[packages/coreutils.git] / coreutils-pam.patch

diff -Nur coreutils-5.2.1.orig/configure.ac coreutils-5.2.1/configure.ac
--- coreutils-5.2.1.orig/configure.ac   Tue Mar  2 23:47:31 2004
+++ coreutils-5.2.1/configure.ac        Thu Mar 18 17:06:38 2004
@@ -7,6 +7,13 @@
 
 AM_INIT_AUTOMAKE([1.8 gnits dist-bzip2])
 
+dnl Give the chance to enable PAM
+AC_ARG_ENABLE(pam, dnl
+[  --enable-pam            Enable use of the PAM libraries],
+AC_DEFINE(USE_PAM,,[Use PAM?])
+LIB_PAM="-ldl -lpam -lpam_misc"
+)
+
 gl_DEFAULT_POSIX2_VERSION
 gl_USE_SYSTEM_EXTENSIONS
 jm_PERL
@@ -235,6 +242,13 @@
 AM_GNU_GETTEXT([external], [need-ngettext])
 AM_GNU_GETTEXT_VERSION(0.13.1)
 
+# just in case we want PAM
+AC_SUBST(LIB_PAM)
+# with PAM su doesn't need libcrypt
+if test -n "$LIB_PAM" ; then
+  LIB_CRYPT=
+fi
+
 AC_CONFIG_FILES(
   Makefile
   doc/Makefile
diff -Nur coreutils-5.2.1.orig/doc/coreutils.texi coreutils-5.2.1/doc/coreutils.texi
--- coreutils-5.2.1.orig/doc/coreutils.texi     Thu Mar 18 16:58:54 2004
+++ coreutils-5.2.1/doc/coreutils.texi  Thu Mar 18 17:08:08 2004
@@ -11892,32 +11892,6 @@
 the exit status of the subshell otherwise
 @end display
 
-@cindex wheel group, not supported
-@cindex group wheel, not supported
-@cindex fascism
-@subsection Why GNU @command{su} does not support the @samp{wheel} group
-
-(This section is by Richard Stallman.)
-
-@cindex Twenex
-@cindex MIT AI lab
-Sometimes a few of the users try to hold total power over all the
-rest.  For example, in 1984, a few users at the MIT AI lab decided to
-seize power by changing the operator password on the Twenex system and
-keeping it secret from everyone else.  (I was able to thwart this coup
-and give power back to the users by patching the kernel, but I
-wouldn't know how to do that in Unix.)
-
-However, occasionally the rulers do tell someone.  Under the usual
-@command{su} mechanism, once someone learns the root password who
-sympathizes with the ordinary users, he or she can tell the rest.  The
-``wheel group'' feature would make this impossible, and thus cement the
-power of the rulers.
-
-I'm on the side of the masses, not that of the rulers.  If you are
-used to supporting the bosses and sysadmins in whatever they do, you
-might find this idea strange at first.
-
 
