rpms/pam/devel pam-0.99.8.1-unix-blankpass.patch, 1.1, 1.2 pam-0.99.8.1-unix-update-helper.patch, 1.1, 1.2 pam.spec, 1.156, 1.157

Tue Sep 18 20:24:00 UTC 2007

Author: tmraz

Update of /cvs/pkgs/rpms/pam/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv737

Modified Files:
	pam-0.99.8.1-unix-blankpass.patch 
	pam-0.99.8.1-unix-update-helper.patch pam.spec 
Log Message:
* Tue Sep 18 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-7
- when SELinux enabled always run the helper binary instead of
  direct shadow access (#293181)


pam-0.99.8.1-unix-blankpass.patch:

Index: pam-0.99.8.1-unix-blankpass.patch
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam-0.99.8.1-unix-blankpass.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2

--- pam-0.99.8.1-unix-blankpass.patch	24 Aug 2007 13:15:01 -0000	1.1
+++ pam-0.99.8.1-unix-blankpass.patch	18 Sep 2007 20:23:57 -0000	1.2
@@ -1,7 +1,7 @@
 diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
---- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass	2007-08-22 18:45:17.000000000 +0200
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c	2007-08-24 10:21:54.000000000 +0200
-@@ -48,7 +48,7 @@ int main(int argc, char *argv[])
+--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass	2007-09-18 13:50:40.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c	2007-09-18 13:50:40.000000000 +0200
+@@ -50,7 +50,7 @@ int main(int argc, char *argv[])
  	char pass[MAXPASS + 1];
  	char *option;
  	int npass, nullok;
@@ -10,7 +10,7 @@
  	int retval = PAM_AUTH_ERR;
  	char *user;
  	char *passwords[] = { pass };
-@@ -113,6 +113,10 @@ int main(int argc, char *argv[])
+@@ -115,6 +115,10 @@ int main(int argc, char *argv[])
  	if (npass != 1) {	/* is it a valid password? */
  		_log_err(LOG_DEBUG, "no valid password supplied");
  	}
@@ -21,7 +21,7 @@
  
  	retval = _unix_verify_password(user, pass, nullok);
  
-@@ -120,8 +124,11 @@ int main(int argc, char *argv[])
+@@ -122,8 +126,11 @@ int main(int argc, char *argv[])
  
  	/* return pass or fail */
  
@@ -36,11 +36,11 @@
  	} else {
  	    return PAM_SUCCESS;
 diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
---- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass	2007-08-22 18:45:17.000000000 +0200
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c	2007-08-24 10:38:09.000000000 +0200
-@@ -36,6 +36,9 @@
- #define SELINUX_ENABLED 0
- #endif
+--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass	2007-09-18 13:50:40.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c	2007-09-18 17:56:57.000000000 +0200
+@@ -38,6 +38,9 @@
+ 
+ const char app_name[]="pam_unix";
  
 +static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
 +				   unsigned int ctrl, const char *user);
@@ -48,18 +48,17 @@
  /* this is a front-end for module-application conversations */
  
  int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
-@@ -441,6 +444,14 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+@@ -442,6 +445,13 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+ 			 * ...and shadow password file entry for this user,
  			 * if shadowing is enabled
  			 */
- 			spwdent = pam_modutil_getspnam(pamh, name);
-+			if (spwdent == NULL && (geteuid() || SELINUX_ENABLED)) {
-+				/* we are not root perhaps this is the reason? Run helper */
++			if (geteuid() || SELINUX_ENABLED) {
++				/* We do not have direct access to shadow. Run helper. */
 +				D(("running helper binary"));
 +				if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
 +					return 1;
-+				else
-+					return 0;
++				return 0;
 +			}
+ 			spwdent = pam_modutil_getspnam(pamh, name);
  		}
  		if (spwdent)
- 			salt = x_strdup(spwdent->sp_pwdp);

pam-0.99.8.1-unix-update-helper.patch:

