This is the change log for our
tcb suite
implementing the alternative password shadowing scheme on
Owl.
2021-01-11 Solar Designer <solar at owl.openwall.com>
* tcb.spec: 1.2.
* LICENSE: Update copyright years for Dmitry's recent contributions.
2020-07-16 Dmitry V. Levin <ldv at owl.openwall.com>
tcb_chkpwd: remove the last remaining piece of NIS+ support.
* progs/tcb_chkpwd.c (unix_verify_password): Remove special handling
of NIS+ password entries.
tcb_unconvert: print error diagnostics if the final chown fails.
* progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely
case of an error returned by the final chown invocation. This does
not affect the exit status of tcb_unconvert, though, since the final
chown does not affect the result of conversion.
2020-07-15 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: fix harmless -Wmissing-field-initializers compilation warning.
* pam_tcb/support.c (fake_pw): Explicitly initialize remaining members
of struct passwd with zero.
pam_tcb: fix harmless -Wpointer-sign compilation warnings.
* pam_tcb/support.h (struct pam_unix_params): Change the type of
"crypt_prefix" and "helper" fields from "const unsigned char *"
to "const char *".
2018-07-07 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier
to OpenBSD.
This does not affect builds with libxcrypt >= 4.1.0 that provides
CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature test macro.
* pam_tcb/support.c (_set_ctrl)
[!CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: Replace "$2y$"
with "$2b$".
* pam_tcb/pam_tcb.8 (prefix): Likewise.
2018-06-26 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: request automatic prefix if libcrypt implements it.
In libxcrypt, starting with version 4.0.0, supplying a null pointer
as the "prefix" argument to crypt_gensalt_ra function will cause it
to select the best available hash function.
Starting with version 4.1.0, libxcrypt provides
CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to test the availability
of this feature at build time.
* pam_tcb/support.c (_set_ctrl)
[CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: When
pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb
default value.
* pam_tcb/pam_tcb.8: Document this.
pam_tcb: request automatic entropy if libcrypt implements it.
In libxcrypt, starting with version 4.0.0, supplying a null pointer
as the "rbytes" argument to crypt_gensalt_ra function will cause it
to acquire random bytes from the operating system.
Starting with version 4.1.0, libxcrypt provides
CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY macro to test the availability
of this feature at build time.
* pam_tcb/support.c (do_crypt)
[CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY]: Invoke crypt_gensalt_ra
with null "rbytes" and zero "nrbytes" arguments.
2018-06-19 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: sync password expiration messages with Linux-PAM-1.4.0.
* pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros.
(MESSAGE_PASS_EXPIRED, MESSAGE_PASS_SAME, MESSAGE_PASS_NONE):
Update messages.
(MESSAGE_WARN_EXPIRE): Add count argument, update messages.
* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace
MESSAGE_PASS_EXPIRED with MESSAGE_PASS_ENFORCED, update use of
MESSAGE_WARN_EXPIRE.
2018-05-31 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: use pam_get_authtok(3) instead of _unix_read_password.
This follows the change in pam_unix implemented in Linux-PAM
commit Linux-PAM-1.3.0~5.
pam_get_authtok(3) is available in OpenPAM since 2002-04-08
and in Linux-PAM since 2008-12-03.
As pam_get_authtok(3) does not support not_set_pass option,
the support for this not much useful option is dropped.
Instead pam_tcb gets a proper support for authtok_type= option.
* pam_tcb/pam_tcb.8 (not_set_pass): Remove.
(authtok_type): New option.
* pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro.
(pam_sm_authenticate): Use pam_get_authtok instead of
_unix_read_password.
* pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK):
Remove unused macros.
(do_setpass): Remove "fromwhat" argument.
(unix_prelim): Use pam_get_authtok instead of _unix_read_password.
(pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support.
* pam_tcb/support.c (data_cleanup, _unix_read_password): Remove
unused functions.