 @node Delaying
 @chapter Delaying
diff -Nur coreutils-5.2.1.orig/man/es/su.1 coreutils-5.2.1/man/es/su.1
--- coreutils-5.2.1.orig/man/es/su.1    Mon Apr 12 14:26:19 1999
+++ coreutils-5.2.1/man/es/su.1 Thu Mar 18 17:05:55 2004
@@ -47,13 +47,6 @@
 puede ser compilado para reportar fallo, y opcionalmente éxito en syslog.
 .B su
 intentará utilizar syslog.
-.PP
-Este programa no soporta el grupo "wheel", el cual restringe quien podrá
-ejecutar
-.B su
-hacia la cuenta de root (el superusuario) ya que esta política podría
-ayudar a los administradores de máquinas a facilitar un uso inadecuado a otros
-usuarios.
 .SS OPCIONES
 .TP
 .I "\-c COMANDO, \-\-command=COMANDO"
@@ -118,22 +111,3 @@
 .I "\-\-version"
 Escribe información sobre la versión en  la  salida estándar y acaba sin
 provocar error.
-
-.SH Por que GNU no soporta el grupo "wheel" (por Richard Stallman)
-A veces, algunos listillos intentan hacerse con el poder total
-sobre el resto de usuarios. Por ejemplo, en 1984, un grupo de usuarios del
-laboratorio de Inteligencia Artificial del MIT decidieron tomar el poder
-cambiando el password de operador del sistema Twenex y manteniendolo secreto
-para el resto de usuarios. (De todas maneras, hubiera sido posible desbaratar
-la situación y devolver el control a los usuarios legítimos parcheando el
-kernel, pero no sabría como realizar esta operación en un sistema Unix.)
-.PP
-Sin embargo, casualmente alguien contó el secreto. Mediante el uso habitual de
-.B su
-una vez que alguien conoce el password de root puede contarselo al resto de 
-usuarios. El grupo "wheel" hará que esto sea imposible, protegiendo así el poder
-de los superusuarios.
-.PP
-Yo estoy del lado de las masas, no de los superusuarios. Si eres de los que
-estan de acuerdo con los jefes y los administradores de sistemas en cualquier
-cosa que hagan, al principio encontrarás esta idea algo extraña.
diff -Nur coreutils-5.2.1.orig/man/fr/su.1 coreutils-5.2.1/man/fr/su.1
--- coreutils-5.2.1.orig/man/fr/su.1    Sun Aug 10 12:00:00 2003
+++ coreutils-5.2.1/man/fr/su.1 Thu Mar 18 17:05:55 2004
@@ -54,13 +54,6 @@
 peut être compilé afin de fournir des rapports d'échec, et éventuellement
 de réussite des tentatives d'utilisation de
 .BR su .
-.PP
-Ce programme ne gère pas le "groupe wheel" utilisé pour restreindre
-l'accès par 
-.B su
-au compte Super-Utilisateur, car il pourrait aider des administrateurs
-système fascistes à disposer d'un pouvoir incontrôlé
-sur les autres utilisateurs.
 .SS OPTIONS
 .TP
 .I "\-c COMMANDE, \-\-command=COMMANDE"
@@ -119,25 +112,5 @@
 .I "\-\-version"
 Afficher un numéro de version sur la sortie standard et se terminer normalement.
 
