pam_faillock: use vendor specific faillock.conf as fallback

Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.

* modules/pam_faillock/pam_faillock.8.xml: Describe this.
* modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR]
(VENDOR_FAILLOCK_DEFAULT_CONF): New macro.
* modules/pam_faillock/pam_faillock.c (read_config_file)
[VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF
file when FAILLOCK_DEFAULT_CONF file does not exist.

Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/423

1 files changed, 9 insertions, 0 deletions

diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index 8328fbae..932d4281 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -192,6 +192,15 @@ read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
 	char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
 
 	f = fopen(cfgfile, "r");
+#ifdef VENDOR_FAILLOCK_DEFAULT_CONF
+	if (f == NULL && errno == ENOENT && cfgfile == default_faillock_conf) {
+	  /*
+	   * If the default configuration file in /etc does not exist,
+	   * try the vendor configuration file as fallback.
+	   */
+	  f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r");
+	}
+#endif
 	if (f == NULL) {
 		/* ignore non-existent default config file */
 		if (errno == ENOENT && cfgfile == default_faillock_conf)