-$Id$
+=======================================================================
+=======================================================================
+
+ This file is no longer used for tracking changes for Linux-PAM. For
+ user visible changes, please look at the NEWS file. A more verbose
+ list of changes can be found in ChangeLog.
+
+=======================================================================
+=======================================================================
-----------------------------
library for helping to develop modules that contains it and other
stuff. Also add sha-1 and ripemd-160 digest algorithms.
- once above is done. remove hacks from the secret@here module etc..
- - remove prototype for gethostname in pam_access.c (Derrick)
- document PAM_INCOMPLETE changes
- verify that the PAM_INCOMPLETE interface is sensible. Can we
catch errors? should we permit item changing etc., between
- verify that the PAM_INCOMPLETE interface works (auth seems ok..)
- add PAM_INCOMPLETE support to modules (partially added to pam_pwdb)
- work on RFC.
- - do we still need to remove openlog/closelog from modules..?
- auth and acct support in pam_cracklib, "yes, I know the password
you just typed was valid, I just don't think it was very strong..."
- - add in the pam_cap and pam_netid modules
====================================================================
-Note, as of release 0.73, all checkins should be accompanied with a
-Bug ID. The bug IDs relate to sourceforge IDs.. (Of course, nothing is
-ever that simple. It turns out that at some point in Sourceforge's
-history all of the bug ids got bumped by 100000, so pretty much if you
-see a bug ID below that begins with a '1' and your attempted query
-fails, try adding 100000 to the number and trying again. I believe
-this only affects bugs before release 0.76.)
-
-You can query the related bug description with the following URL:
-
- http://sourceforge.net/tracker/index.php?func=detail&aid=XXXXXX&group_id=6663&atid=106663
-
-Where you should replace XXXXXX with a bug-id.
-
-For general documentation completion work, I'm doing it all with
-respect to specific tasks. Open tasks are listed here:
-
- http://sourceforge.net/pm/task.php?group_id=6663&group_project_id=2741&func=browse&set=open
If you have found a bug in Linux-PAM (including a documentation bug,
or a new feature request and/or patch), please consider filing such a
====================================================================
-0.76: please submit patches for this section with actual code/doc
+0.81: please submit patches for this section with actual code/doc
patches!
-
+* pam_umask: New module for setting umask from GECOS field, /etc/login.defs
+ or /etc/default/login (kukuk)
+* configure/pam_strerror: Remove old ugly-hack option for pam_strerror
+ interface change (kukuk)
+* configure.in: Fix AC_DEFINE usage for autoheader (kukuk)
+* configure.in/_pam_aconf.h.in: Remove feature.h inclusion (kukuk)
+* defs: Remove obsolete directory/content (kukuk)
+* Rename _pam_aconf.h.in to config.h (kukuk)
+* pam_unix: Don't ignore pam_get_item return value (kukuk)
+* pam_userdb: Fix regression - crash when crypt param not specified (t8m)
+* libpam: Remove pam_authenticate_secondary stub (kukuk)
+* Use autoconf/automake/libtool (kukuk)
+* pam_securetty: Be fail-close on user lookups, always log failures,
+ not just with "debug" (Solar Designer)
+* Add gettext support
+* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
+ pt, zh_CN and zh_TW
+* pam_limits: Apply ALT Linux/Owl patch
+* pam_motd: Apply ALT Linux/Owl patch
+* libpam: Cache pam_get_user() failures
+* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
+ and pam_vinfo functions for use by modules as extension (kukuk).
+* pam_cracklib: Make path to cracklib dicts an option (kukuk).
+* libpam: Add pam_syslog function for unified syslog messages from
+ PAM modules (kukuk).