View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.1 -r 1.2 pam-0.99.8.1-unix-update-helper.patch
Index: pam-0.99.8.1-unix-update-helper.patch
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam-0.99.8.1-unix-update-helper.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- pam-0.99.8.1-unix-update-helper.patch	23 Jul 2007 18:46:31 -0000	1.1
+++ pam-0.99.8.1-unix-update-helper.patch	18 Sep 2007 20:23:57 -0000	1.2
@@ -1,846 +1,224 @@
---- /dev/null	2007-07-08 21:11:04.052436262 +0200
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/passupdate.c	2007-07-23 13:40:56.000000000 +0200
-@@ -0,0 +1,560 @@
-+/*
-+ * Main coding by Elliot Lee <sopwith at redhat.com>, Red Hat Software.
-+ * Copyright (C) 1996.
-+ * Copyright (c) Jan Rêkorajski, 1999.
-+ * Copyright (c) Red Hat, Inc., 2007
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, and the entire permission notice in its entirety,
-+ *    including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ *    products derived from this software without specific prior
-+ *    written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions.  (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/* this will be included from module and update helper */
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c.update-helper Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c.update-helper	2007-04-30 12:47:30.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c	2007-09-18 09:52:43.000000000 +0200
+@@ -2,6 +2,7 @@
+  * Main coding by Elliot Lee <sopwith at redhat.com>, Red Hat Software.
+  * Copyright (C) 1996.
+  * Copyright (c) Jan Rêkorajski, 1999.
++ * Copyright (c) Red Hat, Inc., 2007.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -92,15 +93,6 @@ extern int getrpcport(const char *host, 
+ #endif				/* GNU libc 2.1 */
+ 
+ /*
+- * PAM framework looks for these entry-points to pass control to the
+- * password changing module.
+- */
+-
+-#if defined(USE_LCKPWDF) && !defined(HAVE_LCKPWDF)
+-# include "./lckpwdf.-c"
+-#endif
+-
+-/*
+    How it works:
+    Gets in username (has to be done) from the calling program
+    Does authentication of user (only if we are not running as root)
+@@ -108,82 +100,15 @@ extern int getrpcport(const char *host, 
+    Sets it.
+  */
+ 
+-/* passwd/salt conversion macros */
+-
+-#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.')
+-#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')
+-
+ /* data tokens */
+ 
+ #define _UNIX_OLD_AUTHTOK	"-UN*X-OLD-PASS"
+ #define _UNIX_NEW_AUTHTOK	"-UN*X-NEW-PASS"
+ 
+ #define MAX_PASSWD_TRIES	3
+-#define PW_TMPFILE		"/etc/npasswd"
+-#define SH_TMPFILE		"/etc/nshadow"
+ #ifndef CRACKLIB_DICTS
+ #define CRACKLIB_DICTS		NULL
+ #endif
+-#define OPW_TMPFILE		"/etc/security/nopasswd"
+-#define OLD_PASSWORDS_FILE	"/etc/security/opasswd"
+-
+-/*
+- * i64c - convert an integer to a radix 64 character
+- */
+-static int i64c(int i)
+-{
+-	if (i < 0)
+-		return ('.');
+-	else if (i > 63)
+-		return ('z');
+-	if (i == 0)
+-		return ('.');
+-	if (i == 1)
+-		return ('/');
+-	if (i >= 2 && i <= 11)
+-		return ('0' - 2 + i);
+-	if (i >= 12 && i <= 37)
+-		return ('A' - 12 + i);
+-	if (i >= 38 && i <= 63)
+-		return ('a' - 38 + i);
+-	return ('\0');
+-}
+-
+-static char *crypt_md5_wrapper(const char *pass_new)
+-{
+-	/*
+-	 * Code lifted from Marek Michalkiewicz's shadow suite. (CG)
+-	 * removed use of static variables (AGM)
+-	 */
+-
+-	struct timeval tv;
+-	MD5_CTX ctx;
+-	unsigned char result[16];
+-	char *cp = (char *) result;
+-	unsigned char tmp[16];
+-	int i;
+-	char *x = NULL;
+-
+-	GoodMD5Init(&ctx);
+-	gettimeofday(&tv, (struct timezone *) 0);
+-	GoodMD5Update(&ctx, (void *) &tv, sizeof tv);
+-	i = getpid();
+-	GoodMD5Update(&ctx, (void *) &i, sizeof i);
+-	i = clock();
+-	GoodMD5Update(&ctx, (void *) &i, sizeof i);
+-	GoodMD5Update(&ctx, result, sizeof result);
+-	GoodMD5Final(tmp, &ctx);
+-	strcpy(cp, "$1$");	/* magic for the MD5 */
+-	cp += strlen(cp);
+-	for (i = 0; i < 8; i++)
+-		*cp++ = i64c(tmp[i] & 077);
+-	*cp = '\0';
+-
+-	/* no longer need cleartext */
+-	x = Goodcrypt_md5(pass_new, (const char *) result);
+-
+-	return x;
+-}
+ 
+ static char *getNISserver(pam_handle_t *pamh)
+ {
+@@ -217,7 +142,8 @@ static char *getNISserver(pam_handle_t *
+ 
+ #ifdef WITH_SELINUX
+ 
+-static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, const char *fromwhat, const char *towhat)
++static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user,
++    const char *fromwhat, const char *towhat, int remember)
+ {
+     int retval, child, fds[2];
+     void (*sighandler)(int) = NULL;
+@@ -247,7 +173,8 @@ static int _unix_run_shadow_binary(pam_h
+         size_t i=0;
+         struct rlimit rlim;
+ 	static char *envp[] = { NULL };
+-	char *args[] = { NULL, NULL, NULL, NULL };
++	char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
++        char buffer[16];
+ 
+ 	/* XXX - should really tidy up PAM here too */
+ 
+@@ -270,11 +197,18 @@ static int _unix_run_shadow_binary(pam_h
+         }
+ 
+ 	/* exec binary helper */
+-	args[0] = x_strdup(CHKPWD_HELPER);
++	args[0] = x_strdup(UPDATE_HELPER);
+ 	args[1] = x_strdup(user);
+-	args[2] = x_strdup("shadow");
++	args[2] = x_strdup("update");
++	if (on(UNIX_SHADOW, ctrl))
++		args[3] = x_strdup("1");
++	else
++		args[3] = x_strdup("0");
+ 
+-	execve(CHKPWD_HELPER, args, envp);
