%define libname %mklibname %{name} 0
%define develname %mklibname %{name} -d

%define with_prelude 0
%{?_without_prelude: %{expand: %%global with_prelude 0}}
%{?_with_prelude: %{expand: %%global with_prelude 1}}

%define bootstrap 0
%{?_without_bootstrap: %global bootstrap 0}
%{?_with_bootstrap: %global bootstrap 1}

%define pam_redhat_version 0.99.10-1

Summary:	A security tool which provides authentication for applications
Name:		pam
Version:	1.1.6
Release:	%mkrel 5
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License:	BSD and GPLv2+
Group:		System/Libraries
Url:		http://www.linux-pam.org/
Source0:	http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2
Source1:	%{name}-tmpfiles.conf
Source2:	pam-redhat-%{pam_redhat_version}.tar.bz2
Source5:	other.pamd
Source6:	system-auth.pamd
Source7:	config-util.pamd
Source8:	dlopen.sh
Source9:	system-auth.5
Source10:	config-util.5
Source11:	90-nproc.conf

# RedHat patches
Patch1:  pam-1.0.90-redhat-modules.patch
Patch2:  pam-1.1.6-std-noclose.patch
Patch4:  pam-1.1.0-console-nochmod.patch
Patch5:  pam-1.1.0-notally.patch
Patch7:  pam-1.1.0-console-fixes.patch
Patch9:  pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch13: pam-1.1.5-limits-user.patch
Patch21: pam-1.1.6-install-empty.patch
Patch22: pam-1.1.5-unix-build.patch
Patch24: pam-1.1.6-namespace-mntopts.patch

# Mageia specific sources/patches
# (fl) fix infinite loop
Patch507:	pam-0.74-loop.patch
# (fc) don't complain when / is owned by root.adm
Patch508:	Linux-PAM-0.99.3.0-pamtimestampadm.patch
# (fl) pam_xauth: set extra groups because in high security levels
#      access to /usr/X11R6/bin dir is controlled by a group
Patch512:	Linux-PAM-1.1.1-xauth-groups.patch
# (blino) fix parallel build (pam_console)
Patch521:	Linux-PAM-0.99.3.0-pbuild-rh.patch

Patch700:	pam_fix_static_pam_console.patch
# (fc) do not output error when no file is in /etc/security/console.perms.d/
Patch701:	pam-1.1.0-console-nopermsd.patch
# (peroyvind): add missing constant that went with rpc removal from glibc 2.14
Patch702:	Linux-PAM-1.1.4-add-now-missing-nis-constant.patch

#add missing documentation
Source501: 	pam_tty_audit.8
Source502:	README
Requires(pre):	filesystem >= 2.1.9-18
Requires(post):	systemd >= %{systemd_required_version}
Requires:	cracklib-dicts
Requires:	setup >= 2.7.12-2
Requires:	pam_tcb >= 1.0.2-16
Conflicts:	initscripts < 3.94
Requires(pre):	rpm-helper
Requires(post):	coreutils
Requires(post):	tcb >= 1.0.2-16
BuildRequires:	bison cracklib-devel flex
%if !%{bootstrap}
# this pulls in the mega texlive load
BuildRequires:	linuxdoc-tools
%endif
BuildRequires:	db5_nss-devel
BuildRequires:	openssl-devel
BuildRequires:	libaudit-devel
BuildRequires:	glibc-crypt_blowfish-devel
BuildRequires:	gettext-devel
%if %with_prelude
BuildRequires:	prelude-devel >= 0.9.0
%else
BuildConflicts:	prelude-devel
%endif

%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

%package	doc
Summary:	Additional documentation for %{name}
Group:		System/Libraries
Requires:	%{name} = %{version}
BuildArch:	noarch

%description	doc
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

This is the documentation package of %{name}.

%package -n	%{libname}
Summary:	Libraries for %{name}
Group:		System/Libraries
Requires(pre):	filesystem >= 2.1.9-18

%description -n	%{libname}
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

This package contains the librairies for %{name}.

%package -n	%{develname}
Summary:	Development headers and libraries for %{name}
Group:		Development/Other
Requires(pre):	filesystem >= 2.1.9-18
Requires:	%{libname} = %{version}
Provides:	%{name}-devel = %{version}-%{release}
Provides:	lib%{name}-devel = %{version}-%{release}

%description -n	%{develname}
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

This package contains the development librairies for %{name}.

