ChangeLog

2024-12-22  Björn Esser  <besser82 at fedoraproject.org>

	tcb_(un)convert: Check for UID and EUID to be 0 before proceeding.
	Ensuring the program is run with root privileges on startup is the
	safer approach instead on relying that mode 0700 may prevent the
	tool being run by a regular system user.
	* progs/tcb_convert.c (main): Check for UID and EUID to be 0 before
	proceeding.
	* progs/tcb_unconvert.c (main): Likewise.

2024-12-20  Björn Esser  <besser82 at fedoraproject.org>

	libnss_tcb: Disallow potentially-malicious user names in getspnam(3).
	IEEE Std 1003.1-2001 allows only the following characters to appear
	in group- and usernames: letters, digits, underscores, periods,
	<at>-signs (@), and dashes.  The name may not start with a dash or
	an "@" sign.  The "$" sign is allowed at the end of usernames to
	allow typical Samba machine accounts.
	* libs/nss.c (_nss_tcb_getspnam_r): Check for potentially-malicious
	user names, and bail out in case.

2024-12-18  Björn Esser  <besser82 at fedoraproject.org>

	libnss_tcb: Initialize or rewind dirstream from inside setspent(3).
	On first call to setspent(3) initialize the directory stream properly;
	on subsequent calls use rewinddir(3) to reset the position of the
	directory stream to the beginning of the directory, and also update
	the existing directory stream to refer to the current state of the
	underlying directory it operates on.  As all internal functions are
	operating on thread-local storage now, this operation will be safe,
	since it will emit no effects outside of the thread calling the
	setspent(3) function itself.
	* libs/nss.c (_nss_tcb_setspent): Initialize or rewind dirstream.
	(_nss_tcb_getspent_r): Move initialization of the dirstream to
	_nss_tcb_setspent.

	libtcb: Add versioning to exported symbols.
	This change is implemented for adding some interfaces to libtcb to
	give it a more consumer friendly API and thus makes porting existing
	applications to be TCB aware easier.
	* libs/libtcb.map: Declare version for exported symbols.

	Add an option to omit the PAM module during build and install.
	This may be needed in distribution packages when preparing a
	bootstrap environment for new architectures.
	* Make.defs: Add OMIT_PAM_MODULE flag.
	* Makefile: Do not build/install the pam module if the
	OMIT_PAM_MODULE flag is set.

	* pam_tcb/Makefile: Move PAM_SO_SUFFIX to Make.defs.
	* Make.defs: Likewise.

2024-12-12  Björn Esser  <besser82 at fedoraproject.org>

	libtcb: Use thread-local storage for tcb_drop_priv and tcb_gain_priv.
	tcb_drop_priv and tcb_gain_priv now use per-thread storage areas
	for their operations, allocated upon the first call in each thread
	that uses them.  This makes it safe to call these functions from
	multiple threads simultaneously.
	The introduction of this feature is a safety net against sloppy
	coding.  Programs are still strongly encouraged to use the reentrant
	functions tcb_drop_priv_r and tcb_gain_priv_r instead.
	* libs/libtcb.c (get_thread_local_privs): New function, a thin
	wrapper to return the pointer to the thread-local storage area of
	the former file-global struct tcb_privs glob_privs.
	(tcb_drop_priv): Use the pointer to the thread-local struct tcb_privs
	provided by get_thread_local_privs().
	(tcb_gain_priv): Likewise.

	Makefile: Pass CFLAGS to the compiler when invoking the linker.
	Some CFLAGS imply effects on the linker too (e.g., -fsanitize=),
	so they must get passed within the linker rule as well.
	* libs/Makefile: Pass CFLAGS to the compiler when linking.
	* pam_tcb/Makefile: Likewise.
	* progs/Makefile: Likewise.
	* LICENSE: Update copyright for this contribution.

	libnss_tcb: Drop use of readdir_r(3).
	In commit 72ef702a886c8a9749bdc01d89a57cdf0455318c we introduced a
	replacment for the deprecated readdir_r(3) by using readdir(3) with
	global thread-local storage.  As almost any operating system released
	within the last eight years supports thread-local storage natively,
	there is little to no reason keeping the potentially dangerous
	fallback to readdir_r(3).
	* libs/nss.c (_nss_tcb_getspnam_r): Drop use of readdir_r(3).