+* pam_tally, pam_time, pam_userdb: use pam_syslog and pam_prompt (ldv)
+* pam_issue: major cleanup (ldv)
+* pam_echo: New PAM module for message output (kukuk)
+* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
+ values for other limits are applied) patch by Anton Guda
+* pam_unix: Always honor nis flag on password change (by Aaron Hope)
+* libpam: Moved functions from pammodutil to libpam (t8m)
+* pam_lastlog: Cleanup, fix broken logic in pam_parse,
+ modify wtmp by default, nowtmp option switches that off (ldv)
+
+0.80: Wed Jul 13 13:23:20 CEST 2005
+* pam_tally: test for NULL data before dereferencing them (t8m)
+* pam_unix: fix regression introduced in 0.78 - both NIS and local password
+ should be changed if possible (t8m)
+* misc_conv: flush input first then print the prompt - fixes problem
+ with expect scripts (t8m)
+* pam_unix: nis option shouldn't clear the shadow option (t8m)
+* cleanups and minor bugfixes by Steve Grubb (t8m)
+* pam_private.h: set PAM_DEFAULT_PROMPT to "login: " (kukuk)
+* pam_mkhomedir: Create parent directories if they do not already
+ exist (Bug 600351 - kukuk)
+* pam_mkhomedir: Set owner/permissions of home directory after we
+ created all files (Bug 1032922 - kukuk)
+* pam_rhosts: Get rid of static buffer for path (kukuk)
+* pam_selinux/pam_unix/pam_rootok: Add SELinux support based on
+ patch from Red Hat (kukuk)
+* pam_limits: Correct support of unlimited limits, use correct type
+ for rlimit value (Bug 945449 - kukuk, t8m)
+* pam_xauth: Unset the XAUTHORITY variable when requesting user is
+ root and target user is not (t8m)
+* pam_access: Add listsep option to set list element separator by
+ Richard Shaffer (t8m)
+* pam_limits: Don't reset process priority if none is specified in
+ the config file (Novell #81690 - kukuk)
+* Fix all occurrence of dereferencing type-punned pointer will break
+ strict-aliasing rules warnings (kukuk)
+* pam_limits: Support new limits in linux 2.6.12 (t8m)
+* pam_mkhomedir: change mode datatype (toady)
+* pam_limits: Don't lowercase login names (kukuk)
+
+0.79: Thu Mar 31 16:48:45 CEST 2005
+* pam_tally: added audit option (toady)
+* pam_unix: don't log user unknown failure when he can be properly
+ authenticated by another module (t8m)
+* configure: don't abort if no cracklib dictinaries were found, but
+ warn user that pam_cracklib will not be built (kukuk)
+* modules/pam_unix/support.c: Fix return value if user aborts while
+ changes the password (Bug 872945 - kukuk)
+* modules/pam_unix/support.c: Fix return value for an unknown user
+ (Bug 872943 - kukuk)
+* pam_limits: support for new Linux kernel 2.6 limits (from toby cabot
+ - t8m)
+* pam_tally: major rewrite of the module (t8m)
+* libpam: don't return PAM_IGNORE for OK or JUMP actions if using
+ cached chain (Bug 629251 - t8m)
+* pam_nologin: don't overwrite return value with return from
+ pam_get_item (t8m)
+* libpam: Add more checks for broken PAM configuration files to
+ avoid seg.faults (kukuk)
+* pam_shells: correct README
+* libpam: Fix debug code (kukuk)
+* pam_limits: Fix order of LIMITS_DEF_* priorities (kukuk)
+* pam_xauth: preserve DISPLAY variable (Novell #66885 - kukuk)
+* libpam: Add prelude ids (http://www.prelude-ids.org) support,
+ as experimental. (toady)
+* configure: Add the directory where new versions of cracklib is
+ installed (from Jim Gifford - toady)
+* libpamc: Use standard u_intX_t types instead of __uX (kukuk)
+
+0.78: Do Nov 18 14:48:36 CET 2004
+
+* pam_unix: change the order of trying password changes - local first,
+ NIS second (t8m)
+* pam_wheel: add option only_root to make it affect authentication
+ to root account only
+* pam_unix: test return values on renaming files and report error to
+ syslog and to user
+* pam_unix: forced password change shouldn't trump account expiration
+* pam_unix: remove the use of openlog (from debian - toady)
+* pam_unix: NIS cleanup (patch from Philippe Troin)
+* pam_access: you can now authenticate an explicit user on an explicit
+ tty (from debian - toady)
+* pam_limits, pam_rhosts, pam_unix: fixed hurd portability issues
+ (patch from Igor Khavkine)
+* pam_env: added comments in the configuration file to avoid errors
+ (from debian - toady)
+* pam_mail: check PAM_NO_ENV to know if we can delete the environment
+ variable (from debian - toady)
+* pam_filter: s/termio/termios/g (from debian - toady)
+* pam_mkhomedir: no maxpathlen required (from debian - toady)
+* pam_limits: applied patch to allow explicit limits for root
+ and remove limits on su. (from debian - toady)
+* pam_unix: severe denial of service possible with this module since
+ it locked too aggressively. Bug report and testing help from Sascha
+ Loetz. (Bug 664290 - agmorgan)
+* getlogin was spoofable: "/tmp/" and "/dev/" have the same number of
+ characters, so 'ln /dev/tty /tmp/tty1 ; bash < /tmp/tty1 ; logname'
+ attacks could potentially spoof pam_wheel with the 'trust' module
+ argument into granting access to a luser. Also, pam_unix gave
+ odd error messages in such a situation (logname != uid). This
+ problem was found by David Endler of iDefense.com (Bug 667584 -
+ agmorgan).