%prep
%setup -q -n Linux-PAM-%{version} -a 2

# Add custom modules.
mv pam-redhat-%{pam_redhat_version}/* modules

# (RH)
%patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .std-noclose
%patch4 -p1 -b .nochmod
%patch5 -p1 -b .notally
%patch7 -p1 -b .console-fixes
%patch9 -p1 -b .noflex
%patch10 -p1 -b .nouserenv
%patch11 -p1 -b .abstract
%patch13 -p1 -b .limits
%patch21 -p1 -b .empty
%patch22 -p1 -b .build
%patch24 -p1 -b .mntopts

# (Mageia)
%patch507 -p1 -b .loop
%patch508 -p1 -b .pamtimestampadm
%patch512 -p0 -b .xauth-groups
%patch521 -p1 -b .pbuild-rh
%patch700 -p1 -b .static
%patch701 -p1 -b .nopermsd
%patch702 -p1 -b .nis-const

# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this
# just makes things easier but is not meant to be a permanent solution
## Remove unwanted modules; pam_tcb provides pam_unix now
#for d in pam_unix; do
#    rm -rf modules/$d
#    sed -i "s,modules/$d/Makefile,," configure.in
#    sed -i "s/ $d / /" modules/Makefile.am
#done


install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/

mkdir -p doc/txts
for readme in modules/pam_*/README ; do
	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
done

%build
autoreconf -fi -I m4

export BROWSER=""
CFLAGS="$RPM_OPT_FLAGS -fPIC -I%{_includedir}/db_nss -D_GNU_SOURCE" \
%configure2_5x \
	--includedir=%{_includedir}/security \
	--with-db-uniquename=_nss \
	--docdir=%{_docdir}/%{name} \
	--disable-selinux
%make

%install
mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}%{_libdir}/security
%makeinstall_std LDCONFIG=:
install -d -m 755 %{buildroot}/etc/pam.d
install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf
install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
install -d -m 755 %{buildroot}/var/log
install -m 600 /dev/null %{buildroot}/var/log/tallylog

# Install man pages.
install -m 644 %{SOURCE9} %{SOURCE10} %{buildroot}%{_mandir}/man5/

# Install tmpfiles
install -D -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf

# remove unpackaged .la files
rm -rf %{buildroot}%{_libdir}/*.la %{buildroot}%{_libdir}/security/*.la

# no longer needed, handled by ACL in udev
for phase in auth acct passwd session ; do	 
	ln -sf pam_unix.so %{buildroot}%{_libdir}/security/pam_unix_${phase}.so	 
done

%find_lang Linux-PAM

%check
# (blino) we don't want to test if SE Linux is built, it's disabled
# Make sure every module subdirectory gave us a module.  Yes, this is hackish.
for dir in modules/pam_* ; do
if [ -d ${dir} ] && [ ${dir} != "modules/pam_selinux" && [ ${dir} != "modules/pam_sepermit"  ]; then
         [ ${dir} = "modules/pam_tally" ] && continue
	if ! ls -1 %{buildroot}%{_libdir}/security/`basename ${dir}`*.so ; then
		echo ERROR `basename ${dir}` did not build a module.
		exit 1
	fi
fi
done

# Check for module problems.  Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application.
%{_sbindir}/ldconfig -n %{buildroot}%{_libdir}
for module in %{buildroot}%{_libdir}/security/pam*.so ; do
	if ! env LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
		 %{SOURCE8} -ldl -lpam -L%{buildroot}%{_libdir} ${module} ; then
		echo ERROR module: ${module} cannot be loaded.
		exit 1
	fi
done

rmdir %{buildroot}/var/run/console

%post
%_tmpfilescreate %{name}

%posttrans
# (cg) Ensure that the pam_systemd.so is included for user ACLs under systemd
# Note: Only affects upgrades, but does no harm so always update if needed.
if ! grep -q "pam_systemd\.so" /etc/pam.d/system-auth; then
  echo "-session    optional      pam_systemd.so" >>/etc/pam.d/system-auth
fi

if [ ! -a /var/log/tallylog ] ; then
       install -m 600 /dev/null /var/log/tallylog
fi
if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then
       %{_sbindir}/set_tcb --auto --migrate
fi


%files -f Linux-PAM.lang
%doc NEWS
%docdir %{_docdir}/%{name}
%dir /etc/pam.d
%config(noreplace) /etc/environment
%config(noreplace) /etc/pam.d/other
%attr(0644,root,shadow) %config(noreplace) /etc/pam.d/system-auth
%config(noreplace) /etc/pam.d/config-util
%{_sbindir}/mkhomedir_helper
%{_sbindir}/pam_console_apply
%{_sbindir}/pam_tally2
%{_sbindir}/unix_chkpwd
%{_sbindir}/unix_update
%attr(4755,root,root) %{_sbindir}/pam_timestamp_check
%{_tmpfilesdir}/%{name}.conf
%config(noreplace) %{_sysconfdir}/security/access.conf
%config(noreplace) %{_sysconfdir}/security/chroot.conf
%config(noreplace) %{_sysconfdir}/security/console.perms
%config(noreplace) %{_sysconfdir}/security/console.handlers
%config(noreplace) %{_sysconfdir}/security/group.conf
%config(noreplace) %{_sysconfdir}/security/limits.conf
%dir %{_sysconfdir}/security/limits.d
%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf
%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init
%config(noreplace) %{_sysconfdir}/security/pam_env.conf
%config(noreplace) %{_sysconfdir}/security/time.conf
%config(noreplace) %{_sysconfdir}/security/opasswd
%dir %{_sysconfdir}/security/console.apps
%dir %{_sysconfdir}/security/console.perms.d
%ghost %verify(not md5 size mtime) /var/log/tallylog
%{_mandir}/man5/*
%{_mandir}/man8/*

