2020-06-04  Dmitry V. Levin  <ldv@altlinux.org>

	maint: document release procedure.
	* maint/README-release: New file.

	maint: introduce gen-tag-message.
	* maint/gen-tag-message: New script for preparing tag message.

	maint: introduce make-dist.
	* maint/make-dist: New script for preparing release tarballs.

2020-06-03  Dmitry V. Levin  <ldv@altlinux.org>

	gitlog-to-changelog: update from gnulib.

2020-05-29  Josef Möllers  <jmoellers@suse.de>
	    Tomáš Mráz  <tmraz@redhat.com>
	    Dmitry V. Levin  <ldv@altlinux.org>

	pam_setquota: skip mountpoints equal to the user's $HOME.
	Matthias Gerstner found the following issue:

	<quote>
	So this pam_setquota module iterates over all mounted file systems using
	`setmntent()` and `getmntent()`.  It tries to find the longest match of
	a file system mounted on /home/$USER or above (except when the
	fs=/some/path parameter is passed to the pam module).

	The thing is that /home/$USER is owned by the unprivileged user.  And
	there exist tools like fusermount from libfuse which is by default
	installed setuid-root for everybody.  fusermount allows to mount a FUSE
	file system using an arbitrary "source device name" as the unprivileged
	user.

	Thus considering the following use case:

	1) there is only the root file system (/) or a file system is mounted on
	   /home, but not on /home/$USER.
	2) the attacker mounts a fake FUSE file system over its own home directory:

	  ```
	  user $ export _FUSE_COMMFD=0
	  user $ fusermount $HOME -ononempty,fsname=/dev/sda1
	  ```

	  This will result in a mount entry in /proc/mounts looking like this:

	  ```
	  /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
	  ```
	3) when the attacker now logs in with pam_setquota configured then
	   pam_setquota will identify /dev/sda1 and the file system where
	   to apply the user's quota on.

	As a result an unprivileged user has full control over onto which block
	device the quota is applied.
	</quote>

	If the user's $HOME is on a separate partition, setting a quota on the
	user's $HOME does not really make sense, so this patch skips mountpoints
	equal to the user's $HOME, preventing the above mentioned bug as
	a side-effect (or vice-versa).

	Reported-by: Matthias Gerstner <mgerstner@suse.de>
	Resolves: https://github.com/linux-pam/linux-pam/pull/230

2020-05-25  Dmitry V. Levin  <ldv@altlinux.org>

	pam_debug: do not invoke pam_get_user and do not set PAM_USER.
	pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
	pam_get_user returns an empty string as the user name.  When either of
	these functions returned an error value, it used to return that error
	value.  This hasn't been documented, and I couldn't find any rationale
	for this behaviour.

	* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
	pam_get_user and pam_set_item.

2020-05-24  Yi-Jyun Pan  <pan93412@gmail.com>

	Translated using Weblate (Chinese (Traditional))
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/

2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>

	modules: downgrade syslog level for errors related to pam_get_user.
	* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
	the syslog level for diagnostics of errors returned by
	pam_modutil_getpwnam for users returned by pam_get_user
	from LOG_ERR to LOG_NOTICE.
	* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
	* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
	* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
	* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
	* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
	pam_sm_close_session): Likewise.
	* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
	the syslog level for diagnostics of errors returned by
	pam_modutil_getpwnam for users returned by pam_get_user
	from LOG_WARNING to LOG_NOTICE.

	Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>

2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>

	modules: downgrade syslog level for pam_get_user errors.
	* modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
	the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
	* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
	* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
	* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
	* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
	* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
	* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
	* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
	* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
	* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
	* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
	* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
	pam_sm_acct_mgmt): Likewise.
	* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
	* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
	pam_sm_close_session): Likewise.
	* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
	Downgrade the syslog level for pam_get_user errors from LOG_WARNING
	to LOG_NOTICE.
	* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.

	Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>

2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: add a test for return values.
	* modules/pam_localuser/tst-pam_localuser-retval.c: New file.
	* modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.

	pam_localuser: refactor pam_sm_authenticate.
	* modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
	function.
	(pam_sm_authenticate): Use it.

2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: downgrade syslog level for errors related to user input.
	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
	the syslog level for errors related to pam_get_user from LOG_ERR to
	LOG_NOTICE.

	Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: re-format pam_sm_* function declarations.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: remove unused includes.
	Also, remove unused MODULE_NAME macro.

	* modules/pam_localuser/pam_localuser.c: Stop including unused header
	files.
	(MODULE_NAME): Remove.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: forward error values returned by pam_get_user.
	Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
	pam_get_user is guaranteed to return one of the following values:
	PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
	replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
	PAM_SERVICE_ERR.
	* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
	new return values.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
	Give the application a chance to handle PAM_INCOMPLETE.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
	PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
	PAM_CONV_AGAIN.
	* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
	it.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: open the passwd file after user name validation.
	Since user name is untrusted input, it should be validated earlier
	rather than later.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
	the passwd file after user name validation.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: use BUFSIZ as the line buffer size.
	As BUFSIZ is the buffer size used in stdio, it must be an efficient size
	for the line buffer.  Also, it's larger than LINE_MAX used as the line
	buffer size before this change, effectively raising the maximum user
	name length supported by this module.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
	LINE_MAX with BUFSIZ.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: handle long lines in passwd files properly.
	Before this change, a long line in the passwd file used to be treated as
	several lines which could potentially result to false match and,
	consequently, to incorrect PAM_SUCCESS return value.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
	long lines in passwd files properly.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: get rid of a temporary buffer.
	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
	copy the user name into a temporary buffer, use the user name itself in
	comparisons.

	pam_localuser: log unrecognized options.
	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
	unrecognized options.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
	When passwd file cannot be opened or the user name either cannot be
	obtained or is not valid, return PAM_SERVICE_ERR instead of
	PAM_SYSTEM_ERR.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
	PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: reject user names that are too long.
	Too long user names used to be truncated which could potentially result
	to false match and, consequently, to incorrect PAM_SUCCESS return value.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
	PAM_SERVICE_ERR if the user name is too long.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_localuser: reject user names containing a colon.
	"root:x" is not a local user name even if the passwd file contains
	a line starting with "root:x:".

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
	PAM_PERM_DENIED if the user name contains a colon.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	pam_mkhomedir: add a test for return values.
	* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
	* modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.

	pam_faildelay: add a test for return values.
	* modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
	* modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.

	pam_rootok: add a test for return values.
	* modules/pam_rootok/tst-pam_rootok-retval.c: New file.
	* modules/pam_rootok/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_rootok_retval_LDADD): New variables.

	pam_nologin: add a test for return values.
	* modules/pam_nologin/tst-pam_nologin-retval.c: New file.
	* modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables.

	pam_echo: add a test for return values.
	* modules/pam_echo/tst-pam_echo-retval.c: New file.
	* modules/pam_echo/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_echo_retval_LDADD): New variables.

	pam_warn: add a test for return values.
	* modules/pam_warn/tst-pam_warn-retval.c: New file.
	* modules/pam_warn/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_warn_retval_LDADD): New variables.

	pam_debug: add a test for return values.
	* modules/pam_debug/tst-pam_debug-retval.c: New file.
	* modules/pam_debug/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_debug_retval_LDADD): New variables.

	pam_permit: add a test for return values.
	* modules/pam_permit/tst-pam_permit-retval.c: New file.
	* modules/pam_permit/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_permit_retval_LDADD): New variables.

	pam_deny: add a test for return values.
	* modules/pam_deny/tst-pam_deny-retval.c: New file.
	* modules/pam_deny/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_deny_retval_LDADD): New variables.

2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>

	Introduce test_assert.h.
	Introduce a new internal header file for definitions of handy macros
	providing convenient assertion testing functionality.

	* libpam/include/test_assert.h: New file.
	* libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.

2020-05-21  Andreas Henriksson  <andreas+fedora@fatal.se>

	Translated using Weblate (Swedish)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/

2020-05-17  Dmitry V. Levin  <ldv@altlinux.org>

	doc: fix the description of stack jump effects.
	Every stack jump, besides the jump itself, has a side effect which is
	one of 'ignore', 'ok', or 'bad'.  Unfortunately, the side effect is far
	from obvious because it depends on the PAM function call, and the
	documentation that contradicts the implementation does not help either.

	* doc/man/pam.conf-syntax.xml (actionN): Rewrite the description
	of stack jump effects to match the implementation.

	Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56

2020-05-17  Weblate (bot)  <noreply@weblate.org>
	    Allan Nordhøy  <epost@anotheragency.no>
	    Dmitry V. Levin  <ldv@altlinux.org>

	Translations update from Weblate (#227)
	* Translated using Weblate (Norwegian Bokmål)
	
	Currently translated at 99.1% (121 of 122 strings)
	
	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nb_NO/
	
	* Translated using Weblate (Catalan)
	
	Currently translated at 98.3% (120 of 122 strings)
	
	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/

2020-05-16  Dmitry V. Levin  <ldv@altlinux.org>

	modules: do not check user name for emptyness before passing it to pam_modutil_getpwnam
	pam_modutil_getpwnam is perfectly capable of handling empty strings as
	user names, no need to double check that.

	* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
	the user name for emptyness before passing it to pam_modutil_getpwnam.
	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
	* modules/pam_shells/pam_shells.c (perform_check): Likewise.
	* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
	* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.

2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>

	pam_usertype: Document return values forwarded from pam_get_user.
	* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document
	PAM_BUF_ERR and PAM_CONV_ERR return values.

2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>

	pam_usertype: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
	Give the application a chance to handle PAM_INCOMPLETE.

	* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Return
	PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
	PAM_CONV_AGAIN.
	* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document it.

2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>

	pam_faillock: Document return values forwarded from pam_get_user.
	* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
	PAM_BUF_ERR and PAM_CONV_ERR return values.

2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>

	pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
	Give the application a chance to handle PAM_INCOMPLETE.

	* modules/pam_faillock/pam_faillock.c (get_pam_user): Return
	PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
	PAM_CONV_AGAIN.
	* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.

2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>

	pam_securetty: forward error values returned by pam_get_user.
	Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
	pam_get_user is guaranteed to return one of the following values:
	PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.

	* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
	replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
	PAM_SERVICE_ERR.
	* modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
	new return values.

2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>

	modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS
	If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
	to be a valid C string, no need to double check that.

	* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
	for NULL the user name returned by pam_get_user when the latter returned
	PAM_SUCCESS.
	* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
	* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
	* modules/pam_filter/pam_filter.c (process_args): Likewise.
	* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
	* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
	* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
	* modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
	* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
	* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
	* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
	* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
	* modules/pam_shells/pam_shells.c (perform_check): Likewise.
	* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
	* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
	* modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
	* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
	* modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
	* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
	Likewise.

2020-05-14  Dmitry V. Levin  <ldv@altlinux.org>

	pam_umask: Document return values forwarded from pam_get_user.
	* modules/pam_umask/pam_umask.8.xml (RETURN VALUES): Document
	PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.

	pam_exec: Document return values forwarded from pam_get_user.
	* modules/pam_exec/pam_exec.8.xml (RETURN VALUES): Document
	PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.

2020-05-13  Dmitry V. Levin  <ldv@altlinux.org>

	Deprecate pam_cracklib, pam_tally, and pam_tally2.
	Deprecate pam_cracklib, there are two better alternatives to this
	obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
	from libpwquality project.

	Deprecate pam_tally and pam_tally2 in favour of pam_faillock.

	* configure.ac: Implement --enable-cracklib=check that enables build
	of pam_cracklib when libcrack is available.
	Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
	* NEWS: Mention this change.
	* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add
	--enable-tally, --enable-tally2, and --enable-cracklib=check
	to check build of these deprecated modules.

2020-05-13  Dmitry V. Levin  <ldv@altlinux.org>

	NEWS: update.

2020-05-12  Thorsten Kukuk  <5908016+thkukuk@users.noreply.github.com>

	Use correct path for pam_namespace.service file (#223)

2020-05-09  Dmitry V. Levin  <ldv@altlinux.org>

	pam_setquota: fix return value when the user is unknown.
	Following the bad example in pam_mkhomedir module, from the very
	beginning pam_setquota module used to return PAM_CRED_INSUFFICIENT
	when pam_modutil_getpwnam() returned an error.  Fix this now
	by changing the return value to PAM_USER_UNKNOWN.

	* modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Return
	PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
	* modules/pam_setquota/pam_setquota.8.xml (PAM_CRED_INSUFFICIENT):
	Replace with PAM_USER_UNKNOWN.