2024-10-17  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: Do not use deprecated _pam_overwrite macro.
	* pam_tcb/support.h (pam_tcb_overwrite_string): New macro.
	(_pam_delete): Replace _pam_overwrite with pam_tcb_overwrite_string.
	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.

	pam_tcb: Use _pam_delete in the compat implementation of pam_prompt.
	* pam_tcb/compat.c (pam_prompt): Use _pam_delete instead of
	_pam_overwrite followed by _pam_drop.

2023-01-21  Dmitry V. Levin  <ldv at owl.openwall.com>

	Use setgroups syscall instead of the libc function.
	* libs/libtcb.c (sys_setgroups): New function, a thin wrapper around
	setgroups syscall.
	(tcb_drop_priv_r, tcb_gain_priv_r): Use it instead of setgroups.

2023-01-20  Dmitry V. Levin  <ldv at owl.openwall.com>

	Make -DENABLE_SETFSUGID the default and only implementation.
	* libs/libtcb.c [!ENABLE_SETFSUGID]: Remove.
	* tcb.spec: Remove -DENABLE_SETFSUGID.
	* ci/run-build-and-tests.sh: Likewise.

2021-09-30  Björn Esser  <besser82 at fedoraproject.org>

	pam_tcb: Fix "-Wpedantic".
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): ISO C forbids
	omitting the middle term of a '?:' expression.
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session): Likewise.
	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
	* pam_tcb/pam_unix_passwd.c (unix_prelim): Likewise.
	* pam_tcb/support.c (_set_ctrl): Likewise.
	* pam_tcb/support.h (pam_tcb_getlogin): New function.
	Small static inline wrapper around getlogin(3).

	* Make.defs: Add "-Wextra" to default CFLAGS.  Add an option to
	enable "-Werror" also.

	* ci/run-build-and-tests.sh: Build with "-Werror" enabled on CI.

	misc: Add preset file for systemd-sysusers.
	Such preset files are used with distributions that rely
	on systemd-sysusers to ensure all required system users
	and system groups are present on system boot.
	* Make.defs: Add preset for SYSUSERSDIR.
	* Makefile: Add (optional) top-level "install-sysusers" and
	"install-sysusers-auth" targets.
	* misc/Makefile: Likewise, with also adding build and clean
	targets.
	"install-sysusers-auth" targets.
	* misc/tcb.sysusers.in: New file.
	* misc/tcb-auth.sysusers: New file.
	* .gitignore: Add build output from "misc" directory.

	misc: Add pkgconfig file.
	pkgconfig files provide a useful mechanism for storing various
	information about libraries and packages on a given system.
	Information stored by .pc files include compiler and linker flags
	necessary to use a given library, as well as any other relevant
	metadata.
	* Make.defs: Add new presets for PREFIX, INCLUDEDIR, and
	PKGCONFIGDIR.  Also adapt the existing presets slightly.
	* misc/Makefile: Build and install the pkgconfig file.
	Also use INCLUDEDIR instead of hardcoding its path, and
	adapt the clean target.
	* misc/tcb.pc.in: New file.
	* tcb.spec: Add pkgconfig file.
	* .gitignore: Add ignore rule for tcb.pc.

	* Make.defs: Change MANDIR to "/usr/share/man".

2021-09-25  Björn Esser  <besser82 at fedoraproject.org>

	* pam_tcb/support.c (_set_ctrl): Request automatic prefix only if
	libcrypt really implements it.
	In some specific, but unusual, build-time configurations of libxcrypt
	the CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature-test macro is
	defined to 0, which means libxcrypt does not provide a best-choice
	default prefix.

	libnss_tcb: Apply proper soname during linking.
	* libs/Makefile: Apply proper soname to libnss_tcb.so.2.

	libnss_tcb: Drop unneeded LIBNSL from linked libraries.
	* libs/Makefile: Stop linking libnss_tcb.so.2 against LIBNSL.

	make: Allow install and mkdir programs to be user configurable.
	Also pass an explicit dirmode to MKDIR.
	* Make.defs: Allow for configurable install and mkdir programs.
	* libs/Makefile: Likewise.
	* misc/Makefile: Likewise.
	* pam_tcb/Makefile: Likewise.
	* progs/Makefile: Likewise.