++        snprintf(buffer, sizeof(buffer), "%d", remember);
++        args[4] = x_strdup(buffer);
++	
++	execve(UPDATE_HELPER, args, envp);
[...1746 lines suppressed...]
++      if (getfscreatecon(&prev_context)<0) {
++	freecon(shadow_context);
++	return PAM_AUTHTOK_ERR;
++      }
++      if (setfscreatecon(shadow_context)) {
++	freecon(shadow_context);
++	freecon(prev_context);
++	return PAM_AUTHTOK_ERR;
++      }
++      freecon(shadow_context);
++    }
++#endif
++    pwfile = fopen(SH_TMPFILE, "w");
++    umask(oldmask);
++    if (pwfile == NULL) {
++	err = 1;
++	goto done;
++    }
++
++    opwfile = fopen("/etc/shadow", "r");
++    if (opwfile == NULL) {
++	fclose(pwfile);
++	err = 1;
++	goto done;
++    }
++
++    if (fstat(fileno(opwfile), &st) == -1) {
++	fclose(opwfile);
++	fclose(pwfile);
++	err = 1;
++	goto done;
++    }
++
++    if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) {
++	fclose(opwfile);
++	fclose(pwfile);
++	err = 1;
++	goto done;
++    }
++    if (fchmod(fileno(pwfile), st.st_mode) == -1) {
++	fclose(opwfile);
++	fclose(pwfile);
++	err = 1;
++	goto done;
++    }
++
++    stmpent = fgetspent(opwfile);
++    while (stmpent) {
++
++	if (!strcmp(stmpent->sp_namp, forwho)) {
++	    stmpent->sp_pwdp = towhat;
++	    stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24);
++	    err = 0;
++	    D(("Set password %s for %s", stmpent->sp_pwdp, forwho));
++	}
++
++	if (putspent(stmpent, pwfile)) {
++	    D(("error writing entry to shadow file: %m"));
++	    err = 1;
++	    break;
++	}
++
++	stmpent = fgetspent(opwfile);
++    }
++    fclose(opwfile);
++
++    if (fclose(pwfile)) {
++	D(("error writing entries to shadow file: %m"));
++	err = 1;
++    }
++
++ done:
++    if (!err) {
++	if (!rename(SH_TMPFILE, "/etc/shadow"))
++#ifdef HELPER_COMPILE
++	    _log_err(
++#else
++	    pam_syslog(pamh, 
++#endif
++		LOG_NOTICE, "password changed for %s", forwho);
++	else
++	    err = 1;
++    }
++
++#ifdef WITH_SELINUX
++    if (SELINUX_ENABLED) {
++      if (setfscreatecon(prev_context)) {
++	err = 1;
++      }
++      if (prev_context)
++	freecon(prev_context);
++      prev_context=NULL;
++    }
++#endif
++
++    if (!err) {
++	return PAM_SUCCESS;
++    } else {
++	unlink(SH_TMPFILE);
++	return PAM_AUTHTOK_ERR;
++    }
++}
+diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_unix/unix_update.c
+--- /dev/null	2007-09-17 08:57:19.474470099 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_update.c	2007-09-18 10:16:36.000000000 +0200
+@@ -0,0 +1,264 @@
 +/*
 + * This program is designed to run setuid(root) or with sufficient
 + * privilege to read all of the unix password databases. It is designed
@@ -1984,6 +2009,8 @@
 +        _pam_drop(xx);          \
 +}
 +
++const char app_name[] = "unix_update";
++
 +static int
 +_unix_shadowed(const struct passwd *pwd)
 +{
@@ -2194,8 +2221,9 @@
 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 + * OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
---- /dev/null	2007-07-08 21:11:04.052436262 +0200
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c	2007-07-23 13:40:56.000000000 +0200
+diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c
+--- /dev/null	2007-09-17 08:57:19.474470099 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c	2007-09-18 10:15:19.000000000 +0200
 @@ -0,0 +1,308 @@
 +/*
 + * This program is designed to run setuid(root) or with sufficient
@@ -2242,7 +2270,7 @@
 +	va_list args;
 +
 +	va_start(args, format);
-+	openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
++	openlog(app_name, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
 +	vsyslog(err, format, args);
 +	va_end(args);
 +	closelog();
@@ -2505,9 +2533,40 @@
 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 + * OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.update-helper Linux-PAM-0.99.8.1/modules/pam_unix/support.c
+--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.update-helper	2007-02-06 17:06:45.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c	2007-09-18 12:05:31.000000000 +0200
+@@ -36,6 +36,8 @@
+ #define SELINUX_ENABLED 0
+ #endif
+ 
++const char app_name[]="pam_unix";
++
+ /* this is a front-end for module-application conversations */
+ 
+ int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
+@@ -627,7 +629,7 @@ int _unix_verify_password(pam_handle_t *
+ 				setreuid( save_uid, -1 );
+ 				setreuid( -1, save_euid );
+ 			}
+-		} else if (_unix_shadowed(pwd)) {
++		} else if (_unix_shadowed(pwd) && !SELINUX_ENABLED) {
+ 			/*
+ 			 * ...and shadow password file entry for this user,
+ 			 * if shadowing is enabled
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am.update-helper Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am
 --- Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am.update-helper	2006-12-18 19:50:50.000000000 +0100
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am	2007-07-23 13:40:56.000000000 +0200
-@@ -16,7 +16,8 @@
++++ Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am	2007-09-18 12:54:44.000000000 +0200
+@@ -4,7 +4,7 @@
+ 
+ CLEANFILES = *~
+ 
+-EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \
++EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c passupdate.c $(MANS) CHANGELOG \
+ 		tst-pam_unix $(XMLS) 
+ 
+ man_MANS = pam_unix.8 unix_chkpwd.8
+@@ -16,7 +16,8 @@ securelibdir = $(SECUREDIR)
  secureconfdir = $(SCONFIGDIR)
  
  AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
@@ -2517,7 +2576,7 @@
  
  if HAVE_LIBSELINUX
    AM_CFLAGS += -D"WITH_SELINUX"
-@@ -34,9 +35,9 @@
+@@ -34,9 +35,9 @@ endif
  
  securelib_LTLIBRARIES = pam_unix.la
  
@@ -2529,7 +2588,7 @@
  
  noinst_PROGRAMS = bigcrypt
  
-@@ -48,11 +49,16 @@
+@@ -48,11 +49,16 @@ bigcrypt_SOURCES = bigcrypt.c bigcrypt_m
  bigcrypt_CFLAGS = $(AM_CFLAGS)
  bigcrypt_LDFLAGS = @LIBCRYPT@
  


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam.spec,v
retrieving revision 1.156
retrieving revision 1.157
diff -u -r1.156 -r1.157
--- pam.spec	24 Aug 2007 13:15:01 -0000	1.156
+++ pam.spec	18 Sep 2007 20:23:57 -0000	1.157
@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -397,6 +397,10 @@
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Tue Sep 18 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-7
+- when SELinux enabled always run the helper binary instead of
+  direct shadow access (#293181)
+
 * Fri Aug 24 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-6
 - do not ask for blank password when SELinux confined (#254044)
 - initialize homedirs in namespace init script (original patch by dwalsh)