(unix_bools): Replace "not_set_pass" with "use_first_pass" and
"try_first_pass".
(parse_opt): Remove manual handling of "use_first_pass" and
"try_first_pass".
(_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in
the_cmdline_opts. Remove manual handling of "authtok_usage=".
* pam_tcb/support.h (UNIX_USE_FIRST_PASS, UNIX_TRY_FIRST_PASS,
UNIX_AUTHTOK_TYPE): New enum constants.
(PROMPT_PASS, PROMPT_OLDPASS, PROMPT_NEWPASS1, PROMPT_NEWPASS2,
MESSAGE_MISTYPED): Remove unused macros.
(UNIX_NOT_SET_PASS, USE_NONE, USE_TRY, USE_FORCED): Remove unused
enum constants.
(struct pam_unix_params): Remove unused authtok_usage field.
(_unix_read_password): Remove unused prototype.
2018-05-22 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: drop obsolete NIS/NIS+ support.
The GNU C library, starting with version 2.26, deprecated libnsl.
As result, pam_tcb no longer builds with modern versions of glibc
configured without --enable-obsolete-nsl option.
While glibc recommends to use replacement implementations based on
TIRPC, it's time to get rid of obsolete NIS/NIS+ support altogether.
* pam_tcb/yppasswd.h: Remove.
* pam_tcb/yppasswd_xdr.c: Likewise.
* pam_tcb/Makefile: Do not link with -lnsl.
(LIBSRC): Remove yppasswd_xdr.c.
* pam_tcb/pam_tcb.8: Remove references to NIS+.
* pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support.
* pam_tcb/support.c: Likewise.
* pam_tcb/support.h: Likewise.
* progs/tcb_convert.8: Remove references to nis and nisplus.
2012-05-24 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: Implement i18n support.
Linux-PAM starting with release 0.81 implements i18n support using
gettext. This change extends i18n support to pam_tcb.
The i18n support is not enabled by default, define both ENABLE_NLS and
NLS_PACKAGE macros to enable it. When NLS_PACKAGE macro is defined to
"Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM.
* pam_tcb/support.h: Mark all messages for translation. Pass through
dgettext all messages marked for translation when both ENABLE_NLS and
NLS_PACKAGE macros are defined.
2011-07-17 Solar Designer <solar at owl.openwall.com>
* tcb.spec: 1.1, "Requires: glibc-crypt_blowfish >= 1.2".
* pam_tcb/support.c (_set_ctrl), pam_tcb/pam_tcb.8: changed the default
hash encoding prefix from "$2a$" to "$2y$" (requires crypt_blowfish 1.2
or newer).
2010-06-07 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.6.
* libs/libtcb.c (tcb_is_suspect): Drop faulty check for sparse files.
It was based on a wrong assumption that st_blksize indicates the size
of allocated blocks. Also, the notion of sparse files does not apply
to filesystems with compression turned on.
The purpose of this check was to prevent some DoS attacks on root
invoking user management tools and on services doing authentication.
On a system with tcb shadow files, if group shadow access is somehow
compromised, those files may be directly written to by their
corresponding users as well as made sparse, which is what made this
check somewhat desirable, but it was insufficient and problematic.
Bug reported by Jim Darby <jim at jimbocorp.uklinux.net>.
2010-02-25 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.5.
2010-02-14 Dmitry V. Levin <ldv at owl.openwall.com>
Decrease the size of tcb_privs structure allocated in .data segment
from 256K to a two dozen bytes by moving a groups array to .bss segment.
* include/tcb.h (TCB_NGROUPS): Set to fixed value 1024 to reduce a waste
of address space. The former value NGROUPS_MAX is immensely large
nowdays, and root privileged processes are not expected to have so large
list of supplementary groups anyway.
(struct tcb_privs): Move the groups array outside the structure.
* libs/libtcb.c (glob_grplist): New static groups array.
(tcb_drop_priv_r): Set errno in case of invalid use.