%files -n %{libname}
%{_libdir}/libpam.so.*
%{_libdir}/libpamc.so.*
%{_libdir}/libpam_misc.so.*
%{_libdir}/security/*.so
%{_libdir}/security/pam_filter
%dir %{_libdir}/security

%files -n %{develname}
%doc Copyright
%{_libdir}/libpam.so
%{_libdir}/libpam_misc.so
%{_libdir}/libpamc.so
%{_includedir}/security/*.h
%{_mandir}/man3/*

%files doc
%doc doc/txts doc/specs/rfc86.0.txt Copyright


%changelog

* Sun Mar 24 2013 colin <colin> 1.1.6-5.mga3
+ Revision: 405136
- Use tmpfiles macros and add system version to requires (mga#9302)

* Sun Mar 10 2013 luigiwalser <luigiwalser> 1.1.6-4.mga3
+ Revision: 402037
- prevent logged-in users from running fork bombs (rhbz#432903)
- add support for tmpfs mount options in pam_namespace (from fedora)

* Sun Jan 13 2013 umeabot <umeabot> 1.1.6-3.mga3
+ Revision: 362361
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild

* Wed Jan 09 2013 cjw <cjw> 1.1.6-2.mga3
+ Revision: 343442
- add BuildRequires: gettext-devel
- fix build with automake 1.13

* Mon Sep 03 2012 luigiwalser <luigiwalser> 1.1.6-1.mga3
+ Revision: 287431
- 1.1.6
- update URLs
- resync some patches from fedora

* Tue Jul 31 2012 fwang <fwang> 1.1.5-4.mga3
+ Revision: 276295
- rebuild for db-5.3

* Wed Jul 25 2012 fwang <fwang> 1.1.5-3.mga3
+ Revision: 274190
- build with db 5.2

* Mon Jul 23 2012 colin <colin> 1.1.5-2.mga3
+ Revision: 273694
- Move to /usr
- Fix build with glibc-2.16 (patch from Arch)
- Ensure that /run/console directory is created via tmpfiles

* Sun Feb 19 2012 luigiwalser <luigiwalser> 1.1.5-1.mga2
+ Revision: 210662
- 1.1.5
- remove upstreamed security patches
- fix URL
- various cleanups from mdv:
  - work around ordering issue by moving %%post script to %%posttrans
  - check if /etc/login.defs exists before trying to open it in scriplet
  - spec cleanups
  - add bootstrap option to avoid texlive
  - add patch for missing nis constant removed from glibc (patch 702)

* Tue Jan 17 2012 colin <colin> 1.1.3-7.mga2
+ Revision: 197402
- Fix typo in post script (systemd auth issues mga#4134

* Sun Jan 08 2012 colin <colin> 1.1.3-6.mga2
+ Revision: 193519
- Ensure pam_systemd is included in system-auth (mga#3822)

  + anssi <anssi>
    - fix USE_TCB check in %%post to avoid running the migration script every
      time (from Mandriva)

* Fri Nov 11 2011 colin <colin> 1.1.3-5.mga2
+ Revision: 166528
- Fix CVE-2011-3148, CVE-2011-3149 relating to overflows in pam_env. mga#3192

* Wed Nov 09 2011 colin <colin> 1.1.3-4.mga2
+ Revision: 165866
- Drop default rt prio/nice values for members of the audio group. mga#2503
- Add optional pam_systemd to system-auth session.
   * This is quite safe even when dealing with non-systemd systems
     as it is both optional in the session sense, and is prefixed by -
     thus not breaking things when pam_systemd.so is not installed.
     The module itself deals gracefully when systemd is used for boot
     or not (the latter being a noop)

* Tue Jan 11 2011 pterjan <pterjan> 1.1.3-2.mga1
+ Revision: 6072
- Remove removed file from file list

  + blino <blino>
    - remove old readme files
    - update comment
    - remove old comments, ldconfig scripts, version checks, conflicts, obsoletes
    - imported package pam


* Wed Nov 03 2010 Oden Eriksson <oeriksson@mandriva.com> 1.1.3-1mdv2011.0
+ Revision: 592873
- 1.1.3
- sync patches with pam-1.1.3-1.fc15.src.rpm
- rediffed P512

