+
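Review bot: the OPTIONS and INPUTS sections name the binary `unix_pwdchk` (`unix_pwdchk optionally takes the following argument:` and `unix_pwdchk expects the following inputs via stdin:`); the helper is unix_chkpwd, as the rest of the page says. The line `to work work without being setuid root.` keeps the duplicated word from the old page and can be fixed while it is being touched. The RETURN CODES section claims exit status 1 for both misuse from the command line and an incorrect password; since pam_unix acts on the helper's exit status, please verify the actual values against main() in unix_chkpwd.c for 0.76 rather than carrying them over. Finally, "It is typically installed setuid root or setgid shadow" is hedged; a Debian man page should state which mode this package installs, as that determines what a local user can do with the binary.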
diff -Nru pam-0.76.old/debian/rules pam-0.76/debian/rules
--- pam-0.76.old/debian/rules   2005-03-21 16:23:30.000000000 +0100
+++ pam-0.76/debian/rules       2005-03-21 16:21:15.000000000 +0100
@@ -84,6 +84,8 @@
        dh_movefiles -i
 
        dh_installman -plibpam-runtime $(BUILD_TREE)/doc/man/*.[578]
+       # Additional documentation
+       dh_installman -plibpam-runtime $(dl)/pam_*[578]
        rm  debian/libpam-runtime/usr/share/man/man8/{pam.8,pam.d.8,pam.conf.8}
        dh_installdocs -i
        dh_installchangelogs -i $(BUILD_TREE)/CHANGELOG
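Review bot: `$(dl)` is not defined anywhere in the visible context of this hunk; confirm it is set earlier in debian/rules, otherwise the glob expands to `/pam_*[578]` and dh_installman silently installs nothing. The pattern `pam_*[578]` skips the `.unavailable` files, which is what the cover letter intends, but that is easy to miss; extend the `# Additional documentation` comment to say the `.unavailable` pages are deliberately excluded. Note that unix_chkpwd.8, which this patch also rewrites under debian/local, is not matched by this glob, so it must already be installed by another rule; worth double-checking it still ends up in the package.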

Attachment: signature.asc
Description: Digital signature