+* added my new DSA public key to the pgp.keys.asc file. Also included
+ a signed copy of my new public key (1024D/D41A6DF2) made with my old
+ key (1024/2A398175).
+* added "include" directive to config file syntax.
+ The whole idea is to create few "systemwide" pam configs and include
+ parts of them in application pam configs.
+ (patch by "Dmitry V. Levin" <ldv@altlinux.org>) (Bug 812567 - baggins).
+* doc/modules/pam_mkhomedir.sgml: Remove wrong debug options
+ (Bug 591605 - kukuk)
+* pam_unix: Call password checking helper whenever the password field
+ contains only one character (Bug 1027903 - kukuk)
+* libpam/pam_start.c: All service names should be files below /etc/pam.d
+ and nothing else. Forbid paths. (Bug 1027912 - kukuk)
+* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib
+ module (Bug 1010142 - toady)
+* pam_userdb: applied patch from Paul Walmsley <paul@booyaka.com>
+ it now indicates whether encrypted or plaintext passwords are stored
+ in the database needed for pam_userdb (BerliOS - toady)
+* pam_group: The module should also ignore PAM_REINITIALIZE_CRED to
+ avoid spurious errors (from Linux distributors - kukuk)
+* pam_cracklib: Clear the entire options structure (from Linux
+ distributors - kukuk)
+* pam_issue: We write a NUL to prompt_tmp[tot_size] later, so make sure
+ that the destination is part of the allocated block, make do_prompt
+ static (from Linux distributors - kukuk)
+* ldconfig: Only run full ldconfig, if we don't install into a FAKEROOT
+ environment, else let ldconfig only create the symlinks correct
+ (from Linux distributors - kukuk)
+* pam_unix/pam_pwdb: Use SIG_DFL instead of SIG_IGN for SIGCHLD
+ (from Linux distributors - kukuk)
+* Add most of Steve Grubb's resource leak and other fixes (from
+ Linux distributors - kukuk)
+* doc/Makefile: Don't include .cvsignore files in tar ball (kukuk)
+* libpam_misc/misc_conv.c: Differentiate between Ctrl-D and
+ <Return> (Bug 1032604 - kukuk)
+* Make.Rules.in: Add targets for installing man pages for modules
+ (from Linux distributors - kukuk)
+* Add pam_xauth module (Bug 436440 - kukuk)
+* Add pam_localuser module (Bug 436444 - kukuk)
+* Add pam_succeed_if module (from Linux distributors - kukuk)
+* configure.in: Fix check for libcrypt (Bug 417704 - kukuk)
+* Add the "broken_shadow" argument to pam_unix, for ignoring errors
+ reading shadow information (from Linux distributors - kukuk)
+* Add patches to make PAM modules reentrant (Bug 440107 - kukuk)
+* Merge patches from Red Hat (Bug 477000 and other - kukuk)
+* Fix pam_rhosts option parsing (Bug 922648 - kukuk)
+* Add $ISA support in config files (from Red Hat - kukuk)
+
+0.77: Mon Sep 23 10:25:42 PDT 2002
+
+* documentation support for pdf files was not quite right -
+ installation was messed up.