* Mon Mar 15 2010 Oden Eriksson <oeriksson@mandriva.com> 1.1.1-2mdv2010.1
+ Revision: 519980
- rebuilt against audit-2 libs

* Wed Dec 30 2009 Frederik Himpe <fhimpe@mandriva.org> 1.1.1-1mdv2010.1
+ Revision: 484161
- Update to new version 1.1.1
- Remove authok patch: integrated upstream
- Rediff xauth groups patch
- Don't run libtoolize: it breaks build
- drop tests for not pulling in libpthread like in Fedora (as NPTL
  should be safe and pam_userdb now links to libpthread on x86_64)

* Tue Oct 06 2009 Frederic Crozat <fcrozat@mandriva.com> 1.1.0-6mdv2010.0
+ Revision: 454902
- Patch701: do not complain if there is no files in /etc/security/console.perms.d/

* Sun Sep 27 2009 Olivier Blin <oblin@mandriva.com> 1.1.0-5mdv2010.0
+ Revision: 450211
- fix crash on some archs, pam is building with static all functions
  with is plain wrong, this tends to make pam_comsole_apply
  unhappy/crashing (from Arnaud Patard)

* Tue Sep 08 2009 Frederic Crozat <fcrozat@mandriva.com> 1.1.0-4mdv2010.0
+ Revision: 433622
- Patch4 (Fedora): do not chmod tty on login/login with pam_console anymore
- Patch5 (Fedora): drop pam_tally, use pam_tally2 instead

* Thu Aug 27 2009 Frederic Crozat <fcrozat@mandriva.com> 1.1.0-3mdv2010.0
+ Revision: 421690
- Patch3 (Fedora): fix for pam_cracklib from upstream

* Mon Jul 27 2009 Frederic Crozat <fcrozat@mandriva.com> 1.1.0-2mdv2010.0
+ Revision: 400600
- remove default rules for console.perms, device ownership should not change anymore

* Mon Jul 27 2009 Frederic Crozat <fcrozat@mandriva.com> 1.1.0-1mdv2010.0
+ Revision: 400582
- Release 1.1.0
- no longer change devices ownership based on console privilege, handled by consolekit now (remove source500, patches 500, 501)

* Sun May 10 2009 Frederik Himpe <fhimpe@mandriva.org> 1.0.92-1mdv2010.0
+ Revision: 374099
- Remove verbose limits patch: a similar change was implemented upstream
- Update to new version Linux-PAM 1.0.92 and pam-redhat 0.99.10-1
- Resync patches with Fedora
- Rediff xauth-groups patch
- Remove man page typo fix, noselinux and bid 34010 patches
  (integrated upstream)
- Don't conflict with libselinux-devel and use --disable-selinux in
  configure call
- Disable verbose call patch for now, upstream code has changed too

* Thu Apr 16 2009 Frederik Himpe <fhimpe@mandriva.org> 0.99.8.1-20mdv2009.1
+ Revision: 367795
- Disable fork option for pam_tcb, to reflect the change made in set_tcb

* Mon Mar 30 2009 Frederic Crozat <fcrozat@mandriva.com> 0.99.8.1-19mdv2009.1
+ Revision: 362380
- Add console for raw1394 (Mdv bug #47622)

* Thu Mar 19 2009 Frederik Himpe <fhimpe@mandriva.org> 0.99.8.1-18mdv2009.1
+ Revision: 358110
- Add upstream patch fixing security issue (Bugtraq ID 34010)

* Sun Mar 08 2009 Michael Scherer <misc@mandriva.org> 0.99.8.1-17mdv2009.1
+ Revision: 352736
- fix build by updating libtool script
- update patch 32
- rediff patch 31

  + Antoine Ginies <aginies@mandriva.com>
    - rebuild

* Tue Aug 12 2008 Vincent Danen <vdanen@mandriva.com> 0.99.8.1-16mdv2009.0
+ Revision: 271144
- call set_tcb in %%post and require tcb itself as a result

* Tue Aug 12 2008 Olivier Blin <oblin@mandriva.com> 0.99.8.1-15mdv2009.0
+ Revision: 271055
- move pam_tcb conflict in the proper lib package (#42709)

* Mon Aug 11 2008 Olivier Blin <oblin@mandriva.com> 0.99.8.1-14mdv2009.0
+ Revision: 270658
- conflict with old tcb package that contained pam_unix

* Sat Aug 09 2008 Vincent Danen <vdanen@mandriva.com> 0.99.8.1-13mdv2009.0
+ Revision: 270079
- require new pam_tcb release
  require specific setup version for the shadow group
  restore old pam_unix and its symlinks
  ensure system-auth permissions and ownership