2020-05-09  Dmitry V. Levin  <ldv@altlinux.org>

	pam_mkhomedir: fix return value when the user is unknown.
	From the very beginning pam_mkhomedir module used to return
	PAM_CRED_INSUFFICIENT when getpwnam() or pam_modutil_getpwnam()
	returned an error.  Fix this now by changing the return value
	to PAM_USER_UNKNOWN.

	* modules/pam_mkhomedir/mkhomedir_helper.c (main): Return
	PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
	* modules/pam_mkhomedir/pam_mkhomedir.c (pam_sm_open_session): Likewise.
	* modules/pam_mkhomedir/pam_mkhomedir.8.xml (PAM_CRED_INSUFFICIENT):
	Remove.

2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>

	pam_get_user: do not override valid values returned by the conversation function
	When the conversation function returned a value different from
	PAM_CONV_AGAIN and provided no response, pam_get_user used to replace
	the return value with PAM_CONV_ERR.  Fix this and replace the return
	value only if it was PAM_SUCCESS.

	* libpam/pam_item.c (pam_get_user): Do not override valid values
	returned by the conversation function.

2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>

	pam_get_user: filter conversation function return values.
	Do not assume that the conversation function provided by the application
	strictly follows the return values guidelines, replace undocumented
	return values with PAM_CONV_ERR.

	* libpam/pam_item.c (pam_get_user): If the value returned by the
	conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR,
	PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.

2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>

	man: document other valid pam_get_user return values.
	* doc/man/pam_get_user.3.xml (pam_get_user-return_values): Add
	PAM_BUF_ERR, PAM_ABORT, and PAM_CONV_AGAIN.

2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>

	pam_get_user: consistently return PAM_SYSTEM_ERR if user specified a NULL pointer
	pam_get_user returns PAM_SYSTEM_ERR in case of pamh == NULL.
	In case of user == NULL, however, it used to return PAM_PERM_DENIED,
	and in case of NULL conversation function it used to return
	PAM_SERVICE_ERR.

	According to the documentation, PAM_SYSTEM_ERR shall be returned
	if a NULL pointer was submitted.

	Fix this inconsistency and return PAM_SYSTEM_ERR in each of these
	programming error cases.

	* libpam/pam_item.c (pam_get_user): Return PAM_SYSTEM_ERR instead of
	PAM_PERM_DENIED if user == NULL.  Return PAM_SYSTEM_ERR instead of
	PAM_SERVICE_ERR if pamh->pam_conversation == NULL.

2020-05-06  Weblate (bot)  <noreply@weblate.org>

	Translations update from Weblate.
	* Translated using Weblate (Spanish)
	
	Currently translated at 81.9% (100 of 122 strings)
	
	* Translated using Weblate (Portuguese)
	
	Currently translated at 100.0% (122 of 122 strings)

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	doc: remove references to PAM_SM_* macros.
	Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
	Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
	from Linux-PAM), PAM_SM_* macros have no effect.

	modules: remove PAM_SM_* macros.
	Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
	Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
	from Linux-PAM), PAM_SM_* macros have no effect.

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	pam_usertype: do not override the default prompt.
	Following the bad example in pam_succeed_if module, from the very
	beginning pam_usertype used to override the default prompt used by
	pam_get_user() with "login: ".  Fix this now.

	* modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Do not
	request PAM_USER_PROMPT item, invoke pam_get_user() with the default
	prompt.

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	pam_succeed_if: do not override the default prompt.
	From the very beginning pam_succeed_if used to override the default
	prompt used by pam_get_user() with "login: ".  Fix this now.

	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Do not
	request PAM_USER_PROMPT item, invoke pam_get_user() with the default
	prompt.

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS.
	... and remove $(TESTS) from EXTRA_DIST.

	The change is performed automatically using the following script:
	  sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
	         -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: rename man_MANS to dist_man_MANS.
	... and remove $(MANS) from EXTRA_DIST.

	The change is performed automatically using the following script:
	  sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	pam_namespace: cleanup pam_namespace.service installation.
	* modules/pam_namespace/Makefile.am (service_DATA): New variable.
	(install-data-local): Remove all commands related to servicedir.
	(uninstall-local): Remove.

	Fixes: 59812d1cf ("pam_namespace: secure tmp-inst directories")

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: add dist_ prefix to *_DATA.
	... and remove $(DATA) from EXTRA_DIST.

