From 4d96b59360a57a7a96443e6c34d2cfd13ea3f5e3 Mon Sep 17 00:00:00 2001 From: Stefan Schubert Date: Wed, 8 Dec 2021 14:28:18 +0100 Subject: pam_sepermit: use vendor specific sepermit.conf as fallback Use the vendor directory defined by --enable-vendordir=DIR configure option as fallback for the distribution provided default config file if there is no configuration in /etc. * modules/pam_sepermit/pam_sepermit.c [VENDOR_SCONFIGDIR] (SEPERMIT_VENDOR_CONF_FILE): New macro. (pam_sm_authenticate) [SEPERMIT_VENDOR_CONF_FILE]: Use it as default config file when conf= option is not specified and the file pointed by SEPERMIT_CONF_FILE does not exist. * modules/pam_sepermit/pam_sepermit.8.xml: Describe it. Co-authored-by: Dmitry V. Levin Resolves: https://github.com/linux-pam/linux-pam/pull/411 --- modules/pam_sepermit/pam_sepermit.8.xml | 6 +++++- modules/pam_sepermit/pam_sepermit.c | 17 ++++++++++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) (limited to 'modules/pam_sepermit') diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index 30d9cc54..5763c346 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -54,7 +54,11 @@ sepermit.conf5 for details. - + + If there is no explicitly specified configuration file and + /etc/security/sepermit.conf does not exist, + %vendordir%/security/sepermit.conf is used. + diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 5a622027..5fbc8fdd 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -64,6 +64,9 @@ #include "pam_inline.h" #define SEPERMIT_CONF_FILE (SCONFIGDIR "/sepermit.conf") +#ifdef VENDOR_SCONFIGDIR +# define SEPERMIT_VENDOR_CONF_FILE (VENDOR_SCONFIGDIR "/sepermit.conf"); +#endif #define MODULE "pam_sepermit" #define OPT_DELIM ":" 
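Review bot: The new `SEPERMIT_VENDOR_CONF_FILE` macro in the `@@ -64,6 +64,9 @@` hunk carries a trailing semicolon inside its definition, unlike `SEPERMIT_CONF_FILE` on the line above it. At its single use in `pam_sm_authenticate` this only produces a stray empty statement. The macro would break if it were ever used inside an expression, as a function argument, or as an unbraced `if` body followed by `else`. Define it without the semicolon: `# define SEPERMIT_VENDOR_CONF_FILE (VENDOR_SCONFIGDIR "/sepermit.conf")`.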
@@ -373,7 +376,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, const char *user = NULL; char *seuser = NULL; char *level = NULL; - const char *cfgfile = SEPERMIT_CONF_FILE; + const char *cfgfile = NULL; /* Parse arguments. */ for (i = 0; i < argc; i++) { @@ -388,6 +391,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, } } + if (cfgfile == NULL) { +#ifdef SEPERMIT_VENDOR_CONF_FILE + struct stat buffer; + + cfgfile = SEPERMIT_CONF_FILE; + if (stat(cfgfile, &buffer) != 0 && errno == ENOENT) + cfgfile = SEPERMIT_VENDOR_CONF_FILE; +#else + cfgfile = SEPERMIT_CONF_FILE; +#endif + } + if (debug) pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); -- cgit v1.2.3
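Review bot: In the `@@ -388,6 +391,18 @@` hunk the config file is chosen by `stat()` on the path, while the file itself is presumably opened later by name outside the hunk, so the file that was checked is not guaranteed to be the one that is parsed. Since this selects the policy file for an authentication module, state the intent next to the check, e.g. `/* Only a missing /etc file selects the vendor file; any other stat() error keeps the /etc path. */`. The block also uses `struct stat` and `errno` without adding includes in this diff; presumably `<sys/stat.h>` and `<errno.h>` are already included earlier in the file, which is worth confirming. `pam_sm_authenticate` begins and ends outside the hunk.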