	libnss_tcb: Use readdir(3) with glibc >= 2.24.
	* libs/nss.c (_nss_tcb_getspnam_r): glibc, since version 2.24,
	has deprecated readdir_r(3).  It is recommended that applications
	use readdir(3) instead of readdir_r(3).  Also use thread local
	storage for the underlying directory stream in this case.
	* LICENSE: Update copyright for this contribution.

	pam_tcb: Allow setting a custom PAM_SO_SUFFIX during build.
	At least FreeBSD and NetBSD are using OpenPAM, which needs
	the ability to specify a PAM_SO_SUFFIX to externally built
	modules.
	* pam_tcb/Makefile: Honor PAM_SO_SUFFIX variable.

	pam_tcb: Apply proper soname during linking if PAM_SO_SUFFIX
	is set.
	* pam_tcb/Makefile: Apply proper soname with PAM_SO_SUFFIX
	not being empty. Adapt clean target also.

	* .gitignore: Adapt ignore rule for pam_tcb.so with
	PAM_SO_SUFFIX set.

2021-09-25  Dmitry V. Levin  <ldv at owl.openwall.com>

	Add github CI.
	This enables a whitespace check and a bunch of build checks using
	several versions of gcc and clang.
	* .gitattributes: New file.
	* .github/workflows/ci.yml: Likewise.
	* ci/install-dependencies.sh: Likewise.
	* ci/run-build-and-tests.sh: Likewise.
	* LICENSE: Mention the license of CI scripts.

	* .gitignore: New file.

	* pam_tcb/pam_tcb.8: Remove trailing whitespace.
	* pam_tcb/support.c: Likewise.

2021-01-20  Solar Designer  <solar at owl.openwall.com>

	* README: Mention libxcrypt, use https URLs.

2021-01-11  Solar Designer  <solar at owl.openwall.com>

	* tcb.spec: 1.2.
	* LICENSE: Update copyright years for Dmitry's recent contributions.

2020-07-16  Dmitry V. Levin  <ldv at owl.openwall.com>

	tcb_chkpwd: remove the last remaining piece of NIS+ support.
	* progs/tcb_chkpwd.c (unix_verify_password): Remove special handling
	of NIS+ password entries.

	tcb_unconvert: print error diagnostics if the final chown fails.
	* progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely
	case of an error returned by the final chown invocation.  This does
	not affect the exit status of tcb_unconvert, though, since the final
	chown does not affect the result of conversion.

2020-07-15  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: fix harmless -Wmissing-field-initializers compilation warning.
	* pam_tcb/support.c (fake_pw): Explicitly initialize remaining members
	of struct passwd with zero.

	pam_tcb: fix harmless -Wpointer-sign compilation warnings.
	* pam_tcb/support.h (struct pam_unix_params): Change the type of
	"crypt_prefix" and "helper" fields from "const unsigned char *"
	to "const char *".

2018-07-07  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier
	to OpenBSD.
	This does not affect builds with libxcrypt >= 4.1.0 that provides
	CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature test macro.
	* pam_tcb/support.c (_set_ctrl)
	[!CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: Replace "$2y$"
	with "$2b$".
	* pam_tcb/pam_tcb.8 (prefix): Likewise.

2018-06-26  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: request automatic prefix if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer
	as the "prefix" argument to crypt_gensalt_ra function will cause it
	to select the best available hash function.
	Starting with version 4.1.0, libxcrypt provides
	CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to test the availability
	of this feature at build time.
	* pam_tcb/support.c (_set_ctrl)
	[CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: When
	pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb
	default value.
	* pam_tcb/pam_tcb.8: Document this.

	pam_tcb: request automatic entropy if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer
	as the "rbytes" argument to crypt_gensalt_ra function will cause it
	to acquire random bytes from the operating system.
	Starting with version 4.1.0, libxcrypt provides
	CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY macro to test the availability
	of this feature at build time.
	* pam_tcb/support.c (do_crypt)
	[CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY]: Invoke crypt_gensalt_ra
	with null "rbytes" and zero "nrbytes" arguments.

2018-06-19  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: sync password expiration messages with Linux-PAM-1.4.0.
	* pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros.
	(MESSAGE_PASS_EXPIRED, MESSAGE_PASS_SAME, MESSAGE_PASS_NONE):
	Update messages.
	(MESSAGE_WARN_EXPIRE): Add count argument, update messages.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace
	MESSAGE_PASS_EXPIRED with MESSAGE_PASS_ENFORCED, update use of
	MESSAGE_WARN_EXPIRE.