* Thu Aug 07 2008 Thierry Vignaud <tv@mandriva.org> 0.99.8.1-12mdv2009.0
+ Revision: 265321
- rebuild early 2009.0 package (before pixel changes)

  + Oden Eriksson <oeriksson@mandriva.com>
    - unset BROWSER

  + Pixel <pixel@mandriva.com>
    - do not call ldconfig in %%post/%%postun, it is now handled by filetriggers

* Thu May 22 2008 Vincent Danen <vdanen@mandriva.com> 0.99.8.1-11mdv2009.0
+ Revision: 210056
- libpam conflicts with pam < 0.99.8.1-10mdv
- dropped the system-auth migration as per blino
- restored the 0.99.3.1 README
- renamed and trimmed the 0.99.8.1-11mdv README

* Tue May 20 2008 Vincent Danen <vdanen@mandriva.com> 0.99.8.1-10mdv2009.0
+ Revision: 209289
- gracefully handle non-standard system-auth configurations to replace pam_unix with pam_tcb (for instances like using ldap for auth, etc.) which, if not done correctly or immediately, could result in local accounts being locked out

* Mon May 19 2008 Vincent Danen <vdanen@mandriva.com> 0.99.8.1-9mdv2009.0
+ Revision: 209172
- add -D_GNU_SOURCE to $CFLAGS in order to compile pam_console and pam_timestamp
- requires pam_tcb
- buildrequires glibc-crypt_blowfish-devel
- don't build pam_unix; pam_tcb provides it
- unix_chkpwd and unix_update are no longer required without pam_unix
- clean up system-auth(5)
- update system-auth to use pam_tcb
- updated the Mandriva-specific README

* Fri Jan 18 2008 Frederic Crozat <fcrozat@mandriva.com> 0.99.8.1-8mdv2008.1
+ Revision: 154727
- Update license info based on fedora specfile
- Update patches 25, 44 with latest version from fedora
- Remove patch26, merged into patch25
- Patch42, 43 (Fedora): don't use pam_console to change device ownership, rely on HAL ACL now
- Patch46 (Fedora): fix in operator (Fedora #295151)
- Patch47 (Fedora): fix invalid free on xauth module
- Patch48 (Fedora): add support for substack include
- Patch49, 50 (Fedora): add tty_audio module
- Patch523: fix build when SELinux is disabled
- Source501, 502 : add missing documentation from tarball
- Resync system-auth file with Fedora

* Fri Dec 21 2007 Oden Eriksson <oeriksson@mandriva.com> 0.99.8.1-7mdv2008.1
+ Revision: 136256
- link against the bdb 4.6.x assembly-mutex-only db (buchan)

  + Thierry Vignaud <tv@mandriva.org>
    - kill re-definition of %%buildroot on Pixel's request

  + Marcelo Ricardo Leitner <mrl@mandriva.com>
    - As Blino pointed out, we can do Requires(post): coreutils as coreutils
      currently just "Requires: pam", with no specific order.
      This also fix a bug in the previous "fix" that would make the /dev/null
      device be copied instead of creating a blank file.
    - Do not use the install utility on %%post section because we can't require
      coreutils as coreutils already requires us. So replace install calls by
      cp -a and chmod ones, fixing without introducing a circular dependency.

* Thu Sep 20 2007 Frederic Crozat <fcrozat@mandriva.com> 0.99.8.1-6mdv2008.0
+ Revision: 91448
- Update patch24 with latest fedora version
- Patch25 (Fedora): do not ask for blank password when SELinux confined (Fedora #254044)

* Wed Sep 12 2007 Anssi Hannula <anssi@mandriva.org> 0.99.8.1-5mdv2008.0
+ Revision: 84662
- show 0.99.3.0 notes only when upgrading from an older version

* Mon Sep 10 2007 Olivier Blin <oblin@mandriva.com> 0.99.8.1-4mdv2008.0
+ Revision: 84153
- make evdev mouse devices owned by console user (fix synclient, #32955)

* Mon Sep 03 2007 Frederic Crozat <fcrozat@mandriva.com> 0.99.8.1-3mdv2008.0
+ Revision: 78627
- Update patches 40 & 5 with latest version from RH (Fix Mdv bug #32741)
- Patch44 (RH): fix homedir init with namespace module