-.SH Pourquoi GNU SU ne gère-t-il pas le groupe `wheel' (par Richard Stallman)
-Il peut arriver qu'un petit groupe d'utilisateurs essayent de s'approprier
-l'ensemble du système. Par exemple, en 1984, quelques utilisateurs du
-laboratoire d'I.A du MIT ont tentés de prendre le pouvoir en modifiant
-le mot de passe de l'opérateur sur le système Twenex, et en
-gardant ce mot de passe secret. (J'ai pu les en empêcher en modifiant le noyau, et
-restaurer ainsi les autres accès, mais je ne saurais pas en faire autant
-sous Unix).
-.PP
-Néanmoins, il arrive parfois que les chefs fournissent le mot
-de passe de root à un utilisateur ordinaire.
-Avec le mécanisme habituel de \fBsu\fP,
-une fois que quelqu'un connaît ce mot de passe, il peut le transmettre
-à ses amis. Le principe du "groupe wheel" rend ce partage impossible,
-ce qui renforce la puissance des chefs.
-.PP
-Je me situe du cote du peuple, pas du côté des chefs. Si vous avez l'habitude
-de soutenir les patrons et les administrateurs systèmes quoi qu'ils fassent,
-cette idée peut vous paraître étrange au premier abord.
-
 .SH TRADUCTION
 Christophe Blaess, 1997-2003.
diff -Nur coreutils-5.2.1.orig/man/hu/su.1 coreutils-5.2.1/man/hu/su.1
--- coreutils-5.2.1.orig/man/hu/su.1    Sun Jul  9 14:19:12 2000
+++ coreutils-5.2.1/man/hu/su.1 Thu Mar 18 17:05:55 2004
@@ -151,33 +151,6 @@
 .B "\-\-version"
 A program verziójáról ír ki információt a standard kimenetre, majd 
 sikeres visszatérési értékkel kilép.
-.SH Miért nem támogatja a GNU su a wheel csoportot? (Richard Stallman)
-
-Néha a rendszer fölötti teljes ellenõrzést egy néhány emberbõl 
-álló csoport akarja kézbe venni. Például 1984-ben pár user a MIT AI
-laborban úgy döntött, hogy átveszik az irányítást a Twenex rendszer
-operátori jelszavának megváltoztatásával, és annak titokban tartásával. 
-(A puccsot sikerült leverni, és a felhasználókat jogaikba visszahelyezni 
-egy kernel patch segítségével, de Unix alatt ezt nem tudtam volna megcsinálni.)
-(A fordító megj.: a wheel csoportot ezzel a módszerrel könnyen
-önkényesen is leszûkíthetik a csoporttagok , így tulajdonképpen nincs sok értelme.)
-.PP
-Néha az uralmon levõk elárulják a root jelszót. A szokásos su 
-mechanizmus szerint, ha valaki megtudja a root jelszót, és 
-szimpatizál a többi közönséges felhasználóval, elárulhatja nekik 
-is. A wheel csoport ezt lehetetlenné tenné, és így bebetonozná az 
-uralmon levõ hatalmát.
-.PP
-Én a tömegek oldalán állok, nem az uralkodókén. Ha te mindig a 
-fõnökök és a rendszergazdák oldalán állsz, bármit is tesznek, akkor 
-valószínûleg furcsálni fogod ezt a hozzáállást.
-.PP
-A fordító megjegyzése: 
-Valami jó azért mégis lenne a wheel csoportban: az, hogy ha a root 
-jelszó kitudódna azzal nem tudna bármelyik felhasználó közvetlenül 
-visszaélni. A wheel csoporthoz hasonló dolgot lehet elérni a
-.B sudo
-csomaggal.
 .SH MEGJEGYZÉS
 A hibákat a bug-sh-utils@gnu.org címen lehet jelenteni.
 Az oldalt Ragnar Hojland Espinosa <ragnar@macula.net> frissítette.
diff -Nur coreutils-5.2.1.orig/man/it/su.1 coreutils-5.2.1/man/it/su.1
--- coreutils-5.2.1.orig/man/it/su.1    Mon Jul  1 23:09:38 2002
+++ coreutils-5.2.1/man/it/su.1 Thu Mar 18 17:05:55 2004
@@ -52,11 +52,6 @@
 .B su
 può essere compilato per riportare tramite syslog gli errori, ed
 eventualmente anche i successi che ottiene.
-.PP
-Questo programma non supporta un "gruppo wheel" che limita chi può fare
-.B su
-agli account del superuser, poiché ciò può aiutare amministratori di
-sistema "fascisti" a tenere un potere inautorizzato sugli altri utenti.
 .SS OPZIONI
 .TP
 .I "\-c COMANDO, \-\-command=COMANDO"
@@ -117,21 +112,3 @@
 .I "\-\-version"
 Stampa in standard output informazioni sulla versione e esce (con
 successo). 
-.SH Perché GNU su non supporta il gruppo wheel (di Richard Stallman)
-Qualche volta pochi utenti provano a tenere il potere assoluto sul
-resto degli utenti. Per esempio, nel 1984, alcuni utenti nel
-laboratorio di AI del MIT decisero impossessarsi del potere cambiando
-la password dell'operatore su un sistema Twenex e tenendola segreta a
-tutti gli altri (fui in grado di contrastare questo colpaccio e
-restituire il potere agli utenti ``patch-ando'' il kernel, ma non
-saprei come fare ciò in Unix).
-.PP
-Comunque, occasionalmente i sovrani lo fanno. Tramite l'usuale