(glob_privs, tcb_drop_priv_r, tcb_drop_priv): Update for the change of
tcb_privs structure.
* libs/nss.c (tcb_safe_open): Likewise.
2010-02-10 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.4.
* LICENSE: Update copyright for 2010 year.
2010-01-20 Dmitry V. Levin <ldv at owl.openwall.com>
* libs/libtcb.c (tcb_drop_priv_r): Fix potential grpbuf buffer
overflow. This function is expected to return -1 if the buffer in
tcb_privs structure is not sufficiently large to store all
supplementary groups, but it didn't. It treated 1st argument of
getgroups(2) as the size of buffer in bytes, but according to specs it
should be set to the size of buffer in items that can be stored there.
To reproduce the bug, one has to build tcb with NGROUPS_MAX value
lesser than the value defined in /proc/sys/kernel/ngroups_max, and set
an appropriate (greater than NGROUPS_MAX) number of supplementary
groups for the calling process. There doesn't appear to be any
untrusted user input involved. Thus, this bug doesn't have to be
treated as a security issue.
2010-01-19 Dmitry V. Levin <ldv at owl.openwall.com>
* libs/Makefile: Use LDFLAGS more consistently.
* progs/Makefile: Likewise.
Reported by Paweł Hajdan, Jr. <phajdan.jr at gentoo.org>.
2009-04-03 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.3.
2009-04-02 Dmitry V. Levin <ldv at owl.openwall.com>
* LICENSE: Update copyright for 2009 year.
* pam_tcb/pam_unix_passwd.c (update_file): Call fflush(3) and
fsync(2).
Reported by Ermanno Scaglione <erm67 at yahoo.it>.
* pam_tcb/support.c (_unix_fork, unix_run_helper_binary): Replace
all calls to exit(3) in child processes with calls to _exit(2).
Reported by Pascal Terjan <pterjan at mandriva.com>.
2006-10-31 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.2.
* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Free retval_data
pointer on error path.
* pam_tcb/support.c (user_in_nisdb): Free userinfo string.
* progs/tcb_chkpwd.c (zeroise): New function, zeroises string.
(unix_verify_password): Free stored_hash string, zeroise hash
strings.
Reported by Alexander Kanevskiy.
2006-05-06 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.1.
* LICENSE: Updated copyright for 2006 year.
* pam_tcb/pam_unix_sess.c (pam_sm_open_session): Fail with
PAM_SESSION_ERR for unknown users.
2005-12-28 Dmitry V. Levin <ldv at owl.openwall.com>
* tcb.spec: 1.0.
* LICENSE: Updated copyrights for 2004 and 2005 years.
* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Bump syslog
priorities of three error messages.
2005-09-26 Dmitry V. Levin <ldv at owl.openwall.com>
Update logging code to use pam_syslog.
Update conversation code to use pam_prompt.
* include/attribute.h (TCB_GNUC_PREREQ, TCB_FORMAT, TCB_NONNULL):
New macro.
(unused): Rewrite using TCB_GNUC_PREREQ.
* pam_tcb/compat.c: New file, defines pam_syslog and pam_prompt
if PAM does not provide them.
* pam_tcb/compat.h: New file, defines prototypes for pam_syslog
and pam_prompt if PAM does not provide them.
* pam_tcb/Makefile (LIBSRC): Add compat.c.
* pam_tcb/pam_unix_acct.c (acct_shadow): Add pam handle parameter.
(pam_sm_acct_mgmt): Pass pam handle to functions which now require
it. Replace _log_err with pam_syslog. Replace _make_remark
with pam_error and pam_info.
* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
Pass pam handle to functions which now require it.
(pam_sm_authenticate): Replace _log_err with pam_syslog.
* pam_tcb/pam_unix_passwd.c (PASSWD_TMP_FILE): Remove macro.
(update_file): New function, based on update_passwd and
update_shadow.
(update_passwd, update_shadow): Rewrite using update_file.