2018-05-31  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: use pam_get_authtok(3) instead of _unix_read_password.
	This follows the change in pam_unix implemented in Linux-PAM
	commit Linux-PAM-1.3.0~5.
	pam_get_authtok(3) is available in OpenPAM since 2002-04-08
	and in Linux-PAM since 2008-12-03.
	As pam_get_authtok(3) does not support not_set_pass option,
	the support for this not much useful option is dropped.
	Instead pam_tcb gets a proper support for authtok_type= option.
	* pam_tcb/pam_tcb.8 (not_set_pass): Remove.
	(authtok_type): New option.
	* pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro.
	(pam_sm_authenticate): Use pam_get_authtok instead of
	_unix_read_password.
	* pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK):
	Remove unused macros.
	(do_setpass): Remove "fromwhat" argument.
	(unix_prelim): Use pam_get_authtok instead of _unix_read_password.
	(pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support.
	* pam_tcb/support.c (data_cleanup, _unix_read_password): Remove
	unused functions.
	(unix_bools): Replace "not_set_pass" with "use_first_pass" and
	"try_first_pass".
	(parse_opt): Remove manual handling of "use_first_pass" and
	"try_first_pass".
	(_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in
	the_cmdline_opts.  Remove manual handling of "authtok_usage=".
	* pam_tcb/support.h (UNIX_USE_FIRST_PASS, UNIX_TRY_FIRST_PASS,
	UNIX_AUTHTOK_TYPE): New enum constants.
	(PROMPT_PASS, PROMPT_OLDPASS, PROMPT_NEWPASS1, PROMPT_NEWPASS2,
	MESSAGE_MISTYPED): Remove unused macros.
	(UNIX_NOT_SET_PASS, USE_NONE, USE_TRY, USE_FORCED): Remove unused
	enum constants.
	(struct pam_unix_params): Remove unused authtok_usage field.
	(_unix_read_password): Remove unused prototype.

2018-05-22  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: drop obsolete NIS/NIS+ support.
	The GNU C library, starting with version 2.26, deprecated libnsl.
	As result, pam_tcb no longer builds with modern versions of glibc
	configured without --enable-obsolete-nsl option.
	While glibc recommends to use replacement implementations based on
	TIRPC, it's time to get rid of obsolete NIS/NIS+ support altogether.
	* pam_tcb/yppasswd.h: Remove.
	* pam_tcb/yppasswd_xdr.c: Likewise.
	* pam_tcb/Makefile: Do not link with -lnsl.
	(LIBSRC): Remove yppasswd_xdr.c.
	* pam_tcb/pam_tcb.8: Remove references to NIS+.
	* pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support.
	* pam_tcb/support.c: Likewise.
	* pam_tcb/support.h: Likewise.
	* progs/tcb_convert.8: Remove references to nis and nisplus.

2012-05-24  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: Implement i18n support.
	Linux-PAM starting with release 0.81 implements i18n support using
	gettext.  This change extends i18n support to pam_tcb.
	The i18n support is not enabled by default, define both ENABLE_NLS and
	NLS_PACKAGE macros to enable it.  When NLS_PACKAGE macro is defined to
	"Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM.
	* pam_tcb/support.h: Mark all messages for translation.  Pass through
	dgettext all messages marked for translation when both ENABLE_NLS and
	NLS_PACKAGE macros are defined.

2011-07-17  Solar Designer  <solar at owl.openwall.com>

	* tcb.spec: 1.1, "Requires: glibc-crypt_blowfish >= 1.2".

	* pam_tcb/support.c (_set_ctrl), pam_tcb/pam_tcb.8: changed the default
	hash encoding prefix from "$2a$" to "$2y$" (requires crypt_blowfish 1.2
	or newer).

2010-06-07  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.6.

	* libs/libtcb.c (tcb_is_suspect): Drop faulty check for sparse files.
	It was based on a wrong assumption that st_blksize indicates the size
	of allocated blocks.  Also, the notion of sparse files does not apply
	to filesystems with compression turned on.
	The purpose of this check was to prevent some DoS attacks on root
	invoking user management tools and on services doing authentication.
	On a system with tcb shadow files, if group shadow access is somehow
	compromised, those files may be directly written to by their
	corresponding users as well as made sparse, which is what made this
	check somewhat desirable, but it was insufficient and problematic.
	Bug reported by Jim Darby <jim at jimbocorp.uklinux.net>.