* Mon Aug 13 2007 Olivier Blin <oblin@mandriva.com> 0.99.8.1-2mdv2008.0
+ Revision: 62485
- add scanner devices in the usb group (#29489, #29562)
- make sure devices are accessible by their group if specified in console.perms (#29489)
- remove mode definitions from mdvperms patch (will be done by a one-liner in the spec)
- restore console settings for lp class (wrongly removed in 0.99.6.0 rediff, #29562)
- move lp class in 50-mandriva.perms
- add compatibility symlinks for pam_unix_{auth,acct,passwd,session}.so
- add /etc/security/opasswd file
- add more module checks in check section (from Fedora)
- move checks in check section
- properly include /var/log/faillog and tallylog as ghosts and create them in post script (from Fedora)
- add user and new instance parameters to namespace init (from Fedora)
- fix typo in man pages
- enable libaudit
- rediff mdv perms patch
- do not log an audit error when uid != 0 (from Fedora)
- update to pam-redhat-0.99.8-1
- adapt to new devel library policy
- add signature
- rename sources to match RH spec file
- remove useless chmod

* Tue Jul 24 2007 Olivier Blin <oblin@mandriva.com> 0.99.8.1-1mdv2008.0
+ Revision: 55033
- 0.99.8.1
- update RH patches
- package /sbin/unix_update
- remove old packaging hacks
- use new doc directory policy

* Sat Jul 21 2007 David Walluck <walluck@mandriva.org> 0.99.7.1-3mdv2008.0
+ Revision: 54187
- add config-util.pamd


* Wed Feb 07 2007 Olivier Blin <oblin@mandriva.com> 0.99.7.1-2mdv2007.0
+ Revision: 117173
- mark doc dir as docdir
- fix doc installation
- update pam_redhat to 0.99.7-1
- allow more X displays as consoles (RH #227462)

* Wed Jan 24 2007 Olivier Blin <oblin@mandriva.com> 0.99.7.1-1mdv2007.1
+ Revision: 112870
- 0.99.7.1

* Tue Jan 23 2007 Olivier Blin <oblin@mandriva.com> 0.99.7.0-1mdv2007.1
+ Revision: 112280
- 0.99.7.0

* Fri Oct 20 2006 Olivier Blin <oblin@mandriva.com> 0.99.6.3-1mdv2007.1
+ Revision: 71373
- link pam_userdb with db4 (#26242 and #26572)
- pam_loginuid is now in upstream sources
- remove console reset patch, now handled upstream
- 0.99.6.3

* Sat Sep 16 2006 Olivier Blin <oblin@mandriva.com> 0.99.6.0-3mdv2007.0
+ Revision: 61618
- 0.99.6.0-3mdv
- chown IR remote controls devices to console user (Anssi Hannula, #24785)
- add /dev/scd* /dev/sg* /dev/cdrw* /dev/dvdrw* in burner devices list (#25371 and #24541)

* Wed Aug 30 2006 Olivier Blin <oblin@mandriva.com> 0.99.6.0-2mdv2007.0
+ Revision: 58719
- bump release
- make cdrom devices owned by cdrom group

  + Anssi Hannula <anssi@mandriva.org>
    - add /dev/input/by-path/*-joystick to <joystick> class (fixes #23775)
    - make <sound> class devices accessible by audio group (fixes #24300)
    - make <v4l> and <dvb> class devices accessible by video group (fixes #24786)

* Fri Aug 11 2006 Olivier Blin <oblin@mandriva.com> 0.99.6.0-1mdv2007.0
+ Revision: 55258
- use ndbm from db1 to build pam_userdb
- drop html, ps and pdf doc (pdf doc would require Apache's fop to be packaged)
- make doc/txts directory (not provided upstream anymore)
- namespace.init is now provided upstream
- drop more sgml hacks (sgml not used upstream anymore)
- remove pam-0.77-use_uid.patch (fixed upstream)
- remove pam_keyinit patches (merged upstream)
- remove pam-0.99.5.0-access-gai.patch (applied upstream)
- remove pam-0.99.4.0-succif-service.patch (merged upstream)
- remove sgml2latex patch, it doesn't apply anymore since xml is used instead of sgml in 0.99.6.0
- 0.99.6.0
- really use pam-redhat-0.99.6-1
- remove patch merged in pam-redhat 0.99.6-1
- revoke keyrings properly when pam_keyinit called more than once (RH)
- don't log pam_keyinit debug messages by default
- drop ainit from console.handlers (RH)
- add pam_keyinit to the default system-auth file (RH)
- fixed network match in pam_access (from Redhat)
- sync with pam-redhat 0.99.6-1 (and rediff mdvperms, RH merged a lot of our permissions)
- import pam-0.99.5.0-2mdv2007.0

* Tue Jul 04 2006 Olivier Blin <oblin@mandriva.com> 0.99.5.0-2mdv2007.0
- Source500: add ttyACM* devices in the serial class (#23190)
- Patch83 (from Fedora): add service as value to be matched and list
  matching to pam_succeed_if
- use upstream redhat-modules patch

* Thu Jun 29 2006 Olivier Blin <oblin@mandriva.com> 0.99.5.0-1mdv2007.0
- 0.99.5.0
- Patch523: temporary patch to add namespace.init, which is missing from dist
  (extracted from RH old namespace patch)
- package namespace files in /etc/security
- Patch84 (from RH): pam_console_apply shouldn't access /var when called with -r