(get_nis_server, update_nis, do_setpass): Add pam handle
parameter.
(get_nis_server, update_nis, do_setpass, unix_approve_pass,
unix_prelim, pam_sm_chauthtok): Pass pam handle to functions
which now require it. Replace _log_err with pam_syslog.
Replace _make_remark with pam_error.
* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
pam_sm_close_session): Pass pam handle to functions which now
require it. Replace _log_err with pam_syslog.
* pam_tcb/support.c (_log_err, converse, _make_remark): Remove
no longer used functions.
(_unix_fork, user_in_file, _unix_user_in_db,
unix_blankpasswd_plain, _unix_blankpasswd, check_crypt,
unix_verify_password_plain, crypt_wrapper_ra, crypt_wrapper,
do_crypt, parse_opt, _set_ctrl): Add pam handle parameter.
Pass pam handle to functions which now require it.
Replace _log_err with pam_syslog.
(_unix_read_password): Rewrite prompt handling to use pam_info
and pam_prompt.
* pam_tcb/support.h: Include "attribute.h" and "compat.h".
(cmdline_opts): Add const qualifier to optname variable.
(cb_func, _unix_user_in_db, _unix_fork, _set_ctrl,
_unix_blankpasswd, _unix_read_password, crypt_wrapper, do_crypt):
Update function prototypes.
(_log_err, _make_remark): Remove prototypes of removed functions.
2005-09-12 Dmitry V. Levin <ldv at owl.openwall.com>
Implement OpenPAM build support.
* Make.defs (CFLAGS): Remove -DLINUX_PAM.
* pam_tcb/pam_unix_acct.c: Include <syslog.h>.
Include <security/pam_appl.h> if and only if
[!__LIBPAM_VERSION && !__LINUX_PAM__].
* pam_tcb/pam_unix_auth.c: Likewise.
* pam_tcb/pam_unix_passwd.c: Likewise.
* pam_tcb/pam_unix_sess.c: Likewise.
* pam_tcb/support.c: Likewise.
* pam_tcb/support.h: Define pam_item_t and pam_data_t.
* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Change type of
item variable.
* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
Likewise.
* pam_tcb/pam_unix_passwd.c (unix_prelim, pam_sm_chauthtok):
Likewise.
* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* pam_tcb/support.c (converse, failures_cleanup,
do_record_failure, _unix_read_password): Likewise.
* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Protect code
which uses PAM_CONV_AGAIN and PAM_INCOMPLETE with appropriate
ifdefs.
* pam_tcb/support.c (converse): Likewise.
2005-09-11 Dmitry V. Levin <ldv at owl.openwall.com>
* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Do not override
user prompt in calls to pam_get_user, recent PAM releases provide
better default.
* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
* pam_tcb/support.h: Remove PROMPT_USER.
* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Fix password
string check to avoid potential NULL dereference.
* pam_tcb/support.c (unix_verify_password_plain): Check password
string to avoid potential NULL dereference.
(unix_run_helper_binary): Remove redundant password string check.
* progs/tcb_unconvert.c (copy_user_from_tcb): Add const qualifier
to msg variable, to fix warning reported by "gcc -Wwrite-strings".
2005-08-23 Dmitry V. Levin <ldv at altlinux.org>
Package pam_pwdb.so symlink and pam_pwdb(8) manual page link.
* pam_tcb/pam_pwdb.8: New file.
* Makefile, pam_tcb/Makefile, tcb.spec:
Install pam_pwdb.so and pam_pwdb.8.
* tcb.spec: 0.9.9.
2005-08-19 Dmitry V. Levin <ldv at altlinux.org>
In the PAM module, implement "openlog" option and disable
openlog/closelog calls for each logging function invocation
by default.
* pam_tcb/support.h: Rename UNIX_NOOPENLOG to UNIX_OPENLOG.
* pam_tcb/support.c (_log_err): When UNIX_OPENLOG is not set,
prefix log line with the module name.