2010-02-25  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.5.

2010-02-14  Dmitry V. Levin  <ldv at owl.openwall.com>

	Decrease the size of tcb_privs structure allocated in .data segment
	from 256K to a two dozen bytes by moving a groups array to .bss segment.
	* include/tcb.h (TCB_NGROUPS): Set to fixed value 1024 to reduce a waste
	of address space.  The former value NGROUPS_MAX is immensely large
	nowdays, and root privileged processes are not expected to have so large
	list of supplementary groups anyway.
	(struct tcb_privs): Move the groups array outside the structure.
	* libs/libtcb.c (glob_grplist): New static groups array.
	(tcb_drop_priv_r): Set errno in case of invalid use.
	(glob_privs, tcb_drop_priv_r, tcb_drop_priv): Update for the change of
	tcb_privs structure.
	* libs/nss.c (tcb_safe_open): Likewise.

2010-02-10  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.4.
	* LICENSE: Update copyright for 2010 year.

2010-01-20  Dmitry V. Levin  <ldv at owl.openwall.com>

	* libs/libtcb.c (tcb_drop_priv_r): Fix potential grpbuf buffer
	overflow.  This function is expected to return -1 if the buffer in
	tcb_privs structure is not sufficiently large to store all
	supplementary groups, but it didn't.  It treated 1st argument of
	getgroups(2) as the size of buffer in bytes, but according to specs it
	should be set to the size of buffer in items that can be stored there.
	To reproduce the bug, one has to build tcb with NGROUPS_MAX value
	lesser than the value defined in /proc/sys/kernel/ngroups_max, and set
	an appropriate (greater than NGROUPS_MAX) number of supplementary
	groups for the calling process.  There doesn't appear to be any
	untrusted user input involved.  Thus, this bug doesn't have to be
	treated as a security issue.

2010-01-19  Dmitry V. Levin  <ldv at owl.openwall.com>

	* libs/Makefile: Use LDFLAGS more consistently.
	* progs/Makefile: Likewise.
	Reported by Paweł Hajdan, Jr. <phajdan.jr at gentoo.org>.

2009-04-03  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.3.

2009-04-02  Dmitry V. Levin  <ldv at owl.openwall.com>

	* LICENSE: Update copyright for 2009 year.

	* pam_tcb/pam_unix_passwd.c (update_file): Call fflush(3) and
	fsync(2).
	Reported by Ermanno Scaglione <erm67 at yahoo.it>.

	* pam_tcb/support.c (_unix_fork, unix_run_helper_binary): Replace
	all calls to exit(3) in child processes with calls to _exit(2).
	Reported by Pascal Terjan <pterjan at mandriva.com>.

2006-10-31  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.2.

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Free retval_data
	pointer on error path.
	* pam_tcb/support.c (user_in_nisdb): Free userinfo string.
	* progs/tcb_chkpwd.c (zeroise): New function, zeroises string.
	(unix_verify_password): Free stored_hash string, zeroise hash
	strings.
	Reported by Alexander Kanevskiy.

2006-05-06  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.1.
	* LICENSE: Updated copyright for 2006 year.

	* pam_tcb/pam_unix_sess.c (pam_sm_open_session): Fail with
	PAM_SESSION_ERR for unknown users.

2005-12-28  Dmitry V. Levin  <ldv at owl.openwall.com>

	* tcb.spec: 1.0.
	* LICENSE: Updated copyrights for 2004 and 2005 years.

	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Bump syslog
	priorities of three error messages.

2005-09-26  Dmitry V. Levin  <ldv at owl.openwall.com>

	Update logging code to use pam_syslog.
	Update conversation code to use pam_prompt.

