From 5896ae50af24a5402eee3bdeb782fb5736daf3cb Mon Sep 17 00:00:00 2001
From: Stefan Schubert
Date: Mon, 10 Jan 2022 10:57:54 +0100
Subject: pam_faillock: use vendor specific faillock.conf as fallback

Use the vendor directory defined by --enable-vendordir=DIR configure option as fallback for the distribution provided default config file if there is no configuration in /etc.

* modules/pam_faillock/pam_faillock.8.xml: Describe this.
* modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR] (VENDOR_FAILLOCK_DEFAULT_CONF): New macro.
* modules/pam_faillock/pam_faillock.c (read_config_file) [VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF file when FAILLOCK_DEFAULT_CONF file does not exist.

Co-authored-by: Dmitry V. Levin
Resolves: https://github.com/linux-pam/linux-pam/pull/423
---
 modules/pam_faillock/faillock.h | 3 +++
 modules/pam_faillock/pam_faillock.8.xml | 18 +++++++++++++++++-
 modules/pam_faillock/pam_faillock.c | 9 +++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
(limited to 'modules/pam_faillock')

diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h
index a6081077..c3f157ef 100644
--- a/modules/pam_faillock/faillock.h
+++ b/modules/pam_faillock/faillock.h
@@ -68,6 +68,9 @@ struct tally_data {
 
 #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
 #define FAILLOCK_DEFAULT_CONF SCONFIGDIR "/faillock.conf"
+#ifdef VENDOR_SCONFIGDIR
+#define VENDOR_FAILLOCK_DEFAULT_CONF VENDOR_SCONFIGDIR "/faillock.conf"
+#endif
 
 int open_tally(const char *dir, const char *user, uid_t uid, int create);
 int read_tally(int fd, struct tally_data *tallies);
diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
index 58c16442..79bcbbd0 100644
--- a/modules/pam_faillock/pam_faillock.8.xml
+++ b/modules/pam_faillock/pam_faillock.8.xml
@@ -134,10 +134,17 @@
- + Use another configuration file instead of the default /etc/security/faillock.conf. + + Use another configuration file instead of the default + which is to use the file + /etc/security/faillock.conf or, + if that one is not present, the file + %vendordir%/security/faillock.conf. +
@@ -328,6 +335,15 @@ session required pam_selinux.so open the config file for pam_faillock options + + %vendordir%/security/faillock.conf + + + the config file for pam_faillock options. It will be used if + /etc/security/faillock.conf does not exist. + + +
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index 8328fbae..932d4281 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -192,6 +192,15 @@ read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
 char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
 
 f = fopen(cfgfile, "r");
+#ifdef VENDOR_FAILLOCK_DEFAULT_CONF
+ if (f == NULL && errno == ENOENT && cfgfile == default_faillock_conf) {
+ /*
+ * If the default configuration file in /etc does not exist,
+ * try the vendor configuration file as fallback.
+ */
+ f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r");
+ }
+#endif
 if (f == NULL) {
 /* ignore non-existent default config file */
 if (errno == ENOENT && cfgfile == default_faillock_conf)
-- 
cgit v1.2.3
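Review bot: Once the fallback `fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r")` succeeds, `cfgfile` no longer names the file actually being parsed, so if any later diagnostic in read_config_file prints `cfgfile` (the function body continues past the hunk) it would report the /etc path while the vendor file supplied the lockout policy. The errno handling itself looks sound: a failed vendor open leaves its own errno for the existing `if (f == NULL)` branch, so ENOENT still returns PAM_SUCCESS and any other failure still fails closed with PAM_SERVICE_ERR. Consider tracking the effective path so operators can tell from the log which policy file was loaded, e.g. `const char *path = cfgfile;` before the first fopen, `path = VENDOR_FAILLOCK_DEFAULT_CONF; f = fopen(path, "r");` in the fallback branch, and `path` in place of `cfgfile` in subsequent messages.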