(bool_names): Add negate field.
(unix_bools): Add "openlog" option.
(parse_opt): Handle negate field.
(_set_ctrl) [ENABLE_OPENLOG]: Set UNIX_OPENLOG.
* pam_tcb/pam_tcb.8: Document "openlog" option.
2005-08-18 Dmitry V. Levin <ldv at altlinux.org>
Restrict list of global symbols exported by the library,
NSS and PAM modules.
* libs/Makefile: New variables: LIB_MAP and NSS_MAP. Pass
--version-script argument when linking shared library and the
NSS module.
* libs/libnss_tcb.map: New file, version script for the NSS module.
* libs/libtcb.c (ch_uid, ch_gid): Make static.
* libs/libtcb.map: New file, version script for the library.
* pam_tcb/Makefile: New variable: PAM_MAP. Pass --version-script
argument when linking the PAM module.
* pam_tcb/pam_tcb.map: New file, version script for the PAM module.
2005-04-22 Dmitry V. Levin <ldv at altlinux.org>
Enhance multilib support.
* Make.defs: New variables: SLIBDIR and LIBDIR.
* libs/Makefile, pam_tcb/Makefile, tcb.spec: Use them.
* libs/Makefile, pam_tcb/Makefile, misc/Makefile, progs/Makefile:
Create all necessary directories in the beginning of install target.
2005-04-22 Dmitry V. Levin <ldv at altlinux.org>
Deal with compilation warnings generated by new gcc compiler.
* include/attribute.h: New file.
* libs/libtcb.c, pam_tcb/pam_unix_passwd.c,
pam_tcb/pam_unix_auth.c, pam_tcb/support.c, pam_tcb/support.h:
Include it.
* include/attribute.h, pam_tcb/support.h (_log_err): Add
workaround for those systems which lack support for __attribute__
directive.
* pam_tcb/support.c (_log_err): Remove no longer needed
__attribute__ directive.
* libs/libtcb.c (alarm_catch), pam_tcb/pam_unix_auth.c
(retval_cleanup), pam_tcb/pam_unix_passwd.c (update_nis),
pam_tcb/support.c (data_cleanup):
Mark unused arguments with "unused" attribute.
* libs/libtcb.c (ch_uid, ch_gid, tcb_drop_priv_r),
progs/tcb_chkpwd.c (is_two_strings),
pam_tcb/support.c (_set_ctrl):
Avoid comparison between signed and unsigned.
* pam_tcb/support.c (unix_run_helper_binary,
unix_verify_password_plain): Eliminate unused variable pamh.
* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt),
pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred),
pam_tcb/pam_unix_passwd.c (update_nis, do_setpass, unix_prelim,
pam_sm_chauthtok), pam_tcb/pam_unix_sess.c (pam_sm_open_session,
pam_sm_close_session), pam_tcb/support.c (converse,
failures_cleanup, do_record_failure, _unix_read_password):
Fix the strict aliasing issues.
* tcb.spec: 0.9.8.9.
2004-06-25 Dmitry V. Levin <ldv at altlinux.org>
* progs/tcb_unconvert.c (copy_from_tcb):
Zero errno before each readdir(3) call.
* tcb.spec: 0.9.8.8.
2003-11-02 Solar Designer <solar at owl.openwall.com>
* pam_tcb/Makefile: Use -fPIC.
* libs/Makefile, misc/Makefile, pam_tcb/Makefile, progs/Makefile,
tcb.spec: Renamed FAKEROOT to DESTDIR.
* tcb.spec: 0.9.8.7.
2003-10-29 Solar Designer <solar at owl.openwall.com>
* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
pam_tcb/pam_unix_passwd.c, pam_tcb/pam_unix_acct.c,
progs/tcb_convert.c, progs/tcb_unconvert.c: Don't depend on
*BSD-style asprintf(3) semantics as Ulrich has rejected that
patch.
* README: New file, explains how tcb may be built on non-Owl.