	* include/attribute.h (TCB_GNUC_PREREQ, TCB_FORMAT, TCB_NONNULL):
	New macro.
	(unused): Rewrite using TCB_GNUC_PREREQ.
	* pam_tcb/compat.c: New file, defines pam_syslog and pam_prompt
	if PAM does not provide them.
	* pam_tcb/compat.h: New file, defines prototypes for pam_syslog
	and pam_prompt if PAM does not provide them.
	* pam_tcb/Makefile (LIBSRC): Add compat.c.
	* pam_tcb/pam_unix_acct.c (acct_shadow): Add pam handle parameter.
	(pam_sm_acct_mgmt): Pass pam handle to functions which now require
	it.  Replace _log_err with pam_syslog.	Replace _make_remark
	with pam_error and pam_info.
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
	Pass pam handle to functions which now require it.
	(pam_sm_authenticate): Replace _log_err with pam_syslog.
	* pam_tcb/pam_unix_passwd.c (PASSWD_TMP_FILE): Remove macro.
	(update_file): New function, based on update_passwd and
	update_shadow.
	(update_passwd, update_shadow): Rewrite using update_file.
	(get_nis_server, update_nis, do_setpass): Add pam handle
	parameter.
	(get_nis_server, update_nis, do_setpass, unix_approve_pass,
	unix_prelim, pam_sm_chauthtok): Pass pam handle to functions
	which now require it.  Replace _log_err with pam_syslog.
	Replace _make_remark with pam_error.
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session): Pass pam handle to functions which now
	require it.  Replace _log_err with pam_syslog.
	* pam_tcb/support.c (_log_err, converse, _make_remark): Remove
	no longer used functions.
	(_unix_fork, user_in_file, _unix_user_in_db,
	unix_blankpasswd_plain, _unix_blankpasswd, check_crypt,
	unix_verify_password_plain, crypt_wrapper_ra, crypt_wrapper,
	do_crypt, parse_opt, _set_ctrl): Add pam handle parameter.
	Pass pam handle to functions which now require it.
	Replace _log_err with pam_syslog.
	(_unix_read_password): Rewrite prompt handling to use pam_info
	and pam_prompt.
	* pam_tcb/support.h: Include "attribute.h" and "compat.h".
	(cmdline_opts): Add const qualifier to optname variable.
	(cb_func, _unix_user_in_db, _unix_fork, _set_ctrl,
	_unix_blankpasswd, _unix_read_password, crypt_wrapper, do_crypt):
	Update function prototypes.
	(_log_err, _make_remark): Remove prototypes of removed functions.

2005-09-12  Dmitry V. Levin  <ldv at owl.openwall.com>

	Implement OpenPAM build support.

	* Make.defs (CFLAGS): Remove -DLINUX_PAM.
	* pam_tcb/pam_unix_acct.c: Include <syslog.h>.
	Include <security/pam_appl.h> if and only if
	[!__LIBPAM_VERSION && !__LINUX_PAM__].
	* pam_tcb/pam_unix_auth.c: Likewise.
	* pam_tcb/pam_unix_passwd.c: Likewise.
	* pam_tcb/pam_unix_sess.c: Likewise.
	* pam_tcb/support.c: Likewise.

	* pam_tcb/support.h: Define pam_item_t and pam_data_t.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Change type of
	item variable.
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
	Likewise.
	* pam_tcb/pam_unix_passwd.c (unix_prelim, pam_sm_chauthtok):
	Likewise.
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session): Likewise.
	* pam_tcb/support.c (converse, failures_cleanup,
	do_record_failure, _unix_read_password): Likewise.

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Protect code
	which uses PAM_CONV_AGAIN and PAM_INCOMPLETE with appropriate
	ifdefs.
	* pam_tcb/support.c (converse): Likewise.

2005-09-11  Dmitry V. Levin  <ldv at owl.openwall.com>

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Do not override
	user prompt in calls to pam_get_user, recent PAM releases provide
	better default.
	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
	* pam_tcb/support.h: Remove PROMPT_USER.

	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Fix password
	string check to avoid potential NULL dereference.
	* pam_tcb/support.c (unix_verify_password_plain): Check password
	string to avoid potential NULL dereference.
	(unix_run_helper_binary): Remove redundant password string check.

	* progs/tcb_unconvert.c (copy_user_from_tcb): Add const qualifier
	to msg variable, to fix warning reported by "gcc -Wwrite-strings".

2005-08-23  Dmitry V. Levin  <ldv at altlinux.org>

	Package pam_pwdb.so symlink and pam_pwdb(8) manual page link.

	* pam_tcb/pam_pwdb.8: New file.
	* Makefile, pam_tcb/Makefile, tcb.spec:
	Install pam_pwdb.so and pam_pwdb.8.