-meccanismo  su, una volta che qualcuno che simpatizzi con gli
-utenti normali, abbia imparato la password di root può dirla anche
-agli altri. La caratteristica del "gruppo wheel" renderebbe ciò
-impossibile, consolidando quindi il potere dei sovrani.
-.PP
-Io sono dalla parte delle masse, non da quella dei sovrani. Se tu sei
-abituato a sostenere i capi e gli amministratori di sistema in tutto
-quello che fanno, potresti trovare questa idea strana all'inizio.
diff -Nur coreutils-5.2.1.orig/man/ja/su.1 coreutils-5.2.1/man/ja/su.1
--- coreutils-5.2.1.orig/man/ja/su.1    Sun Dec 14 16:06:54 2003
+++ coreutils-5.2.1/man/ja/su.1 Thu Mar 18 17:05:55 2004
@@ -83,12 +83,6 @@
 .B su
 ¤¬¼ºÇÔ¤·¤¿¤È¤­ syslog ¤Ë¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¥³¥ó¥Ñ¥¤¥ë¤¹¤ë¤³¤È
 ¤¬¤Ç¤­¤ë¡ÊÀ®¸ù¤ò¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¤â¤Ç¤­¤ë¡Ë¡£
-.PP
-¤³¤Î¥×¥í¥°¥é¥à¤Ï "wheel group" ¤Îµ¡Ç½¡Ê
-.B su
-¤Ë¤è¤Ã¤Æ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¡¼¥¢¥«¥¦¥ó¥È¤Ë¤Ê¤ì¤ë¥æ¡¼¥¶¤òÀ©¸Â¤¹¤ëµ¡Ç½¡Ë¤ò¥µ¥Ý¡¼
-¥È¤·¤Ê¤¤¡£¤³¤ì¤ÏÀìÀ©Åª¤Ê¥·¥¹¥Æ¥à´ÉÍý¼Ô¤¬Â¾¤Î¥æ¡¼¥¶¡¼¤ËÉÔÅö¤Ê¸¢ÎϤò¿¶¤ë
-¤¨¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤¿¤á¤Ç¤¢¤ë¡£
 .SS OPTIONS
 .TP
 .I "\-c COMMAND, \-\-command=COMMAND"
@@ -151,19 +145,3 @@
 .TP
 .I "\-\-version"
 ¥Ð¡¼¥¸¥ç¥ó¾ðÊó¤òɸ½à½ÐÎϤËɽ¼¨¤·¡¢¼Â¹ÔÀ®¸ù¤òÊÖ¤·¤Æ½ªÎ»¤¹¤ë¡£
-.SH GNU su ¤Ç wheel ¥°¥ë¡¼¥×¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¤ï¤±¡ÊRichard Stallman¡Ë
-¤È¤­¤ª¤ê¡¢¾¯¿ô¤Î¥æ¡¼¥¶¡¼¤Ë¤è¤Ã¤Æ¡¢Â¾¤Î¥æ¡¼¥¶¡¼¤ËÂФ¹¤ëÁ´¸¢¤ò¾¸°®¤·¤è¤¦
-¤È¤¹¤ë»î¤ß¤¬¤Ê¤µ¤ì¤ë¤³¤È¤¬¤¢¤ë¡£Î㤨¤Ð 1984 ǯ¡¢ MIT AI ¥é¥Ü¤Î¾¯¿ô¤Î¥æ¡¼
-¥¶¡¼¤Ï Twenex ¥·¥¹¥Æ¥à¤Î¥ª¥Ú¥ì¡¼¥¿¡¼¥Ñ¥¹¥ï¡¼¥É¤ÎÊѹ¹¸¢¸Â¤ò¶¯Ã¥¤·¡¢¤³¤ì
-¤ò¾¤Î¥æ¡¼¥¶¡¼¤«¤éÈëÆ¿¤¹¤ë¤³¤È¤Ë·èÄꤷ¤¿¡Ê¤³¤ÎºÝ¤Ë¤Ï»ä¤Ï¤³¤Î¥¯¡¼¥Ç¥¿¡¼
-¤Î΢¤ò¤«¤­¡¢¥«¡¼¥Í¥ë¤Ë¥Ñ¥Ã¥Á¤òÅö¤Æ¤Æ¸¢¸Â¤ò¼è¤êÊÖ¤¹¤³¤È¤ËÀ®¸ù¤·¤¿¡£¤·¤«
-¤·¤³¤ì¤¬ Unix ¤Ç¤¢¤Ã¤¿¤é¡¢»ä¤Ë¤Ï¤É¤¦¤¹¤ì¤Ð¤è¤¤¤«¤ï¤«¤é¤Ê¤«¤Ã¤¿¤À¤í¤¦¡Ë¡£
-.PP
-¤·¤«¤·¤Ê¤¬¤é¡¢»þ¤Ë¤ÏÀìÀ©¼Ô¤âÈëÌ©¤òϳ¤é¤¹¤â¤Î¤Ç¤¢¤ë¡£Ä̾ï¤Î su ¤Î¥á¥«¥Ë
-¥º¥à¤Ç¤Ï¡¢°ìÈ̥桼¥¶¡¼¤Î¦¤ËΩ¤Ä¼Ô¤¬ root ¤Î¥Ñ¥¹¥ï¡¼¥É¤òÃΤì¤Ð¡¢¤³¤ì¤ò
-¾¤Î¥æ¡¼¥¶¡¼¤Ë¤âÃΤ餻¤ë¤³¤È¤¬¤Ç¤­¤ë¡£¤·¤«¤· "wheel group" µ¡Ç½¤Ï¤³¤ì
-¤òÉÔ²Äǽ¤Ë¤·¡¢·ë²Ì¤È¤·¤ÆÀìÀ©¼Ôã¤Î¸¢¸Â¤ò¶¯¸Ç¤¿¤ë¤â¤Î¤Ë¤·¤Æ¤·¤Þ¤¦¡£
-.PP
-»ä¤ÏÂç½°¤Î¦¤ËΩ¤Ä¤â¤Î¤Ç¤¢¤ê¡¢ÀìÀ©Åª¤ÊΩ¾ì¤Ë¤ÏÈ¿ÂФ¹¤ë¡£¤¢¤Ê¤¿¤Ï¥Ü¥¹¤ä
-¥·¥¹¥Æ¥à´ÉÍý¼Ô¤Î¤ä¤ê¸ý¤Ë½¾¤¦¤³¤È¤Ë´·¤ì¤Æ¤¤¤ë¤«¤âÃΤì¤Ê¤¤¤¬¡¢¤½¤Î¾ì¹ç¤Ï
-¤Þ¤º¤½¤Î¤³¤È¼«¿È¤òÉԻ׵Ĥ˻פ¦¤Ù¤­¤Ç¤Ï¤Ê¤¤¤À¤í¤¦¤«¡£
diff -Nur coreutils-5.2.1.orig/man/pl/su.1 coreutils-5.2.1/man/pl/su.1
--- coreutils-5.2.1.orig/man/pl/su.1    Tue Jun 20 16:07:31 2000
+++ coreutils-5.2.1/man/pl/su.1 Thu Mar 18 17:05:55 2004
@@ -78,8 +78,6 @@
 mo¿e zostaæ tak skompilowane, by raportowa³o nieudane, lub opcjonalnie
 równie¿ udane próby zmiany id przy u¿yciu
 .BR su .
-Jednak \fBsu\fP w wersji GNU nie sprawdza czy u¿ytkownik jest cz³onkiem grupy
-`wheel' -- patrz poni¿ej.
 .SH OPCJE
 .TP
 .BR \-c " \fIpolecenie\fP, " \-\-command= \fIpolecenie
@@ -139,25 +137,6 @@
 .TP
 .B \-\-version
 Wy¶wietla numer wersji programu i koñczy pracê.
-.SH Dlaczego GNU `su' nie obs³uguje grupy `wheel'
-
-(Sekcjê tê napisa³ Richard Stallman)
-
-Czasami kilku u¿ytkowników usi³uje sprawowaæ nieograniczon± w³adzê nad
-pozosta³ymi. Na przyk³ad, w 1984, kilku u¿ytkowników w laboratorium AI MIT
-zdecydowa³o siê `przej±æ w³adzê' zmieniaj±c has³o operatora systemu Twenex
-i trzymaj±c je w tajemnicy przed wszystkimi innymi. (Uda³o mi siê
-udaremniæ ten zamach i przywróciæ w³adzê u¿ytkownikom ³ataj±c j±dro, lecz
-nie wiedzia³bym jak zrobiæ to w Uniksie.)
-
-Jednak, od czasu do czasu panuj±cy wyjawiaj± komu¶. Przy zwyk³ym
-mechanizmie `su', kto¶, kto pozna³ has³o root'a i sympatyzuje ze zwyk³ymi
-u¿ytkownikami, mo¿e przekazaæ je pozosta³ym. Funkcja "grupy wheel"
-uniemo¿liwia³aby to, i w ten sposób umacnia³a w³adzê rz±dz±cych.
-
-Jestem po stronie mas, nie po stronie rz±dz±cych. Je¿eli zwyk³e¶ popieraæ
-szefów i administratorów systemów we wszystkim, co robi±, podej¶cie to mo¿e
-pocz±tkowo wydaæ Ci siê dziwne.
 .SH "ZG£ASZANIE B£ÊDÓW"
 B³êdy proszê zg³aszaæ, w jêz.ang., do <bug-sh-utils@gnu.org>.
 .SH COPYRIGHT
diff -Nur coreutils-5.2.1.orig/po/pl.po coreutils-5.2.1/po/pl.po
--- coreutils-5.2.1.orig/po/pl.po       Thu Mar 18 16:58:54 2004
+++ coreutils-5.2.1/po/pl.po    Thu Mar 18 17:05:55 2004
@@ -7332,6 +7332,41 @@
 msgid "Usage: %s [OPTION]... [-] [USER [ARG]...]\n"
 msgstr "Sk³adnia: %s [OPCJA]... [-] [U¯YTKOWNIK [ARGUMENT]...]\n"
 