+* pam_wheel was too aggressive to grant access (in the case of the
+ 'deny' option you want to pay attention to 'trust'). Fix from
+ Nalin (Bugs 476951, 476953 - agmorgan)
+* account management support for: pam_shells, pam_listfile, pam_wheel
+ and pam_securetty (+ static module fix for pam_nologin). Patch from
+ redhat through Harald Welte (Bug 436435 - agmorgan).
+* pam_wheel feature from Nalin - can use the module to provide wheel
+ access to non-root accounts. Also from Nalin, a bugfix related to
+ the primary group of the applicant is the 'wheel' group. (Bugs
+ 476980, 476941 - agmorgan)
+* pam_unix and pam_pwdb: by default turn off the SIGCHLD handler while
+ running the helper binary (patch from Nalin) added the "noreap"
+ module argument to both of these modules to turn off this new
+ default. Bugfix found by Silvan Minghetti for former module and
+ 521314 checkin. (Bugs 476963, 521314 - agmorgan).
+* updated CHANGELOG and configure.in for 0.77 work.
+
+0.76: Mon Jul 8 21:44:59 PDT 2002
+
+* pam_unix: fix for legacy crypt() support when the password entered
+ was long. (Bug 521314 - agmorgan).
+* pam_access no longer include gethostname() prototype complaint from
+ David Lee (Bug 415423 - agmorgan).
+* make pam_nologin more secure by default, added two new module
+ arguments etc. - acting on suggestion from Nico (Bug 419307 -
+ agmorgan)
+* link in libpam to libpam_misc - since the latter uses functions in
+ the former it makes some sort of sense to do this (although, in the
+ static library case, I remain to be convinced). (Bug 565470 -
+ agmorgan).
+* absorbed some of the proposed darwin (OS X) changes from Luke Howard
+ (of PADL software) - hopefully will get the rest (see Rob Braun's
+ 534205) by 0.77 (Bug 491466 - agmorgan).
+* README fix for pam_unix from Nalin (Bug 476971 - agmorgan).
+* add support for building pdf files from the documentation - request
+ from 'lolive' (Bug 471377 - agmorgan).
+* documented the equivalent '[..]' expressions for "required"
+ etc. Request from Ross Patterson (Bug 529078 - agmorgan).
+* '[...]' parsing: document it and also fix it to support '\]' escape
+ sequence. Feature request from Russell Kliese (Bug 517064 -
+ agmorgan).
+* pam_rootok: compilation warning noted by Tony den Haan wrt no
+ prototype for strcmp() (Bug 557322 - agmorgan).
* documentation: (a few of mine in passing) and app documentation
suggestions regarding PAM environment variables and module
documentation changes regarding the conversation function from Jenn
This is entirely inapropriate as it overrides PAM_USER_PROMPT. (Bug
486361 - agmorgan).
* added a static module helper library object includes a few changes
- to examples/xsh.c for testing purposes, and also modified the
- pam_rhosts_auth module to use this new library. (Bug 490938,
- 409852 - agmorgan)
+ to examples/xsh.c for testing purposes (added a simple shell wrapper
+ for running xsh with the sandbox libraries), and also modified the
+ pam_rhosts_auth module to use this new library. (Bug 490938, 409852
+ - agmorgan).
* pam_unix: fix 'likeauth' to kill off the memory leak once and for all.
(Bug 483959 - vorlon)
* pam_unix: restore handling of 'likeauth' argument to a known working
* verified that the setcred stack didn't suffer from the bug I was
nervous about, add a new module pam_debug to help me test this.
fixed a libpam/pam_dispatch.c instrumentation line that I tripped
- over when testing. (Bug 424315 - agmorgan)
+ over when testing. Also restructured pam_warn to help here (Bug
+ 424315 - agmorgan).
* pam_unix/support.c: sample use of reentrant NSS function. Not yet active,
because modules do not include _pam_aconf_h! (Bug 440107 - vorlon)
* doc/Makefile changes - use $(mandir) [courtesy Harald Welte] (Bug