* tcb.spec: 0.9.8.6.
2003-04-18 Solar Designer <solar at owl.openwall.com>
* misc/tcb.5, pam_tcb/pam_tcb.8, progs/tcb_convert.8: Use bold
face for component names in .SH NAME, but avoid *roff commands
to not confuse makewhatis and apropos(1).
* LICENSE: Updated copyrights for year 2003.
* tcb.spec: 0.9.8.5.
2003-04-16 Dmitry V. Levin <ldv at altlinux.org>
* pam_tcb/support.c: Implemented proper fake salt creation
to avoid a timing attack.
* tcb.spec: 0.9.8.4.
2002-10-31 Solar Designer <solar at owl.openwall.com>
* progs/tcb_chkpwd.c: Optimized unix_verify_password() a bit,
from Dmitry V. Levin <ldv at altlinux.org>.
* tcb.spec: 0.9.8.3.
2002-10-30 Solar Designer <solar at owl.openwall.com>
* progs/tcb_convert.8: Noted that /etc/shadow backups need to be
removed as well, with /etc/shadow- as the particular example.
* tcb.spec: 0.9.8.2.
2002-10-24 Solar Designer <solar at owl.openwall.com>
* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
progs/tcb_chkpwd.c, progs/tcb_unconvert.c, misc/tcb.5: Cleaned
up the recent changes.
* tcb.spec: Set version to 0.9.8.1.
2002-08-20 Rafal Wojtczuk <nergal at owl.openwall.com>
* libs/nss.c, progs/tcb_unconvert.c, misc/tcb.5: Merged
enhancements which remove 32K users limit.
* libs/libtcb.c, include/tcb.h: Added ENABLE_SETFSUGID.
* pam_tcb/support.c, progs/tcb_chkpwd.c: Pass the username to
the helper binary such that it can handle non-unique UIDs.
* tcb.spec, libs/Makefile: Set version to 0.9.8.
2002-08-19 Solar Designer <solar at owl.openwall.com>
* tcb.spec, libs/Makefile: Moved libtcb.so symlink to /usr/lib
(patch from Dmitry V. Levin).
2002-08-04 Solar Designer <solar at owl.openwall.com>
* pam_tcb/pam_tcb.5, pam_tcb/pam_unix.5: Moved these manual
pages to section 8 (the files are now gone).
* pam_tcb/pam_tcb.8, pam_tcb/pam_unix.8: New files, based on
the section 5 manual pages with minor changes.
* tcb.spec, misc/tcb.5, progs/tcb_convert.8, pam_tcb/Makefile:
Updates to reflect the above change.
* libs/Makefile: Use trailing slashes after directories with
install commands.
2002-07-07 Solar Designer <solar at owl.openwall.com>
* pam_tcb/pam_unix_acct.c, pam_tcb/pam_unix_passwd.c: No
longer let root enforced password changes (sp_lstchg == 0)
take precedence over expired accounts (sp_expire).
2002-05-19 Solar Designer <solar at owl.openwall.com>
* Make.defs: Renamed SYSBIN to SBINDIR, define LIBEXECDIR.
* tcb.spec, progs/Makefile, pam_tcb/Makefile,
pam_tcb/pam_tcb.5, misc/tcb.5: Moved the chkpwd directory to
/usr/libexec.
* misc/Makefile: Deal with SBINDIR and LIBEXECDIR.
2001-11-28 Dmitry V. Levin <ldv at altlinux.org>
* pam_tcb/support.c: Replaced signal call with sigaction call.
* pam_tcb/support.c: Fixed possible "dereferencing NULL" typo.
* progs/tcb_chkpwd.c: Test also stdout for isatty.
* progs/Makefile: Create relative symlink instead of absolute.
* libs/nss.c: Fixed glibc-2.2.4 compilation warning.
* pam_tcb/pam_unix_passwd.c: Likewise.
* progs/tcb_unconvert.c: Likewise.