+#: src/su.c:468
+msgid "could not open session\n"
+msgstr "nie mo¿na otworzyæ sesji\n"
+
+#: src/su.c:476
+msgid "error copying PAM environment\n"
+msgstr "b³±d podczas kopiowania ¶rodowiska PAM\n"
+
+#: src/su.c:521
+#, c-format
+msgid "cannot fork user shell: %s"
+msgstr "nie mo¿na utworzyæ procesu pow³oki u¿ytkownika: %s"
+
+#: src/su.c:527
+#, c-format
+msgid "%s: signal malfunction\n"
+msgstr "%s: b³êdne dzia³anie sygna³ów\n"
+
+#: src/su.c:540
+#, c-format
+msgid "%s: signal masking malfunction\n"
+msgstr "%s: b³êdne dzia³anie maskowania sygna³ów\n"
+
+#: src/su.c:559
+msgid ""
+"\n"
+"Session terminated, killing shell..."
+msgstr ""
+"\n"
+"Sesja zakoñczona, zabijanie pow³oki..."
+
+#: src/su.c:569
+msgid " killed.\n"
+msgstr " zabito.\n"
+
 #: src/su.c:437
 msgid ""
 "Change the effective user id and group id to that of USER.\n"
diff -Nur coreutils-5.2.1.orig/src/Makefile.am coreutils-5.2.1/src/Makefile.am
--- coreutils-5.2.1.orig/src/Makefile.am        Mon Feb  2 09:12:57 2004
+++ coreutils-5.2.1/src/Makefile.am     Thu Mar 18 17:08:45 2004
@@ -63,7 +63,7 @@
 
