Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Fixes to man8 groff mandoc style, usage mistakes, or typos.

PR: 168016
Submitted by: Nobuyuki Koganemaru
Approved by: gjb
MFC after: 3 days

Fix error messages containing the executed command name

Before, we took the first argument to pam_exec(8). With the addition of
options in front of the command, this could be wrong.

Now, options are parsed before calling _pam_exec() and messages contain
the proper command name.

While here, fix a warning.

Sponsored by: Yakaz (http://www.yakaz.com)

Use program exit status as pam_exec return code (optional)

pam_exec(8) now accepts a new option "return_prog_exit_status". When
set, the program exit status is used as the pam_exec return code. It
allows the program to tell why the step failed (eg. user unknown).
However, if it exits with a code not allowed by the calling PAM service
module function (see $PAM_SM_FUNC below), a warning is logged and
PAM_SERVICE_ERR is returned.

The following changes are related to this new feature but they apply no
matter if the "return_prog_exit_status" option is set or not.

The environment passed to the program is extended:
o $PAM_SM_FUNC contains the name of the PAM service module function
(eg. pam_sm_authenticate).
o All valid PAM return codes' numerical values are available
through variables named after the return code name. For instance,
$PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.

pam_exec return code better reflects what went on:
o If the program exits with !0, the return code is now
PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
o If the program fails because of a signal (WIFSIGNALED) or doesn't
terminate normally (!WIFEXITED), the return code is now
PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
o If a syscall in pam_exec fails, the return code remains
PAM_SYSTEM_ERR.

waitpid(2) is called in a loop. If it returns because of EINTR, do it
again. Before, it would return PAM_SYSTEM_ERR without waiting for the
child to exit.

Several log messages now include the PAM service module function name.

The man page is updated accordingly.

Reviewed by: gleb@, des@
Sponsored by: Yakaz (http://www.yakaz.com)
MFC after: 2 weeks

Build lib/ with WARNS=6 by default.

Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.

I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.

Include <stdio.h> for asprintf().

Submitted by: Pawel Worach

childerr needs to be volatile so gcc won't optimize it away.

PR: bin/85830
MFC after: 1 week

When (re)allocating space for an array of pointers to char, use
sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than
sizeof(char)).

It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.

Submitted by: Vitezslav Novy
MFC after: 1 day

Assorted markup fixes.

Approved by: re

In addition to the PAM environment, export a handful of useful PAM items.

Suggested by: Ed Maste <emaste@phaedrus.sandvine.ca>

Mechanically kill hard sentence breaks.

style.Makefile(5) police
(I've tried to keep to the spirit of the original formatting)

Reviewed by: des

Don't blame markm for what he didn't do - writing these man pages, for
instance. Also bump the date since I made substantial modifications
earlier today.

Update copyright.

Export the PAM environment to the child process instead of the "normal"
environment list, which may be unsafe and / or sensitive.

Sponsored by: DARPA, NAI Labs

Just to show that PAM can do almost anything from the ridiculous to the
obscene, or - as they say in New York - sophisticated, add pam_echo(8) and
pam_exec(8) to our ever-lengthening roster of PAM modules.

Sponsored by: DARPA, NAI Labs.