	The change is performed automatically using the following script:
	  sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	modules/pam_timestamp/Makefile.am: rename noinst_PROGRAMS to check_PROGRAMS
	... and remove nodist_TESTS.

	* modules/pam_timestamp/Makefile.am (nodist_TESTS): Remove.
	(TESTS): Replace $(nodist_TESTS) with $(check_PROGRAMS).
	(noinst_PROGRAMS): Rename to check_PROGRAMS.

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	modules/pam_timestamp/Makefile.am: rename dist_TESTS to dist_check_SCRIPTS
	... and remove it from EXTRA_DIST

	* modules/pam_timestamp/Makefile.am (EXTRA_DIST): Remove $(dist_TESTS).
	(dist_TESTS): Rename to dist_check_SCRIPTS.
	(TESTS): Replace $(dist_TESTS) with $(dist_check_SCRIPTS).

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	modules/pam_namespace/Makefile.am: add dist_ prefix to secureconf_SCRIPTS
	... and remove $(SCRIPTS) from EXTRA_DIST.

	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Remove $(SCRIPTS).
	(secureconf_SCRIPTS): Rename to dist_secureconf_SCRIPTS.

2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>

	Translated using Weblate (Russian)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/

2020-05-03  Yuri Chornoivan  <yurchor@ukr.net>

	Translated using Weblate (Ukrainian)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/

2020-05-03  Oğuz Ersen  <oguzersen@protonmail.com>

	Translated using Weblate (Turkish)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/

2020-05-03  Julien Humbert  <julroy67@gmail.com>

	Translated using Weblate (French)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/

2020-05-03  scootergrisen  <scootergrisen@gmail.com>

	Translated using Weblate (Danish)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/

2020-05-03  Piotr Drąg  <piotrdrag@gmail.com>

	Translated using Weblate (Polish)
	Currently translated at 100.0% (122 of 122 strings)

	Translation: linux-pam/master
	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/

2020-04-30  Tomas Mraz  <tmraz@fedoraproject.org>

	Update .po and .pot files after adding pam_faillock.

	pam_faillock: Correct the grammar of translated strings.
	Also make the message the same as in pam_tally2.

	pam_faillock: Add conf option to use a different config file.

	pam_faillock: New module for locking after multiple auth failures.

2020-04-29  Weblate (bot)  <noreply@weblate.org>
	    Alesker Abdullayev - FEDORA Azerbaijan  <tech@abdullaeff.com>
	    Allan Nordhøy  <epost@anotheragency.no>

	Translations update from Weblate (#215)
	Updated translation using Weblate
	
	* Translated using Weblate (Azerbaijani)
	
	Currently translated at 15.8% (19 of 120 strings)
	
	* Translated using Weblate (Norwegian Bokmål)
	
	Currently translated at 100.0% (120 of 120 strings)

2020-04-28  Dmitry V. Levin  <ldv@altlinux.org>

	build: rework vendordir substitution.
	Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used,
	remove stereotypic definitions from other Makefiles, this way we no
	longer have to worry about vendordir being used somewhere else in
	documentation files.

	Likewise, define VENDORDIR in config.h and remove stereotypic
	-DVENDORDIR= additions from other Makefiles, this way we no longer
	have to worry about VENDORDIR being used somewhere else in the code.

	* configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR.
	(AC_DEFINE_UNQUOTED): Add VENDORDIR.
	(AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
	* Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with
	@STRINGPARAM_VENDORDIR@.
	* doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
	* libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
	* modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove.
	(XSLTPROC_CUSTOM): Remove.
	* modules/pam_securetty/pam_securetty.c: Move definitions of local
	macros after config.h to benefit from macros defined there.

2020-04-28  Dmitry V. Levin  <ldv@altlinux.org>

	Make.xml.rules: prepare for configure substitutions.
	* Make.xml.rules: Rename to ...
	* Make.xml.rules.in: ... new file.
	* Makefile.am (EXTRA_DIST): Remove Make.xml.rules.
	* configure.ac (AC_CONFIG_FILES): Add Make.xml.rules.

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	pam_namespace: replace namespace.init with $(SCRIPTS) in EXTRA_DIST.
	As namespace.init is listed in secureconf_SCRIPTS which is part of
	generated SCRIPTS variable.

	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.init
	with $(SCRIPTS).