 uptime_LDADD = $(LDADD) $(GETLOADAVG_LIBS)
 
-su_LDADD = $(LDADD) $(LIB_CRYPT)
+su_LDADD = $(LDADD) $(LIB_CRYPT) $(LIB_PAM)
 
 $(PROGRAMS): ../lib/libfetish.a
 
diff -Nur coreutils-5.2.1.orig/src/su.c coreutils-5.2.1/src/su.c
--- coreutils-5.2.1.orig/src/su.c       Wed Jan 21 23:27:02 2004
+++ coreutils-5.2.1/src/su.c    Thu Mar 18 17:11:21 2004
@@ -38,6 +38,16 @@
    restricts who can su to UID 0 accounts.  RMS considers that to
    be fascist.
 
+#ifdef USE_PAM
+
+   Actually, with PAM, su has nothing to do with whether or not a
+   wheel group is enforced by su.  RMS tries to restrict your access
+   to a su which implements the wheel group, but PAM considers that
+   to be fascist, and gives the user/sysadmin the opportunity to
+   enforce a wheel group by proper editing of /etc/pam.conf
+
+#endif
+
    Options:
    -, -l, --login      Make the subshell a login shell.
                        Unset all environment variables except
@@ -81,6 +91,14 @@
    prototype (returning `int') in <unistd.h>.  */
 #define getusershell _getusershell_sys_proto_
 
+#ifdef USE_PAM
+# include <security/pam_appl.h>
+# include <security/pam_misc.h>
+# include <signal.h>
+# include <sys/wait.h>
+# include <sys/fsuid.h>
+#endif /* USE_PAM */
+
 #include "system.h"
 #include "dirname.h"
 
