--- pwauth-2.3.8.orig/debian/compat
+++ pwauth-2.3.8/debian/compat
@@ -0,0 +1 @@
+7
--- pwauth-2.3.8.orig/debian/pwauth.man
+++ pwauth-2.3.8/debian/pwauth.man
@@ -0,0 +1,79 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH PWAUTH 8 2009-05-02
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+pwauth \- authenticator for mod_authnz_external and the Apache HTTP Daemon
+.SH SYNOPSIS
+.B pwauth
+.SH DESCRIPTION
+
+Pwauth is an authenticator designed to be used with
+mod_auth_external or mod_authnz_external and the Apache
+HTTP Daemon to support reasonably secure web
+authentication out of the system password database on most
+versions of Unix. Particulary - secure authentication against PAM.
+
+The simplest test pwauth is to start a root shell and just run pwauth. It will attempt to read the login and password from standard input, so type a login name, hit return, then type a password, and hit return (the password will echo on your screen). The check the status code that was returned (in csh: "echo $status" in sh: "echo $?").
+
+If the login/password were correct you should get a zero status code. If not, you will get some other value. See below the list of status codes to find the meaning of the various values returned. Any values 50 or greater indicate a configuration error.
+
+
+.SH STATUS CODES
+.BR
+.TP
+.B 0 STATUS_OK
+Login OK.
+.TP
+.B 1 STATUS_UNKNOWN
+Nonexistant login or (for some configurations) incorrect password.
+.TP
+.B 2 STATUS_INVALID
+Incorrect password (for some configurations).
+.TP
+.B 3 STATUS_BLOCKED
+Uid number is below MIN_UNIX_UID value configured in config.h.
+.TP
+.B 4 STATUS_EXPIRED
+Login ID has expired.
+.TP
+.B 5 STATUS_PW_EXPIRED
+Login's password has expired.
+.TP
+.B 6 SSTATUS_NOLOGIN
+Logins to system have been turned off (usually by /etc/nologin file).
+.TP
+.B 7 STATUS_MANYFAILES
+Limit on number of bad logins exceeded.
+.TP
+.B 50 STATUS_INT_USER
+pwauth was invoked by a uid not on the SERVER_UIDS list. If you get this error code, you probably have SERVER_UIDS set incorrectly in pwauth's config.h file.
+.TP
+.B 51 STATUS_INT_ARGS
+pwauth was not given a login & password to check. The means the passing of data from mod_auth_external to pwauth is messed up. Most likely one is trying to pass data via environment variables, while the other is trying to pass data via a pipe.
+.TP
+.B 52 STATUS_INT_ERR
+one of several rare and unlikely internal errors occurred. You'll have to read the source code to figure these out.
+.TP
+.B 53 STATUS_INT_NOROOT
+pwauth was not able to read the password database. Usually this means it is not running as root. (PAM and login.conf configurations will return 1 in this case.)
+
+.SH AUTHOR
+.B pwauth
+was written by Jan Wolter .
+.PP
+This manual page was written by Hai Zaar ,
+for the Debian project (but may be used by others).
--- pwauth-2.3.8.orig/debian/pam
+++ pwauth-2.3.8/debian/pam
@@ -0,0 +1,13 @@
+#
+# The PAM configuration file for the `pwauth' service
+#
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x account
+@include common-account
--- pwauth-2.3.8.orig/debian/dirs
+++ pwauth-2.3.8/debian/dirs
@@ -0,0 +1 @@
+usr/sbin
--- pwauth-2.3.8.orig/debian/changelog
+++ pwauth-2.3.8/debian/changelog
@@ -0,0 +1,6 @@
+pwauth (2.3.8-1) unstable; urgency=low
+
+ * Initial release (Closes: #526762)
+
+ -- Hai Zaar Sun, 05 May 2009 20:37:00 +0300
+
--- pwauth-2.3.8.orig/debian/README.debian
+++ pwauth-2.3.8/debian/README.debian
@@ -0,0 +1,16 @@
+pwauth is intended for secure Apache auth against pam (shadow).
+
+To use it on Debian, make sure to also install libapache2-mod-authnz-external,
+then add these lines to relevant Location or Directory section:
+ AuthBasicProvider external
+ AuthExternal pwauth
+
+And to the related virtual host section:
+ AddExternalAuth pwauth /usr/sbin/pwauth
+ SetExternalAuthMethod pwauth pipe
+
+See these links for more info:
+http://blog.innerewut.de/2007/6/26/apache-2-2-authentication-with-mod_authnz_external
+http://www.unixpapa.com/mod_auth_external
+
+
--- pwauth-2.3.8.orig/debian/watch
+++ pwauth-2.3.8/debian/watch
@@ -0,0 +1,23 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 3 file
+version=3
+
+# Uncomment to examine a Webpage
+#
+#http://www.example.com/downloads.php pwauth-(.*)\.tar\.gz
+http://code.google.com/p/pwauth/downloads/list http://pwauth.googlecode.com/files/pwauth-(.*)\.tar\.gz
+
+# Uncomment to examine a Webserver directory
+#http://www.example.com/pub/pwauth-(.*)\.tar\.gz
+
+# Uncommment to examine a FTP server
+#ftp://ftp.example.com/pub/pwauth-(.*)\.tar\.gz debian uupdate
+
+# Uncomment to find new files on sourceforge, for debscripts >= 2.9
+# http://sf.net/pwauth/pwauth-(.*)\.tar\.gz
+
+
--- pwauth-2.3.8.orig/debian/control
+++ pwauth-2.3.8/debian/control
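Review bot: The active uscan line in debian/watch tracks and fetches the upstream tarball over plain `http://` with no integrity check, so a download altered in transit would not be noticed at this step. If upstream serves the same paths over HTTPS, use `https://` in both URLs, and if upstream publishes detached signatures, add a `pgpsigurlmangle` option so uscan verifies them; failing that, compare the tarball against a known checksum before import. The remaining comments ("Rename this file to "watch"", the example.com lines) look like leftover template text and could be dropped.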
@@ -0,0 +1,18 @@
+Source: pwauth
+Section: utils
+Priority: optional
+Maintainer: Hai Zaar
+Build-Depends: debhelper (>= 7), libpam0g-dev, cdbs
+Standards-Version: 3.8.1
+
+Package: pwauth
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: libapache2-mod-authnz-external (>= 3.1.0)
+Description: authenticator for mod_authnz_external and the Apache HTTP Daemon
+ Pwauth is an authenticator designed to be used with
+ mod_auth_external or mod_authnz_external and the Apache
+ HTTP Daemon to support reasonably secure web
+ authentication out of the system password database on most
+ versions of Unix. Particulary - secure authentication
+ against PAM.
--- pwauth-2.3.8.orig/debian/docs
+++ pwauth-2.3.8/debian/docs
@@ -0,0 +1 @@
+FORM_AUTH
--- pwauth-2.3.8.orig/debian/copyright
+++ pwauth-2.3.8/debian/copyright
@@ -0,0 +1,40 @@
+This package was debianized by Hai Zaar on
+Sun, 3 May 2009 14:32:00 +0300.
+
+
+It was downloaded from
+http://code.google.com/p/pwauth/
+
+Copyright Holder: Jan Wolter and Steven R. Weiss
+
+License:
+
+ Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+
+ 3. The names of the authors must not be used to endorse or
+ promote products derived from this software without prior written
+ permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE AUTHORS `AS IS'' AND ANY
+ EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- pwauth-2.3.8.orig/debian/rules
+++ pwauth-2.3.8/debian/rules
@@ -0,0 +1,14 @@
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/simple-patchsys.mk
+include /usr/share/cdbs/1/class/makefile.mk
+
+DEB_MAKE_INSTALL_TARGET = install DESTDIR=$(CURDIR)/debian/pwauth
+
+binary-fixup/pwauth::
+ rm $(CURDIR)/debian/pwauth/usr/sbin/checkfaillog
+ rm $(CURDIR)/debian/pwauth/usr/sbin/unixgroup
+ #
+ chmod 2755 $(CURDIR)/debian/pwauth/usr/sbin/pwauth
+ chown root:shadow $(CURDIR)/debian/pwauth/usr/sbin/pwauth
--- pwauth-2.3.8.orig/debian/lintian-overrides
+++ pwauth-2.3.8/debian/lintian-overrides
@@ -0,0 +1 @@
+pwauth: setgid-binary usr/sbin/pwauth 2755 root/shadow
--- pwauth-2.3.8.orig/debian/pwauth.manpages
+++ pwauth-2.3.8/debian/pwauth.manpages
@@ -0,0 +1 @@
+debian/pwauth.man
--- pwauth-2.3.8.orig/debian/patches/00-checkfaillog-includes-1.patch
+++ pwauth-2.3.8/debian/patches/00-checkfaillog-includes-1.patch
@@ -0,0 +1,18 @@
+Eliminate compilation warnings
+
+Author: Hai Zaar
+
+--- checkfaillog.c.orig 2009-04-01 12:26:30.000000000 +0300
++++ checkfaillog.c 2009-04-01 12:26:55.000000000 +0300
+@@ -32,9 +32,11 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
++#include
+
+ #include "config.h"
+ #include "fail_log.h"
--- pwauth-2.3.8.orig/debian/patches/03-Makefile-debian-1.patch
+++ pwauth-2.3.8/debian/patches/03-Makefile-debian-1.patch
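Review bot: In debian/rules, `binary-fixup/pwauth::` applies `chmod 2755` before `chown root:shadow`, and a real chown may clear the setgid bit on an executable, so the packaged mode depends on how the build's root emulation treats chown. Run the `chown root:shadow ...` line first and the `chmod 2755 ...` line after it. The result is a world-executable setgid-shadow program whose caller restriction, as far as this page shows, is the SERVER_UIDS check compiled in from config.h. The bare `#` above the chmod would be the place for a one-line comment stating why the binary needs group shadow.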
@@ -0,0 +1,51 @@
+Makefile fixes
+
+Author: Hai Zaar
+
+--- Makefile.orig 2009-04-01 12:40:59.000000000 +0300
++++ Makefile 2009-04-01 12:41:23.000000000 +0300
+@@ -7,22 +7,24 @@
+
+ # Settings for author's system (Redhat 6.1)
+ CC=gcc
+-LIB= -lcrypt
+-LOCALFLAGS= -g
++LDFLAGS=-Wl,-z -Wl,defs -Wl,--as-needed
++LIB=-lpam
++LOCALFLAGS=-g -Wall
+
+-# For PAM on Redhat Linux
+-# LIB=-lpam -ldl
++prefix=/usr
++sbindir=$(prefix)/sbin
+
+-# For PAM on Solaris or OS X
+-# LIB=-lpam
+
+ # -------------------- No User Servicable Parts Below -----------------------
+
++programs = pwauth checkfaillog unixgroup
++all: $(programs)
++
+ CFLAGS= $(LOCALFLAGS)
+
+ pwauth: main.o auth_aix.o auth_bsd.o auth_hpux.o auth_mdw.o auth_openbsd.o \
+ auth_pam.o auth_sun.o fail_log.o lastlog.o nologin.o snooze.o
+- $(CC) -o pwauth $(CFLAGS) main.o auth_aix.o auth_bsd.o auth_hpux.o \
++ $(CC) -o pwauth $(CFLAGS) $(LDFLAGS) main.o auth_aix.o auth_bsd.o auth_hpux.o \
+ auth_mdw.o auth_openbsd.o auth_pam.o auth_sun.o fail_log.o \
+ lastlog.o nologin.o snooze.o $(LIB)
+
+@@ -46,7 +48,11 @@
+
+
+ clean:
+- rm -f *.o
++ $(MAKE) distclean
+
+ distclean:
+ rm -f *.o pwauth checkfaillog
++
++install:
++ mkdir -p $(DESTDIR)$(sbindir)
++ install $(programs) $(DESTDIR)$(sbindir)
--- pwauth-2.3.8.orig/debian/patches/01-config-debian-1.patch
+++ pwauth-2.3.8/debian/patches/01-config-debian-1.patch
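Review bot: In the Makefile patch, the new `LDFLAGS=-Wl,-z -Wl,defs -Wl,--as-needed` and the existing `CFLAGS= $(LOCALFLAGS)` are plain assignments, so compiler and linker flags exported by the packaging environment are replaced unless they are passed on the make command line. For a program that debian/rules installs setgid shadow, hardening options should be able to reach the build; consider `LDFLAGS+=-Wl,-z -Wl,defs -Wl,--as-needed` and `CFLAGS+=$(LOCALFLAGS)`. `$(LDFLAGS)` is added only to the pwauth link rule, and the rules for the other programs lie outside the hunk, so check whether they need it too. The `all`, `clean`, `distclean` and `install` targets should also be listed under `.PHONY`.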
@@ -0,0 +1,138 @@
+Debian-specific config for pwauth. Also use proper style comments for C code.
+
+Author: Hai Zaar
+
+--- config.h.orig 2009-04-01 12:19:41.000000000 +0300
++++ config.h 2009-04-01 12:21:03.000000000 +0300
+@@ -110,19 +110,19 @@
+ * FreeBSD.
+ */
+
+-/* #define SHADOW_NONE /**/
+-/* #define SHADOW_BSD /* FreeBSD, NetBSD, OpenBSD, BSDI, OS X */
+-#define SHADOW_SUN /* Linux, Solaris, IRIX */
+-/* #define SHADOW_JFH /**/
+-/* #define SHADOW_MDW /**/
+-/* #define SHADOW_AIX /* AIX */
+-/* #define SHADOW_HPUX /* HPUX ? */
+-
+-/* #define PAM /* Linux PAM or OpenPAM*/
+-/* #define PAM_OS_X /* PAM on OS X */
+-/* #define PAM_SOLARIS /* PAM on Solaris other than 2.6 */
+-/* #define PAM_SOLARIS_26 /* PAM on Solaris 2.6 */
+-/* #define LOGIN_CONF_OPENBSD /* login.conf on OpenBSD */
++/* #define SHADOW_NONE */
++/* #define SHADOW_BSD FreeBSD, NetBSD, OpenBSD, BSDI, OS X */
++/* #define SHADOW_SUN Linux, Solaris, IRIX */
++/* #define SHADOW_JFH */
++/* #define SHADOW_MDW */
++/* #define SHADOW_AIX AIX */
++/* #define SHADOW_HPUX HPUX ? */
++
++#define PAM /* Linux PAM or OpenPAM*/
++/* #define PAM_OS_X PAM on OS X */
++/* #define PAM_SOLARIS PAM on Solaris other than 2.6 */
++/* #define PAM_SOLARIS_26 PAM on Solaris 2.6 */
++/* #define LOGIN_CONF_OPENBSD login.conf on OpenBSD */
+
+
+ /* There is also limited support for two failure logging systems (the database
+@@ -179,13 +179,13 @@
+ * reports and resets the failure count.
+ */
+
+-/* #define FAILLOG_JFH /**/
+-/* #define FAILLOG_OPENBSD /**/
+-/* #define FAILLOG_PWAUTH /**/
+-
+-/* #define PATH_FAILLOG "/var/log/faillog" /**/
+-/* #define MAX_FAIL_COUNT 40 /**/
+-/* #define RESET_FAIL_COUNT /**/
++/* #define FAILLOG_JFH */
++/* #define FAILLOG_OPENBSD */
++/* #define FAILLOG_PWAUTH */
++
++/* #define PATH_FAILLOG "/var/log/faillog" */
++/* #define MAX_FAIL_COUNT 40 */
++/* #define RESET_FAIL_COUNT */
+
+
+ /* If UNIX_LASTLOG is defined, the program will update the lastlog entry so
+@@ -199,8 +199,8 @@
+ * uid numbers.
+ */
+
+-#define UNIX_LASTLOG /**/
+-#define HAVE_LASTLOG_H /**/
++/* #define UNIX_LASTLOG */
++/* #define HAVE_LASTLOG_H */
+
+
+ /* If NOLOGIN_FILE is defined to the full path name of a file, then the
+@@ -213,8 +213,8 @@
+ * right with PAM.
+ */
+
+-#define NOLOGIN_FILE "/etc/nologin" /**/
+-#define MIN_NOLOGIN_UID 1 /**/
++/* #define NOLOGIN_FILE "/etc/nologin" */
++/* #define MIN_NOLOGIN_UID 1 */
+
+
+ /* Defining CHECK_LOGIN_EXPIRATION and CHECK_PASSWORD_EXPIRATION causes
+@@ -226,8 +226,8 @@
+ * system to test on, I haven't bothered.
+ */
+
+-#define CHECK_LOGIN_EXPIRATION /**/
+-#define CHECK_PASSWORD_EXPIRATION /**/
++/* #define CHECK_LOGIN_EXPIRATION */
++/* #define CHECK_PASSWORD_EXPIRATION */
+
+
+ /* SERVER_UIDS is a list of the uid numbers of the accounts that may run
+@@ -245,7 +245,7 @@
+ * last).
+ */
+
+-#define SERVER_UIDS 72 /* user "nobody" */
++#define SERVER_UIDS 33 /* user "www-data" */
+
+
+ /* If MIN_UNIX_UID is defined to an integer, logins with uid numbers less than
+@@ -265,7 +265,7 @@
+ * lower case. This is useful for users accustomed to the Windows environment.
+ */
+
+-/* #define IGNORE_CASE /**/
++/* #define IGNORE_CASE */
+
+
+ /* If DOMAIN_AWARE is enabled, then we we check login names to see if they
+@@ -274,7 +274,7 @@
+ * to login names formed like "domain\username".
+ */
+
+-/* #define DOMAIN_AWARE /**/
++/* #define DOMAIN_AWARE */
+
+
+ /* On failed authentications, pwauth will sleep for SLEEP_TIME seconds, using
+@@ -285,7 +285,7 @@
+ * SLEEP_LOCK. SLEEP_TIME defaults to 2 seconds if not defined.
+ */
+
+-#define SLEEP_LOCK "/var/run/pwauth.lock"
++/* #define SLEEP_LOCK "/var/run/pwauth.lock" */
+
+
+ /* If ENV_METHOD is defined, pwauth expects mod_auth_external to be configured
+@@ -295,7 +295,7 @@
+ * This is insecure on some versions of Unixes, but might be a bit faster.
+ */
+
+-/* #define ENV_METHOD /**/
++/* #define ENV_METHOD */
+
+
+ /* If /usr/include/paths.h exists define this. Obviously I need to autoconfig
--- pwauth-2.3.8.orig/debian/patches/02-main-defines-1.patch
+++ pwauth-2.3.8/debian/patches/02-main-defines-1.patch
@@ -0,0 +1,25 @@
+Fix compilation warnings
+
+Author: Hai Zaar
+
+--- main.c.orig 2009-04-01 12:18:28.000000000 +0300
++++ main.c 2009-04-01 12:25:45.000000000 +0300
+@@ -41,14 +41,16 @@
+ /* Array of uid numbers that may run this program */
+ int server_uids[]= {SERVER_UIDS, 0};
+
++void snooze(int seconds); /* defained in snooze.c */
++int check_auth(char *login, char *passwd); /* defined in auth_*.c */
+
+-main(int argc, char **argv)
++int main(int argc, char **argv)
+ {
+ #ifdef ENV_METHOD
+ char *login, *passwd;
+ #else
+ char login[BFSZ+1], passwd[BFSZ+1];
+- char *c, *strchr();
++ char *c;
+ #endif
+ int uid,i;
+ int status;
--- pwauth-2.3.8.orig/debian/patches/04-snooze-c-fix-1.patch
+++ pwauth-2.3.8/debian/patches/04-snooze-c-fix-1.patch
@@ -0,0 +1,15 @@
+Fix compilation warnings
+
+Author: Hai Zaar
+
+--- snooze.c.orig 2009-04-01 12:23:04.000000000 +0300
++++ snooze.c 2009-04-01 12:24:39.000000000 +0300
+@@ -39,7 +39,7 @@
+ * sleep time, if other pwauth processes are in sleeps.
+ */
+
+-snooze(int seconds)
++void snooze(int seconds)
+ {
+ #ifdef SLEEP_LOCK
+ int slfd;
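Review bot: In the config.h patch, the `@@ -285,7 +285,7 @@` hunk comments out `SLEEP_LOCK` while every FAILLOG_* option stays disabled, so nothing in this configuration appears to coordinate the post-failure sleep across concurrent pwauth processes or to count bad logins. Throttling of password guessing through the web server is then left to the PAM stack and to Apache, which deserves a comment next to the define, e.g. `/* SLEEP_LOCK disabled: <reason>; failed-login limiting is left to PAM */`, and a line in README.debian. The explanatory comment above the define starts outside the hunk, so its full wording is not visible here. `SERVER_UIDS 33` hard-codes the www-data uid, and the patch description could state that pwauth returns STATUS_INT_USER when Apache runs under another account.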
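Review bot: In the main.c patch, the prototypes for `snooze()` and `check_auth()` are written into main.c itself, so the compiler cannot check them against the definitions in snooze.c and the auth_*.c files. Declaring them once in a header that those files also include would turn a signature mismatch into a compile error. The first comment has a typo and should read `/* defined in snooze.c */`. main()'s body continues past the end of the hunk.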