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	pam_env: remove environment from EXTRA_DIST.
	* modules/pam_env/Makefile.am (EXTRA_DIST): Remove environment as it is
	listed in sysconf_DATA which is part of DATA which is already listed in
	EXTRA_DIST.

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: remove $(secureconf_DATA) from EXTRA_DIST.
	Since the whole $(DATA) is listed in EXTRA_DIST, $(secureconf_DATA)
	can be safely de-listed.

	* modules/pam_access/Makefile.am (EXTRA_DIST): Remove
	$(secureconf_DATA).
	* modules/pam_env/Makefile.am: Likewise.
	* modules/pam_group/Makefile.am: Likewise.
	* modules/pam_limits/Makefile.am: Likewise.
	* modules/pam_namespace/Makefile.am: Likewise.
	* modules/pam_sepermit/Makefile.am: Likewise.
	* modules/pam_time/Makefile.am: Likewise.

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST.
	Since the GNU Automake distributes README files by default, the only
	reason why README had to be listed in EXTRA_DIST was to make these
	README files generated.

	Since README is also listed in noinst_DATA, we can safely replace
	README in EXTRA_DIST with $(DATA), this also opens the way for
	further EXTRA_DIST cleanup.

	* modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: reorder lines to promote uniformity.
	This is essentially a no-op change that makes modules/*/Makefile.am
	files less divergent.

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules
	As the rule is now the same in every modules/*/Makefile.am file,
	move it to Make.xml.rules.

	* Make.xml.rules (README): New prerequisites rule.
	* modules/pam_access/Makefile.am (README): Remove rule.
	* modules/pam_cracklib/Makefile.am (README): Likewise.
	* modules/pam_debug/Makefile.am (README): Likewise.
	* modules/pam_deny/Makefile.am (README): Likewise.
	* modules/pam_echo/Makefile.am (README): Likewise.
	* modules/pam_env/Makefile.am (README): Likewise.
	* modules/pam_exec/Makefile.am (README): Likewise.
	* modules/pam_faildelay/Makefile.am (README): Likewise.
	* modules/pam_filter/Makefile.am (README): Likewise.
	* modules/pam_ftp/Makefile.am (README): Likewise.
	* modules/pam_group/Makefile.am (README): Likewise.
	* modules/pam_issue/Makefile.am (README): Likewise.
	* modules/pam_keyinit/Makefile.am (README): Likewise.
	* modules/pam_lastlog/Makefile.am (README): Likewise.
	* modules/pam_limits/Makefile.am (README): Likewise.
	* modules/pam_listfile/Makefile.am (README): Likewise.
	* modules/pam_localuser/Makefile.am (README): Likewise.
	* modules/pam_loginuid/Makefile.am (README): Likewise.
	* modules/pam_mail/Makefile.am (README): Likewise.
	* modules/pam_mkhomedir/Makefile.am (README): Likewise.
	* modules/pam_motd/Makefile.am (README): Likewise.
	* modules/pam_namespace/Makefile.am (README): Likewise.
	* modules/pam_nologin/Makefile.am (README): Likewise.
	* modules/pam_permit/Makefile.am (README): Likewise.
	* modules/pam_pwhistory/Makefile.am (README): Likewise.
	* modules/pam_rhosts/Makefile.am (README): Likewise.
	* modules/pam_rootok/Makefile.am (README): Likewise.
	* modules/pam_securetty/Makefile.am (README): Likewise.
	* modules/pam_selinux/Makefile.am (README): Likewise.
	* modules/pam_sepermit/Makefile.am (README): Likewise.
	* modules/pam_setquota/Makefile.am (README): Likewise.
	* modules/pam_shells/Makefile.am (README): Likewise.
	* modules/pam_succeed_if/Makefile.am (README): Likewise.
	* modules/pam_tally/Makefile.am (README): Likewise.
	* modules/pam_tally2/Makefile.am (README): Likewise.
	* modules/pam_time/Makefile.am (README): Likewise.
	* modules/pam_timestamp/Makefile.am (README): Likewise.
	* modules/pam_tty_audit/Makefile.am (README): Likewise.
	* modules/pam_umask/Makefile.am (README): Likewise.
	* modules/pam_unix/Makefile.am (README): Likewise.
	* modules/pam_userdb/Makefile.am (README): Likewise.
	* modules/pam_usertype/Makefile.am (README): Likewise.
	* modules/pam_warn/Makefile.am (README): Likewise.
	* modules/pam_wheel/Makefile.am (README): Likewise.
	* modules/pam_xauth/Makefile.am (README): Likewise.

