From 89054484253e29a7a74c6326cf07c74ce4f2f192 Mon Sep 17 00:00:00 2001
From: Stefan Schubert <schubi@suse.de>
Date: Fri, 3 Dec 2021 15:56:49 +0100
Subject: pam_time: use vendor specific time.conf as fallback

Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.

* modules/pam_time/pam_time.8.xml: Describe this.
* modules/pam_time/time.h [VENDOR_SCONFIGDIR] (VENDOR_PAM_TIME_CONF):
New macro.
* modules/pam_time/pam_time.c (_pam_parse) [VENDOR_PAM_TIME_CONF]:
Try to open VENDOR_PAM_TIME_CONF file when no conffile= option was
specified and PAM_TIME_CONF file does not exist.

Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/409
---
 modules/pam_time/pam_time.8.xml |  5 +++++
 modules/pam_time/pam_time.c     | 16 ++++++++++++++++
 2 files changed, 21 insertions(+)

(limited to 'modules/pam_time')

diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml
index 4708220c..a33744ea 100644
--- a/modules/pam_time/pam_time.8.xml
+++ b/modules/pam_time/pam_time.8.xml
@@ -51,6 +51,11 @@
       <filename>/etc/security/time.conf</filename>.
       An alternative file can be specified with the <emphasis>conffile</emphasis> option.
     </para>
+    <para condition="with_vendordir">
+      If there is no explicitly specified configuration file and
+      <filename>/etc/security/time.conf</filename> does not exist,
+      <filename>%vendordir%/security/time.conf</filename> is used.
+    </para>
     <para>
       If Linux PAM is compiled with audit support the module will report
       when it denies access.
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
index 8eebc914..b99e4c32 100644
--- a/modules/pam_time/pam_time.c
+++ b/modules/pam_time/pam_time.c
@@ -34,6 +34,9 @@
 #endif
 
 #define PAM_TIME_CONF	(SCONFIGDIR "/time.conf")
+#ifdef VENDOR_SCONFIGDIR
+#define VENDOR_PAM_TIME_CONF (VENDOR_SCONFIGDIR "/time.conf")
+#endif
 
 #define PAM_TIME_BUFLEN        1000
 #define FIELD_SEPARATOR        ';'   /* this is new as of .02 */
@@ -79,6 +82,19 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char **
 	}
     }
 
+#ifdef VENDOR_PAM_TIME_CONF
+    if (*conffile == PAM_TIME_CONF) {
+	/*
+	 * Check whether PAM_TIME_CONF file is available.
+	 * If it does not exist, fall back to VENDOR_PAM_TIME_CONF file.
+	 */
+	struct stat buffer;
+	if (stat(*conffile, &buffer) != 0 && errno == ENOENT) {
+	    *conffile = VENDOR_PAM_TIME_CONF;
+	}
+    }
+#endif
+
     return ctrl;
 }
 
-- 
cgit v1.2.3