Hello community,

here is the log from the commit of package pam for openSUSE:Factory checked in 
at 2015-05-06 11:21:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
 and      /work/SRC/openSUSE:Factory/.pam.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam"

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes  2015-01-30 06:02:46.000000000 
+0100
+++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes     2015-05-06 
11:21:58.000000000 +0200
@@ -1,0 +2,6 @@
+Mon Apr 27 17:14:40 CEST 2015 - ku...@suse.de
+
+- Update to version 1.2.0
+  - obsoletes Linux-PAM-git-20150109.diff
+
+-------------------------------------------------------------------
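Review bot: the new changelog entry under "Update to version 1.2.0" lists only the obsoleted patch and says nothing about what changed upstream. The documentation diff in this same commit shows at least one behaviour-relevant change (the pam_fail_delay spread goes from 25% to 50%), so please add a short list of notable upstream changes, or a pointer to the upstream release notes, under this bullet.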

Old:
----
  Linux-PAM-1.1.8-docs.tar.bz2
  Linux-PAM-1.1.8.tar.bz2
  Linux-PAM-git-20150109.diff

New:
----
  Linux-PAM-1.2.0-docs.tar.bz2
  Linux-PAM-1.2.0.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.widPZ0/_old  2015-05-06 11:21:59.000000000 +0200
+++ /var/tmp/diff_new_pack.widPZ0/_new  2015-05-06 11:21:59.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,11 +29,11 @@
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
-%define libpam_so_version 0.83.1
-%define libpam_misc_so_version 0.82.0
+%define libpam_so_version 0.84.1
+%define libpam_misc_so_version 0.82.1
 %define libpamc_so_version 0.82.1
 #
-Version:        1.1.8
+Version:        1.2.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0+ or BSD-3-Clause
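Review bot: libpam_so_version and libpam_misc_so_version are bumped by hand here (0.83.1 to 0.84.1, 0.82.0 to 0.82.1) while libpamc_so_version stays at 0.82.1, and nothing in the hunk ties these numbers to what the 1.2.0 build actually installs. Please confirm all three against the built libraries, and say so in the changelog, so that a mismatch does not surface only as a failing file list.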
@@ -52,7 +52,6 @@
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
-Patch1:         Linux-PAM-git-20150109.diff
 Patch2:         pam-limit-nproc.patch
 Patch3:         encryption_method_nis.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
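Review bot: dropping Patch1 leaves the sequence Patch0, Patch2, Patch3. The gap is harmless, but the changelog line "obsoletes Linux-PAM-git-20150109.diff" is the only statement that everything in that snapshot is contained in the 1.2.0 tarball. A short note on how that was checked would help, as would confirmation that pam-limit-nproc.patch and encryption_method_nis.diff, carried over unchanged, still apply cleanly to 1.2.0.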
@@ -103,7 +102,6 @@
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
-%patch1 -p2
 %patch2 -p1
 %patch3 -p1
 

++++++ Linux-PAM-1.1.8-docs.tar.bz2 -> Linux-PAM-1.2.0-docs.tar.bz2 ++++++
Files old/Linux-PAM-1.1.8/doc/adg/Linux-PAM_ADG.pdf and 
new/Linux-PAM-1.2.0/doc/adg/Linux-PAM_ADG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/adg/Linux-PAM_ADG.txt 
new/Linux-PAM-1.2.0/doc/adg/Linux-PAM_ADG.txt
--- old/Linux-PAM-1.1.8/doc/adg/Linux-PAM_ADG.txt       2013-09-19 
10:06:41.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/adg/Linux-PAM_ADG.txt       2015-03-24 
14:08:22.000000000 +0100
@@ -12,7 +12,7 @@
 
 Abstract
 
-This manual documents what an application developer needs to know about the
+This manual documents what an application developer needs to know about the 
 Linux-PAM library. It describes how an application might use the Linux-PAM
 library to authenticate users. In addition it contains a description of the
 functions to be found in libpam_misc library, that can be used in general
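Review bot: the only change in this hunk is a trailing space after "about the", and most hunks in the rendered .txt guides that follow are the same kind of whitespace churn. It buries the few real text changes (the pam_fail_delay percentage, the PAM_AUTHINFO_UNAVAIL spelling, "via the"). Consider stripping trailing whitespace when the text renderings are regenerated, or leaving regenerated docs out of the reviewed diff.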
@@ -303,7 +303,7 @@
 callback function, cleanup() (See pam_set_data(3) and pam_get_data(3)). In this
 way the module can be given notification of the pass/fail nature of the
 tear-down process, and perform any last minute tasks that are appropriate to
-the module before it is unlinked. This argument can be logically OR'd with
+the module before it is unlinked. This argument can be logically OR'd with 
 PAM_DATA_SILENT to indicate to indicate that the module should not treat the
 call too seriously. It is generally used to indicate that the current closing
 of the library is in a fork(2)ed process, and that the parent will take care of
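Review bot: the context line directly after the changed one still reads "PAM_DATA_SILENT to indicate to indicate that", so the duplicated "to indicate" survives this update. Since the paragraph was regenerated anyway, fix it in the documentation source so every rendering picks it up.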
@@ -387,7 +387,7 @@
 
 PAM_RHOST
 
-    The requesting hostname (the hostname of the machine from which the
+    The requesting hostname (the hostname of the machine from which the 
     PAM_RUSER entity is requesting service). That is PAM_RUSER@PAM_RHOST does
     identify the requesting user. In some applications, PAM_RHOST may be NULL.
     In such situations, it is unclear where the authentication request is
@@ -416,7 +416,7 @@
 
 PAM_FAIL_DELAY
 
-    A function pointer to redirect centrally managed failure delays. See
+    A function pointer to redirect centrally managed failure delays. See 
     pam_fail_delay(3).
 
 PAM_XDISPLAY
@@ -529,7 +529,7 @@
 
 PAM_RHOST
 
-    The requesting hostname (the hostname of the machine from which the
+    The requesting hostname (the hostname of the machine from which the 
     PAM_RUSER entity is requesting service). That is PAM_RUSER@PAM_RHOST does
     identify the requesting user. In some applications, PAM_RHOST may be NULL.
     In such situations, it is unclear where the authentication request is
@@ -558,7 +558,7 @@
 
 PAM_FAIL_DELAY
 
-    A function pointer to redirect centrally managed failure delays. See
+    A function pointer to redirect centrally managed failure delays. See 
     pam_fail_delay(3).
 
 PAM_XDISPLAY
@@ -645,12 +645,12 @@
 
 The pam_fail_delay function provides a mechanism by which an application or
 module can suggest a minimum delay of usec micro-seconds. The function keeps a
-record of the longest time requested with this function. Should
+record of the longest time requested with this function. Should 
 pam_authenticate(3) fail, the failing return to the application is delayed by
-an amount of time randomly distributed (by up to 25%) about this longest value.
+an amount of time randomly distributed (by up to 50%) about this longest value.
 
 Independent of success, the delay time is reset to its zero default value when
-the PAM service module returns control to the application. The delay occurs
+the PAM service module returns control to the application. The delay occurs 
 after all authentication modules have been called, but before control is
 returned to the service application.
 
@@ -708,8 +708,8 @@
 required to provide an authentication token depending upon the authentication
 service, usually this is a password, but could also be a finger print.
 
-The PAM service module may request that the user enter their username vio the
-the conversation mechanism (see pam_start(3) and pam_conv(3)). The name of the
+The PAM service module may request that the user enter their username via the
+conversation mechanism (see pam_start(3) and pam_conv(3)). The name of the
 authenticated user will be present in the PAM item PAM_USER. This item may be
 recovered with a call to pam_get_item(3).
 
@@ -741,7 +741,7 @@
     For some reason the application does not have sufficient credentials to
     authenticate the user.
 
-PAM_AUTHINFO_UNVAIL
+PAM_AUTHINFO_UNAVAIL
 
     The modules were not able to access the authentication information. This
     might be due to a network or hardware failure etc.
@@ -774,7 +774,7 @@
 
 The pam_setcred function is used to establish, maintain and delete the
 credentials of a user. It should be called to set the credentials after a user
-has been authenticated and before a session is opened for the user (with
+has been authenticated and before a session is opened for the user (with 
 pam_open_session(3)). The credentials should be deleted after the session has
 been closed (with pam_close_session(3)).
 
@@ -1024,7 +1024,7 @@
 3.1.12.1. DESCRIPTION
 
 The pam_close_session function is used to indicate that an authenticated
-session has ended. The session should have been created with a call to
+session has ended. The session should have been created with a call to 
 pam_open_session(3).
 
 It should be noted that the effective uid, geteuid(2). of the application
@@ -1091,7 +1091,7 @@
     Without an '=' the pam_putenv() function will delete the corresponding
     variable from the PAM environment.
 
-pam_putenv() operates on a copy of name_value, which means in contrast to
+pam_putenv() operates on a copy of name_value, which means in contrast to 
 putenv(3), the application is responsible to free the data.
 
 3.1.13.2. RETURN VALUES
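Review bot: the changed sentence "operates on a copy of name_value, which means in contrast to putenv(3), the application is responsible to free the data" does not say which data is meant. Suggest naming it explicitly, for example that the application remains responsible for freeing name_value because the library keeps its own copy, so callers neither leak the string nor assume the library took ownership of it.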
@@ -1206,7 +1206,7 @@
 The other arguments of a call to conv() concern the information exchanged by
 module and application. That is to say, num_msg holds the length of the array
 of pointers, msg. After a successful return, the pointer resp points to an
-array of pam_response structures, holding the application supplied text. The
+array of pam_response structures, holding the application supplied text. The 
 resp_retcode member of this struct is unused and should be set to zero. It is
 the caller's responsibility to release both, this array and the responses
 themselves, using free(3). Note, *resp is a struct pam_response array and not
@@ -1220,7 +1220,7 @@
 On failure, the conversation function should release any resources it has
 allocated, and return one of the predefined PAM error codes.
 
-Each message can have one of four types, specified by the msg_style member of
+Each message can have one of four types, specified by the msg_style member of 
 struct pam_message:
 
 PAM_PROMPT_ECHO_OFF
@@ -1287,7 +1287,7 @@
 
 3.3. Programming notes
 
-Note, all of the authentication service function calls accept the token
+Note, all of the authentication service function calls accept the token 
 PAM_SILENT, which instructs the modules to not send messages to the
 application. This token can be logically OR'd with any one of the permitted
 tokens specific to the individual function calls. PAM_SILENT does not override
@@ -1305,9 +1305,9 @@
 A poorly (or maliciously) written application can defeat any Linux-PAM module's
 authentication mechanisms by simply ignoring it's return values. It is the
 applications task and responsibility to grant privileges and access to
-services. The Linux-PAM library simply assumes the responsibility of
+services. The Linux-PAM library simply assumes the responsibility of 
 authenticating the user; ascertaining that the user is who they say they are.
-Care should be taken to anticipate all of the documented behavior of the
+Care should be taken to anticipate all of the documented behavior of the 
 Linux-PAM library functions. A failure to do this will most certainly lead to a
 future security breach.
 
@@ -1328,7 +1328,7 @@
 
 4.2. Choice of a service name
 
-When picking the service-name that corresponds to the first entry in the
+When picking the service-name that corresponds to the first entry in the 
 Linux-PAM configuration file, the application programmer should avoid the
 temptation of choosing something related to argv[0]. It is a trivial matter for
 any user to invoke any application on a system under a different name and this
@@ -1347,7 +1347,7 @@
 need do is, ln -s /target/application ./preferred_name and then run ./
 preferred_name.
 
-By studying the Linux-PAM configuration file(s), an attacker can choose the
+By studying the Linux-PAM configuration file(s), an attacker can choose the 
 preferred_name to be that of a service enjoying minimal protection; for example
 a game which uses Linux-PAM to restrict access to certain hours of the day. If
 the service-name were to be linked to the filename under which the service was
@@ -1377,8 +1377,8 @@
 the user requesting a service should be the current UID (user ID) of the
 running process; the identity of the privilege granting user is the EUID
 (effective user ID) of the running process; the identity of the user, under
-whose name the service will be executed, is given by the contents of the
-PAM_USER pam_get_item(3). Note, modules can change the values of PAM_USER and
+whose name the service will be executed, is given by the contents of the 
+PAM_USER pam_get_item(3). Note, modules can change the values of PAM_USER and 
 PAM_RUSER during any of the pam_*() library calls. For this reason, the
 application should take care to use the pam_get_item() every time it wishes to
 establish who the authenticated user is (or will currently be).
@@ -1409,7 +1409,7 @@
 Care should be taken to ensure that the proper execution of an application is
 not compromised by a lack of system resources. If an application is unable to
 open sufficient files to perform its service, it should fail gracefully, or
-request additional resources. Specifically, the quantities manipulated by the
+request additional resources. Specifically, the quantities manipulated by the 
 setrlimit(2) family of commands should be taken into consideration.
 
 This is also true of conversation prompts. The application should not accept
@@ -1480,7 +1480,7 @@
     This variable contains the time (as returned by time(2)) that the will time
     out. By default it has the value 0, which indicates that the conversation
     function will not timeout. The application may set its value to sometime in
-    the future, but this should be done prior to passing control to the
+    the future, but this should be done prior to passing control to the 
     Linux-PAM library.
 
 const char *pam_misc_conv_die_line;
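Review bot: the first context line, "This variable contains the time (as returned by time(2)) that the will time out", is missing its subject. Going by the following sentence it is the conversation function that times out; please fix the wording in the documentation source while this entry is being touched.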
@@ -1488,7 +1488,7 @@
     Used in conjuction with pam_misc_conv_die_time, this variable is a pointer
     to the string that will be displayed when the conversation times out. Its
     default value is a translated version of “...Sorry, your time is up!”, but
-    this can be changed by the application prior to passing control to
+    this can be changed by the application prior to passing control to 
     Linux-PAM.
 
 int pam_misc_conv_died;
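Review bot: "Used in conjuction with pam_misc_conv_die_time" in the first context line is misspelled ("conjunction"). The hunk only adds a trailing space two lines below, so the typo is carried into 1.2.0 unchanged.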
@@ -1620,7 +1620,7 @@
 Credentials
 
     Having successfully authenticated the user, PAM is able to establish
-    certain characteristics/attributes of the user. These are termed
+    certain characteristics/attributes of the user. These are termed 
     credentials. Examples of which are group memberships to perform privileged
     tasks with, and tickets in the form of environment variables etc. . Some
     user-credentials, such as the user's UID and GID (plus default group
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Linux-PAM-1.1.8/doc/adg/html/adg-interface-by-app-expected.html 
new/Linux-PAM-1.2.0/doc/adg/html/adg-interface-by-app-expected.html
--- old/Linux-PAM-1.1.8/doc/adg/html/adg-interface-by-app-expected.html 
2013-09-19 10:06:43.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/adg/html/adg-interface-by-app-expected.html 
2015-03-24 14:08:24.000000000 +0100
@@ -330,7 +330,7 @@
       function  keeps a record of the longest time requested with this
       function. Should
       <span class="citerefentry"><span 
class="refentrytitle">pam_authenticate</span>(3)</span> fail, the failing 
return to the application is
-      delayed by an amount of time randomly distributed (by up to 25%)
+      delayed by an amount of time randomly distributed (by up to 50%)
       about this longest value.
     </p><p>
       Independent of success, the delay time is reset to its zero
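Review bot: "(by up to 50%)" widens the spread around the longest requested delay, so a failing return may now arrive after as little as half that value, yet the text rendering of this same section still describes pam_fail_delay as suggesting "a minimum delay of usec micro-seconds". Either reword "minimum" or state the resulting range explicitly. The 25% to 50% change also deserves a line in pam.changes, because applications that call pam_fail_delay to slow down password guessing will see different timing.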
@@ -384,7 +384,7 @@
       usually this is a password, but could also be a finger print.
     </p><p>
       The PAM service module may request that the user enter their
-      username vio the the conversation mechanism (see
+      username via the conversation mechanism (see
       <span class="citerefentry"><span 
class="refentrytitle">pam_start</span>(3)</span> and
       <span class="citerefentry"><span 
class="refentrytitle">pam_conv</span>(3)</span>). The name of the authenticated 
user
        will be present in the PAM item PAM_USER. This item may be
@@ -408,7 +408,7 @@
           </p></dd><dt><span 
class="term">PAM_CRED_INSUFFICIENT</span></dt><dd><p>
             For some reason the application does not have sufficient
             credentials to authenticate the user.
-          </p></dd><dt><span 
class="term">PAM_AUTHINFO_UNVAIL</span></dt><dd><p>
+          </p></dd><dt><span 
class="term">PAM_AUTHINFO_UNAVAIL</span></dt><dd><p>
             The modules were not able to access the authentication
             information. This might be due to a network or hardware
             failure etc.
Files old/Linux-PAM-1.1.8/doc/mwg/Linux-PAM_MWG.pdf and 
new/Linux-PAM-1.2.0/doc/mwg/Linux-PAM_MWG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/mwg/Linux-PAM_MWG.txt 
new/Linux-PAM-1.2.0/doc/mwg/Linux-PAM_MWG.txt
--- old/Linux-PAM-1.1.8/doc/mwg/Linux-PAM_MWG.txt       2013-09-19 
10:06:45.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/mwg/Linux-PAM_MWG.txt       2015-03-24 
14:08:31.000000000 +0100
@@ -100,8 +100,8 @@
 system file, /etc/pam.conf, to authenticate a user request via the locally
 available authentication modules. The modules themselves will usually be
 located in the directory /lib/security (or /lib64/security, depending on the
-architecture) and take the form of dynamically loadable object files (see
-dlopen(3). Alternatively, the modules can be statically linked into the
+architecture) and take the form of dynamically loadable object files (see 
+dlopen(3). Alternatively, the modules can be statically linked into the 
 Linux-PAM library; this is mostly to allow Linux-PAM to be used on platforms
 without dynamic linking available, but this is a deprecated functionality. It
 is the Linux-PAM interface that is called by an application and it is the
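Review bot: the changed lines read "(see dlopen(3). Alternatively, the modules can be", which opens a parenthesis that is never closed. The corresponding sentence in the SAG text in this same commit does close it. Please add the missing ")" after dlopen(3) in the MWG source.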
@@ -127,7 +127,7 @@
 
 2.1.  Getting and setting PAM_ITEMs and data
 
-First, we cover what the module should expect from the Linux-PAM library and a
+First, we cover what the module should expect from the Linux-PAM library and a 
 Linux-PAM aware application. Essentially this is the libpam.* library.
 
 2.1.1. Set module internal data
@@ -150,17 +150,16 @@
 2.1.1.1. DESCRIPTION
 
 The pam_set_data function associates a pointer to an object with the
-(hopefully) unique string module_data_name in the PAM context specified by the
+(hopefully) unique string module_data_name in the PAM context specified by the 
 pamh argument.
 
 PAM modules may be dynamically loadable objects. In general such files should
-not contain static variables. This function and its counterpart pam_get_data
-(3), provide a mechanism for a module to associate some data with the handle
-pamh. Typically a module will call the pam_set_data function to register some
-data under a (hopefully) unique module_data_name. The data is available for use
-by other modules too but not by an application. Since this functions stores
-only a pointer to the data, the module should not modify or free the content of
-it.
+not contain static variables. This function and its counterpart pam_get_data(3)
+, provide a mechanism for a module to associate some data with the handle pamh.
+Typically a module will call the pam_set_data function to register some data
+under a (hopefully) unique module_data_name. The data is available for use by
+other modules too but not by an application. Since this functions stores only a
+pointer to the data, the module should not modify or free the content of it.
 
 The function cleanup() is associated with the data and, if non-NULL, it is
 called when this data is over-written or following a call to pam_end(3).
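Review bot: the rewrapped paragraph now ends one line with "pam_get_data(3)" and starts the next with ", provide", leaving the comma orphaned at the start of a line. This looks like a rendering artifact of the cross-reference rather than an intended edit. While the paragraph is open, "Since this functions stores only a pointer" should read "Since this function stores only a pointer".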
@@ -302,7 +301,7 @@
 
 PAM_RHOST
 
-    The requesting hostname (the hostname of the machine from which the
+    The requesting hostname (the hostname of the machine from which the 
     PAM_RUSER entity is requesting service). That is PAM_RUSER@PAM_RHOST does
     identify the requesting user. In some applications, PAM_RHOST may be NULL.
     In such situations, it is unclear where the authentication request is
@@ -331,7 +330,7 @@
 
 PAM_FAIL_DELAY
 
-    A function pointer to redirect centrally managed failure delays. See
+    A function pointer to redirect centrally managed failure delays. See 
     pam_fail_delay(3).
 
 PAM_XDISPLAY
@@ -444,7 +443,7 @@
 
 PAM_RHOST
 
-    The requesting hostname (the hostname of the machine from which the
+    The requesting hostname (the hostname of the machine from which the 
     PAM_RUSER entity is requesting service). That is PAM_RUSER@PAM_RHOST does
     identify the requesting user. In some applications, PAM_RHOST may be NULL.
     In such situations, it is unclear where the authentication request is
@@ -473,7 +472,7 @@
 
 PAM_FAIL_DELAY
 
-    A function pointer to redirect centrally managed failure delays. See
+    A function pointer to redirect centrally managed failure delays. See 
     pam_fail_delay(3).
 
 PAM_XDISPLAY
@@ -554,7 +553,7 @@
 contents of *user. Note, this memory should not be free()'d or modified by the
 module.
 
-This function sets the PAM_USER item associated with the pam_set_item(3) and
+This function sets the PAM_USER item associated with the pam_set_item(3) and 
 pam_get_item(3) functions.
 
 2.1.5.2. RETURN VALUES
@@ -606,7 +605,7 @@
 The other arguments of a call to conv() concern the information exchanged by
 module and application. That is to say, num_msg holds the length of the array
 of pointers, msg. After a successful return, the pointer resp points to an
-array of pam_response structures, holding the application supplied text. The
+array of pam_response structures, holding the application supplied text. The 
 resp_retcode member of this struct is unused and should be set to zero. It is
 the caller's responsibility to release both, this array and the responses
 themselves, using free(3). Note, *resp is a struct pam_response array and not
@@ -620,7 +619,7 @@
 On failure, the conversation function should release any resources it has
 allocated, and return one of the predefined PAM error codes.
 
-Each message can have one of four types, specified by the msg_style member of
+Each message can have one of four types, specified by the msg_style member of 
 struct pam_message:
 
 PAM_PROMPT_ECHO_OFF
@@ -721,7 +720,7 @@
     Without an '=' the pam_putenv() function will delete the corresponding
     variable from the PAM environment.
 
-pam_putenv() operates on a copy of name_value, which means in contrast to
+pam_putenv() operates on a copy of name_value, which means in contrast to 
 putenv(3), the application is responsible to free the data.
 
 2.1.7.2. RETURN VALUES
@@ -839,12 +838,12 @@
 
 The pam_fail_delay function provides a mechanism by which an application or
 module can suggest a minimum delay of usec micro-seconds. The function keeps a
-record of the longest time requested with this function. Should
+record of the longest time requested with this function. Should 
 pam_authenticate(3) fail, the failing return to the application is delayed by
-an amount of time randomly distributed (by up to 25%) about this longest value.
+an amount of time randomly distributed (by up to 50%) about this longest value.
 
 Independent of success, the delay time is reset to its zero default value when
-the PAM service module returns control to the application. The delay occurs
+the PAM service module returns control to the application. The delay occurs 
 after all authentication modules have been called, but before control is
 returned to the service application.
 
@@ -908,10 +907,10 @@
 of some other part of the module.
 
 As an informative example, consider the possibility that an application applies
-to change a user's authentication token, without having first requested that
+to change a user's authentication token, without having first requested that 
 Linux-PAM authenticate the user. In some cases this may be deemed appropriate:
 when root wants to change the authentication token of some lesser user. In
-other cases it may not be appropriate: when joe maliciously wants to reset
+other cases it may not be appropriate: when joe maliciously wants to reset 
 alice's password; or when anyone other than the user themself wishes to reset
 their KERBEROS authentication token. A policy for this action should be defined
 by any reasonable authentication scheme, the module writer should consider this
@@ -923,7 +922,7 @@
 pam.conf file, the module developer may define all six of the following
 functions. For those functions that would not be called, the module should
 return PAM_SERVICE_ERR and write an appropriate message to the system log. When
-this action is deemed inappropriate, the function would simply return
+this action is deemed inappropriate, the function would simply return 
 PAM_IGNORE.
 
 3.1.3. Arguments supplied to the module
@@ -966,7 +965,7 @@
 
 3.2.1.1. DESCRIPTION
 
-The pam_sm_authenticate function is the service module's implementation of the
+The pam_sm_authenticate function is the service module's implementation of the 
 pam_authenticate(3) interface.
 
 This function performs the task of authenticating the user.
@@ -1031,7 +1030,7 @@
 
 3.2.2.1. DESCRIPTION
 
-The pam_sm_setcred function is the service module's implementation of the
+The pam_sm_setcred function is the service module's implementation of the 
 pam_setcred(3) interface.
 
 This function performs the task of altering the credentials of the user with
@@ -1122,7 +1121,7 @@
 
 3.3.1.1. DESCRIPTION
 
-The pam_sm_acct_mgmt function is the service module's implementation of the
+The pam_sm_acct_mgmt function is the service module's implementation of the 
 pam_acct_mgmt(3) interface.
 
 This function performs the task of establishing whether the user is permitted
@@ -1196,7 +1195,7 @@
 
 3.4.1.1. DESCRIPTION
 
-The pam_sm_open_session function is the service module's implementation of the
+The pam_sm_open_session function is the service module's implementation of the 
 pam_open_session(3) interface.
 
 This function is called to commence a session. The only valid value for flags
@@ -1280,7 +1279,7 @@
 
 3.5.1.1. DESCRIPTION
 
-The pam_sm_chauthtok function is the service module's implementation of the
+The pam_sm_chauthtok function is the service module's implementation of the 
 pam_chauthtok(3) interface.
 
 This function is used to (re-)set the authentication token of the user.
@@ -1304,21 +1303,21 @@
     for altering the user's authentication token. If the module requires access
     to another system over some network it should attempt to verify it can
     connect to this system on receiving this flag. If a module cannot establish
-    it is ready to update the user's authentication token it should return
+    it is ready to update the user's authentication token it should return 
     PAM_TRY_AGAIN, this information will be passed back to the application.
 
-    If the control value sufficient is used in the password stack, the
+    If the control value sufficient is used in the password stack, the 
     PAM_PRELIM_CHECK section of the modules following that control value is not
     always executed.
 
 PAM_UPDATE_AUTHTOK
 
     This informs the module that this is the call it should change the
-    authorization tokens. If the flag is logically OR'd with
+    authorization tokens. If the flag is logically OR'd with 
     PAM_CHANGE_EXPIRED_AUTHTOK, the token is only changed if it has actually
     expired.
 
-The PAM library calls this function twice in succession. The first time with
+The PAM library calls this function twice in succession. The first time with 
 PAM_PRELIM_CHECK and then, if the module does not return PAM_TRY_AGAIN,
 subsequently with PAM_UPDATE_AUTHTOK. It is only on the second call that the
 authorization token is (possibly) changed.
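Review bot: this section uses two terms for the same object. The PAM_PRELIM_CHECK paragraph says "the user's authentication token", while the PAM_UPDATE_AUTHTOK paragraph and the closing paragraph say "authorization tokens" and "authorization token". pam_sm_chauthtok is described just above as (re-)setting the authentication token, so use that term throughout.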
@@ -1413,11 +1412,11 @@
     identifier; returned by the function getuid(2).
 
   • Y, the privileged identity of the application used to grant the requested
-    service. This is the effective user identifier; returned by the function
+    service. This is the effective user identifier; returned by the function 
     geteuid(2).
 
   • Z, the user under whose identity the service will be granted. This is the
-    username returned by pam_get_user() and also stored in the Linux-PAM item,
+    username returned by pam_get_user() and also stored in the Linux-PAM item, 
     PAM_USER.
 
   • Linux-PAM has a place for an additional user identity that a module may
@@ -1442,7 +1441,7 @@
 
 5.1.4. Authentication tokens
 
-To ensure that the authentication tokens are not left lying around the items,
+To ensure that the authentication tokens are not left lying around the items, 
 PAM_AUTHTOK and PAM_OLDAUTHTOK, are not available to the application: they are
 defined in <security/pam_modules.h>. This is ostensibly for security reasons,
 but a maliciously programmed application will always have access to all memory
@@ -1481,13 +1480,13 @@
 Only rarely should error information be directed to the user. Usually, this is
 to be limited to “sorry you cannot login now” type messages. Information
 concerning errors in the configuration file, /etc/pam.conf, or due to some
-system failure encountered by the module, should be written to syslog(3) with
+system failure encountered by the module, should be written to syslog(3) with 
 facility-type LOG_AUTHPRIV.
 
 With a few exceptions, the level of logging is, at the discretion of the module
 developer. Here is the recommended usage of different logging levels:
 
-  • As a general rule, errors encountered by a module should be logged at the
+  • As a general rule, errors encountered by a module should be logged at the 
     LOG_ERR level. However, information regarding an unrecognized argument,
     passed to a module from an entry in the /etc/pam.conf file, is required to
     be logged at the LOG_ERR level.
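Review bot: in the bullet, "errors encountered by a module should be logged at the LOG_ERR level. However, information regarding an unrecognized argument [...] is required to be logged at the LOG_ERR level" names the same level on both sides of "However", so the contrast is lost. Either the first level is a different one in the source or the sentence should be reworded to say that the general rule is a recommendation while the unrecognized-argument case is mandatory. Module authors rely on this text to decide what reaches the LOG_AUTHPRIV log, so it should be unambiguous.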
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Linux-PAM-1.1.8/doc/mwg/html/mwg-expected-by-module-other.html 
new/Linux-PAM-1.2.0/doc/mwg/html/mwg-expected-by-module-other.html
--- old/Linux-PAM-1.1.8/doc/mwg/html/mwg-expected-by-module-other.html  
2013-09-19 10:06:47.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/mwg/html/mwg-expected-by-module-other.html  
2015-03-24 14:08:33.000000000 +0100
@@ -18,7 +18,7 @@
       function  keeps a record of the longest time requested with this
       function. Should
       <span class="citerefentry"><span 
class="refentrytitle">pam_authenticate</span>(3)</span> fail, the failing 
return to the application is
-      delayed by an amount of time randomly distributed (by up to 25%)
+      delayed by an amount of time randomly distributed (by up to 50%)
       about this longest value.
     </p><p>
       Independent of success, the delay time is reset to its zero
Files old/Linux-PAM-1.1.8/doc/sag/Linux-PAM_SAG.pdf and 
new/Linux-PAM-1.2.0/doc/sag/Linux-PAM_SAG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/Linux-PAM_SAG.txt 
new/Linux-PAM-1.2.0/doc/sag/Linux-PAM_SAG.txt
--- old/Linux-PAM-1.1.8/doc/sag/Linux-PAM_SAG.txt       2013-09-19 
10:06:33.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/Linux-PAM_SAG.txt       2015-03-25 
13:58:23.000000000 +0100
@@ -12,7 +12,7 @@
 
 Abstract
 
-This manual documents what a system-administrator needs to know about the
+This manual documents what a system-administrator needs to know about the 
 Linux-PAM library. It covers the correct syntax of the PAM configuration file
 and discusses strategies for maintaining a secure system.
 
@@ -114,8 +114,8 @@
 series of configuration files located in /etc/pam.d/) to authenticate a user
 request via the locally available authentication modules. The modules
 themselves will usually be located in the directory /lib/security or /lib64/
-security and take the form of dynamically loadable object files (see dlopen
-(3)).
+security and take the form of dynamically loadable object files (see dlopen(3)
+).
 
 Chapter 2. Some comments on the text
 
@@ -169,7 +169,7 @@
 they will soon learn their multiplication tables. As they mature, the
 authentication can be upgraded to include (long) division!
 
-Linux-PAM deals with four separate types of (management) task. These are:
+Linux-PAM deals with four separate types of (management) task. These are: 
 authentication management; account management; session management; and password
 management. The association of the preferred management scheme with the
 behavior of an application is made with entries in the relevant Linux-PAM
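
Review bot: the only change in this hunk is a trailing space added after "These are:" on the + line, and the same whitespace-only pattern repeats in many other hunks of Linux-PAM_SAG.txt. If this text file is regenerated output, strip trailing whitespace in the generation step so that the real wording changes (pam_access, pam_env, pam_timestamp, pam_userdb) are not buried in noise.
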
@@ -203,7 +203,7 @@
 
 By way of explanation, the left of the figure represents the application;
 application X. Such an application interfaces with the Linux-PAM library and
-knows none of the specifics of its configured authentication method. The
+knows none of the specifics of its configured authentication method. The 
 Linux-PAM library (in the center) consults the contents of the PAM
 configuration file and loads the modules that are appropriate for
 application-X. These modules fall into one of four management groups
@@ -251,7 +251,7 @@
 An important feature of PAM, is that a number of rules may be stacked to
 combine the services of a number of PAMs for a given authentication task.
 
-The service is typically the familiar name of the corresponding application:
+The service is typically the familiar name of the corresponding application: 
 login and su are good examples. The service-name, other, is reserved for giving
 default rules. Only lines that mention the current service (or in the absence
 of such, the other entries) will be associated with the given
@@ -360,9 +360,9 @@
 module for which the line is defined. It is selected from one of these: success
 , open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err
 , cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd
-, acct_expired, session_err, cred_unavail, cred_expired, cred_err,
-no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy,
-authtok_disable_aging, try_again, ignore, abort, authtok_expired,
+, acct_expired, session_err, cred_unavail, cred_expired, cred_err, 
+no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, 
+authtok_disable_aging, try_again, ignore, abort, authtok_expired, 
 module_unknown, bad_item, conv_again, incomplete, and default.
 
 The last of these, default, implies 'all valueN's not mentioned explicitly.
@@ -389,7 +389,7 @@
 
     this tells PAM that the administrator thinks this return code should
     contribute directly to the return code of the full stack of modules. In
-    other words, if the former state of the stack would lead to a return of
+    other words, if the former state of the stack would lead to a return of 
     PAM_SUCCESS, the module's return code will override this value. Note, if
     the former state of the stack holds some value that is indicative of a
     modules failure, this 'ok' value will not be used to override that value.
@@ -476,7 +476,7 @@
 
 4.3. Example configuration file entries
 
-In this section, we give some examples of entries that can be present in the
+In this section, we give some examples of entries that can be present in the 
 Linux-PAM configuration file. As a first attempt at configuring your system you
 could do worse than to implement these.
 
@@ -558,7 +558,7 @@
 In general, Linux-PAM errs towards the latter. Any number of configuration
 errors can disable access to your system partially, or completely.
 
-The most dramatic problem that is likely to be encountered when configuring
+The most dramatic problem that is likely to be encountered when configuring 
 Linux-PAM is that of deleting the configuration file(s): /etc/pam.d/* and/or /
 etc/pam.conf. This will lock you out of your own system!
 
@@ -601,26 +601,29 @@
 
 The pam_access PAM module is mainly for access management. It provides
 logdaemon style login access control based on login names, host or domain
-names, internet addresses or network numbers, or on terminal line names in case
-of non-networked logins.
+names, internet addresses or network numbers, or on terminal line names, X
+$DISPLAY values, or PAM service names in case of non-networked logins.
 
 By default rules for access management are taken from config file /etc/security
 /access.conf if you don't specify another file.
 
 If Linux PAM is compiled with audit support the module will report when it
-denies access based on origin (host or tty).
+denies access based on origin (host, tty, etc.).
 
 6.1.2. DESCRIPTION
 
 The /etc/security/access.conf file specifies (user/group, host), (user/group,
-network/netmask) or (user/group, tty) combinations for which a login will be
-either accepted or refused.
+network/netmask), (user/group, tty), (user/group, X-$DISPLAY-value), or (user/
+group, pam-service-name) combinations for which a login will be either accepted
+or refused.
 
 When someone logs in, the file access.conf is scanned for the first entry that
 matches the (user/group, host) or (user/group, network/netmask) combination,
 or, in case of non-networked logins, the first entry that matches the (user/
-group, tty) combination. The permissions field of that table entry determines
-whether the login will be accepted or refused.
+group, tty) combination, or in the case of non-networked logins without a tty,
+the first entry that matches the (user/group, X-$DISPLAY-value) or (user/group,
+pam-service-name/) combination. The permissions field of that table entry
+determines whether the login will be accepted or refused.
 
 Each line of the login access control table has three fields separated by a ":"
 character (colon):
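
Review bot: the added placeholder "pam-service-name/" in the "When someone logs in" paragraph has a stray trailing slash; the DESCRIPTION paragraph just above spells it "pam-service-name". The first paragraph also lists tty names, X $DISPLAY values and PAM service names together as "in case of non-networked logins", while this paragraph says $DISPLAY and the service name are only consulted for non-networked logins without a tty. State the precedence once and make both places agree, since it decides which access.conf entry matches first.
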
@@ -636,16 +639,21 @@
 (group).
 
 The third field, the origins field, should be a list of one or more tty names
-(for non-networked logins), host names, domain names (begin with "."), host
-addresses, internet network numbers (end with "."), internet network addresses
-with network mask (where network mask can be a decimal number or an internet
-address also), ALL (which always matches) or LOCAL. LOCAL keyword matches if
-and only if the PAM_RHOST is not set and <origin> field is thus set from
-PAM_TTY or PAM_SERVICE". If supported by the system you can use @netgroupname
-in host or user patterns. The @@netgroupname syntax is supported in the user
-pattern only and it makes the local system hostname to be passed to the
-netgroup match call in addition to the user name. This might not work correctly
-on some libc implementations causing the match to always fail.
+(for non-networked logins), X $DISPLAY values or PAM service names (for
+non-networked logins without a tty), host names, domain names (begin with "."),
+host addresses, internet network numbers (end with "."), internet network
+addresses with network mask (where network mask can be a decimal number or an
+internet address also), ALL (which always matches) or LOCAL. The LOCAL keyword
+matches if and only if pam_get_item(3), when called with an item_type of 
+PAM_RHOST, returns NULL or an empty string (and therefore the origins field is
+compared against the return value of pam_get_item(3) called with an item_type
+of PAM_TTY or, absent that, PAM_SERVICE).
+
+If supported by the system you can use @netgroupname in host or user patterns.
+The @@netgroupname syntax is supported in the user pattern only and it makes
+the local system hostname to be passed to the netgroup match call in addition
+to the user name. This might not work correctly on some libc implementations
+causing the match to always fail.
 
 The EXCEPT operator makes it possible to write very compact rules.
 
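
Review bot: the new LOCAL definition spells out that PAM_RHOST counts as unset when pam_get_item(3) "returns NULL or an empty string", but "PAM_TTY or, absent that, PAM_SERVICE" leaves "absent" undefined. Say whether an empty PAM_TTY also falls through to PAM_SERVICE, because that determines which value an origins entry is compared against. The + line ending in "item_type of " also carries a trailing space.
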
@@ -757,7 +765,7 @@
 
 + : root : 192.168.201.
 
-User root should be able to have access from hosts foo1.bar.org and
+User root should be able to have access from hosts foo1.bar.org and 
 foo2.bar.org (uses string matching also).
 
 + : root : foo1.bar.org foo2.bar.org
@@ -1297,16 +1305,20 @@
 6.6.1. DESCRIPTION
 
 The pam_env PAM module allows the (un)setting of environment variables.
-Supported is the use of previously set environment variables as well as
+Supported is the use of previously set environment variables as well as 
 PAM_ITEMs such as PAM_RHOST.
 
-By default rules for (un)setting of variables is taken from the config file /
-etc/security/pam_env.conf if no other file is specified.
-
-This module can also parse a file with simple KEY=VAL pairs on separate lines
-(/etc/environment by default). You can change the default file to parse, with
-the envfile flag and turn it on or off by setting the readenv flag to 1 or 0
-respectively.
+By default rules for (un)setting of variables are taken from the config file /
+etc/security/pam_env.conf. An alternate file can be specified with the conffile
+option.
+
+Second a file (/etc/environment by default) with simple KEY=VAL pairs on
+separate lines will be read. With the envfile option an alternate file can be
+specified. And with the readenv option this can be completly disabled.
+
+Third it will read a user configuration file ($HOME/.pam_environment by
+default). The default file file can be changed with the user_envfile option and
+it can be turned on and off with the user_readenv option.
 
 Since setting of PAM environment variables can have side effects to other
 modules, this module should be the last one on the stack.
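
Review bot: typos in the added pam_env paragraphs: "completly" should be "completely", and "The default file file" repeats a word. The new paragraphs begin "Second" and "Third" while the first still begins "By default", so the read order (pam_env.conf, then /etc/environment, then $HOME/.pam_environment) is only implied; start the first with "First" or use a numbered list. Because the third file is a per-user file under $HOME, stating the default value of user_readenv in this paragraph would help administrators decide whether to switch it off.
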
@@ -1327,13 +1339,14 @@
 VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
 
 (Possibly non-existent) environment variables may be used in values using the $
-{string} syntax and (possibly non-existent) PAM_ITEMs may be used in values
-using the @{string} syntax. Both the $ and @ characters can be backslash
-escaped to be used as literal values values can be delimited with "", escaped "
-not supported. Note that many environment variables that you would like to use
-may not be set by the time the module is called. For example, HOME is used
-below several times, but many PAM applications don't make it available by the
-time you need it.
+{string} syntax and (possibly non-existent) PAM_ITEMs as well as HOME and SHELL
+may be used in values using the @{string} syntax. Both the $ and @ characters
+can be backslash escaped to be used as literal values values can be delimited
+with "", escaped " not supported. Note that many environment variables that you
+would like to use may not be set by the time the module is called. For example,
+${HOME} is used below several times, but many PAM applications don't make it
+available by the time you need it. The special variables @{HOME} and @{SHELL}
+are expanded to the values for the user from his passwd entry.
 
 The "#" character at start of line (no space at front) can be used to mark this
 line as a comment line.
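
Review bot: the re-flowed text keeps the run-on "literal values values can be delimited with "", escaped " not supported"; split it into two sentences while this paragraph is being touched. The new closing sentence should also make the contrast explicit: ${HOME} is taken from the environment and may be unset when the module runs, whereas @{HOME} and @{SHELL} come from the user's passwd entry. "his passwd entry" reads better as "the user's passwd entry".
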
@@ -1352,8 +1365,10 @@
 
 envfile=/path/to/environment
 
-    Indicate an alternative environment file to override the default. This can
-    be useful when different services need different environments.
+    Indicate an alternative environment file to override the default. The
+    syntax are simple KEY=VAL pairs on separate lines. The export instruction
+    can be specified for bash compatibility, but will be ignored. This can be
+    useful when different services need different environments.
 
 readenv=0|1
 
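
Review bot: "The syntax are simple KEY=VAL pairs" should read "The syntax is ...". The sentence on export says the instruction "will be ignored"; make clear whether only the export keyword is skipped and the KEY=VAL on that line is still applied, or whether the whole line is dropped.
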
@@ -1362,9 +1377,10 @@
 
 user_envfile=filename
 
-    Indicate an alternative .pam_environment file to override the default. This
-    can be useful when different services need different environments. The
-    filename is relative to the user home directory.
+    Indicate an alternative .pam_environment file to override the default.The
+    syntax is the same as for /etc/environment. The filename is relative to the
+    user home directory. This can be useful when different services need
+    different environments.
 
 user_readenv=0|1
 
@@ -1431,6 +1447,7 @@
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+      XDG_DATA_HOME  @{HOME}/share/
 
 
 Silly examples of escaped variables, just to show how they work.
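
Review bot: the added example line "XDG_DATA_HOME  @{HOME}/share/" has neither DEFAULT= nor OVERRIDE= in front of the value, unlike the NNTPSERVER and PATH lines directly above it and the documented form "VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]". As written the example does not follow the syntax the section documents; it should presumably read "XDG_DATA_HOME  DEFAULT=@{HOME}/share/".
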
@@ -1636,17 +1653,17 @@
     have read the pam(3) manual page. Basically, for each management group
     there are up to two ways of calling the module's functions. In the case of
     the authentication and session components there are actually two separate
-    functions. For the case of authentication, these functions are
+    functions. For the case of authentication, these functions are 
     pam_authenticate(3) and pam_setcred(3), here run1 means run the filter from
     the pam_authenticate function and run2 means run the filter from
     pam_setcred. In the case of the session modules, run1 implies that the
-    filter is invoked at the pam_open_session(3) stage, and run2 for
+    filter is invoked at the pam_open_session(3) stage, and run2 for 
     pam_close_session(3).
 
     For the case of the account component. Either run1 or run2 may be used.
 
     For the case of the password component, run1 is used to indicate that the
-    filter is run on the first occasion of pam_chauthtok(3) (the
+    filter is run on the first occasion of pam_chauthtok(3) (the 
     PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run
     on the second occasion (the PAM_UPDATE_AUTHTOK phase).
 
@@ -1690,7 +1707,7 @@
 pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of
 access.
 
-This module intercepts the user's name and password. If the name is ftp or
+This module intercepts the user's name and password. If the name is ftp or 
 anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER
 and a PAM_RHOST part; these pam-items being set accordingly. The username (
 PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the
@@ -1874,10 +1891,11 @@
 
 xsh;tty*&!ttyp*;us;Al0000-2400;floppy
 
-Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to
-games (through membership of the floppy group) after work hours.
+Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
+'shield' are given access to games (through membership of the floppy group)
+after work hours.
 
-xsh; tty* ;sword;!Wk0900-1800;games, sound
+xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
 xsh; tty* ;*;Al0900-1800;floppy
 
 
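
Review bot: the example rule now uses "sword|pike|shield" in the users field, but the explanatory sentence does not say that "|" separates alternatives; add that or point to where the field syntax is defined. The sentence also says access to games comes "through membership of the floppy group", while the rule it describes grants "games, sound" and floppy is granted by the following "*" rule, so the description and the rules should be brought into line.
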
@@ -2284,7 +2302,7 @@
 
         for enforcing soft resource limits. These limits are ones that the user
         can move up or down within the permitted range by any pre-existing hard
-        limits. The values specified with this token can be thought of as
+        limits. The values specified with this token can be thought of as 
         default values, for normal system usage.
 
     -
@@ -2315,7 +2333,7 @@
 
     nofile
 
-        maximum number of open files
+        maximum number of open file descriptors
 
     rss
 
@@ -2339,11 +2357,14 @@
 
     maxlogins
 
-        maximum number of logins for this user except for this with uid=0
+        maximum number of logins for this user (this limit does not apply to
+        user with uid=0)
 
     maxsyslogins
 
-        maximum number of all logins on system
+        maximum number of all logins on system; user is not allowed to log-in
+        if total number of all users' logins is greater than specified number
+        (this limit does not apply to user with uid=0)
 
     priority
 
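
Review bot: in the maxsyslogins text, "if total number of all users' logins is greater than specified number" leaves the boundary unclear: is the login that reaches the limit refused, or only the one that exceeds it? State the bound as inclusive or exclusive. Both new parentheticals say "user with uid=0"; "users with uid=0" reads correctly.
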
@@ -2496,7 +2517,7 @@
 pam_listfile is a PAM module which provides a way to deny or allow services
 based on an arbitrary file.
 
-The module gets the item of the type specified -- user specifies the username,
+The module gets the item of the type specified -- user specifies the username, 
 PAM_USER; tty specifies the name of the terminal over which the request has
 been made, PAM_TTY; rhost specifies the name of the remote host (if any) from
 which the request was made, PAM_RHOST; and ruser specifies the name of the
@@ -2513,7 +2534,7 @@
 
 An additional argument, apply=, can be used to restrict the application of the
 above to a specific user (apply=username) or a given group (apply=@groupname).
-This added restriction is only meaningful when used with the tty, rhost and
+This added restriction is only meaningful when used with the tty, rhost and 
 shell items.
 
 Besides this last one, all arguments should be specified; do not count on any
@@ -2697,9 +2718,19 @@
 
 6.18.4. RETURN VALUES
 
+PAM_SUCCESS
+
+    The loginuid value is set and auditd is running if check requested.
+
+PAM_IGNORE
+
+    The /proc/self/loginuid file is not present on the system or the login
+    process runs inside uid namespace and kernel does not support overwriting
+    loginuid.
+
 PAM_SESSION_ERR
 
-    An error occurred during session management.
+    Any other error prevented setting loginuid or auditd is not running.
 
 6.18.5. EXAMPLES
 
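
Review bot: PAM_SUCCESS qualifies the auditd condition with "if check requested", but PAM_SESSION_ERR says "or auditd is not running" without that qualifier, so it reads as if a stopped auditd always fails the session. Repeat the qualifier there. For PAM_IGNORE, add that the module does not set loginuid in those two cases, so an administrator knows the session can continue without an audit login id.
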
@@ -2764,7 +2795,7 @@
 
 nopen
 
-    Don't print any mail information on login. This flag is useful to get the
+    Don't print any mail information on login. This flag is useful to get the 
     MAIL environment variable set, but to not display any information about it.
 
 quiet
@@ -3024,7 +3055,7 @@
 
 The directory where polyinstantiated instances are to be created, must exist
 and must have, by default, the mode of 0000. The requirement that the instance
-parent be of mode 0000 can be overridden with the command line option
+parent be of mode 0000 can be overridden with the command line option 
 ignore_instance_parent_mode
 
 In case of context or level polyinstantiation the SELinux context which is used
@@ -3408,7 +3439,7 @@
 personal configuration file.
 
 The module authenticates a remote user (internally specified by the item
-PAM_RUSER connecting from the remote host (internally specified by the item
+PAM_RUSER connecting from the remote host (internally specified by the item 
 PAM_RHOST). Accordingly, for applications to be compatible this authentication
 module they must set these items prior to calling pam_authenticate(). The
 module is not capable of independently probing the network connection for such
@@ -3918,7 +3949,7 @@
 
     onerr=[fail|succeed]
 
-        If something weird happens (like unable to open the file), return with
+        If something weird happens (like unable to open the file), return with 
         PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM
         error code.
 
@@ -4081,7 +4112,7 @@
 
     onerr=[fail|succeed]
 
-        If something weird happens (like unable to open the file), return with
+        If something weird happens (like unable to open the file), return with 
         PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM
         error code.
 
@@ -4161,7 +4192,7 @@
     magic_root
 
         If the module is invoked by a user with uid=0 the counter is not
-        changed. The sysadmin should use this for user launched services, like
+        changed. The sysadmin should use this for user launched services, like 
         su, otherwise this argument should be omitted.
 
 6.33.3. MODULE TYPES PROVIDED
@@ -4189,7 +4220,7 @@
 is caused by requirement of compatibility of the tallylog file format between
 32bit and 64bit architectures on multiarch systems.
 
-There is no setuid wrapper for access to the data file such as when the
+There is no setuid wrapper for access to the data file such as when the 
 pam_tally2.so module is called from xscreensaver. As this would make it
 impossible to share PAM configuration with such services the following
 workaround is used: If the data file cannot be opened because of insufficient
@@ -4363,7 +4394,8 @@
 6.35. pam_timestamp - authenticate using cached successful authentication
 attempts
 
-pam_timestamp.so [ timestamp_timeout=number ] [ verbose ] [ debug ]
+pam_timestamp.so [ timestampdir=directory ] [ timestamp_timeout=number ] [
+verbose ] [ debug ]
 
 6.35.1. DESCRIPTION
 
@@ -4378,6 +4410,10 @@
 
 6.35.2. OPTIONS
 
+timestampdir=directory
+
+    Specify an alternate directory where pam_timestamp creates timestamp files.
+
 timestamp_timeout=number
 
     How long should pam_timestamp treat timestamp as valid after their last
@@ -4427,7 +4463,7 @@
 
 6.35.7. FILES
 
-/var/run/sudo/...
+/var/run/pam_timestamp/...
 
     timestamp files and directories
 
@@ -4526,9 +4562,9 @@
 The account component performs the task of establishing the status of the
 user's account and password based on the following shadow elements: expire,
 last_change, max_change, min_change, warn_change. In the case of the latter, it
-may offer advice to the user on changing their password or, through the
+may offer advice to the user on changing their password or, through the 
 PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have
-established a new password. The entries listed above are documented in the
+established a new password. The entries listed above are documented in the 
 shadow(5) manual page. Should the user's record not contain one or more of
 these entries, the corresponding shadow check is not performed.
 
@@ -4614,7 +4650,7 @@
 
     The last n passwords for each user are saved in /etc/security/opasswd in
     order to force password change history and keep the user from alternating
-    between the same password too frequently. Instead of this option the
+    between the same password too frequently. Instead of this option the 
     pam_pwhistory module should be used.
 
 shadow
@@ -4710,14 +4746,15 @@
 crypt=[crypt|none]
 
     Indicates whether encrypted or plaintext passwords are stored in the
-    database. If it is crypt, passwords should be stored in the database in
+    database. If it is crypt, passwords should be stored in the database in 
     crypt(3) form. If none is selected, passwords should be stored in the
     database as plaintext.
 
 db=/path/database
 
     Use the /path/database database for performing lookup. There is no default;
-    the module will return PAM_IGNORE if no database is provided.
+    the module will return PAM_IGNORE if no database is provided. Note that the
+    path to the database file should be specified without the .db suffix.
 
 debug
 
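
Review bot: the added note says the path "should be specified without the .db suffix" but not what happens when the suffix is given. Existing configurations written like the old example (db=/etc/dbtest.db) need to know whether the lookup then fails and with which return code; state that here.
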
@@ -4796,7 +4833,7 @@
 
 6.38.5. EXAMPLES
 
-auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
+auth  sufficient pam_userdb.so icase db=/etc/dbtest
 
 
 6.38.6. AUTHOR
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_access.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_access.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_access.html        2013-09-19 
10:06:38.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_access.html        2015-03-25 
13:58:28.000000000 +0100
@@ -14,19 +14,24 @@
       The pam_access PAM module is mainly for access management.
       It provides logdaemon style login access control based on login
       names, host or domain names, internet addresses or network numbers,
-      or on terminal line names in case of non-networked logins.
+      or on terminal line names, X <code class="varname">$DISPLAY</code> 
values,
+      or PAM service names in case of non-networked logins.
     </p><p>
       By default rules for access management are taken from config file
       <code class="filename">/etc/security/access.conf</code> if you don't 
specify
       another file.
     </p><p>
       If Linux PAM is compiled with audit support the module will report
-      when it denies access based on origin (host or tty).
+      when it denies access based on origin (host, tty, etc.).
     </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-access.conf-description"></a>6.1.2. 
DESCRIPTION</h3></div></div></div><p>
       The <code class="filename">/etc/security/access.conf</code> file 
specifies
       (<em class="replaceable"><code>user/group</code></em>, <em 
class="replaceable"><code>host</code></em>),
-      (<em class="replaceable"><code>user/group</code></em>, <em 
class="replaceable"><code>network/netmask</code></em>) or
-      (<em class="replaceable"><code>user/group</code></em>, <em 
class="replaceable"><code>tty</code></em>)
+      (<em class="replaceable"><code>user/group</code></em>, <em 
class="replaceable"><code>network/netmask</code></em>),
+      (<em class="replaceable"><code>user/group</code></em>, <em 
class="replaceable"><code>tty</code></em>),
+      (<em class="replaceable"><code>user/group</code></em>,
+      <em class="replaceable"><code>X-$DISPLAY-value</code></em>), or
+      (<em class="replaceable"><code>user/group</code></em>,
+      <em class="replaceable"><code>pam-service-name</code></em>)
       combinations for which a login will be either accepted or refused.
     </p><p>
       When someone logs in, the file <code class="filename">access.conf</code> 
is
@@ -36,7 +41,14 @@
       combination, or, in case of non-networked logins, the first entry
       that matches the
       (<em class="replaceable"><code>user/group</code></em>, <em 
class="replaceable"><code>tty</code></em>)
-      combination.  The permissions field of that table entry determines
+      combination, or in the case of non-networked logins without a
+      tty, the first entry that matches the
+      (<em class="replaceable"><code>user/group</code></em>,
+      <em class="replaceable"><code>X-$DISPLAY-value</code></em>) or
+      (<em class="replaceable"><code>user/group</code></em>,
+      <em class="replaceable"><code>pam-service-name/</code></em>)
+      combination.  The permissions field of that table entry
+      determines
       whether the login will be accepted or refused.
    </p><p>
       Each line of the login access control table has three fields separated
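
Review bot: the added placeholder in this hunk is marked up as pam-service-name/ with a trailing slash, while the DESCRIPTION paragraph earlier in the same file uses pam-service-name. Inside a replaceable element the slash looks like part of the value to type into access.conf; drop it.
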
@@ -57,14 +69,25 @@
     </p><p>
       The third field, the <em class="replaceable"><code>origins</code></em>
       field, should be a list of one or more tty names (for non-networked
-      logins), host names, domain names (begin with "."), host addresses,
+      logins), X <code class="varname">$DISPLAY</code> values or PAM service
+      names (for non-networked logins without a tty), host names,
+      domain names (begin with "."), host addresses,
       internet network numbers (end with "."), internet network addresses
       with network mask (where network mask can be a decimal number or an
       internet address also), <span class="emphasis"><em>ALL</em></span> 
(which always matches)
-      or <span class="emphasis"><em>LOCAL</em></span>. <span 
class="emphasis"><em>LOCAL</em></span>
-      keyword matches if and only if the <span 
class="emphasis"><em>PAM_RHOST</em></span> is
-      not set and &lt;origin&gt; field is thus set from
-      <span class="emphasis"><em>PAM_TTY</em></span> or <span 
class="emphasis"><em>PAM_SERVICE</em></span>".
+      or <span class="emphasis"><em>LOCAL</em></span>. The <span 
class="emphasis"><em>LOCAL</em></span>
+      keyword matches if and only if
+      <span class="citerefentry"><span 
class="refentrytitle">pam_get_item</span>(3)</span>,
+      when called with an <em class="parameter"><code>item_type</code></em> of
+      <span class="emphasis"><em>PAM_RHOST</em></span>, returns <code 
class="code">NULL</code> or an
+      empty string (and therefore the
+      <em class="replaceable"><code>origins</code></em> field is compared 
against the
+      return value of
+      <span class="citerefentry"><span 
class="refentrytitle">pam_get_item</span>(3)</span>
+      called with an <em class="parameter"><code>item_type</code></em> of
+      <span class="emphasis"><em>PAM_TTY</em></span> or, absent that,
+      <span class="emphasis"><em>PAM_SERVICE</em></span>).
+    </p><p>
       If supported by the system you can use
       <span class="emphasis"><em>@netgroupname</em></span> in host or user 
patterns. The
       <span class="emphasis"><em>@@netgroupname</em></span> syntax is 
supported in the user
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_env.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_env.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_env.html   2013-09-19 
10:06:39.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_env.html   2015-03-25 
13:58:28.000000000 +0100
@@ -16,16 +16,21 @@
       variables as well as <span class="emphasis"><em>PAM_ITEM</em></span>s 
such as
       <span class="emphasis"><em>PAM_RHOST</em></span>.
     </p><p>
-      By default rules for (un)setting of variables is taken from the
-      config file <code class="filename">/etc/security/pam_env.conf</code> if
-      no other file is specified.
-    </p><p>
-      This module can also parse a file with simple
-      <span class="emphasis"><em>KEY=VAL</em></span> pairs on separate lines
-      (<code class="filename">/etc/environment</code> by default). You can
-      change the default file to parse, with the <span 
class="emphasis"><em>envfile</em></span>
-      flag and turn it on or off by setting the <span 
class="emphasis"><em>readenv</em></span>
-      flag to 1 or 0 respectively.
+      By default rules for (un)setting of variables are taken from the
+      config file <code class="filename">/etc/security/pam_env.conf</code>. An
+      alternate file can be specified with the <span 
class="emphasis"><em>conffile</em></span>
+      option.
+    </p><p>
+      Second a file (<code class="filename">/etc/environment</code> by 
default) with simple
+      <span class="emphasis"><em>KEY=VAL</em></span> pairs on separate lines 
will be read.
+      With the <span class="emphasis"><em>envfile</em></span> option an 
alternate file can be specified.
+      And with the <span class="emphasis"><em>readenv</em></span> option this 
can be completly disabled.
+    </p><p>
+      Third it will read a user configuration file
+      (<code class="filename">$HOME/.pam_environment</code> by default).
+      The default file file can be changed with the
+      <span class="emphasis"><em>user_envfile</em></span> option
+      and it can be turned on and off with the <span 
class="emphasis"><em>user_readenv</em></span> option.
     </p><p>
       Since setting of PAM environment variables can have side effects
       to other modules, this module should be the last one on the stack.
@@ -49,14 +54,16 @@
       [<em class="replaceable"><code>OVERRIDE=[value]</code></em>]
     </p><p>
       (Possibly non-existent) environment variables may be used in values
-      using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-      be used in values using the @{string} syntax. Both the $ and @
-      characters can be backslash escaped to be used as literal values
+      using the ${string} syntax and (possibly non-existent) PAM_ITEMs as well
+      as HOME and SHELL may be used in values using the @{string} syntax. Both
+      the $ and @ characters can be backslash escaped to be used as literal 
values
       values can be delimited with "", escaped " not supported.
       Note that many environment variables that you would like to use
       may not be set by the time the module is called.
-      For example, HOME is used below several times, but
+      For example, ${HOME} is used below several times, but
       many PAM applications don't make it available by the time you need it.
+      The special variables @{HOME} and @{SHELL} are expanded to the values
+      for the user from his <span class="emphasis"><em>passwd</em></span> 
entry.
     </p><p>
       The "<span class="emphasis"><em>#</em></span>" character at start of 
line (no space
       at front) can be used to mark this line as a comment line.
@@ -75,8 +82,11 @@
           <code class="option">envfile=<em 
class="replaceable"><code>/path/to/environment</code></em></code>
         </span></dt><dd><p>
             Indicate an alternative <code class="filename">environment</code>
-            file to override the default. This can be useful when different
-            services need different environments.
+            file to override the default. The syntax are simple
+           <span class="emphasis"><em>KEY=VAL</em></span> pairs on separate 
lines. The
+           <span class="emphasis"><em>export</em></span> instruction can be 
specified for bash
+           compatibility, but will be ignored.
+           This can be useful when different  services need different 
environments.
           </p></dd><dt><span class="term">
           <code class="option">readenv=<em 
class="replaceable"><code>0|1</code></em></code>
         </span></dt><dd><p>
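Review bot: In the envfile description, "The syntax are simple KEY=VAL pairs" should be "The syntax is ...", and moving "This can be useful when different services need different environments." to the end makes "This" read as referring to the ignored export instruction rather than to the option; keep that sentence directly after "file to override the default." There is also a double space in "different  services", and the added span lines are indented one column less than the surrounding text.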
@@ -86,9 +96,11 @@
           <code class="option">user_envfile=<em 
class="replaceable"><code>filename</code></em></code>
         </span></dt><dd><p>
             Indicate an alternative <code 
class="filename">.pam_environment</code>
-            file to override the default. This can be useful when different
-            services need different environments. The filename is relative to
-            the user home directory.
+            file to override the default.The syntax is the same as
+           for <span class="emphasis"><em>/etc/environment</em></span>.
+           The filename is relative to the user home directory.
+           This can be useful when different services need different
+           environments.
           </p></dd><dt><span class="term">
           <code class="option">user_readenv=<em 
class="replaceable"><code>0|1</code></em></code>
         </span></dt><dd><p>
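Review bot: In the user_envfile description a space is missing after the full stop in "default.The syntax is the same as". The reference to /etc/environment is marked up as emphasis, while the same paragraph uses the filename code markup for .pam_environment; use the filename markup for both so the two paths render alike.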
@@ -126,6 +138,7 @@
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+      XDG_DATA_HOME  @{HOME}/share/
     </pre><p>
       Silly examples of escaped variables, just to show how they work.
     </p><pre class="programlisting">
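Review bot: The added example line "XDG_DATA_HOME  @{HOME}/share/" carries no DEFAULT= or OVERRIDE= keyword, unlike the neighbouring NNTPSERVER and PATH entries and the OVERRIDE=[value] form shown earlier in this file, so it does not follow the syntax the page documents. Suggest "XDG_DATA_HOME  DEFAULT=@{HOME}/share/" so the example demonstrates the new @{HOME} expansion in a form that matches the rest of the listing.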
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_group.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_group.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_group.html 2013-09-19 
10:06:39.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_group.html 2015-03-25 
13:58:28.000000000 +0100
@@ -95,10 +95,10 @@
       Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access
       to the floppy (through membership of the floppy group)
     </p><pre 
class="programlisting">xsh;tty*&amp;!ttyp*;us;Al0000-2400;floppy</pre><p>
-      Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given 
access
-      to games (through membership of the floppy group) after work hours.
+      Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
+      'shield' are given access to games (through membership of the floppy 
group) after work hours.
     </p><pre class="programlisting">
-xsh; tty* ;sword;!Wk0900-1800;games, sound
+xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
 xsh; tty* ;*;Al0900-1800;floppy
     </pre><p>
       Any member of the group 'admin' running 'xsh' on tty*,
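Review bot: The rewritten sentence for the 'sword', 'pike' and 'shield' rule still says access to games is granted "through membership of the floppy group", but the rule line grants "games, sound" and floppy only appears in the following rule; correct the group names in the prose while the sentence is being changed. The example also introduces "|" in the user field without explanation, so add a few words saying it separates alternative user names.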
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_limits.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_limits.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_limits.html        2013-09-19 
10:06:39.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_limits.html        2015-03-25 
13:58:28.000000000 +0100
@@ -91,8 +91,11 @@
                   limits on the specified user/group etc. .
                 </p></dd></dl></div></dd><dt><span class="term">
           <code class="option">&lt;item&gt;</code>
-        </span></dt><dd><div class="variablelist"><dl 
class="variablelist"><dt><span class="term"><code 
class="option">core</code></span></dt><dd><p>limits the core file size 
(KB)</p></dd><dt><span class="term"><code 
class="option">data</code></span></dt><dd><p>maximum data size 
(KB)</p></dd><dt><span class="term"><code 
class="option">fsize</code></span></dt><dd><p>maximum filesize 
(KB)</p></dd><dt><span class="term"><code 
class="option">memlock</code></span></dt><dd><p>maximum locked-in-memory 
address space (KB)</p></dd><dt><span class="term"><code 
class="option">nofile</code></span></dt><dd><p>maximum number of open 
files</p></dd><dt><span class="term"><code 
class="option">rss</code></span></dt><dd><p>maximum resident set size (KB) 
(Ignored in Linux 2.4.30 and higher)</p></dd><dt><span class="term"><code 
class="option">stack</code></span></dt><dd><p>maximum stack size 
(KB)</p></dd><dt><span class="term"><code 
class="option">cpu</code></span></dt><dd><p>maximum CPU time 
(minutes)</p></dd><dt><span class="term"><code 
class="option">nproc</code></span></dt><dd><p>maximum number of 
processes</p></dd><dt><span class="term"><code 
class="option">as</code></span></dt><dd><p>address space limit 
(KB)</p></dd><dt><span class="term"><code 
class="option">maxlogins</code></span></dt><dd><p>maximum number of logins for 
this user except
-                      for this with <span 
class="emphasis"><em>uid=0</em></span></p></dd><dt><span class="term"><code 
class="option">maxsyslogins</code></span></dt><dd><p>maximum number of all 
logins on system</p></dd><dt><span class="term"><code 
class="option">priority</code></span></dt><dd><p>the priority to run user 
process with (negative
+        </span></dt><dd><div class="variablelist"><dl 
class="variablelist"><dt><span class="term"><code 
class="option">core</code></span></dt><dd><p>limits the core file size 
(KB)</p></dd><dt><span class="term"><code 
class="option">data</code></span></dt><dd><p>maximum data size 
(KB)</p></dd><dt><span class="term"><code 
class="option">fsize</code></span></dt><dd><p>maximum filesize 
(KB)</p></dd><dt><span class="term"><code 
class="option">memlock</code></span></dt><dd><p>maximum locked-in-memory 
address space (KB)</p></dd><dt><span class="term"><code 
class="option">nofile</code></span></dt><dd><p>maximum number of open file 
descriptors</p></dd><dt><span class="term"><code 
class="option">rss</code></span></dt><dd><p>maximum resident set size (KB) 
(Ignored in Linux 2.4.30 and higher)</p></dd><dt><span class="term"><code 
class="option">stack</code></span></dt><dd><p>maximum stack size 
(KB)</p></dd><dt><span class="term"><code 
class="option">cpu</code></span></dt><dd><p>maximum CPU time 
(minutes)</p></dd><dt><span class="term"><code 
class="option">nproc</code></span></dt><dd><p>maximum number of 
processes</p></dd><dt><span class="term"><code 
class="option">as</code></span></dt><dd><p>address space limit 
(KB)</p></dd><dt><span class="term"><code 
class="option">maxlogins</code></span></dt><dd><p>maximum number of logins for 
this user (this limit does
+                  not apply to user with <span 
class="emphasis"><em>uid=0</em></span>)</p></dd><dt><span class="term"><code 
class="option">maxsyslogins</code></span></dt><dd><p>maximum number of all 
logins on system; user is not
+                  allowed to log-in if total number of all users' logins is
+                  greater than specified number (this limit does not apply to
+                  user with <span 
class="emphasis"><em>uid=0</em></span>)</p></dd><dt><span class="term"><code 
class="option">priority</code></span></dt><dd><p>the priority to run user 
process with (negative
                   values boost process priority)</p></dd><dt><span 
class="term"><code class="option">locks</code></span></dt><dd><p>maximum locked 
files (Linux 2.4 and higher)</p></dd><dt><span class="term"><code 
class="option">sigpending</code></span></dt><dd><p>maximum number of pending 
signals (Linux 2.6 and higher)</p></dd><dt><span class="term"><code 
class="option">msgqueue</code></span></dt><dd><p>maximum memory used by POSIX 
message queues (bytes)
                   (Linux 2.6 and higher)</p></dd><dt><span class="term"><code 
class="option">nice</code></span></dt><dd><p>maximum nice priority allowed to 
raise to (Linux 2.6.12 and higher) values: [-20,19]</p></dd><dt><span 
class="term"><code class="option">rtprio</code></span></dt><dd><p>maximum 
realtime priority allowed for non-privileged processes
                   (Linux 2.6.12 and 
higher)</p></dd></dl></div></dd></dl></div><p>
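Review bot: In the new maxsyslogins text, "user is not allowed to log-in if total number of all users' logins is greater than specified number" does not say whether the login being attempted is counted, so the boundary case where the count equals the limit is ambiguous; state it explicitly. Both new parentheticals should read "does not apply to users with uid=0" rather than "to user with uid=0".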
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_loginuid.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_loginuid.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_loginuid.html      2013-09-19 
10:06:39.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_loginuid.html      2015-03-25 
13:58:28.000000000 +0100
@@ -17,8 +17,14 @@
           </p></dd></dl></div></div><div class="section"><div 
class="titlepage"><div><div><h3 class="title"><a 
name="sag-pam_loginuid-types"></a>6.18.3. MODULE TYPES 
PROVIDED</h3></div></div></div><p>
       Only the <code class="option">session</code> module type is provided.
     </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-pam_loginuid-return_values"></a>6.18.4. RETURN 
VALUES</h3></div></div></div><p>
-      </p><div class="variablelist"><dl class="variablelist"><dt><span 
class="term">PAM_SESSION_ERR</span></dt><dd><p>
-              An error occurred during session management.
+      </p><div class="variablelist"><dl class="variablelist"><dt><span 
class="term">PAM_SUCCESS</span></dt><dd><p>
+              The loginuid value is set and auditd is running if check 
requested.
+            </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
+              The /proc/self/loginuid file is not present on the system or the
+              login process runs inside uid namespace and kernel does not 
support
+              overwriting loginuid.
+            </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
+              Any other error prevented setting loginuid or auditd is not 
running.
             </p></dd></dl></div><p>
     </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-pam_loginuid-examples"></a>6.18.5. 
EXAMPLES</h3></div></div></div><pre class="programlisting">
 #%PAM-1.0
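Review bot: In the new return value list, PAM_SESSION_ERR is described as "Any other error prevented setting loginuid or auditd is not running", which reads as if a stopped auditd always fails the session, while PAM_SUCCESS makes the auditd test conditional ("if check requested"); qualify the PAM_SESSION_ERR text the same way and name the option that requests the check. For PAM_IGNORE it would help to say that loginuid stays unset in that case, since the stack continues past an ignored module.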
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_timestamp.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_timestamp.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_timestamp.html     2013-09-19 
10:06:39.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_timestamp.html     2015-03-25 
13:58:29.000000000 +0100
@@ -1,4 +1,6 @@
 <html><head><meta http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><title>6.35. pam_timestamp - authenticate using cached 
successful authentication attempts</title><meta name="generator" 
content="DocBook XSL Stylesheets V1.78.1"><link rel="home" 
href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' 
Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A 
reference guide for available modules"><link rel="prev" 
href="sag-pam_time.html" title="6.34. pam_time - time controled access"><link 
rel="next" href="sag-pam_umask.html" title="6.36. pam_umask - set the file mode 
creation mask"></head><body bgcolor="white" text="black" link="#0000FF" 
vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" 
summary="Navigation header"><tr><th colspan="3" align="center">6.35. 
pam_timestamp - authenticate using cached successful authentication 
attempts</th></tr><tr><td width="20%" align="left"><a accesskey="p" 
href="sag-pam_time.html">Prev</a> </td><th width="60%" align="center">Chapter 
6. A reference guide for available modules</th><td width="20%" align="right"> 
<a accesskey="n" 
href="sag-pam_umask.html">Next</a></td></tr></table><hr></div><div 
class="section"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a name="sag-pam_timestamp"></a>6.35. pam_timestamp - 
authenticate using cached successful authentication 
attempts</h2></div></div></div><div class="cmdsynopsis"><p><code 
class="command">pam_timestamp.so</code>  [
+        timestampdir=<em class="replaceable"><code>directory</code></em>
+      ] [
         timestamp_timeout=<em class="replaceable"><code>number</code></em>
       ] [
         verbose
@@ -16,9 +18,15 @@
 <span class="emphasis"><em>pam_timestamp</em></span> will treat a sufficiently 
recent timestamp
 file as grounds for succeeding.
     </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-pam_timestamp-options"></a>6.35.2. 
OPTIONS</h3></div></div></div><div class="variablelist"><dl 
class="variablelist"><dt><span class="term">
+            <code class="option">timestampdir=<em 
class="replaceable"><code>directory</code></em></code>
+         </span></dt><dd><p>
+               Specify an alternate directory where
+              <span class="emphasis"><em>pam_timestamp</em></span> creates 
timestamp files.
+            </p></dd><dt><span class="term">
             <code class="option">timestamp_timeout=<em 
class="replaceable"><code>number</code></em></code>
          </span></dt><dd><p>
-               How long should pam_timestamp treat timestamp as valid after 
their
+               How long should <span 
class="emphasis"><em>pam_timestamp</em></span>
+              treat timestamp as valid after their
                last modification date (in seconds). Default is 300 seconds.
             </p></dd><dt><span class="term">
             <code class="option">verbose</code>
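Review bot: The new timestampdir entry does not give the default directory or say what ownership and permissions an alternate directory needs; because the context lines above state that a sufficiently recent timestamp file is treated as grounds for succeeding, the text should say that the directory must not be writable by unprivileged users. In the timestamp_timeout lines, "treat timestamp as valid after their last modification date" mixes singular and plural; "treat timestamp files as valid after their last modification date" reads correctly.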
@@ -48,6 +56,6 @@
 
 session required pam_unix.so
 session optional pam_timestamp.so
-    </pre></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-pam_timestamp-files"></a>6.35.7. 
FILES</h3></div></div></div><div class="variablelist"><dl 
class="variablelist"><dt><span class="term"><code 
class="filename">/var/run/sudo/...</code></span></dt><dd><p>timestamp files and 
directories</p></dd></dl></div></div><div class="section"><div 
class="titlepage"><div><div><h3 class="title"><a 
name="sag-pam_timestamp-author"></a>6.35.8. AUTHOR</h3></div></div></div><p>
+    </pre></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-pam_timestamp-files"></a>6.35.7. 
FILES</h3></div></div></div><div class="variablelist"><dl 
class="variablelist"><dt><span class="term"><code 
class="filename">/var/run/pam_timestamp/...</code></span></dt><dd><p>timestamp 
files and directories</p></dd></dl></div></div><div class="section"><div 
class="titlepage"><div><div><h3 class="title"><a 
name="sag-pam_timestamp-author"></a>6.35.8. AUTHOR</h3></div></div></div><p>
         pam_timestamp was written by Nalin Dahyabhai.
       </p></div></div><div class="navfooter"><hr><table width="100%" 
summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" 
href="sag-pam_time.html">Prev</a> </td><td width="20%" align="center"><a 
accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" 
align="right"> <a accesskey="n" 
href="sag-pam_umask.html">Next</a></td></tr><tr><td width="40%" align="left" 
valign="top">6.34. pam_time - time controled access </td><td width="20%" 
align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td 
width="40%" align="right" valign="top"> 6.36. pam_umask - set the file mode 
creation mask</td></tr></table></div></body></html>
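Review bot: The FILES entry changes from /var/run/sudo/... to /var/run/pam_timestamp/..., which documents a different default location rather than a wording fix; confirm that it matches the module's built-in default in this release and call the move out in the release notes, since anything that relied on the old path is affected. The whole section sits on one generated line, so a note in the changelog is the only place a reader will notice this one-path change.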
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_userdb.html 
new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_userdb.html
--- old/Linux-PAM-1.1.8/doc/sag/html/sag-pam_userdb.html        2013-09-19 
10:06:39.000000000 +0200
+++ new/Linux-PAM-1.2.0/doc/sag/html/sag-pam_userdb.html        2015-03-25 
13:58:29.000000000 +0100
@@ -35,7 +35,8 @@
             Use the <code class="filename">/path/database</code> database for
             performing lookup. There is no default; the module will
             return <span class="emphasis"><em>PAM_IGNORE</em></span> if no
-            database is provided.
+            database is provided. Note that the path to the database file
+            should be specified without the <code class="filename">.db</code> 
suffix.
           </p></dd><dt><span class="term">
           <code class="option">debug</code>
         </span></dt><dd><p>
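Review bot: The added note says the db= path "should be specified without the .db suffix" but gives neither the reason nor the result of including it; state the reason (for example that the suffix is appended when the database is opened, if that is the case) and use "must" instead of "should" if a path given with the suffix fails to open.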
@@ -102,7 +103,7 @@
           </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
             User not known to the underlying authentication module.
           </p></dd></dl></div></div><div class="section"><div 
class="titlepage"><div><div><h3 class="title"><a 
name="sag-pam_userdb-examples"></a>6.38.5. EXAMPLES</h3></div></div></div><pre 
class="programlisting">
-auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
+auth  sufficient pam_userdb.so icase db=/etc/dbtest
     </pre></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a name="sag-pam_userdb-author"></a>6.38.6. 
AUTHOR</h3></div></div></div><p>
         pam_userdb was written by Cristian Gafton &gt;gaf...@redhat.com&lt;.
       </p></div></div><div class="navfooter"><hr><table width="100%" 
summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" 
href="sag-pam_unix.html">Prev</a> </td><td width="20%" align="center"><a 
accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" 
align="right"> <a accesskey="n" 
href="sag-pam_warn.html">Next</a></td></tr><tr><td width="40%" align="left" 
valign="top">6.37. pam_unix - traditional password authentication </td><td 
width="20%" align="center"><a accesskey="h" 
href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" 
valign="top"> 6.39. pam_warn - logs all PAM 
items</td></tr></table></div></body></html>
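Review bot: In the unchanged AUTHOR line just below the changed example, the angle-bracket entities around the e-mail address are reversed (&gt; before the address, &lt; after it); worth fixing at the source while this file is regenerated. The example change to db=/etc/dbtest agrees with the note added to the db= option.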

++++++ Linux-PAM-1.1.8-docs.tar.bz2 -> Linux-PAM-1.2.0.tar.bz2 ++++++
++++ 287432 lines of diff (skipped)