	* tcb.spec: 0.9.9.

2005-08-19  Dmitry V. Levin  <ldv at altlinux.org>

	In the PAM module, implement "openlog" option and disable
	openlog/closelog calls for each logging function invocation
	by default.

	* pam_tcb/support.h: Rename UNIX_NOOPENLOG to UNIX_OPENLOG.
	* pam_tcb/support.c (_log_err): When UNIX_OPENLOG is not set,
	prefix log line with the module name.
	(bool_names): Add negate field.
	(unix_bools): Add "openlog" option.
	(parse_opt): Handle negate field.
	(_set_ctrl) [ENABLE_OPENLOG]: Set UNIX_OPENLOG.
	* pam_tcb/pam_tcb.8: Document "openlog" option.

2005-08-18  Dmitry V. Levin  <ldv at altlinux.org>

	Restrict list of global symbols exported by the library,
	NSS and PAM modules.

	* libs/Makefile: New variables: LIB_MAP and NSS_MAP.  Pass
	--version-script argument when linking shared library and the
	NSS module.
	* libs/libnss_tcb.map: New file, version script for the NSS module.
	* libs/libtcb.c (ch_uid, ch_gid): Make static.
	* libs/libtcb.map: New file, version script for the library.

	* pam_tcb/Makefile: New variable: PAM_MAP.  Pass --version-script
	argument when linking the PAM module.
	* pam_tcb/pam_tcb.map: New file, version script for the PAM module.

2005-04-22  Dmitry V. Levin  <ldv at altlinux.org>

	Enhance multilib support.

	* Make.defs: New variables: SLIBDIR and LIBDIR.
	* libs/Makefile, pam_tcb/Makefile, tcb.spec: Use them.

	* libs/Makefile, pam_tcb/Makefile, misc/Makefile, progs/Makefile:
	Create all necessary directories in the beginning of install target.

2005-04-22  Dmitry V. Levin  <ldv at altlinux.org>

	Deal with compilation warnings generated by new gcc compiler.

	* include/attribute.h: New file.
	* libs/libtcb.c, pam_tcb/pam_unix_passwd.c,
	pam_tcb/pam_unix_auth.c, pam_tcb/support.c, pam_tcb/support.h:
	Include it.

	* include/attribute.h, pam_tcb/support.h (_log_err): Add
	workaround for those systems which lack support for __attribute__
	directive.

	* pam_tcb/support.c (_log_err): Remove no longer needed
	__attribute__ directive.

	* libs/libtcb.c (alarm_catch), pam_tcb/pam_unix_auth.c
	(retval_cleanup), pam_tcb/pam_unix_passwd.c (update_nis),
	pam_tcb/support.c (data_cleanup):
	Mark unused arguments with "unused" attribute.

	* libs/libtcb.c (ch_uid, ch_gid, tcb_drop_priv_r),
	progs/tcb_chkpwd.c (is_two_strings),
	pam_tcb/support.c (_set_ctrl):
	Avoid comparison between signed and unsigned.

	* pam_tcb/support.c (unix_run_helper_binary,
	unix_verify_password_plain): Eliminate unused variable pamh.

	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt),
	pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred),
	pam_tcb/pam_unix_passwd.c (update_nis, do_setpass, unix_prelim,
	pam_sm_chauthtok), pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session), pam_tcb/support.c (converse,
	failures_cleanup, do_record_failure, _unix_read_password):
	Fix the strict aliasing issues.

	* tcb.spec: 0.9.8.9.

2004-06-25  Dmitry V. Levin  <ldv at altlinux.org>

	* progs/tcb_unconvert.c (copy_from_tcb):
	Zero errno before each readdir(3) call.

	* tcb.spec: 0.9.8.8.

2003-11-02  Solar Designer  <solar at owl.openwall.com>

	* pam_tcb/Makefile: Use -fPIC.

	* libs/Makefile, misc/Makefile, pam_tcb/Makefile, progs/Makefile,
	tcb.spec: Renamed FAKEROOT to DESTDIR.

	* tcb.spec: 0.9.8.7.

