-rw-r--r-- | debian/clean | 1 | ||||
-rw-r--r-- | debian/control | 18 | ||||
-rw-r--r-- | debian/libpam-cracklib.install | 2 | ||||
-rw-r--r-- | debian/libpam-modules-bin.install | 6 | ||||
-rw-r--r-- | debian/libpam-modules-bin.lintian-overrides | 3 | ||||
-rw-r--r-- | debian/libpam-modules-bin.manpages | 2 | ||||
-rw-r--r-- | debian/libpam-modules.install | 7 | ||||
-rw-r--r-- | debian/libpam-modules.lintian-overrides | 3 | ||||
-rw-r--r-- | debian/libpam-modules.manpages | 2 | ||||
-rw-r--r-- | debian/libpam0g-dev.install | 2 | ||||
-rw-r--r-- | debian/libpam0g-dev.links.in (renamed from debian/libpam0g-dev.links) | 0 | ||||
-rw-r--r-- | debian/libpam0g.install | 2 | ||||
-rw-r--r-- | debian/patches-applied/lib_security_multiarch_compat | 71 | ||||
-rw-r--r-- | debian/patches-applied/series | 1 | ||||
-rwxr-xr-x | debian/rules | 13 |
15 files changed, 115 insertions, 18 deletions
diff --git a/debian/clean b/debian/clean index 62f09e76..4a7c5600 100644 --- a/debian/clean +++ b/debian/clean @@ -1 +1,2 @@ debian/local/pam_getenv.8 +debian/libpam0g-dev.links diff --git a/debian/control b/debian/control index bd65eda2..db85c90a 100644 --- a/debian/control +++ b/debian/control @@ -14,6 +14,7 @@ Homepage: http://pam.sourceforge.net/ Package: libpam0g Priority: required Architecture: any +Multi-Arch: same Replaces: libpam0g-util Depends: ${shlibs:Depends}, ${misc:Depends} Suggests: libpam-doc @@ -30,7 +31,9 @@ Package: libpam-modules Section: admin Priority: required Architecture: any -Pre-Depends: ${shlibs:Depends}, ${misc:Depends} +Multi-Arch: same +Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, + libpam-modules-bin (= ${binary:Version}) Conflicts: libpam-motd, libpam-mkhomedir, libpam-umask Replaces: libpam0g-util, libpam-umask Provides: libpam-motd, libpam-mkhomedir, libpam-umask @@ -38,10 +41,22 @@ Description: Pluggable Authentication Modules for PAM This package completes the set of modules for PAM. It includes the pam_unix_*.so module as well as some specialty modules. +Package: libpam-modules-bin +Section: admin +Priority: required +Architecture: any +Multi-Arch: foreign +Depends: ${shlibs:Depends}, ${misc:Depends} +Replaces: libpam-modules (<< 1.1.0-3) +Description: Pluggable Authentication Modules for PAM - helper binaries + This package contains helper binaries used by the standard set of PAM + modules in the libpam-modules package. + Package: libpam-runtime Section: admin Priority: required Architecture: all +Multi-Arch: foreign Depends: ${misc:Depends}, debconf (>= 1.5.19), libpam-modules (>= 1.0.1-6) Replaces: libpam0g-util, libpam0g-dev Conflicts: libpam0g-util 
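Review bot: The new libpam-modules-bin stanza declares `Replaces: libpam-modules (<< 1.1.0-3)`, the same bound libpam-cracklib already carries, which looks copied rather than chosen for this split. Because libpam-modules now Pre-Depends on libpam-modules-bin, the new package is unpacked while the old libpam-modules still owns sbin/unix_chkpwd and the other helpers. If any released libpam-modules is newer than 1.1.0-3 but predates this split, dpkg will refuse the overwrite in the middle of upgrading a Priority: required package. Consider bounding on the upload that introduces the split and pairing it with Breaks, e.g. `Replaces: libpam-modules (<< SPLIT_VERSION)` plus `Breaks: libpam-modules (<< SPLIT_VERSION)`, where SPLIT_VERSION is a placeholder for that upload's version. The changelog is not on this page, so whether 1.1.0-3 is the right bound needs confirming.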
@@ -70,6 +85,7 @@ Package: libpam-cracklib Section: admin Priority: optional Architecture: any +Multi-Arch: same Replaces: libpam0g-cracklib, libpam-modules (<< 1.1.0-3) Depends: ${misc:Depends}, ${shlibs:Depends}, libpam-runtime (>= 1.0.1-6), cracklib-runtime, wamerican | wordlist Description: PAM module to enable cracklib support diff --git a/debian/libpam-cracklib.install b/debian/libpam-cracklib.install index eb29160b..55265e5e 100644 --- a/debian/libpam-cracklib.install +++ b/debian/libpam-cracklib.install @@ -1,2 +1,2 @@ -lib/security/pam_cracklib.so +lib/*/security/pam_cracklib.so debian/pam-configs/cracklib usr/share/pam-configs diff --git a/debian/libpam-modules-bin.install b/debian/libpam-modules-bin.install new file mode 100644 index 00000000..5a8f9cc0 --- /dev/null +++ b/debian/libpam-modules-bin.install @@ -0,0 +1,6 @@ +sbin/unix_chkpwd sbin +sbin/unix_update sbin +sbin/pam_tally sbin +sbin/pam_tally2 sbin +sbin/mkhomedir_helper sbin + diff --git a/debian/libpam-modules-bin.lintian-overrides b/debian/libpam-modules-bin.lintian-overrides new file mode 100644 index 00000000..a4579766 --- /dev/null +++ b/debian/libpam-modules-bin.lintian-overrides @@ -0,0 +1,3 @@ +# yes, we know it's sgid, that's the whole point... +libpam-modules-bin: setgid-binary sbin/unix_chkpwd 2755 root/shadow + diff --git a/debian/libpam-modules-bin.manpages b/debian/libpam-modules-bin.manpages new file mode 100644 index 00000000..90fddec4 --- /dev/null +++ b/debian/libpam-modules-bin.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man8/mkhomedir_helper.8 +debian/tmp/usr/share/man/man8/unix_*.8 diff --git a/debian/libpam-modules.install b/debian/libpam-modules.install index 3c6872d2..191a34ea 100644 --- a/debian/libpam-modules.install +++ b/debian/libpam-modules.install 
@@ -1,7 +1,2 @@ etc/security/* etc/security -sbin/unix_chkpwd sbin -sbin/unix_update sbin -sbin/pam_tally sbin -sbin/pam_tally2 sbin -sbin/mkhomedir_helper sbin -lib/security/*.so lib/security +lib/*/security/*.so diff --git a/debian/libpam-modules.lintian-overrides b/debian/libpam-modules.lintian-overrides deleted file mode 100644 index e323f6f8..00000000 --- a/debian/libpam-modules.lintian-overrides +++ /dev/null @@ -1,3 +0,0 @@ -# yes, we know it's sgid, that's the whole point... -libpam-modules: setgid-binary sbin/unix_chkpwd 2755 root/shadow - diff --git a/debian/libpam-modules.manpages b/debian/libpam-modules.manpages index 96fce214..a9f488d0 100644 --- a/debian/libpam-modules.manpages +++ b/debian/libpam-modules.manpages @@ -1,4 +1,2 @@ debian/tmp/usr/share/man/man8/pam_*.8 -debian/tmp/usr/share/man/man8/mkhomedir_helper.8 -debian/tmp/usr/share/man/man8/unix_*.8 debian/tmp/usr/share/man/man5/*conf.5 diff --git a/debian/libpam0g-dev.install b/debian/libpam0g-dev.install index c51c0567..d8f5d831 100644 --- a/debian/libpam0g-dev.install +++ b/debian/libpam0g-dev.install @@ -1,2 +1,2 @@ usr/include/security/* -lib/*.a usr/lib +lib/*/*.a usr/lib diff --git a/debian/libpam0g-dev.links b/debian/libpam0g-dev.links.in index f595eeb9..f595eeb9 100644 --- a/debian/libpam0g-dev.links +++ b/debian/libpam0g-dev.links.in diff --git a/debian/libpam0g.install b/debian/libpam0g.install index d9178d41..622f9ef2 100644 --- a/debian/libpam0g.install +++ b/debian/libpam0g.install @@ -1 +1 @@ -lib/lib*.so.* +lib/*/lib*.so.* diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat new file mode 100644 index 00000000..9d6d40a9 --- /dev/null +++ b/debian/patches-applied/lib_security_multiarch_compat 
@@ -0,0 +1,71 @@ +Unqualified module paths should always be looked up in *both* the default +module dir, *and* the ISA dir. That's what paths are for. + +This lets us have a soft transition to multiarch for modules without having +to rewrite /etc/pam.d/ files or add ugly symlinks. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: not ready to be committed - this needs tweaked, we're +currently abusing the existing variables and inverting their meaning in +order to get everything installed where we want it and get absolute paths +the way we want them. + +Index: multiarch/libpam/pam_handlers.c +=================================================================== +--- multiarch.orig/libpam/pam_handlers.c ++++ multiarch/libpam/pam_handlers.c +@@ -705,7 +705,26 @@ + } + #else + D(("_pam_load_module: _pam_dlopen(%s)", mod_path)); +- mod->dl_handle = _pam_dlopen(mod_path); ++ if (mod_path[0] == '/') { ++ mod->dl_handle = _pam_dlopen(mod_path); ++ } else { ++ if (asprintf(&mod_full_isa_path, "%s%s", ++ DEFAULT_MODULE_PATH, mod_path) >= 0) { ++ mod->dl_handle = _pam_dlopen(mod_full_isa_path); ++ _pam_drop(mod_full_isa_path); ++ } else { ++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); ++ } ++ if (!mod->dl_handle) { ++ if (asprintf(&mod_full_isa_path, "%s/%s", ++ _PAM_ISA, mod_path) >= 0) { ++ mod->dl_handle = _pam_dlopen(mod_full_isa_path); ++ _pam_drop(mod_full_isa_path); ++ } else { ++ pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); ++ } ++ } ++ } + D(("_pam_load_module: _pam_dlopen'ed")); + D(("_pam_load_module: dlopen'ed")); + if (mod->dl_handle == NULL) { +@@ -775,7 +794,6 @@ + struct handler **handler_p2; + struct handlers *the_handlers; + const char *sym, *sym2; +- char *mod_full_path; + servicefn func, func2; + int mod_type = PAM_MT_FAULTY_MOD; + +@@ -787,16 +805,7 @@ + + if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) && + mod_path != NULL) { +- if (mod_path[0] == '/') { +- mod = 
_pam_load_module(pamh, mod_path, handler_type); +- } else if (asprintf(&mod_full_path, "%s%s", +- DEFAULT_MODULE_PATH, mod_path) >= 0) { +- mod = _pam_load_module(pamh, mod_full_path, handler_type); +- _pam_drop(mod_full_path); +- } else { +- pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); +- return PAM_ABORT; +- } ++ mod = _pam_load_module(pamh, mod_path, handler_type); + + if (mod == NULL) { + /* if we get here with NULL it means allocation error */ diff --git a/debian/patches-applied/series b/debian/patches-applied/series index 7455447a..f6b5d3f7 100644 --- a/debian/patches-applied/series +++ b/debian/patches-applied/series @@ -22,3 +22,4 @@ autoconf.patch update-motd fix-man-crud sys-types-include.patch +lib_security_multiarch_compat diff --git a/debian/rules b/debian/rules index d8cc37ed..7f4ed318 100755 --- a/debian/rules +++ b/debian/rules @@ -24,7 +24,8 @@ dl = $(d)/local override_dh_auto_configure: dh_auto_configure -- --enable-static --enable-shared \ - --libdir=/lib --sbindir=/sbin --disable-audit \ + --libdir=/lib/$(DEB_HOST_GNU_TYPE) --sbindir=/sbin \ + --enable-isadir=/lib/security --disable-audit \ CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" # make sure the SAG, MWG, ADG are readable with a browser. 
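Review bot: In the relative-path branch added to `_pam_load_module`, `mod->dl_handle` is read by `if (!mod->dl_handle)` without having been assigned when the first `asprintf` fails, and it stays unassigned if the second one fails too. Unless the slot is zeroed somewhere outside this hunk, the later `mod->dl_handle == NULL` check could then see a stale value and treat it as a loaded module. Adding `mod->dl_handle = NULL;` before `if (mod_path[0] == '/')` makes both failure paths well defined. The allocation failure also used to return PAM_ABORT from the caller and is now only logged before falling through to the ordinary load-failure handling, so the retained comment "if we get here with NULL it means allocation error" should be rechecked. `mod_full_isa_path` is declared outside the hunk, and the function body continues past it.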
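Review bot: The configure line in override_dh_auto_configure now passes `--enable-isadir=/lib/security`, and nothing in debian/rules says that the ISA directory is being used as the legacy fallback path rather than for its usual purpose. The patch header in lib_security_multiarch_compat admits the variables are being "abused" with their meaning inverted, so a comment above the target would save the next maintainer from "fixing" it, e.g. `# libdir is the per-arch module dir; isadir is deliberately the old /lib/security fallback, see lib_security_multiarch_compat`. The definition of `$(DEB_HOST_GNU_TYPE)` is not visible in these hunks; if it were empty, libdir would silently become `/lib/`, so a guard such as `$(if $(DEB_HOST_GNU_TYPE),,$(error DEB_HOST_GNU_TYPE is empty))` is worth considering. If the dpkg in use provides `DEB_HOST_MULTIARCH`, that is the tuple a `Multi-Arch: same` library path would normally use, and the `sed` in override_dh_link would need the same change.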
@@ -47,11 +48,17 @@ override_dh_installman: rm -f $(d)/libpam-modules/usr/share/man/man5/pam.conf.5 rm -f $(d)/libpam-modules/usr/share/man/man8/pam_cracklib.8 +# dh_link doesn't do wildcards, so we can't auto-link to the right per-arch +# directory +override_dh_link: + sed -e"s,^/lib,/lib/$(DEB_HOST_GNU_TYPE)," $(d)/libpam0g-dev.links.in > $(d)/libpam0g-dev.links + dh_link + # using perms that differ from upstream (sgid instead of suid) /and/ that # dh_fixperms doesn't want override_dh_fixperms: dh_fixperms ifneq (,$(findstring libpam-modules, $(shell dh_listpackages))) - chgrp shadow $(d)/libpam-modules/sbin/unix_chkpwd - chmod 02755 $(d)/libpam-modules/sbin/unix_chkpwd + chgrp shadow $(d)/libpam-modules-bin/sbin/unix_chkpwd + chmod 02755 $(d)/libpam-modules-bin/sbin/unix_chkpwd endif |
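Review bot: The guard in override_dh_fixperms still tests for libpam-modules while the chgrp/chmod lines now act on libpam-modules-bin, and it keeps working only because `$(findstring ...)` is a substring match. An exact word match on the package that ships the binary states the intent and cannot fire for a differently named package: `ifneq (,$(filter libpam-modules-bin,$(shell dh_listpackages)))`. This is the step that makes unix_chkpwd setgid shadow, so a short comment that chgrp must stay before chmod (changing the group may clear the setgid bit) would protect the ordering from later edits.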