@@ -141,7 +159,9 @@
 /* The user to become if none is specified.  */
 #define DEFAULT_USER "root"
 
+#ifndef USE_PAM
 char *crypt ();
+#endif
 char *getpass ();
 char *getusershell ();
 void endusershell ();
@@ -149,7 +169,7 @@
 
 extern char **environ;
 
-static void run_shell (const char *, const char *, char **)
+static void run_shell (const char *, const char *, char **, const struct passwd *)
      ATTRIBUTE_NORETURN;
 
 /* The name this program was run with.  */
@@ -262,7 +282,22 @@
 }
 #endif
 
+#ifdef USE_PAM
+static pam_handle_t *pamh = NULL;
+static int retval;
+static struct pam_conv conv = {
+  misc_conv,
+  NULL
+};
+
+#define PAM_BAIL_P if (retval) { \
+  pam_end(pamh, PAM_SUCCESS); \
+  return 0; \
+}
+#endif
+
 /* Ask the user for a password.
+   If PAM is in use, let PAM ask for the password if necessary.
    Return 1 if the user gives the correct password for entry PW,
    0 if not.  Return 1 without asking for a password if run by UID 0
    or if PW has an empty password.  */
@@ -270,6 +305,29 @@
 static int
 correct_password (const struct passwd *pw)
 {
+#ifdef USE_PAM
+  /* root always succeeds; this isn't an authentication question (no
+   * extra privs are being granted) so it shouldn't authenticate with PAM.
+   * However, we want to create the pam_handle so that proper credentials
+   * are created later with pam_setcred(). */
+  retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
+  PAM_BAIL_P;
+
+  retval = pam_authenticate(pamh, 0);
+  PAM_BAIL_P;
+
+  retval = pam_acct_mgmt(pamh, 0);
+  if (retval == PAM_NEW_AUTHTOK_REQD) {
+    /* password has expired.  Offer option to change it. */
+    if (getuid()) {
+           retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+           PAM_BAIL_P;
+    } else retval = PAM_SUCCESS;
+  }
+  PAM_BAIL_P;
+  /* must be authenticated if this point was reached */
+  return 1;
+#else /* !USE_PAM */
   char *unencrypted, *encrypted, *correct;
 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
   /* Shadow passwd stuff for SVR3 and maybe other systems.  */
@@ -294,6 +352,7 @@
   encrypted = crypt (unencrypted, correct);
   memset (unencrypted, 0, strlen (unencrypted));
   return strcmp (encrypted, correct) == 0;
+#endif /* !USE_PAM */
 }
 
 /* Update `environ' for the new shell based on PW, with SHELL being
@@ -303,16 +362,20 @@
 modify_environment (const struct passwd *pw, const char *shell)
 {
   char *term;
+  char *display;
 
   if (simulate_login)
     {
-      /* Leave TERM unchanged.  Set HOME, SHELL, USER, LOGNAME, PATH.
+      /* Leave TERM, DISPLAY unchanged.  Set HOME, SHELL, USER, LOGNAME, PATH.
          Unset all other environment variables.  */
       term = getenv ("TERM");
+      display = getenv ("DISPLAY");
       environ = xmalloc (2 * sizeof (char *));
       environ[0] = 0;
       if (term)
        xputenv (concat ("TERM", "=", term));
+      if (display)
+       xputenv (concat ("DISPLAY", "=", display));
       xputenv (concat ("HOME", "=", pw->pw_dir));
       xputenv (concat ("SHELL", "=", shell));
       xputenv (concat ("USER", "=", pw->pw_name));
@@ -349,23 +412,74 @@
     error (EXIT_FAIL, errno, _("cannot set groups"));
   endgrent ();
 #endif
+#ifdef USE_PAM
+  retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+  if (retval != PAM_SUCCESS)
+    error (1, 0, pam_strerror(pamh, retval));
+#endif /* USE_PAM */
   if (setgid (pw->pw_gid))
     error (EXIT_FAIL, errno, _("cannot set group id"));
   if (setuid (pw->pw_uid))
     error (EXIT_FAIL, errno, _("cannot set user id"));
 }
 
