From f06eb03db868f648eceaaf3d7eecce4a2abc446e Mon Sep 17 00:00:00 2001
From: Tomáš Mráz
Date: Dec 15 2005 23:47:42 +0000
Subject: - support netgroup matching in pam_succeed_if - upgrade to new release - drop pam_pwdb as it was obsolete long ago - we don't build static libraries anymore
---
diff --git a/.cvsignore b/.cvsignore
index 9d8aa73..f5fed4b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,4 +1,3 @@
-pwdb-0.62.tar.gz
 db-4.3.27.tar.gz
-Linux-PAM-0.80.tar.bz2
-pam-redhat-0.80-1.tar.bz2
+Linux-PAM-0.99.2.1.tar.bz2
+pam-redhat-0.99.1-1.tar.bz2
diff --git a/pam-0.99.2.1-selinux-nofail.patch b/pam-0.99.2.1-selinux-nofail.patch
new file mode 100644
index 0000000..83dcef7
--- /dev/null
+++ b/pam-0.99.2.1-selinux-nofail.patch
@@ -0,0 +1,78 @@
+--- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100
++++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100
+@@ -327,6 +327,8 @@
+ int num_contexts = 0;
+ const void *username = NULL;
+ const void *tty = NULL;
++ char *seuser=NULL;
++ char *level=NULL;
+
+ /* Parse arguments. */
+ for (i = 0; i < argc; i++) {
+@@ -361,7 +363,18 @@
+ username == NULL) {
+ return PAM_AUTH_ERR;
+ }
+- num_contexts = get_ordered_context_list(username, 0, &contextlist);
++
++ if (getseuserbyname(username, &seuser, &level)==0) {
++ num_contexts = get_ordered_context_list_with_level(seuser,
++ level,
++ NULL,
++ &contextlist);
++ if (debug)
++ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
++ (const char *)username, seuser, level);
++ free(seuser);
++ free(level);
++ }
+ if (num_contexts > 0) {
+ if (multiple && (num_contexts > 1) && has_tty) {
+ user_context = select_context(pamh,contextlist, debug);
+@@ -376,13 +389,19 @@
+ if (user_context == NULL) {
+ pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
+ (const char *)username);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1)
++ return PAM_AUTH_ERR;
++ else
++ return PAM_SUCCESS;
+ }
+ } else {
+ pam_syslog (pamh, LOG_ERR,
+ "Unable to get valid context for %s, No valid tty",
+ (const char *)username);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1)
++ return PAM_AUTH_ERR;
++ else
++ return PAM_SUCCESS;
+ }
+ }
+ if (getexeccon(&prev_user_context)<0) {
+@@ -420,8 +439,10 @@
+ pam_syslog(pamh, LOG_ERR,
+ "Error! Unable to set %s executable context %s.",
+ (const char *)username, user_context);
+- freecon(user_context);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1) {
++ freecon(user_context);
++ return PAM_AUTH_ERR;
++ }
+ } else {
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
+@@ -471,7 +492,10 @@
+ if (status) {
+ pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
+ prev_user_context);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1)
++ return PAM_AUTH_ERR;
++ else
++ return PAM_SUCCESS;
+ }
+
+ if (debug)
diff --git a/pam.spec b/pam.spec
index ebd513b..8298d1b 100644
--- a/pam.spec
+++ b/pam.spec
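Review bot: Every new `security_getenforce() == 1` test fails open when the enforcing state cannot be read, because libselinux returns -1 on error and the `else` branch then returns PAM_SUCCESS as if the system were permissive. This applies to both "Unable to get valid context" branches in the `@@ -376,13` hunk, the "Unable to set %s executable context" branch in `@@ -420,8` and the `if (status)` branch in `@@ -471,7`. Treating anything other than an explicit permissive answer as enforcing closes the gap: change `== 1` to `!= 0`, e.g. `if (security_getenforce() != 0) return PAM_AUTH_ERR;` followed by `return PAM_SUCCESS;`. Separately, when `getseuserbyname()` fails nothing is logged and `num_contexts` stays 0, so a `pam_syslog(pamh, LOG_ERR, ...)` on that path would make the later "Unable to get valid context" message diagnosable. The enclosing functions start and end outside these hunks, so any earlier guard such as is_selinux_enabled() is not visible here.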
@@ -6,43 +6,34 @@ %define pwdb_version 0.62 %define db_version 4.3.27 %define db_conflicting_version 4.4.0 -%define pam_redhat_release 1 +%define pam_redhat_version 0.99.1-1 Summary: A security tool which provides authentication for applications. Name: pam -Version: 0.80 -Release: 14.1 +Version: 0.99.2.1 +Release: 1 License: GPL or BSD Group: System Environment/Base Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 Source1: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2.sign -Source2: pam-redhat-%{version}-%{pam_redhat_release}.tar.bz2 -Source3: pwdb-%{pwdb_version}.tar.gz +Source2: pam-redhat-%{pam_redhat_version}.tar.bz2 Source4: db-%{db_version}.tar.gz Source5: other.pamd Source6: system-auth.pamd Source7: config-util.pamd Source8: dlopen.sh -Patch10: pam-0.77-lastlog-utmp.patch +Patch1: pam-0.99.2.1-redhat-modules.patch Patch21: pam-0.78-unix-hpux-aging.patch Patch28: pam-0.75-sgml2latex.patch -Patch34: pam-0.77-dbpam.patch -Patch61: pam-pwdbselinux.patch -Patch65: pam-0.80-audit.patch -Patch66: pam-0.79-loginuid-req-audit.patch -Patch70: pam-0.80-selinux-nofail.patch -Patch71: pam-0.80-install-perms.patch -Patch72: pam-0.80-pie.patch -Patch73: pam-0.80-cleanup.patch -Patch74: pam-0.79-userdb-test-null.patch -Patch75: pam-0.80-limits-process.patch -Patch76: pam-0.80-unix-honor-nis.patch +Patch34: pam-0.99.2.1-dbpam.patch +Patch65: pam-0.99.2.1-audit.patch +Patch66: pam-0.99.2.1-loginuid-req-audit.patch +Patch70: pam-0.99.2.1-selinux-nofail.patch +Patch72: pam-0.99.2.1-pie.patch Patch77: pam-0.80-console-doc-fix.patch -Patch78: pam-0.77-can-2005-2977.patch -Patch79: pam-0.80-access-notty.patch -Patch80: pam-0.80-selinux-drop-multiple.patch -Patch81: pam-0.80-xauth-path.patch -Patch82: pam-0.80-stack-deprecate.patch +Patch80: pam-0.99.2.1-selinux-drop-multiple.patch +Patch83: pam-0.77-succif-netgroup.patch +Patch84: pam-0.99.2.1-lastlog-fixes.patch BuildRoot: %{_tmppath}/%{name}-root Requires: 
cracklib, cracklib-dicts >= 2.8, initscripts >= 3.94 @@ -86,38 +77,30 @@ contains header files and static libraries used for building both PAM-aware applications and modules for use with PAM. %prep -%setup -q -n Linux-PAM-%{version} -a 2 -a 3 -a 4 +%setup -q -n Linux-PAM-%{version} -a 2 -a 4 cp $RPM_SOURCE_DIR/other.pamd . cp $RPM_SOURCE_DIR/system-auth.pamd . cp $RPM_SOURCE_DIR/config-util.pamd . -%patch10 -p1 -b .lastlog-utmp +%patch1 -p0 -b .redhat-modules %patch21 -p1 -b .unix-hpux-aging %patch28 -p1 -b .doc %patch34 -p1 -b .dbpam -%patch61 -p1 -b .pwdbselinux %if %{WITH_AUDIT} %patch65 -p1 -b .audit %patch66 -p1 -b .req-audit %endif %patch70 -p1 -b .nofail -%patch71 -p1 -b .install-perms %patch72 -p1 -b .pie -%patch73 -p1 -b .cleanup -%patch74 -p1 -b .test-null -%patch75 -p1 -b .process-limit -%patch76 -p1 -b .honor-nis %patch77 -p1 -b .console-doc -%patch78 -p1 -b .only-root -%patch79 -p1 -b .notty %patch80 -p1 -b .drop-multiple -%patch81 -p1 -b .xauth-path -%patch82 -p1 -b .stack-deprecate +%patch83 -p1 -b .succif-netgroup +%patch84 -p0 -b .lastlog-fixes for readme in modules/pam_*/README ; do cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` done -autoconf +autoreconf %build CFLAGS="-fPIC $RPM_OPT_FLAGS" ; export CFLAGS 
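Review bot: The patch list drops `Patch78: pam-0.77-can-2005-2977.patch` together with `pam-0.80-install-perms.patch`, `pam-0.79-userdb-test-null.patch` and `pam-0.80-unix-honor-nis.patch`, but neither the commit message nor the changelog entry says these fixes are already in 0.99.2.1 or folded into `pam-0.99.2.1-redhat-modules.patch`. A changelog line such as `- drop patches merged upstream (list them)` would let a later reader confirm that the CAN-2005-2977 fix was carried over rather than lost. `%define pwdb_version 0.62` is also left behind although `Source3` and the pwdb build are removed. In the following `%prep` hunk, `%patch1` and `%patch84` use `-p0` while every other patch uses `-p1`; a short comment on the different strip level would help.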
@@ -148,26 +131,19 @@ make make install popd -pushd pwdb-%{pwdb_version} -make -make install INCLUDED=${topdir}/include/pwdb LIBDIR=${topdir}/%{_lib} LDCONFIG=: -rm ${topdir}/%{_lib}/*.so* -popd - CPPFLAGS=-I${topdir}/include ; export CPPFLAGS export LIBNAME="%{_lib}" LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS %configure \ --libdir=/%{_lib} \ - --enable-static-libpam \ - --enable-fakeroot=$RPM_BUILD_ROOT \ + --includedir=%{_includedir}/security \ --enable-isadir=../../%{_lib}/security make %install rm -rf $RPM_BUILD_ROOT # Install the binaries, libraries, and modules. -make install FAKEROOT=$RPM_BUILD_ROOT LDCONFIG=: +make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=: # Install default configuration files. install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d @@ -180,13 +156,15 @@ install -m 600 /dev/null $RPM_BUILD_ROOT%{_sysconfdir}/security/opasswd strip $RPM_BUILD_ROOT%{_sbindir}/* ||: # Remove docs for modules we exclude from the files manifest. -#rm doc/*/*pam_timestamp* +rm doc/*/*pam_pwdb* # Install man pages. install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man{3,5,8} install -m 644 doc/man/*.3 $RPM_BUILD_ROOT%{_mandir}/man3/ install -m 644 doc/man/*.8 $RPM_BUILD_ROOT%{_mandir}/man8/ +# Remove pam_pwdb so it won't error out +rm -rf modules/pam_pwdb # Make sure every module subdirectory gave us a module. Yes, this is hackish. for dir in modules/pam_* ; do if [ -d ${dir} ] ; then 
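Review bot: `rm -rf modules/pam_pwdb` in the `@@ -180,13` hunk runs in `%install`, after `make install`, so it alters the unpacked source tree only to satisfy the module-presence loop that follows; doing it in `%prep`, or skipping `pam_pwdb` inside the loop, keeps `%install` from modifying the build tree. The new `rm doc/*/*pam_pwdb*` has no `-f`, so an unmatched glob makes `rm` fail, which would abort the build if the scriptlet runs with errexit; `rm -f doc/*/*pam_pwdb*` avoids that. The loop this hunk feeds continues outside the hunk.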
@@ -216,28 +194,28 @@ for module in $RPM_BUILD_ROOT/%{_lib}/security/pam*.so ; do fi done -# Move static libraries and make new .so links -- this depends on the value +for phase in auth acct passwd session ; do + ln -sf pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/pam_unix_${phase}.so +done + +# Remove .la files and make new .so links -- this depends on the value # of _libdir not changing, and *not* being /usr/lib. install -d -m 755 $RPM_BUILD_ROOT%{_libdir} for lib in libpam libpamc libpam_misc ; do -ln -sf ../../%{_lib}/${lib}.so.%{version} $RPM_BUILD_ROOT%{_libdir}/${lib}.so -rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.so $RPM_BUILD_ROOT/%{_lib}/${lib}.so.? -mv $RPM_BUILD_ROOT/%{_lib}/${lib}.a $RPM_BUILD_ROOT%{_libdir}/ +ln -sf ../../%{_lib}/${lib}.so.*.* $RPM_BUILD_ROOT%{_libdir}/${lib}.so +rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.so +rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.la done - -# Install the pwdb configuration file. -install -m644 pwdb-%{pwdb_version}/conf/pwdb.conf $RPM_BUILD_ROOT%{_sysconfdir}/ - -# Remove unwanted files from the buildroot. -rm $RPM_BUILD_ROOT/%{_lib}/security/pam_radius.so -rm -f doc/txts/README.pam_radius +rm -f $RPM_BUILD_ROOT/%{_lib}/security/*.la # Duplicate doc file sets. -rm -fr $RPM_BUILD_ROOT/usr/doc/Linux-PAM $RPM_BUILD_ROOT/usr/share/doc/pam +rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam # Create /lib/security in case it isn't the same as /%{_lib}/security. install -m755 -d $RPM_BUILD_ROOT/lib/security +%find_lang Linux-PAM + %clean rm -rf $RPM_BUILD_ROOT @@ -289,9 +267,8 @@ fi %postun -p /sbin/ldconfig -%files +%files -f Linux-PAM.lang %defattr(-,root,root) -%config /etc/pwdb.conf %dir /etc/pam.d %config(noreplace) /etc/pam.d/other %config(noreplace) /etc/pam.d/system-auth 
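Review bot: In `ln -sf ../../%{_lib}/${lib}.so.*.* $RPM_BUILD_ROOT%{_libdir}/${lib}.so` the shell expands the glob relative to the current build directory, not relative to the directory where the link is created, so it will normally match nothing and the devel symlink is created with the literal target `../../%{_lib}/${lib}.so.*.*`, which dangles. Running the command from the link's own directory makes the pattern resolve against the installed libraries: `pushd $RPM_BUILD_ROOT%{_libdir}`, `ln -sf ../../%{_lib}/${lib}.so.*.* ${lib}.so`, `popd`. The removed line used `${lib}.so.%{version}`, which did not depend on globbing.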
@@ -304,9 +281,8 @@ fi /%{_lib}/libpam_misc.so.* %{_sbindir}/pam_console_apply %{_sbindir}/pam_tally -%{_sbindir}/pam_timestamp_check -%{_sbindir}/pwdb_chkpwd -%{_sbindir}/unix_chkpwd +%attr(4755,root,root) %{_sbindir}/pam_timestamp_check +%attr(4755,root,root) %{_sbindir}/unix_chkpwd %if %{_lib} != lib %dir /lib/security %endif @@ -317,6 +293,7 @@ fi /%{_lib}/security/pam_cracklib.so /%{_lib}/security/pam_debug.so /%{_lib}/security/pam_deny.so +/%{_lib}/security/pam_echo.so /%{_lib}/security/pam_env.so /%{_lib}/security/pam_filter.so /%{_lib}/security/pam_ftp.so @@ -333,7 +310,6 @@ fi /%{_lib}/security/pam_nologin.so /%{_lib}/security/pam_permit.so /%{_lib}/security/pam_postgresok.so -/%{_lib}/security/pam_pwdb.so /%{_lib}/security/pam_rhosts_auth.so /%{_lib}/security/pam_rootok.so /%{_lib}/security/pam_rps.so @@ -346,6 +322,7 @@ fi /%{_lib}/security/pam_tally.so /%{_lib}/security/pam_time.so /%{_lib}/security/pam_timestamp.so +/%{_lib}/security/pam_umask.so /%{_lib}/security/pam_unix.so /%{_lib}/security/pam_unix_acct.so /%{_lib}/security/pam_unix_auth.so @@ -377,14 +354,17 @@ fi %defattr(-,root,root) %{_includedir}/security/ %{_mandir}/man3/* -%{_libdir}/libpam.a %{_libdir}/libpam.so -%{_libdir}/libpamc.a %{_libdir}/libpamc.so -%{_libdir}/libpam_misc.a %{_libdir}/libpam_misc.so %changelog +* Thu Dec 15 2005 Tomas Mraz 0.99.2.1-1 +- support netgroup matching in pam_succeed_if +- upgrade to new release +- drop pam_pwdb as it was obsolete long ago +- we don't build static libraries anymore + * Fri Dec 09 2005 Jesse Keating - rebuilt diff --git a/sources b/sources index 1c18e7f..0f47cf3 100644 --- a/sources +++ b/sources 
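Review bot: The two `%attr(4755,root,root)` entries in the `@@ -304,9` hunk make `pam_timestamp_check` and `unix_chkpwd` setuid root from the file manifest, and nothing next to them records that this is deliberate. A comment above the entries, for example `# setuid-root helpers for pam_timestamp and pam_unix; keep this list minimal`, would document the privilege for the next packager. Since `pam-0.80-install-perms.patch` is dropped in the same commit, it is also worth confirming that these two binaries are still built with whatever hardening `pam-0.99.2.1-pie.patch` is presumably there to add.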
@@ -1,4 +1,3 @@
-1a1fd0312040ef37aa741d09465774b4 pwdb-0.62.tar.gz
 fcc481d52c3b80e20a328f8c0cb042bd db-4.3.27.tar.gz
-ccff87fe639efdfc22b1ba4a0f08ec57 Linux-PAM-0.80.tar.bz2
-b37d2e60d22d4c780b1f130915c75b02 pam-redhat-0.80-1.tar.bz2
+9e564161c3a5f36bf0678ef227b2a897 Linux-PAM-0.99.2.1.tar.bz2
+3b7514ae5dd2b8ca5f7543a07d1970c0 pam-redhat-0.99.1-1.tar.bz2