* Thu Jun 29 2006 Olivier Blin <oblin@mandriva.com> 0.99.4.0-1mdv2007.0
- 0.99.4.0
- from Fedora:
  o pam-0.99.4.0-redhat-modules
  o pam-redhat-0.99.5-1
  o add system-auth and config-util man pages
- drop Patch523 and all pwdb bits
- drop glib2-devel BuildRequires (pam_console_apply don't need it anymore)
- rediff Patch500 (mdv perms)
- drop Patch520 (merged upstream)
- don't check for userdb module, we don't built it
  (it requires an internal libdb copy)
- package pam_tally2

* Thu Feb 02 2006 Olivier Blin <oblin@mandriva.com> 0.99.3.0-6mdk
- update instructions in the README.update.urpmi file (Source4)

* Wed Feb 01 2006 Thierry Vignaud <tvignaud@mandriva.com> 0.99.3.0-5mdk
- patch 500:
  o fix firewire perms (#20270)
  o fix printer perms (#13013)

* Mon Jan 30 2006 Olivier Blin <oblin@mandriva.com> 0.99.3.0-4mdk
- don't build prelude (#20896)
- Patch523: allow to disable pwdb
- disable pam_pwdb
- make unix_chkpwd setuid root again
- Source2: remove hardcoded /lib/security in source
  (even if spec-helper fixes it later)
- don't add video group in %%pre, it's already in the setup package
- remove hardcoded workaround for a (more than) 2 years-old pam
- more BuildRequires fixes: drop autoconf2.1, use glib2-devel
  (thanks to Stefan van der Eijk)
- rpmbuildupdatable
- Source4: README.update.urpmi

* Sat Jan 28 2006 Olivier Blin <oblin@mandriva.com> 0.99.3.0-3mdk
- BuildRequires automake1.8 (Stefan van der Eijk)
- fix again Patch517 (use real patch name)
- fix typo in modules installation test

* Sat Jan 28 2006 Olivier Blin <oblin@mandriva.com> 0.99.3.0-2mdk
- BuildConflicts with libselinux-devel (#20871)
- don't test if modules/pam_selinux is built, we don't want it
- Patch517: fix typo in limits.conf (Andrey Borzenkov, #20872)
- BuildRequires openssl-devel (#20874)
- Patch511: use pam_syslog instead of old _pam_log in pam_limits
  (Andrey Borzenkov, #20876)
- BuildRequires prelude-devel

* Sat Jan 28 2006 Olivier Blin <oblin@mandriva.com> 0.99.3.0-1mdk
- 0.99.3.0
- sync with RH (all of their others patches are either merged upstream,
  or useless in Mandriva, such as SE Linux):
  o drop Patch39 (wasn't needed for 0.77)
  o drop Patch[0,1,2,3,5,6,7,8,9,11,12,13,14,15,16,17,18,19,20],
    Patch[22,23,24,25,26,27,30,31,32,33,35,36,37,40] and Source4
    (dropped during 0.78 upgrade)
  o drop Patch29 (dropped during 0.79 upgrade)
  o drop Patch4 (dropped during 0.80 upgrade)
  o rediff Patch21
  o don't use fakeroot anymore
  o don't enable static-pam
  o drop Patch10 (dropped during 0.99.2.1 upgrade)
  o rediff Patch34
  o fix descriptions
- rediff Patch500, and split out Mandriva-specific perms in Source500
  (installed as 50-mandriva.perms)
- remove devfs-style paths in Patch500/Source500
- drop Patch502 (dead X problem fixed otherwise upstream)
- drop Patch503 (we don't need pam_console_apply_devfsd)
- rediff Patch504 (drop merged parts), Patch508, Patch512
- drop Patch506 (not required anymore to detect cracklib dicts on x86_64)
- drop Patch507 (tty name not found fixed otherwise upstream)
- drop Patch509 (fixed upstream)
- drop Patch513 (fixed otherwise upstream, should still work with lsb-test-pam)
- drop Patch514 (kill pam_console_setowner, pam_console_apply should be used)
- drop Patch515 (/etc/environment test fixed upstream)
- drop Patch516 (RT now supported upstream)
- rediff Patch517 (apply on limits.conf, use new rtprio keyword instead of
  previous rt_priority)
- drop Patch518 (build with gcc 4 works fine now)
- add comments about ghost patches
- Patch520 and Patch521: fix parallel build
- Patch522: ensure that sgml2txt worked
- package new security/console.handlers and security/console.perms.d/
- package pam_filter/upperLOWER
- package libpamc
- package security/chroot.conf
- package lang files
- don't package pwdb_chkpwd
- more description fixes