2003-10-29  Solar Designer  <solar at owl.openwall.com>

	* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
	pam_tcb/pam_unix_passwd.c, pam_tcb/pam_unix_acct.c,
	progs/tcb_convert.c, progs/tcb_unconvert.c: Don't depend on
	*BSD-style asprintf(3) semantics as Ulrich has rejected that
	patch.

	* README: New file, explains how tcb may be built on non-Owl.

	* tcb.spec: 0.9.8.6.

2003-04-18  Solar Designer  <solar at owl.openwall.com>

	* misc/tcb.5, pam_tcb/pam_tcb.8, progs/tcb_convert.8: Use bold
	face for component names in .SH NAME, but avoid *roff commands
	to not confuse makewhatis and apropos(1).

	* LICENSE: Updated copyrights for year 2003.

	* tcb.spec: 0.9.8.5.

2003-04-16  Dmitry V. Levin  <ldv at altlinux.org>

	* pam_tcb/support.c: Implemented proper fake salt creation
	to avoid a timing attack.

	* tcb.spec: 0.9.8.4.

2002-10-31  Solar Designer  <solar at owl.openwall.com>

	* progs/tcb_chkpwd.c: Optimized unix_verify_password() a bit,
	from Dmitry V. Levin <ldv at altlinux.org>.

	* tcb.spec: 0.9.8.3.

2002-10-30  Solar Designer  <solar at owl.openwall.com>

	* progs/tcb_convert.8: Noted that /etc/shadow backups need to be
	removed as well, with /etc/shadow- as the particular example.

	* tcb.spec: 0.9.8.2.

2002-10-24  Solar Designer  <solar at owl.openwall.com>

	* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
	progs/tcb_chkpwd.c, progs/tcb_unconvert.c, misc/tcb.5: Cleaned
	up the recent changes.

	* tcb.spec: Set version to 0.9.8.1.

2002-08-20  Rafal Wojtczuk  <nergal at owl.openwall.com>

	* libs/nss.c, progs/tcb_unconvert.c, misc/tcb.5: Merged
	enhancements which remove 32K users limit.

	* libs/libtcb.c, include/tcb.h: Added ENABLE_SETFSUGID.

	* pam_tcb/support.c, progs/tcb_chkpwd.c: Pass the username to
	the helper binary such that it can handle non-unique UIDs.

	* tcb.spec, libs/Makefile: Set version to 0.9.8.

2002-08-19  Solar Designer  <solar at owl.openwall.com>

	* tcb.spec, libs/Makefile: Moved libtcb.so symlink to /usr/lib
	(patch from Dmitry V. Levin).

2002-08-04  Solar Designer  <solar at owl.openwall.com>

	* pam_tcb/pam_tcb.5, pam_tcb/pam_unix.5: Moved these manual
	pages to section 8 (the files are now gone).

	* pam_tcb/pam_tcb.8, pam_tcb/pam_unix.8: New files, based on
	the section 5 manual pages with minor changes.

	* tcb.spec, misc/tcb.5, progs/tcb_convert.8, pam_tcb/Makefile:
	Updates to reflect the above change.

	* libs/Makefile: Use trailing slashes after directories with
	install commands.

2002-07-07  Solar Designer  <solar at owl.openwall.com>

	* pam_tcb/pam_unix_acct.c, pam_tcb/pam_unix_passwd.c: No
	longer let root enforced password changes (sp_lstchg == 0)
	take precedence over expired accounts (sp_expire).

2002-05-19  Solar Designer  <solar at owl.openwall.com>

	* Make.defs: Renamed SYSBIN to SBINDIR, define LIBEXECDIR.

	* tcb.spec, progs/Makefile, pam_tcb/Makefile,
	pam_tcb/pam_tcb.5, misc/tcb.5: Moved the chkpwd directory to
	/usr/libexec.

	* misc/Makefile: Deal with SBINDIR and LIBEXECDIR.

2001-11-28  Dmitry V. Levin  <ldv at altlinux.org>

	* pam_tcb/support.c: Replaced signal call with sigaction call.

	* pam_tcb/support.c: Fixed possible "dereferencing NULL" typo.

	* progs/tcb_chkpwd.c: Test also stdout for isatty.

	* progs/Makefile: Create relative symlink instead of absolute.

	* libs/nss.c: Fixed glibc-2.2.4 compilation warning.
	* pam_tcb/pam_unix_passwd.c: Likewise.
	* progs/tcb_unconvert.c: Likewise.