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: list prerequisites of README target uniformly.
	There is no need to list prerequisites of README targets manually as
	all README targets depend on $(XMLS).

	The change is performed automatically using the following script:
	  sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am

	* modules/pam_access/Makefile.am (README): Replace pam_access.8.xml
	and access.conf.5.xml with $(XMLS).
	* modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml
	with $(XMLS).
	* modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml
	with $(XMLS).
	* modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml
	with $(XMLS).
	* modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml
	with $(XMLS).
	* modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and
	pam_env.conf.5.xml with $(XMLS).
	* modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml
	with $(XMLS).
	* modules/pam_faildelay/Makefile.am (README): Replace
	pam_faildelay.8.xml with $(XMLS).
	* modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml
	with $(XMLS).
	* modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with
	$(XMLS).
	* modules/pam_group/Makefile.am (README): Replace pam_group.8.xml
	and group.conf.5.xml with $(XMLS).
	* modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml
	with $(XMLS).
	* modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml
	with $(XMLS).
	* modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml
	with $(XMLS).
	* modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml
	and limits.conf.5.xml with $(XMLS).
	* modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml
	with $(XMLS).
	* modules/pam_localuser/Makefile.am (README): Replace
	pam_localuser.8.xml with $(XMLS).
	* modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml
	with $(XMLS).
	* modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml
	with $(XMLS).
	* modules/pam_mkhomedir/Makefile.am (README): Replace
	pam_mkhomedir.8.xml with $(XMLS).
	* modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml
	with $(XMLS).
	* modules/pam_namespace/Makefile.am (README): Replace
	pam_namespace.8.xml, namespace.conf.5.xml,
	and pam_namespace_helper.8.xml with $(XMLS).
	* modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml
	with $(XMLS).
	* modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml
	with $(XMLS).
	* modules/pam_pwhistory/Makefile.am (README): Replace
	pam_pwhistory.8.xml with $(XMLS).
	* modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml
	with $(XMLS).
	* modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml
	with $(XMLS).
	* modules/pam_securetty/Makefile.am (README): Replace
	pam_securetty.8.xml with $(XMLS).
	* modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml
	with $(XMLS).
	* modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml
	with $(XMLS).
	* modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml
	with $(XMLS).
	* modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml
	with $(XMLS).
	* modules/pam_succeed_if/Makefile.am (README): Replace
	pam_succeed_if.8.xml with $(XMLS).
	* modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml
	with $(XMLS).
	* modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml
	with $(XMLS).
	* modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and
	time.conf.5.xml with $(XMLS).
	* modules/pam_timestamp/Makefile.am (README): Replace
	pam_timestamp.8.xml with $(XMLS).
	* modules/pam_tty_audit/Makefile.am (README): Replace
	pam_tty_audit.8.xml with $(XMLS).
	* modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml
	with $(XMLS).
	* modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml
	with $(XMLS).
	* modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml
	with $(XMLS).
	* modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml
	with $(XMLS).
	* modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml
	with $(XMLS).
	* modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml
	with $(XMLS).
	* modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml
	with $(XMLS).

2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>

	modules/*/Makefile.am: list secureconf_DATA files in EXTRA_DIST uniformly
	The change was prepared using the following script:
	  git grep -l secureconf_DATA modules/*/Makefile.am |while read m; do
	    t="$(sed '/^secureconf_DATA = /!d;s///;q' -- "$m")"
	    sed -i "/^EXTRA_DIST =/ s/\\<$t\\>/\$(secureconf_DATA)/" -- "$m"
	  done

	* modules/pam_access/Makefile.am (EXTRA_DIST): Replace access.conf with
	$(secureconf_DATA).
	* modules/pam_env/Makefile.am (EXTRA_DIST): Replace pam_env.conf with
	$(secureconf_DATA).
	* modules/pam_group/Makefile.am (EXTRA_DIST): Replace group.conf with
	$(secureconf_DATA).