+#ifdef USE_PAM
+static int caught=0;
+/* Signal handler for parent process later */
+static void su_catch_sig(int sig)
+{
+  ++caught;
+}
+
+int
+pam_copyenv (pam_handle_t *pamh)
+{
+  char **env;
+ 
+  env = pam_getenvlist(pamh);
+  if(env) {
+    while(*env) {
+       xputenv(*env);
+       env++;
+    }
+  }
+  return(0);
+}
+#endif
+
 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
    If COMMAND is nonzero, pass it to the shell with the -c option.
    If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
    arguments.  */
 
 static void
-run_shell (const char *shell, const char *command, char **additional_args)
+run_shell (const char *shell, const char *command, char **additional_args, const struct passwd *pw)
 {
   const char **args;
   int argno = 1;
 
+#ifdef USE_PAM
+  int child;
+  sigset_t ourset;
+  int status;
+
+  retval = pam_open_session(pamh,0);
+  if (retval != PAM_SUCCESS) {
+    fprintf (stderr, _("could not open session\n"));
+    exit (1);
+  }
+
+/* do this at the last possible moment, because environment variables may
+   be passed even in the session phase
+*/
+  if(pam_copyenv(pamh) != PAM_SUCCESS)
+     fprintf (stderr, _("error copying PAM environment\n"));
+  
+  child = fork();
+  if (child == 0) {  /* child shell */
+  change_identity (pw);
+  pam_end(pamh, 0);
+#endif
   if (additional_args)
     args = xmalloc (sizeof (char *)
                                    * (10 + elements (additional_args)));
@@ -402,6 +516,61 @@
     error (0, errno, "%s", shell);
     exit (exit_status);
   }
+#ifdef USE_PAM
+  } else if (child == -1) {
+      fprintf(stderr, _("cannot fork user shell: %s"), strerror(errno));
+      exit(1);
+  }
+  /* parent only */
+  sigfillset(&ourset);
+  if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
+    fprintf(stderr, _("%s: signal malfunction\n"), PROGRAM_NAME);
+    caught = 1;
+  }
+  if (!caught) {
+    struct sigaction action;
+    action.sa_handler = su_catch_sig;
+    sigemptyset(&action.sa_mask);
+    action.sa_flags = 0;
+    sigemptyset(&ourset);
+    if (sigaddset(&ourset, SIGTERM)
+        || sigaddset(&ourset, SIGALRM)
+        || sigaction(SIGTERM, &action, NULL)
+        || sigprocmask(SIG_UNBLOCK, &ourset, NULL)) {
+      fprintf(stderr, _("%s: signal masking malfunction\n"), PROGRAM_NAME);
+      caught = 1;
+    }
+  }
+  if (!caught) {
+    do {
+      int pid;
+
+      pid = waitpid(-1, &status, WUNTRACED);
+
+      if (WIFSTOPPED(status)) {
+          kill(getpid(), SIGSTOP);
+          /* once we get here, we must have resumed */
+          kill(pid, SIGCONT);
+      }
+    } while (WIFSTOPPED(status));
+  }
+
+  if (caught) {
+    fprintf(stderr, _("\nSession terminated, killing shell..."));
+    kill (child, SIGTERM);
+  }
+  retval = pam_close_session(pamh, 0);
+  PAM_BAIL_P;
+  retval = pam_end(pamh, PAM_SUCCESS);
+  PAM_BAIL_P;
+  if (caught) {
+    sleep(2);
+    kill(child, SIGKILL);
+    fprintf(stderr, _(" killed.\n"));
+    exit(-1);
+  }
+  exit (WEXITSTATUS(status));
+#endif /* USE_PAM */
 }
 
 /* Return 1 if SHELL is a restricted shell (one not returned by
@@ -577,9 +746,14 @@
     }
   modify_environment (pw, shell);
 
+
+#ifdef USE_PAM
+  setfsuid(pw->pw_uid);
+#else
   change_identity (pw);
+#endif
   if (simulate_login && chdir (pw->pw_dir))
     error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
 
-  run_shell (shell, command, additional_args);
+  run_shell (shell, command, additional_args, pw);
 }