* Thu Jan 26 2006 Olivier Blin <oblin@mandriva.com> 0.77-37mdk
- handle permissions for /dev/bus/usb

* Tue Jan 24 2006 Olivier Blin <oblin@mandriva.com> 0.77-36mdk
- fix permissions for more DVB devices (merge Patch520 in Patch500)

* Mon Jan 23 2006 Olivier Blin <oblin@mandriva.com> 0.77-35mdk
- update Patch514 to handle multiple arguments in pam_console_setowner,
  (from Andrey Borzenkov, #20269, it's about reimplementing recent
   pam_console_apply in our weird pam_console_setowner)
- use requires instead of prereq for pam-doc

* Tue Jan 10 2006 Thierry Vignaud <tvignaud@mandriva.com> 0.77-34mdk
- patch 520: set perms for DVB devices (#14688)

* Fri Jan 06 2006 Oden Eriksson <oeriksson@mandriva.com> 0.77-33mdk
- drop selinux (P60)
- removed two hunks from P40 (required the selinux patch applied)
- dropped P62 (required the selinux patch applied)
- rebuilt against a non selinux enabled pwdb lib (thanks stefan)

* Wed Oct 05 2005 Gwenole Beauchesne <gbeauchesne@mandriva.com> 0.77-32mdk
- fix build on ppc64

* Tue Sep 20 2005 Frederic Lepied <flepied@mandriva.com> 0.77-31mdk
- fix uninitialized variable user (aka fix crash on C3)

* Sun Jul 31 2005 Couriousous <couriousous@mandriva.org> 0.77-30mdk
- Don't apply 64bit patch ( fix #16961 )

* Wed Jun 22 2005 Frederic Lepied <flepied@mandriva.com> 0.77-29mdk
- fixed dependencies

* Mon May 16 2005 Thierry Vignaud <tvignaud@mandrakesoft.com> 0.77-28mdk 
- patch 516: add support for RT/nice rlimit settings (kernel-2.6.12+)
- patch 517: enable new RT privileges for audio group in limits.conf
- patch 518: fix build with gcc-4.0

* Thu Apr 07 2005 Frederic Crozat <fcrozat@mandrakesoft.com> 0.77-27mdk 
- Update Patch500 to add /dev/zip* and /dev/jaz* as zip/jaz group for
  console privilege

* Thu Sep 30 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-26mdk
- give access to /dev/nvram in ro for console users
- handle /dev/dri* and /dev/nvidia the same way in startx and *dm modes.

* Tue Sep 21 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-25mdk
- pam_env: don't abort if /etc/environment isn't present (Oded Arbel)
- fix BuildRequires (Oded Arbel)
- create an empty /etc/environment
- add USB joystick devices to console.perms (bug #11190)

* Fri Sep 17 2004 Gwenole Beauchesne <gbeauchesne@mandrakesoft.com> 0.77-24mdk
- really build pam_console_apply_devfs against glib-1.2

* Sat Sep 11 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-23mdk
- fixed debug code in pam_console_apply_devfsd
- added a way to debug pam_console_setowner by setting PAM_DEBUG env variable
- don't apply patch63 to have console.lock at the usual place

* Fri Sep 10 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-22mdk
- implement pam_console_setowner for udev

* Thu Sep 09 2004 Frederic Crozat <fcrozat@mandrakesoft.com> 0.77-21mdk
- add sr* to cdrom group

* Wed Sep 08 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-20mdk
- fixed lookup when a group or a user doesn't exist (bug #11256)
- fixed the group of audio devices when nobody is connected

* Tue Aug 24 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-19mdk
- added /dev/rfcomm* /dev/ircomm* to serial group (Fred Crozat)

* Tue Aug 24 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-18mdk
- put back <serial> group in console.perms

* Tue Aug 24 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-17mdk
- manage dri files perm (bug #10876 )
- manage perm of /dev/raw1394 (bug #9240)
- console.perms more group friendly (bug #3033)
- merged with rh 0.77-54

* Wed Jul 28 2004 Frederic Crozat <fcrozat@mandrakesoft.com> 0.77-16mdk
- Update patch16 to give console permissions to rfcomm devices

* Tue Jul 06 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-15mdk
- fixed typo in provides for devel package

* Sat Jul 03 2004 Stew Benedict <sbenedict@mandrakesoft.com> 0.77-14mdk
- patch for lsb2 lsb-test-pam compliance (patch513)

* Mon Jun 14 2004 Per Øyvind Karlsen <peroyvind@linux-mandrake.com> 0.77-13mdk
- fix buildrequires
- fix provides
- cosmetics

* Tue Feb 24 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-12mdk
- console.perms: /proc/usb => /proc/bus/usb (Marcel Pol) [bug #8285]

* Thu Feb 19 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.77-11mdk
- added a trigger to be able to upgrade