From b392552522524f6bac9c01d469f33e87971dbe0f Mon Sep 17 00:00:00 2001 From: Stefan Schubert Date: Wed, 25 Jan 2023 10:09:01 +0100 Subject: pam_pwhistory: use vendor specific pwhistory.conf as fallback Use the vendor directory defined by --enable-vendordir=DIR configure option as fallback for the distribution provided default config file if there is no configuration in /etc. * modules/pam_pwhistory/pam_pwhistory.8.xml: Describe pwhistory.conf * modules/pam_pwhistory/pwhistory_config.c [VENDOR_SCONFIGDIR] (VENDOR_PWHISTORY_DEFAULT_CONF): New macro. (parse_config_file) [VENDOR_PWHISTORY_DEFAULT_CONF]: Try to open VENDOR_PWHISTORY_DEFAULT_CONF if PWHISTORY_DEFAULT_CONF file does not exist. --- modules/pam_pwhistory/pam_pwhistory.8.xml | 15 +++++++++++++++ modules/pam_pwhistory/pwhistory_config.c | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) (limited to 'modules/pam_pwhistory') diff --git a/modules/pam_pwhistory/pam_pwhistory.8.xml b/modules/pam_pwhistory/pam_pwhistory.8.xml index 62848666..d83d8d97 100644 --- a/modules/pam_pwhistory/pam_pwhistory.8.xml +++ b/modules/pam_pwhistory/pam_pwhistory.8.xml @@ -251,6 +251,21 @@ password required pam_unix.so use_authtok Default file with password history + + /etc/security/pwhistory.conf + + Config file for pam_pwhistory options + + + + %vendordir%/security/pwhistory.conf + + + Config file for pam_pwhistory options. It will be used if + /etc/security/pwhistory.conf does not exist. + + + diff --git a/modules/pam_pwhistory/pwhistory_config.c b/modules/pam_pwhistory/pwhistory_config.c index b21879c6..692cf80e 100644 --- a/modules/pam_pwhistory/pwhistory_config.c +++ b/modules/pam_pwhistory/pwhistory_config.c @@ -39,6 +39,7 @@ #include #include #include +#include #include 
@@ -47,6 +48,10 @@
 #define PWHISTORY_DEFAULT_CONF SCONFIGDIR "/pwhistory.conf"
+#ifdef VENDOR_SCONFIGDIR
+#define VENDOR_PWHISTORY_DEFAULT_CONF (VENDOR_SCONFIGDIR "/pwhistory.conf")
+#endif
+
 void
 parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
 struct options_t *options)
@@ -65,6 +70,17 @@ parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
 if (fname == NULL) {
 fname = PWHISTORY_DEFAULT_CONF;
+
+#ifdef VENDOR_PWHISTORY_DEFAULT_CONF
+ /*
+ * Check whether PWHISTORY_DEFAULT_CONF file is available.
+ * If it does not exist, fall back to VENDOR_PWHISTORY_DEFAULT_CONF file.
+ */
+ struct stat buffer;
+ if (stat(fname, &buffer) != 0 && errno == ENOENT) {
+ fname = VENDOR_PWHISTORY_DEFAULT_CONF;
+ }
+#endif
 }
 val = pam_modutil_search_key (pamh, fname, "debug");
-- 
cgit v1.2.3
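Review bot: In the last hunk (inside `parse_config_file`, whose body starts and ends outside it), a `stat()` failure other than `ENOENT`, such as `EACCES`, `ELOOP` or `ENOTDIR`, leaves `fname` on the /etc path and logs nothing, so an unreadable or broken local file neither falls back to the vendor file nor leaves a trace. The hunk does not show how the following `pam_modutil_search_key` calls treat a file they cannot read; if they simply return no value, the password-history options would silently take their built-in defaults, which is worth confirming. I would nest the errno test so the other failures are reported: `if (stat(fname, &buffer) != 0) {`, then `if (errno == ENOENT) fname = VENDOR_PWHISTORY_DEFAULT_CONF;`, then `else pam_syslog(pamh, LOG_ERR, "cannot stat %s: %m", fname); }`, provided `pam_syslog` is already declared in this file. The first hunk of this file adds a single `#include` whose target is not legible on this page, while the new code needs both `<sys/stat.h>` and `<errno.h>`, so check that both are included.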